Organizations sometimes choose a full red team exercise as their only form of offensive security testing. However, red teaming is often perceived as an adversarial exercise with little or no visibility into the process until the results are
revealed. Mature security teams practice a valuable collaboration between the red and blue teams, known as “purple teaming,” because offensive activities inform defense, and defensive responses inform offense.
Harnessing this power of purple teaming ultimately means fostering a cooperative combination of red/blue activities. This piece details the prerequisites, roles and responsibilities, as well as best practices for conducting effective purple team exercises.
Using Penetration Testing Vendors
Most penetration-testing companies offer a range of services, from vulnerability scanning, external and internal network testing and critical security control planning exercises, all the way up to the culminating red team exercise.
A small or midsize organization just starting out is probably going to have shared systems administration and security roles, and might have begun to collect asset and vulnerability information. On the other end of the spectrum, a larger, more mature
organization has a dedicated security team, a pre-existing vulnerability management process and contracts for regular penetration-testing services.
Regulatory compliance is often a significant driver of penetration testing. However, too many companies view this activity as a “check box” that needs to be completed simply to satisfy compliance and audit requirements. This results in a failure
to use these services holistically to properly evaluate business risk.
Gaining Value from Penetration Testing Services
While achieving compliance and checking off audit items are necessary but minimal activities, organizations focused on gaining the most value recognize the importance of:
- Understanding the type and value of services for the cost: Downward cost pressure on the penetration-testing industry has produced a number of low-value, low-quality offerings.
- The big picture: Organizations should not view their security posture in terms of individual vulnerabilities that need to be rapidly remediated, but rather should view the environment holistically.
- Red/blue team synergies: The more discussion and collaboration that occurs between the red and blue teams, the better the organization’s overall defensive posture.
- Knowledge transfer: Organizations should engage one or more mature penetration-testing partners so as to obtain a diversity of results. Always insist on a comprehensive post-mortem discussion for all activities, and scope training activities
with experienced red teamers.
Going From Red to Purple Teams
Organizations approaching penetration testing for the first time must resist the urge to treat the exercise like a dramatic story plot. While today’s media focuses on the sensational aspects of hacking, with darkened rooms and
images of hooded actors typing rapidly on keyboards, the reality is quite different.
Instead, penetration-testing programs should follow an incremental, staged approach that delivers greater maturity and value at each stage.
An example testing sequence could include:
- External network vulnerability assessment.
- Specific web application assessment.
- Assessing internal controls, for example through custom malware and command-channel testing.
- Fully scoped internal network penetration tests.
- Red team exercises that pivot toward purple teaming as they progress.
As the organization matures through this sequence, purple teaming naturally emerges as the preferred testing methodology.
Purple Team Prerequisites
Not all organizations are ready and able to jump headlong into purple teaming. To get the most benefit from a purple teaming engagement, organizations should have a strong security strategy and framework in place that includes:
- Clearly defined information security policies, standards and procedures.
- Mature asset inventory and vulnerability management/patching program to encompass both hardware and software assets.
- Networks that include centralized logging, SIEM systems and appropriately deployed defensive technology and processes.
- Secure, managed software configurations for all mobile devices, laptops, servers and other hardware.
- Well-defined and controlled use of administrative privileges across the environment.
- Staffed security operations center with threat hunting and incident management roles. Technology support and monitoring efforts can be supplemented with one or more managed security service providers.
Managing a Purple Teaming Exercise
A key factor to purple team exercise success is how the red team engagement is managed by both the penetration testing company and the organization itself. A red team with some level of information exchange
at or near the midpoint of testing naturally becomes a purple teaming solution.
As organizations approach purple teaming, they must set goals and objectives for the exercise. Make sure to include testing of tools, technology, process and people as part of the engagement. When scoping, it’s critical to determine and establish
up-front:
- Clear points of contact and communications between red team and exercise leads.
- The organizational leaders that are “in the know,” at least before the pivot toward purple. Often only the CISO and associated leadership will be aware of testing activities. As the test matures through the cycle, security operations
personnel will be added to foster the purple teaming information exchange process.
- Threats the target organization wants to model and what specifically can be considered an end state or win.
- The percentage of scoped time that should elapse before the blue team starts communicating directly with the red team. A rule of thumb is that approximately 60 percent of the testing time should be conducted as a red team exercise
before pivoting to purple.
Penetration Testing Tools, Tactics and Procedures (TTPs)
Most penetration-testing companies engaged in red team exercise activities work toward a true representative threat model of perceived adversary activities. This includes activities such as:
- Targeted spear-phishing and voice-phishing sent from highly trusted sources, such as Office 365 tenants and other large email and domain providers.
- Leveraging social media such as LinkedIn to engage targets in a longer-play scenario.
- Creating custom malware designed to bypass common software and human defense mechanisms, including:
  - Using common operating system tools to load malware directly into memory.
  - Avoiding techniques that leave disk artifacts in favor of fileless, memory-only attacks.
  - Highly customized and malleable command channels designed to evade detection in memory and on the network.
  - Relying as much as possible on built-in OS functionality and tools considered benign to evade defenses.
- Deploying an adversarial infrastructure for the duration of the red teaming engagement. This includes acquisition of appropriate resources such as domain names, virtual cloud infrastructure that is in diverse geographic locations, and other services such
as email providers.
Blue Teams: The Threat Hunters
During purple and red team exercises, defensive players cannot rely solely on automated matching of indicators of compromise (IOCs). Compromises that bypass defensive software controls will continue to occur, and only applied human intelligence
combined with data analysis techniques will be truly effective in identifying anomalies. Within the context of any engagement, this requires blue teams to:
- Fully understand their environment, and whether appropriate instrumentation, vulnerability management, asset management and security controls are properly implemented.
- Be familiar with common TTPs of attackers. Knowing social engineering techniques and associated malware delivery methods, in addition to escalation and lateral movement techniques is important.
- Understand the pattern of evidence that is commonly left behind after an attacker compromises an endpoint, escalates privileges, pivots and potentially exfiltrates data from the environment. Examples include:
  - Event information from endpoints, including PowerShell script block logging events. Endpoint detection and response (EDR) tools combined with strategic, selective and centralized event logging keep the focus on workstations as well as servers.
  - A burst of authentication failures against many different accounts in a short period, typically from a single source, with only one or a few attempts per account. This pattern indicates password spraying, so it is important to craft and save event log searches focused
on specific attack techniques rather than waiting for an alert.
  - Windows events that record a service being installed and started on a host are a strong indicator of PsExec-style lateral movement, because PsExec and its clones authenticate to the target over the network and then create and start a temporary service to run their payload.
Purple Teaming: Transparency Is Key
In a traditional red team exercise, the organization is seldom involved while the test is under way. By the time the final deliverable is discussed, the penetration testers have typically gained significant traction within the environment without revealing any details along
the way.
Purple teaming with a red team component at the outset enables penetration testers to slowly ramp up communications and engagement so that a significant degree of transparency exists before the test ends.
If transparency begins at or near the halfway point in a purple team exercise, and slowly increases as the testing continues, then the shock factor can be minimized at reporting time. It also results in less frustration, greater understanding and better
knowledge transfer for all parties.
This implies that some preliminary status reports and discussion will contain elements of the final deliverable report, and equally, that defenders will share some screenshots and evidence of their ability to detect.
The end deliverable will be a comprehensive report containing executive summary, findings and methodology that will encompass as much feedback as possible in the form of screenshots and ongoing email communications.
At the conclusion of all purple teaming engagements, the parties should meet for a minimum one-hour debrief, whereby each of the detailed stages of testing will be discussed transparently with associated lessons learned on both ends. These meetings
will be educational for both the red and blue teams.
Purple Teaming: A Collaboration
Red teaming can and should lean more toward a purple team approach, but in a controlled manner. Collaboration between offensive and defensive players naturally raises everyone’s skills to a higher level. Pitting attack techniques against
defensive techniques tends to create a somewhat competitive atmosphere, which is very beneficial for the organization’s security. Security teams interested in purple teaming should:
- Ask prospective red/purple team vendors for sample report information. The report should clearly communicate the stated business risks, detailed findings and methodology. It should also have separate sections addressing different audiences. For
example:
  - Executives must understand the business risks and how to mitigate them strategically.
  - Technical staff should know what configuration, patching, policy enforcement and deployment changes need to be made, along with detailed information on how the testing activities succeeded or failed.
- Look for a clear, concise, technically accurate and well-written report. Sample reports will be heavily redacted to avoid revealing confidential information about other clients. This level of redaction may somewhat obscure report quality, so be prepared to ask questions
about the vendor's style and approach to reporting.
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in
connection with such information, opinions, or advice.