Redefining Purple Teaming in Cybersecurity

And Why Your Team Needs to Start

If you haven’t been living under a rock — or maybe under that behemoth of a pentest report — you’ve probably heard a lot of buzz around the concept of purple teaming. And you may have some preconceived notions about what it is, who is doing it, and why your team is or isn’t interested in it.

Before we dive into the “why” of purple teaming and even more importantly, the “why now,” let’s start out with a shared definition.

To get a deeper dive on PlexTrac’s definition of purple teaming, download our Effective Purple Teaming white paper today!

PlexTrac’s Definition of Purple Teaming

At PlexTrac we define the term broadly as any activities where offensive (red team) and defensive (blue team) practitioners plan, collaborate, and share knowledge to better understand and improve their security posture.

Of course, purple teaming can be highly complex and involve many experienced specialists on both sides of a large-scale engagement, but, by our definition, it can also include a couple of individuals conducting a tabletop exercise focused on a specific threat vector. When the concept of purple teaming includes cross-team collaboration on any type of adversary emulation or simulation activity, then it doesn’t have to be reserved for only the most mature security programs.

That’s all well and good, but isn’t this just semantics?

The Power of Purple Teaming

Well, yes and no. The cybersecurity landscape is changing and the methodologies that were once sufficient just aren’t enough to thoroughly defend against the expanding threats. While what you call your strategy isn’t important, having the right mindset is. We’d argue that purple teaming as a paradigm for cybersecurity practice is becoming essential. And there is plenty of evidence to support that programs practicing purple teaming are reaping some serious benefits.

A September 2021 study by CyberRisk Alliance asked 315 security practitioners from the US and Canada about their security strategy including purple teaming. Of those surveyed who had conducted purple teaming exercises (26 percent), 89 percent deemed purple teaming activities “very important” to their security operations. Additionally, 88 percent of purple teaming users — compared to only 52 percent of those using more traditional pentesting strategy — say their exercises are “very effective” in defending their organization against ransomware and advanced attacks.

Purple teaming at its core is about proactivity and collaboration. And with the rise of ransomware and the persistent talent shortage in the industry, it’s becoming clear that siloed teams and reactive strategies just aren’t cutting it.

Large Doesn’t Equal Mature

If your immediate response echoes the old Steve Martin quote, “First, get a million dollars,” then you are overthinking it. While large and well financed, cybersecurity teams obviously have more than a few things going for them, organization size and even budget do not guarantee security program maturity. Even very small teams with limited resources can benefit from a purple teaming mindset. You have to start somewhere, right?

Any proactive security activities that are carried through to remediation and that move the needle on security posture are going to make a difference. Purple teaming as a strategy seeks to make the most of any size or type of adversary emulation engagement by emphasizing collaboration across roles to ensure that prioritization and remediation actually occur and that every team member is learning and getting better. In fact, purple teaming in short, iterative, laser-focused cycles can be just as effective as long, large-scale engagements. The key is frequent cycles of testing and fixing and then testing again.

Where to Start

It’s true that purple teaming, even in small bites, can be overwhelming. If you are in a program that primarily functions reactively or has a large backlog of legacy issues that no one can seem to get to, making the strategic changes to start not only thinking but actually acting proactively can be daunting. The key is to start somewhere … and to get the right help.

PlexTrac can help organizational cybersecurity teams of all sizes and maturities gain control of workflow and multiply their efforts so they can get ahead of the threats. While you don’t need a tool to run a tabletop exercise, a MITRE adversary emulation plan, or outsource a pentest, making the most of results of the activity by prioritizing and remediating and testing again (and doing so as soon as possible) takes coordination among team members that can be sorely lacking in many programs.

With PlexTrac’s Runbooks module, getting started with purple teaming is simple. Use prescripted engagements that are mapped to MITRE ATT&CK, collaborate in real-time while testing, and easily generate reports or assign and track remediation right on the platform.

Ready to learn more?  Book a demo today to see how our platform can transform cybersecurity team collaboration and workflows.