EXECUTIVE SUMMARY:
A purple team provides a critical lens through which organizations can see how to elevate their cyber security. But a purple team isn’t exactly what it sounds like…Here’s what to know about purple team responsibilities and incorporating a purple team into your security structure…
Purple team, what is it?
A purple team bring findings from red and blue teams together to test and improve an organization’s cyber security posture. The goal is to make the security testing process more efficient, effective and valuable.
The name ‘purple team’ is a bit misleading, as the purple team is not exactly an even mix of red and blue teams (in the way that the color purple arises due to a mix of red and blue paint).
Rather, a purple team aims to foster communication, collaboration and stronger security by uniting the reports and recommendations of the red and blue teams.
This enables everyone to focus efforts on areas of greatest impact to the business and fixes that will provide the greatest benefit.
Why a purple team is important
Cyber security exercises are structured in such a way where the red teams and blue teams do not usually communicate with one another. This is intentional and can help with effectiveness of red and blue team task execution.
The purple team provides overarching analyses of red and blue team findings. This enables an organization to identify and address security weaknesses that otherwise wouldn’t receive attention.
Advantages of purple teaming
As outlined above, purple teaming advances cyber prevention and defense capabilities. With a purple team, organizations can:
- Clearly see coverage gaps in existing security tools and pin-point misconfigurations.
- Advance network security by connecting the dots between targeted attacks and by improving breakout time.
- Encourage healthy competition among security staff and cultivate a cooperative security environment.
- Create continuous feedback mechanisms and knowledge sharing protocols between red and blue teams.
- Develop the maturity of the organization’s cyber security capabilities.
- Align goals and timelines for red and blue teams.
Red team vs. blue team vs. purple team
Red team: Red teams leverage real-world cyber attack methods to exploit vulnerabilities in a given organizations’ people, processes and technologies. The red team’s goal is to slip past all defenses, without the blue team noticing.
Red team members use phishing, social engineering, port scanning, vulnerability scanning and custom-made tools to access networks, escalate privileges and to breach an organization. After a simulated attack, red team members develop reports that include recommendations around how an organization can strengthen its security.
Blue team: The blue team must analyze enterprise systems, detect attacks and contain them. These overarching responsibilities include collecting network traffic and forensic data, monitoring networks and devices, performing data analyses, conducting vulnerability scans, running DNS audits and pursuing risk assessments.
Blue team members also create, configure and enforce firewalls, implement access controls, keep software patched and up-to-date, segment networks, conduct DDoS testing and develop response and remediation policies so that organizations can quickly resume regular operations post-attack.
As with red teams, after specific exercises are completed, blue teams create reports and make recommendations regarding how to better secure the organization.
Purple team: Purple teams enable organizations to measure detection and response capabilities in ways that reflect real-world potentialities and that allow for the elevation of cyber security preparedness levels. In other words, the purple team brings together red and blue team findings so that nothing goes unnoticed, unaddressed and under-secured.
The following table clarifies roles and responsibilities:
| Red Team | Blue Team | Purple Team | |
| Who | Cyber security offense (ethical hackers) who pretend to be cyber adversaries | Cyber security defense that aims to defend the organization from threats | A blend of offensive and defensive teams, this team unites endeavors |
| What | Hacks into an organization using the same tools, tactics and procedures that genuine hackers might use | Identifies, assesses and addresses a red team’s attack | The purple team both tests and defends an organization and its owned resources |
| Why | Exists to find gaps and vulnerabilities within an organization’s IT environment that cyber adversaries could exploit | Tests an organizations cyber security strategy and incident response playbook | Advances the overall cyber security posture of an organization by increasing security team alignment |
Should you have a purple team?
Ultimately, purple team testing enables organizations to reconsider whether or not the right security controls are in-place and whether or not they are delivering the desired outcomes. A purple team can assist organizations in determining where and how to expand or reconfigure incident prevention, detection and response capabilities.
With an effective purple team, combined with vulnerability management, and other security activities, the likelihood of a cyber attack recedes. If your organization wishes to undertake purple teaming, consider leveraging the related MITRE ATT&CK resources.
Lastly, discover more cyber security tips, get expert insights, and increase your personal cyber security – subscribe to the Cybertalk.org newsletter.
