Actionable Purple Teaming: Why and How You Can (and Should) Go Purple
Jorge Orchilles
4 min. read
12 May 2022
If you are curious about the emerging and maturing concept of purple teaming in cybersecurity, look no further. Purple teaming powerhouses Chief Technology Officer Jorge Orchilles from SCYTHE, Purple Team Lead and Senior Security Engineer Maril Vernon from Aquia, and Founder and CEO Dan DeCloss of PlexTrac recently combined forces to discuss why and how you should get started in purple teaming as a way to be more proactive and mature your cybersecurity program.
Watch the full conversation or check out the highlights below shared by our purple teaming expert panel.
One of the top questions we get asked is “How do we get started in purple teaming?” This is a valid question given that the concept is a relatively new collaborative assessment type. Together, we have a fair amount of experience in purple teaming in both research and practice. We’ve built internal red teams, helped customers run purple team exercises, and started companies to make purple teaming more accessible. In a fast-evolving field, it is tough to keep up, so we are going to break it down for you.
At a minimum, your organization should be performing vulnerability scans and vulnerability assessments as part of the vulnerability management process. Vulnerabilities in technology are tracked by MITRE Common Vulnerability and Exposure (CVE) IDs and rated using the Common Vulnerability Scoring System (CVSS). The focus of vulnerability management is to lower the number of exploitable vulnerabilities to decrease the chance of an adversary obtaining initial access to your organization. From there, your organization may perform penetration testing to measure the vulnerabilities that are exploitable and prioritize vulnerabilities that need to be patched.
As our industry has evolved, we have realized that adversaries are not only getting in through exploitation of vulnerabilities but also through a variety of other means. Furthermore, we have realized that they follow a set of tactics, techniques, and procedures (TTPs) against target organizations. Discovering and protecting against those other TTPs is where purple teaming, red teaming, and adversary emulation come into the picture.
A Purple Teaming Q&A
We will briefly address some of the baseline questions we’ve heard from those getting started in purple teaming.
What is purple teaming?
A purple team is a collaboration of various information security skill sets. Purple teaming is a process where teams work together to test, measure, and improve defensive security posture (people, process, and technology) by emulating tactics, techniques, and procedures (TTPs) and adversary behaviors.
This collaboration occurs between a variety of security players:
Cyber threat intelligence — researches and provides adversary behaviors, tactics, techniques, and procedures.
Red team — the team emulating adversary TTPs.
Blue team — the defenders, including the security operations center (SOC); threat hunting, digital forensics, and incident response (DFIR); and/or managed security service providers (MSSPs) or managed detection and response (MDR) providers.
Who should be involved in purple teaming?
The ideal collaboration for successful purple teaming is between offensive (red team) and defensive (blue team) information security practitioners. However, your mileage may vary, and you should feel free to be creative. The key is that purple teaming is collaborative and strategic to ensure that exercises result in actual progress, so involving multiple perspectives is important. That said, you really can get started with a very skeletal team. You can even purple team single-handedly if you are willing to wear multiple hats.
How do I convince my management that purple teaming is bringing value versus other actions?
Be sure to focus on management’s motivations when you are advocating for purple teaming. Why do they care? Demonstrate value with data and examples: “I can show that an unconfirmed control was confirmed by purple teaming exercises.” Show real gaps and patch those gaps in your posture based on the testing/purple teaming you do. Nothing will garner support faster than actual evidence. Purple teaming is designed to provide that evidence by collaborative testing that carries through to remediation and retesting.
Why should we purple team?
A September 2021 study by CyberRisk Alliance entitled The Power of Purple Teaming asked 315 security practitioners from the US and Canada about their security strategy, including purple teaming. Of those surveyed who had conducted purple teaming exercises (26 percent), 89 percent deemed purple teaming activities “very important” to their security operations. Additionally, 88 percent of purple teaming users — compared to only 52 percent of those using a more traditional pentesting strategy — say their exercises are “very effective” in defending their organization against ransomware and advanced attacks.
This research report demonstrates the real value differences organizations are experiencing between those doing purple teaming and the majority still relying on more traditional assessments.
In addition to improved defenses, organizations using purple teaming reported better team morale. A survey respondent from the financial services sector said, “Purple teaming’s been wonderful in creating an atmosphere of collaboration amongst our team, especially during this period of remote working. Skills are honed and the team becomes real again to one another. Our ability to stop attacks has markedly increased, and it’s been an unquestionable positive development.”
How do I get started?
So who is really doing this anyway? In terms of industries trying out purple teaming, we learned from the Power of Purple Teaming survey that purple teaming is happening across industry verticals, with the tech, industrial, and financial services sectors being the most experienced with purple teaming and using the results to help shape their cybersecurity strategies rather than just vetting current security controls. No surprise there. The question is why everyone wouldn’t be interested in patterning their strategy around what tech, industrial, and financial services are finding successful.
With that established, where are the people on the purple teams coming from? Basically everywhere. Any of your security or IT professionals willing to join a “purple team” can add value and gain takeaways to improve their view into the organization's security posture.
You don’t have to have a huge developed team with a ton of resources to get started. Grab whoever you can and start somewhere. If you are ready to get specific, view the full webinar for more actionable steps!
Where can I get some help?
So this is the part where we make a shameless plug. Both SCYTHE and PlexTrac have been designed with purple teaming in mind. Our platforms enable any security team to get started running and managing purple teaming exercises. And they work in harmony. SCYTHE’s adversary emulation plans are used to execute the adversary behaviors in your environment and the results can be imported into PlexTrac for tracking and reporting.
The Path to Adversary Emulation
As your capabilities grow, you’ll find your program moving along a scale of assessment complexity and maturity. We cover the offensive security maturity model further in this post but show the path most organizations are taking below:
The path to adversary emulation, which we consider the most advanced stage, is all about moving away from testing random TTPs toward emulating real-world adversary behaviors via attack chains, or what we call campaigns.