Yes we are, but hear us out.
We are not introducing a new job role where you have to hire more people or have to spend more money. See, a purple team is a virtual, functional team that fosters collaboration and efficiency in testing, measuring, and improving your current cyber security people, process, and technology (security controls).
Purple Teaming is a collaborative effort between the following teams. Your organization may not have some of these, and that is perfectly alright:
A Purple Team Exercise is a full-knowledge engagement where the attack activity is exposed and explained as it occurs. Purple Team Exercises are "hands-on keyboard". Red and Blue teams work together with an open discussion about each attack technique and defense expectation to improve people, process, and technology in real-time. Purple Team Exercises are Cyber Threat Intelligence led, emulating Tactics, Techniques, and Procedures (TTPs) leveraged by known malicious actors actively targeting the organization. This identifies and remediates gaps in the organization’s security posture.
In comparison, a Red Team Engagement is a zero-knowledge assessment where the defenders are unaware of what is happening. To be clear, the target company’s senior management, and other “trusted agents” or “white cells” are aware of the engagement, but the analysts do not know. A Purple Team Exercise is full-knowledge. The Red Team is not trying to be stealthy.
Instead, they are mimicking and sharing the attacks that the adversaries are performing against other organizations.
Sounds easy right? At a high level, these teams work together and viola! But what do they actually do? SCYTHE has released the Purple Team Exercise Framework to guide you through the entire process. This includes the Cyber Threat Intelligence, Preparation, Exercise Execution, and Lessons Learned:
At a high level, a Purple Team Exercise is executed with the following flow:
An internal Red Team may have access to various tools that allow the emulation of adversary behaviors and TTPs. Our team at SCYTHE created a free and open source project called the C2 Matrix where we attempt to document all Command and Control (C2) frameworks available for free and commercially. This is a great start, however we: highly recommend using an enterprise-grade platform that has the ability to automate adversary behaviors consistently and reliably in your live, production environment.
Purple Team operations allow for the collaboration, measurement, and improvement of current people, process, and technology. We believe this is a relatively new concept that will bring significant value to your organization! We hope you have found this post helpful and educational. If you are ready to begin performing Purple Team Exercises, check out the Purple Team Exercise Framework and contact us for help.
For future Purple Team workshops check out the latest schedule here
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.