Oct 18 2021

Purple Teams Add Power to Network Penetration Testing for Federal Agencies

Blending red and blue teams provides stronger assurance that a network is safe.

Pitting an offensive team that tries to find security weaknesses against a defensive team tasked with ensuring a federal agency’s cybersecurity has its benefits. Still, the concept of red and blue teaming has limitations. Blending them into a purple team can close communication gaps and enhance overall security.

Red teams are ethical hackers tasked with using adversarial techniques to attempt to breach an agency. Their actions can help the agency identify and address vulnerabilities across infrastructure, systems and applications, as well as in processes and human behavior. Unlike a real-life adversary, a red team typically only needs to find one way to achieve its objective.

Blue teams are the defenders. While the red team only needs to find one vulnerability and exploit it, the blue team needs to defend against every single attack launched by the red team — as well as by real attackers. Typically composed of analysts and incident responders, a blue team investigates security events using a variety of tools such as security information and event management (SIEM) platforms, threat intelligence, and related security probes.

However, there are issues. Red teams often use a one-off, point-in-time approach. They come in to run tests, and once weaknesses are identified, leave until the next testing cycle. With this approach, a red team may not fully understand the high-value assets and security needs of the organization.

Meanwhile, blue teams are often motivated to pass red team tests to demonstrate their own effectiveness, leading to a “pass-fail” mentality. Frequently under-resourced, they may struggle to fully understand just how devious an attacker can be. When techniques such as spear-phishing are used, a blue team may not even be aware that an organization has been compromised.

In addition, the two teams sometimes get out of sync. They rarely interact on a continual basis and often don’t share information, so lessons learned may be lost.


How Purple Teams Help Federal Agencies Enhance Security

Purple teaming is a proven way to provide stronger, deeper assurance — with more certainty — that the agency is being protected. In this cybersecurity testing approach, the functions of both red and blue teams are taken on simultaneously, with members working together to enhance information sharing.

A common misperception of purple teaming is that a new, separate, third team must be created; in reality, that’s not necessary. Purple teaming is more a philosophy about how blue and red teams operate, one that goes beyond simply having them work together.

To start, some agencies bring the teams together for a one-time engagement, coupled with a process for examining lessons learned. A third party may analyze how the teams work together and recommend ways to improve communication.

To work best, however, purple teaming requires a change in mindset. Many agencies find that it is more practical — and yields longer-term results — when they establish a permanent purple team framework with clear communication channels and a collaborative culture.


There are two keys to successful purple teaming: maintaining an external focus and ensuring continuous learning and communication.

The external focus places heavy emphasis on how the adversary works, in order to understand and continuously update knowledge of the tactics, techniques and procedures (TTPs) being used. Purple teaming determines which adversaries pose the greatest risk to an agency and then develops a deep, rich understanding of their TTPs.

Purple teaming also helps the combined groups focus their defense capabilities on the threats that really matter. This shared deep understanding of the adversary helps both teams to fine-tune their focus on real-world threats.

Continuous learning and communication help the red and blue teams overcome the competitive nature of their work. Instead of working in isolation, they align their processes and information flows to test how well they can counter those high-risk TTPs and protect the agency.

This active communication helps the teams leverage skill sets while overcoming the limitations of a siloed approach. The red team can offer valuable insights into possible vulnerabilities that might not have been detected. The blue team, in turn, can educate the red team on how it can tweak its attacks to penetrate the agency’s defenses.

5 Steps to Success for Purple Teaming at Your Agency

Crucial to success is selecting the right person to lead the teams, someone who drives better communication, cooperation and collaboration.

First, appoint a leader who understands the strengths and weaknesses of both the blue and red teams and has a proven ability to create a collaborative culture.

Next, work together to develop a threat-informed mindset. In this context, the purple team will use various resources (e.g., the MITRE ATT&CK framework) to understand which types of attacks are most likely to pose risk to the agency.


Teams should also actively work to build tight bonds and establish an open communication environment, and then build a testing strategy to implement their threat-informed defense. This includes testing people, processes and technology.

Finally, purple teams should look to automation to streamline efforts. Automated breach and attack simulation platforms using artificial intelligence and machine learning can help identify vulnerabilities in an agency’s defense.

Purple teaming can bring about a culture change. When red and blue teams work together, share knowledge and understand the adversary, an agency’s cybersecurity capabilities flourish.
