Understanding purple teaming benefits and challenges
Blue teams and red teams are coming together to form purple teams to improve their organization's security posture. What does this mean for the rivals? And how does it work?
Purple teaming, a cybersecurity exercise where red and blue teams work together, enables organizations to improve their cybersecurity posture, while simultaneously improving relations and collaboration between these historically separate teams.
Despite the benefits, challenges exist. Red and blue teams are often adversarial due to the competitive nature of their respective goals. Purple teaming aims to bring the two teams together to better develop offensive and defensive security strategies.
In Purple Team Strategies: Enhancing global security posture through uniting red and blue teams with adversary emulation, authors David Routin, Simon Thoores and Samuel Rossier provide organizations the blueprint needed to help red and blue teams work together.
In this interview, Routin, Thoores and Rossier discuss the benefits of purple teaming and how to get started, why the book focuses heavily on blue teams and more.
Check out an excerpt from Chapter 2 on how organizations can adopt purple teaming using a "Prepare, Execute, Identify and Remediate" model.
Editor's note: The following interview has been edited for length and clarity.
Is the purple team a physical team or a joint red-blue team exercise?
Samuel Rossier: It's often a virtual team. People from the blue and red teams come together to perform a purple team exercise together. That's the most common way. I've seen some big organizations create a dedicated purple team, but that's rare.
What are the benefits of purple teaming?
David Routin: Purple teaming improves an organization's security posture by performing regular checks. You can review your current cybersecurity strategy to see how the blue team reacts to attacks. Red teams conduct different threat activities to see how they impact your current security posture. Purple teaming enables higher-ups to see what kind of ROI they're getting for their cybersecurity spend.
Rossier: Purple teaming allows organizations to focus on what threats they will really face and how well the team will handle a threat. Threats can be specialized based on real-world challenges. For instance, I'm located in the UAE [United Arab Emirates], and Iran is a threat here. We often focus on emulating Iran attacks to improve our security posture.
Purple teaming involves red and blue teams, but the latter gets more coverage in the book. Why is that?
Routin: A lot of focus of purple teaming is on the attacks. The SANS purple teaming course even focuses on how to attack, how to automate attacks, etc. But the challenge of purple teaming lies more on the defensive side and the collaboration between red and blue teams. We want readers to understand that purple teaming isn't just for red teams to perform, rather it's a real collaboration between the two teams.
If you want to increase security, use the red team first, then use the blue team to enhance security posture. Teams have to collaborate and feed each other with information to make this work. It's important to implement a purple teaming process to ensure everything works correctly on both sides.
Rossier: The red team runs tools, performs attacks and possibly collects telemetry -- all of which is the easy part. The aftermath and remediation are harder to do -- and those are on the blue team. We wanted to give as many blue team-focused tips as possible to help organizations because, in the end, the final goal of any activity is to enhance the global security strategy of the organization.
Why has purple teaming gained traction? Is it due to the adversarial nature of blue and red teams?
Simon Thoores: A long-time cliche exists around the opposition between red and blue teams. It's true to an extent -- if the red team can compromise the network, the blue team 'lost.' That's why purple teaming has gained popularity. The point of view is that, if you work together, you are better. The red team will help the blue team with their detection methods and determine better configurations that improve the overall security posture.
Routin: It's due to the natural competitiveness between the two teams. Purple teaming has gained traction because it improves both sides of security. The red team can see where it was detected during its attack and respond by performing new kinds of attacks. For the blue team, it gets to see where it was able to detect new or advanced evasion attempts. It's a win-win exercise for both red and blue.
How can organizations get blue and red teams to be friendlier with each other?
Routin: We suggest several ways organizations can improve collaboration between red and blue teams in the book. Above all, it's important to have a purple team manager to not only drive the operation, but also to build a bridge between the two teams. One newer method to improve collaboration between teams is to create purple team assessments around gaps, detection engineering, etc.
Thoores: I'd also suggest organizations sit red and blue teams together so they're near each other often. Working side by side helps team members improve and will boost the security posture overall.
Rossier: Part of the struggle is that not every organization has a red and blue team. It's not uncommon for organizations to not have a red team. It becomes hard to create a bond between teams when one works at a third-party vendor. For those organizations, I recommend, when conducting penetration tests, to have the tester note the time of each action they take. Then, sit them down with the blue team, and have them go through all their pen test steps to help the blue team improve prevention and detection efforts.
You said it's not uncommon for organizations to not have a red team. How can companies conduct purple teaming with just an internal blue team?
Rossier: Purple team exercises can still be done even if an organization only has a blue team. Just outsource the red team to an external provider. This can help organizations save money because they won't need to hire additional employees.
Thoores: Depending on the cybersecurity maturity of an organization, start by doing an internal assessment before implementing a new process or exercise. Then, start training blue teamers to become a little bit red. Or, like Samuel said, hire an external company to play the role of the red team. In the end, the goal is to improve the capacity for defensive evasion and detection engineering, while remaining within your cybersecurity budget.