Purple Teaming



What is Purple Teaming?

Most companies regularly perform penetration tests. This is good practice because it gives insight into how a company’s network can be breached, from the outside as well as from within. Purple Teaming takes a penetration test or Red Teaming to the next level by closely integrating the Red (hackers) and Blue (defenders) teams, hence the name.

The hackers and defenders work closely together to improve the overall security of a customer’s network.

A normal penetration test is usually followed by an extensive report from the penetration testers detailing all findings and possible solutions. It then takes an organization several weeks or months to mitigate all the findings and improve its network security. In a Purple Teaming assignment, by contrast, the findings are mitigated by the blue team together with IT staff during the engagement.

The end result of a Purple Teaming assignment is a more secure network, improved network detection mechanisms and better trained IT security personnel.

How does it work?

During an assignment, the red team tries to identify weak spots in the network and abuse them to gain access to a company’s crown jewels such as sensitive business information. The actions performed by the red team are a bit like a regular penetration test. However, while discovering vulnerabilities the red team will communicate with the blue team to let them know what decisions have been made, what the current attack path is, and which exploits are used to gain access to specific parts of the network.

In the meantime, the blue team is hard at work using the customer’s existing network security and monitoring tools to detect the red team. In addition to using these existing tools, the blue team may also suggest implementing temporary new security measures, such as installing network probes or reconfiguring Windows Active Directory logging, to improve visibility. These tools will remain in place after the assignment. This means that the company being tested improves its network detection and incident response procedures as well.


In a Purple Teaming assignment, the hackers (penetration testers) work closely together with experienced defenders. These defenders then work with the customer’s IT Security team to improve the overall security posture of the network. Because of this collaboration, findings can be quickly mitigated, and the blue team can teach IT staff how to improve their network monitoring.

Furthermore, IT staff will learn to react to security incidents. As the red team hacks their way through a company’s network, the blue team will work with IT staff to improve their monitoring and react to servers and other machines getting hacked.

At the end of the assignment, a detailed report will be written. It will detail all steps taken by the red team to compromise the network, and the decisions and actions of the blue team to detect and mitigate the attacks. Vulnerabilities and mitigations that were not implemented during the test will be explained in detail so that the IT staff can resolve those as well. The end result is a more secure network and a better trained IT staff.

Contact us for more information.

DeepBlue Security & Intelligence
