Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

7/13/2016
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Purple Teaming: Red & Blue Living Together, Mass Hysteria

When you set focused objectives for the red team, you get your blue team to work the weak muscles they need trained most.

Red teams beat up on blue teams all the time. However, while there can be plenty of sore muscles on both sides, they're not always the muscles that needed the most exercise: security teams don't always learn as much from the bruising and battering as they could. Enter "purple teaming" -- an exercise in which every bruise and muscle strain has a purpose.

In a purple team exercise, the red team's objective is to test the effectiveness of a specific security control or to challenge the blue team on a specific skill set. The objective would usually be set by someone who is familiar with the security team's needs -- an incident response manager, CISO, or security operations director. 

Chris Gates, senior incident response engineer at Uber, and Haydn Johnson, senior consultant of KPMG Canada, will outline the ins and outs of the technique Oct. 18 at SecTor Canada in their session, "Purple Teaming the Cyber Kill Chain: Practical Exercises for Management."  

"The mindset is about working together," says Johnson. He likens it to sparring with a partner instead of merely shadowboxing in a mirror. It's also better than getting into a street fight.

Gates says the idea appealed to him because after years of being on the red team side and watching most blue teams fail to improve their defenses even after an exercise, he'd become disillusioned with his role.    

"I wanted to be a fixer instead of a breaker," he says.

Johnson and Gates gave a few examples of how purple teaming can be used: If an organization has implemented ways to limit the effectiveness of Mimikatz, for example, the red team's efforts would focus on trying to run Mimikatz. If the sec ops director wants his or her team to have practice responding to a malware attack on a corporate device on corporate wifi, the red team would build their attack accordingly. Generally, the blue team would not be informed ahead of time, and they approach the event as a real incident.

Purple teaming does not need to be a Herculean endeavor; it merely needs to accomplish the particular objective. At Uber, Gates says, the exercise might be an "active adversarial simulation," but it might also just be a controlled test or a table-top exercise. If the goal is simply to test the effectiveness of a security tool, Johnson and Gates explain, a purple team exercise may be as simple as an attempt to get a malicious email past the mail proxy. 

Another key part of purple teaming is what happens after the exercise: both red and blue teams share information about their experiences -- the attacks, the alerting and instrumentation, the detection and response procedures. The goal of a blue team vs. red team exercise in this case is ultimately to make the organization better, not to be adversarial. 

By purple teaming, "I get to see what my attacks look like on the other side, which makes me a better attacker," Gates says. 

You might think that this takes giant squadrons of people and months of planning. Johnson and Gates say it needn't be that way: One or two internal people, plus consultants as necessary, can get the job done.  

Gates says, though, that while purple teaming doesn't need a big team, it does need a mature team. An immature security organization won't have the knowhow to set the objectives and "know where the gaps in knowledge are."

"I don't think you can do it with a one-man shop" without consultants, Gates says.

Though they wouldn't go quite as far as to say that purple teaming would save an organization money, Gates and Johnson say purple teaming lets them put time and money where it's most needed in an organization. 

Related Content:

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MichaelS90701
50%
50%
MichaelS90701,
User Rank: Apprentice
7/14/2016 | 8:20:32 AM
This isn't new
This concept has been around for several years. Mark Kikta was on of the pioneers of the concept in his BSides Jackson talk in 2013 and Dave Kennedy has been speaking about it fit several years, At least one company uses it in their business model, since the own trademark on the term, while several others use the actions of purple teaming in their business model. A quick Google search of the term Purple team will show some examples of Mark and Daves talks. Just saying, the article makes it sound like Gates and Johnson pioneered this concept and they did not. While a very relevant talk, this would be better served delving into the history behind it, I'd recommend contacting both Mark and Dave for background.
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Another COVID-19 Side Effect: Rising Nation-State Cyber Activity
Stephen Ward, VP, ThreatConnect,  7/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.
CVE-2020-15008
PUBLISHED: 2020-07-07
A SQLi exists in the probe code of all Connectwise Automate versions before 2020.7 or 2019.12. A SQL Injection in the probe implementation to save data to a custom table exists due to inadequate server side validation. As the code creates dynamic SQL for the insert statement and utilizes the user su...