A Guide to Purple Teaming: What, Why, Who, When & How 💜
Recently, I presented this topic to an audience of post-secondary students and I thought it might be valuable to share this content with a broader audience.
This information is based on my (and my team’s) experience building, operationalizing, and running a purple team program in a global enterprise. My hope is that this information is useful to the reader in understanding applicability, approach, engagement models, and value.
What is Purple Teaming?
At its most fundamental, Purple Teaming is the process of employing offensive and defensive skills to assess, analyze, and improve resilience to cyber attack. Improvements gleamed from these activities can be in people, process, or technology.
The process by which this outcome is realized can vary greatly, and we will cover some example engagement models shortly.
The key point to take away here is that purple teaming involves offensive and defensive skillsets working in active collaboration to drive improvement.
Who Exactly Is A Purple Team?
The purple team is a collective of team members that work in a variety of different functions within an organization. We call it a purple team because it includes red and blue teams — creative, right?
In some mature organizations, these individuals may be part of a dedicated purple team, where they work together in this collective on a continuous and full-time basis.
In most other organizations, the purple team is formed by seconding members from other teams for the duration of the activity. Once the purple teaming exercise is complete, the team members will return to their regular duties.
Given that readers are likely to be in the latter situation, I have written this post with that in mind.
The following are the groups of team members that generally comprise a purple team.
Team members that are skilled in appropriate offensive tradecraft; possessing abilities to execute a broad variety of Tactics, Techniques, and Procedures (TTPs), with strong situational awareness and operational security understanding. Most commonly, this group of team members is responsible for executing red team operations within the organization.
Team members that are skilled in security operations, incident response, threat intelligence, threat hunting, and security control configuration. They are generally the team members that actively protect the organization from real-world threats, although there may be some exceptions.
Optional team members that can be included to provide exercise steering, oversight, and / or learning opportunity. Being passive members of the purple team, they do not have a hands-on role during execution.
Why do Purple Teaming?
One of the core advantages to purple teaming is the significant reduction of time between identification of security weaknesses and action to remediate or mitigate. Shortening this timeframe ensures that increased resilience to offensive activity is realized as soon as possible, which is generally always desireable.
Purple teaming is also an effective method by which knowledge is transferred, skillsets are enhanced, and practical experience is gained.
As purple teams involve the active collaboration of red and blue teams, they open significant opportunity for these team members to educate, understand, and learn from each other. This mutual knowledge transfer creates more well rounded professionals, but equally as important, it helps to establish an atmosphere where all participants feel like they are part of the same team and working towards the same goals; increasing mutual understanding, empathy, and relationship building.
While collaborating and educating each other, participants will implicitly enhance their skillsets. Attackers will have a better appreciation for the capabilities, challenges, and constraints facing defenders. Defenders will have a more thorough understanding of offensive mindset, behaviour, and tactical execution trails.
Blue team participants have a unique opportunity to use their security controls, tool stack, processes, and procedures in their environment. They amass experience with the same tools, in the same environment, where a real attack may happen. This experience is more valuable than performing exercises in labs or environments that don’t mimic production tools and constraints. Tooling, process, and procedure deficiencies can also be improved upon before these problems are realized during a real attack.
Red team participants also gain a solid understanding of blue team detection strengths and weaknesses, allowing them to design future activities where insights can be gained in areas of known weakness. It’s worth noting here that there is some risk of the red team beginning to know too much about the environment and, as a result, having difficulty accurately emulating real-world threat actors. Rotation of red team members engaging on purple team exercises can help mitigate this risk, however the benefits of purple teaming generally outweigh this risk. Mitigations such as parallel reconstruction can also be used to avoid scenarios where red teamers take action simply because they know it is the safest.
When to Purple Team?
Most typically, a purple team program is the evolution of the services provided by the red team in an organization. Organizations often build red teams with the intent of executing purely covert Red Team Operations (RTO). While this works well at first, after a number of years, the value reaped from consistent use of just the Covert RTO engagement model becomes limited. This may be due to a number of factors, but here are some of the major ones I have seen in the past:
- The time it takes to remediate or mitigate many findings in the organization is generally longer than the iterative RTO exercise loop; resulting in similar attack path abuse and reducing value of subsequent exercises until findings are addressed.
- Many defensive teams do not have access to all detailed log data after an RTO concludes, making it more difficult to investigate the attack chain and engineer appropriate detection and protection capabilities.
- Due to the consistently competitive nature of covert RTOs, it is difficult to nurture fruitful relationships between offensive and defensive teams. While some competition is always healthy, a relationship based purely on competition is not nearly as fruitful as one based on mutual respect, trust, and feeling like everyone is on the same side and striving for the same outcomes.
Invariably, most internal red teams will move away from a covert-only RTO-only service model and expand to include additional services that provide more transparency to defenders and even encourage collaboration; overt red team operations, purple team exercises, analytical exercises, and so forth.
It’s also possible that your organization has just built a red team and they are looking to start engaging the blue team by way of purple teaming. This is certainly a way to build strong relationships and trust between offensive and defensive, but caution should be exercised to ensure that the red team also grows to deliver covert operations as soon as possible.
In summary, if you’ve been doing red team operations for some time and you feel your organiztion would benefit from new engagement models that provide unique value, encourage collaboration, and forge relationships; consider introducing purple teaming.
Why Not _______, Instead?
While there are other ways to engage these teams and provide value, purple teaming provides some genuinely novel advantages over alternatives. To be clear, purple teaming is not a replacement to other services a red team may deliver, but rather a complement to augment existing services and provide value using a different approach.
Covert Red Team Operations
These exercises are ideal for assessing organizational cyber resilience across people, process and technology, when under a simulated cyber attack. They provide a strong understanding of how the cyber security program will respond under real-world attack.
Covert RTOs involve the blue team from an incidental perspective; if a detection is made, activity is kicked off to respond. The blue team does not generally have a full understanding of the exercise until after it has concluded.
While Covert RTOs are absolutely valuable and I would never advocate for discontinuing these exercises, they do fall short in some areas where purple teaming does not:
- Incidentally involve the blue team
- Do little to encourage thorough knowledge transfer and cross skillset development
- May provide data to blue teams after detailed telemetry is no longer available
Overt Red Team Operations
If you aren’t familiar with an Overt RTO, the concept is quite simple; execution of an RTO but with members of the blue team riding along with the red team. This engagement model moves in the right direction, but the blue team is still not an active contributor to the exercise. This does allow them to engineer improvements inline, but it lacks in the knowledge transfer and relationship nurturing aspects.
How to Purple Team
Now that we have established a mutual understanding of of what purple teaming is, and why we may want to do it, we can cover the how.
Let’s take a look at the high-level anatomy of a typical purple team exercise. Some other engagement models will differ in anatomy and we’ll cover these shortly in the Engagement Models section.
During this phase, the team initiating the purple team exercise plans execution and outcome specifics with input from a variety of stakeholders. Purple team exercises can be initiated by the red team or the blue team.
Planning generally entails definition of the focus area and desired outcomes, selection of an engagement model, and creation of an execution plan. The execution plan details all involved parties and their respective responsibilities, as well as including an execution schedule that details activities, durations, and associated participants.
The execution plan is then distributed to all involved teams that will comprise the purple team. I recommend seeking agreement on the plan from all involved parties before initiating execution. This ensures that all participants have a clear understanding of their responsibilities, when they are needed, and how much time they will need to dedicate to the exercise; minimizing execution disruption and delay.
Almost all engagement models will require some level of preparation before moving to execution. Preparation is often on the red team side and may include:
- Collaboration with threat intelligence teams to provide insights on specific threat actor groups, campaigns, and associated TTPs
- Preparation of attack infrastructure and commercial / open source tooling to facilitate execution
- Development of custom tooling to facilitate execution of TTPs
The execute, analyze, and improve phases are cyclic. The process will repeat until all offensive actions have been executed, analyzed, and where possible, improvements made.
Execution generally concerns itself with the red team performing some kind of offensive action. This is generally broken down to a single or small set of associated actions; facilitating iterative analysis and improvement. Actions are generally executed on assets provisioned for the exercise, although this may differ depending on the engagement model,
To make this more concrete, the red team may execute actions related to Credential Dumping (T1003) on a Windows endpoint. This would generally involve the execution of one or more commercial, custom, or open source tools on a defined target endpoint.
All execution should be done in the production environment. Non-production environments are generally never configured to be identical to production with respect to configuration, control stack, and blue team visibility, process and procedures. With the exception of extenuating circumstances, all efforts should be made to avoid purple teaming in non-production environments.
Blue team members are generally present during the execution of these action(s). This provides an excellent opportunity for red team members to dive in to the details of the executed action(s); what they are doing, why an attacker may do something like this, what their next steps may be or what their previous steps may have been. This knowledge transfer helps the blue team understand offensive mindset more thoroughly, making them more effective at defending the organization.
This collaboration and knowledge transfer is a unique and compelling outcome of purple team exercises. As the teams work together instead of being on opposite sides, they form relationships between each other while also exchanging knowledge. Defenders learn more about attackers and vice versa. The importance of this collaboration and knowledge transfer cannot be overstated.
Throughout execution, discoveries may drive the desire or need to execute additional or unforeseen offensive actions. These should be included, provided that actions are aligned with exercise intent and timeframes / resource availabilities allow.
After the red team has completed execution of an action or set of actions, blue team members work to analyze security telemetry to determine whether there was successful detection, blocking, and / or automated response to the action(s). In some scenarios, the blue team may choose to exercise manual response activities to validate playbooks and increase operational experience. This analysis generally commences right after execution.
The red team should be present or, at least, made aware of the outcomes of this phase. This allows them to better understand blue team constraints, lack of visibility, strengths and weaknesses. This information can then be used as input to future activities, illuminating weaknesses or blind spots that may not otherwise be investigated. It also allows the red team to understand the challenges the blue team faces when trying to identify malicious activity at scale. This helps to drive empathy and understanding between red and blue teams, as team members begin to understand the challenges that each faces within their respective domains.
Analysis findings are socialized with all purple team members. This creates an opportunity for collective interpretation and determination on improvement opportunities.
If analysis indicates that there are opportunities to improve detection, protection, and / or response capability, some members of the blue team may begin working on these engineering efforts immediately or after the exercise has concluded. There is generally value in initiating detection and protection engineering immediately as it is convenient to validate the improvements given that teams and tools are immediately available to repeat the actions.
It is possible that some improvements require significant research, total redesign, or procurement of new tooling and solutions. As these insights aren’t items that we can tackled as part of the exercise, they are included in the exercise deliverables for socialization with senior and executive management; driving desired tactical change and positioning the organization to better defend itself from cyber attack.
Again, the red team (or any other team) may also be consulted or included during this phase.
After all actions have been executed, the outcomes of the exercise should be documented. This is generally a deliverable that details:
- Drivers for the purple team exercise and intended outcomes
- Observations that detail systemic issues, blind spots, and challenges that prevent the blue team from being optimally effective
- What was executed and the respective outcomes (detection, blocking, response)
- Improvements that have been made as a result of the exercise
- Improvements that require a longer duration to implement
This deliverable can be a traditional PDF report, a presentation, or some kind of interative application. Familiarity with the purple teaming at the executive, management, and participant levels will dictate the level of detail and depth that deliverables should document.
As purple teaming becomes an exercise that is familiar to various levels of seniority, there is will be less need to perform thorough and rigorous documentation. This is a win for all parties, as lighter documentation frees time availablility for hands-on-keyboard execution.
Regardless of the deliverable format, it should be authored by all members of the purple team. Specific sections will be written by the red team and others by the blue team, however the overall deliverable should be collaboratively assembled and peer reviewed, ensuring that all parties agree to the contents and feel fairly represented.
The socialization process involves showcasing the results of the purple team exercise to stakeholders and executives. This process can vary significantly based on organizational maturity and culture. Regardless of approach specifics, it is strongly recommended that all teams within the purple team have fair representation and speak to their components of the exercise.
As purple team exercises implicitly drive pragmatic change in the environment, they are a strong showcase of the capabilities that can be unlocked when offensive and defensive teams work together. For your executive audience, you are able to tell a story of discovery and improvement, while also informing them of strengths and weaknesses.
Findings that could not be addressed during the exercise, should be tracked in some medium that is accessible to all participants and management. This ensures that these insights aren’t lost.
Common Engagement Models
The following are some examples of purple teaming engagement models. These are absolutely not the only options; be creative and develop engagement models that work best for your teams.
This engagement model involves the simulation of an end-to-end attack campaign that is modelled after a real-world attack. Alternatively, the attack campaign may be entirely contrived or formed from specific threat actor group TTPs. Regardless, the general concept here is that the exercise contains an attack campaign that emulates TTPs throughout the kill chain.
The general workflow of this engagement model is very similar to the one we have previously defined, with the exception of performing threat intelligence collection and analysis.
Threat intelligence is collected in relation to the threat actor group and campaign of interest. This information is used to build an execution plan that will detail which TTPs are to be executed and, if applicable, in what order.
There may be a requirement for the red team to perform preparation work in these scenarios; likely involving the development of custom tooling to closely simulate specific threat actor loaders, implants, and other TTPs.
Your organization is a large retailer operating in North America. You are concerned that the threat actor group FIN7 may target your organization for financial gain. If you have access to commercial threat intelligence feeds, you will likely have convenient access to detailed reports that outline this threat actor groups previous attack campaigns, targets, and detailed TTPs. In mature organizations, there is likely a threat intelligence team that can curate this data for you. If you don’t have access to this kind of data, the MITRE ATT&CK framework has free data on prominent threat actor groups.
You can navigate to the FIN7 ATT&CK resource and read the references for detailed campaign information. After some understanding has been established with respect to previous activity, the MITRE ATT&CK group resource page can be used for insights on techniques that have previously been associated with the group. Even more conveniently, there are comments included with each technique explaining how the threat actor specifically used this technique, with references to original articles.
The FIN7 ATT&CK resource also details software that FIN7 is known to use. Some of this software is open source, some is commercial, and some is custom closed source. Depending on your organizations appetite for accurate simulation and internal capabilities, you may choose to develop custom software that attempts to accurately simulates FIN7 software.
The attack campaign articles, techniques, and software details can be used to build an execution plan that closely simulates the FIN7 threat actor group. You may choose to omit some TTPs due to a variety of constraints.
With a completed and agreed upon execution plan, the exercise can now flow in to the execution phase. This phase would be identical to the execution, analysis, and improvement phases previously defined.
Selective TTP Analysis
This engagement models eschews the notion of an end-to-end campaign in favor of selectively analyzing TTPs of interest.
A variety of participants can provide input that focuses the exercise. After focus has been determined, specific research can be performed to assemble related TTPs of interest. This may include reviewing threat intelligence data, public articles, previous red team operations, etc.
The following are some example focal areas:
- Attachment-based phishing attacks that focus on enticing a user to run a payload
- Lateral movement avenues on endpoints and servers
- Non-exploit based privilege escalation avenues on endpoints and servers
- Persistence avenues on endpoints and servers
- Blocking of malware that performs recursive file encryption
Once TTP research has been completed, the rest of this operating model follows a flow similar to the aforementioned high-level anatomy.
Less Common Engagement Models
The following are some examples of purple teaming engagement models that are less common. These may or may not provide value to you and your organization, but they are included to demonstrate the creative ways offensive and defensive teams can actively collaborate to make the organization safer.
An exploration based engagement model is similar to an overt red team operation, except that there is far more communication and discussion with the blue team.
In this engagement model, there are no rigidly defined schedules and execution plans. Instead, objectives are defined for the red team. These can be assembled through formal or informal threat modelling or alternative methods. With objectives defined, the red team can ideate on potential attack paths and plan accordingly.
Execution is entirely exploratory with the red team working towards achieving objectives while communicating with blue team members in near real-time; providing discussion opportunities to understand attacker mindset, tradecraft, etc. During this exploration, observing team members can provide input to guide the red team and cut down on time spent diggin in areas that are unlikely to be fruitful. As the red team operates in the environment, the blue team actively works to identify indicators activity and engineers improvements where appropriate.
This engagement model can be effective when assessing areas of the organization that are perhaps new to both the offensive and defensive teams. They are also effective in identifying creative alternative approaches.
Planted Attack Campaign
In this scenario, the red team plants an attack campaign in the environment. Generally, this would be an attack where initial access was gained, privilege was elevated, lateral movement was performed and some objective achievement was being performed. The idea here is to orchestrate an attack that looks to be well underway inside of the organization.
Once the attack has been planted by the red team, threat intelligence is crafted by the threat intelligence and red teams that details IOCs related to this fictitious threat actor group. The intelligence is then fed into the blue teams information feeds and acted upon.
As blue team members receive the intelligence, they will hunt for IOCs in the environment. Discovering some of the IOCs mentioned in the intelligence brief, they go through the process of uncovering, containing, and eradicating the attack from the environment. Red team members can assist with the hunting and response process to ensure the blue team is well supported.
This engagement model is interesting as it exercises a broad spectrum of the organizations defensive capabilities and provides the blue team with a full response, allowing them to flex their muscles and gain operational experience.
Blue team members may be made aware that the threat intelligence they are consuming is part of a purple team exercise, or not.
If you use the notion of purple teaming being an offensive and defensive collaboration that results in improved resilience to cyber attack, you will more or less always be doing this right. One of the strenghts of purple teaming is it’s malleability to fit engagement models that work for your teams and your organization.
Never hesitate to explore more ways to work together and learn from each other - everyone wins.