
Do we need a Purple team?

How can we understand purple teams?
In this blog, we will show you the basics of Purple teams. We will address some topics such as what they are, what they are not, when they are needed, what they do, what an organization should not do and possible ways to implement them successfully in an organization.
Alejandro Herrera | politics | 2019-10-04



A Purple team can be understood as a mixture of the Red (sword) and Blue (shield) teams in pentesting processes: professional hackers who both simulate attacks on an organization and protect it.

Notions

In cybersecurity, organizations should understand the Purple team as a communication bridge that allows the Blue and Red teams to work together in a simulated cyberattack. The main goal is to help improve the organization's security posture. In other words, a Purple team can help coordinate both teams and increase their effectiveness. We have to be careful with the implementation and execution of a Purple team [1], as Julian Arango [2] says:

A Conflict of Interest?
"In some cases, this interaction can propitiate malfunctions inside the organizations, especially when the affected parties are biased by their interest and can manipulate or conduct the results of a pentest."

What does a Purple team do?

Some of the highlights are [3]:

  1. Analyze: They analyze the behavior and interactions between the Red and Blue teams. Along the way, they can generate recommendations, suggestions and improvements for both parties. In practice, if there are no well-defined cybersecurity objectives [4] and there are personal interests in the test outcome, a conflict of interest is likely to appear. The organization can then suffer a steered pentest, tampering with pentesting outcomes, a lack of blindspot detection [5], among other problems.

  2. Detection: They determine how the Red team can bypass the detection capabilities of the Blue team.

  3. Remedial actions: They can suggest fixes to close the vulnerabilities found.

  4. Transfer: Ultimately, they derive maximum value from the exercise by applying the new knowledge and ensuring strong defenses.

When does an organization need a Purple team?

Unfortunately, Red and Blue teams can get out of sync with each other and have some cooperation issues. Some common causes are [6]:

  1. Bad politics: Organizational politics does not encourage the flow of information. The success of the Red team is measured by the number of Blue team controls that failed, and the success of the Blue team by the number of alerts. Therefore the partners are not motivated to share information.

  2. Slow feedback loop: Information moves too slowly between teams or, in some cases, does not move at all. There is poor communication between teams.

  3. Mindset: Each team works separately to reach its own objectives. For instance, the Red team will focus on enhancing its offensive exploits, while the Blue team will focus on enhancing its defensive findings. This mindset can damage the overall security of an organization.

  4. Arrogance: The Red team thinks itself too elite to share information with the Blue team.

  5. Restricted: The Red team is pulled inside the organization and becomes restricted, ultimately resulting in a catastrophic reduction in its effectiveness.

  6. Bad design: The Red team and Blue team are not designed to interact with each other continuously, as a matter of course, so lessons learned on each side are effectively lost.

  7. Separate efforts: Information security management does not see the Red and Blue teams as part of the same work. There are no shared metrics between them.

Figure 1. Red vs Blue, source: Photo by Samuel Zeller on Unsplash.

If your organization presents one of these illnesses, it is more likely to consider a Purple team as a solution. Rather than treating it as a separate group of people, the organization should consider it a helper function between the Red and Blue partners.

What is not the solution?

Under no circumstance is it recommended to create a separate group of people who permanently carry out the intermediation between the Red and Blue teams. This measure would not solve the underlying problem, which is improving communication and collaboration between the teams.

So what are the possible solutions?

We need to improve communication and cooperation between teams. The following techniques can be used to enhance these two aspects.

  1. Team engagement: A third party regularly analyzes how the Red and Blue teams communicate and cooperate. Based on their behavior, the third party makes recommendations. This measure is temporary and finite. The main goal of this technique is [7] to make the communication process smoother and to ease knowledge transfer.

  2. Team exercise: Someone monitors both teams in real time to see how they work. The main goal of this technique is [8] to evaluate your security controls and your ability to detect attacks, compromise, lateral movement, command-and-control communications, and data exfiltration. This technique enriches and validates the detection mechanisms used in situ and helps to identify and reduce cyberattack paths.

  3. Team meetings: Periodically, the Red and Blue teams meet to share knowledge and give feedback about the attacks and defenses used in the pentesting process.

The benefits of an appropriate implementation

It will create a better flow of information between the Red and Blue teams: Red will learn how Blue is detecting and mitigating its offensives, and Blue will learn how Red is bypassing its defenses. This loop of mutual enhancement between the Red and Blue teams improves the organization's security posture.

Conclusion

A Purple team should be understood as a function of the Red and Blue teams, a mixture of both sides of the same coin, where information flows in an endless loop that enhances the abilities of both. Under no circumstance should it be understood as a permanent group of people who mediate the relationship between the Red and Blue teams.

Alejandro Herrera

Tourism Business Administrator

Passionate about programming