How Purple Teams Help Federal Agencies Enhance Security
Purple teaming is a proven way to provide stronger, deeper assurance — with more certainty — that the agency is being protected. In this cybersecurity testing approach, the functions of both red and blue teams are taken on simultaneously, with members working together to enhance information sharing.
A common misperception of purple teaming is that a new, separate, third team must be created; in reality, that is not necessary. Purple teaming is better understood as a philosophy governing how the blue and red teams operate, one that goes beyond simply getting them to work together.
To start, some agencies bring the teams together for a one-time engagement, coupled with a process for examining lessons learned. A third party may analyze how the teams work together and recommend ways to improve communication.
To work best, however, purple teaming requires a change in mindset. Many agencies find that it is more practical — and yields longer-term results — when they establish a permanent purple team framework with clear communication channels and a collaborative culture.
There are two keys to successful purple teaming: maintaining an external focus and ensuring continuous learning and communication.
The external focus places heavy emphasis on how the adversary works, in order to understand and continuously update knowledge of the tactics, techniques and procedures (TTPs) being used. Purple teaming determines which adversaries pose the greatest risk to an agency and then develops a deep, rich understanding of their TTPs.
Purple teaming also helps the combined groups focus their defense capabilities on the threats that really matter. This shared deep understanding of the adversary helps both teams to fine-tune their focus on real-world threats.
Continuous learning and communication help the red and blue teams overcome the competitive nature of their work. Instead of working in isolation, they align their processes and information flows to test how well they can counter those high-risk TTPs and protect the agency.
This active communication helps the teams leverage skill sets while overcoming the limitations of a siloed approach. The red team can offer valuable insights into possible vulnerabilities that might not have been detected. The blue team, in turn, can educate the red team on how it can tweak its attacks to penetrate the agency’s defenses.