Request the Purple Team Exercise Framework 2.0 (PTEF) for free, today!
SCYTHE created a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.
A Purple Team is a virtual team where the following groups work together:
Cyber Threat Intelligence - team to research and provide threat TTPs
Red Team - offensive team in charge of emulating adversaries
Blue Team - the defenders. Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Provides (MSSP)
At a high level, a Purple Team Exercise is executed with the following flow:
1
EXERCISE COORDINATOR (EC)
Present adversary, TTPs, and technical details
2
ALL
Table-top discussion of security controls and expectations for TTP execution
3
RED TEAM
Emulate the TTP while sharing the screen so everyone sees and learns what an attack looks like
4
BLUE TEAM
Follow process to detect and respond to TTPs, share screen to confirm identification of artifacts
5
DETECTION ENGINEERING
Can any adjustments or tuning to security controls and/or logging be made to increase visibility
6
ALL
Repeat procedure and record new results, move to next TTP
