Threat Hunting, Threat Management

How purple teams deliver actionable data to security pros

Following the SolarWinds hack security pros are turning to purple teams to lock down security. Today’s columnist, Victor Wieczorek of GuidePoint Security, offers a four-step process for deploying a purple team.

In the wake of a multitude of ransomware attacks, fallout from the SolarWinds breach and the Oldsmar water supply attack, CISOs are looking for effective methods to reduce risk beyond traditional means such as penetration testing. Enter purple teams. From healthcare to utilities to government agencies, CISOs are using analysis and reports from these purple team assessments, where both red teams (offense) and blue teams (defense) work collaboratively to assess an organization's systems, uncover areas of vulnerability and exposure, and report to the board organization’s overall cybersecurity posture.

Traditionally, cybersecurity has been an afterthought as organizations leverage technology advances and roll out new tools and features. Even within security, functions often occur within silos – and critical context is missing. 

When people think about the purple team concept, combining red and blue teams makes sense. By working together organizations can have an open discussion and lines of communication between the teams to drive a more practical and meaningful assessment. Deploying these red and blue skills while armed with the understanding of the industry, the key assets, and the customer’s cybersecurity concerns allows for meaningful tests to be crafted with the proper context. Purple Team Assessments combine the pros of red and blue teams while eliminating the cons of doing these in silos, ultimately giving organizations a more collaborative, integrated and robust approach to addressing security issues.

There are four important stages to a purple team assessment:

In this initial stage, red and blue team resources will work to understand the problem statement and:

Validate purple team objectives through standard threat modeling processes – documenting data flows, identifying threats, and inventorying security controls;

Collect relevant documentation and information to understand the architecture, policies, and procedures;

Coordinate discussions with staff to validate existing solutions and visibility available to blue team resources, and tools and capabilities of ted team resources; and

Identify the appropriate time commitment from all stakeholders to balance the value of the Purple Team Assessment with the needs of their day-to-day responsibilities.

Armed with the right context and goals, here’s where the team plans out its assessment. The purple team will:

Develop realistic scenarios based on the highest-risk data flows from the threat modeling exercises;

Determine the assumptions (credentials, access, perspective, knowledge) the red team will start each scenario;

Establish the rules of engagement for each scenario (scope, communication pathways, timeframes);

Tag each applicable step of the scenarios to their appropriate MITRE ATT&CK framework ID to facilitate easy communication; and

Define expected/ideal outcomes of each scenario and establish a threshold for success. Unsuccessful scenarios should be repeated once defensive controls/processes are tweaked.

In the execution stage, the team plans its assessment occurs and also maps out iterations occur, because even the best plans don’t always yield the desired results. In this stage, the purple =team will:

Schedule open collaboration sessions with appropriate security operations, in-house red teamers, and incident response staff during the assessment;

Provide recommendations and incident insights into investigative techniques based on awareness of capabilities and solutions during the assessment; and

Assist with confirmation of relevant detection and prevention outcomes to ensure valuable coverage and progress.

Repeat testing scenarios with unsuccessful/non-ideal outcomes after appropriate mitigation activities have been performed.

In this stage, organizations will gain a better understanding of exploitation techniques, what attacks are actually occurring, and determine if they have the necessary visibility and processes in place to identify an incident in a timely fashion, investigate it and implement the proper remediation. More specifically, the purple team will work with the organization to:

Develop a technical debrief with key observations and associated tactical recommendations;

Translate the technical results to executive language to facilitate strategic discussion around the outcomes to re-prioritize funding and effort as needed;

Finetune their playbooks with what was learned to close that loop and ensure the organization’s plan is based on actual and not theoretical situations; and

Optional: Develop a non-technical “Table Top Exercise” using the outcomes from the purple team assessment. This ensures that it adheres to real-world activities and results.

Purple team engagement are valuable to executives and board members because instead of having a conversation around hypotheticals, the team can show real-world results based on the company’s unique environment, technologies and crown jewels. It changes the discussion from “an attacker could have done this” to “here’s what an attacker did and the impact to our organization.” The company now has something more tangible to discuss at the strategic level on policy, prioritization and funding and can make adjustments based on the findings.

Victor Wieczorek, director of threat and attack simulation, GuidePoint Security

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.