Foundations of Purple Teaming

AttackIQ course: Foundations of Purple Teaming by Ben Opel, approx. 1.5 hrs long

This training session introduces the state-of-the-art practice of purple teaming and its essential nature as the joint operation of red and blue teams. Students will learn the core concepts, workflows, activities, and artifacts underpinning purple team methodology and will finish the class able both to explain how its programmatic implementation is essential to a threat-informed defense strategy and to plan a foundational purple-team exercise in their own environment.

  1. Foundations of Purple Teaming - red and blue operating separately don't work well; the pace of threat is fast, and adversaries scale and automate quickly. Hence the need for purple teaming.

  • Threat-informed defense is a proactive approach to cybersecurity utilising (i) cyber threat intelligence analysis; (ii) defensive engagement of the threat; and (iii) focused sharing and collaboration

  • Makes the attacker's job harder: it maximizes the defender's advantage of controlling the shape of the terrain, denies the adversary easy wins, and requires the adversary to be circumspect and expend high-value capabilities to achieve their goals

  • MITRE ATT&CK framework for emulation

  • Emulation (Replicating the effects of a given technique by executing the actual process which produces them) vs Simulation (Replicating only the effects of a given technique)

  • Security Pipeline - The full set of technologies and processes which define an organization’s defenses from endpoint to border, inclusive of off-site, cloud, and other distributed assets.

  • Security Control - A policy, procedure, technology, or combination thereof which comprises protection against a corresponding threat or set of threats.

  • Gate - A defined point on the clock by which the blue team should have detected a red team action before being given hints or a debrief.

  • Trusted Agent - A senior or supervisory staff member who knows the exact details and timing of all Red Team emulations and acts to deconflict real-world and exercise events along with guiding exercise flow.

  • Hot Wash - An informal and candid discussion of an organization’s performance following execution of an exercise, training session, or other major event, conducted immediately upon the event’s completion.

  • Purple Teaming couples and coordinates red and blue to maximize the capabilities and impact of both. It aligns the blue team’s mission focus with relevant threats, allowing them to base defensive architectures on Business Critical needs. It applies “Red” thinking to carefully balanced and curated enterprises to show (not tell) stakeholders how their most critical capabilities can be compromised and give clear guidance on defending them.

  • Optimize relationship between adversary emulation and defense teams and capabilities

  • Start purple teaming:

(i) Stakeholder support - leadership at strategic, operational, and tactical levels in addition to the operators on the floor. A Director of Threat-Informed Defense (someone with experience in red, blue and intelligence functions) adjudicates exercise events and calls audibles to ensure safety and maximum ROI;

(ii) Plan a way to document execution - allow 1 month for planning: engage stakeholders and seek approval, conduct terrain and threat analysis, generate a solid emulation plan, and define exercise administration and sequencing for final approval. Orient to your organization and threat selection, e.g. who wants to disrupt your organization, and input this into ATT&CK Navigator. Map the emulation plan;

(iii) Some kind of blue team - dedicated defenders; and

(iv) Some kind of red capability - emulations run with relative safety and control, and someone experienced in red tactics

  • Frame a purple teaming program - start small, be agile, invest in the testing automation continuum, find/name an expert to own exercise/testing, and ask questions in the organization based on audience level, e.g. CISO: strategic goals & concerns; SOC Director: control gaps, procedural strengths and weaknesses; Threat Intel Lead: updated threat profile for the organization

2. Taking action with Purple Teaming

  • Who wants to hack me?

  • How might they do it?

  • Are my controls set up to stop it?

  • How can I emulate it and test them?

  • Get management understanding - purple teaming can maximize security program ROI by aligning controls to relevant threats and turning good mitigations into measurable, dashboard-able effects

  • Enhance enterprise defensibility - allow security teams more time to hunt

  • Solve systemic issues through programmatic implementation, e.g. collaboration across functions

  • Phase I: Understand the org's mission (value, competitors, geographic placements), understand your environment (IT architecture), know threats to the mission: terrain analysis (review the IT architecture and how it supports the organizational mission, prioritize assets; enable threat picture development and actor assessments by understanding probable attack paths and targets), threat selection (consider APTs/commodity malware/tools various actors are known to use and their capabilities), and know your controls (pipeline assessment)

  • Phase II Planning & Preparation:

(i) Scope the exercise - establish goals, establish emulation control measures (present risk to management for informed risk decisions; control measures such as lists of subnets, hosts, services), determine controls under evaluation

(ii) Set timing, sequencing, and flow control - set the schedule, establish a battle rhythm (daily tasks to make decisions for the next day; Exercise Control should lead debriefs of effects, detects, and protects at least twice daily with all do-ers in the room), and define emulation gates by technique (set time gates for the blue team to detect and action each effect; when a gate passes, advise the red team to move to the next step or provide threat intel to point blue in the right direction)

(iii) Empower trusted agents - identify and in-brief trusted agents (they have full knowledge of the exercise scenario) and establish deconfliction procedures (the exercise controller should have quick access to IT Ops tech)

(iv) Create the emulation plan - align emulations to controls, define success criteria, prepare a hint bank (for when the blue team is stumped; a blown gate has more training value, so keep the action moving with crafted threat intel notes)

  • Phase III Run it - execute the emulation plan, manage the ebb and flow, and exercise judgement

  • Phase IV Reporting & Remediation

(i) Debrief in detail and report (debrief and deliver the initial outbrief, produce audience-appropriate reports, e.g. technical reports).

(ii) Mitigate and revalidate control gaps - assess and enact mitigations (security architecture analysis, compensating controls to fix, a mitigation framework to describe and prioritize exercise output). Revalidate updated controls

(iii) Plan for future iterations - identify persistent gaps and level up the next exercise (find maximum ROI)
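As an added example (not part of the AttackIQ course material), the scorecard below models the Phase II artifacts above (controls under evaluation, per-technique time gates, hint-bank triggers) and the Phase IV output: it classifies each emulated step's gate as met, blown or missed, tallies results per control, and emits a minimal ATT&CK Navigator layer for the debrief. Technique IDs, control names and timestamps are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class EmulationStep:
    technique_id: str              # ATT&CK technique being emulated
    control: str                   # control under evaluation (Phase II, i)
    gate_minutes: int              # time gate for blue to detect it (Phase II, ii)
    executed_at: datetime          # when red produced the effect
    detected_at: Optional[datetime] = None  # first blue detection; None = never


def gate_result(step: EmulationStep) -> str:
    """'met' inside the gate, 'blown' if detected after it, 'missed' if never detected."""
    if step.detected_at is None:
        return "missed"
    deadline = step.executed_at + timedelta(minutes=step.gate_minutes)
    return "met" if step.detected_at <= deadline else "blown"


def scorecard(steps):
    """Per-control tally; blown/missed rows trigger hint-bank notes and feed Phase IV."""
    out = {}
    for s in steps:
        row = out.setdefault(s.control, {"met": 0, "blown": 0, "missed": 0})
        row[gate_result(s)] += 1
    return out


def navigator_layer(steps, name="purple-team exercise"):
    """Minimal Navigator layer colouring techniques by gate result (a full layer also
    carries a 'versions' block matching the Navigator release in use)."""
    colour = {"met": "#8ec843", "blown": "#ffe766", "missed": "#ff6666"}
    return {"name": name, "domain": "enterprise-attack",
            "techniques": [{"techniqueID": s.technique_id,
                            "color": colour[gate_result(s)],
                            "comment": f"{s.control}: gate {gate_result(s)}"}
                           for s in steps]}


def sample_steps():
    """Constructed exercise data: three emulated techniques against three controls."""
    t0 = datetime(2024, 1, 15, 9, 0)
    return [
        EmulationStep("T1059.001", "EDR script-block logging", 30, t0, t0 + timedelta(minutes=12)),
        EmulationStep("T1003.001", "Credential-dump alerting", 15, t0 + timedelta(hours=1),
                      t0 + timedelta(hours=1, minutes=40)),
        EmulationStep("T1021.002", "Lateral-movement detection", 60, t0 + timedelta(hours=2), None),
    ]
```

Feed the real red execution log and SOC alert timestamps in place of `sample_steps()` to produce the same scorecard for an actual exercise.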
