Is your organization looking to validate the effectiveness of its security program? A purple team exercise may help measure your ability to detect and respond to a security incident before experiencing an actual incident.
A purple team exercise combines the capabilities of offensive (red) and defensive (blue) security operations. It’s not an actual team, but a function or methodology designed to simulate common threats and test your security program. A purple team exercise can be a collaboration of various teams including threat intelligence, pentesters, threat hunters, incident responders and a SOC. It could also be as simple as evaluating, “can we detect X with our SIEM/AV/IDS/etc?”
If your team doesn’t have red or blue team expertise, you may consider hiring a third party to execute an engagement. Pentesting organizations may be hesitant to share information about their actions with a blue team or your MSSP, so it’s important to outline predefined actions rather than asking them to uncover their “secret sauce.” If you can’t rely on external organizations and have limited resources, you may focus on a dedicated table-top exercise. MITRE is a great resource to leverage for this approach, as it can help prioritize topics to discuss by identifying specific tactics and techniques. If you feel confident in your security team’s capabilities, you may approach purple teaming from an operational capacity, continuously testing individual TTPs based on newly discovered intel.
If your team has the specialized capability to execute an in-depth purple team simulation, you should involve the following parties:
Sponsors (CISO, managers, director): required for buy-in, approval, staffing decisions and scheduling.
Exercise coordinator (appointed by the sponsors, or a third-party consultant): the point of contact for purple team planning; prepares each stage of the exercise, records minutes and lessons learned, and generates the final report.
Threat intelligence team: identifies the adversaries and the tactics, techniques and procedures to be simulated during the exercise.
Red team: emulates the TTPs identified by the threat intelligence team, leveraging generic and tailored tools/exploits.
Blue team (SOC, threat hunters, incident responders, third-party MSSP): identifies and responds to the red team’s simulations.
Sysadmins: prepare infrastructure, networking, OS deployment and configuration.
Once you’ve identified participants for your purple team exercise, you can begin to prepare each step:
The pitch > planning phases > threat intelligence > table-top > execution > lessons learned > operationalize
The first step in a successful purple team exercise is the pitch. If your organization’s leaders don’t see value in a purple team exercise, you’ll never get the effort off the ground.
When creating your pitch, don’t focus solely on the benefits, but what happens if you do not purple team. Reference a previous compromise or incident and how purple teaming may have better prepared you to respond. How can purple teaming highlight your exploited weaknesses or gaps in visibility?
Purple teaming is in essence, security validation. We deploy and configure security controls, but rarely test their effectiveness. How many times does your organization say “Why didn’t we detect X?”
Purple teaming provides metrics for management to prove how your security program is advancing its prevention and detection capabilities. This part of the purple teaming process may be a formal meeting or evolving conversations, but it will take continued championing to allocate a budget and become established as a priority for your leadership.
Phase 1- Initial Planning Meeting
Once you’ve convinced leadership, it’s time to start researching and compiling info about your adversaries and their TTPs.
The first phase of planning relies on the ability of your threat intelligence and security teams to leverage previous incidents and/or research TTPs observed attacking your industry. MITRE is a great source for this information. This will be similar to a threat modeling exercise.
During this phase, you should assign action items to relevant stakeholders and plan the technical aspects of the exercise. This will involve steps to prepare your environment, tools, payloads, communication channels, procedures, and security controls.
Phase 2- Follow up Planning Meeting(s)
Phase two planning should consist of reviewing the CTI and TTPs prepared during phase one. Define the process you’ll follow during the purple team exercise. The Lockheed Martin kill chain is a great resource for this. Identify the appropriate tools for recon, exploitation, lateral movement, exfiltration, etc.
Identify how your blue team should respond to each phase of the kill-chain. Prepare your DFIR tools and process and decide when you’ll need to leverage process/memory/disk dumps for additional visibility.
Ensure you have outlined your infrastructure requirements and your sysadmins have begun preparing the testing environment.
Based on the information you’ve identified so far, run through a mock tabletop exercise, executing your proposed purple team exercise. Use this to determine where you still need to focus efforts to prepare a successful exercise.
Phase 3- Infrastructure Planning
Your red team should begin preparing their attack tools to emulate the CTI and TTPs identified by your threat intel team. They should determine what machines their sysadmins should deploy for them to attack the purple team infrastructure. They may request a specific Unix distro or a Windows 10 machine with common or custom tools. You can also test and deploy emulation tools such as SCYTHE, CALDERA or Atomic Red Team. This will ensure testing is consistent during this and future purple team exercises.
During this phase, sysadmins should prepare target machines (both workstation and server endpoints) with the same configuration as production systems. This will also require deploying domain services like LDAP, AD, DHCP, DNS, etc. To mimic your infrastructure, you may choose to deploy physical hosts, virtual machines, terminal servers, and leverage cloud infrastructure. Depending on your OS requirements, it’s recommended to deploy at least 2 machines per OS to emulate lateral movement. Sysadmins should create domain and local users, administrators, and email accounts for your red and blue team.
Your blue team should ensure your security controls are deployed and configured properly in your purple team environment. They should mirror your production infrastructure as closely as possible: AV/EDR for endpoint visibility; IDS/IPS, web proxy, etc. for network visibility; a SIEM as the central place to perform investigations and threat hunting; and DFIR tools to provide context to SIEM results, enhance detection IOCs and feed additional threat hunting operations.
Your sysadmins should ensure both red and blue teams have network and internet access to the appropriate resources. They should also prepare cloud resources, C2 servers, SMTP accounts, domains and certificates associated with testing resources.
Phase 4- Final Planning Meeting
The final planning phase should address logistical concerns around the physical or remote location where you intend to execute the exercise. If your SOC exists in a physical location, it’s ideal to perform the exercise there, as in-person communication between multiple teams is most effective. If your teams exist in dispersed locations, utilize video conferencing software that allows you to control participants’ actions and share screens and resources.
The agenda should be transcribed and distributed to all participants outlining phases of the kill chain and the associated TTPs being tested during each phase.
Agree upon the metrics which will be used to determine the success of the purple team. The exercise coordinator will track these metrics. They should measure the organization’s ability to detect and respond to the simulations performed by the red team. Detection metrics can be divided into the blue team’s ability to detect, alert on, and automate similar investigations of TTPs.
After all these planning steps are executed, this phase should be complete. All parties should agree to the agenda and how each stage will be executed. After that, you’re finally ready to begin a purple team exercise!
Start the exercise off with introductions by each team member and a high level agenda. The exercise coordinator will present the adversary being simulated, their TTPs and the technical details that accompany them. Before simulations begin, the exercise coordinator will lead a high-level table-top exercise outlining the actions and reactions each team should perform during each phase of the simulation.
When the hands-on exercise begins, the red team will share their screen and simulate the first tactic and technique in the testing environment. It’s important for stakeholders to follow along with the presentation, so they can view each action and effectiveness of the blue team’s ability to react.
Next, the blue team will share their screen and respond to the actions taken by the red team. They will walk through their process to fingerprint the attack in as many ways as possible.
Depending on their ability to detect a specific attack, configuration changes should be researched and changed (if required) to enable the blue team to identify red team simulations. The exercise coordinator will record these changes and action items, which will be included in the final report. This is also where the DFIR team can leverage tools to augment the ability of the blue team and/or SOC. While they are pulling data/process/memory dumps, the red team can continue simulating the next phase.
After each attack is complete, methods have been exhausted to identify the attack, decisions made to increase visibility or reaction time, and results have been recorded, the execution loop will continue to the next tactic and technique.
Engineering new detection and configuration changes can take time, so limit the time the blue team and sysadmins have to make configuration changes. You want to keep a steady workflow for each team. Additional research and changes can be followed up after the lessons learned report.
These steps will continue until all tactics and techniques in the agenda have been executed and observed by the blue team.
During the simulation, the exercise coordinator must be diligent in recording as much detail as possible and work with each team involved during the execution of tactics and techniques.
How was each attack executed? What tools were used? What command line flags were issued? How was the blue team able to respond? What tools did they leverage in doing so? Was the blue team able to alert or simply identify the actions of the attacker? What level of investigation was required to identify actions as malicious? Did they use off-the-shelf or custom tools? Was the blue team able to leverage their SIEM, or did detection require more in-depth analysis with DFIR tools? Was the blue team able to put together a cohesive story related to the simulated compromise? These and many other questions should be recorded by the exercise coordinator with the intent to present during an initial and formal report.
Consider using current reporting and tracking tools already used by the organization such as JIRA, Archer, or other GRCs. You may also consider using dedicated purple team tracking tools such as PlexTrac or VECTR.
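As an added example (not tooling from the article, and not PlexTrac or VECTR), the following Python script shows one way to record the answers to the coordinator’s questions above for each simulated technique, compute the detect/alert/automate metrics agreed during final planning per ATT&CK tactic, list open action items for the lessons learned report, and compare a later retest against the original run. The technique IDs are ATT&CK identifiers; every outcome, data source and action item is a constructed sample value, not a result from a real exercise.

```python
"""Purple team scorecard: record what each simulated technique produced on the
blue side and turn it into the metrics the final report needs.

Added example, not tooling from the article. Technique IDs are ATT&CK
identifiers; every outcome, data source and action item below is a
constructed sample value, not data from a real exercise.
"""
from collections import defaultdict
from dataclasses import dataclass, field, replace
from enum import IntEnum


class Outcome(IntEnum):
    """How far the blue team got with one technique, weakest to strongest.
    The three upper levels mirror the detect / alert / automate metrics."""
    MISSED = 0      # nothing found, even after DFIR tooling was brought in
    DETECTED = 1    # found only through manual investigation or DFIR dumps
    ALERTED = 2     # SIEM/EDR raised an alert without an analyst prompting it
    AUTOMATED = 3   # alert plus an automated investigation/response playbook


@dataclass
class TechniqueResult:
    technique_id: str              # ATT&CK technique ID
    tactic: str                    # ATT&CK tactic the step belongs to
    red_notes: str                 # what the red team did (tool, flags, target)
    outcome: Outcome
    blue_source: str = ""          # data source that surfaced the activity
    action_items: list = field(default_factory=list)  # coordinator follow-ups


def summarize_by_tactic(results):
    """Per-tactic counts of each outcome plus the share of techniques that
    raised an alert or better."""
    summary = defaultdict(lambda: {**{o.name.lower(): 0 for o in Outcome}, "total": 0})
    for r in results:
        summary[r.tactic][r.outcome.name.lower()] += 1
        summary[r.tactic]["total"] += 1
    for row in summary.values():
        row["alert_coverage"] = (row["alerted"] + row["automated"]) / row["total"]
    return dict(summary)


def alert_coverage(results):
    """Fraction of all simulated techniques at Outcome.ALERTED or better."""
    if not results:
        return 0.0
    return sum(1 for r in results if r.outcome >= Outcome.ALERTED) / len(results)


def open_action_items(results):
    """Flatten action items for the lessons learned report, weakest outcomes
    first so the largest visibility gaps lead the list."""
    items = []
    for r in sorted(results, key=lambda r: (r.outcome, r.technique_id)):
        items.extend((r.technique_id, r.outcome.name, item) for item in r.action_items)
    return items


def compare_retest(baseline, retest):
    """Classify each retested technique as improved, regressed, unchanged or
    new relative to the original exercise."""
    before = {r.technique_id: r.outcome for r in baseline}
    diff = {"improved": [], "regressed": [], "unchanged": [], "new": []}
    for r in sorted(retest, key=lambda r: r.technique_id):
        prev = before.get(r.technique_id)
        if prev is None:
            diff["new"].append(r.technique_id)
        elif r.outcome > prev:
            diff["improved"].append(r.technique_id)
        elif r.outcome < prev:
            diff["regressed"].append(r.technique_id)
        else:
            diff["unchanged"].append(r.technique_id)
    return diff


# Constructed results from a hypothetical first exercise.
BASELINE = [
    TechniqueResult("T1566.001", "Initial Access", "macro document to a test mailbox",
                    Outcome.ALERTED, "email gateway"),
    TechniqueResult("T1566.002", "Initial Access", "link to a red-team-owned domain",
                    Outcome.MISSED, action_items=["Forward web proxy logs to the SIEM"]),
    TechniqueResult("T1059.001", "Execution", "encoded PowerShell from the document",
                    Outcome.DETECTED, "EDR process telemetry",
                    ["Add a SIEM rule for encoded PowerShell command lines"]),
    TechniqueResult("T1003.001", "Credential Access", "LSASS memory read on workstation 1",
                    Outcome.MISSED, action_items=["Enable LSASS access auditing in EDR policy"]),
    TechniqueResult("T1021.002", "Lateral Movement", "admin share to workstation 2",
                    Outcome.DETECTED, "domain controller logon events"),
    TechniqueResult("T1041", "Exfiltration", "staged archive over the C2 channel",
                    Outcome.ALERTED, "web proxy"),
]

# Constructed retest after the action items above were worked.
RETEST = [
    replace(BASELINE[0]),
    replace(BASELINE[1], outcome=Outcome.ALERTED, blue_source="web proxy via SIEM", action_items=[]),
    replace(BASELINE[2], outcome=Outcome.ALERTED, blue_source="SIEM rule on EDR telemetry", action_items=[]),
    replace(BASELINE[3], outcome=Outcome.DETECTED, blue_source="EDR LSASS access events",
            action_items=["Promote the LSASS access event to an alert"]),
    replace(BASELINE[4]),
    replace(BASELINE[5]),
]

if __name__ == "__main__":
    for tactic, row in summarize_by_tactic(BASELINE).items():
        print(f"{tactic:18} alert coverage {row['alert_coverage']:.0%} of {row['total']}")
    print(f"overall: {alert_coverage(BASELINE):.0%} -> {alert_coverage(RETEST):.0%} after retest")
    for tid, outcome, item in open_action_items(BASELINE):
        print(f"  [{outcome}] {tid}: {item}")
    print(compare_retest(BASELINE, RETEST))
```

The ordered Outcome scale is the design choice worth copying: a technique that was only found after pulling memory dumps counts as detected but not alerted, so the per-tactic alert_coverage number separates “we can find it with effort” from “our SIEM tells us,” which is the distinction the final report has to make for stakeholders.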
After the exercise is complete, the coordinator will produce a rough draft of the meeting notes and deliver an initial lessons learned report to all attendees. It is from these notes that they will produce a formal report, which should be delivered to stakeholders and sponsors within two weeks after completion.
This report should detail the organization’s strengths, weaknesses and prioritize areas where short and long term wins can be achieved. Based on this report, it’s the responsibility of the stakeholders to determine how and when to enact these recommended changes. Doing so should increase the organization’s security posture, decrease time to detection and strengthen everyone’s understanding of standard operating procedures in the event of an actual attack.
Following details from the lessons learned report, analysts should be able to retest each scenario and determine if their ability to detect attacks has improved. Retesting may consist of a small team and does not require the formality and involvement of all stakeholders.
Once the organization feels confident in their ability to emulate and detect new TTPs, they can begin to operationalize their purple team efforts. Attack simulation tools can assist in these efforts. While some tools require deploying infrastructure, others can be scripted and leverage current infrastructure.
When new TTPs are identified by your threat intelligence team or MSSP, they can be added to a weekly/monthly/quarterly testing schedule. Depending on staff availability and expertise, an exercise may only require the involvement of a core team of individuals.
Operationalized Purple Teaming
When your purple team matures, you can begin to operationalize your process. When a new TTP or exploit is identified, it can be referenced against the MITRE ATT&CK matrix and integrated into the testing process. The organization may hold a small tabletop exercise to determine its hypothetical ability to detect a TTP. If you are not confident in the team’s ability to identify a similar attack, you should leverage the testing environment to run another simulation.
When a new tabletop or simulation has been executed, detection engineering should research the changes needed to enable detection and alerting. Once these changes have been made, it’s important to discuss how an attacker might evade the new detection, and whether your confidence that you would alert on such an attack is justified.
This process can be scheduled weekly, monthly, quarterly or yearly depending on the teams’ resources. If an exercise requires the involvement of all sponsors and stakeholders, it will likely be annual or bi-annual. If a small group can dedicate time to the purple team exercise, an organization can better operationalize these steps and prove its value to stakeholders.