
With the threat landscape evolving faster than most can respond, understanding and embracing approaches such as purple teaming is becoming paramount.
It goes beyond the mere cataloging of vulnerabilities, transcending traditional pen testing methods. By intertwining the best of both red and blue teams — the offensive and defensive worlds — purple teaming fosters an environment of collaboration, understanding, and resilience. Initiating these practices early, nurturing collaboration through precursor activities, and addressing pentest findings as a unit, can set organisations on a path of true cyber resilience.
It ensures not just a strong defensive posture, but an adaptable, unified, and proactive approach to threats.
Understand what a purple team is and isn’t
The emergence of the purple team concept has been both a revelation and, occasionally, a source of confusion. At its core, a purple team isn’t merely an extension of pen testing; it represents a symbiotic blend of the offensive prowess of the red team and the defensive expertise of the various blue team functions. While pen testing seeks to validate vulnerabilities in a system’s armor, purple teaming delves deeper, exploring how these vulnerabilities can be both exploited and efficiently defended against in real-world scenarios.
Purple teaming is a function of collaborative security. Historically, it has brought together offensive security engineers or pen testers from the red side of the team and investigators, detection engineers, and CTI analysts from the blue side. More recently, however, purple teams have looked very different, drawing in developers, architects, information system security officers, software engineers, DFIR teams, and BCP personnel, as well as other departments.
To view the purple team simply as a tactical unit would be an oversimplification. Beyond the immediate operational benefits, the true value of a purple team lies in fostering cyber resilience. It is about building an organisational capability that can not only withstand cyber threats but also adapt and recover swiftly from them. By collaboratively assessing, learning, and adapting, the purple team approach instills a resilience mindset, ensuring that the organisation is prepared for evolving cyber threats and is capable of bouncing back even when breaches occur.
In essence, understanding the true nature of purple teaming requires recognising its dual mandate: to provide a comprehensive, real-world evaluation of cyber vulnerabilities and to bolster the organisation’s overarching cyber resilience. It’s not just about finding weaknesses, but about continuously strengthening and adapting the fortress.
Use collaborative precursor activities to purple teams
Before diving into full-fledged purple team exercises, organisations can benefit immensely from precursor activities such as threat modeling and tabletop exercises. These are not required but highly recommended. Collaborative efforts provide teams with a platform to communicate, understand shared objectives, and delineate potential threats in a controlled environment.
Threat modeling, for instance, serves as an invaluable bridge between offensive and defensive mindsets. It allows builder (yellow) teams, defender (blue) teams, and occasionally members of offensive (red) teams to jointly analyse potential threat vectors, identify vulnerabilities, understand the potential impacts on the organisation's assets, and prioritise remediating them. Additionally, results from the threat model exercise can drive targeted testing efforts in the first purple team exercises, focusing on control validation and baselining defenses: each threat identified in the model becomes a test case, and each test case records whether the expected control prevented, detected, or merely logged the action. This shared understanding ensures that when the purple team exercises commence, both sides possess a unified vision and strategy.
Similarly, tabletop exercises can simulate real-world cybersecurity incidents, promoting a collaborative response and offering insight into potential gaps in protocols or communication. All too often, the first time these teams work together with a shared interest or common objective is in response to a real-world incident or event. In fact, it is often the first time most incident response procedures and personnel are put to the test.
Bringing teams together to flesh out an efficient and effective incident response procedure for the company is an ideal first step towards purple team operations. These teams do work closely throughout the purple exercise, and it can work even if that is the first time they meet. Having prior rapport and familiarity with each other's procedures and people, however, ensures that when the red and blue teams converge to form a purple team they're not meeting as strangers but as collaborators with a mutual understanding and shared goals.
Put a purple team together sooner
Many organisations begin a purple team program after sophisticated and robust red team programs have created a finding backlog and a general sentiment of blue team defeat. This results in exhausted, demoralised defenders and expensive, under-utilised offensive teams. The purple team doesn’t need to come after adversarial emulation on the roadmap, it doesn’t even need to wait until after pen testing. It should be done much, much sooner in maturity to maximise its benefits.
Implementing purple teams early on in the cybersecurity roadmap ensures the synergy of both teams right from the onset. It efficiently leverages their unique skills for immediate feedback and remediation, reducing long remediation cadences and preventing the accumulation of a vulnerability backlog, ensuring a proactive defensive posture.
It also eliminates the "us versus them" mentality many red teams encounter with the blue side, because both work towards a common goal in the same trenches from the outset. They get to work together as allies, leaning on each other's expertise and building the continuous feedback loop that offensive operations should have with remediation teams. Further down the line, this results in less dissension and opposition to testing approaches such as "assumed breach" and clandestine-style operations. The baselining and defense-in-depth testing that results from purple teaming also means that when the clandestine stage does arrive, defenses and investigators will stand a better chance.
By re-envisioning the cybersecurity maturity roadmap, organisations can build a culture of collaboration, unity, and shared goals. This early integration not only avoids the pitfalls of the traditional sequential approach but also maximises the benefits of combined offensive and defensive strategies.
Purple team pen test findings
Pairing offensive testers with the seemingly overwhelmed defenders who have to fix everything they find is one of cybersecurity's most intricate dances. But these are growing pains worth enduring, because the insights unearthed from pen testing are invaluable, and uncovering and working through them is less adversarial and less demoralising when done within the purple team framework. When a pentest concludes, the findings should not merely be cataloged and shelved but should serve as a nexus for collaborative action between the offensive and defensive teams.
Such findings, when shared in a holistic manner, enable the blue team to gain a deeper understanding of potential threats, real-world attack vectors, and areas requiring immediate attention. Instead of a one-sided critique, the red team can offer insights into the tactics, techniques, and procedures (TTPs) they employed, while the blue team can propose defensive measures and strategies for remediation. This dynamism fosters a learning environment, where the insights from pen testing evolve into actionable intelligence.
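The control validation and baselining described in the threat modeling section, and the joint handling of red-team TTPs and blue-team remediation described here, both come down to keeping one shared ledger that both sides write to. The following is an added example, not code from the article: a small Python ledger in which each red-team action carries the outcome the blue team observed and the impact rating assigned during threat modeling, from which a defensive baseline per tactic and a prioritised remediation list are derived. The outcome scores, the priority formula, and every test case and result below are constructed assumptions for illustration; the technique ids are real ATT&CK ids chosen as sample data, not findings from any engagement.

```python
"""Purple team control-validation ledger (added example, not from the article).

Each test case pairs a red-team action (an ATT&CK technique id plus a short
description) with the outcome the blue team observed when it was run. Outcomes
are scored so the exercise yields a defensive baseline per tactic and a gap list
ordered by threat-model impact. All data below is constructed sample input.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed outcome scoring: how much of the defensive chain worked for an action.
OUTCOME_SCORE = {
    "prevented": 1.0,   # control blocked the action outright
    "detected": 0.75,   # action succeeded but an alert fired
    "logged": 0.25,     # telemetry exists but no alert was raised
    "missed": 0.0,      # no prevention, no alert, no usable telemetry
}


@dataclass(frozen=True)
class TestCase:
    technique: str      # ATT&CK technique id (sample values chosen for illustration)
    tactic: str         # tactic the technique belongs to
    description: str    # what the red side actually did
    outcome: str        # one of the OUTCOME_SCORE keys
    impact: int         # 1-5 impact rating carried over from threat modeling


def validate(cases):
    """Reject malformed ledger entries before any scoring happens."""
    for c in cases:
        if c.outcome not in OUTCOME_SCORE:
            raise ValueError(f"{c.technique}: unknown outcome {c.outcome!r}")
        if not 1 <= c.impact <= 5:
            raise ValueError(f"{c.technique}: impact must be between 1 and 5")


def baseline_by_tactic(cases):
    """Mean outcome score per tactic: the defensive baseline of the exercise."""
    validate(cases)
    scores = defaultdict(list)
    for c in cases:
        scores[c.tactic].append(OUTCOME_SCORE[c.outcome])
    return {t: round(sum(s) / len(s), 2) for t, s in scores.items()}


def prioritised_gaps(cases):
    """Gaps ordered by impact * (1 - coverage), so high-impact misses come first."""
    validate(cases)
    gaps = [c for c in cases if OUTCOME_SCORE[c.outcome] < 1.0]
    return sorted(gaps, key=lambda c: c.impact * (1 - OUTCOME_SCORE[c.outcome]), reverse=True)


def remediation_plan(cases):
    """One (technique, action) pair per gap, phrased as a joint red/blue task."""
    plan = []
    for c in prioritised_gaps(cases):
        if c.outcome == "missed":
            action = "add telemetry, then build detection"
        elif c.outcome == "logged":
            action = "build detection on existing telemetry"
        else:
            action = "tune preventive control or accept with detection"
        plan.append((c.technique, action))
    return plan


# Constructed sample results from a hypothetical first purple team exercise.
SAMPLE_CASES = [
    TestCase("T1059.001", "execution", "PowerShell download cradle", "detected", 4),
    TestCase("T1204.002", "execution", "user opens macro-enabled document", "logged", 3),
    TestCase("T1003.001", "credential-access", "LSASS memory dump", "prevented", 5),
    TestCase("T1021.002", "lateral-movement", "copy to SMB admin share", "logged", 4),
    TestCase("T1078", "persistence", "re-use of a valid account", "missed", 2),
    TestCase("T1486", "impact", "file encryption in a test share", "missed", 5),
]

if __name__ == "__main__":
    for tactic, score in baseline_by_tactic(SAMPLE_CASES).items():
        print(f"{tactic:18} baseline {score}")
    for technique, action in remediation_plan(SAMPLE_CASES):
        print(f"{technique:10} -> {action}")
```

The priority formula deliberately ranks a missed low-impact technique below a merely logged high-impact one, which is the trade-off the two teams should argue over together rather than leave to whoever files the tickets.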
The organisation then emerges from the pentest not with a sense of unease over an increased and unmitigated attack surface, but from a place of objective due diligence, assurance, and improved resilience. This is the ultimate goal of a purple team program.