Bottom Line Up Front: Purple Team engagements - with their focus on collaboration and shared outcomes - are great options to build up the skills of blue team defenders.
Let’s hit this right out of the gate: cybersecurity is not easy. Regardless of how talented your team is or how much you spend on technology, the odds are stacked against you in today’s cyber fight. No one is immune. And nothing drives that fact home more clearly than the recent SolarWinds breach that has impacted hundreds of organizations across the public and private sector. Many of those affected, including leading security firms, Fortune 500 companies, and large government departments, are well resourced and have sophisticated cyber defenses.
The reason for this lack of immunity is simple. Given enough time and motivation, cyber adversaries will find a way in, especially against a static defense. Couple that with the fact that security teams are overwhelmed by threats, alerts, and technology options, and the vulnerability of defenses to a breach becomes even clearer.
The risk is real for both large and mid-sized companies. Large companies have invested in technology and people which could lead to a false sense of security. Mid-sized companies, on the other hand, have grown just big enough to be on an attacker’s radar but may lack the maturity to have effective security programs in place.
So, what can you do about it?
GETTING PAST THE “US VS THEM” FEELINGS OF RED TEAM ENGAGEMENT
One approach is the often-used red team engagement, which provides a significant benefit when properly executed. But with defensive teams constantly under siege from actual threats, it is understandable when the presence of an outside vendor's red team creates contentious feelings within your security team, even if the engagement is directed by company leadership.
If you are getting the sense of there being another way, you nailed it. Indeed, there is.
The other way is going purple – a simplified notion of red and blue (offense and defense) melding together. Unlike red team engagements, where attackers take their best shot at blowing up your defenses, purple team engagements constructively collaborate with your blue team network defenders during scripted attack sequences. Communication and learning are the focus of a purple team, not a “game day” simulation of a real attack.
To use a football analogy, if red team engagements are the final scrimmage of fall camp, then purple team engagements are the practices that lead up to it. In our view at Pathfynder, this is a natural progression that small and mid-size companies should take. Build up your network defenders constructively through progressively challenging purple team engagements, then test them.
Just like a football coaching staff can’t expect the team to scrimmage well without walkthroughs and practices before a game, corporate leadership shouldn’t expect their defenses to be sharp without first building up the team’s capabilities and confidence.
Another benefit to this approach is that it eliminates the “us vs them” mentality that often comes with traditional red teaming. When IT leadership understands that the focus of purple teaming is collaboration and skill building, it becomes much easier to have productive and shared outcomes.
No one likes to be tested when they have not been provided the chance to fully prepare. Why should we ask those charged with defending our corporate networks to be any different?
GO PURPLE FOR A BETTER NETWORK DEFENSE
Because of their collaborative and instructive nature, purple team engagements can take one to two weeks longer to complete than red team assessments (plan for 3 to 4 weeks overall).
If your company is just starting to build its cyber capabilities, then it may be worth investing in a few purple team engagements before testing those newly formed skills with a full-on red team assessment. Or if you have established a red team assessment cadence, perhaps it is worth considering the purple team approach every now and then to get new feedback in the system.
Build the confidence and capabilities of your network security team with the constructive collaboration of purple team engagements. Again – just like any sport – getting quality practice reps in before a final scrimmage makes your team more game ready than simply tossing them in the fray and hoping for good results.
Pathfynder is a service-disabled veteran-owned small business with offices in Washington, D.C. and Bozeman, MT. Shaped by decades of US military and intelligence community experience, we provide cybersecurity expertise and solutions trusted by small and medium-sized businesses as well as Fortune 50 companies.