The Information Security industry is full of incredibly insightful, intelligent people looking to solve problems. About 13 years ago, a number of influential industry professionals started challenging the industry to think about the traditional pen test and how to get the maximum value from its findings. Enter one of the ideas: Purple Teaming.
Many years ago, I helped present the results of a penetration test to a client. Around the same time, I presented the findings of a vulnerability scan the same client had commissioned. On paper, both projects were successfully executed, and the client was happy… Or as happy as they could be given the findings. But when I stopped to think about the two presentations, there was something that just seemed off. It took me a while to figure it out.
In essence, the client had commissioned two vulnerability scans. Yes, one was much more in-depth and required a higher degree of manual intervention, but they both fell into the client’s “Vulnerabilities” bucket.
A year later, the same client commissioned us to run some scans and execute a pen test. It was lather, wash, rinse, repeat. I thought to myself, “There has to be a better way,” a way for the people designing, building, and running enterprise controls (the defenders) to get something more out of this.
This isn’t to say there is no value in Penetration Testing and Red Teaming, and it isn’t to say they are the same thing, because they are not. There is still a need for both, whether it be for pure compliance, a point-in-time assessment of specific infrastructure, or looking for logic errors in a mission-critical application.
But by partnering together as a single Purple Team, defenders (the Blue Team) and attackers (the Red Team) can better prepare the enterprise for modern adversaries.
While you don’t have to have your color wheel handy for this next part, I’d say it couldn’t hurt. If you aren’t familiar with the color notation we’re referring to, think of it this way: your Red Team emulates your attacker(s) and the Blue Team your defenders (Security Operations, Incident Responders, etc.). Combining red and blue makes purple. Voila, a Purple Team.
So, what is a Purple Team and how is it helpful? Simply put, a Purple Team is an iterative, collaborative, and scalable exercise (or series of exercises) that merges the functions of Red Teams and Blue Teams. In a Purple Team exercise, the point isn’t to compromise an application or network or series of hosts and provide a damning report, nor is it to take possession of that report and get to it “as the schedule allows” (which, as we all know, can sometimes be never).
Purple Team exercises give enterprise defenders the ability to work and train with Red Teamers as they are compromising their networks, the very same networks they are defending. The power of the exercise comes in its ability to do things like review logs and system configurations for Red Team activity, to pause for coaching and review, and even to make production changes during the exercise. The purpose is to “practice how you play,” not to play a game of “Gotcha.”
Who can benefit from this practice and how? Incident responders and investigators (DFIR) can build and track metrics on the effectiveness of their monitoring and response. They can more quickly and easily, and with the insights of their partners on the Red Team, modify their tooling and processes. Operations and Engineering can see how and whether their controls are effective and can adjust and re-adjust. Architecture and Design can get a better understanding of the efficacy of the controls they have designed and implemented, and experience it in near real-time. If appropriate, the enterprise can test and make production modifications based on the output of the Purple Team exercise. Governance, Risk, and Compliance teams can get a better sense of how the organization is managing and reporting risk, not in an academic way, but in a more true-to-life manner. And finally, Red Teams benefit from being free to engage in real-world attacks, even longer campaigns, and to provide reporting and coaching that is immediately useful and actionable to the organization.
What are some ways to get started?
For starters, you have to agree with the premise. Perhaps that sounds silly, but there are still organizations and leaders within them that don’t see the value in conducting these joint exercises.
One of the objections I’ve often heard is that there is a lack of time and budget. The reasoning goes that Purple Teaming is training, and there is no time or budget for training. This is somewhat understandable, as many Operations and Engineering teams are running at near-100% utilization. At least on paper they are.
Another objection is directed at the scope of Purple Team exercises: they’re too broad and too all-encompassing. There is some validity to this, as they can (and probably should) impact the entire organization in more ways and over a longer course of time than traditional Pen Testing and Red Teaming.
But a quick glance across today’s top-of-class InfoSec organizations will reveal that they are strongly considering Purple Teaming, funding early proof-of-concept programs, or even fully funding Purple Team operations. They’re doing this because they see the value in these exercises as training, but also for the other benefits highlighted earlier.
A next step in the process is to agree that Purple Teaming is an aspirational goal and to include it in budgets and team plans. There are two major budgetary items here: the time and resources required for the defenders to participate, and the time and resources it will take to staff and run the Purple Team exercise itself.
This brings us to what it takes to staff the team, either from internal staff or by engaging a third party. As Purple Team exercises are more focused on collaboration and training, the skillsets are a bit different from those of your standard pen tester or Red Teamer. Purple Team members need to be highly skilled in program and project management and in presenting to groups large and small at all levels within the enterprise. They need to be adept at coaching and training, and, finally, they need to be highly technical. If that wasn’t enough, they also need to possess a level of understanding (empathy) for what it takes to design, build, and run enterprise controls. As someone who has been a defender, I am personally (and professionally) amazed by these individuals and their skillsets. I’ve always found it hard to believe that there are people who possess so many difficult-to-master skills at the same time. I’ve been incredibly fortunate to meet and get to know some of them.
Finally, start small, but with an eye and a plan to run large exercises. Start with an internal app, internal infrastructure, or perhaps a small, non-critical business unit. This will give both teams a chance to learn what works best and give the organization a chance to adjust to this cultural shift.