The idea of blue team and red team exercises originates from military antecedents. In military operations, a red team conducts exercises that may trigger active controls and countermeasures in an environment, while the blue team's response paints a more realistic picture of its readiness to detect and deal with these situations. This concept has also made its way into the private sector in the form of war-gaming an organization's perimeter and security infrastructure.

Both teams ultimately serve one purpose – to improve the organization’s security posture. Red teams do this through attack, while blue teams do this through defense. Mixing the capabilities of these two groups produces what is called a ‘purple team’. It serves the same purpose, but is specifically designed to enhance information sharing between the two groups in order to maximize and extend each of their individual capabilities.

How Can Purple Team Exercises Benefit Your Organization?

In order to understand how conducting purple team exercises can improve your organization’s security posture, it is crucial to understand the perspective of both the blue team and the red team. Even though they serve one purpose, they inevitably clash without active oversight.

From the perspective of a blue team, few or no alerts indicate that security controls are effective at thwarting threats. At the same time, when many alerts fire, it also means that the detection controls that have been implemented are working. As a result, there is no incentive for the blue team to help the red team, since the red team's failures equate to blue team success.

From the perspective of a red team, a report that contains many findings is a job well done. For penetration testers and red team operators alike, the number of failed or bypassed controls measures success. As a result, there is also no incentive to help the blue team, because every blue team failure counts as a red team success.

This behaviour is more prevalent in organizations that use different external vendors for their monitoring, detection, and penetration testing. However, it is not uncommon in organizations that conduct both operations in-house, due to politics and elitist mindsets. For this reason, a purple team (not necessarily a third team) exists to train both teams and encourage information sharing.

Shorter Feedback Loop

Typically, after a penetration test or red team assessment is completed, a report is delivered to the client’s IT team to remediate the flaws and implement missing security controls. The test itself may span a period of 2-3 weeks, while the remediation may occur over the span of months. Assuming the vulnerability assessment or penetration test is performed annually, feedback may take place only once a year.

Figure 1: Feedback Loop of a Traditional Assessment

In a purple team feedback loop, the same activities of attack, detection, and response are performed, but the feedback is regular and on-going. The red team shares its tactics, techniques, and procedures. Its members also serve as active participants in the patch management process, helping the blue team prioritize which vulnerabilities to patch. On the blue team's side, they share their monitoring tactics and playbooks with the red team. Essentially, offense informs defense, and defense informs offense – this way, the capabilities of both teams are extended.

Figure 2: Feedback Loop of Purple Team Exercises – This continuous information sharing reveals the blue team’s blind spots, and allows the red team to adapt to bypass existing controls.

Measuring the Effectiveness of Your Organization’s Detection and Response

Penetration testing with an emphasis on improving the blue team can address a persistent problem for SIEM/SOC vendors. They have the challenging task of installing and enabling detection at certain points in the network, which requires them to pull log sources from strategic areas. This inevitably means that some areas will have limited to no visibility. In short, the blue team faces this challenge: “they don’t know what they cannot see.” On the other hand, pulling log sources from every single endpoint and perimeter device would effectively render them blind, because it would take a large amount of time to sort through the data, build alerts, and act on it. Therefore, penetration testing and red team assessments are well suited to measuring and identifying the blue team's blind spots and response.

Conclusion

Exploring your business from an attacker’s perspective is an effective way to measure the effectiveness of your organization’s detection and response plan. With countless breaches and ransomware on the rise, it becomes clear that the plans and technologies we invest in are ineffective. Contact us to learn more about purple teaming and how we can start improving your organization’s security posture.