Effective Purple Teaming Empower, Equip, And Enhance Your Cybersecurity Operations. PlexTrac, Inc. | Effective Purple Teaming Table of Contents 02 Introduction 03 Definitions, Terminologies, and Assumptions 05 The Status Quo: Red vs. Blue 07 Challenges with the Status Quo 13 Purple Teaming to the Rescue: Shifting the Paradigm 23 Conclusion PlexTrac, Inc. | Effective Purple Teaming 01 Introduction Cybersecurity is hard, presenting complex challenges to effectively managing enterprise risk. As the role of the Cybersecurity team has matured within organizations, the traditional roles of “Red Teams” and “Blue Teams” have been supplemented with the concept of “Purple Teams”. Security leaders have drawn an overwhelming consensus that purple team engagements, also known as purple teaming, provide immense value to rapid improvements in prevention, detection, and response techniques. Despite this consensus, little has been written to capture best practices for actually implementing Purple Team operations. In this paper, we will review the problems with the status quo that have given rise to the purple teaming concept. We will discuss how purple teaming attempts to mitigate these problems at the theoretical level. Finally, we will offer guidance on how to put the theory into practice with concrete actions in your environment. PlexTrac, Inc. | Effective Purple Teaming 02 Definitions, Terminology, and Assumptions Cybersecurity is a relatively new discipline, and as such even popular terms like “Red Team” and “Blue Team” may be interpreted and used differently by members of the community. So before leaping into discussion of the emerging concept of purple teaming, it is prudent to be clear about key terms. Assessment - An assessment is any activity that is used to identify weaknesses or gaps in an organizations security controls or risk posture. This definition is purposely broad as it is intended to capture all proactive activities conducted towards an organization. Examples of assessments include penetration tests, vulnerability scans, risk assessments, compliance assessments, security questionnaires, etc. Blue Team - Traditionally, the Blue Team refers to a subset of an organization’s technology team tasked with implementing the organization’s security controls and defending from cyber attacks. These key players are specifically tasked with the prevention, detection, triage and eradication of malicious cyber activity. As the defenders of the realm, they deploy a web of sensors that collect and aggregate data from across the environment using tools like Security Incident Event Management (SIEM) systems. They regularly build and exercise playbooks to guide their actions during the fog and friction of an actual incident. Increasingly, they are automating responses with tools like Security Orchestration and Response (SOAR) tools. Many IT professionals not specifically assigned to the security team routinely perform defensive functions such as patch management, hardening and ACL configuration. At PlexTrac, we take an inclusive view when referring to the Blue Team which incorporates all staff performing defensive activities. The Blue Team’s responsibilities are vast and often overwhelming, but in general the blue team is responsible for protecting the organization’s technology infrastructure from a breach. PlexTrac, Inc. | Effective Purple Teaming 03 Definitions, Terminology, and Assumptions Red Team - Red Teams exist to test the effectiveness of Blue Teams through proactive assessments. These professionals ideally use a defined methodology to thoroughly evaluate defenses, employing tools, tactics, techniques and procedures modeled after actual threat actors. These teams perform technical penetration testing, but may also use social engineering and counter-physical security skills to simulate adversary activities. Their tradecraft is often referred to as “offensive security,” a nod to their role in supporting the overall security objectives. From the PlexTrac perspective, we also incorporate any form of assessment team as part of the Red Team. We broaden the definition to include teams such as Governance, Risk, and Compliance (GRC) or internal and external audit teams. Effectively we consider the Red Team to be any person or team charged with conducting assessments that result in actions to be taken by the Blue Team for remediation and risk reduction. Purple Team - Traditionally, a Purple Team is considered a