Leverage purple teams to proactively detect, prevent and respond to threats | SC Media

January 15, 2021
Walmart has been one of the leading pioneers in developing purple teams. Today’s columnists, Timothy Nary and Clayton Barlow-Wilcox of Booz Allen, offer insight into how purple teams can boost overall security efforts. JoNaylor CreativeCommons (Credit: CC BY 2.0)
  • Is the company monitoring and collecting the right data?
  • What data should the team keep and for how long?
  • Does the team trust all the rules, watchlists, and alerts from vendors and third parties?
  • Validation of true positives. Have the analytics been validated against an actual attack, ensuring that they will detect what’s expected? Without a true positive test case, purple teams are often lulled into a false sense of security as mistakes slip through the cracks. Examples are typos or syntax errors, a misinterpretation or false assumption made by the analytic author, or a misinformed or misrepresented attack in the threat intelligence source.
  • Confidence. How often do the analytics produce false positives? Make sure the team has an acceptable number of results. As in other areas of security, consider a defense-in-depth approach with multiple analytics covering the same techniques at different confidence levels. And consider the context: intelligence about what activities are “normal” can’t be gleaned from an alert or event log alone. The team may need to enrich its analytics with other sources of data.
  • Robustness. How effectively do the analytics detect different variations of an attack? These are often very subtle, like command line parameters being in a different order, or the use of additional spaces. Keep in mind that as an analytic becomes more robust, it also may pick up more false positives.
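The three criteria above (true-positive validation, confidence, robustness) can be exercised with a small test harness. The following is an added example, not code from the article or from Booz Allen: it runs three versions of one detection analytic over constructed process-creation events (the tool name `backup.exe`, the flags, the hostnames and the user names are all hypothetical placeholders) and reports how many true positives each version catches and how many benign events it flags. The naive version shows why a true-positive test case matters, the tokenized version shows the robustness gain against reordered and re-spaced arguments, and the enriched version shows how context (which account normally runs the tool) brings false positives back down.

```python
"""Validate detection analytics against true-positive and benign test cases."""
import shlex
from typing import Callable, Dict, FrozenSet, List

Event = Dict[str, str]
Analytic = Callable[[Event], bool]

# Constructed sample events (hypothetical tool, flags, hosts and accounts;
# none of these are indicators from any real incident).
EVENTS: List[Event] = [
    # True positives: the attack as first documented, plus subtle variations.
    {"label": "attack", "user": "svc-web", "cmd": "backup.exe --dump --remote 10.0.0.5"},
    {"label": "attack", "user": "svc-web", "cmd": "backup.exe --remote 10.0.0.5 --dump"},       # reordered
    {"label": "attack", "user": "svc-web", "cmd": "backup.exe   --dump   --remote  10.0.0.5"},  # extra spaces
    {"label": "attack", "user": "svc-web", "cmd": "BACKUP.EXE --Dump --Remote 10.0.0.5"},      # case change
    # Benign activity: the backup service account doing its scheduled job.
    {"label": "benign", "user": "svc-backup", "cmd": "backup.exe --dump --remote 10.0.0.9"},
    {"label": "benign", "user": "svc-backup", "cmd": "backup.exe --remote 10.0.0.9 --dump"},
    {"label": "benign", "user": "svc-backup", "cmd": "backup.exe --dump --local"},
    {"label": "benign", "user": "alice", "cmd": "notepad.exe notes.txt"},
]


def naive_analytic(event: Event) -> bool:
    """Literal substring match: only fires on the exact command line seen once."""
    return "backup.exe --dump --remote" in event["cmd"]


def tokens(cmd: str) -> List[str]:
    """Split the command line into lower-cased tokens so spacing and case are ignored."""
    return [t.lower() for t in shlex.split(cmd)]


def robust_analytic(event: Event) -> bool:
    """Compare the binary and the set of flags, so argument order does not matter."""
    t = tokens(event["cmd"])
    return bool(t) and t[0].endswith("backup.exe") and {"--dump", "--remote"} <= set(t)


# Hypothetical context: the accounts for which this tool usage is normal.
EXPECTED_USERS: FrozenSet[str] = frozenset({"svc-backup"})


def enriched_analytic(event: Event) -> bool:
    """Robust match, enriched with account context to suppress expected activity."""
    return robust_analytic(event) and event["user"] not in EXPECTED_USERS


def evaluate(analytic: Analytic, events: List[Event]) -> Dict[str, float]:
    """Return the detection rate over labelled attacks and the benign events flagged."""
    attacks = [e for e in events if e["label"] == "attack"]
    benign = [e for e in events if e["label"] == "benign"]
    tp = sum(analytic(e) for e in attacks)
    fp = sum(analytic(e) for e in benign)
    return {"true_positive_rate": tp / len(attacks), "false_positives": float(fp)}


# Defense in depth: several analytics for the same technique at different confidence levels.
ANALYTICS: Dict[str, Analytic] = {
    "low (naive substring)": naive_analytic,
    "medium (tokenized flags)": robust_analytic,
    "high (tokenized + account context)": enriched_analytic,
}


def validate_all() -> Dict[str, Dict[str, float]]:
    """Run every analytic against the test cases; a 0.0 detection rate fails validation."""
    return {name: evaluate(fn, EVENTS) for name, fn in ANALYTICS.items()}


if __name__ == "__main__":
    for name, result in validate_all().items():
        print(f"{name:36s} TP rate={result['true_positive_rate']:.2f} "
              f"false positives={int(result['false_positives'])}")
```

Run as a script, the report shows the trade-off the article describes: the naive analytic catches one of four attack variants, the tokenized one catches all four but flags two more benign events, and only the context-enriched version keeps full coverage with no false positives on this sample. Replacing the constructed events with exported true-positive and baseline events from the organization's own logs turns this into a regression test that can run whenever an analytic is edited.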
  • Common management and leadership. Define collective goals that drive risk reduction across the cyber defense team.
  • Processes that encourage frequent communication. Break down siloes and encourage integrated approaches to historically separated operational teams.
  • Metrics that track and encourage collaboration. Incentivize openness in reporting measurements and gamify the experience where possible.
  • Functions that build upon previous activities to remove risk from the system. Take advantage of existing data sources and tools and optimize risk activities across the cybersecurity program portfolio.