Purple Teaming
Red + Blue = Purple
Purple Teaming is a process involving Red Team consultants and Blue Team Security Analysts.
Red Team vs. Blue Team
The collaboration wheel below shows how the two teams work together during an engagement:
Based on experience of attacker tactics and techniques as witnessed in our Incident Response division, our Red Team develops and applies attack use-cases on your network, with the goal of measuring Blue Team response efficacy.
Use-cases are mapped to the MITRE ATT&CK framework, and cover the breadth of the kill-chain to maximise coverage of the Blue Team response evaluation.
Was the attack picked up? How quickly was it picked up? Was an alert triggered? What was the response to the alert?
Attack patterns are applied in escalating levels of sophistication until the Blue Team can no longer see them at all.
Red and Purple Team Differences
| Red Team | Purple Team |
| --- | --- |
| Attacking the client | Working in coordination with the client |
| Used to evaluate the effectiveness of technological and procedural controls against a particular real-world attack | Used to evaluate the effectiveness of technological and procedural controls against a variety of threats |
| Used for “shock” value | Tangible metrics |
| Takes further work to extract a “to do” list | Maps progress in decreasing the attack surface |
| One or few pathways to compromise | Identifies multiple pathways to compromise |
Threat Modelling
Purple teams need to reflect the reality of the threat landscape.
We choose Tools, Techniques and Procedures that reflect that reality.
Nation States – Geopolitically or economically motivated to gain intelligence on current news or gain access for sabotage or espionage.
Organised Criminal Gangs – Criminals constantly attempt access or buy it in order to extort, steal or commit fraud for financial gain.
Blackhat hackers – Attacker who may or may not have been made aware of the organisation through the news but would use the opportunity to attempt access.
Journalists – Investigating and reporting all news and events using any means possible.
Competitors (Or nation states on behalf of competitors for economic reasons) – Steal intellectual property or sabotage to gain a competitive edge or damage reputation.
Activists – Motivated by an ideology or message perhaps related to drug costs or the “EvilCorp” mentality.
Insider threat – Either an accidental or malicious disclosure, damage, or modification carried out with existing access.
Possible attack vectors used
In a more mature Blue Team these are the actions we would be expecting to see:
Kill Chain
Use-cases are mapped to the MITRE ATT&CK framework, and cover the breadth of the kill-chain to maximise coverage of the Blue Team response evaluation.
[Figure: use-cases mapped across the kill-chain onto the MITRE ATT&CK matrix, https://attack.mitre.org/]
Tools Tactics and Procedures
We maintain a comprehensive threat library with dedicated TTPs for different industries and sectors.
Reporting examples
The prevention, detection, and response as a percentage of techniques performed, sorted by testing phase:
Individual Technique detail:
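The two report views above (per-phase prevention, detection and response percentages, and the per-technique answers to "was it picked up, how quickly, did it alert, what was the response") can be produced from a simple results log. The following is an added example, not code from the original page or from the service it describes: the exercise results are constructed, the ATT&CK technique IDs are real but chosen here for illustration, and the phase names and field names are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, List, Optional


@dataclass
class TechniqueResult:
    """Outcome of one ATT&CK technique run during a purple-team exercise."""
    technique_id: str               # MITRE ATT&CK technique ID
    phase: str                      # testing phase / kill-chain stage (assumed names)
    prevented: bool                 # control blocked the technique outright
    detected: bool                  # telemetry captured it (was it picked up?)
    alerted: bool                   # a SOC alert fired
    responded: bool                 # the Blue Team acted on the alert
    minutes_to_detect: Optional[float]  # None when it was never detected


# Constructed sample results (not real exercise data).
RESULTS: List[TechniqueResult] = [
    TechniqueResult("T1566", "Initial Access", False, True, True, True, 12.0),
    TechniqueResult("T1078", "Initial Access", False, False, False, False, None),
    TechniqueResult("T1059", "Execution", True, True, True, True, 2.0),
    TechniqueResult("T1021", "Lateral Movement", False, True, False, False, 45.0),
    TechniqueResult("T1041", "Exfiltration", False, False, False, False, None),
]


def validate(results: List[TechniqueResult]) -> None:
    """Reject records that cannot be true together, so the percentages stay honest."""
    for r in results:
        if r.responded and not r.alerted:
            raise ValueError(f"{r.technique_id}: responded without an alert")
        if r.alerted and not r.detected:
            raise ValueError(f"{r.technique_id}: alert without detection")
        if r.detected != (r.minutes_to_detect is not None):
            raise ValueError(f"{r.technique_id}: detection flag and timing disagree")


def phase_summary(results: List[TechniqueResult]) -> Dict[str, Dict[str, Optional[float]]]:
    """Prevention, detection and response as a percentage of techniques run, per phase."""
    validate(results)
    by_phase: Dict[str, List[TechniqueResult]] = defaultdict(list)
    for r in results:
        by_phase[r.phase].append(r)

    summary: Dict[str, Dict[str, Optional[float]]] = {}
    for phase, rs in by_phase.items():
        n = len(rs)
        times = [r.minutes_to_detect for r in rs if r.minutes_to_detect is not None]
        summary[phase] = {
            "techniques": n,
            "prevented_pct": round(100.0 * sum(r.prevented for r in rs) / n, 1),
            "detected_pct": round(100.0 * sum(r.detected for r in rs) / n, 1),
            "responded_pct": round(100.0 * sum(r.responded for r in rs) / n, 1),
            # Median rather than mean so one slow detection does not hide the rest.
            "median_minutes_to_detect": median(times) if times else None,
        }
    return summary


def technique_detail(results: List[TechniqueResult], technique_id: str) -> Dict[str, object]:
    """Answer the four per-technique questions for one ATT&CK ID."""
    for r in results:
        if r.technique_id == technique_id:
            return {
                "picked_up": r.detected,
                "minutes_to_detect": r.minutes_to_detect,
                "alert_triggered": r.alerted,
                "response": "acted on alert" if r.responded
                            else "alert not actioned" if r.alerted
                            else "no alert",
            }
    raise KeyError(technique_id)


def undetected(results: List[TechniqueResult]) -> List[str]:
    """Techniques the Blue Team never saw: the backlog for the next iteration."""
    return [r.technique_id for r in results if not r.detected]


if __name__ == "__main__":
    for phase, stats in phase_summary(RESULTS).items():
        print(phase, stats)
    print(technique_detail(RESULTS, "T1021"))
    print("undetected:", undetected(RESULTS))
```

Re-running the same technique set on a later exercise and diffing `phase_summary` output is what turns the report into the progress map described in the table above; `undetected` gives the concrete list of gaps to work through before the next round.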