This is the second in a series of blogs that describes the importance and inner workings of conducting Red and Purple Team exercises. Part 1 of this blog series gave an overview of how to properly conduct these drills. This blog examines the role Purple Teams play in an effective security testing strategy.
One of my favorite conversations with a client is when I take a call, and the first thing I hear when I ask how we can help is "We need a Red Team!" I love the enthusiasm; I love the fact that this client recognizes that security needs to be tested to ensure it's operating as advertised.
But while the client understands what the organization needs, there is a very important intermediate step that the organization must take before we can jump into a Red Team engagement.
Once upon a time, much earlier in my career, I would have skipped the Purple Team step. Instead, I would set up a time to visit, show up, use my skills to work over the client's security team, and think, "voilà, the Red Team performed!"
After testing a less mature organization, we would generate a 250-some-odd-page report that, in short, said not only did you "fail," but you have so many holes and flaws in your security plan that you probably don't have any idea where to start to fix the problem.
However, I quickly realized that this approach was unfair to the client. In reality, the organization in question knew it needed security help, so simply exposing all its flaws was not as helpful as I initially believed.
Revelations similar to mine were likely why infosec companies developed the Purple Team concept. Instead of lunging right in with an attack, we suggest starting the process with more of a controlled test, conducting some basic walk-throughs, and at first teaching rather than testing.
At Trustwave SpiderLabs, we think of security as a three-legged stool: Logical (computers, network, and infrastructure), Physical, and of course the human element, Social Engineering.
Less talked about, unfortunately, is the most important part of the analogy, the client, which our three legs support. Therefore, it is imperative that if a company truly wants to secure its data, then all three of the legs of this security stool are given equal attention.
Sure, your stool can balance on one or two legs for a short time, but sooner or later, it will inevitably fall, and when it does, the company comes crashing down.
Purple Team exercises are a controlled scrimmage, just like when your favorite sports team splits into two sides and they play each other. In these cases, the manager or coach will divide the team in a specific way. Sometimes the coach will swap players or mimic the other team's playing style or game plan. However, the one constant is the coaches. There is always a coach nearby, guiding the action and running certain plays, trying different things to put the team through its paces and make the team better overall.
In the case of a Purple Team security exercise, an organization splits its security team, with one side playing the role of attacker and the other defender. This situation differs from a true Red Team exercise, where the players on the attacking squad come from an outside security firm and play the role of threat actor.
A person from the organization's security team is designated as a "coach" and directs the Purple Team scrimmage.
The attackers (typically referred to as the Red Team) will begin a quiet attack on the defenders or Blue Team. If you remember back to art class in elementary school, you can see how the descriptor Purple Team is derived.
Let's play out a scenario. The Red Team attacks the unsuspecting Blue Team, which doesn't have any idea an attacker is in the system. No one notices anything, and everyone sits there. The Blue Team, in this case, just isn't up to the task and needs a bit of help.
So, to move things along, one of the coaches directs the Red Team to be "noisier" to test the threshold of the Blue Team. The Blue Team finally notices the unusual traffic and starts checking logs and doing its job.
Now that the Blue Team has caught up, one of the coaches informs the Red Team to change targets and attack something else to see how the Blue Team reacts to this new activity. Does the Blue Team detect the Red Team? Do they figure out someone is in their network, and can they follow them?
For this example, the result is not important, but the above scenario shows how these events are supposed to play out. At the end of the exercise, the Purple Team collaborates with the Blue and Red Teams as they learn from each other.
Purple Teams and the collaborative environment they create are vital to finding issues within a company's security setup using the personnel on hand. It gives all the team's players a chance to work together to help strengthen security and ultimately prepare the organization for that big game against a real attacker, where the gloves come off.
A Purple Team event is also necessary before an organization plunges ahead and sets up a Red Team exercise. As I found out earlier in my career, launching an intense Red Team event against an unprepared foe is not only unfair but, in the end, benefits nobody.
This is something to keep in mind when you are looking for an organization to partner with for a Red Team exercise. Don’t be pulled into an unfair situation where the results may not truly be indicative of your security team’s capabilities.
The Trustwave SpiderLabs Red Team is backed by our world-renowned research team. Our research team has access to billions of security events, multiple threat database feeds, and years of cumulative experience discovering zero-day vulnerabilities. Combined with our core Red Team, the research team assists in building bleeding-edge custom implants / RATs and various other toolsets.