Summary
A purple team project simulates attacks (the red team role) while working alongside the organization's defenders (the blue team) to determine whether those attacks are detected or blocked by current controls, and then decides how best to rectify any gaps found.

Benefits
- Identifies where your controls work and where they do not, in a collaborative setting with immediate feedback between attackers and defenders.
- Improves relationships between internal parties who are used to external assessment teams coming in to play 'gotcha'.
- If you are using the MITRE ATT&CK framework elsewhere, this provides a useful measure of progress in your security program.
Process
Purple teaming is a collaborative exercise and usually takes one of two forms:
- Our team works with the client to simulate attacks using a variety of methods, chosen from our experience and the client's knowledge of what works and what doesn't in their environment.
- Testing uses the MITRE ATT&CK framework to provide the structure of the test. Systems are deployed that replicate a range of techniques from the framework, and ATT&CK is used as the measure (and basis for reporting) of the project.
In both cases, we work with the client to identify areas of concern and expected control responses, and to develop a testing schedule. Testing is then executed, results are analyzed and recommendations are provided.
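The following is an added illustration, not code from the original page or from the consultancy it describes, of how ATT&CK-structured results can serve as the measure and reporting basis described above: each test case records the response the client's controls were expected to give against what the blue team actually observed, and two rounds are compared to show progress. The technique IDs are real ATT&CK identifiers, but the outcomes, the four response levels and the ranking between them are constructed assumptions for this example.

```python
"""Score purple-team results against the MITRE ATT&CK techniques exercised.

Constructed example: the technique IDs are real ATT&CK identifiers, but the
outcomes below are made up for illustration.
"""
from dataclasses import dataclass

# Possible outcomes for one technique in one round of testing (assumed scale).
PREVENTED = "prevented"   # control blocked the action outright
DETECTED = "detected"     # action succeeded but an alert fired
LOGGED = "logged"         # telemetry exists, but no alert was raised
MISSED = "missed"         # no evidence the action happened

# Ordering used to decide whether the observed response met expectations.
_RANK = {MISSED: 0, LOGGED: 1, DETECTED: 2, PREVENTED: 3}


@dataclass(frozen=True)
class TestCase:
    technique: str      # ATT&CK technique ID, e.g. "T1059.001"
    name: str
    expected: str       # the response the client's controls are meant to give
    observed: str       # what the blue team actually saw during the test


def gaps(results):
    """Return the test cases whose observed response fell short of expected."""
    return [r for r in results if _RANK[r.observed] < _RANK[r.expected]]


def coverage(results):
    """Fraction of techniques that met or exceeded their expected response."""
    if not results:
        return 0.0
    met = len(results) - len(gaps(results))
    return met / len(results)


def progress(before, after):
    """Compare two rounds keyed by technique ID; returns (improved, regressed)."""
    prev = {r.technique: r for r in before}
    improved, regressed = [], []
    for r in after:
        old = prev.get(r.technique)
        if old is None:
            continue  # technique not tested in the earlier round
        if _RANK[r.observed] > _RANK[old.observed]:
            improved.append(r.technique)
        elif _RANK[r.observed] < _RANK[old.observed]:
            regressed.append(r.technique)
    return improved, regressed


# Constructed sample data: round one.
ROUND_1 = [
    TestCase("T1566.001", "Spearphishing Attachment", PREVENTED, PREVENTED),
    TestCase("T1059.001", "PowerShell", DETECTED, LOGGED),
    TestCase("T1053.005", "Scheduled Task", DETECTED, MISSED),
    TestCase("T1003.001", "LSASS Memory", PREVENTED, DETECTED),
    TestCase("T1021.002", "SMB/Windows Admin Shares", DETECTED, DETECTED),
]

# Constructed sample data: round two, after remediation work.
ROUND_2 = [
    TestCase("T1566.001", "Spearphishing Attachment", PREVENTED, PREVENTED),
    TestCase("T1059.001", "PowerShell", DETECTED, DETECTED),
    TestCase("T1053.005", "Scheduled Task", DETECTED, LOGGED),
    TestCase("T1003.001", "LSASS Memory", PREVENTED, PREVENTED),
    TestCase("T1021.002", "SMB/Windows Admin Shares", DETECTED, LOGGED),
]


def report(before, after):
    """Plain-text summary suitable for the findings section of a report."""
    lines = [f"Coverage: {coverage(before):.0%} -> {coverage(after):.0%}"]
    for g in gaps(after):
        lines.append(f"  GAP {g.technique} {g.name}: expected {g.expected}, observed {g.observed}")
    improved, regressed = progress(before, after)
    lines.append(f"  Improved: {', '.join(improved) or 'none'}")
    lines.append(f"  Regressed: {', '.join(regressed) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(ROUND_1, ROUND_2))
```

Scoring against the expected response rather than against "detected" alone matters: a technique the client intends to prevent outright is still a gap if it is merely detected, and a regression (here the SMB lateral movement case dropping from detected to logged) shows up in the round-over-round comparison even though overall coverage went up.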