In traditional exercises, the red team uses both simple and sophisticated tactics borrowed from real-world attackers to probe the organization’s defenses. The red team may do this on a scheduled basis, where the blue team is expecting the attack, or it may conduct a surprise attack designed to better test the blue team’s skills. When the red team launches its attack, the blue team’s job is to identify that an attack is in progress, deploy controls to stop the attack in its tracks, and then use the lessons learned from the exercise to improve the organization’s defenses against future attacks.
Purple teaming differs from this standard red team/blue team approach in that the methods of attack and defense are predetermined. Instead of simply launching an attack on their own, the red team members sit down with the blue team members and work side by side to run exploits and assess the results. This collaborative approach to cybersecurity exercises provides three main benefits:
1. Purple Teaming Removes the Adversarial Component of Exercises
Traditional exercises are set up in a manner where either the red team or the blue team clearly wins, and the other team loses. When the two teams collaborate during the exercise, they learn together and are able to better improve the organization’s security posture.
2. Purple Teaming Aligns the Interests of the Red and Blue Teams
In many cases, the red team and blue team personnel are permanent parts of an organization’s security staff. Purple teaming builds the relationship between those groups, helping them to better align themselves with the organization’s security objectives. Purple teaming creates a feedback loop that improves the organization’s detection and prevention controls.
3. Purple Teaming Builds Security Knowledge
When members of the blue team are able to observe and participate in the attacks, they gain a better understanding of how attackers operate. This allows them to more effectively deploy honeypots and other deception technologies to mislead actual attackers and study their tactics, techniques, and procedures (TTPs).
Purple team exercises are a valuable component of an organization’s security program, but they are effective only when the organization already has a strong cybersecurity foundation. Before engaging in purple teaming, the organization should ensure that it already uses email and web security tools, defends itself with a next-generation firewall, and conducts periodic vulnerability scanning and penetration testing. Once those controls are deployed, purple teaming can probe those deployments for undiscovered weaknesses.
CDW’s security professionals can help organizations with purple teaming exercises, integrating these assessments into the organization’s security testing and professional development processes.