Purple teaming is a collaborative adversary simulation testing exercise that involves your defensive security team (blue team) combating simulated attacks from an offensive security team (red team). In a purple team test, the blue team is aware of the threat scenario and may collaborate with and receive updates and guidance from the red team before, during and after the exercise. This type of testing differs from red team testing, where the blue team is unaware that an offensive exercise is running until it ends, culminating with a post-test washup and report.
Red teams vs blue teams vs purple teams
| | Red Team | Blue Team | Purple Team |
|---|---|---|---|
| Goal | Attack organisational assets in a capture-the-flag or goal-oriented adversary simulation test. | Defend the organisation against security attacks. | Red and blue team members working together during an adversary simulation test. |
| Prior knowledge of test exercise | Yes | N/A | Yes |
| The team | Typically outsourced | In-house cybersecurity team, possibly supported by a 3rd party (e.g. MDR) | Typically a mixture of in-house (blue team) and outsourced (red team) |
| Planning involvement | Secret planning involving the red team and the upper management of the blue team. | No | Collaborative, involving both the red team and the blue team, possibly based on known identified threat actors. |
Purple team objectives
Test security defences
As with all adversary simulation testing techniques, the main objective of purple teaming is to test the defences of an organisation’s people, processes, and technology in practice. Purple teaming specifically tests the capabilities of your in-house blue team.
Knowledge-sharing
Knowledge-sharing is a central objective in purple teaming. Rather than blind testing followed by a post-exercise wash-up, as is conducted in red teaming, the blue team takes part in knowledge-sharing throughout the purple teaming process.
The purple teaming process
Planning phase
The planning phase involves both teams and their security managers working together to define the objectives of the exercise and the assets of interest, the threat scenario, what the blue team will and will not know in advance, the rules or constraints placed on the red team, and who will be involved from both sides.
Live exercise
Purple team exercises vary with the goals of the exercise and with the level of engagement of the blue team. In the best case, a purple team exercise is an iterative process.
During the exercise, the red team runs a series of test cases and immediately verifies with the blue team whether each technique was detected. If it was not, the blue team can rapidly develop a detection and ask the red team to re-run the test case. Conversely, if it was detected, the red team can attempt to evade the detection, re-run the test, and again ask the blue team whether it was detected. This collaborative, iterative process can deliver strong security outcomes for the defensive team.
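As an added illustration (not code from the original article), the following Python model captures the loop just described: the red team runs test cases, the blue team checks each one against its detection rules, writes rules for the misses, and the cases are re-run; the technique labels, log lines and rules are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Constructed log lines standing in for the telemetry each red-team test case
# would generate; the technique labels are illustrative, not a real test plan.
TEST_CASES = {
    "T1-encoded-command": "proc_start host=ws01 cmd='powershell.exe -enc AAAA'",
    "T2-new-local-admin": "event=4732 host=ws01 group='Administrators' member='svc_tmp'",
    "T3-scheduled-task": "proc_start host=ws01 cmd='schtasks.exe /create /tn upd /sc minute'",
}

@dataclass
class Exercise:
    """State shared by both teams during the live exercise."""
    rules: dict[str, re.Pattern] = field(default_factory=dict)
    history: list[tuple[int, str, bool]] = field(default_factory=list)  # (round, case, detected)
    round_no: int = 0

    def detect(self, log_line: str) -> list[str]:
        """Blue-team detection: names of the rules that fire on one log line."""
        return [name for name, rx in self.rules.items() if rx.search(log_line)]

    def run_round(self, cases: dict[str, str]) -> dict[str, bool]:
        """Red team runs every test case; each result is verified with the blue team at once."""
        self.round_no += 1
        results = {}
        for case, line in cases.items():
            hit = bool(self.detect(line))
            results[case] = hit
            self.history.append((self.round_no, case, hit))
        return results

    def add_rule(self, name: str, pattern: str) -> None:
        """Blue team develops a detection for a missed case before asking for a re-run."""
        self.rules[name] = re.compile(pattern, re.IGNORECASE)

    def assessment(self) -> dict[str, int | None]:
        """Post-exercise view: first round in which each case was detected (None = never)."""
        first: dict[str, int | None] = {}
        for rnd, case, hit in self.history:
            first.setdefault(case, None)
            if hit and first[case] is None:
                first[case] = rnd
        return first

def run_example() -> Exercise:
    ex = Exercise()
    ex.add_rule("encoded_powershell", r"powershell\.exe\s.*-enc\b")
    missed = [c for c, hit in ex.run_round(TEST_CASES).items() if not hit]  # round 1: only T1 caught
    if "T2-new-local-admin" in missed:   # blue team writes rules from the telemetry it just saw
        ex.add_rule("local_admin_added", r"event=4732 .*group='Administrators'")
    if "T3-scheduled-task" in missed:
        ex.add_rule("schtasks_create", r"schtasks\.exe\s+/create")
    ex.run_round(TEST_CASES)             # round 2: re-run of the same cases
    return ex
```

The `assessment()` output is the raw material for the detailed assessment discussed later: which techniques were caught immediately, which only after a detection was written, and which never.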
Post-exercise debrief
Once the exercise has concluded, one or more full feedback sessions with the blue and red teams can take place. These include a wrap-up of what went well and what did not, plus tips and strategies for real-world scenarios. The teams then produce a collaborative report for all stakeholders.
The benefits of purple teaming
Experience real-world attack scenarios
Rather than waiting for a real-world attack to see how security teams respond, purple teaming offers the experience of an attack while maintaining safety across the organisation.
Continuous learning and iterative improvement
With an engaged blue team, the iterative testing process can give your organisation better security outcomes, and faster, than simply implementing the recommendations of a report delivered at the end of the engagement. In addition, the collaborative environment is a valuable learning opportunity for less experienced blue team members, who are able to see attacks in action and gain a better understanding of how they work.
Detailed assessment
Purple teaming can produce detailed collaborative assessments of how your organisation stood up to various real-world attack techniques. This assessment can help determine whether your team's skills, processes, and technology need upgrading, or whether their security maturity is already high.
How Tesserent can help
By working with your cybersecurity team, a Tesserent purple team engagement will give your organisation a detailed understanding of how a threat actor is likely to attack you, your current ability to repel the attack, and immediate actionable advice to ensure the ongoing protection of your information and system assets.
Written by Richard Smith