Purple teaming is when a red team (penetration testers) and the blue team (security operations centers) work together to improve threat detection. The red team would deploy attacks that the blue team would attempt to identify them. If an attack is missed, the blue team would need to identify the gap in their alerting tools. In order for purple teaming to succeed, the testing methodology must be robust and cover the techniques commonly used by adversaries.
The MITRE ATT&CK Framework
The MITRE framework lays the foundation for the most common types of tactics and techniques used by adversaries. It contains the following pillars:
- Initial Access – techniques that use various entry vectors to gain their initial foothold within a network.
- Execution – techniques that result in adversary-controlled code running on a local or remote system.
- Persistence – techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
- Privilege Escalation – techniques that adversaries use to gain higher-level permissions on a system or network.
- Defense Evasion – techniques that adversaries use to avoid detection throughout their compromise.
- Credential Access – techniques for stealing credentials like account names and passwords.
- Discovery – techniques an adversary may use to gain knowledge about the system and internal network.
- Lateral Movement – techniques that adversaries use to enter and control remote systems on a network.
- Collection – techniques adversaries may use to gather information and the sources information is collected from that are relevant to following through on the adversary’s objectives.
- Command and Control – techniques that adversaries may use to communicate with systems under their control within a victim network.
- Exfiltration – techniques that adversaries may use to steal data from your network.
- Impact – techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes.
Each pillar contains multiple tests that, when run, should trigger an alert or block by the blue team. For example, LLMNR/NBT-NS poisoning is one of insecure network protocols checked when internal access is obtained and is under the credential access pillar within the MITRE ATT&CK framework. When the poisoning is occurring, the attacker is responding to requests, capturing authentication data, and relaying it to other systems in an attempt to gain access. The blue team should identify this traffic, but many do not.
Testing the MITRE ATT&CK Framework
With the MITRE ATT&CK framework, each pillar is rigorously tested and reported on which assists organizations in finding gaps that are often overlooked. It only takes one missed alert for a breach to occur, and those can be easily identified if the MITRE ATT&CK framework is being detected.
As each test is run, the red teamers will make a note of areas where the attack detection is high, medium, or low, as depicted in the photo below using green, orange, and red. Areas that will not be detected or may not be detected all the time will be takeaways for the blue teams to address.
Below is a diagram showing the result of various attacks.
Given LLMNR/NBT-NS poisoning is coloured red, the blue team has to work on tuning its tools to alert on it appropriately. Below is a sample finding in a report that clearly defines the threat, provides supporting evidence and helps with enabling detection.
Once each test has been completed, the full report will be provided to the blue team for remediation efforts.
Where Do I Start?
A simple phone call may be enough to guide your organization into preparing for a purple team exercise. At Packetlabs, we specialize in red teaming and hold the most challenging certifications in the industry. The knowledge we obtain through training and experience is used to add the most value to all of our engagements. Contact us if you are interested in learning more about purple teaming.