Purple Teaming as a Paradigm

The New Frontier for Cybersecurity

As the need for cybersecurity grows, the entities organizations put together to perform this function have matured. IT professionals have morphed over the years into cybersecurity experts—changing focus, becoming separate teams, birthing CISOs, and growing infinitely more adept at preventing and mitigating nefarious activity.

Information security has become a sophisticated industry with its own lingo, professional organizations, regulating bodies, and dedicated government branches. But despite its maturity, the InfoSec industry can never stop adapting. As long as technology keeps advancing, bad actors will never stop exploiting it, and InfoSec must continue to rise to that challenge.

Methodology and mindsets have to expand as well if we are to stay ahead of the enemy. Purely reactive measures must give way to offensive tactics for mitigating risk. The tribalism that separates so many into red and blue, or internal and external, needs to change if cybersecurity teams are to keep up with the growing threats.

The future is purple.

A New Definition of Purple Teaming

Purple teaming as a concept is a new approach gaining traction, but its definition has been somewhat limited. Most think of purple teaming only within the confines of a finite engagement. You are practicing purple teaming when you collaborate and share information between the red and blue teams during a planned exercise. Although this definition is true, it fails to tap the potential that the concept can have when applied across all aspects of a cybersecurity program.

Purple teaming can become a paradigm, a mindset, a new way of getting the real work done. Purple teaming as a paradigm seeks to break down cultural barriers, improve communication, and “level up” the skills of every team member, whether internal or external to the organization. It is also aimed at reducing the mean time to remediation for reported risks and vulnerabilities. Note that purple teaming is a role but not a job; there are no dedicated purple team members. A team member’s function is either red or blue, but everyone’s role is strictly purple, with a common mission of detecting compromise as early as possible within the attack lifecycle.

Moving Toward a Continuous Assessment Mindset

Purple teaming isn’t just for occasional engagements or attack simulations—although these are obvious times to employ purple teaming principles. Purple teaming goes hand in hand with a continuous assessment mindset.

Organizations functioning with a continuous assessment mindset are seeking to have a real-time view of their security posture through constant monitoring and remediation. Purple teaming facilitates and enhances continuous assessment by encouraging interaction between red team functions—testing for weaknesses—and blue team functions—identifying and responding to threats. When these roles are performed not just in occasional large-scale engagements or audits but in frequent, laser-focused iterative cycles, the data produced creates a real-time picture of security posture.

Purple teaming in this situation means that red and blue team members are not siloed but are in regular communication working toward the same goal. They are sharing methods, checking findings, and pooling knowledge to continuously improve.

Fostering Constant Collaboration

The secret of purple teaming is that it puts the common goal of detection and response at the forefront instead of isolating the offensive or defensive strategies for getting there. For many teams, success is determined by meeting objectives relating to their individual job as a blue teamer or red teamer. The trouble with success measured this way is that it encourages silos, information hoarding, and apathy toward the other team. None of these outcomes promote success for the organization as a whole.

A purple teaming paradigm, on the other hand, gauges success based on the ability of the whole group to find and remediate threats before a real attack occurs. When everyone is more overtly working toward the same objective as a single team with different functions, collaboration instead of competition becomes the modus operandi.

Collaboration, especially when consistent and structured, helps team members hone their own job skills by gaining the perspective of their former “adversaries.” Less experienced cybersecurity or IT professionals benefit from the knowledge of the whole team, and everyone begins to take a proactive approach.

Gaining a Real-Time View of Security Posture

Purple teaming is best done in short iterative assessment cycles with focused objectives. The point is to constantly be testing and remediating in small manageable chunks. This continuous assessment process can provide a real-time view of security posture.

While large events or audits are good, they by nature happen infrequently and result in the red team handing off a huge report of findings without much, if any, debriefing. By the time some of these reports are even read, the situation is likely to have changed or some vulnerability has already been exploited.

Adopting a purple teaming paradigm for a cybersecurity program means finding a way to collaborate between teams regularly and not just through a static report. It means asking outside contractors to factor in post-assessment collaboration time and fostering in-house teams that work in tandem, sharing their processes and results regularly. To achieve these goals, organizations need to shift the paradigm and support the new ways of working with tools and platforms that facilitate communication, track the data, and streamline reporting.
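To make the “track the data” point concrete, here is an added example, written for this page and not PlexTrac’s product or code, of the minimal record a purple team would keep across the short iterative cycles described above. It computes, per cycle, the mean time to remediation mentioned earlier, the share of red-team test cases that blue-team detection caught, and which findings are still open past an assumed remediation SLA. The Finding schema, the six sample findings, the dates, and the 72-hour SLA are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    """One red-team test case from an iterative cycle (constructed schema)."""
    finding_id: str
    cycle: int                      # which short assessment cycle produced it
    detected: bool                  # did blue-team detection fire during the test?
    reported: datetime              # when red reported the gap to blue
    remediated: Optional[datetime]  # None while the fix is still open


# Constructed sample data for three two-week cycles; not real findings.
FINDINGS: List[Finding] = [
    Finding("F-1", 1, False, datetime(2024, 1, 8, 9), datetime(2024, 1, 12, 9)),
    Finding("F-2", 1, True, datetime(2024, 1, 8, 9), datetime(2024, 1, 9, 9)),
    Finding("F-3", 2, True, datetime(2024, 1, 22, 9), datetime(2024, 1, 23, 9)),
    Finding("F-4", 2, False, datetime(2024, 1, 22, 9), datetime(2024, 1, 24, 9)),
    Finding("F-5", 3, True, datetime(2024, 2, 5, 9), datetime(2024, 2, 5, 15)),
    Finding("F-6", 3, True, datetime(2024, 2, 5, 9), None),  # still open
]

# Assumed "now" for the report, and an assumed remediation SLA in hours.
AS_OF = datetime(2024, 2, 9, 9)
SLA_HOURS = 72.0


def hours_between(start: datetime, end: datetime) -> float:
    return (end - start).total_seconds() / 3600


def mean_time_to_remediate(findings: List[Finding]) -> Optional[float]:
    """Mean hours from report to fix, over findings that are actually closed."""
    closed = [f for f in findings if f.remediated is not None]
    if not closed:
        return None
    return mean(hours_between(f.reported, f.remediated) for f in closed)


def detection_rate(findings: List[Finding]) -> Optional[float]:
    """Fraction of red-team test cases that blue-team detection caught."""
    if not findings:
        return None
    return sum(1 for f in findings if f.detected) / len(findings)


def open_past_sla(findings: List[Finding], as_of: datetime, sla_hours: float) -> List[str]:
    """IDs of findings that are still open and older than the SLA."""
    return [
        f.finding_id
        for f in findings
        if f.remediated is None and hours_between(f.reported, as_of) > sla_hours
    ]


def cycle_summary(findings: List[Finding], as_of: datetime,
                  sla_hours: float = SLA_HOURS) -> Dict[int, dict]:
    """Per-cycle metrics, so the trend across cycles is visible at a glance."""
    summary: Dict[int, dict] = {}
    for cycle in sorted({f.cycle for f in findings}):
        batch = [f for f in findings if f.cycle == cycle]
        summary[cycle] = {
            "mttr_hours": mean_time_to_remediate(batch),
            "detection_rate": detection_rate(batch),
            "open_past_sla": open_past_sla(batch, as_of, sla_hours),
        }
    return summary


if __name__ == "__main__":
    for cycle, metrics in cycle_summary(FINDINGS, AS_OF).items():
        print(f"cycle {cycle}: {metrics}")
    print(f"overall MTTR (hours): {mean_time_to_remediate(FINDINGS):.1f}")
```

Run as-is, the summary shows mean time to remediation falling from 60 hours in cycle 1 to 6 hours in cycle 3 while detection coverage rises, and flags F-6 as open past the assumed SLA. In practice the record would be fed from the ticketing or reporting platform rather than a hard-coded list, but the three numbers are the ones a purple team reviews at the end of every cycle.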

Purple teaming is much more than occasional information sharing in the midst of an assessment event—it’s a new way of thinking about cybersecurity work. Learn more about how PlexTrac facilitates a purple teaming paradigm for security teams by requesting the white paper “Effective Purple Teaming” or listening to PlexTrac Founder and CEO Dan DeCloss share on “The Purple Team Podcast.”