Many organizations break down cybersecurity into red, blue, and intelligence teams. A purple team approach takes this a step further by combining the blue team’s defending capabilities, the red team’s attacking skills, and the intelligence team’s expertise to address cyber threats.
“Experts from the red, blue, and cyber threat intelligence teams work together to test, measure, and improve the defensive security posture,” says Camilo Ruiz, information security manager at $2.9 billion asset Dupaco Community Credit Union in Dubuque, Iowa, which implemented a purple team in October. “For Dupaco, the purple team is a security structure where all members work together with an offensive mindset that helps increase detection capabilities, lower response time, improve skills and processes, and use security tools to their maximum capabilities.”
Purple team exercises rely on adversary emulation, in which security teams study how a real adversary operates and reproduce that behavior in their own environment. The goal is to identify the tactics, techniques, and procedures (TTPs) adversaries use in attacks around the world. This improves an organization’s resilience and detection capabilities.
“If we improve visibility and tune our tools to be alerted based on TTPs, we can learn more about the adversary,” Ruiz says. “Then we can make things more difficult for them. When you identify and understand the TTPs used, it’s hard for adversaries to change them. They need to rewrite their attack with new tactics, techniques, tools, methods, and procedures. Sometimes they look for an easier target. That’s the ultimate goal.”
Dupaco’s purple team, which should be fully implemented by summer 2023, uses SCYTHE’s adversary emulation platform. SCYTHE offers a purple team framework and has about 80 free frequently used TTPs organizations can examine to prepare for potential attacks.
A purple team uses those TTPs to see how adversaries attack around the world. They can select specific TTPs, execute the attack in their own environment, and see whether their security tools alert them to the attack.
“We research what TTP we want to emulate, the team discusses the security controls and expectations, and we emulate the TTPs, putting them in the SCYTHE tool so we can execute that to whatever machine we want, as many times as we want,” Ruiz says. “We follow the process to detect and respond to the TTPs used. We document the results. If we get an alert from a tool, the purple team logs it and notes that an alert for that specific TTP was received.”
If a certain TTP doesn’t trigger an alert, the purple team researches why the security tools failed to generate an alert for the event. They then tune the tool or write a detection rule so it alerts in the future.
The purple team continues executing attacks to improve their cybersecurity resilience and response. They identify gaps and determine if they need another tool, or if they need to tune their current tools.
Dupaco’s purple team considers several questions when determining whether a purple team exercise was successful:
Ruiz adds that having a log for each specific TTP is crucial because, “If you execute a command, don’t receive an alert, and don’t have a log anywhere, you’re blind. You don’t know what’s happening.”
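As an added example (not code from the article, Dupaco, or SCYTHE), the script below classifies each emulated TTP into the three outcomes the process above distinguishes: an alert was received, a log exists but no alert fired, or nothing was logged at all. The emulation records, log lines, and alerts are constructed sample data, and the function names and the five-minute attribution window are assumptions.

```python
from datetime import datetime, timedelta

# Telemetry produced this long after the emulation ran is attributed to it (assumed value).
WINDOW = timedelta(minutes=5)

# Constructed sample exercise: three emulated TTPs (MITRE ATT&CK IDs), each
# with the host it ran on and the artifact a log line should contain.
EMULATIONS = [
    {"ttp": "T1059.001", "host": "ws-17", "ran_at": "2023-03-01T10:00:00", "evidence": "powershell.exe"},
    {"ttp": "T1003.001", "host": "ws-17", "ran_at": "2023-03-01T10:20:00", "evidence": "lsass.exe"},
    {"ttp": "T1053.005", "host": "srv-02", "ran_at": "2023-03-01T10:40:00", "evidence": "schtasks.exe"},
]
# Constructed telemetry: what the log collector and the alerting tool recorded.
LOGS = [
    {"host": "ws-17", "at": "2023-03-01T10:00:03", "message": "process created: powershell.exe"},
    {"host": "ws-17", "at": "2023-03-01T10:20:02", "message": "process access: target lsass.exe"},
]
ALERTS = [
    {"host": "ws-17", "at": "2023-03-01T10:00:05", "rule": "Suspicious PowerShell execution"},
    {"host": "srv-02", "at": "2023-03-01T09:00:00", "rule": "Stale alert, outside any window"},
]

def _in_window(ts, start):
    """True if the ISO timestamp ts falls within WINDOW after start."""
    t = datetime.fromisoformat(ts)
    return start <= t <= start + WINDOW

def classify(emulation, logs, alerts):
    """Return (outcome, next_action) for one emulated TTP.

    alerted         -> detection worked; record it in the TTP log
    logged_no_alert -> telemetry exists, so write or tune a detection rule
    blind           -> nothing reached the collector; fix visibility first
    """
    start = datetime.fromisoformat(emulation["ran_at"])
    host = emulation["host"]
    if any(a["host"] == host and _in_window(a["at"], start) for a in alerts):
        return "alerted", "document the alert and measure response time"
    if any(l["host"] == host and emulation["evidence"] in l["message"]
           and _in_window(l["at"], start) for l in logs):
        return "logged_no_alert", "write a detection rule for this TTP"
    return "blind", "fix telemetry: no log for this host in the window"

def run_exercise(emulations, logs, alerts):
    """Classify every emulation; space emulations on one host more than WINDOW apart."""
    return {e["ttp"]: classify(e, logs, alerts) for e in emulations}

if __name__ == "__main__":
    for ttp, (outcome, action) in run_exercise(EMULATIONS, LOGS, ALERTS).items():
        print(f"{ttp}: {outcome} -> {action}")
```

Each "blind" result is the situation Ruiz describes: the command ran, but no log or alert exists to show it, so visibility has to be fixed before any detection rule can be written.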
Dupaco’s purple team meets with SCYTHE each month to fine-tune the process. SCYTHE representatives tell Dupaco’s team to execute certain commands, then they meet to analyze the results.
However, credit unions don’t need to partner with security providers to develop a purple team framework.
Ruiz says purple teams can take many forms. Some common misconceptions about purple teams include:
“You don’t need to have tens or hundreds of analysts, a blue team, a red team, or cyber-intelligence experts to implement a purple team,” Ruiz says. “You just need great security people interested in researching and understanding attacks. To start, you just need one TTP and a tool capable of receiving logs and generating alerts.”