Purple Team is an iterative, collaborative process of checking and improving cybersecurity measures through realistic, prioritized adversary emulation.
- Purple Team Exercise Framework (PTEFv3) (Scythe on GitHub)
- Purple Team Exercise Framework (PTEFv2) (Scythe, PDF)
- MAD20Tech (YouTube)
- The Difference Between Red, Blue, and Purple Teams (Unsupervised Learning)
Tools: Atomic Red Team, MITRE ATT&CK Framework, DeTT&CT (GitHub)
Purpose
Purple Team is a purpose-driven activity with a large impact on threat-informed improvements.
Highlight the impact of Purple Team by asking "Where and how do we defend against threat x?" Our goal is to understand and improve these answers.
Idea: find new vulnerabilities (the Red Team part), which gives us the opportunity to fix them.
Planning
Use the MITRE ATT&CK Navigator to map and visualise the techniques in scope against the MITRE ATT&CK Framework.
Determine the Purple Team type
Purple Team Exercise: Purple Team Exercises are “hands-on keyboard” exercises where attendees work together with an open discussion about each attack technique and defense expectation to test, measure, and improve people, process, and technology in real-time.
Operationalized Purple Team: Red and Blue teams work together as a virtual team. When new TTPs are discovered, they are analyzed, discussed, and emulated to continually build and improve detection and response.
Dedicated Purple Team: Dedicated purple team roles. These roles vary from dedicated Purple Team Exercise Coordinators to engagement management of operationalized purple teams to the main stakeholders operating Breach and Attack Simulation solutions.
Prioritize threats
What threats are most important to us?
- Applicable to your technology stack and your environment
- High risk (likelihood x impact)
- Commonly and/or recently used by relevant adversaries
- Any known adversaries targeting your organisation or business sector?
- What techniques do these adversaries use?
- Impact on key resources, assets and/or business functions, safety, privacy
- Current defensive gap, what do we need to improve?
- Choose techniques that would benefit from iteration with emulation
- Focus: e.g. specific sub-techniques, techniques, campaign, or groups
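The prioritisation criteria above (applicability, likelihood x impact, recent adversary use, current defensive gap) can be turned into a repeatable ranking that feeds the ATT&CK Navigator mentioned under Planning. The following is an added example written for this page, not part of PTEF, MITRE ATT&CK or the Navigator; the scoring weights, the candidate techniques and their ratings are constructed for a fictional organisation, and the Navigator layer version fields are assumed.

```python
"""Added example: rank candidate ATT&CK techniques for the exercise scope and export the
selection as an ATT&CK Navigator layer. Example code for this page, not part of PTEF,
MITRE ATT&CK or the Navigator. Scoring weights, candidate techniques and their ratings
are constructed; the Navigator layer version fields are assumed."""
import json
from dataclasses import dataclass


@dataclass
class Candidate:
    technique_id: str   # ATT&CK (sub-)technique ID, e.g. T1204.002
    name: str
    likelihood: int     # 1-5: how likely relevant adversaries are to use it against us
    impact: int         # 1-5: impact on key resources, business functions, safety, privacy
    applicable: bool    # does it apply to our technology stack and environment?
    defensive_gap: int  # 0-5: 0 = well mitigated and detected today, 5 = no coverage at all
    recent_use: bool    # commonly or recently used by adversaries targeting our sector


def priority_score(c: Candidate) -> int:
    """Risk (likelihood x impact) weighted by the current defensive gap, plus a bonus for
    recent adversary use. Non-applicable techniques score 0 and drop out of scope."""
    if not c.applicable:
        return 0
    risk = c.likelihood * c.impact           # 1..25
    score = risk * (1 + c.defensive_gap)     # well-covered techniques rank lower
    if c.recent_use:
        score += 10                          # constructed weight for recency
    return score


def prioritize(candidates, top_n):
    """Top-N applicable techniques, highest priority first."""
    ranked = sorted(candidates, key=priority_score, reverse=True)
    return [c for c in ranked if priority_score(c) > 0][:top_n]


def navigator_layer(selected, layer_name):
    """ATT&CK Navigator layer (4.x layer format fields assumed) so the scope can be
    visualised on the matrix and shared with emulators and defenders."""
    max_score = max((priority_score(c) for c in selected), default=0)
    return {
        "name": layer_name,
        "versions": {"attack": "14", "navigator": "4.9.1", "layer": "4.5"},  # assumed
        "domain": "enterprise-attack",
        "description": "Purple team scope ranked by likelihood x impact x defensive gap",
        "techniques": [
            {"techniqueID": c.technique_id, "score": priority_score(c),
             "comment": f"{c.name}; gap={c.defensive_gap}", "enabled": True}
            for c in selected
        ],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }


def navigator_layer_json(selected, layer_name):
    """Serialised layer, ready to be loaded into the Navigator."""
    return json.dumps(navigator_layer(selected, layer_name), indent=2)


# Constructed candidate list with made-up ratings for a fictional organisation.
CANDIDATES = [
    Candidate("T1204.002", "User Execution: Malicious File", 5, 4, True, 3, True),
    Candidate("T1059.001", "Command and Scripting Interpreter: PowerShell", 5, 4, True, 1, True),
    Candidate("T1003.001", "OS Credential Dumping: LSASS Memory", 3, 5, True, 4, False),
    Candidate("T1190", "Exploit Public-Facing Application", 2, 5, True, 2, False),
    Candidate("T1200", "Hardware Additions", 1, 3, False, 5, False),  # no physical exposure
]

if __name__ == "__main__":
    scope = prioritize(CANDIDATES, 3)
    for c in scope:
        print(f"{priority_score(c):3d}  {c.technique_id:10s} {c.name}")
    print(navigator_layer_json(scope, "Purple team scope"))
```

The defensive-gap multiplier is what makes this purple-team specific: a technique that is already blocked and detected ranks below a moderate-risk technique with no coverage, which is where an emulation iteration pays off. Adjust the weights to your own risk model; the structure (applicability gate, risk, gap, recency) is the part worth keeping.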
Limitations
Realistically, we cannot test all attacks. And we may not want to, as some are not applicable.
Determine the defensive scope
Are we focused on mitigation, detection, investigation, or response actions?
Documentation
Documentation is a functional requirement of a purple team event.
Use a template so that every purple team event is recorded in the same way.
| What did we execute? | What did we expect? | What did we actually see? |
|---|---|---|
| Clicked malicious payload (T1204.002) | Untrusted macro execution should be blocked | Prompt allowed user to bypass controls |
| … | … | … |
Emulation: document a playbook with the tools to use (for example which post-exploitation framework) and the exact commands. It needs to be repeatable and well-documented.
Infrastructure
- Ensure that you have the infrastructure to test. Target machines up and running and configured correctly.
- If done in production, ensure the proper written approvals from system owners.
- Ensure you have all the accounts needed
- Data sources and SIEM up and running
- Queries and analytics working as expected
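The last two infrastructure points (data sources and SIEM running, queries and analytics working as expected) are the ones most often discovered broken halfway through an exercise. The following is an added example of a go/no-go readiness check, written for this page and not part of PTEF or any SIEM product. It assumes you can obtain the newest event time per data source and run each analytic against a known-good canary event shaped like the real feed; both are stubbed here with constructed data, including one stale source, one source that is not ingesting at all, and one analytic whose field mapping no longer matches the feed.

```python
"""Added example: pre-exercise readiness check for the telemetry pipeline (data sources
ingesting, analytics firing as expected). Written for this page, not a PTEF or SIEM tool.
It assumes you can query the newest event time per data source and run each analytic
against a known-good canary event; both are stubbed here with constructed data."""
from datetime import datetime, timedelta, timezone

REQUIRED_SOURCES = {"windows-security", "sysmon", "edr", "proxy"}
MAX_AGE = timedelta(minutes=30)   # a source older than this is treated as not flowing
NOW = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)   # constructed 'current time'

# Constructed: newest event seen per data source (None = nothing ingested at all).
LAST_EVENT = {
    "windows-security": datetime(2024, 3, 1, 9, 58, tzinfo=timezone.utc),
    "sysmon": datetime(2024, 3, 1, 9, 59, tzinfo=timezone.utc),
    "edr": datetime(2024, 2, 28, 22, 0, tzinfo=timezone.utc),   # stale for ~36 hours
    "proxy": None,                                               # collector is down
}

# Constructed analytics: name -> (data source, query, canary event shaped like the real feed).
# Each query must fire on its canary, otherwise its logic or field mapping is broken.
ANALYTICS = {
    "office_spawns_shell": (
        "sysmon",
        lambda e: e["event_id"] == 1
        and e["parent_image"].lower().endswith(("winword.exe", "excel.exe"))
        and e["image"].lower().endswith(("cmd.exe", "powershell.exe")),
        {"event_id": 1, "parent_image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
         "image": r"C:\Windows\System32\cmd.exe"},
    ),
    "lsass_read_access": (
        "edr",
        lambda e: e["target"].lower() == "lsass.exe" and bool(e["access"] & 0x10),
        {"target": "lsass.exe", "access": 0x1010},
    ),
    "proxy_rare_domain": (
        "proxy",
        lambda e: e["dest_domain"] not in e["allowlist"],   # feed renamed this field
        {"destination_host": "example.test", "allowlist": []},
    ),
}


def stale_sources(last_event, now, max_age, required=REQUIRED_SOURCES):
    """Sources that never reported or whose newest event is older than max_age."""
    return sorted(s for s in required
                  if last_event.get(s) is None or now - last_event[s] > max_age)


def readiness(last_event=LAST_EVENT, now=NOW, analytics=ANALYTICS, max_age=MAX_AGE):
    """Go/no-go report: every source fresh and every analytic fires on its canary."""
    stale = stale_sources(last_event, now, max_age)
    failing, blocked = [], []
    for name, (source, query, canary) in analytics.items():
        try:
            fired = bool(query(canary))
        except Exception:          # KeyError on a renamed field, parse error: not working
            fired = False
        if not fired:
            failing.append(name)   # logic or field mapping broken: fix before the event
        elif source in stale:
            blocked.append(name)   # query is fine but nothing is flowing to it
    return {
        "ready": not stale and not failing,
        "stale_sources": stale,
        "failing_analytics": sorted(failing),
        "blocked_analytics": sorted(blocked),
    }


if __name__ == "__main__":
    for key, value in readiness().items():
        print(f"{key}: {value}")
```

Run this the day before and again the morning of the event. A failing analytic means the Blue team would have been blamed for a detection gap that is really a broken query; a blocked analytic means the query is sound but the emulation would never reach it, so the finding would be about the pipeline, not the detection logic.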
Scheduling
For Purple Team Exercises:
- Establish Purple Team Event date and prep schedule
- Invite emulators, defenders, facilitators to the event
- Invite stakeholders to a post-event read-out
Execution
Operationalized Purple Team
The Red team executes the prepared playbooks. Document the execution date/time. Take screenshots.
The Blue team validates detection. Document.
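Both the documentation template (what did we execute, expect, and actually see) and the execution steps just described (the Red team documents each execution date/time, the Blue team validates detection) come together in one correlation step. The following is an added example, written for this page and not part of PTEF or any SIEM: it matches the Red team's documented executions against the Blue team's alerts within a time window, classifies each step as blocked, detected or missed, and renders the template's three columns. Timestamps, rule names and results are constructed sample data, including an older unrelated alert that must not count.

```python
"""Added example: correlate the Red team's documented execution log with the Blue team's
alerts, then render the documentation template's three columns and a coverage summary.
Written for this page, not part of PTEF or any SIEM. Timestamps, rule names, techniques
and outcomes are constructed sample data."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Execution:           # one documented step of the Red team's playbook run
    technique_id: str
    action: str            # what did we execute?
    executed_at: datetime  # documented execution date/time
    expected: str          # what did we expect?


@dataclass
class Alert:               # one alert the Blue team pulled from SIEM/EDR
    rule: str
    technique_id: str
    fired_at: datetime
    blocked: bool          # control prevented the action (vs. alert only)


WINDOW = timedelta(minutes=15)   # alerts this long after execution count as detection


def observe(ex, alerts, window=WINDOW):
    """(outcome, time_to_detect, rules): outcome is blocked, detected or missed."""
    hits = [a for a in alerts
            if a.technique_id == ex.technique_id
            and ex.executed_at <= a.fired_at <= ex.executed_at + window]
    if not hits:
        return "missed", None, []
    first = min(hits, key=lambda a: a.fired_at)
    outcome = "blocked" if any(a.blocked for a in hits) else "detected"
    return outcome, first.fired_at - ex.executed_at, sorted({a.rule for a in hits})


def results_table(execs, alerts):
    """Markdown table in the 'What did we execute / expect / actually see' template."""
    rows = ["What did we execute? | What did we expect? | What did we actually see?",
            "---|---|---"]
    for ex in execs:
        outcome, ttd, rules = observe(ex, alerts)
        if outcome == "missed":
            seen = "missed: no alert within the window (defensive gap)"
        else:
            seen = f"{outcome} by {', '.join(rules)} after {int(ttd.total_seconds())}s"
        rows.append(f"{ex.action} ({ex.technique_id}) | {ex.expected} | {seen}")
    return "\n".join(rows)


def coverage(execs, alerts):
    """Counts per outcome, for the post-event read-out."""
    outcomes = [observe(ex, alerts)[0] for ex in execs]
    return {"total": len(outcomes), "blocked": outcomes.count("blocked"),
            "detected": outcomes.count("detected"), "missed": outcomes.count("missed")}


T0 = datetime(2024, 3, 1, 10, 0)   # constructed exercise start
EXECUTIONS = [
    Execution("T1204.002", "Clicked malicious payload", T0,
              "Untrusted macro execution should be blocked"),
    Execution("T1059.001", "Ran encoded PowerShell test command", T0 + timedelta(minutes=20),
              "Script block logging analytic should alert"),
    Execution("T1003.001", "LSASS memory access test", T0 + timedelta(minutes=40),
              "EDR should block and alert"),
    Execution("T1566.001", "Test attachment sent to exercise mailbox", T0 + timedelta(minutes=60),
              "Mail gateway should quarantine"),
]
ALERTS = [
    Alert("Office child process", "T1204.002", T0 + timedelta(seconds=45), blocked=False),  # macro ran
    Alert("Suspicious encoded PowerShell", "T1059.001", T0 + timedelta(minutes=23), blocked=False),
    Alert("Credential access", "T1003.001", T0 - timedelta(hours=2), blocked=True),  # before the test
    Alert("Mail gateway quarantine", "T1566.001", T0 + timedelta(minutes=60, seconds=10), blocked=True),
]

if __name__ == "__main__":
    print(results_table(EXECUTIONS, ALERTS))
    print(coverage(EXECUTIONS, ALERTS))
```

The first row reproduces the template's own example: the expectation was a block, what was actually seen was a detection after the user bypassed the prompt, which is a mitigation gap even though detection worked. The documented execution time is what makes the correlation possible; without it the older "Credential access" alert could be mistaken for a hit, which is why the Red team records date/time for every step.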
Purple Team Exercise
Purple teaming is adaptable. Consider on-the-fly changes for red to adapt to blue, or vice versa. However, keep in mind the initial objectives.
It is a live cat-and-mouse game, so you may need to adjust difficulty or behaviour in real time. If the Blue Team struggles, give them more information, such as which machine was targeted or the exact timestamp.
Encourage collaboration and sharing. Share viewpoints and ways to circumvent each other. Everyone wins; it is NOT about one team stomping the other.
Follow Up
Purple Team Exercise
Follow-up actions to optimize benefit. Incorporate results into next purple team exercise.
- Document what you uncovered during the purple team exercise:
  - Analytics that were developed, analytics that did not work so well
  - Vulnerabilities / weaknesses discovered
  - Defensive gaps discovered
  - Next steps and todos
- Act:
  - Deploy identified mitigations
  - Update response documentation / training / automation
- Plan for the next Purple Team:
  - Update defensive posture assessment
  - Identify next priority gaps to fill
  - Consider making this a recurring event
  - Address feedback from participants