SCYTHE Library: The Purple Team - Organization or Exercise

Written by SCYTHE | Feb 15, 2019 5:00:00 AM

As the cybersecurity industry continues to evolve, certain terminology is changing and becoming more prevalent, such as the increased mention of Red Teams and Blue Teams inside boardrooms and IT departments. As these terms spread, their definitions can become broad or confusing, and they are sometimes used interchangeably with other terms that may or may not be applicable. For example, a staff member may use the term “Red Team”, but this could refer to either an internal team within that organization or an external Penetration Testing Firm.

One such term that has been gaining popularity is “Purple Team”. Though the term can reference a formal organization of staff within a company, it far more commonly references a type of cybersecurity exercise.

Exercise

The most common use of the term “Purple Team” is to reference a specific exercise in which an offensive engagement transforms into a defensive learning opportunity. In this way the Red Team and Blue Team are distinct entities, and the flow of information is as follows:

  1. Red Team
     • Plans out the Campaign’s exercise, including which exploits, payloads, command and control, and other tools to utilize.
     • Confirms plan with management, and when applicable, notifies Human Resources in the event a non-Red-Team employee will be used as an actor in the Campaign.
     • Executes the Campaign, without informing Blue Team of engagement.
     • Documents the Campaign in its entirety, creating a comprehensive list of every method, command, and endpoint utilized during the exercise.
     • Hands off report to Blue Team…
  2. Blue Team
     • Reviews the Red Team report.
     • Analyzes all applicable logs and records that may correlate with Campaign.
     • Creates, then executes, a remediation plan.
     • Notifies Red Team of remediation steps allow for …
  3. Red Team
     • Attempts to perform the same Campaign, under the same conditions, repeating the process again.

Although the above is a fairly standard means of performing a Purple Team exercise, it relies on numerous rounds of back and forth between disparate teams. In the event of remediation failure, more rounds must be completed and documented, which can lead to delays in defensive implementations.

A More Efficient Purple Team

The SCYTHE team has found that there are ways to receive the benefits of a Purple Team engagement without having to wait for numerous teams to perform operations, and without having to combine offensive and defensive staffs under the same team. With the SCYTHE platform, we’ve found that Red Team Automation and Defense Validation are two sides of the same coin, and that offensive Campaigns are best remediated when network defenders can execute these Campaigns themselves in a controlled environment.

With the SCYTHE platform a Red Team can:

  • Create a Campaign
  • Define and automate all adversarial actions
  • Save the Campaign as a Threat template
  • Generate a globally unique implant
  • Detonate an adversarial implant on an endpoint
  • Generate a report
  • Provide report and access to SCYTHE to the Blue Team

… allowing the Blue Team to:

  • Use the pre-defined Threat Template to create an identical Campaign
  • Generate a new implant with a unique file signature
  • Detonate the implant in a controlled and monitored environment
  • Validate detections and remediation
  • And repeat until the Threat is satisfactorily addressed

This saves both teams time, allows for fast remediation, and makes threat emulation an easily repeated action without requiring massive cross-team coordination for all iterations of a threat.