FREE Purple Team Workshops: Save Your Seat 🦄

PURPLE TEAM EXERCISE FRAMEWORK

SCYTHE created a Purple Team Exercise Framework (PTEF) to facilitate the creation of a formal Purple Team Program by performing adversary emulations as Purple Team Exercises and/or Continuous Purple Teaming Operations.

Purple team exercise framework 

 

Get the Purple Team Exercise Framework

A Purple Team is a virtual team where the following groups work together:

  • Cyber Threat Intelligence - team to research and provide threat TTPs

  • Red Team - offensive team in charge of emulating adversaries

  • Blue Team - the defenders. Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Provides (MSSP)

At a high level, a Purple Team Exercise is executed with the following flow:

1
EXERCISE COORDINATOR (EC)

Present adversary, TTPs, and technical details 

2
ALL
Table-top discussion of security controls and expectations for TTP execution
3
RED TEAM
Emulate the TTP while sharing the screen so everyone sees and learns what an attack looks like
4
BLUE TEAM

Follow process to detect and respond to TTPs, share screen to confirm identification of artifacts 

5
DETECTION ENGINEERING

Can any adjustments or tuning to security controls and/or logging be made to increase visibility

6
ALL

Repeat procedure and record new results, move to next TTP