Purple Teaming: Red & Blue Living Together, Mass Hysteria

When you set focused objectives for the red team, you get your blue team to work the weak muscles they need trained most.

Red teams beat up on blue teams all the time. However, while there can be plenty of sore muscles on both sides, theyre not always the muscles that needed the most exercise: security teams dont always learn as much from the bruising and battering as they could. Enter purple teaming -- an exercise in which every bruise and muscle strain has a purpose.
In a purple team exercise, the red teams objective is to test the effectiveness of a
specific
security control or to challenge the blue team on a
specific
skill set. The objective would usually be set by someone who is familiar with the security teams needs -- an incident response manager, CISO, or security operations director.
Chris Gates, senior incident response engineer at Uber, and Haydn Johnson, senior consultant of KPMG Canada, will outline the ins and outs of the technique Oct. 18 at SecTor Canada in their session,
Purple Teaming the Cyber Kill Chain: Practical Exercises for Management.

The mindset is about working together, says Johnson. He likens it to sparring with a partner instead of merely shadowboxing in a mirror. Its also better than getting into a street fight.
Gates says the idea appealed to him because after years of being on the red team side and watching most blue teams fail to improve their defenses even after an exercise, hed become disillusioned with his role.
I wanted to be a fixer instead of a breaker, he says.
Johnson and Gates gave a few examples of how purple teaming can be used: If an organization has implemented ways to limit the effectiveness of Mimikatz, for example, the red teams efforts would focus on trying to run Mimikatz. If the sec ops director wants his or her team to have practice responding to a malware attack on a corporate device on corporate wifi, the red team would build their attack accordingly. Generally, the blue team would not be informed ahead of time, and they approach the event as a real incident.
Purple teaming does not need to be a Herculean endeavor; it merely needs to accomplish the particular objective. At Uber, Gates says, the exercise might be an active adversarial simulation, but it might also just be a controlled test or a table-top exercise. If the goal is simply to test the effectiveness of a security tool, Johnson and Gates explain, a purple team exercise may be as simple as an attempt to get a malicious email past the mail proxy.
Another key part of purple teaming is what happens after the exercise: both red and blue teams share information about their experiences -- the attacks, the alerting and instrumentation, the detection and response procedures. The goal of a blue team vs. red team exercise in this case is ultimately to make the organization better, not to be adversarial.
By purple teaming, I get to see what my attacks look like on the other side, which makes me a better attacker, Gates says.
You might think that this takes giant squadrons of people and months of planning. Johnson and Gates say it neednt be that way: One or two internal people, plus consultants as necessary, can get the job done.
Gates says, though, that while purple teaming doesnt need a big team, it does need a
mature
team. An immature security organization wont have the knowhow to set the objectives and know where the gaps in knowledge are.
I dont think you can do it with a one-man shop without consultants, Gates says.
Though they wouldnt go quite as far as to say that purple teaming would save an organization money, Gates and Johnson say purple teaming lets them put time and money where its most needed in an organization.
Related Content:
CISO Playbook: Games of War & Cyber Defenses
To Better Defend Yourself, Think Like a Hacker

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Purple Teaming: Red & Blue Living Together, Mass Hysteria