PURPLE TEAM EXERCISE FRAMEWORK


SCYTHE created a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.

A Purple Team is a virtual team where the following groups work together:

  • Cyber Threat Intelligence - team that researches and provides threat TTPs

  • Red Team - offensive team in charge of emulating adversaries

  • Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)

At a high level, a Purple Team Exercise is executed with the following flow:

1. EXERCISE COORDINATOR (EC): Present the adversary, TTPs, and technical details

2. ALL: Table-top discussion of security controls and expectations for TTP execution

3. RED TEAM: Emulate the TTP while sharing the screen so everyone sees and learns what an attack looks like

4. BLUE TEAM: Follow the process to detect and respond to the TTP, sharing the screen to confirm identification of artifacts

5. DETECTION ENGINEERING: Determine whether any adjustments or tuning to security controls and/or logging can be made to increase visibility

6. ALL: Repeat the procedure and record the new results, then move to the next TTP

Request the Purple Team Exercise Framework 2.0 (PTEF) for free, today!
