PlexTrac for Purple Teamers

There’s a PlexTrac for Every Security Team

Henry Ford once said that “If everyone is moving forward together, then success takes care of itself.” While Ford was no infosec expert, the quote stresses the importance of collaboration and communication in the quest for success. Likewise, in cybersecurity your red and blue teams must collaborate and communicate their findings and all of their work in order to succeed in the war against adversaries. Purple teaming is the key to effective collaboration.

Collaboration-focused red and blue teamers need a platform that empowers them to become purple teamers. After all, purple teaming is a role, not a job. PlexTrac is that platform for purple teamers.

There’s a PlexTrac for Everyone is a blog series designed to show the depth and versatility that makes PlexTrac the mission critical platform for security teams of all shapes and sizes. This time around, we’re going to be diving deep into purple team functionality, including the tabletop exercises, breach and attack simulations, and adversary emulation.

Click here to learn more about the benefits of purple teaming.

Tabletop Exercises: Collaboration Breeds Success

Tabletop exercises (TTX), sometimes referred to as “Gold Teaming”, are a powerful collaboration tool for security professionals. These exercises often are frequently mandated exercises in regulatory regimes, and are a best practice for organizations committed to a strong security program. These sessions highlight specific incidents that may arise while working and have participating team members talk through the problem and decide on proper incident response. These TTX help management flesh out incident response plans, refine existing protocols, and train personnel on their roles if the hypothetical becomes reality. You can conduct these tabletop exercises directly in PlexTrac’s Runbooks module.

Using PlexTrac’s web-based platform means that teams and team members don’t need to be physically together to conduct tabletops. To conduct a tabletop exercise, create a blank engagement in Runbooks that’ll serve as a canvas for participating members to collaborate on. From here, participating teams may begin collecting and inserting information to the tabletop, enabling both a red and blue perspective to be documented. This functionality allows everyone to review each other’s findings and execution steps, and also determine an agreed-upon and standardized way that your team will respond to a specific threat or incident.

Additionally, once these tabletops are conducted, enhanced, and finalized, they can be saved, stored and used in the future as a learning tool for your junior testers and all relevant members of your team. Using Runbooks to conduct and store findings from tabletop exercises ensures that the work that your team does is unified and consistent, and execution steps are clearly defined.

Does your team prefer to conduct tabletop exercises offline? No worries. Documented tabletops executed offline may still be uploaded and stored for future use in PlexTrac after the fact.

Breach and Attack Simulations: Keep Your Enemies Closer…

Breach and attack simulation (BAS) tools are some of the most important in your cybersecurity team’s tech stack. These tools, like SCYTHE and AttackIQ, help automate common red and blue teaming exercises, allowing you to measure and manage your cybersecurity effectiveness, improve security operations, and free up your most valuable human resources. PlexTrac can ingest findings from popular BAS platforms including SCYTHE… These findings can be analyzed with our powerful Analytics module, and included in the reports you create and deliver through PlexTrac.

While PlexTrac has an open API that plays nice with many BAS tools, we have a native integration with SCYTHE that keeps the process simple and pain-free. This integration allows you to upload all of your data directly into our platform. Click here to learn more about how PlexTrac integrates with SCYTHE data.

Once in PlexTrac, data from BAS platforms can instantly be viewed in PlexTrac’s rich graphical interface, where it’s easily reviewed and enriched with supporting evidence. Each of your team members can rapidly access the information they need, from a birds-eye view all the way down to the raw data. This is especially valuable for blue teamers, as they can collaborate on remediation approaches and track remediation efforts at the asset level, facilitating the mitigation through detective or preventative controls. Managers can assign levels of severity, provide guidance, and assign work to technicians in a single platform.

Lastly, the data you gather from your BAS platform of choice may be aggregated and integrated with the rest of your risk identification sources to provide your team with a holistic security risk register. Gone are the days of blind spots in your security posture, as risks are easily identified with data from all of your scans, pentests, audits, and assessments in PlexTrac.

Adversary Emulation: Imitation is Flattery

If you thought we were done talking about BAS tools, you were mistaken. Just as Security Operation Centers (SOCs) have playbooks for incident response, threat actors have playbooks of common procedures used to achieve their objectives. And adversaries are like anyone else — they will continue to use the same techniques and procedures as long as they remain effective. Enter adversary emulation plans, a collection of tactics, techniques, and procedures (TTPs) attributed to specific Advanced Persistent Threats (APTs) that security teams may use to conduct highly realistic testing of their defenses. Testing that can be conducted directly in PlexTrac.

Out of the box, Runbooks comes pre-populated with a vast library of effective procedures built by Red Canary’s Atomic Red Team, which is freely available to the community. You can always create your own procedures in the PlexTrac platform, or import new adversary emulation procedures from other valuable sources including:

1. MITRE Engenuity’s Center for Threat-Informed Defense
2. SCYTHE’s Adversary Emulation Library

Additionally, as you execute an emulation plan in Runbooks, both red and blue teams have a single place to document the results of the attempted exploits from both the offensive and defensive perspective. This allows both sides to gather their evidence and create detailed, time-stamped execution logs that will be valuable for the team’s debrief. These runbooks can be repeated iteratively, allowing the team to execute, remediate, re-test, and measure to show improvement over time and demonstrate the value of your remediation efforts.

Lastly, your team’s triaged evidence and findings found in Runbooks can be used as attestation for evidence-based reports created in PlexTrac. Submitted purple teaming engagements can be turned into an intuitive report format that organizes and structures all of your data. Enrich and refine these results, then easily export to a .docx format, or better yet, use PlexTrac as your remediation tracking platform.

PlexTrac MiniDemos: Using MITRE and SCYTHE Adversary Emulation Plans

Security Workflow Management: Purple Teaming Collaboration

As a purple teamer, whether you’re using the platform to conduct tabletop exercises, to ingest and analyze BAS data, to execute adversary emulation plans, or for another use case altogether, rest assured that there are PlexTrac features that will streamline your team’s workflows, and help everyone work more effectively and efficiently.

In addition to a slew of red and blue team functionality, the platform also helps unify security teams of all types and sizes, streamlines workflows and makes purple teaming collaboration easy. Gone are the days of siloed teams and an adversarial relationship between red and blue. Instead, use PlexTrac to employ a program of continuous assessment and watch your security posture strengthen.

From one-person security consultancies to large in-house security teams, and everything in between, there’s a PlexTrac for everyone.

Learn how PlexTrac can boost your security team’s efficiency today by booking a Demo today!