What is Purple Teaming?

Penetration testing is a colorful affair. First, there’s blue. Blue teams are the guardians of the network, tasked with defending key systems and meeting regulatory compliance. Then there’s red. Red teams take on the role of hackers, seeking to find flaws in corporate defenses, so they can be remedied before the real bad guys show up. Then there’s purple teaming. That’s what happens when you mix red and blue together.

The goal of purple teaming is to bring the blue and red team functions together. A relatively new concept, purple teaming aims to foster collaboration by aligning processes, cycles, and information flows between teams to overcome the competitive or even adversarial dynamic of the traditional siloed security approach.

How Does Purple Teaming Work?

Purple teaming does not replace red or blue teaming. Both continue as distinct entities on the organizational chart. Rather, purple teaming enables these distinct groups to form communicative, supportive, and collaborative relationships across the functional boundary. This is true regardless of whether organizations use external partners for their red team capabilities (as is most often the case) or whether the red team is an internal capability (as can be the case in large, well-resourced companies).

Trust and cooperation are central to effective purple teaming, which can only be established by building a shared understanding of which cyber risks pose the greatest threat to the organization. Similarly, purple teaming requires a coordinated approach for determining whether cyber defenses are working properly.

To achieve this common language, many organizations are using the MITRE ATT&CK® cybersecurity framework as an underpinning for purple teaming. Developed by the not-for-profit MITRE Corporation, ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) that have been observed in cyberattacks and are already used widely by red teams.

Purple teaming can exploit the MITRE ATT&CK framework by pairing it with an automated breach and attack simulation (BAS) platform, such as the AttackIQ Security Optimization Platform, which enables a security organization to routinely simulate the attacks that are most likely to threaten them. Red and blue teams can work together to design the testing regimen, jointly identify security control errors and gaps, undertake mitigation measures, and then re-test to validate that their security controls are effective. As such, purple teaming feeds into threat-informed defense (i.e., focusing on known threats, and testing security controls actual against adversary behaviors).

What are the Benefits of Purple Teaming?

Red and blue teams have capability gaps that the other can fill. Purple teaming optimizes the skillsets and minimizes the limitations of both red and blue. Key benefits of purple teaming include:

  • More focused red team testing. Blue teams possess a deep understanding of the business and its network and security architecture. This institutional knowledge is invaluable in guiding red team decisions about which types of threats pose the greatest risk to the organization and how to mitigate them.
  • More robust blue teaming. Blue team members often do not think in the devious way cybercriminals do. Because they have been trained to think like the bad guys, red teams can provide this crucial input, giving blue team colleagues a better understanding of adversaries’ mindsets that can help influence defensive choices.
  • Better security outcomes. Blue and red teams sometimes develop a mentality where the aim of the exercise is for blue teams to pass a test set by the red teams. This misses the real point of security testing: to develop defenses that can successfully thwart the cyberattacks an organization is likely to face. Purple teaming refocuses minds on addressing real world threats.

How Can I Get Started with Purple Teaming?

As with any new business practice, chief information security officers (CISOs) and other security leaders may wonder how to get purple teaming off the ground. There are several initial steps to consider:

  1. Facilitate collaboration. Build consensus around which attacks pose the greatest risk. Working together, red and blue team members should review the attack variants and TTPs described in the MITRE ATT&CK framework and develop a prioritized list of adversary techniques to test against. Key questions to ask include: What elements of our business are most vulnerable to cyberattack? What are the possible consequences of our cyber defenses failing? Which threats and TTPs from the MITRE ATT&CK framework should our red team testing incorporate? How frequently should we repeat each type of test?
  2. Workshop potential breaches / attacks. Ongoing workshops around attacker techniques, the organization’s security controls, and options for response and mitigation make the importance of red and blue team collaboration apparent to everyone involved and gets the ball rolling on potential solutions to some of the organization’s most challenging threats.
  3. Automate purple testing processes. The scope of threats that companies face is so broad that manual testing cannot routinely test the full panoply of TTPs an organization is likely to face. Moreover, one-off tests fail to validate security controls on a continuous basis, so if a control gap opens, the red team may not notice. It is therefore important to put in place an automated security validation platform that aligns with MITRE ATT&CK and which can regularly simulate the most probable methods of adversary attack. This should be a threat-informed defense posture, focused on addressing the subset of pertinent threats that are most likely to do the most damage.
  4. Adopt a mindset of continual improvement. Purple teaming thrives on collaboration, so there cannot be an “us vs. them” mindset between red and blue teams. In particular, blue teams need to have confidence that they will not get a dressing down from management if a red team test reveals a control gap. CISOs and other leaders must therefore ensure the purple team culture is supportive and collaborative, and that team members see themselves as part of a wider security team that is pulling in the same direction. Clear communication flows between red and blue teams, as well as management, are a key part of embedding this culture.

 

Additional Purple Teaming Resources

Purple Teaming for Dummies

The CISO’s Guide to Purple Teaming

10 Things You May Not Know About Purple Teaming

Purple Teaming in the Cloud webinar

Purple Teaming for Cybersecurity Effectiveness: 10 Lessons