In this comprehensive guide, our team of ethical hackers dive into the nuances of Purple Team security assessments, their relation to traditional penetration testing, and the unique security benefits Purple Teaming can provide.
The takeaway? A solid understanding of the activities, methodologies, and benefits of the Packetlabs Purple Team assessment service offering, what you should expect from a Purple Team engagement, and cybersecurity statistics and information specially gathered to increase your understanding of the assessment process.
Let’s get started:
This guide will benefit an organization’s leaders, such as CEOs, CTOs, and CISOs, as well as other senior team leaders, including, but not limited to, security engineers, network engineers, and administrators.
There are a few key indicators that a team is ready for a purple team engagement:
Has implemented an enterprise SIEM and/or SOAR solution
Understands the limitations of its current security products
Ingests logs according to industry best practices
When it comes to the question of “What is Purple Teaming?” the definition is more nuanced than some expect. Like many of the terms in the industry such as Red Teaming, threat hunting, and adversary simulations, Purple Teaming is an abstract concept. Here are a few examples:
Coursera: “[Purple Teaming is] a collaborative approach to cybersecurity that brings together red and blue teams to test and improve an organization’s security posture.”
SANS SEC699: “In true purple fashion, the goal of [their Purple Teaming course] is to educate students on how adversarial techniques can be emulated (manual and automated) and detected (use cases/rules and anomaly-based detection).”
GitLab: “[Purple Teaming assessments are used to] better understand our organization’s ability to detect and respond to real-world attacks.”
Although, at first glance, these definitions may appear different–and indeed do focus on different aspects of Purple Teaming security assessments–there are four connecting threads that tie them together:
Collaboration between Red Teams and Blue Teams to combine an organization’s cybersecurity offense and defense
An emphasis on a better understanding of a wide range of adversaries
A focus on the self-evaluation of an organization’s existing security posture
The bolstering of security posture via preventative controls, detective controls, and response procedures
The "Purple" part of Purple Teaming refers to how engagements leverage communication and collaboration between offensive cybersecurity experts (the "Red Team") and defensive IT security professionals (the "Blue Team"). If an organization does not have a Red Team of its own, Purple Teaming supplies the fundamental understanding of attack techniques that detections cannot be built without.
Purple Teaming's collaborative approach supports Blue Team skill development and ensures that defenders gain the insight and experience they need to detect sophisticated adversarial tradecraft. Purple Team assessments therefore provide the direct skill transfer a Blue Team needs to successfully detect unauthorized activity within a network. A concise working definition: Purple Teaming is “the evaluation of security control efficacy through atomic testing using deliberately selected test cases.”
When it comes to Purple Teaming security assessments, there are a number of common cybersecurity concerns and questions that they address, and they all largely have to do with security investment. Below are two common examples:
“How do I know that the security product (e.g. EDR) that I have invested in would actually increase the security of my organization?”
"I have a security team that has spent effort building alerts and detections; how would I know whether these alerts would actually trigger if an attack really happened in our environment?"
As a result, a common request we have from our customers is for a Red Team or a penetration test to validate the quality of the organization’s security investment.
Traditionally, penetration tests and Red Team exercises have been used to address this problem. Red Teaming is the exercise of building a coherent attack path from point A to point B, while a penetration test aims at finding and exploiting vulnerabilities in a target system, often leveraging the lowest-hanging fruit to obtain a foothold. Neither approach adequately answers the two questions above.
A detection is a prediction of one particular variation that the defenders expect an attacker to use. A triggered alert therefore does not by itself show that a specific control or security product is working adequately, because most attackers run only a single variation of an attack to produce impact. One good example came during the debrief of a Red Team exercise: a client decided to upgrade their SIEM with a content package marketed as detecting the popular Active Directory reconnaissance tool BloodHound. On closer investigation, the package only detected an executable named "SharpHound.exe" being written to disk; it did not detect the behaviour the tool generates (broad LDAP enumeration of the domain and session enumeration against many hosts), so a renamed or in-memory collector would have gone unnoticed. Security investment without this kind of transparency leaves gaps in an organization's defence strategy, and a Purple Team aims to address exactly that gap.
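The SharpHound example above, as an added illustration that is not Packetlabs code: a filename-based rule of the kind the marketed package implemented, beside a behaviour-based rule, both run over constructed sample telemetry. The event schema (field names such as type, image, filter, target) and the thresholds are assumptions for the example, not any product's real schema; the two "variations" show that each rule alone covers only part of the technique.

```python
# Added example (not Packetlabs code): a filename-based "BloodHound detection"
# beside a behaviour-based rule, both run over constructed sample telemetry.
# Field names (type, image, filter, target, ...) and thresholds are assumptions.
from collections import defaultdict

# --- Constructed sample events (not real logs) ------------------------------
# Variation 1: the collector is renamed before execution, so "SharpHound.exe"
# never appears on disk, but the collection behaviour still happens.
RENAMED_COLLECTOR_EVENTS = [
    {"t": 0, "type": "process_create", "host": "WS01", "user": "jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe"},
] + [
    # Domain-wide LDAP enumeration, one objectClass at a time.
    {"t": 1 + i, "type": "ldap_search", "host": "WS01", "user": "jdoe",
     "base": "DC=corp,DC=local", "filter": f,
     "attrs": ["objectSid", "memberOf", "servicePrincipalName"]}
    for i, f in enumerate([
        "(objectClass=user)", "(objectClass=group)", "(objectClass=computer)",
        "(objectClass=organizationalUnit)", "(objectClass=groupPolicyContainer)",
        "(objectClass=trustedDomain)"])
] + [
    # Session enumeration against many hosts in a short window.
    {"t": 10 + i, "type": "smb_session_enum", "host": "WS01", "user": "jdoe",
     "target": f"SRV{i:02d}"}
    for i in range(25)
] + [
    # Benign noise from another principal: one targeted LDAP lookup.
    {"t": 40, "type": "ldap_search", "host": "WS02", "user": "admin",
     "base": "DC=corp,DC=local", "filter": "(sAMAccountName=jdoe)",
     "attrs": ["mail"]},
    {"t": 41, "type": "process_create", "host": "WS02", "user": "admin",
     "image": r"C:\Windows\System32\notepad.exe"},
]

# Variation 2: the default binary name lands on disk, but no collection
# traffic follows (for instance because the EDR blocked execution).
DEFAULT_NAME_EVENTS = [
    {"t": 0, "type": "process_create", "host": "WS03", "user": "bob",
     "image": r"C:\Temp\SharpHound.exe"},
]

# --- Rule A: what the marketed package actually checked ---------------------
def rule_filename(events):
    """Fires only when the default collector binary name shows up."""
    return {(e["host"], e["user"]) for e in events
            if e["type"] == "process_create"
            and e["image"].lower().endswith("sharphound.exe")}

# --- Rule B: the behaviour the tool generates --------------------------------
WINDOW_SECONDS = 60        # collection bursts are fast; tune per environment
MIN_LDAP_CLASSES = 4       # distinct objectClass enumerations from one principal
MIN_SESSION_TARGETS = 20   # distinct hosts queried for sessions

def rule_behaviour(events, window=WINDOW_SECONDS):
    """Fires on broad LDAP enumeration plus session enumeration across many
    hosts by a single (host, user) within one sliding window."""
    by_principal = defaultdict(list)
    for e in events:
        by_principal[(e["host"], e["user"])].append(e)
    alerts = set()
    for principal, evs in by_principal.items():
        evs.sort(key=lambda e: e["t"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["t"] - start["t"] <= window]
            classes = {e["filter"].lower() for e in in_window
                       if e["type"] == "ldap_search"
                       and e["filter"].lower().startswith("(objectclass=")}
            targets = {e["target"] for e in in_window
                       if e["type"] == "smb_session_enum"}
            if len(classes) >= MIN_LDAP_CLASSES and len(targets) >= MIN_SESSION_TARGETS:
                alerts.add(principal)
                break
    return alerts

def evaluate(events):
    """Run both rules so the purple team can compare coverage per variation."""
    return {"filename_rule": rule_filename(events),
            "behaviour_rule": rule_behaviour(events)}

if __name__ == "__main__":
    for name, events in [("renamed collector", RENAMED_COLLECTOR_EVENTS),
                         ("default name, no traffic", DEFAULT_NAME_EVENTS)]:
        print(name, evaluate(events))
```

Against the renamed collector the filename rule is silent and only the behaviour rule fires; against the bare drop of SharpHound.exe with no follow-on traffic it is the other way round. Neither rule is wrong, but a purple team that runs only one variation would sign off on whichever rule happens to match it, which is the gap the SIEM package in the debrief fell into.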
Organizations across all industries invest in Purple Teaming to measure security control efficacy through testing. The results let a security team create an action-oriented project plan that assesses the direction of, and the investment in, security products within their overall security strategy.
A Purple Team primarily evaluates the efficacy of security controls, and it does so through deliberately selected test cases. Since a detection is a prediction of what an adversary might do, how does a security team or an organization predict which variation an attacker would likely use?
This requires the expertise of a Red Team. A Red Team can inform, educate, and curate for an organization a set of test cases that best represent that organization's threat model, and perform tests that adequately represent a subset of an attack technique. Much of this comes down to choosing the right type of exercise for the security goal. One request that Packetlabs has consistently received is whether a penetration test can be used to check whether an environment has already been compromised. This is a good illustration of matching the exercise to the goal: a penetration test is not a bad program, but it is the wrong exercise for a compromise assessment.
Take, for example, logs that are not being ingested from all the right sources, rules and alerts with parsing issues, detections with erroneous logic, or delays in response times: any of these can determine whether an attack is caught early or turns into an incident. Atomic test cases are capable of evaluating detective controls, but it is also important to test preventative controls. If an organization can prevent a particular technique from occurring, it can allocate its finite resources to areas of the security strategy that require more attention.
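One way to turn those failure modes into something a debrief can act on, as an added example that is not part of Packetlabs' methodology: score each atomic test case by what the defenders actually saw. The outcome names, the 15-minute alert threshold, the one-hour horizon and all of the sample test cases and observations below are constructed for the illustration; the technique IDs are real MITRE ATT&CK identifiers, but nothing here is from a real engagement.

```python
# Added example (not Packetlabs code): score each purple-team test case by
# what the defenders actually saw. Outcome names, thresholds and all sample
# data are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass
class TestCase:
    case_id: str
    technique: str        # ATT&CK technique ID the test case exercises
    host: str             # where the red team executed it
    executed_at: int      # epoch seconds
    blocked: bool         # preventive control stopped it (recorded by the red team)

@dataclass
class Observation:
    host: str
    at: int               # epoch seconds
    kind: str             # "alert" (SOC was paged) or "log" (telemetry only)
    technique: Optional[str] = None

OUTCOMES = ("prevented", "alerted", "late", "logged", "missed")

def classify(tc, observations, max_latency=900, horizon=3600):
    """Return (outcome, alert_latency_seconds_or_None) for one test case.

    prevented: the preventive control blocked the technique.
    alerted:   an alert fired on that host within max_latency.
    late:      an alert fired, but only after max_latency (a response-time gap).
    logged:    telemetry exists but no alert fired (ingestion fine, logic missing).
    missed:    nothing reached the SIEM at all (ingestion or parsing gap).
    """
    if tc.blocked:
        return "prevented", 0
    after = [o for o in observations
             if o.host == tc.host and 0 <= o.at - tc.executed_at <= horizon]
    alert_times = sorted(o.at for o in after if o.kind == "alert")
    if alert_times:
        latency = alert_times[0] - tc.executed_at
        return ("alerted" if latency <= max_latency else "late"), latency
    if after:
        return "logged", None
    return "missed", None

def summarize(cases, observations, **kw):
    """Per-case results plus a count per outcome for the debrief."""
    results = {tc.case_id: classify(tc, observations, **kw) for tc in cases}
    counts = {o: 0 for o in OUTCOMES}
    for outcome, _ in results.values():
        counts[outcome] += 1
    return results, counts

# Constructed sample data (not a real engagement).
SAMPLE_CASES = [
    TestCase("PT-01", "T1003.001", "WS01", 1000, blocked=True),
    TestCase("PT-02", "T1087.002", "WS01", 2000, blocked=False),
    TestCase("PT-03", "T1021.002", "SRV01", 3000, blocked=False),
    TestCase("PT-04", "T1059.001", "WS02", 4000, blocked=False),
    TestCase("PT-05", "T1558.003", "WS02", 9000, blocked=False),
]
SAMPLE_OBSERVATIONS = [
    Observation("WS01", 2120, "alert", "T1087.002"),   # 2 min after PT-02
    Observation("SRV01", 3005, "log"),                 # PT-03 reached the SIEM, no rule
    Observation("WS02", 5800, "alert", "T1059.001"),   # 30 min after PT-04: too slow
    # PT-05 produced no events at all: a telemetry gap, not a rule gap.
]

if __name__ == "__main__":
    results, counts = summarize(SAMPLE_CASES, SAMPLE_OBSERVATIONS)
    for case_id, (outcome, latency) in results.items():
        print(f"{case_id}: {outcome}" + (f" ({latency}s)" if latency else ""))
    print(counts)
```

The point of separating "logged" from "missed" is that they need different fixes: a logged-but-not-alerted technique is a detection-logic problem, while a missed one means the telemetry never arrived, so writing a better rule would change nothing. A "late" alert is recorded with its latency so the response-time gap is visible rather than hidden inside a green tick.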
To successfully navigate the cybersecurity landscape in 2024 and beyond, proactive security assessments are critical, especially for organizations operating in high-risk sectors, because real-world adversaries continuously adapt their tactics. Purple Teaming is the assessment model of choice for building the defensive capabilities required to detect highly targeted attacks. These assessments aim to harden an organization's defenses against its biggest risks: nation-state threat actors, apex ransomware gangs and other criminal cyber enterprises, and insider threats.
It's no longer safe to rely solely on perimeter or endpoint security products for protection. Organizations need to strengthen their adaptive defenses to achieve faster and more reliable detection at every stage of an attack. As attackers covertly gain unauthorized access, assess the landscape, attempt to move laterally within a network, and take action on objectives, they leave evidence that well-trained and experienced defenders can identify, allowing them to stop an attack at an early stage. Without the ability to recognize these key indicators, defenders risk allowing an initial compromise to progress toward higher-value targets, significantly increasing the potential damage and the financial cost of response and recovery.
Purple Teaming offers hands-on attack simulation along with collaborative sharing to enrich Blue Team skills and bolster an organization's core cybersecurity competencies.
Purple Teaming has emerged as a distinct approach to security testing that sets itself apart from traditional Penetration Testing and Red Teaming methodologies. Those forms of assessment focus on identifying and exploiting vulnerabilities in an organization's attack surface so that security gaps can be mitigated. Purple Teaming's goals are different, making it a unique and valuable addition to an organization's cybersecurity activities. It answers the question: "Can defenders effectively detect unauthorized activity in the organization's IT infrastructure and protect it against threats that are real and present?"
Many organizations invest heavily in advanced cybersecurity solutions such as next-gen Antivirus, Network Intrusion Detection Solutions (NIDS), Unified Threat Management (UTM), Unified Endpoint Management (UEM), and Endpoint Detection and Response (EDR) products. These are undeniably crucial components of an enterprise cybersecurity stack. However, despite substantial investments, detection products are not infallible: Purple Teaming assessments help organizations evaluate their detection capabilities and detection rates beyond the simple installation and configuration of security tooling.
The SolarWinds supply-chain breach showed that determined adversaries can circumvent even robust detection solutions. Once those products are bypassed, the average organization has few other means of noticing the intrusion. Purple Teaming builds threat-hunting skills: actively searching for indicators of compromise (IoC) or suspicious activity that may point to a compromise even when no automated alert has fired. This threat-hunting capability extends an organization's detection capabilities beyond those provided by NIDS, UTM, UEM, and EDR products.
Advanced threat detection solutions may capture extensive telemetry, but if they are not configured for an organization's specific IT infrastructure, they will not alert on every threat. For organizations facing high-risk scenarios, a "set it and forget it" mentality is a risky approach. Purple Teaming provides insight into what happens when detection-based security products are bypassed and verifies that defenders can detect the latest and most evasive attack techniques.
Due to the intense nature of Purple Team assessments, target organizations need to consider several important factors before starting an engagement. By preparing properly for a Purple Team engagement, the target organization can ensure higher return on security investment (ROSI), and Blue Team participants can acquire the most knowledge, skills, and experience possible.
Some special considerations for Purple Team targets include, but are not limited to:
Clear Objectives: Objectives must be clearly defined in order to ensure the assessment aligns with the target organization's specific security concerns. Conducting a risk assessment with the Red Team prior to the engagement helps prioritize which assets, systems, and data to focus attacks on and which types of attacks an organization is likely to encounter
Engagement Scope: Determine the scope and duration of the Purple Team assessment and decide which attack perspectives should be assessed and which should be off-limits. It is also beneficial to outline a roadmap of the tactics, techniques, and procedures (TTP) the Red Team will use to ensure the required experience and knowledge can be gained by the Blue Team
Rules Of Engagement: Distinctly define the boundaries for the Purple Team. This includes specifying the tools and methods that can and cannot be used, the times of day when tests can be conducted, and any other constraints to ensure the safe and legal handling of systems and data. Define a process for escalating any unforeseen challenges that may arise during the engagement and ensure a clear decision-making hierarchy exists
Collaboration Activities: Plan the engagement's collaboration activities such that the Red Team and Blue Team have sufficient time to exchange knowledge. Define when and how often the Red Team will report their activities. This allows the Blue Team to gain a full understanding of the Red Team's strategy and techniques to extract the most possible value from the engagement and learn how to adapt and analyze attack IoC in real-time
Post-Engagement Activities: Plan for post-engagement activities, including a debriefing session between management and the Red Team, to discuss overall findings, recommendations, and lessons learned. Use the assessment results as a roadmap for enhancing the organization's security posture
The core activities of the Packetlabs Purple Teaming methodology combine the activities of a Red Teaming assessment with collaboration sessions with the Blue Team at regular intervals.
If an attack goes undetected, the Blue Team is allowed to assess the security gaps and adjust their defensive strategy accordingly. For a Purple Teaming assessment to be successful, the testing methodology must be dynamic and cover a wide range of TTP commonly used by sophisticated real-world adversaries.
Here at Packetlabs Ltd., we take cybersecurity beyond the checkbox: as a SOC 2 Type II accredited cybersecurity firm specializing in penetration testing services, we employ only OSCP-minimum certified ethical hackers that offer 95% manual penetration testing.
Instead of outsourcing our work or relying on automated VA scans, we guarantee zero false positives via our in-depth approach and passion for innovation: our security testing methodology is derived from the SANS Pentest Methodology, the MITRE ATT&CK framework for enterprises, and NIST SP800-115 to ensure compliance with the majority of common regulatory requirements. Our comprehensive methodology has been broken up based on which areas can be tested with automation and those which require extensive manual testing.
When seeking out a penetration testing vendor, we recommend that, like our team, they possess the following other certifications:
Alongside celebrating our twelfth year in business, our 95% manual penetration testing yielded a partnership with the SickKids Foundation, another of our 2023 highlights: the SickKids Foundation is a fundraising organization based in Toronto that supports The Hospital for Sick Children. With over 1.5 million active donors, the foundation collects and manages sensitive information, a breach of which could result in reputational damage and loss of donors.
Whether you are looking to develop the advanced capabilities required to mitigate high-risk scenarios, protect proprietary data, or meet regulatory or compliance standards, selecting the right partner is crucial. When choosing a security consultant many things should be considered such as reputation, trust, size of the entity, degree of experience, and professionalism (including certification achievements).
Packetlabs' advanced offensive cybersecurity capabilities go far beyond industry standards. With our consultative approach, we ensure that our clients understand our reports and assessments and go the extra mile to provide support when helping our clients plan the next steps in their journey toward a stronger security posture and a bulletproof cybersecurity strategy. Packetlabs conducts 100% of our testing activities in-house and does not outsource to external third parties, and we have been rated an average 9.5/10 NPS score by our customers upon project completion. We’re committed to the highest standards for communication– and that includes a strict dedication to your right to quality security services.
Alongside Purple Teaming assessment, our team is also proud to offer the following security solutions:
DevSecOps: DevSecOps is integrated early in your development cycle and acts as an extension of your development team to flag vulnerabilities within your existing detected management systems
Red Teaming: Red Teaming is a full-scope simulated attack designed to get a holistic review of the level of risk and vulnerabilities across people, processes, and tech in an organization
Cyber Maturity Assessments: A Cyber Maturity Assessment supports the tactical direction of your cybersecurity strategy. As the first step in strengthening your security posture, this assessment generates the roadmap to strengthen your overall security program
OT Assessments: OT Cybersecurity Assessments simulate the likelihood of an attacker reaching the control centre from an external and internal perspective with production-safe testing
Ransomware Penetration Testing: A ransomware penetration test evaluates the preparedness and risk of a ransomware attack and identifies gaps in people, processes, and technology, to determine the likelihood and readiness for a ransomware attack
Cloud Penetration Testing: Multiple perspectives help with strengthening your security posture. These include Cloud Penetration Testing, which simulates an attacker in the environment, and a Cloud Penetration Review, which provides insights into cloud-specific vulnerabilities originating from an insecure configuration. Each of these services can be conducted separately or, for maximum effectiveness, combined as an enhanced cloud security bundle
Objective-based Penetration Testing: Following a preliminary penetration test, objective-based testing conducts a more advanced simulated cybersecurity attack. The test is conducted by persistent ethical hackers who deploy multiphase attacks to gain access to your organization's data so that you can discover gaps and vulnerabilities unique to your organization and test your ability to detect and respond to threat actors
Application Security Testing: More targeted in scope than a regular pentest, application security testing uncovers vulnerabilities residing in your web and mobile apps. Application Security Testing actively explores your application from an attacker’s perspective
Infrastructure Penetration Testing: An infrastructure penetration testing assessment uncovers vulnerabilities in your IT and network systems and provides a tailored approach to each environment
These are in addition to the Packetlabs Portal, which enables you to quickly view findings, prioritize efforts, request retests after remediation, and monitor progress.
Are you ready to unlock the benefits of Purple Teaming assessments?
Our team is always just one click away. Our specialized experts can answer any further questions you may have and can start the process of kickstarting the most proactive security assessment of your organization’s most mission-critical people, processes, premises, and technology.