Purple teaming is a blending of offensive actions (RED) and defensive detection and validation (BLUE). The overall goal of any offensive engagement is to improve the defensive stance of an organization’s security program. During a purple teaming exercise, the goal of the offensive team is to emulate specific threats in a way that is highly repeatable with minimal drift between executions. This allows for a highly collaborative approach where red and blue can work together to increase detection speed, alert resolution, and overall response time. As one of NuHarbor’s REDSEC operators Randy explains, “Purple teaming allows us to work with an organization to understand their threat model, recommend scenarios, or campaigns that fit the real-world threat, and then emulate them against the organization.” Purple Teaming enables an organization to get a different perspective into their defensive capabilities as well as their security procedures.
Purple Teaming vs. Penetration Testing
Traditional penetration testing looks to assess all potential vulnerabilities and other weaknesses within the scope defined. While this is valuable to an organization, what a traditional penetration test doesn’t do is provide the organization’s defensive team dedicated access with the attacker in order to replay attacks until they can properly detect, contain, and respond to them. When conducting a Purple Team, the organization will know what threats are going to be emulated and when the attack will come as well as against what specific systems or networks. Purple teaming allows the organization to work directly with the tester to monitor the response. In the event that the detection and response is not sufficient, the event can be replayed with minimal drift from the first attack. This gives the organization the ability to increase the alert resolutions as well as determine which logs are security relevant.
Purple teaming is significantly more focused than a traditional penetration test. Randy describes, “Let’s say I’m performing a traditional penetration test and I’ve got two weeks in your environment. I’ve got to provide complete coverage of the scope in order to identify as many exploitable paths into the organization that I can. When performing purple teaming I’m able to focus on what concerns the organization most, and work with the defenders to confirm they can identify and stop my actions.” By decreasing the scope and having a more focused engagement, the testers can work with the organization to ensure the correct detections are in place and the response timely. It also allows the blue team to work with the tester directly in order to gain efficacy. As Randy explains, “The goal is always to bring the most value to the organization.”
What's the Right Time for a Purple Team?
Purple teaming can be a good fit at any point in an organization security program. NuHarbor typically recommends engaging with your NuHarbor account executive to assess where your security budget will do the most work. Typically, organizations further along in security program maturity see a larger benefit to a purple team than ones who maybe are less mature. It is also important to understand that Purple Teaming does not replace traditional penetration test, as outlined above.
Randy is an experienced Offensive Operator with over 15 years of technical expertise in the Information Security space. Over the course of Randy’s career, he has developed and supervised penetration testing and red team operations for both private-sector and government clients. As a member of the U.S Army, Randy served in numerous technical roles within the Cyber Operations realm. When not helping clients discover their security shortcomings, Randy enjoys spending time with his family and coaching youth hockey.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.