Picture this: Your first purple team exercise.
You have championed purple teaming for months, got executive leadership buy-in, and planned everything down to what color Unicorn t-shirt you are wearing for the day. It is all coming together!
Everyone from the red and blue teams is together in the conference room. Excitement is in the air; the managers bought lunch for everyone in anticipation of the productive day. The CISO gives a charismatic kick-off speech about collaboration, and how they are so excited to see everyone here working together!
The exercise goes well, and the teams identify a few big detection gaps that tie to a recent news cycle (e.g., https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a).
It is a big win! Congratulations are shared all around as everyone is excited about what purple teaming can do going forward! Everyone goes home, another future weekend is saved, and the briefing is C-Suite ready at the end of the exercise!
Where did I lose you? Was it when everyone went home? Or that the briefing is C-Suite ready so quickly?
The reality is quite a bit different, with a word that continues to inspire dread in many from childhood: homework.
Who leaves the purple team exercise with the most homework? The defenders.
Teams that are already taxed, have high burnout, and many other organizational challenges/responsibilities now have more to do as the result of the purple team exercise.
Wait a minute, aren’t purple team exercises supposed to be better? Is that all wrong? What is the problem?
One of the biggest challenges as part of a purple team exercise (and all security testing) is… wait for it:
“The handoff”
What do I mean by handoff? I’ll answer your question with another question: what happens after the purple team exercise when the blue team wants to test their shiny new detections?
Does it involve:
- Setting up another meeting every time the test needs to be run again?
- A Slack/Teams message?
- Knowledge you assume the other team members already have?
Did you provide enough information about the tooling, execution method, command line flags (if any), and timestamps for comparisons?
Keep in mind that the vast majority of information security professionals have never used a command and control framework like those used as part of security test operations.
My guess is that the answer is no, or that you aren’t sure.
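As an added illustration (not code from the original post or from SCYTHE), here is a Python sketch of what "enough information" looks like once it is written down: a handoff record with the fields named above, a check for what is still missing, and a padded time window for matching a test execution to alerts on the same host. The test ID, technique ID, tool, command and alert data are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fields the blue team needs before they can re-run a test and compare results.
REQUIRED = ("test_id", "technique", "tool", "command", "host", "started", "ended")


@dataclass
class HandoffRecord:
    test_id: str
    technique: str   # ATT&CK ID the test maps to
    tool: str        # framework or binary used to execute the test
    command: str     # exact command line, flags included, as it was run
    host: str        # where it ran
    started: datetime
    ended: datetime
    notes: str = ""  # anything a re-run would otherwise have to guess


def missing_fields(rec: dict) -> list:
    """Names of required handoff fields that are absent or empty."""
    return [k for k in REQUIRED if not rec.get(k)]


def search_window(rec: HandoffRecord, skew: timedelta = timedelta(minutes=5)):
    """Telemetry window around the execution, padded for clock skew and log lag."""
    return rec.started - skew, rec.ended + skew


def matching_alerts(rec: HandoffRecord, alerts: list) -> list:
    """Alerts from the same host that fired inside the padded window."""
    lo, hi = search_window(rec)
    return [a for a in alerts if a["host"] == rec.host and lo <= a["ts"] <= hi]


def handoff_status(rec: HandoffRecord, alerts: list) -> str:
    return "detected" if matching_alerts(rec, alerts) else "gap"


# --- constructed sample data, not from any real exercise ---
T0 = datetime(2024, 1, 10, 14, 0, tzinfo=timezone.utc)
SAMPLE = HandoffRecord(
    test_id="PT-001", technique="TXXXX",  # placeholder technique ID
    tool="example-tool", command="example-tool run --case sample --host host-a",
    host="host-a", started=T0, ended=T0 + timedelta(minutes=2),
)
ALERTS = [
    {"host": "host-a", "ts": T0 + timedelta(minutes=1, seconds=30), "rule": "sample-rule"},
    {"host": "host-b", "ts": T0 + timedelta(minutes=1), "rule": "sample-rule"},
    {"host": "host-a", "ts": T0 + timedelta(hours=1), "rule": "unrelated"},
]
INCOMPLETE = {"test_id": "PT-002", "tool": "example-tool"}  # what a chat message usually carries

if __name__ == "__main__":
    print(handoff_status(SAMPLE, ALERTS), missing_fields(INCOMPLETE))
```

Running it reports the sample test as detected and lists the five fields the chat-style handoff left out.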
The quickest solution to the people part: go ask.
- “What works well for your team from the purple team exercises? What doesn’t?”
- “What can we do to help decrease the work required from a purple team or test?”
- “Is there additional information we can provide that would speed up the detection engineering or remediation process?”
In the best organizations and teams, the purple team process reinforces collaboration that already happens day to day; those teams, however, continue to be the exception rather than the rule.
All of this comes to a question I’ve been asking testers more and more: how do you hand off what you are testing to the blue team?
Want to join others across the industry in learning how organizations are making handoffs from purple team exercises and security tests as transparent and efficient as possible? Request a SCYTHE demo today!