We have recently expanded our capabilities with the launch of a formal Purple Team, forming a bridge between our Penetration Testing service (Red Team) and Managed SOC (Blue Team). Who knew Cyber Security was so colourful? With that said, what is a Purple Team and what does this new capability mean for our customers?
We sat down with our newly appointed Head of Purple Team, Joel Dyer, so he can fill you in on all you need to know.
Joel's role as Head of Purple Team is unique in that it allows him to engage customers from both a red and a blue team perspective, whether that is working alongside existing teams within an organisation to help develop a more collaborative experience, or representing an offensive and defensive perspective when reviewing an organisation's security posture. Joel brings a fresh approach and viewpoint when looking to assess and improve an organisation's security posture.
What Does a Purple Team Mean?
Purple teaming is the concept of offensive security professionals (the red team) and defensive security professionals (the blue team) collaborating closely in order to enhance an organisation's cyber security effectiveness through imitation of real-world threats against that organisation.
With an ever-evolving threat landscape it is important to undertake these exercises to ensure that your security posture remains up to date, whilst also allowing your methods of prevention and defence to be validated and improved upon.
Double-blind exercises, in which the blue team is not told the attack is a simulation, test your incident response capabilities under real-world threat conditions. Exercising the entire lifecycle of an incident lets you track and monitor both your processes and the lessons learnt, allowing your security functions to evolve and grow.
Mature organisations will typically run purple team exercises annually or more frequently, but the right cadence depends on the business's needs and priorities.
What Does Our Purple Team Exercise Bring to Our Customers?
A red team's role is to identify security gaps and vulnerabilities by simulating real-world cyber-attack conditions and testing the defence capabilities of an organisation. The blue team, on the other hand, is responsible for detecting, hunting, and responding to threats in order to remediate them.
By collaborating closely and applying purple team concepts, organisations can greatly improve their security posture through a continuous improvement cycle:
Improving Security Knowledge and Experience
By simulating a real-world attack, the blue team gains a better understanding of how attackers operate. This allows for more effective deployment of technologies and detection rules, as well as the opportunity to study the tactics, techniques, and procedures of threat actors. This is best achieved through a double-blind exercise: if the blue team is not aware of the test, it has to respond as it would to a real incident. Following the exercise, bringing both teams together to discuss lessons learnt and areas for improvement gives greater insight into the vulnerabilities found and allows better mitigations to be carried out.
Gaining Insight into Security Posture Effectiveness
Working as a purple team provides a critical understanding of the gaps in the security posture and identifies areas that require improvement. Was the simulation run by the red team detected by the blue team or did the attack go under the radar? Through close collaboration new detection rules can be developed and technologies tuned to close gaps and improve your security posture.
Faster Turnaround of Remediations
Depending on the organisation, gaps identified in the security posture can be worked on and remediated in a more agile continuous improvement cycle as soon as they are found.
By combining red and blue team activities, an organisation can increase velocity of delivering improvements to its security posture at potentially lower costs.
Overall, a purple team approach allows for more collaboration, which in turn leads to better efficiency, builds an understanding of the attacker's mindset and allows an organisation to raise its security posture in line with these threats. The end goal is a better security posture and a clearer understanding of both the threats and their remediations, so that your organisation remains protected as the threat landscape continues to evolve.
What are the Current Challenges and Threats Organisations are Facing?
As well as the usual suspects such as ransomware and phishing, which remain significant threats to organisations, perhaps one of the biggest challenges faced is ensuring that your cyber security maturity keeps pace with the rate of change.
The world is a very different place than it was pre-Covid, and this has brought many opportunities for home and remote working, increased use of cloud services and new technologies. With these come new risks, misconfigurations, and vulnerabilities, which make it difficult for organisations to effectively manage and improve their cyber security posture.
Whether the response is technology awareness and knowledge, improved monitoring, increased education or updated cyber security policies, it has an impact at both a budget and a resource level, and can compete with investment in improving the security posture itself.
What Does a Purple Team Exercise at CyberCrowd look like?
Although we are only now formalising the role of Head of Purple Team, we are not new players on the pitch.
A popular use case for our Purple Team is testing the effectiveness of existing investment in a security operations centre, both from a return-on-investment perspective and as a test of the controls that have been deployed.
A recent project with an organisation in Ireland was carried out specifically to understand how the SOC team would respond to a potential attack.
The scope was to assess the effectiveness of the organisation's Managed Security Operations Center (SOC) in detecting, analysing, and responding to security incidents, to identify areas for improvement, and to enhance the collaboration between the organisation's internal security team and the Managed SOC provider.
The project included the following steps:
- Define the scope and objectives of the assessment.
- Review the existing Service Level Agreements (SLAs) and contracts with the Managed SOC provider.
- Identify key performance indicators (KPIs) to measure the effectiveness of the Managed SOC.
- Share relevant security documentation, network architecture, and incident response procedures with the Managed SOC provider.
- Facilitate knowledge transfer sessions between the internal security team and the Managed SOC analysts.
- Establish communication channels and escalation procedures for incident reporting and coordination.
Red Team Assessment:
- Simulate realistic attack scenarios to test the detection and response capabilities of the Managed SOC.
- Conduct penetration testing, vulnerability scanning, and social engineering exercises to evaluate the effectiveness of the Managed SOC’s incident response process.
- Document the findings, including the time taken to detect and respond to simulated attacks.
Blue Team Analysis:
- Monitor and analyse the alerts and incidents handled by the Managed SOC.
- Evaluate the quality and accuracy of incident triaging, investigation, and response activities.
- Review the efficiency of communication and coordination between the internal security team and the Managed SOC.
Collaboration and Feedback:
- Arrange regular meetings and workshops between the internal security team and the Managed SOC provider to discuss findings, observations, and recommendations.
- Share insights and knowledge gained during the assessment to improve incident response capabilities.
- Collaboratively develop strategies and action plans to address any identified gaps or weaknesses.
Enhancements and Remediation:
- Implement recommended changes and updates to the incident response procedures and workflows.
- Conduct training sessions and awareness programs to enhance the skills and knowledge of the internal security team and Managed SOC analysts.
- Enhance the integration of security tools, log management systems, and threat intelligence feeds to improve detection and response capabilities.
Documentation and Reporting:
- Prepare a comprehensive assessment report documenting the evaluation methodology, findings, and recommendations.
- Highlight strengths and weaknesses of the Managed SOC and provide actionable insights to the organisation’s stakeholders.
- Present a roadmap for continuous improvement and alignment between the internal security team and the Managed SOC provider.
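As an added example (not part of the engagement above or CyberCrowd's own tooling), the following Python scores a purple team exercise against the KPIs named in these steps: time taken to detect and respond to each simulated attack, the overall detection rate, and breaches of an assumed detection SLA. The scenario names, timestamps and the 30-minute SLA are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Optional


@dataclass
class Scenario:
    name: str                        # red team scenario run during the exercise
    executed_at: datetime            # when the red team carried out the action
    detected_at: Optional[datetime]  # first SOC alert or ticket; None if missed
    responded_at: Optional[datetime] # containment or escalation; None if none


def minutes_between(start: datetime, end: Optional[datetime]) -> Optional[float]:
    """Elapsed minutes, or None when the later event never happened."""
    return None if end is None else (end - start).total_seconds() / 60


def score_exercise(scenarios: list, detect_sla_minutes: float) -> dict:
    """Summarise detection coverage, MTTD, MTTR and SLA breaches for one exercise."""
    ttd = {s.name: minutes_between(s.executed_at, s.detected_at) for s in scenarios}
    ttr = {s.name: minutes_between(s.detected_at, s.responded_at)
           for s in scenarios if s.detected_at is not None}
    detected = [v for v in ttd.values() if v is not None]
    responded = [v for v in ttr.values() if v is not None]
    return {
        "scenarios": len(scenarios),
        "detected": len(detected),
        "detection_rate": len(detected) / len(scenarios),
        "missed": [n for n, v in ttd.items() if v is None],          # went under the radar
        "mttd_minutes": mean(detected) if detected else None,        # mean time to detect
        "mttr_minutes": mean(responded) if responded else None,      # mean time to respond
        "sla_breaches": [n for n, v in ttd.items() if v is not None and v > detect_sla_minutes],
    }


# Constructed exercise log for a one-day double-blind test (not real data).
T = lambda h, m: datetime(2024, 1, 15, h, m)
EXERCISE = [
    Scenario("social engineering: phishing email", T(9, 0), T(9, 12), T(9, 40)),
    Scenario("vulnerability scan from internal host", T(10, 0), T(10, 5), T(10, 50)),
    Scenario("penetration test: web application", T(11, 0), None, None),
    Scenario("penetration test: internal network", T(12, 0), T(13, 10), T(13, 30)),
]

if __name__ == "__main__":
    for key, value in score_exercise(EXERCISE, detect_sla_minutes=30).items():
        print(f"{key}: {value}")
```

The missed scenario and the SLA breach are exactly the findings the collaboration and feedback workshops would take forward as new detection rules or tuning.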
We are really excited about having Joel on board and expanding our service offering to formally cover purple team exercises. If you'd like to hear more about how this could help your organisation, or you would like to better understand how CyberCrowd can help, please contact us.