Collaboration in Cybersecurity
Red and Blue Teams Get Better by Purple Teaming
Red and blue teams don’t always get along… While the ultimate goal of the offense and defense remains the same — securing their organization and all of its precious assets from compromise — their manner of doing so creates the opportunity for plenty of tension. But how did we get here, and what are we to do about it?
Today’s blog focuses on collaboration in cybersecurity. What is the current status quo in the InfoSec industry? Why do teams need to collaborate? And most importantly, how does your team facilitate collaboration to achieve true synergy for a better, stronger security posture? We’ll talk about all of this and more in today’s reading.
The Security Status Quo: An Adversarial Red and Blue Team Relationship
We’ve all seen the vast number of #RedTeam and #BlueTeam hashtags on Twitter.
Red teamers and blue teamers are very proud of who they are and, for the most part, embrace the competitive nature of the relationship between the two teams. Red teams want to find vulnerabilities, exploit them, break into networks, steal “the goods” right from under the blue team’s nose, and let everyone know about it. Blue teams want to wow their counterparts with record lows for both mean-time-to-detection (MTTD) and mean-time-to-remediation (MTTR). Each side wants to win the engagement, but at what cost?
The status quo in cybersecurity is one that may work for now, but is hardly efficient or effective in today’s cyber climate. In fact, in 2021 businesses experienced 50% more cyber attacks per week than in 2020. This, alongside many other statistics, points to one fact: We’re not doing enough as an industry today to protect ourselves from the sheer number of attacks coming tomorrow. To get better and weather the coming storm we MUST develop a new cybersecurity status quo: One built on continuous testing and cross-team collaboration.
Why Do Cybersecurity Teams Need to Collaborate?
The answer to this one may seem simple… To get more secure.
And yes, that is the ultimate goal of continued collaboration across your security team. But it’s deeper than that. Collaboration in cybersecurity, much like in any other discipline, breeds knowledge sharing. The old adage “iron sharpens iron” rings even truer when the stakes are high and the work is tough. In such a complex, technical, and ever-changing industry, sharing what you know, what you’ve seen, and how you get the job done matters more than ever.
Additionally, the data points to collaboration being a key to security. Take a look at some of these figures from The Power of Purple Teaming, our research report with CyberRisk Alliance:
- 26 percent of participants have conducted purple teaming, and of those, 88 percent say these exercises are “very effective” in defending their organization against ransomware and advanced attacks, compared to only 52 percent of respondents who rely on traditional red and blue teaming.
- 89 percent of self-identified purple teamers believe their purple teaming exercises are “very important” to defending their organization from breaches, and over two-thirds of them are very satisfied with their ability to plan, design, and/or run purple teaming exercises.
- Collaboration between red and blue teams was the top driver for purple teaming adoption for all respondents.
- “Improved security team performance” and “Better understanding of the most dangerous threats to (their) organizations” were the top two outcomes of attack simulation/emulation and purple teaming exercises.
Quite simply, data points us towards collaboration and purple teaming. However, not all of us are led by data. What if you’re a traditionalist with the “competitiveness breeds success” mindset? Could shifting the paradigm towards teamwork and collaboration hurt the impact of a red/blue teamer motivated by competition? Let’s dive in deeper there.
Can the Adversarial Nature of Red and Blue Teams be a Good Thing?
While most will admit that competition often brings out the best in each other, there’s a line where competition shifts from an asset into an issue. Let’s take a look at an example most can understand: a sports team. No matter the sport you play, you are required to practice regularly against your own team. On the practice field you are competitors — both fighting for yourself and your skill set, but also to make the team better as a whole. This is healthy competition, and a large driver behind the recent movement of continuous collaboration and purple teaming.
But what happens when competition goes too far? When competition in practice turns into the “blame game” or other conduct that hurts team morale and cohesion, it becomes a problem. Letting that become the standard on your team is dangerous, because it will likely spill over from practice into the real game (or in this case, a real breach).
So, to put it simply, no, competition is NOT a bad thing if done constructively and with purpose. In cybersecurity, as on the practice field, competition is a form of collaboration that helps each side of the security team get better in preparation for when the real attack inevitably comes. The problem in the industry isn’t competition itself, but the kind of competition that takes hold when there aren’t proper guardrails in place to keep collaboration healthy.
How to Facilitate Red and Blue Team Cybersecurity Collaboration
Another concise answer here… Start somewhere!
Step 1: Establish a Purple Teaming Mindset
Okay, fine, I’ll elaborate. To facilitate healthy collaboration between red and blue teams you need to work towards a purple teaming mindset. Yes, purple teaming exercises and engagements are activities that your team can conduct to collaborate. But if the exercises are conducted based on a culture formed from the status quo, you will miss out on the most rewarding aspects of collaboration.
Changing company culture and team mindset, especially in such a high-stakes environment, is tricky. But it’s a necessary first step in order to breed successful collaboration. Key steps here include:
- Encourage asking questions, 1:1 and group meetings, and broad knowledge sharing.
- Discourage the “win vs. lose” aspect of a traditional red and blue team.
- Take accountability and be willing to admit when the work you’re doing is detrimental to team-wide progress.
Step 2: Perform Tabletops and Other Purple Teaming Exercises
Once your team feels comfortable with healthy collaboration, it’s time to do some work! A tabletop exercise (TTX) is a discussion-based incident response activity: a facilitator walks participants through a simulated incident scenario, and the participants talk through how they would respond, which exposes flaws in the incident response plan before a real incident does. Running a tabletop with both red and blue team members present works well, because the red team can explain what each attack step would actually look like while the blue team explains what they would see and do; this outlines specific duties and responsibilities while also highlighting key collaboration moments. Keep in mind that a tabletop exercises the plan and the people, not the controls. To confirm that a technique is actually detected, follow it up with a live purple teaming exercise in which the red team executes the technique and the blue team verifies the alert.
Yawn, right? Your team has likely conducted similar exercises before, but this time it’s different. This time there are no wrong questions, no finger pointing, and a true experience of what a purple teaming paradigm can look like.
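One way to make the results of a live exercise something both teams review together, rather than something one side wins, is to keep a single timeline of what the red team ran and when the blue team detected and remediated each step, then compute the coverage, MTTD and MTTR figures from that timeline. The Python below is an added example written for this page, not PlexTrac’s code: the exercise log and the step names are constructed for illustration, the `at()` helper only builds timestamps on a made-up exercise day, and MTTR is measured from detection rather than from execution (a planning choice; state yours up front so both teams read the number the same way). Steps the blue team missed are listed as gaps instead of being folded into the averages, so a clean MTTD never hides an undetected technique.

```python
"""Purple team exercise scorecard built from one shared red/blue timeline.

Added example, not PlexTrac code. The red team records when each technique
was executed; the blue team records when it was detected and remediated.
Both teams then review the same numbers. The log below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Step:
    technique: str                  # placeholder label chosen for the exercise
    executed: datetime              # red: when the action was performed
    detected: Optional[datetime]    # blue: first alert/triage, None if missed
    remediated: Optional[datetime]  # blue: contained or fixed, None if not done

    def __post_init__(self) -> None:
        # Reject data-entry errors that would silently skew the metrics.
        if self.detected is not None and self.detected < self.executed:
            raise ValueError(f"{self.technique}: detected before executed")
        if self.remediated is not None:
            if self.detected is None:
                raise ValueError(f"{self.technique}: remediated without detection")
            if self.remediated < self.detected:
                raise ValueError(f"{self.technique}: remediated before detected")


def at(hour: int, minute: int) -> datetime:
    """Timestamp on the (constructed) exercise day."""
    return datetime(2024, 3, 5, hour, minute)


# Constructed four-step exercise log (not real data).
EXERCISE_LOG = [
    Step("Phishing payload runs on a workstation", at(9, 0), at(9, 7), at(9, 40)),
    Step("Credential dump from LSASS memory", at(9, 30), None, None),
    Step("Lateral movement over an SMB admin share", at(10, 0), at(10, 3), None),
    Step("Archive and exfiltrate a file share", at(10, 30), at(10, 50), at(11, 10)),
]


def _mean(deltas: list[timedelta]) -> Optional[timedelta]:
    if not deltas:
        return None
    return timedelta(seconds=sum(d.total_seconds() for d in deltas) / len(deltas))


def detection_coverage(steps: list[Step]) -> float:
    """Fraction of executed techniques the blue team detected at all."""
    if not steps:
        return 0.0
    return sum(s.detected is not None for s in steps) / len(steps)


def mean_time_to_detect(steps: list[Step]) -> Optional[timedelta]:
    """MTTD over detected steps only; misses are reported by gaps(), not
    folded in as an arbitrary large value."""
    return _mean([s.detected - s.executed for s in steps if s.detected is not None])


def mean_time_to_remediate(steps: list[Step]) -> Optional[timedelta]:
    """MTTR measured from detection to remediation, over remediated steps only."""
    return _mean([s.remediated - s.detected for s in steps if s.remediated is not None])


def gaps(steps: list[Step]) -> list[str]:
    """Techniques that ran without any detection: the red/blue debrief list."""
    return [s.technique for s in steps if s.detected is None]


def scorecard(steps: list[Step]) -> dict:
    """Single summary both teams can put in front of each other."""
    mttd, mttr = mean_time_to_detect(steps), mean_time_to_remediate(steps)
    return {
        "coverage": detection_coverage(steps),
        "mttd_minutes": None if mttd is None else mttd.total_seconds() / 60,
        "mttr_minutes": None if mttr is None else mttr.total_seconds() / 60,
        "gaps": gaps(steps),
    }


if __name__ == "__main__":
    for key, value in scorecard(EXERCISE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this reports 75 percent coverage, a 10-minute MTTD, a 26.5-minute MTTR, and one gap (the credential dump), which is exactly the item the two teams should spend the debrief on: the red team explains how the technique was run, the blue team works out which telemetry would have shown it, and the next exercise checks whether the new detection fires.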
Step 3: Continuously Weave Collaboration into Your Cybersecurity Work
So, we’ve established a purple teaming mindset and conducted simulated collaborative exercises with our team. What’s next? The final step in the process is the one that will take the most time… Weaving collaboration into your day-to-day work.
Through this framework, most of your work to this point has gone into laying the foundation for healthy collaboration. Sure, you’ve walked through scripted simulations of real-world attacks in tabletop exercises, but now we’re where the rubber meets the road. Whether you’re a red teamer or a blue teamer, it’s time to ask questions, communicate openly and continuously, and be willing to work together towards a common goal.
Now, this is easier said than done, and it truly takes a continuous, proactive approach to implement and to make the organizational norm. Inevitably, there will be pushback and groans from traditionalists on your team. Keep going! To truly reap the benefits and outcomes of collaboration in cybersecurity you need buy-in from the entire team, from the top down.
Get Ahead of Threats with a Purple Teaming Mindset
So, it turns out that healthy collaboration in cybersecurity is easier said than done. But while the path is a long one requiring organizational buy-in, extensive time and resources, and a proactive attitude, the benefits of collaboration and purple teaming are well worth the investment for your team.
The truth is that the investment you make here will not only improve your measurable goals, like the team’s overall efficiency and effectiveness, but should also boost less measurable outcomes like team morale.
The future of cybersecurity is a collaborative one built on the purple teaming paradigm, and the future is NOW… Go forth and conquer, everyone!
Looking for a solution to help you facilitate a purple teaming mindset, providing a platform for true purple teaming exercises and cross-team collaboration? Look no further, PlexTrac has you covered! Click here to book your demo of the platform today.