
Purple teaming gets its name from the combined effort of both the blue (defensive) and red (offensive) teams

Here at JUMPSEC, we are huge advocates of the value of purple teaming, and so are our clients, so we wanted to clarify what a purple team really is and some of the advantages it has.

To understand a purple team, you need to understand its two constituent parts: the blue team and the red team. The blue team is the defensive security team, typically in-house or a managed service provider. The red team is the offensive security team, typically a consultancy, though sometimes in-house as well.

With a purple team engagement, our red team and your blue team work collaboratively towards a common goal. Our expert red teamers sit alongside your blue teamers and recreate the actions of a motivated attacker. After every attack, we review how it fared in terms of alerting, detecting, and preventing. First and foremost, we can cover several attack paths to your critical assets, not just the path of least resistance.

Additionally, when we are not concerned about getting detected or burned, we can simulate adversaries across all levels of sophistication, not just the most sophisticated.

Most importantly, though, we give your staff the opportunity to sharpen their skill sets and their tools before a real breach takes place. Here at JUMPSEC we have a blueprint for purple teaming, and we think it works quite well.

Phase one

A threat modelling session, in which we map out your infrastructure, understand your business, and understand your current security controls as well as your greatest security concerns.

Phase two

A threat intelligence phase. This is where we build a profile of the threat groups most likely to target an organisation like yours, and make sure that we can mimic their behaviour later on in the engagement.

Phase three

Where we go away and create the test cases that we and you believe to be of paramount importance.

Phase four

Execution, in which each test case is executed, time-stamped, and discussed with the blue team. Here, we are looking to judge the ability to detect, alert on, and prevent each of these attacks. In this way, each individual test case becomes its own learning opportunity.
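As an added illustration of phase four (example code written for this page, not JUMPSEC's own tooling), the script below keeps a time-stamped ledger of executed test cases with the blue team's detect/alert/prevent verdicts, classifies each into an outcome, and orders the open items so the review discussion starts with the worst visibility gaps. The ledger rows, field names and test-case names are constructed assumptions for the example.

```python
from datetime import datetime

# Constructed sample ledger (assumed field names, not JUMPSEC's format):
# one row per executed test case, stamped at execution time, with the
# blue team's verdict on whether it was detected, alerted on, and prevented.
LEDGER = [
    {"id": "TC-01", "name": "Phishing email with macro attachment",
     "executed": "2024-03-04T09:12:00Z", "detected": True, "alerted": True, "prevented": True},
    {"id": "TC-02", "name": "Credential dumping from process memory",
     "executed": "2024-03-04T10:40:00Z", "detected": True, "alerted": True, "prevented": False},
    {"id": "TC-03", "name": "Lateral movement via remote service creation",
     "executed": "2024-03-04T11:05:00Z", "detected": True, "alerted": False, "prevented": False},
    {"id": "TC-04", "name": "Data staging and exfiltration over HTTPS",
     "executed": "2024-03-04T13:30:00Z", "detected": False, "alerted": False, "prevented": False},
]


def classify(case):
    """Collapse the three verdicts into one outcome label for the review discussion."""
    if case["prevented"]:
        return "prevented"
    if case["alerted"]:
        return "alerted"          # seen and surfaced to an analyst, but not stopped
    if case["detected"]:
        return "telemetry-only"   # logs exist but no alert fired: a detection-rule gap
    return "blind-spot"           # no logs at all: a visibility gap


def coverage_summary(ledger):
    """Count test cases per outcome, validating each execution time-stamp on the way."""
    counts = {"prevented": 0, "alerted": 0, "telemetry-only": 0, "blind-spot": 0}
    for case in ledger:
        datetime.strptime(case["executed"], "%Y-%m-%dT%H:%M:%SZ")  # raises on a malformed stamp
        counts[classify(case)] += 1
    return counts


def remediation_backlog(ledger):
    """Order open test cases so blind spots come first, then rule gaps, then unprevented alerts."""
    priority = {"blind-spot": 0, "telemetry-only": 1, "alerted": 2}
    open_items = [c for c in ledger if classify(c) != "prevented"]
    open_items.sort(key=lambda c: (priority[classify(c)], c["executed"]))
    return [c["id"] for c in open_items]


if __name__ == "__main__":
    print(coverage_summary(LEDGER))
    print(remediation_backlog(LEDGER))
```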