Purple teaming may be a relatively new concept in cybersecurity, but it is already steadily gaining adopters. Many leading cybersecurity platforms already incorporate it in their systems to enhance security validation effectiveness.
“Single, standalone solutions, tools, and techniques will only get us so far. If we want to stop advanced adversaries effectively, we have to ensure we have an in-depth approach to defense where we can implement security controls that counter each and every one of their attacking moves,” says SANS Institute’s Erik Van Buggenhout in a webcast, explaining the significance of purple teaming in penetration testing.
Implementing purple teaming, however, is easier said than done. As with other new technologies and methodologies, there are hurdles to clear before organizations can take full advantage of it, and many do not understand it well enough to get the most out of it.
To explain purple teaming better, it helps to clear up the misconceptions some have about it. Some also fail to see its benefits because of mistaken preconceptions.
1. Purple teaming means creating a new team or merging the red and blue teams
One of the most common misconceptions about purple teaming is that it requires a new security validation team. Since purple is the color you get by mixing red and blue, many assume it is simply the combination of the two teams' functions. That is not the case, though.
The advanced purple team framework employed by cybersecurity posture management platforms, for example, does not call for the creation of a new team, nor does it require the fusion of the attack and defense security validation teams. It is more of a threat-informed defense that emphasizes the perspective of the attacker to better understand and handle cyber attacks. It also brings in automation to create a more robust security assurance process.
No new team is created, and the red and blue teams are not merged. Instead, the organization adopts a mindset that gets the attack and defense teams collaborating, so that each learns from the other, potential attack paths are explored faster, and security controls are strengthened by anticipating the tactics and techniques an attacker would use.
Purple teaming helps organizations overcome the siloing of security information, which undermines cybersecurity strategies. It prompts a look at information flows, processes, cycles, and other aspects of security validation in order to remove the limitations of conventional red and blue teaming. When organizations use the purple team module of a cybersecurity platform, they do not need a new team to oversee the processes. What they are adopting is a mindset focused on faster security control assessments and immediately actionable results.
Moreover, purple teaming draws on external know-how and resources, particularly the MITRE ATT&CK framework, to organize the security testing process. With it, everyone working under the purple team construct works as one in designing test plans, examining security gaps, mitigating the impact of breaches, and preventing attacks.
2. Purple teaming is all about catching external and technical threats
Jonathan Reiber, former Chief Strategy Officer for Cyber Policy at the US Department of Defense, makes an excellent point in saying that purple teaming is a manifestation of the shift from a "fortress mentality of network defense" to one anchored on "threat-informed defense." Organizations need to understand what adversaries are thinking and how, but this does not mean that purple teaming is concerned only with external threats.
Done right, purple teaming is also highly effective at surfacing internal security problems. It helps catch weaknesses in an organization's procedures before they become openings for attackers to breach defenses. It can also surface non-technical risks such as security staff turnover.
A company that underpays its security team, for example, may have a turnover problem. An automated continuous red teaming process will not spot this directly, but purple teaming can surface the specific security control problems that result, which can then be investigated to determine their root cause.
The caveat is that whoever leads the purple teaming effort should not rely solely on automated assessments and auto-generated recommended courses of action. Periodic manual evaluation is also important, especially when looking into recurring problems with specific security controls.
3. Purple teaming is not necessary when using MSSPs
Some organizations rely on external managed security service providers (MSSPs) to secure their IT assets, especially when they lack the expertise, experience, and resources to run a dedicated security department of their own. But how do organizations know whether their MSSPs are really delivering the security benefits they expect?
Purple teaming can be a good way to measure success with MSSPs or determine other ways to improve security posture. A purple teaming exercise can help uncover issues with an MSSP like delays in the reporting of security issues. An organization may be able to implement procedural tweaks to address the delays or work with the MSSP to find ways to improve its security response speed and efficiency.
Purple teaming can also help ensure that an organization is not suddenly cut off from MSSP service because of internal negligence or oversight. An exercise can reveal problems directly or indirectly attributable to the MSSP relationship, which makes it easier to take the appropriate action.
4. Purple teaming is complex and difficult
It would be inaccurate to say that doing purple teaming is easy, but it is also wrong to be intimidated by it because of the perception that it is too complicated and difficult to undertake.
The entire purple teaming process can be summed up in four basic steps, as suggested by one purple team training specialist.
- Scrutinizing the strengths and weaknesses of the red and blue teams
- Enabling some level of collaboration between the red and blue teams so that both improve, vulnerabilities are explored more quickly, and defenses are bolstered
- Creating a testing strategy anchored on threat-informed defense
- Ensuring communication between teams including the establishment of structured feedback loops, debriefing sessions, and review of remediation reports
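The three things the article keeps coming back to, an ATT&CK-organized test plan, a check on how promptly an MSSP reports what it detects, and a structured debrief with a remediation report, can all be served by one small exercise ledger. The following is an added example and not code from the article or from any platform it mentions. The technique IDs are real ATT&CK identifiers, but every timestamp, result, tactic assignment and the 30-minute reporting SLA are constructed sample data, and the four outcome classes (prevented, detected, logged only, missed) are an assumed scheme rather than a standard.

```python
"""Purple-team exercise ledger: ATT&CK-mapped red steps and blue/MSSP outcomes.

Added illustration, not code from the original article. The technique IDs are
real ATT&CK identifiers; every timestamp, result and the 30-minute reporting SLA
are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TestCase:
    """One red-team emulation step and what blue (or the MSSP) did with it."""
    technique_id: str                # ATT&CK technique ID
    technique: str
    tactic: str
    executed_at: datetime            # when red ran the step
    prevented: bool                  # a control blocked the action outright
    alert_at: Optional[datetime]     # when an alert fired (None: no alert)
    reported_at: Optional[datetime]  # when the alert reached the organization
    log_evidence: bool               # telemetry exists even if nothing alerted


def outcome(tc: TestCase) -> str:
    """Classify the defensive result of one step (assumed four-class scheme)."""
    if tc.prevented:
        return "prevented"
    if tc.alert_at is not None:
        return "detected"
    if tc.log_evidence:
        return "logged_only"  # the data is there, the detection logic is not
    return "missed"


def outcome_summary(cases: List[TestCase]) -> Counter:
    return Counter(outcome(tc) for tc in cases)


def coverage_by_tactic(cases: List[TestCase]) -> Dict[str, Counter]:
    """Outcome counts per ATT&CK tactic, the view a test plan is organized around."""
    table: Dict[str, Counter] = {}
    for tc in cases:
        table.setdefault(tc.tactic, Counter())[outcome(tc)] += 1
    return table


def detection_gaps(cases: List[TestCase]) -> List[str]:
    """Techniques that ran with neither prevention nor alert: blue's backlog."""
    return sorted(tc.technique_id for tc in cases
                  if outcome(tc) in ("logged_only", "missed"))


def reporting_breaches(cases: List[TestCase], sla: timedelta) -> List[Tuple[str, str]]:
    """Alerts that were never reported, or reported later than the SLA allows.

    This is the MSSP reporting-delay check: the clock runs from the alert to
    the moment the organization actually heard about it.
    """
    breaches = []
    for tc in cases:
        if tc.alert_at is None:
            continue  # nothing to report; that case shows up as a gap instead
        if tc.reported_at is None:
            breaches.append((tc.technique_id, "alert fired but was never reported"))
        elif tc.reported_at - tc.alert_at > sla:
            mins = int((tc.reported_at - tc.alert_at).total_seconds() // 60)
            breaches.append((tc.technique_id, f"reported {mins} min after the alert"))
    return breaches


def remediation_report(cases: List[TestCase], sla: timedelta) -> List[str]:
    """The debrief artefact: coverage per tactic, then concrete action items."""
    lines = []
    for tactic, counts in coverage_by_tactic(cases).items():
        lines.append(f"{tactic}: " + ", ".join(f"{k}={v}" for k, v in sorted(counts.items())))
    for tid in detection_gaps(cases):
        lines.append(f"GAP {tid}: write or tune a detection; confirm telemetry is retained")
    for tid, why in reporting_breaches(cases, sla):
        lines.append(f"REPORTING {tid}: {why}; review the MSSP escalation path")
    return lines


# Constructed sample exercise: six ATT&CK-mapped steps run on one morning.
T0 = datetime(2024, 3, 12, 9, 0)


def at(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


SLA = timedelta(minutes=30)  # assumed contractual time from alert to customer report
SAMPLE_CASES = [
    TestCase("T1566", "Phishing", "Initial Access", at(0), True, at(2), at(5), True),
    TestCase("T1059", "Command and Scripting Interpreter", "Execution", at(15), False, at(18), at(65), True),
    TestCase("T1003", "OS Credential Dumping", "Credential Access", at(30), False, None, None, True),
    TestCase("T1021", "Remote Services", "Lateral Movement", at(45), False, None, None, False),
    TestCase("T1053", "Scheduled Task/Job", "Persistence", at(60), False, at(70), at(80), True),
    TestCase("T1078", "Valid Accounts", "Defense Evasion", at(75), False, at(90), None, True),
]

if __name__ == "__main__":
    for line in remediation_report(SAMPLE_CASES, SLA):
        print(line)
```

The point of separating "logged only" from "missed" is that they need different fixes: the first is a detection-engineering task for blue, the second is a telemetry problem that red and blue should investigate together. Likewise the MSSP check deliberately measures reporting from the alert, not from red's execution, so that a slow detection and a slow escalation show up as different findings in the debrief.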
Purple teaming would be hard to grasp for anyone unfamiliar with security validation processes and cybersecurity terminology, but adopting it should not be too difficult even for organizations with only basic cybersecurity proficiency.
The availability of cybersecurity posture management platforms is also an advantage to many organizations, as they can readily use a system that incorporates best practices and links to crucial collaborative resources and frameworks that help enable a dependable security posture.
Some may be confused by the idea of purple teaming, especially as it relates to an organization's existing security systems. However, there is no compelling reason to avoid adopting this relatively new but highly useful construct to improve cyber defenses, both by being more aware of threats and by conducting security validation more effectively.