I first learned about the concept of purple team operations when I was Chief Strategy Officer for Cyber Policy in the United States (U.S.) Department of Defense, designing the United States’ first and second cyberdefense strategies to guide U.S. military forces in the conduct of cyberspace operations. At that time in U.S. history, the country was just beginning to invest in the “Cyber Mission Force,” a team of 6,200 elite cyberspace operators whose job was to defend the United States against hostile nation-state and non-state actors in cyberspace. It was then that I learned of the singular importance of understanding adversary tradecraft in effective cyberdefense operations.
In 2015, Russian government hackers broke into the Pentagon’s networks to try to access national security information. The team that helped repel those attackers came from the Cyber Mission Force team that was focused on defending the whole country against Russian government hostility. When I spoke to that team’s commander at the time about the operation, then Major General Paul Nakasone (now the commander of U.S. Cyber Command) told me that the reason they were able to repel the intruders from the Pentagon so quickly was that they were focused intensely on understanding the adversary and how to counter them.
That’s why purple teaming is so important for security teams around the world, whether in public or private organizations. In a purple team construct, security teams constantly exercise their defenses against known adversaries’ tactics and techniques to ensure that the defenses work as they should. Because they’re focused on understanding prospective adversaries, they’re ready if and when an intrusion actually happens. They’re called purple because they combine the best of blue and red teams. When they work in close alignment, they conduct continuous assessments to ensure that security programs work as they should to stop advanced threats. Absent continuous, adversary-focused testing, there is no way to ensure that a security program will perform in the way that it must at the right time.
This week we are launching Purple Teaming for Dummies, a new guide developed in partnership with the world-renowned Dummies team at Wiley to help security teams all over the world learn the benefits of purple team operations. Using plain language and simple tips, this book is designed to help you build, lead, and manage effective purple team operations. It explains the foundations of purple teaming and threat-informed defense, from using the MITRE ATT&CK framework of known threat behaviors, to building collaborative teams, to designing an automated testing strategy.
The insights within this book are drawn from decades of experience running cybersecurity operations for the private and public sectors. The book is co-authored by Ben Opel, a former U.S. Marine Corps Captain who guided the U.S. Marine Corps’ operational doctrine in purple team operations. Ben now teaches purple team operations to security leaders all over the world through AttackIQ Academy, a free online academy of courses for leading cybersecurity professionals, and as a member of AttackIQ’s customer success team. Ben and his colleagues teach courses on purple team operations, operationalizing MITRE ATT&CK, and uniting threat and risk management, among others. You can check out Academy and enroll in its free courses here.
In addition to Ben’s writing, this book includes insights from our third co-author, Carl Wright, Chief Commercial Officer at AttackIQ and former Chief Information Security Officer of the U.S. Marine Corps, a technologist and security leader who has advised the world’s leading companies and public organizations on cybersecurity effectiveness. Carl is a dynamic national leader in cybersecurity technology and operations, having served with distinction as a senior leader in the U.S. Marine Corps and then as an entrepreneur, developing new operational concepts and building category-defining companies that help make the world a safer place.
Finally, this book reflects the research of the MITRE Engenuity Center for Threat-Informed Defense, a research institution that builds on the MITRE ATT&CK framework to improve cyberdefense and advance the state of the art and the state of the practice in threat-informed defense. AttackIQ is proud to be a founding research partner of the Center for Threat-Informed Defense, and the insights in this book stem from that work.
The cybersecurity community has learned an incredible amount over the last decade in operations, technology, and management, and purple team operations will help improve collective cybersecurity effectiveness. I hope our new book will be helpful to you, and please do be in touch with me, Ben, or Carl if you would like to learn more about any of the concepts outlined in this work. We’d be glad to talk more.