In another blog post, we busted a few myths about the “What, how, and why” of purple team testing.
This time, we want to go further and talk about the “when” of purple teaming.
Below, we explain when an organisation is ready for purple team testing, the exact situations where purple teaming will deliver the most value, purple team testing timelines, and what happens after a purple teaming exercise is done.
Are You Ready for Purple Team Testing?
As we explained in our previous blog post, there are two critical participants in a purple teaming exercise: the red team (RT, typically an external team like SECFORCE) and the organisation’s blue team (BT).
Optionally, purple team testing could involve a threat intelligence (TI) provider (which could be the same external team providing red teaming or an internal function of the organisation).
For purple team testing, only the blue team (BT) comes, by necessity, from the organisation being tested. Red teaming (and optionally TI) support can be, and typically is, brought in from outside for the duration of the purple teaming exercise.
Purple teaming requires an organisation to have an active blue team, as their involvement is crucial for the success of the engagement. The BT’s job is to monitor the relevant controls and logs as the attacks occur, provide feedback to the RT about the performance of their defences, and implement any recommended changes.
To do this, the blue team often needs to have access to a security information and event management (SIEM) solution and run a security operations centre (SOC). These capabilities can be run in-house or outsourced to a managed security service provider (MSSP) or another partner.
You could theoretically do purple team testing with a very small security team, provided they have outsourced support. The only truly essential ingredient is that there are people in the organisation able to actively participate in the purple teaming exercise, with access and expertise to monitor security events, and who take responsibility for implementing the exercise’s findings.
The core security technology needed for purple team testing is a way to collect and analyse logs (for example, a SIEM). Purple team testing will be customised to whatever controls are in place beyond this.
A simple question a security leader could ask to determine whether the blue team is ready for purple teaming is, “Does the blue team have the necessary tools and are its members engaged in their jobs?”
The best purple teaming exercises happen when an organisation has an active blue team.
“Dormant” teams, which silently sit in on purple teaming exercises, won't be able to give the red team enough information to do a thorough test and won’t expand their knowledge by participating. Even if you hire the best red team in the world, you still need your blue team to be engaged in the purple team testing exercise.
When to Do Purple Team Testing?
Purple teaming is a way to test security controls. The best time to do purple team testing is when something changes, or there is a knowledge gap.
We would advise a CISO to do purple teaming:
- After implementing new security controls. Say you installed a new endpoint detection and response (EDR) solution. A purple team testing exercise can train the blue team on how the EDR works in their environment and get real telemetry they can map to the MITRE ATT&CK framework.
- When preparing for CBEST, TIBER, or other regulated testing scenarios. Purple team testing can show you where your gaps are before a regulated test, reducing potential oversight and the possibility of fines and increasing your chances of good results.
- If the organisation’s security posture hasn’t been tested in a while or there is a lack of clarity around the efficiency of security controls and teams. This is a great use case for purple teaming, where you can mimic a vast range of tactics, techniques, and procedures (TTPs) up to and including advanced persistent threats (APTs).
How Long Does Purple Team Testing Take?
We recommend dedicating three to four weeks to a purple team testing exercise.
During this period, the purple team exercise is managed weekly. The red team prepares attacks in the first part of each week, and the blue and red teams run through the TTPs being tested in the second part (typically two to three days).
Purple teaming does not require the entire blue team to participate for the whole of an exercise. The blue team typically needs to be present for about half of the testing days: if there are five days of testing, for example, the blue team might be involved for two or three of them.
Who's involved in the actual testing will depend on what's happening on any given day. For example, a purple teaming consultant will not call on an Active Directory team when running TTPs limited to workstations.
Purple Team Testing Deliverables & Outcomes
After the purple team testing period ends, a consultant will give the organisation tested an executive report.
As well as a high-level summary, this report gives the organisation data collected about:
- TTP execution metrics: How many TTPs were executed, detected, and blocked, both initially and after any changes implemented during the engagement (SECFORCE helps the blue team develop custom rules or reconfigure and enhance certain detection controls, but not all offensive security providers do; ask a potential provider whether they offer this kind of support). This section includes performance comparisons before and after the exercise.
- Timestamps and log correlation: Detailed timestamps of command executions, allowing for precise log correlation and analysis of events.
- Kill chain metrics: Metrics across different kill chain phases, showing where detections and blocks occurred, thus highlighting strengths and weaknesses per area.
The tested organisation also receives a roadmap and recommendations for how to boost its cyber resilience.
Part of this includes mapping purple team testing findings to the MITRE ATT&CK framework, providing a clear view of coverage and areas that need improvement.
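The three report sections above (TTP execution metrics before and after rule changes, command-to-log timestamp correlation, and per-kill-chain-phase results) and the ATT&CK coverage view are straightforward to derive once the red team's execution log and the SIEM's alert export are in a structured form. The script below is an added example, not SECFORCE's own tooling or report format. Its sample data is constructed: four ATT&CK techniques run once before and once after the blue team deployed custom rules, plus a handful of invented SIEM alerts tagged with technique IDs. The five-minute correlation window and the "missed / detected / blocked" outcome scale are assumptions for the illustration.

```python
"""Purple team scorecard: per-phase metrics, before/after comparison,
ATT&CK coverage gaps, and command-to-alert latency.
Added example with constructed data; not output from a real engagement."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class TTPResult:
    """One executed TTP, as recorded by the red team during a run."""
    run: str            # "before" or "after" the blue team's rule changes
    technique: str      # MITRE ATT&CK technique ID
    phase: str          # kill chain phase (ATT&CK tactic name)
    executed_at: datetime
    detected: bool      # blue team raised an alert for this execution
    blocked: bool       # a control prevented the action


@dataclass(frozen=True)
class SiemEvent:
    """One alert exported from the SIEM, already tagged with a technique ID."""
    seen_at: datetime
    rule: str
    technique: str


# Constructed sample (not from a real engagement): the same four TTPs run on
# day one, then again the next day after custom detection rules were deployed.
_T0 = datetime(2024, 3, 4, 9, 0)
_T1 = datetime(2024, 3, 5, 9, 0)
SAMPLE_RESULTS = [
    TTPResult("before", "T1566.001", "Initial Access", _T0, True, True),
    TTPResult("before", "T1059.001", "Execution", _T0 + timedelta(minutes=10), False, False),
    TTPResult("before", "T1003.001", "Credential Access", _T0 + timedelta(minutes=25), True, False),
    TTPResult("before", "T1021.002", "Lateral Movement", _T0 + timedelta(minutes=40), False, False),
    TTPResult("after", "T1566.001", "Initial Access", _T1, True, True),
    TTPResult("after", "T1059.001", "Execution", _T1 + timedelta(minutes=10), True, False),
    TTPResult("after", "T1003.001", "Credential Access", _T1 + timedelta(minutes=25), True, True),
    TTPResult("after", "T1021.002", "Lateral Movement", _T1 + timedelta(minutes=40), False, False),
]
SAMPLE_EVENTS = [  # constructed alert export; rule names are invented
    SiemEvent(_T0 + timedelta(seconds=30), "Mail gateway: attachment blocked", "T1566.001"),
    SiemEvent(_T0 + timedelta(minutes=27), "EDR: credential dump attempt", "T1003.001"),
    SiemEvent(_T0 + timedelta(hours=3), "Unrelated alert (noise)", "T1078"),
    SiemEvent(_T1 + timedelta(seconds=20), "Mail gateway: attachment blocked", "T1566.001"),
    SiemEvent(_T1 + timedelta(minutes=10, seconds=45), "Custom rule: encoded PowerShell", "T1059.001"),
    SiemEvent(_T1 + timedelta(minutes=26, seconds=30), "EDR: credential dump blocked", "T1003.001"),
]

_RANK = {"missed": 0, "detected": 1, "blocked": 2}  # assumed ordering of outcomes


def outcome(r: TTPResult) -> str:
    """Collapse the two flags into a single ordered outcome label."""
    if r.blocked:
        return "blocked"
    return "detected" if r.detected else "missed"


def phase_metrics(results, run):
    """Executed/detected/blocked counts per kill chain phase for one run."""
    table = defaultdict(lambda: {"executed": 0, "detected": 0, "blocked": 0})
    for r in results:
        if r.run == run:
            row = table[r.phase]
            row["executed"] += 1
            row["detected"] += int(r.detected)
            row["blocked"] += int(r.blocked)
    return dict(table)


def detection_rate(results, run):
    """Fraction of executed TTPs that produced an alert in the given run."""
    rows = phase_metrics(results, run).values()
    executed = sum(x["executed"] for x in rows)
    return sum(x["detected"] for x in rows) / executed if executed else 0.0


def before_after(results):
    """Per-technique (before, after) outcome; a technique absent from a run counts as missed."""
    by_tech = defaultdict(dict)
    for r in results:
        by_tech[r.technique][r.run] = outcome(r)
    return {t: (o.get("before", "missed"), o.get("after", "missed")) for t, o in by_tech.items()}


def improved(results):
    """Techniques whose outcome moved up the scale after the blue team's changes."""
    return sorted(t for t, (b, a) in before_after(results).items() if _RANK[a] > _RANK[b])


def coverage_gaps(results, run):
    """Techniques neither detected nor blocked in a run: the red cells on an ATT&CK coverage map."""
    return sorted(r.technique for r in results if r.run == run and outcome(r) == "missed")


def detection_latency(results, events, window=timedelta(minutes=5)):
    """Seconds from command execution to the first SIEM alert with the same
    technique ID inside `window`, or None when no alert correlates."""
    latency = {}
    for r in results:
        hits = [e.seen_at for e in events
                if e.technique == r.technique and r.executed_at <= e.seen_at <= r.executed_at + window]
        latency[(r.run, r.technique)] = (min(hits) - r.executed_at).total_seconds() if hits else None
    return latency


if __name__ == "__main__":
    for run in ("before", "after"):
        print(run, f"detection rate {detection_rate(SAMPLE_RESULTS, run):.0%}", phase_metrics(SAMPLE_RESULTS, run))
    print("improved:", improved(SAMPLE_RESULTS), "still missed after:", coverage_gaps(SAMPLE_RESULTS, "after"))
    print("latency (s):", detection_latency(SAMPLE_RESULTS, SAMPLE_EVENTS))
```

Correlating on technique ID plus a time window is the simplest usable key; in practice the red team's execution log would also carry the host and the command line so that a single noisy rule cannot claim credit for every execution of that technique. The `detection_latency` result is the "time to detect" figure that makes the timestamp section of the report actionable, and `coverage_gaps` on the "after" run is the list that should feed the resilience roadmap.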
Most of the time, it's up to the blue team to implement any recommendations.
However, a dedicated purple teaming consultancy like SECFORCE will go a step further and provide custom rule development. Our team can work with your blue team to develop and implement custom detection rules tailored to your environment, improving detection and response capabilities.
The SECFORCE Purple Teaming Advantage
At SECFORCE, we go the extra mile to design and run the best possible purple teaming exercises for our clients.
Want to learn more about our purple teaming services?
Contact us today.