The Art of Purple Teaming: Red and Blue Working in Tandem
Adopting a purple teaming model for continuous assessment is the key to getting a complete, real-time picture of security posture.
"Purple teaming" is a trending and exciting concept in cybersecurity, but its application is often misunderstood and, as a result, dismissed or never fully explored. Applied methodically, purple teaming can change both the way security work gets done and the way the C-suite understands and communicates the security posture of an organization.
The cybersecurity industry is at an inflection point. The last two to three decades have provided a good foundation of principles for security operations and compliance. But it is becoming evident that despite this strong foundation, companies are still getting breached and teams still struggle with what work to prioritize. Additionally, security programs are increasingly inundated with new tools and vendors pushing the latest technology while they are also facing a skills shortage. Essentially, the mission of the security program can easily get lost in the chaos of technology choices, time limitations, and data overload.
Ultimately, what every organization needs to answer is "How do adversaries breach our environment and how quickly can we stop them?" Although dramatically simplified, this question should be what everyone is aiming to answer and act on every day. When the focus of the work shifts too far away from this core question in any direction, we are vulnerable.
Purple teaming offers a solution for keeping everyone focused on that critical question but only if applied as a mindset, a way of approaching and prioritizing the endless demands facing security teams.
What Is Purple Teaming, Really?
On the surface "purple teaming" seems easily defined as collaboration and communication between red and blue teams during a series of scoped and well-defined security assessments. Red and blue make purple, after all.
Although purple teaming is a valuable concept, a purple team isn't necessarily a thing in the way a red or blue team is. Purple teaming is a role but not a job; there are no dedicated purple team members. A team member's function is either red or blue, but everyone's role is strictly purple with a common mission of detecting compromise as early as possible within the attack life cycle.
A better understanding of purple teaming is as a paradigm for collaborative testing and remediation in a continuous life cycle. Purple teaming seeks to break down cultural barriers, improve communication, and "level up" everyone's skills. This approach can demonstrably reduce the mean time to remediation for reported risks and vulnerabilities and quickly identify key gaps in security posture.
In a blog post on the concept, Daniel Miessler makes the same point: a purple team is not a group with a mix of red and blue responsibilities but a function of those separate teams that ensures effective communication between them. He also argues that such communication should already be an inherent part of the job for both red and blue teamers. If the teams are not sharing information for the common purpose of improving defenses, they are broken.
At its most basic level, purple teaming is already an essential job function of both offensive and defensive security professionals. Unfortunately, what should be happening and what is actually happening don't always align. It's incredibly easy for offensive and defensive practitioners to silo into distinct and sometimes combatant positions. The collaboration essential for identifying vulnerabilities and proactively remediating them can get lost in fragmented objectives and overwhelming reports.
Ultimately, the purple teaming function has the responsibility to deliver a comprehensive picture of true security gaps. A framework such as MITRE ATT&CK is extremely valuable here because it maps each tested adversary technique to a tactic, so gaps can be reported per phase of the attack life cycle rather than as a flat list of findings. Staying focused on those measurements means the organization can get a clearer picture of how its security stacks up. The key to achieving this visibility is a model of continuous assessment and remediation.
Leaning into a Continuous Assessment Mindset
Purple teaming is, in essence, a collaborative continuous assessment process. The paradigm lends itself to short iterative cycles with focused and transparent goals. These cycles should happen frequently and be both planned and collaborative. Limiting scope is a refreshing approach for teams that are used to gearing up for large, drawn-out assessments that run for weeks or months at a time. By working together from both sides to test something specific, the teams learn from one another and act on the results in a timely manner. Consequently, the team identifies and resolves critical security gaps faster, and the accumulated results give a real-time trend view of security posture.
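To make the per-phase reporting and the short retest cycles described above concrete, the following is an added example (not code from the article, PlexTrac, or MITRE) of how a purple team can record each exercise against its ATT&CK technique and tactic and then summarize detection coverage per tactic, which gaps remain open, and how long remediation took. The technique IDs, tactic names, dates, and alert times in the sample data are constructed for illustration only.

```python
"""Track purple-team exercise results per ATT&CK technique and summarize
detection coverage by tactic, open gaps, and remediation time (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ExerciseResult:
    technique: str                  # ATT&CK technique ID, e.g. "T1059.001"
    tactic: str                     # ATT&CK tactic the technique was tested under
    run_on: date                    # date the red side executed the technique
    detected: bool                  # did the blue side alert on it?
    alert_minutes: Optional[int]    # minutes from execution to first alert, if detected
    remediated_on: Optional[date]   # when the gap was closed, if it was


# Constructed sample data for illustration; not real exercise results.
RESULTS: List[ExerciseResult] = [
    ExerciseResult("T1566.001", "Initial Access", date(2024, 1, 10), True, 12, None),
    ExerciseResult("T1059.001", "Execution", date(2024, 1, 10), False, None, date(2024, 1, 17)),
    ExerciseResult("T1059.001", "Execution", date(2024, 1, 24), True, 8, None),   # retest after fix
    ExerciseResult("T1003.001", "Credential Access", date(2024, 1, 17), False, None, date(2024, 1, 31)),
    ExerciseResult("T1021.002", "Lateral Movement", date(2024, 1, 24), False, None, None),
    ExerciseResult("T1048.003", "Exfiltration", date(2024, 1, 31), True, 25, None),
]


def latest_per_technique(results: List[ExerciseResult]) -> Dict[str, ExerciseResult]:
    """Keep only the most recent run of each technique; a retest supersedes the earlier result."""
    latest: Dict[str, ExerciseResult] = {}
    for r in results:
        if r.technique not in latest or r.run_on > latest[r.technique].run_on:
            latest[r.technique] = r
    return latest


def coverage_by_tactic(results: List[ExerciseResult]) -> Dict[str, Tuple[int, int]]:
    """Per tactic: (techniques detected on their latest run, techniques tested)."""
    cov: Dict[str, Tuple[int, int]] = {}
    for r in latest_per_technique(results).values():
        detected, total = cov.get(r.tactic, (0, 0))
        cov[r.tactic] = (detected + int(r.detected), total + 1)
    return cov


def open_gaps(results: List[ExerciseResult]) -> Dict[str, str]:
    """Techniques whose latest run went undetected, with their remediation state."""
    gaps: Dict[str, str] = {}
    for r in latest_per_technique(results).values():
        if not r.detected:
            gaps[r.technique] = "fixed, retest pending" if r.remediated_on else "open"
    return gaps


def mean_time_to_remediate_days(results: List[ExerciseResult]) -> Optional[float]:
    """Mean days from an undetected run to the recorded fix, over closed findings."""
    durations = [(r.remediated_on - r.run_on).days
                 for r in results if not r.detected and r.remediated_on is not None]
    return sum(durations) / len(durations) if durations else None


def mean_time_to_detect_minutes(results: List[ExerciseResult]) -> Optional[float]:
    """Mean minutes from execution to first alert, over detected runs."""
    mins = [r.alert_minutes for r in results if r.detected and r.alert_minutes is not None]
    return sum(mins) / len(mins) if mins else None


if __name__ == "__main__":
    for tactic, (hit, total) in coverage_by_tactic(RESULTS).items():
        print(f"{tactic:<18} {hit}/{total} techniques detected")
    print("open gaps:", open_gaps(RESULTS))
    print("MTTR (days):", mean_time_to_remediate_days(RESULTS))
    print("MTTD (minutes):", mean_time_to_detect_minutes(RESULTS))
```

The point of keeping every run rather than overwriting the last one is that the retest of T1059.001 shows the gap closing, while T1003.001 shows a fix that has not yet been proven by a retest; both states are visible in the per-tactic view, which is what a continuous assessment cycle needs to report.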
This model isn't easy to achieve — cybersecurity is hard. But with the proper attitude, support, and partnership, purple teaming as a paradigm can provide a more complete picture of security posture and allow everyone — regardless of team — to focus on getting the right work done.
About the Author
Dan DeCloss is founder and CEO of PlexTrac, Inc., a security collaboration and reporting platform. Dan has over 15 years of experience in cybersecurity, including a master's degree in Computer Science with an emphasis in Information Security from the Naval Postgraduate School and OSCP and CISSP certifications. Dan started with the Department of Defense then moved to private sector consulting, working at companies like Veracode, the Mayo Clinic, and Anthem in high-level offensive and defensive roles. Before PlexTrac, Dan built the security program at Scentsy from infancy to best-in-class.