Purple Team increases the effectiveness of the Red Team and Blue Team in SCI

Posted date 27/07/2023
Author
INCIBE (INCIBE)
All about Purple Team increases the effectiveness of the Red Team and the Blue Team in SCI

Every day the focus on industrial environments increases, attracting the attention of different malicious actors who seek to make a profit by carrying out attacks on these architectures, and it is expected that, by 2023, the percentage of attacks on these environments will be at least 40% of the total number of cyberattacks produced.

All this data means that both Blue Teams and Red Teams are of vital importance for companies in the industrial environment, but due to the growth in the production of cyberattacks, it is necessary to improve the effectiveness of the exercises they carry out. For this reason, Purple Team exercises are becoming increasingly relevant to strengthening industrial cybersecurity, as they enable collaboration between the two teams, maximizing learning and responses between the two.

The Purple Team can be defined as the mix between the Blue Team and Red Team, but always seeking to ensure and maximize the effectiveness of both, thus reducing the deficiencies presented by both teams separately. This new team can provide a new scope in the development of attack and defense exercises in industrial environment companies. Its characteristics differ completely from those presented by some of the other two teams, being its main feature the integration and direct communication with both the Blue Team and the Red Team.

Among the main features of the Purple Team are the following:

  • The Purple Team seeks to achieve integration of offensive techniques, tactics and procedures (TTP), such as Red Team threats and vulnerabilities, together with Blue Team defensive techniques to protect against attacks.
  • The main purpose of the Purple Team is to improve communication, ensuring information sharing between Blue Team and Red Team.
  • Aligns the Blue Team's approach to relevant threats, allowing defensive architectures to be based on the organization's criticalities.
  • Organizes and provides information to the Red Team so that it can obtain information on sensitive assets and plan more elaborate attacks.
  • He is in charge of the governance operations of the exercises to be carried out.
  • He is also in charge of documenting and processing all the information from the teams so that it is transmitted in a correct format following the methodology established before the start of the tests.

Differential characteristics between the three units

The Red Team, as described in the "Red Team in mysterious waters" article, has the main purpose of attacking the different targets transmitted by the Purple Team, which the Blue Team will then defend. Although at first glance they may appear to be three completely different teams, in reality the three form a single team with the same objective: to improve the organization's cybersecurity, either by carrying out attacks (Red Team), defending infrastructures (Blue Team) or coordinating the other two teams (Purple Team).

Below is a table with the different characteristics and the most important functions of the three teams, thus making a visual differentiation of the functions of each one.

Blue, Red y Purple Team. Source: AttackIQ Academy 
 

Blue, Red y Purple Team. Source: AttackIQ Academy

Methodology

The Purple Team exercise must be based on a clear, concrete and replicable methodology. This methodology is comprised of five very noteworthy phases:

  • Definition of roles and responsibilities: Strategic, operational, tactical and operator levels must always be included in the Purple Team roles. All roles and responsibilities must be clearly defined so that everyone has a complete understanding of their function. The following are the minimum roles to form a Purple Team correctly:

    Roles and responsabilities 
     Roles and responsabilities

  • CTI (Cyber Threat Intelligence): Through CTI, the necessary information is collected and analyzed to determine the target to attack, the identification of the adversary, the collection of threats, their characterization, and the use and determination of TTPs.
    • Understanding the organization: knowledge about the possible attack surface of people, processes, technologies and systems that may be part of the organization, thus creating a global vision.
    • Identify the adversary: identify who is targeting the organization or a specific asset.
    • Characterize the threat and extract the TTPs: using the ICS MITRE ATT&CK matrix, the possible tactics and techniques to be employed during the Purple Team by the attacking team can be determined and their use provided to the Blue Team.
    • TTP: as mentioned above, this type of intelligence is vital during the exercise and is also the most difficult for the Blue Team to obtain. During a Purple Team, the definition of the TTPs is very complex, since it is a broad view of the attack, and a modification of any of the TTPs can cause a great variation on the Red Team's attacks.
  • Analyze and organize: the organization and creation of an attacking profile is one of the most important aspects of a Purple Team, as it allows to establish at a high level a plan of execution of the tasks to be performed by the Red Team and, in turn, will allow the Blue Team to have a clear and concise control of the possible tactics and techniques. In addition, within the organization's scope the sharing tables are critical, as they lay out the objectives, tactics, techniques and ATT&CK mapping, where the attack may fail and who it is believed will detect it.
  • Development plan: The development plan allows both teams to be clear about the steps to be taken, establishing the TTP, method and objective in a clear way. This plan should be followed and established prior to the start of the Purple Team exercise and, in case of modifications, the Purple Team leader in charge of communicating with both teams should communicate this to them.

Development Plan

Development plan. Source: AttackIQ Academy

  • Execution: after having a plan, an analysis and the rest of the defined sections, the attack will be executed. After the completion of each point defined in the development plan, both teams must communicate and perform a retraining exercise on the attack performed, in order to improve the defense with the knowledge of both the Red Team and the Blue Team. After this retraining, they would proceed to the next point of the development plan.

Purple team benefits

Purple Team exercises are not penetration tests on the organization or a device, as they are not used to identify specific vulnerabilities, but are intended to provide more generalist security benefits, such as the following:

  • Improved security awareness: allowing the Blue Team to know, observe and participate in attacks gives them a better understanding of how an attacker may operate. In addition, the Purple Team enables better identification, sharing and utilization of information from both the Red Team and the Blue Team.
  • Better performance: the combination of both teams through Purple Team exercises allows the developing organization to increase security monitoring performance faster and at a lower cost.
  • Optimization of defenses and security improvements: the use of Purple Team exercises at the organizational level in either IT or OT environments allows the organization to create a global learning environment, fostering a culture of collaboration for continuous cyber security improvement.
  • Critical information uncovered: the execution of a Purple Team exercise, in addition to the benefits mentioned above, allows the organization, and especially the Blue Teams, to have a better understanding of critical assets or security breaches, thus being able to identify and defend them against a possible real attack.

Conclusions

Purple Teams strengthen the entire system or organization in a very obvious way, as they include both Red Team and Blue Team teams, providing integration and communication at another level, if a separate Blue or Red Team is taken as a reference.

The guidance and communication capabilities provided by the Purple Team during the exercise will allow the organization conducting the exercise to review all processes, provide advanced information to each team on hotspots or vulnerabilities and take the exercise to a paradigm that without the Purple Team as an intermediate team would not be possible.

Although it is true that this type of exercise helps to create a good defense against an attack and improve existing protection mechanisms, we must not forget that cyber attackers are constantly training and evolving.

That is why the implementation of these Purple Team exercises, in which Blue and Red Team participate together, allow finding security flaws in systems, as long as these exercises are carried out on an ongoing basis, since, just as attackers continue to evolve and improve, organizations must continue to inspect and improve their systems and architectures in order to be protected.