Perhaps you’ve implemented a purple teaming strategy in your cybersecurity practice, or perhaps you’re hearing about it for the first time. Either way, there’s more to purple teaming than meets the eye. Take a look at this list and see if you’re surprised by any of these facts.
1. It’s a cybersecurity team construct that’s changing the way organizations prevent breaches and attacks.
Purple teaming is a relatively new construct in which red teams and blue teams work together collaboratively to overcome silos in an organization’s cybersecurity strategy. Essentially, it’s bringing together the best of the red, and the best of the blue. By holistically looking at processes, information flows, and cycles, teams are able to minimize limitations of red and blue teams performing their duties with the “right hand not knowing what the left hand is doing.”
2. According to Bob Ross, blue and red make purple — but purple teaming isn’t “blending” teams.
In a purple teaming structure, neither the red nor the blue team is eliminated. Teams aren’t merged from an org chart perspective either. Blue and red teams continue to perform their separate functions but introduce a highly communicative, cooperative relationship that spans those functions. Red teams have a better idea of what blue teams are doing and how it affects the overarching cybersecurity strategy, and vice versa. The end result? A shared “offense/defense” mindset that vastly improves cybersecurity effectiveness.
3. Purple teaming eliminates finger-pointing between red and blue.
A traditional blue/red structure sometimes, usually inadvertently, pits red teams against blue teams, causing consternation and sometimes resentment of the “other side.” Purple teaming focuses teams on shared goals, like successfully passing assessments for security gaps or compliance. It requires an attitude of continuous improvement, focusing on the greater good of the company and team rather than getting mired in siloed concerns. With today’s increasingly rampant and sophisticated attacks, the companies that are able to thwart the enemy successfully require teams that are committed to continual learning.
4. MITRE ATT&CK and purple teaming are meant for each other.
The best way for purple teams to organize their testing is by utilizing the MITRE ATT&CK framework of adversarial TTPs. It’s a “periodic table” of the global threat landscape that purple teams can use to think like adversaries and run continuous tests. From there, teams are able to prioritize investments, assessments, and future planning. Using the MITRE ATT&CK framework, purple teams can work as one to design testing plans, find security control errors and gaps together, mitigate risks as a tightly aligned team, and stand up a true threat-informed defense.
Get a roadmap to using MITRE ATT&CK in your organization in the MITRE ATT&CK for Dummies eBook
5. To properly go purple, automation is essential.
Manual, infrequent testing isn’t enough to ensure control gaps aren’t opening up; a gap can go unnoticed for days or even weeks. To prevent adversaries from slipping through undetected cracks, continual control testing and validation are needed—which is nearly impossible to maintain without automation. A breach and attack simulation (BAS) platform that aligns to the MITRE ATT&CK framework of adversarial TTPs can emulate adversarial threats on a continual basis and validate the effectiveness of security controls. Not only that, but teams benefit from real-time data and detailed reporting for executives, auditors, and boards.
6. Purple teaming helps navigate cloud security controls.
Organizations have made a mad dash to the cloud. The problem? Not everyone has a sound strategy in place for how to secure their cloud. Fortunately, purple teaming can help here, too. You understand as a team which cloud security controls you have, what they’re able to do—and how to apply them to protect your organization. New research from the MITRE Engenuity Center for Threat-Informed Defense that maps cloud security controls native to Azure and AWS to TTPs in the MITRE ATT&CK framework provides a starting point. Purple teams can map cloud controls to threat behavior and increase their cybersecurity readiness, and then consistently test security control effectiveness through threat emulation.
If you’re looking for an excellent rundown of how this works from several perspectives, be sure to listen to the Purple Teaming in the Cloud webinar featuring cybersecurity experts in purple teaming and leaders from the MITRE Engenuity Center for Threat-Informed Defense.
7. Purple teaming is a way to detect internal problems — not just outside threats.
Sometimes imminent threats lie within your own four walls, with security program issues across operations. Here’s an example from the Purple Teaming for Dummies eBook:
One company is underpaying its key staff, and the staff is leaving. The human operations capability is downgraded, and the board may not know about it until a red team operation is performed. By knowing what the company needs to test for, and deliver against, it’s crucial to justify increases in salary for its teams.
If you run an automated purple test, it may show a security control failure. After further investigation, you learn that teams are failing to perform because of staff turnover—but that the turnover is driven not by technology but by problems in salary. Only through a security outcome-driven test do you learn that there’s a performance problem within the team. Only by investigating the problem further do you discover that security personnel are leaving because of problems with their salary. The human resource department wouldn’t discover this on its own necessarily, but, by discovering security program degradations and investigating how and why it’s happening, you learn something and make change happen.
8. Purple teaming can help you assess your success with MSSPs.
Internal problems can be detected and remedied with purple teaming, but the construct also gives you the opportunity to uncover issues with external managed security service providers (MSSPs). A purple teaming exercise might reveal, for example, that an MSSP is taking days to detect and report issues that could have been uncovered and remediated internally with greater speed and efficiency.
Here’s another example from Purple Teaming for Dummies:
Say, for an MSSP, the salesperson has the invoice for the renewal of a certain license of that service that you need for your security. Your organization hasn’t signed the contract. It just shut it off. It might be like the oxygen of your operation, but no one has told you where it is. It’s stuck in procurement somewhere, stuck in receivables. So the person who is dependent on it at your home organization doesn’t know that the purchasing department hasn’t paid the invoice.
The role purple teaming can play here is extremely significant. While your red team might have detected the MSSP issue above, a purple team can stand up a process of continual controls assurance—based on continuous testing made possible by a BAS platform and the purple teaming strategy.
9. It only takes 4 steps to build a purple teaming practice within your organization.
Building a purple team isn’t hard when you follow this simple roadmap:
Dig into the strengths and weaknesses of each group: Red teams are your pseudo-attackers, while blue teams are your frontline defense with a deep understanding of your business and its inner workings. The key to creating a purple team in your org is cohesively working the value of both teams to your advantage. Blue teams should work with red to help them understand unique features and high-value assets within the organization, while blue teams should lean on their counterparts to dig into the anatomy of an attack and the most prominent adversarial behaviors being exhibited against similar organizations.
Think “improve, improve, improve”: As previously noted, an attitude of continuous improvement is vital for your purple team to work. CISOs are vital for this part to work as well; as a leader, you need to be prepared to foster and feed this improvement attitude and set a consistent and supportive tone. Security is a difficult world where threats are dynamic and evolve. Leaders need to encourage teams to work AS a team and view assessments as opportunities to increase their overall effectiveness—learning together, and succeeding or failing as a team.
Build a testing strategy for a threat-informed defense: As a purple team, conduct an audit of your current security posture including documenting controls and identifying weaknesses in the infrastructure. Then test against those assumptions, focusing on threats that have the most potential to do the most damage. Testing should be automated and continuous so you’re relying on today’s data—not last month’s.
Foster communication: Build formal, structured feedback loops, conclude assessments with joint debriefing sessions, look into remediation reports, and ensure you have a clearly articulated testing policy that shares how often testing should occur, who performs the tests, and what objectives tests should produce.
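The continual control testing described in point 5 and in the “build a testing strategy” step above comes down to keeping ATT&CK-keyed test results run over run and flagging gaps that open up between runs. The following script is an added illustration, not code from the post or from any BAS product; the technique IDs are real ATT&CK IDs, while the control names and results are constructed sample data.

```python
"""Track ATT&CK-mapped control tests across runs and flag regressions.

Each test is keyed by an ATT&CK technique ID and records whether the
emulated behaviour was prevented and/or detected. Comparing the latest
run with the previous one surfaces gaps that have opened up since the
last test, which infrequent manual testing tends to miss.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TestResult:
    technique: str   # ATT&CK technique ID, e.g. "T1059.001"
    control: str     # control expected to stop or see the behaviour
    prevented: bool  # did a preventive control block the emulation?
    detected: bool   # did a detective control alert on it?

    @property
    def passed(self) -> bool:
        # A control validates if it either blocks the behaviour or alerts on it.
        return self.prevented or self.detected


def find_gaps(results):
    """Techniques the given run neither prevented nor detected."""
    return sorted(r.technique for r in results if not r.passed)


def find_regressions(previous, current):
    """Techniques that passed in the previous run but fail in the current one."""
    prev = {r.technique: r for r in previous}
    return sorted(
        r.technique for r in current
        if not r.passed and r.technique in prev and prev[r.technique].passed
    )


def coverage(results):
    """Fraction of tested techniques with a passing control, for reporting."""
    return sum(r.passed for r in results) / len(results) if results else 0.0


# Constructed sample runs (control names and outcomes are illustrative only).
PREVIOUS_RUN = [
    TestResult("T1059.001", "PowerShell script block logging", False, True),
    TestResult("T1003.001", "LSASS protection", True, True),
    TestResult("T1566.001", "Mail gateway attachment sandbox", True, False),
]
CURRENT_RUN = [
    TestResult("T1059.001", "PowerShell script block logging", False, False),
    TestResult("T1003.001", "LSASS protection", True, True),
    TestResult("T1566.001", "Mail gateway attachment sandbox", False, False),
    TestResult("T1021.001", "Host firewall restricts RDP", False, False),
]
```

Running `find_regressions(PREVIOUS_RUN, CURRENT_RUN)` reports the two controls that silently stopped working, while `find_gaps` also lists the newly added RDP test, which is a gap but not a regression.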
10. You can get a full purple teaming education—today.
It takes more than a blog post can cover to learn how to properly build a purple team—but resources are available to you. To get a full deep dive and all the advice, tips, and tricks you need to start purple teaming in your organization, download Purple Teaming for Dummies. Additionally, AttackIQ Academy offers free cybersecurity education, including a specific course on the Foundations of Purple Teaming, where you and your team will have the opportunity to do exercises and labs that allow you to fully learn how to employ a purple teaming strategy.