Managed Simulated Attack - AKA Purple-Team

About Purple Teaming

Purple Teaming is the symbiotic relation between Red and Blue Teams in a way that improves the security of the organisation, constantly improving the skills and processes of both teams. Both Red and Blue Teams should operates in a open manner in terms of results and 'Tactics, Techniques & Procedures' (TTPs) so that both units can improve their own techniques and understanding to combat 'Advanced Persistent Threats' (APTs).

This level of consultancy becomes more prevalent during CREST CSTAR and/or Bank of England's CBEST regulated testing.

Current Situation

Having already participated in a number of red-team engagements and regulated CBEST assessments; our consultants have encountered similar problems across different organisations:

Co-operative Engagements

To get the best value out of a simulated attack assessment, we advise a co-operative strategy. This does not have to happen at the same time, but can be undertaken as a staged approach, as not to distract staff members from possible real world threats that may incidentally occur during the testing window. It may be more appropriate to review the attack with the blue team after the red team have completed all scenarios. However, it is important to adhere to the following points:

Threat Simulation

The Threat Intelligence (TI) model will often determine and drive the level of sophistication for the TTPs that will be storyboarded. The TI may include physical security, social engineering and/or technical operations that will be conducted. TTPs are selected by impact and likelihood since more often than not, all possible TTPs for a threat model can't be exercised due to: From our experience the TI models have missed one very important threat actor 'Insiders'. From our experience most incidents or breaches are the results of internel employees (due to a lack of security awareness) or possible espionage (from competitors of another organisation that has similar processes and systems), or lastly the most destructive - disgruntled employees that want to harm the business.

Running a Simulated Attack Assessment

Here are our tips for running a successful engagement: