What is the Role of Purple teaming and Why is it Important?
When hashing out your offensive security strategy, it’s not all about winning – especially when you’re role-playing as the hacker.
Red teams are out to attack. Blue teams are out to defend. While many assume that the goal of an engagement is for Red to best Blue, adopting a “Purple team” mindset focuses more on learning. It prioritizes growth over outcome and trains Blue so that Blue does better. And although a sense of competition can be fun, creating a more secure infrastructure ensures that everyone’s a winner.
The Purple Team Mindset
When it comes to the Purple mentality, it’s all about recognizing Red and Blue as the same team.
However, a Purple team is not a separate set of resources or its own actual team. It’s simply a mindset security practitioners need to adopt when strategizing offensive security and going into red team engagements.
Teams with a Purple mindset approach the challenge differently. Instead of spinning up an all-out engagement in the hope of catching the "target" unawares, the Red team plays Purple and acts as a training arm for the Blue team. Is infiltrating and testing the environment still part of the job? Yes. But the attack is the process, not the goal.
This team will not grade Blue on a "pass/fail" basis but will measure its ability to detect and respond to each attack on a sliding scale: was the action logged at all, did it raise an alert, and how quickly was it contained? Where does Blue fall on that scale, and what is required to move up it? The hybrid team prioritizes documentation and the after-action review, much like a football coach shows game film and walks through the errors made during practice. An occasional scrimmage is nice, but the point is to beat the actual opponent in the real game.
How to Purple Properly
Communication and learning are at the core of the process, but here’s where the rubber meets the road. In order to transition from a Red vs. Blue to a solid Purple culture, teams must:
- Begin with metrics in mind | Plan the engagement, limit your scope, know your focus, and have pre-determined metrics ready to chart: for example, the share of executed techniques that produced telemetry, the share that raised an alert, and the time from execution to detection and to response. It's like reading the questions before you look for the answers – you'll get a lot more out of it.
- Leverage Red and Blue strengths | Don't miss the opportunity to get the best from both teams. Ideally, the planning is collaborative. Blue teams and Red teams have different strengths and see things from two different perspectives, so get the leaders in the room and talk out the specifics beforehand with an ear for each side. Doing so before the engagement can be just as valuable as doing it afterwards.
- Establish communication channels | While talking through the engagement may not always be practical, teams should know how and when they can communicate and be provided avenues to do so securely. The object of a Purple team is to follow up, correct, and touch base for the purpose of learning. This can only happen when an established time and space for doing so is set aside, prioritized, and highlighted.
- Show your work | Good Red teamers jump through hoops and get creative, and so do good hackers. That’s important. But remember the most important part is making sure the Blue team understands what you did, how it worked, and why they (might have) failed. The whole point is that given the same scenario, they won’t fail again. This can be part of the final retrospective, as it can provide additional guidance on remediation and how to move forward. The engagement is the means to an end; education is the ultimate goal, and understanding where things went wrong is key to doing them better.
Once these steps are executed, retest on a regular basis so the work does not go to waste. You never want to stop the cycle of learning, especially after putting in so much effort to get your teams collaborating effectively on their first true Purple engagement. Threat actors change their tactics all the time, so retesting not only keeps the teams' communication sharp but also checks that the fixes from the last round still hold and that Blue is keeping pace with current attack techniques.
The Right Red Teaming Tools for Purple Engagements
Effective Purple teaming also comes down to the tools on hand. Sophisticated tools mean a steeper learning curve and more opportunities to learn. They also mean your team has a better chance of not meeting a given attack technique for the first time in the wild, with real data on the line and your systems at stake. Prevent that if you can.
And if you can’t, keep in mind that while it may be intimidating to use tactics your team has never seen before, it’s the only way to prepare them for tactics they’ve never seen before. At some point, they’ll need to develop the reflexes, and what better way than a safe skirmish with adversaries who can give advice?
For an effective engagement, you need the right Red team tools. While Purple is synonymous with learning and cooperation, if you don’t have a proper “Red team engagement” to go off of, there will be nothing to learn from. These Red team tools from Fortra will let you engage your teams at the highest levels, and do so from a Purple perspective:
Fortra’s Cobalt Strike mimics techniques used by today’s advanced adversaries, so your teams get the best preparation available. A sophisticated threat emulation tool, it can replicate the moves typical of a stealthy threat actor that has lain hidden on the network for months. Both your team and your technologies will be challenged to catch malicious patterns of attack. Beacon, Cobalt Strike’s asynchronous post-exploitation agent, lets you go beyond the initial compromise and prime your team on how to deal with everything that comes after, which is where the real trouble begins.
Outflank Security Tooling (OST) is a suite of tools created to simulate the sophisticated techniques of APTs and organized crime groups. This diverse set of tools covers every part of the attack chain and lets advanced teams perform technically specific tasks with ease. They are designed to get past defenses, evade detection, and give teams of any color a run for their money. After all, attackers will.
With the right tools and the right mindset, old “Red vs. Blue” teams can retool into Purple teams, mindfully sharpening skills and getting the most out of every engagement.
Want to Find Out More About Purple Team Tools?
Learn how to take your offensive security strategy to the next level in our webinar, Elevating Red Team Engagements with Advanced Tooling.