Authored by: PlexTrac Author

Posted on: March 6, 2020

How to Organize Your Purple Teams

What is Purple Teaming?

Before we dive into the composition of a Purple Team, it’s important to understand what Purple Teaming is. Purple teaming is the collaborative function performed by Red Teams and Blue Teams to mitigate all of the pains discussed thus far. It’s a new approach to collaborative testing and remediation that seeks to break down cultural barriers, improve communication and “level up” everyone’s skills. It is also aimed at reducing the mean time to remediation for reported risks and vulnerabilities. Note that purple teaming is a role but not a job; there are no dedicated Purple Team members. A team member’s function is either Red or Blue, but everyone’s role is strictly purple, with a common mission of detecting compromise as early as possible within the attack lifecycle. So what does this role look like? There is no canonical definition of purple teaming, but common tasks and objectives include:

  • Design realistic tests based on shared priorities, informed by locally-derived threat intelligence and tailored to test the defenses’ critical assets
  • Speed up the process of remediation through established channels for collaboration
  • Prevent related future occurrences of issues through knowledge transfer of root causes
  • Help foster an offensive security mindset across all members of the cybersecurity team

This all sounds wonderful, but how does an organization build a well-functioning Purple Team? What activities are truly involved within purple teaming? And how do you know if you’re succeeding? We’ll break down the answers to help clarify the foundational elements of an effective Purple Team.


Team Organization in Purple Teaming

As discussed previously, Purple Teams are functions and not dedicated positions or job titles. However, this does not mean that the relationships among team members should be unstructured. Supporting and supported roles should be clearly defined, to include:

Team Composition

Assignment of roles should be documented through internal policy documents or included in a Statement of Work / Master Services Agreement. These roles should be well understood across both Red and Blue team functions. You should break down all current teams and activities within your security program and categorize them as either Red or Blue, and we encourage using the more expansive definitions of “red” and “blue” discussed earlier.

Team Member Functions

Roles and responsibilities need to be documented so that team members know who to go to and what deliverables to expect. In a world where everyone is always overtasked, if it isn’t in writing, it’s “not my job.” Documentation of responsibilities demonstrates the organization’s commitment to purple teaming and makes it easier for management to evaluate performance and hold members accountable.

Communications Plan

It is critical to understand what the communication lines are between Red Teams and Blue Teams as well as between the Purple Team and stakeholders. Depending on the scenario, it’s possible that junior team members may be communicating directly with internal or external stakeholders or executives, so it is important to have clear lines of communication established.

Purple Teaming Activities and Cadence

With the team organized and clearly defined, the next phase is to establish the cadence with which Purple Team activities occur and the scope of those activities. There can be a lot of environment-driven license with these activities, but clear examples of best practices and proven techniques are available. Purple teaming activities can be likened to executing a sprint within an agile workflow or scrum team. A Purple Team engagement should typically be a two- or three-week cycle that involves both the assessment and remediation efforts. This requires discipline on both the Red and Blue teams and also helps scope the planned activities to a reasonable and achievable set of objectives.

Let’s assume you decide on a cadence of two weeks for all activities to be conducted for a purple team engagement. The activities within the engagement include planning, assessing, collaborating, remediating, and reporting. It is important to note that there is not a required order to these activities. Planning should initiate the engagement, but additional planning will occur throughout the engagement period.

To learn more about the 5 key activities Purple Teams carry out in an engagement, check out our blog post.
