TL;DR: Here at SCYTHE, we have created a great deal of purple team content because we’re fans. We developed a public adversary emulation plan library through #ThreatThursday, our CTO Jorge Orchilles created the Purple Team Exercise Framework (PTEF), and our free hands-on purple team workshop is right around the corner on June 2nd. Purple teaming has brought a great deal of value to the companies that chose to take advantage of it. Up to this point, purple team has been used as a verb. SCYTHE Adversary Emulation Lead Tim Schulz championed the Purple Maturity Model. This model extends the idea into creating actual teams, measures them on threat understanding and detection understanding, and can gauge either overall capability or capability with a specific technology. SCYTHE is excited to share the Purple Maturity Model as a tool to improve your security team’s capabilities.
We’re big fans of purple teaming (in fact we hosted our own purple summit at the end of last year!). Beyond offering purple teaming services, we’ve also released a lot of purple team content for use by the greater information security community, including:
- Purple Team Exercise Framework (PTEF) by Jorge Orchilles,
- Public adversary emulation plan library through #ThreatThursday, and
- Free hands-on purple team workshops (next one is June 2nd).
Overall, we’ve seen how purple teaming has developed over the years, with Jorge and me both speaking at the inaugural SANS Purple Team Summit back in 2019. Doing single-day or six-week exercises with customers has shown us just how much return on investment purple teaming brings to companies, so we asked ourselves a simple question: what is the next step for purple teaming?
Today we are proposing a preliminary answer to that question, which initially started out as Advanced Purple Teaming and evolved into something even larger in scope (sidenote: Advanced Purple Teaming is coming). Our answer is what we are calling the Purple Maturity Model.
Right now, purple team is mostly used as a verb - it typically references the execution of an exercise that brings together a combination of blue team, red team, and cyber threat intelligence professionals. The exercises include pre-planning, an agreed-upon scope and series of tests, and a lot of communication and transparency throughout the process. The focus on communication and the blended expertise is why these exercises tend to yield such a high return on investment. The increasing popularity of purple team exercises, and the growing expectation that security teams around the globe conduct them, support this.
The Purple Maturity Model encourages the shift to using purple team as a noun - creating permanent teams who share common goals and leverage their varied expertise outside of periodic exercises. These new blended teams will be measured through two categories: threat understanding and detection understanding.
Within each category, we propose three levels of maturity:
Level 1: Deployment
This is where most teams start their journey: deploying tools developed by someone else. Those tools might include vendor platforms like SCYTHE, open source projects like Atomic Red Team, or indicators of compromise released by CISA.
SCYTHE customers that have a SCYTHE server running are in a good position for the deployment part of their threat understanding!
Level 2: Integration
Integration - pairing tools and resources together to achieve greater effect - is the next step in capability development and maturity. The question here is “can we integrate this new tool into our existing technology/process stack (or can we combine two existing tools)?”
SCYTHE customers can take advantage of our many integrations to boost their threat understanding. Once you have confidence in using the baseline SCYTHE instance, try building your capabilities with one of these integrations.
- MITRE ATT&CK for technique creation and reporting
- Splunk, Gravwell, or Syslog for dual campaign tracking and ingestion
- Cortex XSOAR and Splunk Phantom for running emulations
- PlexTrac and VECTR for tracking, reporting and recording results
Level 3: Creation
Our final level of maturity is creation - adding novel tools to the capabilities developed in previous levels. Creation is our final level because understanding a tool, process, or technique to the point where it can be applied to a new use case demonstrates significant capability to adapt to changing threats.
SCYTHE customers are positioned to move through this stage of threat understanding capability development by taking advantage of the modular architecture of the SCYTHE platform to create their own campaigns and techniques through the user interface, create custom modules with the SDK, and automate SCYTHE’s actions through the API.
The Full Model
These three levels are meant to be applied to a team as a whole to gauge its overall capability, but they can also be used to gauge capability with a specific tool or technology. Combining the three levels with the two categories of understanding creates the PMM.
We used color coding to emphasize the required balance between threat and detection understanding to achieve “purple,” but there’s no wrong way to get to the top right corner of the box (what we would consider an advanced purple team). Maybe your organization has a highly skilled team who understands how to create new detections based on the latest threat intelligence; they probably think of themselves as a blue team and sit in the top left corner of our box. This team needs to improve their threat understanding to build their capabilities into purple territory - enabling testing of their detections and guiding development of new ones. The first step for this team might be deploying a tool like SCYTHE with one of our existing emulation plans. As they advance in their threat understanding journey, they might hire someone to refine their threat model or write new adversary techniques to keep their detections on the cutting edge. While there are many paths to purple, if you are looking for guidance on how to invest your limited resources, we would recommend prioritizing balance. Ask yourself where your team falls in the square and what you need to move closer to the purple diagonal. The ultimate goal is to create a team with advanced understanding of both threats and detections, allowing them to better defend the organization.
The purple team is here to stay, and we at SCYTHE are working to provide you with the tools to improve your team’s capabilities. We hope the Purple Maturity Model provides you with the guide you need to make your way toward a purple future!
If you’re interested in hearing more about the PMM and missed my initial talk at the SANS Purple Team Summit, Jorge and I are giving a talk at the Red Team Village’s Mayhem 2021 conference on May 29th!
About the Author
Tim Schulz is SCYTHE’s Adversary Emulation Lead. He has been helping organizations build and train teams to understand and emulate cyber threats for the last six years while working at multiple FFRDCs. He has given talks on Adaptive Emulation with ATT&CK and on Technical Leadership, and holds GXPN, GDAT, and OSCP certifications.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.