Purple Teaming is the symbiotic relation between Red and Blue Teams in a way that improves the security of the organisation, constantly improving the
skills and processes of both teams.
Both Red and Blue Teams should operates in a open manner in terms of results and 'Tactics, Techniques & Procedures' (TTPs) so that both units can improve
their own techniques and understanding to combat 'Advanced Persistent Threats' (APTs).
This level of consultancy becomes more prevalent during CREST CSTAR and/or Bank of England's CBEST regulated testing.
Having already participated in a number of red-team engagements and regulated CBEST assessments; our consultants have encountered similar problems across
Both red and blue teams lack buy in from management
Red and blue teams have become to institutionalised and fail to effectively communicate with one another
Blue teams are too 'tool bound' lacking the ability to adapt and modify their toolsets to adaptive threats/scenarios
Evaluation methods often reward a single team for beating the other.
To get the best value out of a simulated attack assessment, we advise a co-operative strategy. This does not have to happen at the same time, but can be
undertaken as a staged approach, as not to distract staff members from possible real world threats that may incidentally occur during the testing window. It
may be more appropriate to review the attack with the blue team after the red team have completed all scenarios. However, it is important to adhere to the
The red team must record each action taken, so that later the blue team can review and test their detection and IOCs
The blue team must allow the red team to continue in the event of detection, this is important because:
threat scenarios should be fully played out, to fully assess detection capabilities at various stages
a real-world attacker may use a toolset or exploits that bypass traditional detection mechanism such as IDS, & Antivirus
often Antivirus and host-based IDS software may not be installed on core-servers.
A debrief is done to validate all steps taken to determine attack graph, areas where detection should have happened and creation/validation of
Impact of overall threat is evaluated and broken in to individual system or areas of impact so as to evaluate remediation and recovery plans for each
Both teams should update their knowledge base and play-books.
The Threat Intelligence (TI) model will often determine and drive the level of sophistication for the TTPs that will be storyboarded.
The TI may include physical security, social engineering and/or technical operations that will be conducted. TTPs are selected by impact
and likelihood since more often than not, all possible TTPs for a threat model can't be exercised due to:
From our experience the TI models have missed one very important threat actor 'Insiders'. From our experience most incidents or breaches are the results of
internel employees (due to a lack of security awareness) or possible espionage (from competitors of another organisation that has similar processes and
systems), or lastly the most destructive - disgruntled employees that want to harm the business.
Running a Simulated Attack Assessment
Here are our tips for running a successful engagement:
Engagement is executed with no prior warning to the blue team.
TTPs should be varied and should be in accordance to the level of simulation set in the initial scope and goals.
Constant update to a project manager or team lead is critical to coordinate actions and prevent any accidental mishap.
A list of emergency phones and channels of communications must be defined and kept in case of needed to stake holders.
As part of the action the identification of possible detection and actions to contain should be looked for and noted.
Teams should be rotated so as to maintain proficiency on all areas of specialty across the team.
Ensure that no standard TTPs and IOCs are developed and that constant sanitation evaluations are done of the toolset and TTPs as possible.
Ensure that exfiltration of confidential and IP data is secured in transit and storage.
Ensure to curtail destructive actions or risky action against business critical systems.