PURPLE TEAMING

What Is Red Teaming?

Instead of focusing on merely presenting exploitable vulnerabilities to an Infosecs team, Red Teams have traditionally been focused on achieving defined objectives.  They have actively taken on the role of the aggressor, practicing offensive security techniques so as to reach the defined goal or objective.  Red Teams typically only ever need to identify 1 way of achieving the objective.  They are not expected to iterate through every possible permutation to determine all possible paths to achieving the objective.  (This exercise would be more of an attack path, attack tree activity).

In sophisticated penetration testing engagements, security professionals often conduct red teaming exercises to deliver objective-based assessments of an organisation. For instance, an objective might be to determine whether a sophisticated external attacker could gain access to an internal database system and exfiltrate a specific set of sensitive records. In this instance, the red team would simulate an external threat actor and determine whether they could find a series of exploitable vulnerabilities that would cause them to exfiltrate sensitive data from the target database.

What Is Blue Teaming?

The blue team are expected to be the defenders.  They need to defend against every single attack that is launched by the red team.  For the blue team to be effective, they need to be able to defend against all attacks, all of the time.  Blue teams need access to log data, SIEM data, threat intelligence data and to network traffic capture data. The blue team needs to be able to analyse vast swathes of data and intelligence to detect the proverbial needle in the haystack.

The Need For Purple Teaming

There is increasing recognition that Red Teams and Blue Teams should work together; thus creating a Purple Team.  This purple team isn’t necessarily a new ‘uber specialised team’, but rather a combination of both existing red team and blue team members coming together.  It might be regarded more as a process (that engages red and blue together), as opposed to a unique team in its own right.

The red team should be conducting objectives-based assessments that mimic known and quantifiable threat actors. As part of this process, the threat actor’s Tactics, Techniques and Procedures (TTPs) should be known.

The blue team must educate themselves around these TTPs, and build and configure their detection and response capability in-line with these known approaches. For instance, if a threat actor is known to use spear-phishing as part of a campaign, the blue team must ensure that it has the ability to detect and respond to spear-phishing activity. It is no use relying on SIEM technology in the hope that it will alert you to a spear-phishing campaign if the mail servers and relays are not configured to log or alert on specific types of mail content.

If a threat group is known to be trying to exfiltrate sensitive data from a specific industry or market segment, the red team should be attempting to simulate this type of activity. As an approach, this might result in the red team compromising an end-user host, with the intent of reusing their credentials to launch further information gathering campaigns across the internal network infrastructure.

The end objective of the red team might be to escalate their credentials to access a core database before exfiltrating traffic through a web-based protocol into a cloud-based service provider. The blue team needs to have tools and techniques that give them the ability to detect this type of traffic at every hurdle. The blue team needs to be able to respond to the attack and prevent the red team from carrying out its objectives.

By creating a scenario where the Red Team and Blue team work together, (Purple Team), organisations will be able to benefit from much more tailored, real-world assurance.  The blue team will be able to measure their detection and response capabilities in a way that is much more closely aligned with real-world threats.

How Purple Teaming Helps

It is clear that the penetration testing sector and red teams in particular can really sharpen an organisation’s detection and response capability. Through the sharing of intelligence data across the purple teaming process, it is possible to understand threat actors’ TTPs. By mimicking these TTPs through a series of red team scenarios, the blue team has the ability to configure, tune and to improve its detection and response capability.

Too often an organisation gets compromised, and the Blue Team does not see a thing. This is not because of poorly skilled or ineffective people, process or technology. It is merely the case that the threat actor used a technique that goes undetected. By delivering Purple teaming engagements, Organisations are able to address this challenge head on.  To understand more about how LRQA Nettitude can help you with your purple teaming requirements, please complete our contact form and a consultant will respond to your enquiry.