Cybersecurity teams pursuing a defense-in-depth strategy have invested in their security tools and tech stack for decades, and while these tools are critically important, if teams can’t be sure controls are always working, they’re still being left wide open to a breach. For today’s organizations, cybersecurity readiness is a combination of people, processes, and technology—which is where the concept of purple teaming comes in.
In the newly-published analyst brief Purple Gain: Using Red Team, Blue Team Solutions and Strategies to Provide Preferred Cybersecurity Outcomes, analyst Chris Kissel at IDC shares how a purple team mindset and approach to your security program can aid your team in being fully prepared to adapt to real-time network conditions and imminent threats.
Here are some at-a-glance takeaways from the brief:
Five sensible things you can do to anticipate adversarial behavior, and brace to react
- Schedule device vulnerability management (DVM) scans on a regular basis. According to IDC, “roughly half of all devices tested will show some kind of vulnerability.”
- Utilize breach and attack simulation (BAS). Can you state with confidence how your security controls will perform against known threats, the threat du jour, and common adversary TTPs? BAS answers that question by emulating those threats in your environment and showing how your controls and your network respond.
- Look at the less-critical threats, not just the top ones. Hundreds or even thousands of medium and medium/high risk vulnerabilities typically sit untouched because no one is working on them; that is exactly where adversaries look for an easy foothold.
- Look at your own environment from the outside in. Attack Surface Management (ASM) gives you an attacker’s view of what your organization exposes.
- Get into a pentesting routine. Engagements with external pentesting firms typically run 4-6 weeks; decide how often to commission these assessments rather than treating them as one-offs.
Bear in mind that each of these technologies and services has limitations; the IDC brief includes a chart of the strengths and limitations of each that is worth consulting as you plan your next moves in your own cybersecurity practice.
What to know about purple teaming exercises
IDC recommends anticipating future threats with an approach that blends red and blue team techniques: purple teaming.
According to the report, “Optimally, this would be done in software, the process would be nonabrasive, the attack surface could be tested against malware threats and tactics, and the results would be measured against metrics that are common to the security operation centers (SOCs) such as mean time to detect (MTTD) or alerts investigated.”
IDC notes that a platform approach works best; such a platform would enable:
- Testing the items you know you should test: malware families, tools, host environments and the like.
- Centralized insights from various tools, integrated into a single workflow.
- Use of BAS to stand up a threat-informed defense. Automating security control validation against the MITRE ATT&CK framework lets you track how far an emulated attack progresses and how your company’s security posture changes over time.
- Predicting and retesting. According to the report, “If the platform can find vulnerabilities either in configurations or in policy, a SOC team can reconfigure, or patch as needed. Self-evidently, the platform would then simply retest and reassess the environment.”
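To make the SOC metrics and the retest loop described above concrete, here is a small added example (not code from the IDC brief, and not any BAS product’s own code) that scores two purple-team runs against ATT&CK technique IDs: it computes MTTD and per-tactic coverage for a run, then diffs a baseline run against a retest so that regressions surface alongside improvements. The technique IDs, tactic names, timestamps and outcomes are constructed sample data, and the TechniqueResult record is an assumed shape rather than any vendor’s export format.

```python
"""Scoring purple-team / BAS runs against ATT&CK technique IDs.

Added illustration; not code from the IDC brief or from any vendor platform.
Each run is a list of TechniqueResult records, one per emulated technique,
recording when it ran, whether a control prevented it, and when (if ever)
the SOC alerted on it. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class TechniqueResult:            # assumed record shape, not a vendor format
    technique_id: str               # ATT&CK technique, e.g. "T1059.001"
    tactic: str                     # ATT&CK tactic the test was filed under
    executed_at: datetime           # when the emulation ran
    prevented: bool                 # True if a control blocked the action
    alerted_at: Optional[datetime]  # first SOC alert for it, None if never seen


def covered(r: TechniqueResult) -> bool:
    """A technique counts as covered if it was blocked or at least alerted on."""
    return r.prevented or r.alerted_at is not None


def coverage_by_tactic(results):
    """Return {tactic: (alerted_fraction, prevented_fraction)} for one run."""
    grouped = {}
    for r in results:
        grouped.setdefault(r.tactic, []).append(r)
    return {
        tactic: (
            sum(r.alerted_at is not None for r in rs) / len(rs),
            sum(r.prevented for r in rs) / len(rs),
        )
        for tactic, rs in grouped.items()
    }


def mean_time_to_detect(results) -> Optional[timedelta]:
    """MTTD over techniques that produced an alert; None if none did.
    Prevented-but-silent techniques are excluded on purpose: a block with no
    alert tells the SOC nothing, which is a gap a retest should surface."""
    delays = [r.alerted_at - r.executed_at for r in results if r.alerted_at is not None]
    if not delays:
        return None
    return sum(delays, timedelta()) / len(delays)


def diff_runs(before, after):
    """Compare two runs technique by technique (the retest step).
    Returns (regressions, improvements): IDs covered in `before` but not in
    `after`, and the reverse. IDs present in only one run are ignored so a
    changed test set is not mistaken for a change in posture."""
    b = {r.technique_id: r for r in before}
    a = {r.technique_id: r for r in after}
    common = b.keys() & a.keys()
    regressions = sorted(t for t in common if covered(b[t]) and not covered(a[t]))
    improvements = sorted(t for t in common if not covered(b[t]) and covered(a[t]))
    return regressions, improvements


def _secs(td: Optional[timedelta]):
    return None if td is None else td.total_seconds()


def report(before, after) -> dict:
    """Bundle the SOC-facing numbers a purple team would track run over run."""
    regressions, improvements = diff_runs(before, after)
    return {
        "mttd_before_s": _secs(mean_time_to_detect(before)),
        "mttd_after_s": _secs(mean_time_to_detect(after)),
        "coverage_after": coverage_by_tactic(after),
        "regressions": regressions,
        "improvements": improvements,
    }


# --- constructed sample runs: a baseline and a retest after tuning ----------
T0 = datetime(2024, 1, 15, 9, 0)
MIN = timedelta(minutes=1)

RUN_BEFORE = [
    TechniqueResult("T1059.001", "execution", T0, False, T0 + 12 * MIN),
    TechniqueResult("T1003.001", "credential-access", T0 + 5 * MIN, False, None),
    TechniqueResult("T1021.002", "lateral-movement", T0 + 10 * MIN, False, T0 + 55 * MIN),
    TechniqueResult("T1486", "impact", T0 + 15 * MIN, True, T0 + 16 * MIN),
]
# Retest: a new credential-dumping rule now fires, but the lateral-movement
# alert has gone quiet (for example, a broken log-forwarding path).
RUN_AFTER = [
    TechniqueResult("T1059.001", "execution", T0, False, T0 + 3 * MIN),
    TechniqueResult("T1003.001", "credential-access", T0 + 5 * MIN, False, T0 + 13 * MIN),
    TechniqueResult("T1021.002", "lateral-movement", T0 + 10 * MIN, False, None),
    TechniqueResult("T1486", "impact", T0 + 15 * MIN, True, T0 + 16 * MIN),
]

if __name__ == "__main__":
    for key, value in report(RUN_BEFORE, RUN_AFTER).items():
        print(f"{key}: {value}")
```

The point of diffing runs rather than reporting a single score is that MTTD improves between the two constructed runs even though one technique stopped being detected entirely; an aggregate metric alone would have hidden that regression, which is exactly what the reconfigure-then-retest loop is meant to catch.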
Enacting a purple teaming strategy
- If you’re looking to prioritize adopting purple teaming, we have resources to help you get started.
- Purple Teaming for Dummies: We highly recommend downloading this eBook for a closer look at the concept of purple teaming, but briefly, here are a few tips to keep in mind:
- Recognize the strengths of your red and blue teams and work to merge them into a cooperative, coordinated purple teaming effort. (Chapter 3 of the Dummies guide digs into exactly how to do that.)
- Have your CISO facilitate the purple teaming effort, starting with building consensus on which attacks pose the greatest risk to your organization.
- Create a strategy to test continuously: One-off testing doesn’t cut it in a purple teaming construct when the goal is to demonstrate that your controls actually work. Purple teaming relies on a continuous feedback loop that validates defenses against performance data.
- Utilize the MITRE ATT&CK framework: Purple teams can use ATT&CK to organize their testing. ATT&CK arranges adversary tactics and techniques into a user-friendly “periodic table” of threat intelligence that can help you prioritize assessments, investments, and plans for the future.
- Utilize an automated breach and attack simulation solution. This lets you test continuously and at scale, and gives you real-time, on-demand data and reports to validate control effectiveness as new threats emerge.
- Foundations of Purple Teaming course: If you’d like a free, expert-led class (where you can also earn ISC2 credits), we have one that covers Purple Teaming from end to end on AttackIQ Academy—now 30,000 students strong and growing. Enroll today and get a crash course with actionable steps on how to bring purple teaming to life in your organization.
- The CISO’s Guide to Purple Teaming: This guide provides a roadmap for CISOs leading the charge in adopting purple teaming. You’ll learn how to bring red and blue teams together, incorporate automated testing, and make the most of scarce security resources.