Purple Teaming is More Than Just Red & Blue Team Collaboration

Purple teaming is often perceived as the collaboration between the red and blue teams. Many know it as the joining together of the attacker and defender forces to come up with a stronger cybersecurity posture. It is more complex than plain collaboration, though.

It is not as simple as having both the blue and red teams together or getting new members to form a new team. In fact, no new team is created. Instead of establishing a new group, what purple teaming requires is a change in mindset and someone with the right skills to lead the endeavor.

“The role will not require a new team member, but someone who is dual-hatted to lead purple teams forward in a threat-informed defense strategy,” says former Chief Strategy Officer for Cyber Policy Jonathan Reiber, who is also a co-author of the book Purple Teaming for Dummies. Reiber attests to how purple teaming helped the Pentagon in dealing with aggressive cyber attacks.

Leveled-up collaboration

To be used in the military and be successful in serving its purpose, there has to be something more than collaboration in purple teaming. Cybersecurity experts working together to formulate strong defenses against attacks are nothing new. In fact, security firms worldwide are in constant collaboration to detect, track, and address all kinds of cyber threats.

Groups such as the Cyber Threat Alliance, the Trusted Computing Group, and the Global Cyber Alliance regularly exchange information about the most recent threats and attacks to come up with a collective level of cyber protection that benefits everyone. They also work together towards the development of security best practices and the accelerated development and adoption of new and more effective security technologies.

However, these collaborations cannot cover everything necessary to achieve optimum protection from cyber attacks. They are great at collecting and analyzing cyber threat intelligence but not dynamic enough to respond appropriately to new threats that continuously get re-tooled to bypass security controls or take advantage of newly discovered vulnerabilities in devices and networks.

What makes purple teaming different for it to be a level higher than conventional collaboration? This is its focus on becoming “threat-informed.” A purely defensive security strategy no longer suffices given the rapid evolution of cyber attacks and the persistent ingenuity of bad actors. Rectifying misconfigurations, software patching, and the deployment of state-of-the-art security solutions are crucial, but they must be complemented by inputs or insights based on an adversary’s perspectives to provide well-rounded protection.

As Rieber noted in a webcast on threat-informed defense and purple teaming, security teams are transitioning to a threat-informed defense strategy to improve cybersecurity effectiveness. There is a need for a change in mindset, not just the enhanced collaboration among experts in network defense.

Change in mindset

Rieber identifies three important lessons that drive this new paradigm: the need to understand the adversary’s approach, the identification of valuable data and defense capabilities, and the establishment of tight bonds between the red and blue teams to test defenses. Conventionally, organizations spend most of their resources on the blue or network defense team.

“Blue teams were naturally larger given their ever-expanding responsibilities and, over time, compliance requirements. Red teams were smaller and testing occurred periodically and not at the requisite scale to validate the blue team’s defense effectiveness,” says Rieber. As such, if collaboration is bolstered without a change in mindset based on the lessons mentioned above, it will continue to go along the traditional blue/red organizational paradigm.

It is like security firms taking advantage of operational alliances for cybersecurity to augment their threat identification and response capabilities. They forge partnerships with other cybersecurity firms and cyber threat intelligence sources but are fixated on the same defensive concerns.

If they were to broaden their perspectives and adopt a threat-informed approach, they would consider something out of the ordinary like using an automated purple teaming solution designed for managed security service providers (MSSPs). No matter how good cyber threat intelligence is, if the focus is stuck on conventional defensive priorities, it would be a challenge to greatly improve threat-hunting skills, SOC detection capabilities, and incident response processes.

Purple teaming facilitates the correlation of security control findings and the validation of their effectiveness. It can significantly improve APT resiliency while reducing detection and response mean times. Moreover, when using automated and granularly customizable purple teaming modules, MSSPs can produce reusable template-based security tests that can be trained to focus on specific stages of a cyber attack situation or even a full kill chain APT event.

Purple teaming and MITRE ATT&CK

MITRE ATT&CK is also a form of global collaboration among cybersecurity experts, but what makes it different is that it emphasizes the importance of keeping abreast with and thoroughly understanding adversarial attacks. As the name itself bears out (ATT&CK stands for Adversarial Tactics, Techniques, and Common Knowledge), the framework’s goal is to inform cybersecurity teams of the latest attacks so they can be more prepared in dealing with them.

Established in 2013, MITRE ATT&CK is a relatively new framework that provides a globally accessible curated knowledge base of cyber adversarial tactics and techniques. It depicts the different phases of the life cycle of an adversarial attack and the platforms they are targeting. It is integrated into many modern cybersecurity solutions to systematically challenge existing security postures and come up with insightful assessments and meaningful optimizations. It is worth noting that end-to-end coverage of this framework has become the gold standard for automated and continuous security testing solutions.

Collaboration emphasizing common goals

Traditional blue and red teaming entails the isolation of the defense and attack teams for them to undertake the tasks without previous knowledge that can influence their actions. It simulates what happens in the real world wherein internal cybersecurity departments (blue teams) are unaware of what potential attacks they will face while hackers or cybercriminals do their best to find and exploit vulnerabilities.

The problem with this kind of setup, though, is that teams tend to branch out into their specific goals and the likelihood of unnecessary cut-throat competition. Certified Mattia Reggiani has a good summary for this: “Typically, the two groups never speak: the red team is hired by the CSO…without informing its own technical departments. After finishing this engagement, if the results and the follow-up of the walkthrough are not communicated to the blue team in a useful way.”

Purple teaming stresses the importance for organizations to understand adversarial attacks better. It is not enough that they know the results of the cyber-attack simulations. Even if the simulated cyber-attacks were blocked, they cannot settle with the satisfaction of knowing that their security controls were able to hold up. It is important to know if variations or modifications of the attacks can also be prevented.

The red team can offer valuable insights on possible vulnerabilities that may have not been detected because of certain circumstances. Similarly, the red team can learn something from the blue team on how they can tweak their attacks to penetrate defenses. They cannot settle with just fulfilling their narrow respective goals.

Purple teaming is more than just simple collaboration. It entails the broadening of perspectives and the exploration of different approaches and scenarios that would otherwise be ignored if the red and blue teams are working in silos. It is about being threat-informed while emphasizing the achievement of common goals, which are mainly about optimizing the cyber protection of an organization.