CUNA News

‘Purple team’ approach boosts cybersecurity

Prepare for cyber attacks by researching how adversaries operate.

November 22, 2022
Brock Fritz
Dupaco Community Credit Union Information Security Manager Camilo Ruiz

Many organizations break down cybersecurity into red, blue, and intelligence teams. A purple team approach takes this a step further by combining the blue team’s defending capabilities, the red team’s attacking skills, and the intelligence team’s expertise to address cyber threats.

“Experts from the red, blue, and cyber threat intelligence teams work together to test, measure, and improve the defensive security posture,” says Camilo Ruiz, information security manager at $2.9 billion asset Dupaco Community Credit Union in Dubuque, Iowa, which implemented a purple team in October. “For Dupaco, the purple team is a security structure where all members work together with an offensive mindset that helps increase detection capabilities, lower response time, improve skills and processes, and use security tools to their maximum capabilities.”

Purple team exercises rely on adversary emulation, in which security teams reproduce how a real adversary operates. The goal is to identify the tactics, techniques, and procedures (TTPs) adversaries use in attacks around the world and to test whether the organization would notice them. This improves an organization’s resilience and detection capabilities.

“If we improve visibility and tune our tools to be alerted based on TTPs, we can learn more about the adversary,” Ruiz says. “Then we can make things more difficult for them. When you identify and understand the TTPs used, it’s hard for adversaries to change them. They need to rewrite their attack with new tactics, techniques, tools, methods, and procedures. Sometimes they look for an easier target. That’s the ultimate goal.”

Dupaco’s purple team, which should be fully implemented by summer 2023, uses SCYTHE's adversary emulation platform. SCYTHE offers a purple team framework and about 80 free, frequently used TTPs that organizations can examine to prepare for potential attacks.

A purple team uses those TTPs to see how adversaries attack around the world. The team selects specific TTPs, executes them in its own environment, and checks whether its security tooling alerts on the activity.

“We research what TTP we want to emulate, the team discusses the security controls and expectations, and we emulate the TTPs, putting them in the SCYTHE tool so we can execute that to whatever machine we want, as many times as we want,” Ruiz says. “We follow the process to detect and respond to the TTPs used. We document the results. If we get an alert from a tool, the purple team logs it and notes that an alert for that specific TTP was received.”

If a certain TTP doesn’t trigger an alert, the purple team researches why the security tools failed to generate an alert for the event. The team then tunes the tool or writes a detection rule so the TTP is caught in the future.

The purple team continues executing attacks to improve their cybersecurity resilience and response. They identify gaps and determine if they need another tool, or if they need to tune their current tools.

Dupaco’s purple team considers several questions when determining whether a purple team exercise was successful:

  • Are the security tools doing what the team wants?
  • Did the team receive an alert?
  • Was the TTP identified?
  • Do they have logs or any forensic artifact about the TTP?
  • What were the responses when they got the alert?
  • Was that response appropriate for that specific attack?

Ruiz adds that having a log for each specific TTP is crucial because, “If you execute a command, don't receive an alert, and don't have a log anywhere, you're blind. You don't know what’s happening.”
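The exercise loop described above (emulate a TTP, check for an alert, check for a log or forensic artifact, record the response, then tune) can be scored mechanically. The script below is an added example written for this article; it is not code from Dupaco or SCYTHE. It assumes the emulation tool records which host ran each TTP and when, and that SIEM alerts and endpoint telemetry can be exported as JSON lines. Every TTP identifier, host name, log line and field name in it is constructed; the status names map directly to the checklist questions and to Ruiz's "you're blind" case.

```python
"""Purple-team exercise scorecard (added example, not the article's or SCYTHE's code).

For each emulated TTP the script correlates alerts and endpoint telemetry by
host and by a time window after execution, then classifies the result:
  detected - an alert fired and a log/forensic artifact exists
  logged   - no alert, but telemetry exists (write or tune a detection)
  blind    - no alert and no log ("you're blind")
All identifiers, hosts, timestamps and log lines below are constructed.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass
class TTPRun:
    ttp_id: str        # exercise-local identifier (constructed, not a real catalogue ID)
    name: str
    host: str
    executed_at: str   # ISO-8601 UTC, as the emulation tool would record it


@dataclass
class Outcome:
    ttp: TTPRun
    alerts: List[dict] = field(default_factory=list)
    logs: List[dict] = field(default_factory=list)
    response: str = ""

    @property
    def status(self) -> str:
        if self.alerts and self.logs:
            return "detected"
        if self.logs:
            return "logged"
        return "blind"

    def next_action(self) -> str:
        if self.status == "detected":
            return ("review whether the response was appropriate for this TTP"
                    if self.response else "record the response taken, then review it")
        if self.status == "logged":
            return "write or tune a detection rule on the telemetry that already exists"
        return "fix logging/visibility for this TTP first, then build a detection"


# Constructed exercise plan: three TTPs run on one workstation
EXERCISE = [
    TTPRun("TTP-01", "persistence via scheduled task", "WS-FIN-07", "2023-01-10T09:02:00Z"),
    TTPRun("TTP-02", "credential access on endpoint", "WS-FIN-07", "2023-01-10T09:10:00Z"),
    TTPRun("TTP-03", "exfiltration over DNS", "WS-FIN-07", "2023-01-10T09:25:00Z"),
]

# Constructed SIEM alert export (JSON lines)
SIEM_ALERTS = """\
{"ts":"2023-01-10T09:02:31Z","rule":"New scheduled task created","host":"WS-FIN-07"}
{"ts":"2023-01-10T09:03:05Z","rule":"Unusual parent process","host":"WS-ACC-02"}
"""

# Constructed endpoint telemetry that reached the log platform (JSON lines)
ENDPOINT_LOGS = """\
{"ts":"2023-01-10T09:02:29Z","event":"process_create","host":"WS-FIN-07"}
{"ts":"2023-01-10T09:10:12Z","event":"process_access","host":"WS-FIN-07"}
"""

# Constructed record of what the responders did when an alert arrived
RESPONSES = {"TTP-01": "SOC isolated the host 12 minutes after the alert"}


def parse_jsonl(text: str) -> List[dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def in_window(event: dict, run: TTPRun, window: timedelta) -> bool:
    """Event counts for a run if it is on the same host and within `window` after execution."""
    start = _ts(run.executed_at)
    return event["host"] == run.host and start <= _ts(event["ts"]) <= start + window


def score_exercise(plan: List[TTPRun], alerts_text: str, logs_text: str,
                   responses: Dict[str, str], window_minutes: int = 5) -> Dict[str, Outcome]:
    alerts, logs = parse_jsonl(alerts_text), parse_jsonl(logs_text)
    window = timedelta(minutes=window_minutes)
    results: Dict[str, Outcome] = {}
    for run in plan:
        out = Outcome(run)
        out.alerts = [a for a in alerts if in_window(a, run, window)]
        out.logs = [l for l in logs if in_window(l, run, window)]
        out.response = responses.get(run.ttp_id, "")
        results[run.ttp_id] = out
    return results


def coverage(results: Dict[str, Outcome]) -> float:
    """Fraction of emulated TTPs that were both alerted on and logged."""
    detected = sum(1 for o in results.values() if o.status == "detected")
    return detected / len(results) if results else 0.0


if __name__ == "__main__":
    results = score_exercise(EXERCISE, SIEM_ALERTS, ENDPOINT_LOGS, RESPONSES)
    for tid, out in results.items():
        print(f"{tid} {out.ttp.name:<32} {out.status:<8} -> {out.next_action()}")
    print(f"detection coverage: {coverage(results):.0%}")
```

Correlating by host and time window rather than by a tag in the alert mirrors how a small team actually reconciles results: the SIEM does not know which TTP was running, so the purple team matches what it executed against what the tools saw. The "logged" and "blind" statuses are the two different gaps the article distinguishes: a detection rule can be written on top of existing telemetry, but a blind TTP needs a visibility fix before any rule will help.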

Dupaco’s purple team meets with SCYTHE each month to fine-tune the process. SCYTHE representatives tell Dupaco’s team to execute certain commands, then they meet to analyze the results.

However, credit unions don’t need to partner with security providers to develop a purple team framework.

Ruiz says purple teams can take many forms. Some common misconceptions about purple teams include:

  • Only big credit unions can implement a purple team.
  • Purple teams are only successful with expensive tools.
  • A purple team must consist of experts.
  • A world-class security program is only for big companies.

“You don’t need to have tens or hundreds of analysts, a blue team, a red team, or cyber-intelligence experts to implement a purple team,” Ruiz says. “You just need great security people interested in researching and understanding attacks. To start, you just need one TTP and a tool capable of receiving logs and generating alerts.”

© 2023 Credit Union National Association