
Purple Teaming: a new approach to red teaming

Author: Erik Kovács

Date: 2023.02.21

Over the past few years it has become clear that no company can afford to take IT security lightly, and trustworthy security testing has consequently become far more important to business leaders. One established practical method is red teaming, which tests how well prepared an organization is against cyber-attacks by exercising its security measures under realistic conditions. In the classic setup the red and blue teams work separately; purple teaming takes red teaming to a new level by focusing on transparency and cooperation rather than on isolating the teams.

Managed security now covers many different components and methods. Organizations that want to test their security infrastructure in practice, not just on paper, often choose red teaming. Even the most carefully designed security measures can have weaknesses, and some of them are only discovered through practical testing. Red teaming has proven to be a good way to find such vulnerabilities, but even well-proven methods are worth improving: purple teaming is the next step in the evolution of cybersecurity testing.

Red teaming: close to reality, with isolated teams

The basic principle of red teaming has so far been as obvious as it has been well tried: an attack scenario as close to reality as possible is played out, and the security measures are tested for their effectiveness and their speed of response. The red team's aim is to break through the defences maintained by a group of security experts, the blue team. Individual exercises differ mainly in the attack patterns tested and in how much the red team is told about the security architecture in advance (black box versus white box). One thing, however, has been common to almost all red teaming: the red and blue teams work independently of each other and in secret, to keep the scenario as realistic as possible. It should always be borne in mind that such a test only delivers useful information if it is carefully prepared on the technical side.

Transparency leads to more accurate results

The basic idea behind purple teaming is evident from its name: unlike red teaming, it lifts the ban on cooperation between the red and blue teams. Instead of working in complete isolation, the two groups work transparently. When the red team makes its first move and starts the attack, it informs the blue team of the strategy and the techniques it is using. The blue team can then see how its security tools are performing, and whether the procedures put in place for such an event are sensible and effectively designed. This involves measuring values that serve as indicators, for example how quickly each attack step is detected and contained. The collected metrics can then be compared with the incident response strategy as defined on paper, and its effectiveness can be evaluated in practice.

More effective learning with collaboration

The first advantage of this new transparency is the accuracy of the assessment. Purple teaming reaches a new level of accurate reporting because, instead of only checking whether an attack worked, it can identify the vulnerabilities directly and pinpoint at which stage of the attack the system was compromised. If the red team tells the blue team during the attack where the vulnerabilities are, the blue team saves time and effort, because it can eliminate them directly.

Another advantage of purple teaming is repeatability. Because all attack plans are open, they can be repeated in a targeted way, so defenders can test in a second run whether their newly developed defences actually stop the intruders.
Last but not least, purple teaming also has a big impact on learning: the red team not only explains to the defenders the strategies and technologies it used, but also explains step by step why it chose that particular method. In this way the blue team gets to know the attackers and understands their mindset, and any operational blind spots can be countered effectively.
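As an added worked example (not from the original article), the following Python script shows how the indicators described above can be kept as a scorecard during an exercise: each red-team step is logged with its kill-chain stage and the blue team's detection and containment times, the resulting metrics are compared with the targets written into a hypothetical incident response plan, and a repeated run of the same attack plan is compared with the first run to show whether the newly built defences hold. The stages, technique names, timings and plan targets are all constructed for illustration.

```python
"""Purple-team exercise scorecard (illustrative example, constructed data).

Every red-team step is recorded with the kill-chain stage it belongs to and
what the blue team observed. The scorecard compares the measured values
(detection coverage, time to detect, time to contain) with the targets of the
incident response plan, and a second run of the same plan is compared with
the first to measure the effect of the fixes made in between.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Step:
    stage: str                       # kill-chain stage of this red-team action
    technique: str                   # technique used (hypothetical description)
    started_min: int                 # exercise minute when the red team acted
    detected_min: Optional[int] = None   # minute the blue team alerted, None = missed
    contained_min: Optional[int] = None  # minute the blue team contained it, None = not contained

    def time_to_detect(self) -> Optional[int]:
        return None if self.detected_min is None else self.detected_min - self.started_min

    def time_to_contain(self) -> Optional[int]:
        return None if self.contained_min is None else self.contained_min - self.started_min


# Targets as written into the (hypothetical) incident response plan.
IR_PLAN_TARGETS = {
    "detection_rate": 0.80,            # share of red-team steps that must raise an alert
    "mean_time_to_detect_min": 15,     # minutes from action to alert
    "mean_time_to_contain_min": 60,    # minutes from action to containment
}

# Constructed first run: the red team walks the kill chain, the blue team misses three stages.
ROUND_ONE = [
    Step("Reconnaissance", "external port scan", 0),
    Step("Initial Access", "phishing mail with macro document", 10, 18, 70),
    Step("Execution", "PowerShell download cradle", 25, 27, 70),
    Step("Privilege Escalation", "local privilege escalation", 40),
    Step("Lateral Movement", "pass-the-hash to file server", 55, 95, 130),
    Step("Exfiltration", "data exfiltration over DNS", 120),
]

# Constructed second run of the same plan after the blue team tuned its detections.
ROUND_TWO = [
    Step("Reconnaissance", "external port scan", 0, 5, 20),
    Step("Initial Access", "phishing mail with macro document", 10, 12, 30),
    Step("Execution", "PowerShell download cradle", 25, 26, 30),
    Step("Privilege Escalation", "local privilege escalation", 40, 50, 80),
    Step("Lateral Movement", "pass-the-hash to file server", 55, 60, 80),
    Step("Exfiltration", "data exfiltration over DNS", 120),
]


def scorecard(steps, targets=IR_PLAN_TARGETS):
    """Compute the exercise metrics and check each one against the plan's target."""
    detected = [s for s in steps if s.detected_min is not None]
    contained = [s for s in steps if s.contained_min is not None]
    metrics = {
        "detection_rate": len(detected) / len(steps),
        "mean_time_to_detect_min": mean(s.time_to_detect() for s in detected) if detected else None,
        "mean_time_to_contain_min": mean(s.time_to_contain() for s in contained) if contained else None,
        # Stages where the attack went unnoticed: this is where the system was compromised silently.
        "missed_stages": [s.stage for s in steps if s.detected_min is None],
    }
    verdict = {}
    for name, target in targets.items():
        value = metrics[name]
        if value is None:
            verdict[name] = False            # nothing measured, target cannot be met
        elif name == "detection_rate":
            verdict[name] = value >= target  # coverage: higher is better
        else:
            verdict[name] = value <= target  # times: lower is better
    metrics["meets_plan"] = verdict
    return metrics


def compare_rounds(before, after):
    """Repeat the same attack plan after fixes and report what changed."""
    a, b = scorecard(before), scorecard(after)
    return {
        "detection_rate_delta": round(b["detection_rate"] - a["detection_rate"], 3),
        "newly_detected_stages": sorted(set(a["missed_stages"]) - set(b["missed_stages"])),
        "still_missed_stages": b["missed_stages"],
        "all_targets_met_after": all(b["meets_plan"].values()),
    }


if __name__ == "__main__":
    for label, run in (("first run", ROUND_ONE), ("second run", ROUND_TWO)):
        print(label, scorecard(run))
    print("change", compare_rounds(ROUND_ONE, ROUND_TWO))
```

The missed stages are the most valuable output: they tell the blue team exactly where in the kill chain a detection or a response procedure is absent, which is the information a blind red-team report would only hint at with "the attack succeeded".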

The success of Purple Teaming

For purple teaming to be effective, a number of aspects have to be considered; the most important are perhaps the following:

  • Technical skills in the different methods: service providers must know the methods of both the blue and the red team. This includes, for example, security monitoring and responding to attacks (incident response) on the blue side, and automated attacks on the red side. As a result, the correct detection content and configuration settings, along with other system-specific recommendations, can also be provided.
  • Team leadership and management: purple teaming focuses on successful learning and requires regular checks on whether progress is being made, so providers also need to be skilled at leading and managing teams.
  • Planning: as with all testing methods, a precise plan is essential for the success of purple teaming. If the team is meticulously prepared, the results will be of higher quality and more convincing.


To give the blue team an idea of what to expect in the final exercise, teams usually base the scenario on the cyber kill chain of known APT attackers.

Together for success

The success of purple teaming depends on the two teams working closely and transparently together. On the one hand, this means that the red team discloses how, why and what kind of procedures it uses, which gives the blue team a better understanding of attackers and their behaviour patterns. On the other hand, the blue team must also communicate the mistakes it has made and where it can improve its posture. When the teams work hand in hand like this, the exercise can have a lasting effect and help to raise the level of security. Despite its many advantages, purple teaming is not intended to replace red teaming completely, but to develop it further. Depending on the situation, the teams may also work independently of each other for parts of the exercise, bringing the test environment closer to reality.

Using a SOC provider for purple teaming can also be an advantage: such a provider has additional options for making the test more comprehensive. With a high level of cybersecurity expertise and up-to-date tools and methods, the SOC provider can tailor the process to your company's specific needs and make full use of the potential of purple teaming.