Red teams are critical for maturing security programs. Whether operated by third-party consultants or an internal capability, these assessments offer a robust offensive perspective to help your cybersecurity team plug tactical gaps and rethink their strategic approach. But while red teaming is on the rise, most organizations stand to reap more benefits by adopting a purple team approach.
A purple team approach merges efforts between your defensive (blue) and offensive (red) teams. Purple team exercises are most effective when they focus on existing workflows. Enabling direct collaboration offers a much more rapid feedback loop between red and blue teams than traditional assessments, yielding more robust outcomes and defensive capabilities. Some of the strongest leverage points for a purple team effort include:
Fusing the efforts of red, intel, hunt, incident response, and detection teams enables analysts to cross-train, collaborate, and eventually respond more effectively during an incident. It is important to break apart the functions and the processes each team follows to find out how you can integrate them.
Beyond the immediate benefit of sharper findings from red team efforts, purple teaming synergies can ease, or even resolve, common challenges faced by most cybersecurity programs.
Implementing a purple team approach does not come without challenges, and it is important to keep an eye out for them. Commonly, different teams want to be able to find the answers on their own, even when they have other teams at their disposal. Think back to a recent incident and consider how much more efficient it would have been to get a red teamer's perspective, or, more specifically, think about how you approached the SolarWinds incident and who took responsibility for each action. Would you change what team members did, and were there team members duplicating efforts?
A specific workflow to consider would be detection research and development. A detection team working in isolation may feel confident in signatures or rules that did not account for practical variations of attacks that are commonly known to red teams, or for behavioral variations known to intel teams, or perhaps miss a more effective detection vector known to the engineering team. These are great examples of leverage points for team ‘fusion’ meetings because they are all trivially identifiable with the right set of eyes.
In conclusion, properly leveraging your teams is not easy, especially for organizations that do not have those capabilities in-house. The outcomes are there, however, and many organizations should look for fusion opportunities in their security teams. Through these activities you can note where a given team could have added value before it was brought into play, and leverage external teams as needed.
If you are interested in building or maturing your team to take advantage of purple teaming in existing processes and to create fusion between all teams, sign up for my session at the SANS Purple Team Summit on May 25 at 12:25pm Eastern. Registration is free: https://bit.ly/2QiuYas. You can also reach out to me or any of our MOXFIVE Technical Advisors at email@example.com or through our website at www.moxfive.com/contact.
Michael is a Director of Technical Advisory Services at MOXFIVE, where he provides strategic advisory services and solutions to large enterprises during and after impactful incidents. He holds a Master's degree in Cyber Security and is accredited through SANS for the GCFA, GCIA, and GOSI certifications. He has a wide range of experience, from building and managing global Security Operation Centers to Threat Hunting Teams, DevOps Teams, and Infrastructure Teams.