PURPLE TEAM EXERCISE FRAMEWORK

Get the Purple Team Exercise Framework

Request the Purple Team Exercise Framework 2.0 (PTEF) for free, today!

SCYTHE created a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.

A Purple Team is a virtual team where the following groups work together:

  • Cyber Threat Intelligence - team to research and provide threat TTPs

  • Red Team - offensive team in charge of emulating adversaries

  • Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)

At a high level, a Purple Team Exercise is executed with the following flow:

  1. Exercise Coordinator (EC): present the adversary, TTPs, and technical details
  2. All: table-top discussion of security controls and expectations for TTP execution
  3. Red Team: emulate the TTP while sharing the screen so everyone sees and learns what an attack looks like
  4. Blue Team: follow the process to detect and respond to the TTPs, sharing the screen to confirm identification of artifacts
  5. Detection Engineering: can any adjustments or tuning to security controls and/or logging be made to increase visibility?
  6. All: repeat the procedure and record the new results, then move to the next TTP
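The loop above only pays off if every pass through steps 3 to 5 is recorded so the effect of detection-engineering tuning can be compared run over run. The following tracker is an added illustration of that bookkeeping, not SCYTHE's code or part of the PTEF document; the `Outcome` scale, the `Exercise` class, and the ATT&CK-style technique IDs and tuning notes in `sample_exercise()` are constructed sample data.

```python
# Added illustration of the six-step exercise loop above; not SCYTHE's code or
# part of the PTEF document. Each pass through steps 3-5 for one TTP is stored
# as (outcome, tuning); step 6 appends another pass for the same TTP so the
# effect of tuning is measurable. All IDs and outcomes are constructed samples.
from enum import IntEnum


class Outcome(IntEnum):
    """Blue-team result for one pass (step 4), worst to best visibility."""
    NOT_DETECTED = 0  # no telemetry, no alert
    LOGGED = 1        # artifacts in logs, but nobody was alerted
    ALERTED = 2       # detection fired and the SOC triaged it
    PREVENTED = 3     # a control blocked the technique outright


class Exercise:
    def __init__(self) -> None:
        # ttp_id -> list of (Outcome, tuning applied afterwards in step 5)
        self.runs: dict[str, list[tuple[Outcome, str]]] = {}

    def record(self, ttp_id: str, outcome: Outcome, tuning: str = "") -> None:
        """Steps 4-5: what the blue team observed and what was tuned after."""
        self.runs.setdefault(ttp_id, []).append((outcome, tuning))

    def summary(self) -> dict[str, dict]:
        """Per TTP: first vs latest outcome, whether tuning helped, open gap."""
        report = {}
        for ttp_id, runs in self.runs.items():
            first, latest = runs[0][0], runs[-1][0]
            report[ttp_id] = {
                "first": first.name,
                "latest": latest.name,
                "improved": latest > first,
                "gap": latest < Outcome.ALERTED,  # SOC still would not act
            }
        return report

    def coverage(self) -> float:
        """Fraction of TTPs whose latest pass reached ALERTED or better."""
        hits = sum(r[-1][0] >= Outcome.ALERTED for r in self.runs.values())
        return hits / max(len(self.runs), 1)


def sample_exercise() -> Exercise:
    """Constructed sample: three TTPs, two of them re-run after step-5 tuning."""
    ex = Exercise()
    ex.record("T1059.001", Outcome.LOGGED, "added alert on script block logging")
    ex.record("T1059.001", Outcome.ALERTED)
    ex.record("T1003.001", Outcome.NOT_DETECTED, "enabled LSASS access auditing")
    ex.record("T1003.001", Outcome.LOGGED)
    ex.record("T1566.001", Outcome.PREVENTED)
    return ex
```

`summary()` flags TTPs that improved after tuning and those still below the alerting threshold, which is the list the next exercise should start from.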