Do We Need a Purple Team?
A good way to think of a Purple Team is as a mixture of the Red Team (the sword) and the Blue Team (the shield) in the pentesting process: professional hackers who both simulate attacks and protect an organization's information.
Concept
In cybersecurity, organizations should understand that a Purple Team is a communication bridge that allows Blue and Red Teams to work together in a simulated cyberattack. The main goal is to help improve the organization's security posture. In other words, a Purple Team can help coordinate both teams and increase their effectiveness.
We have to be careful with the implementation and execution of a Purple Team [1], as Julian Arango [2] says:
In some cases, this interaction can bring about malfunctions inside organizations, especially when the affected parties are biased by their interests and can manipulate or steer the results of a pentest.
What does a Purple Team do?
Its important functions are [3]:
Analyze: They analyze the behavior and interactions between the Red and Blue Teams. Throughout the process, they can also generate recommendations, suggestions, and improvements for both parties. However, in practice, if there are no well-defined cybersecurity objectives [4] and there are personal interests regarding the test outcome, a conflict of interest is likely. The organization can then encounter a variety of problems, including tampering with pentesting outcomes and a lack of blind-spot detection [5], among others.
Detection: They observe how the Red Team bypasses the detection capabilities of the Blue Team.
Remedial Actions: They can suggest fixes to avoid vulnerabilities.
Transfer: Ultimately, a company derives the maximum value from a Purple Team exercise by applying the new knowledge it acquires while, at the same time, ensuring stronger defenses to guard its information.
When does an organization need a Purple Team?
When Red and Blue Teams get out of sync with each other and/or have cooperation issues, it's time to consider using a Purple Team. Some common causes that signal the need for a Purple Team are [6]:
Bad Politics: Bad organizational politics does not encourage a good flow of internal information within an organization. An organization may evaluate the success of the Red Team by the number of failed controls on the Blue Team's side, while the success of the Blue Team may be evaluated by the number of alerts. Therefore, neither party is motivated to share information.
Slow Feedback Loop: Needed information moves too slowly between the Red and Blue Teams or, in some cases, does not move at all. There is poor communication between the teams.
Mindset: Each team works separately to obtain its own objectives. For instance, the Red Team refines its offensive exploits, while the Blue Team refines its defensive findings. This mindset can weaken and damage the overall security system of an organization.
Arrogance: Each team believes it is superior to the other, and therefore neither team recognizes the need to share information.
Restricted: The Red Team is pulled inside the organization and becomes restricted, ultimately resulting in a catastrophic reduction in its effectiveness.
Bad Design: The Red Team and Blue Team are not designed to interact with each other continuously, as a matter of course. Therefore, lessons learned on each side remain within that team and are effectively lost to the other.
Separate Efforts: Information security management does not see the Red and Blue Teams as cooperating partners within the same work project. There are no shared metrics between them.

Figure 1. Red vs Blue. Source: Photo by Samuel Zeller on Unsplash.
If your organization has one or more of these issues, a Purple Team could be your solution. Rather than treating it as a separate group of people, organizations should consider a Purple Team as a bridge that facilitates the most effective communication possible between Red and Blue partners.
What is not the solution?
It is not, under any circumstances, recommended that an organization use
a permanent and separate Purple Team as intermediaries between the Red
and Blue Teams. This would not solve the underlying problem, which is a
breakdown in communication and collaboration between these teams.
So what are the possible solutions?
We need to improve communication and cooperation between the teams. The following techniques can be used to accomplish both.
Team Engagement: A third party analyzes how the Red and Blue Teams regularly communicate and cooperate. Based on this analysis, the third party makes recommendations. This measure is temporary and finite. The main goal of this technique is [7] to make the communication process smoother and to ease knowledge transfer.
Team Exercise: Both teams are monitored in real time to see how they work. The main goal of this technique is [8] to evaluate your security controls and your ability to detect attacks at each stage: initial compromise, lateral movement, command-and-control communications, and data exfiltration. This technique enriches and validates the detection mechanisms used in situ and helps to identify and reduce cyberattack paths.
Team Meetings: Periodically, the Red and Blue Teams meet to share knowledge and give feedback about the attacks and defenses used in the pentest process.
The benefits of appropriate implementation
Appropriate implementation will create a better flow of information between the Red and Blue Teams: the Red Team will learn how the Blue Team is detecting and mitigating its offensives, and the Blue Team will understand how the Red Team is bypassing its defenses. This loop of enhanced communication and knowledge sharing between the teams improves the organization's security posture.
Conclusion
A Purple Team should be understood as a temporary intermediary that facilitates communication and collaboration between the Red and Blue Teams, allowing information to flow in a continuous loop that enhances the abilities of both. Under no circumstances should it be used as a permanent group to mediate the relationship between the Red and Blue Teams.
References
This is a Security Bloggers Network syndicated blog from the Fluid Attacks RSS Feed, authored by Alejandro Herrera. Read the original post at: https://fluidattacks.com/blog/purple-team/

