In penetration tests and other cybersecurity risk assessments, the various participants are often assigned color names based on their roles. For example, the attackers in the engagement are called the red team, and the defenders are called the blue team.
A purple team combines aspects of both the red and the blue teams. Often, this involves increasing the collaboration and feedback between the offensive and defensive teams to better guide the engagement and ensure that the test comprehensively evaluates the target organization’s security.
Often, the red team and blue team in a test operate independently of one another. In fact, a blue team — which is often composed of an organization’s own security team — may be unaware that a test is taking place until the final retrospective.
The objective of the purple team is to improve the efficiency and effectiveness of the security testing process. By introducing opportunities for feedback and collaboration throughout the testing process, the offensive team can focus their efforts on where they will provide the most benefit, based on feedback from the defenders.
A purple team security test involves a greater level of communication and collaboration between the offensive and defensive teams than a traditional red team engagement, where the blue team may not be aware that an exercise is taking place. This increased collaboration can take a few different forms.
One option is to bring in a complete purple team from outside the organization. This single team can break into red and blue teams to perform the test, and members may even switch between teams during the engagement. This helps to keep the team’s skills sharp, and hands-on experience operating in both roles can build familiarity with the best ways to perform certain attacks and test defenses (red team) and the most effective way of protecting against them (blue team).
Another option is for the engagement to be structured in a way that allows more communication between the red and blue teams. For example, the assessment may be completed in stages with retrospectives and lessons learned performed between each stage. This way, each iteration of the attack can build on the lessons learned by both the offensive and defensive teams.
Often, when performing a security assessment, the red and blue teams are kept separate. This can help to improve the realism of the engagement because the blue team receives no hints about impending attacks that could affect their performance.
However, with a professional red and blue team, the synergy provided by a purple team exercise can dramatically improve the efficiency and effectiveness of an exercise. By communicating and collaborating, the two teams can identify and focus on areas that would benefit from further investigation and move past ones where further efforts would be wasted.
Purple teams get their name from the fact that purple is a combination of red and blue. A purple team will combine the offensive capabilities of the red team with the defensive ones of the blue team. A purple team engagement differs from one with a distinct red and blue team in the level of collaboration between the offensive and defensive teams during the engagement. In a red and blue team engagement, there is no collaboration until the end, while purple teams often collaborate throughout the exercise.
Both of these approaches have their advantages and disadvantages. For pure realism, a red and blue team engagement may be the better option. With no input from the red team — or knowledge that they exist at all — a blue team will respond to the simulated attacks like they would to a real one.
However, a purple team engagement benefits from the input of both the red and blue teams. With both perspectives and collaboration between them, the security test may identify issues that would be missed by a pure red vs. blue exercise.
Regular security testing is essential to ensure that an organization’s cybersecurity defenses are up to the task of preventing, detecting, and responding to cyber threats. With a constantly changing threat landscape, defenses that worked in the past may no longer be effective.
Cybersecurity testing — such as a purple team engagement — is an ideal way to evaluate how cyber defenses would stand up to a real-world attack. The offensive side of the assessment will emulate real-world threats and the security team — potentially augmented by blue team specialists — will see how well their defenses and processes stand up to the attack.
Purple team engagements are one of the services that Check Point offers as part of its portfolio of Professional Services. To learn more or schedule an assessment, contact us.