The world of cybersecurity is constantly developing, with new security assessment methods cropping up all the time. As a result, some of the best methods can go by unnoticed, or can be misunderstood. The purple team is one of these.
In this article, we’ll clarify what purple teaming is and tell you how it can maximise value from your pentest engagement.
Differentiations: Purple, red, and blue teams
Purple teaming is essentially a collaboration between the red and blue teams.
The red team, in security assessments and penetration testing, simulates the attackers. Its goal is to uncover how effective a company’s security is by testing its defences with the same strategies a malicious actor would use.
Then we have the blue team, who are the defenders. Their task is to implement the defence systems and techniques and protect the organisation. To do this, they must understand the attackers’ strategies, and they must adjust their own strategy as they learn new information.
From this, we understand that the overarching purpose of the red team is to test the effectiveness of the blue team. But, in order for this process to be effective, the two teams need to have strong communication. This is where purple teaming comes in.
The purpose of purple teaming is to strengthen the effectiveness of both teams through increased information sharing and collaboration, so that each engagement drives measurable improvement.
The purple team: A deeper look
The purple team is not a separate entity. It should be thought of, instead, as a method of security testing in which the red and blue teams mix and cooperate – when you mix red and blue you get purple.
This is why it’s better to think of purple teaming as a process. Purple teaming is the outcome of the red and blue teams working together well, communicating effectively, and transferring knowledge.
A purple team activity could be:
- The two teams meeting to share knowledge
- Monitoring both teams in action to examine how they work with each other – in other words, how they cooperate to improve overall security rather than compete against each other
If the red and blue teams always collaborate effectively, then they are already purple teaming.
Red team exercise vs Pentest engagement
Before we can dive into the ways that purple teaming optimises your security assessments, we should clarify the differences between a pentest and a red teaming exercise.
A pentest is a technical evaluation that is meant to realise a predetermined goal. The goal may be to gain access to the domain, alter company data, or steal valuable company information. This engagement usually occurs in a short, specified period of time.
On the other hand, a red team exercise is a long-term event or evaluation, in which real-world attack and defence scenarios are tested in real time.
Both tests have the goal of improving the overall security of a company, and both uncover problems in the current security methodology that an organisation has in place.
Using purple teaming to maximise the value of security assessments
As you can imagine, collaboration and communication are important in these testing situations. In fact, you may lose much of the value of the test without proper knowledge sharing. Purple teaming can be used to improve both red teaming exercises and pentest engagements.
Red team engagement
In this assessment, the red and blue teams must work together to improve the company’s security. Despite the common belief that they are two opposing teams, they are actually working toward the same goal. Here’s how purple teaming increases the value of a red teaming exercise:
- It enhances the lessons learned on both sides, red and blue. Particularly in the case of the blue team, understanding of attack methodology would be increased, leading to both faster detection and stronger protection in the future.
- The test is more effective as everyone involved has all the information they need.
- Heightened visibility – of strategies and tools – allows for the development of newer, stronger protection strategies.
- It removes the competitive atmosphere and aligns the interests of the two teams, which makes for a better outcome.
- The insights gained are more apparent to both sides.
Can effective purple teaming be accomplished with a pentest as opposed to a red teaming exercise? Yes, there is certainly an opportunity for the blue team to learn from a pentest engagement.
With pentests generally being shorter engagements, the level of collaboration and planning that can happen between the teams is limited. However, collaborating after the pentest can accomplish a similar goal. For example, the teams could meet afterwards to discuss and share insights.
Purple teaming can be done with pentesting, not only red teaming. It bridges the gap between simply uncovering security issues and actually understanding those issues deeply, in order to make realistic and useful changes to the security strategy. For more insights into the world of cybersecurity, follow our blog.