
GUEST ESSAY: Here’s why ‘purple team’ mock attacks trump traditional ‘red team’ assaults

Purple teaming is a way to use red teaming to understand and improve your defensive posture. Militaries improve operations through wargames. In the 1820s, the Prussian military labeled the two teams for this as “red” and “blue,” with red traditionally associated with the attackers, while blue represented the defender.


With increased dependence on computers, the military applied this war-gaming concept and color scheme to cyber. It became clear that the blue team could benefit from a more collaborative relationship with red, leading to the creation of “purple teaming.”

This collaboration is the key ingredient to successful purple teaming. The blue team decides on specific threats they want to test themselves against, and the red team emulates those threats. The red team helps the blue team understand what’s working – and what they’re missing – by sharing information about their actions. By seeing the blue team’s defenses, the red team can modify their attack to highlight defensive gaps relative to real threats.

Marshaling defenses

While traditional red teaming often aims to motivate a network owner to take the threat seriously and identify vulnerabilities, purple teaming focuses on illuminating exactly what actions defenders must take to effectively mitigate or respond to the Tactics, Techniques, and Procedures (TTPs) of real adversaries. This allows cyber defenders to gain valuable insight about what realistic malicious TTPs will look like in their network and how they are impacted by existing defenses.


The entire process is a much more collaborative effort to truly understand how the current defenses are working and where improvements can be made. With increased communication, defenders can confidently and rapidly design, test, and tune new defenses to keep pace with the constantly evolving threat landscape.

Although it’s still somewhat of a niche practice, there’s a great opportunity to provide defenders more resources to effectively defend their organizations through purple teaming. Also, implementing it on a regular cadence – weekly, monthly, or quarterly – can be beneficial. This way, it’s a regular part of security operations and the industry will see more cases where the first targeted organization detects and stops an attack.

One of the biggest benefits provided by purple teaming is that it leads to meaningful and actionable insight for the defenders. It clearly shows them their current posture, both strengths and weaknesses, against real-world TTPs, so they can see what is and isn’t working and make the appropriate modifications.

The red team can now emulate a known threat that the defenders are very likely to encounter and the blue team will now have known malicious activity in their data to validate that their mitigations and detections will work.

It’s like a scientific experiment, where teams can repeatedly control and update each variable until the desired outcome is achieved.

Flexibility is essential

However, there are a couple of challenges associated with implementing purple teaming. For example, there’s often a psychological challenge. It’s human nature to always want to “win,” but in the case of purple teaming, the red team can’t be preoccupied with getting the best of defenders. Both sides need to ensure they’re using a repeatable and intelligible process that can mitigate this challenge.

Teams also must be flexible enough with their plan to achieve what the blue team is trying to accomplish, and clearly communicate what TTPs were used in the event. This means that organizations need a red team that understands real adversary TTPs.

Often, the events detected by the blue team are consequences of the red team actions, but not the actions themselves. The red team and blue team must work together to bridge this gap to check if the blue team detections are connected to the red team actions.
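The validation step described above (known malicious activity in the data, checked against the detections that fired) and the gap between "the action" and "its consequences" can both be made concrete with a small correlation script. The following is an added example, not code from the essay or from MITRE: it takes the red team's timestamped record of emulated techniques and the SOC's alert stream, and for each action reports whether an alert named the same ATT&CK technique, whether only a side effect was seen, or whether nothing fired at all. The hosts, timestamps, alert names and the five-minute window are constructed sample data; the technique IDs are real ATT&CK identifiers used for illustration.

```python
"""Correlate a purple-team red action log with blue-team alerts (added example).

For every emulated technique the red team ran, look at the alerts raised on the
same host within a fixed window after the action and classify the outcome:
  detected         - an alert referencing the same ATT&CK technique fired
  consequence-only - alerts fired, but none name the technique (the blue team
                     saw a side effect of the action, not the action itself)
  missed           - no alert at all in the window
Alerts that fall inside no action window are listed separately: they are either
noise or detections of something the red team did not do, and both deserve review.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed maximum lag between action and alert

# Constructed red-team action log (what was emulated, where, and when).
RED_ACTIONS = [
    {"ts": "2024-03-05T09:00:00", "host": "ws-42",  "technique": "T1059.001", "desc": "PowerShell execution (emulated)"},
    {"ts": "2024-03-05T09:15:00", "host": "ws-42",  "technique": "T1003.001", "desc": "LSASS memory access (emulated)"},
    {"ts": "2024-03-05T09:30:00", "host": "srv-01", "technique": "T1021.002", "desc": "SMB admin share use (emulated)"},
    {"ts": "2024-03-05T09:45:00", "host": "ws-42",  "technique": "T1053.005", "desc": "Scheduled task creation (emulated)"},
]

# Constructed blue-team alert stream. "technique" is the ATT&CK mapping the
# detection rule carries; None means the rule is not mapped to a technique.
BLUE_ALERTS = [
    {"ts": "2024-03-05T09:00:40", "host": "ws-42", "name": "Suspicious PowerShell command line", "technique": "T1059.001"},
    {"ts": "2024-03-05T09:16:10", "host": "ws-42", "name": "Unusual outbound connection",        "technique": None},
    {"ts": "2024-03-05T09:46:05", "host": "ws-42", "name": "New scheduled task created",         "technique": "T1053.005"},
    {"ts": "2024-03-05T10:30:00", "host": "ws-42", "name": "Antivirus signature update",         "technique": None},
]


def _ts(record):
    return datetime.fromisoformat(record["ts"])


def _in_window(action, alert, window):
    """True if the alert is on the action's host and fired within the window after it."""
    start = _ts(action)
    return alert["host"] == action["host"] and start <= _ts(alert) <= start + window


def correlate(actions, alerts, window=WINDOW):
    """Classify each red action as detected, consequence-only or missed."""
    results = []
    for action in actions:
        hits = [a for a in alerts if _in_window(action, a, window)]
        if any(a["technique"] == action["technique"] for a in hits):
            outcome = "detected"
        elif hits:
            outcome = "consequence-only"
        else:
            outcome = "missed"
        results.append({
            "technique": action["technique"],
            "host": action["host"],
            "outcome": outcome,
            "alerts": [a["name"] for a in hits],
        })
    return results


def summarize(results):
    """Count outcomes so the coverage can be tracked exercise over exercise."""
    summary = {"detected": 0, "consequence-only": 0, "missed": 0}
    for r in results:
        summary[r["outcome"]] += 1
    return summary


def unattributed_alerts(actions, alerts, window=WINDOW):
    """Alerts that no red action explains: false positives or unplanned activity."""
    return [a for a in alerts if not any(_in_window(act, a, window) for act in actions)]


if __name__ == "__main__":
    report = correlate(RED_ACTIONS, BLUE_ALERTS)
    for r in report:
        print(f"{r['technique']:10} {r['host']:7} {r['outcome']:17} {r['alerts']}")
    print("summary:", summarize(report))
    print("unattributed:", [a["name"] for a in unattributed_alerts(RED_ACTIONS, BLUE_ALERTS)])
```

On the constructed data the report shows two techniques detected, one seen only through a side effect (the outbound connection after the credential-access emulation, which the detection rule does not tie back to the technique) and one missed outright; the antivirus update alert is left unattributed. Those three buckets are the agenda for the debrief: "missed" needs a new detection, "consequence-only" needs the existing rule mapped or a closer one written, and "unattributed" is a tuning question for the blue team.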

Since cyber operations can often be the most appealing approach for criminals to achieve their goals, one of the best ways to fight back is to hit them where it really counts: their wallets. With a threat-informed approach to defense that includes the benefits of purple teaming, defenders have the potential to make cyber intrusions cost more than they’re worth to adversaries.

About the essayist: Steve Luke is Director of Training and Certification, MITRE ATT&CK Defender.

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-heres-why-purple-team-pen-tests-trump-traditional-red-team-assaults/