Contact us
Search
English

Do We Need a Purple Team?

Understanding Purple Teams

Blog Do We Need a Purple Team?
default

Alejandro Herrera

| 4 min read

Table of contents

Contact us

A good way to think of Purple Teams is that they are a mixture of Red or sword, and Blue or shield teams in pentesting processes. They are professional hackers that simulate attacks and protect an organization’s information.

Concept

In cybersecurity, organizations should understand that a Purple Team is a communication bridge that allows Blue and Red Teams to work together in a simulated cyberattack. The main goal is to help improve organization security posture. In other words, they can help coordinate and increase the effectiveness of both teams. We have to be careful with the implementation and execution of a Purple team [1], as Julian Arango [2] says:

In some cases, this interaction can propitiate malfunctions inside the organizations, especially when the affected parties are biased by their interest and can manipulate or conduct the results of a pentest.

What does a Purple Team do?

Important features are [3]:

  1. Analyze: They analyze the behavior and interactions between the Red and Blue Teams. Throughout the process, they can also generate recommendations, suggestions, and improvements for both parties. However in practice, if there are not well-defined cybersecurity objectives [4] and there are personal interests regarding the test outcome, it is likely that there will be a conflict of interest. The organization can then encounter a variety of problems including tampering of pentesting outcomes and lack of blindspot detection [5], among others.

  2. Detection: How the Red Team can bypass the detection capabilities of the Blue Team.

  3. Remedial Actions:: They can suggest fixes to avoid vulnerabilities.

  4. Transfer: Ultimately a company derives the maximum value from a Purple Team exercise by applying the new knowledge it acquires, while at the same time, ensuring stronger defenses to guard its information.

Get started with Fluid Attacks' Red Teaming solution right now

When does an organization need a Purple Team?

When Red and Blue Teams get out of sync with each other and/or have cooperation issues, it’s time to consider using a Purple Team. Some common causes that signal the need for a Purple Team are [6]:

  1. Bad Politics: Bad organizational politics does not encourage a good flow of internal information within an organization. An organization may evaluate the success of the Red Team by the amount of failed controls from the Blue Team, while the success of the Blue Team may be evaluated by the number of alerts. Therefore, partners may not be motivated to share information.

  2. Slow Feedback Loop: Needed information moves too slowly between the Red and Blue Teams or, in some cases, does not even move at all. There is poor communication between the teams.

  3. Mindset: Each team works separately to obtain its objectives. For instance, the Red Team enhances offensive exploit. The Blue Team enhances defensive findings. This mindset can weaken and damage the overall security system of an organization.

  4. Arrogance: Each team believes they are superior to the other team, and therefore, neither team recognizes the need to share information between them.

  5. Restricted: The Red Team is pulled inside the organization and becomes restricted, ultimately resulting in a catastrophic reduction in its effectiveness.

  6. Bad Design: The Red Team and Blue Team are not designed to interact with each other continuously, as a matter of course. Therefore, lessons learned on each side remain within each team but are effectively lost to the other.

  7. Separate Efforts: Information security management does not see the Red and Blue Teams as cooperating partners within the same work project. There are no shared metrics between them.

"Red vs Blue"

Red vs. Blue (photo by Samuel Zeller on Unsplash).

If your organization has one or more of these issues, a Purple Team could be your solution. Rather than considering it as a separate group of people, organizations should consider a Purple Team as a bridge facilitating maximum effective communication between Red and Blue partners.

What is not the solution?

It is not, under any circumstances, recommended that an organization use a permanent and separate Purple Team as intermediaries between the Red and Blue Teams. This would not solve the underlying problem, which is a breakdown in communication and collaboration between these teams.

So what are the possible solutions?

We need to improve communication and cooperation between teams. The following techniques can be used to accomplish both of these.

  • Team Engagement: A third party analyzes how the Red and Blue teams regularly communicate and cooperate. Based on this analysis, the third-party makes recommendations. This measure is momentary and finite. The main goal of this technique is [7]: to make the communication process smoother and to ease knowledge transfer.

    1. Team Exercise: Both teams are monitored in real-time to see how they work. The main goal of this technique is [8]: to evaluate your security controls and ability to detect attacks, to compromise, for lateral movement, to command and to control communications, and data exfiltration. This technique enriches and validates the detection mechanisms used in situ and helps to identify and reduce cyber attack paths.

    2. Team Meetings: Periodically, Red and Blue Teams meet to share knowledge and give feedback about attacks and defenses used in the pentest process.

The benefits of appropriate implementation

Appropriate implementation will create a better flow of information between Red and Blue Teams which means, Red Team will learn how Blue Team is detecting and mitigating their offenses, and Blue Team will understand how Red Team is bypassing their defenses. This loop of enhanced communication and knowledge sharing between teams improves the organization’s security posture.

Conclusion

A Purple Team should be understood as a temporary intermediary facilitating communication and collaboration between Red and Blue Teams, allowing information to flow in a continuous loop which enhances the abilities of both teams. Under no circumstances should it be used as a permanent group to mediate the relationship between a Red and Blue Team.

References

  1. My Experience Coleading Purple Team..

  2. The Roles of Red, Blue and Purple Teams.

  3. The Definition of a Purple Team.

  4. The Purple Team Pentest.

  5. Purple Team Assessment Service.

  6. A Conflict of Interest?

  7. Attacking Without Announcing.

Tags:

Subscribe to our blog

Sign up for Fluid Attacks' weekly newsletter.

Recommended blog posts

You might be interested in the following related posts.

Photo by James Lee on Unsplash

On the CrowdStrike Incident

A lesson of this global IT crash is to shift left

Photo by CardMapr on Unsplash

Securing Online Payment Systems

Users put their trust in you; they must be protected

Photo by Wilhelm Gunkel on Unsplash

Commitment Should Show

Transparency for fewer supply chain attacks

Photo by Sarah Kilian on Unsplash

Site Crashed? Not Your Bank's!

Develop bank applications that resist DDoS attacks

Photo by Towfiqu barbhuiya on Unsplash

The Complex Path to Bank Compliance

Ensuring compliance and security in the banking sector

Photo by Andre Taissin on Unsplash

Cybersecurity in Banking

With great convenience comes increased risk

Photo by FlyD on Unsplash

Safe Supply Chain in Financial Orgs

Software supply chain management in financial services

Start your 21-day free trial

Discover the benefits of our Continuous Hacking solution, which hundreds of organizations are already enjoying.

Start your 21-day free trial
Fluid Logo Footer

Hacking software for over 20 years

Fluid Attacks tests applications and other systems, covering all software development stages. Our team assists clients in quickly identifying and managing vulnerabilities to reduce the risk of incidents and deploy secure technology.

Service

Continuous Hacking

Platform overview

Solutions

Application security

Compliance

Systems

Testing Techniques

ASPM

SAST

DAST

MPT

MAST

SCA

CSPM

PTaaS

RE

SCR

Plans

Essential

Advanced

Resources

Blog

Learn

Advisories

Clients

Downloadables

Documentation

Company

About us

Certifications

Partners

Careers

Contact us

Ethics Hotline

Copyright © 0 Fluid Attacks. We hack your software. All rights reserved.

Service status

Terms of use

Privacy policy

Cookie policy