Terminology and acronyms in cyber security can get confusing. What makes it even more challenging is that the way one organization uses a particular term may differ from how another group uses the same phrase. For example, when trying to distinguish between Blue Team, Red Team, Black Box, White Box, and now Purple Team exercises, it can be hard to know whether you are dealing with terminology or marketing buzzwords unless you are a security testing insider. Even more confusing, some organizations have begun advocating for yellow, orange, and even green teams! When it comes time to plan your security initiatives for the upcoming year, however, you need to know what kind of security testing is going to give you the best results. Are we talking about offense or defense? Internal or external? Penetration testing or a vulnerability assessment? One-time or ongoing? We can explore a number of these topics going forward, but I am going to focus specifically on Purple Team exercises in this blog, laying out key definitions, the purpose behind this style of exercise, the key stakeholders you will want to involve, and what outcomes you should expect.
Going Beyond the Traditional Attack – Defend – Report – Repeat cycle
The recent trend of increased granularity when conducting a penetration test, along with its associated colorful naming system, demonstrates a strong requirement to align security testing with the capabilities of the organization. What this should signify is not the need to have a team for every color in the rainbow, but recognition of a significant shift in organizations’ approach to IT-Security. These new color assignations are primarily tied to the processes around remediation and the proactive steps that will actually turn the dials on your security posture, quarter over quarter. In other words, people are starting to catch on to the fact that many organizations go pentest to pentest or scan to scan without any significant improvement to their security posture. So there is a push for someone within (or on behalf of) your organization to own the tasks and outcomes. Whether you call them yellow or green teams, someone has to be proactively implementing new controls, patching and remediating identified vulnerabilities, pushing policies out to endpoints, and training end users: basically, growing your existing program.
The reality is that as hard as folks are working to protect themselves, budget or internal staff constraints mean that for most organizations, there is a strong disconnect between Red Team and Blue Team at the end of the day. What this means is that despite annual or quarterly penetration tests, many of the vulnerabilities identified are likely to go un-remediated due to the lack of time, budget, and internal expertise needed to effectively address the underlying gaps and vulnerabilities. Not to mention the gaps or vulnerabilities that were not uncovered.
What kinds of testing and which kinds of teams do I need to understand?
Firstly, let’s define terminology. While there are many terms and buzzwords people may reference, the most important thing to define is the goals and anticipated outcomes of your security testing process. Narrowing down which kind of testing will make the most impact can be challenging, but here are some key questions to help you through the selection process:
- What is your ultimate goal for testing?
- Do you have a dedicated IT Security team?
- When was the last time you undertook a live test of your Incident Response plan?
- Have you deployed new technologies since the last security test?
- During the last breach or IR exercise, were there gaps or blind spots identified?
Red Team Defined
In its purest form, a simulated attack is what you’ve heard called a Penetration Test, wherein a Red Team (typically external/outsourced) takes an adversarial approach to launching an attack on some part of your environment or a particular application to see how far they can get before the Blue Team finds or stops them. The goal of a Red Team is to identify any areas you may have thought were secure, but which may need some attention before they actually hold up in an attack. A Red Team’s goal is not necessarily to find every single weakness, every single time, because their aim is to take whichever route gets them in the door first, exactly like a real cyber criminal would. That’s why many organizations undertake a full-scale penetration test multiple times throughout the year, and why it does not take the place of other security duties such as vulnerability management.
Blue Team Defined
A Blue Team is defined as the group of people who comprise your organization’s cyber defense: every person who is tied into the implementation, ongoing evaluation, and effective management of security controls within your environment. Depending on how you have assembled your team, that may range from your internal IT-Security teams, to whoever is managing your security, to an outsourced cloud platform host or manager, to numerous cyber security vendors. Before you turn a Red Team loose to undertake a formal attack on your environment, you will want to be sure the Blue Team has had a chance to assess for high-level gaps and remediate them first. Metaphorically speaking, no coach would walk into a preseason scrimmage without at least running a few practices, assigning positions, trying out some key plays, and providing instruction around known areas of weakness first. Essentially, security testing is like a war game, in that the attack scenarios are exactly like those cyber criminals utilize, but no one actually gets hurt and your data is not actually stolen, nor are your systems actually hijacked or destroyed.
Where does Purple Team fit?
Purple Team Exercises pull everyone on the Red and Blue teams together for a pre-planned exercise that includes testing and remediation in one setting, like a coached scrimmage. Additionally, Purple Team Exercises typically cover more than just the first available path to compromise your defenses. More like Tabletop Exercises, the Red Team will emulate multiple Tactics, Techniques, and Procedures (TTPs) throughout the engagement, launching each attack and waiting for the Blue Team to indicate detection of and response to that particular style of attack, identifying any weaknesses or gaps in detection and response, and immediately supporting remediation of the issue. So, you walk away with a more comprehensive picture of what needed to be addressed, in addition to knowing that dials are actively being turned to harden your environment, right away.
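The exercise loop described above (emulate a TTP, wait for the Blue Team to report what it saw, record the gap and the fix agreed on the spot) is easy to lose track of without a scorecard. The following Python is an added example, not code from TRUE or the original post; the ATT&CK technique IDs are real, but the exercise outcomes and remediation notes are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Outcome(IntEnum):
    """How far the Blue Team got for one emulated technique, in increasing order."""
    MISSED = 0      # no telemetry at all
    LOGGED = 1      # evidence exists in logs, but nobody was alerted
    ALERTED = 2     # an alert fired, but no response action was taken
    RESPONDED = 3   # alert fired and the Blue Team contained the activity


@dataclass
class TtpRun:
    technique: str          # ATT&CK technique ID (real IDs; results below are constructed)
    name: str
    outcome: Outcome
    remediation: str = ""   # control agreed during the exercise, empty if none yet


@dataclass
class Scorecard:
    runs: list[TtpRun] = field(default_factory=list)

    def record(self, run: TtpRun) -> None:
        self.runs.append(run)

    def detection_rate(self) -> float:
        """Share of emulated techniques that at least produced an alert."""
        if not self.runs:
            return 0.0
        hit = sum(1 for r in self.runs if r.outcome >= Outcome.ALERTED)
        return hit / len(self.runs)

    def gaps(self) -> list[str]:
        """Techniques that never produced an alert, worst first (MISSED before LOGGED)."""
        weak = [r for r in self.runs if r.outcome < Outcome.ALERTED]
        return [r.technique for r in sorted(weak, key=lambda r: r.outcome)]

    def open_remediations(self) -> list[tuple[str, str]]:
        """Gaps that left the exercise with no agreed control assigned to them."""
        return [(r.technique, r.name) for r in self.runs
                if r.outcome < Outcome.ALERTED and not r.remediation]


def sample_exercise() -> Scorecard:
    """Constructed results for one exercise; outcomes are illustrative, not measured."""
    card = Scorecard()
    card.record(TtpRun("T1566.001", "Spearphishing attachment", Outcome.RESPONDED))
    card.record(TtpRun("T1059.001", "PowerShell execution", Outcome.ALERTED))
    card.record(TtpRun("T1003.001", "LSASS memory credential dump", Outcome.LOGGED,
                       remediation="enable credential-dump detection rule"))
    card.record(TtpRun("T1021.002", "Lateral movement via SMB admin shares", Outcome.MISSED))
    return card
```

Running the same scorecard again after the agreed controls are in place is how you show the dials actually moved between exercises.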
Benefits of Purple Team Testing
Purple Team Exercises are extremely useful in validating the efficacy and security of your comprehensive security program, in addition to other testing you perform. Without this kind of testing, you either simply rely on each of your vendors’ and stakeholders’ word when they tell you they are secure, or you hand your Blue Team a report and hope the necessary remediation happens sometime in the coming months or year. In cyber security, however, nothing should be taken for granted, and you have no way of knowing that you won’t be attacked between today and remediation day.
Security is a Team Sport
In conclusion, taking proactive steps to identify weaknesses in your defense strategy is the only way to maintain a strong security posture. Attackers simply have too many resources and capabilities for an organization to be only reactive in its security program. If everyone rolled out a flawless defense on day one, you wouldn’t see the high-profile breaches we see regularly. That is not reality, and there is no such thing as a perfect defense. By way of example, FireEye, a network, cloud, and endpoint security provider, and their vendor SolarWinds recently disclosed a major breach, where a potential nation state attacker seemed to be ultimately targeting their key government clients. First of all, the fact that FireEye publicly disclosed their breach demonstrates a best practice that other organizations can learn from. Secondly, this occurrence also highlights the fact that every system, every team, and every expert should undergo testing and validation. TRUE subscribes to this practice, testing and monitoring our internal environment as well as those of our clients. We acknowledge that security is a team sport, and as trusted members of our clients’ teams, we are always looking for ways to “take a dose of our own medicine” internally, but also to partner with them in constantly hardening and improving their security posture. Purple Team Exercises are just one more example of our commitment at TRUE to achieving cyber security by design together with our clients, as a team.
To learn more about what kind of security testing could be right for you, visit https://truedigitalsecurity.com/cyber-security-vulnerabilities or simply reach out to us: firstname.lastname@example.org.