Skip to content


Red and Blue, Together Forever: Committing to Purple Team Collaboration

Category: Informational Series



Please start sharing my slides. I’m going to tell a little bit of the backstory.

I came up with this amazing like, oh, this is going to be perfect on the theme of collaboration. And I sent it over to the site team and said, here’s my title, stop, collaborate, and listen. And then they’re like, you know what? The esteemed Katie Nichols has already selected that as a title. So I’m like, oh, darn. Well, at least I’m not alone in coming up with somewhat of what I thought was a great idea. We were great minds with one other theme we could go with. And so we kind of came up with this 80s theme and it started to flow.

And so I apologize in advance, but I’m really excited about this. So here we go. Let’s dive in. I’m going to share this and make sure everyone can see it. All right, let’s see. Are you seeing this? Holy smoke. Okay, now you just took it to a whole new level.

All right. I’m incredibly depressed. That’s your entertainment for the post lunch hour here.

You get 25 minutes of it with me, which is more than enough. So thanks for joining and thanks for having me. Bryson and the site team excited to kind of share with you some of the exciting things around Purple Timing that we’ve learned. And then obviously that we see our customers working with and we have such a great partnership with sites in the whole team there. So just can’t be more excited to be able to have an opportunity to share what we’re learning and what we’re seeing in the industry. As you mentioned, brief background on me. I’ve been in this space a long time.

Founded PlexTrac with the notion of trying to help people solve the right problems. I was a pentester. Hated coming back and rewriting the same reports. Hated seeing people not making progress of some of the most significant risks that we’re finding in their environments and in their industry, in their organizations. So that was really the impetus for starting PlexTrac. Let’s find ways to get this information disseminated to the right people in the right ways so that we can solve the right problems. And so it just flows perfectly with the mission of sites as well and really collaborating on all the right things in order to move the needle forward from an organization’s security posture.

So brief agenda. Again, I didn’t realize how closely I might have looked like Rick Astley until our marketing team kind of put this together. But there’s obviously a whole other story around Rick Astley with Rick Rowland, but kind of went with the theme of, like, together forever, right? Red and blue need to be joined at the hip from now on. Right? So we’ll kind of go through a theme like, why now? And what is the impact that red and blue have together? And then we’re going to share some research that we joined with the Cyber Risk Alliance and did in the fall to kind of see, is purple teaming actually making an impact? Is purple teaming actually make a difference? And surprise, it is for organizations. And so then we’ll share some resources. You’ve already heard some great talks on purple teaming and adversary emulation and simulation. So we’ll just share a few resources of how to get started.

If you haven’t gotten done, if you’re not a site customer, or if you don’t have a team to really feel like you’re ready to do that. How do we get started? We’ll show off a little bit of some of what we’ve got with PlexTrac. We really enjoy the partnership with Sites and how we can use the two platforms together. And so then we’ll kind of have some takeaways and hopefully leave a little bit of room for questions if there’s any. So let’s take the way. I think this is actually going to start playing the video because I tested it. I’m going to quickly move through this, but hopefully you’re getting a little jazz up for the talk.

Okay. All right. So if you were to listen to all the lyrics of that song, the theme of these titles of the slides is along the theme of the song. So why should we start this now? Right. And there’s no doubt there’s tons of statistics out there. This is just another group of stats that we gathered that a lot of organizations still don’t feel confident in their security posture. They’re feeling the hits of ransomware specifically.

There’s still a lot of misconfigured systems out there for this to continue to run rampant. Cybercrime is obviously going to continue to cost the world a lot of money as we grow as technology shifts and everything. So I’m probably preaching to the choir, but there’s always this sense of urgency. And so how do we get better? How do we know we’re making progress instead of always feeling behind the eight ball or always being in this reactive mode? So the real answer is, let’s define the relationship. Let’s get on the same page between the red team and the blue team and collaborate to develop a winning culture. The offensive teams are going to be very focused on pentesting, emulation, threat intelligence, and hunting and tabletop exercises. And these all translate to perfect skill sets that the defense team needs to be focused on.

How can we identify the activities that are going on? And so our system is configured correctly. Are we managing the risks appropriate to the level of our business? You’ve heard some of that be discussed today, and Katie gave a great talk on how intelligence and threat intelligence really plays a huge factor moving forward. And I think that it’s so vital that we continue to focus on bringing these two teams together in a purple mode to really move the needle forward. So we say that this is really important. And so the biggest question I have is how do we measure this? Are we making a difference? Is Purple Teaming actually moving the needle forward the way that we think it is and the way that we perceive it to be? And then how do we continue to preach that message so that the world really knows? So we did actually join with the Cyber Alliance to ask those questions. Is Purple Teaming working? Are people that do Purple Teaming seeing a difference? And would they continue to invest in this notion whether that’s through a platform like site or Breaching attack simulation activities or just continue to actually do the exercises in some capacity? Right. We really set out like, hey, can we identify if these activities and Purple Teaming is actually making a difference? So I’m going to share a few statistics that came out of it.

I’ll have links resources to be able to get this later. But the truth is that Purple timing actually does make a difference. And if Red and Blue teams continue to collaborate together, they will continue to see more resources assigned to their team. Their management has better confidence that they’re actually moving the needle forward in security and their security posture and overall the morale of the team and the security program improves. We’ll kind of dive in. One of the key things that we started out when we did this research, like, hey, do organizations actually understand the importance of understanding their adversarial behavior? Obviously most organizations do, right? They will say, hey, we understand that it’s very important or somewhat important that we know our enemy, we know what kind of activities they could conduct in our environment. And we also got some great quotes out of this research.

But I think it’s important that most people do know that it’s important to understand what an adversary can do in their environment and how deep they could go and what are the techniques that would actually be successful within their organization.

The next notion was, have you ever tried Purple teaming? And for those that have, we kind of say, don’t knock it till you try it, right? So it’s easy to dismiss Purple Teaming as something that, hey, we’re not mature enough to be doing just yet. But of those that have started doing Purple Team exercises, whether that’s in a limited capacity or with a very mature, continuous mindset, they’ve definitely recognized that it is very important to their overall posture moving forward and how they can detect the true gaps in their environment. And I think this really comes down to the fact that when you have a penetration test that’s coming at a quarterly or an annual basis, you’re still not able to have that translate fully to the defensive team that can go through the forensic logs and see the results and identify, hey, these are the actual remnants of those activities because it’s not as much in real time. And so if you bring that in house and you start doing these on a continuous basis, the organizations actually see an improvement in how valuable it is and improvement in their security posture in a healthier culture, as you can see here. So don’t knock it till you try it. Definitely. Let’s start focusing on how do we do this moving forward in a continuous basis, regardless of how we feel about our security maturity.

Because once you’re there, you tend to not look back. Right. Of the people that had actually started doing Purple Team exercises, they saw the importance of it and they were very likely to invest in Purple Teaming moving forward, whether that’s through retained engagements or bringing that capability in house, doing more automation around the Purple Team activities, they saw immense value in how it helped them move the needle forward in a much quicker pace than their traditional activities around pentesting and general security management.

This was definitely an interesting statistic that, hey, yes, not only do people see that it brought a lot of value, they’re going to continue as an important part of their program moving forward.

And I think this is a really interesting statistic to me as well that we identified out of the this one made it into the paper. Some of these other ones didn’t make it into the final research paper, but we’re happy to share more results. But this one was really fascinating to me because it’s the breakdown of those that just do penetration testing versus those that have done penetration testing and purple timing. Obviously, everybody feels that when you do pentesting and Purple Teaming, you’re going to get an improved security team performance and that you’re going to identify the right gaps in your environment. But I thought what was very fascinating out of the Purple Team use case is that it really helped build the use case in the ROI business case for investing in more security technology solutions and more security resources. So from a team member perspective, they definitely saw that they could grow their team and they saw the needs of what skill sets they were missing in their team environment by doing Purple Team exercises and doing this on a continuous basis. One of the statistics that didn’t make the slide deck is around how often people started doing Purple Teaming and those that started doing it on at least a monthly basis saw a demonstrable impact in results.

Right. And it drove to these results around more technology resources, bigger budgets, and a more defined notion of what they should be investing in from those technologies and those team member perspectives. So I thought this was a fascinating statistic that came out of the research and it just highlights why Purple Teaming is actually moving forward and helping build morale for the teams.

So when we talk about how can I get started in Purple Teaming, and I may not feel like I’m in this maturity scale. This is kind of a different look at how organizations might mature and grow into adversary emulation and purple teaming. But we kind of put purple teaming in this category. You can do purple team exercises all throughout this progression, and it helps you become more collaborative to know what you should be focused on today versus things that you might actually punt to tomorrow. Part of Plextrac’s mission is to help teams win the right security battles for this time in their maturity scale. Right. So how can you know what that is if you haven’t started to measure it? So this is kind of our notion of the maturity scale.

Most organizations are going to start with vulnerability scanning and move into pentesting and red teaming, and then adversary emulation, where you’re emulating the TTPs that an adversary would conduct out of, say, an Apt 29 or something like that, and then simulation, where we kind of branch that out to be just an adversary is going to have full rain, what is the full scope of things they could do and not a specific campaign, but you can piece together those pieces yourself and move throughout the environment based on what you’re living off the land, so to speak. So really, the notion of purple team collaboration is let’s start somewhere and let’s start measuring and tracking against ourselves so we can continue to show progress as we work together.

So how do I do that? How do we get started? Well, we’re obviously huge fans of safe community threats. Atomic Red Team, the Minor emulation plans, these are all freely available to you. Now, you don’t have to have purchased anything from any of these organizations. Obviously, Minor is a nonprofit, but you don’t have to have a large amount of budget to at least go and download some of these things and start to identify what are some of the things that we want to get testing in our environment today? And how would we identify the gaps that we might have based on certain threats? Right. So these are great resources to be able to start getting into your environment and collaborating with your defensive teams to execute these tests.

Now, it’s a little bit of a PlexTrac plug because we have a great partnership with Sight and Atomic Red Team and Minor that you can bring these things in and start actually testing them and comparing the results. Right. So you can bring the results in from your site campaigns, have the blue team start to analyze. Here’s where we found we found evidence of this. We logged it, but we didn’t block it. And this is an important piece of how you start small. It’s just being able to collaborate together and being able to show like, hey, this was what was executed.

It was successful, but we did have forensic evidence around it. So the next time we want to be able to start showing progress, did we get the outcomes we were expecting on the coverage that we were expecting, and then we can continue to improve over time. So we have ways to actually show as we continue to execute these campaigns, we’re seeing progress. And that’s the whole goal is that we’re collaborating together to show progress over time, comparing against ourselves and not other people. Right.

Some kind of sneak peek into some stuff that’s coming within PlexTrac because like I said, we can bring in the Site data. We’re working on a more in depth integration with Site. But the goal of PlexTrac is to be able to aggregate this data across your entire environment so you can bring in minor Emulation plans and test those as well. And then you can also bring in the Atomic, Red Team, Atomics, and create test plans out of those. The goal later this year is to actually be able to send those campaigns to a group like Site and be able to execute those automatically and have that data collected back for trending and being able to aggregate that across your other Pentests and things like that. So the goal is to, hey, let’s start from you can start with existing test plans that would come from the Site community, threats from Atomic Red Team, and minor Emulation plans, and then be able to actually track progress across your environment over time and then actually showing within an engagement, how are we making progress? How are we showing the coverage that we’re having at any one given time and then ultimately being able to collaborate deeper on these assessments and being able to identify what’s working, what’s not? And so the real goal is don’t get caught up on how mature we are as an organization, because definitely in our research and in our data, it didn’t have anything to do with the feeling of being mature. Once we got started doing Purple Team exercises, we were able to show demonstrable progress over time for our environment.

And so the notion of, like, don’t just do it, just do something right. Let’s get going and get started. Start small, take one Thursday campaign at a time and just start executing it and then see how we’re doing as the Blue Team and the Red Team start to really learn how they work together as well. And then you can actually start to show, are we getting better? Do you have trends and analysis to show? Like, hey, over time we’re able to fix these things as they get reported and being able to show that we’re continuing to move the needle forward from a security perspective. So brief talk, hopefully we were able to at least show that there was definitely demonstrable evidence that those that do Purple teaming and are collaborating on a consistent basis are making significant strides in improving their security posture much faster than they were with their traditional pentesting, quarterly or annual pentesting that they know that understanding adversarial behavior in their environment is a top priority. And the best way to do that is through purple teaming and collaboration. This results in better team morale, faster results, the ability to secure bigger budget and better resources, and particularly more head count, which I think is a really important aspect, as well as deeper visibility into your security posture.

And the biggest takeaway is like, let’s do something now rather than nothing, or try to wait on some kind of magic maturity measurement that can be very organization, independent or dependent. Use what you have available to you. Start somewhere, start small, and then continue to show how you’re making progress over time, and that’s how you’ll continue to win the battle. So with that, I’ll pause for a few minutes worth of questions.

All right, Dan, let’s see if we got some Q and A. I’m taking a look.

Come on. Nothing for Dan. Must have something for Dan. They just want me to play the video. You know what, Dan? You’re right. At a minimum, I was thinking somebody’s going to say, bring me some more Rick Astley right? I mean, you can’t get enough of that.

I have a question for you. So, Daniel, we wouldn’t be exploring this all day today. Can we talk about size of organization, where this is applicable? Because I think we probably have folks on spreading the gamut, some from organizations that are reasonable in size that say, hey, I’m learning a lot here, but I’m not even big enough yet to deploy, let’s say a full red blue team. And here we are talking about all the great stuff around purple. I’d love to get there. And then we’ve got folks probably on the higher end of the scale at the enterprise level who are like, hey, look, we’re doing some of this. There’s some great ideas.

We’re going to even augment those. So maybe we start on the left side that I mentioned. If you’re a smaller company and you’re gathering ideas and this is a future state, how do they kind of start so they don’t get overwhelmed and kind of almost everything that they’re hearing and going, my God, I’m missing the boat here. I’m not doing any of this today. What would that ramp look like for you? Yeah. And I think I can kind of just share some of my personal experience before I go into PlexTrac. I was a security director, CSO at a smaller company.

We had four people on our security team at the time, so five, including me. And we had a decent amount of budget now. That’s one plus for us. But we were able to invest in technologies that were able to continue to that we felt help move our security posture forward. But we’re like, how do we actually validate this? Right? So we started small where we took what we thought was maybe our biggest area of gap within the Miter attack lifecycle. So we started cherry picking a few techniques out of the lateral movement tactic within minor attack. And we said, hey, we’re just going to test these, and we’re going to start on a bi weekly cadence where we’re going to have part of our team go out and actually do the test.

They were not red teamers by trade, but they were able to learn enough about how to do some execute those exercises. And then the blue team was able to say, hey, yes, we saw this in our environment, or we didn’t, or it actually got blocked. I think that the notion of kind of destroying the notion of, hey, there’s nowhere to get started. Just start small. Right. And there’s plenty of resources with just some small tactics and techniques to at least start getting your appetite wet for it. And if you’re a really small organization where you don’t have an internal security team, you’re likely deploying the resources of an MSSP or something like that.

And you can certainly start to talk to them like, hey, we want to start getting these activities into our service agreement. Right. So that would be my advice.

Got it. Yes, I appreciate that. I think starting small, and I appreciate you sharing some of your personal backdrop there, because I see the same thing. People get overwhelmed. Not to sound cliche, but they get overwhelmed, and then they almost shut down on that particular venture and move on to what is a daunting list of priorities in operations or other areas that they just haven’t gotten to. And you don’t want to dismiss something as important as this. So I guess one last thing.

So let’s go to the other side. Your big organization, you’ve got a pretty mature red blue team. This is something that you’ve been sitting on a little bit. How would you say they should take the first step based on everything they’ve heard and specifically what you’ve seen work for the larger enterprises.

It’s not a dissimilar notion of like, I think it’s really a more bigger organizations have kind of that sprawl in terms of the mentality of, like, man, I’ve got so much to do, and I’m a little overwhelmed from my experience. And what we’ve seen is they tend to focus more on all of the legacy stuff that they’re trying to shore up. And so it’s really disciplining themselves to get out of the reactive mindset and into the Proactive. Right. Hey, we want to actually validate if what we’re doing is making sense again, maybe a threat actor using some of that threat intelligence that you’re getting to say, like, hey, in the health care sector, we’re more susceptible to this type of ransomware or something like that. And let’s go try to emulate that in a consistent basis and just start with using those resources I shared before. It really at that point is a mentality shift because it’s not going to necessarily be a resource constraint.

And it’s more mentality and how do we budget our time? So really having some internal Champions to take the reins and say, hey, we’re just going to start this. We’re going to start focusing 10% of our time on the Proactive side of our security program and then we’re going to move to 20% and then 25%. Right. And then whatever that balance is, they will start to see significant progress and then that is a motivator in and of itself to keep improving that and increasing that focus. Yeah, that’s a great point. In fact, you triggered something. We got one more minute here.

I’ll pick your brain on this. So we look and we have a lot of data protection conversations and big organizations or even medium size usually have somebody dedicated to BCDR or at a minimum, data governance and information management. And I continue to see a significant conversational, if you’ll permit the term disconnect between the CSA organization and the data protection group or data protection individual or group that handles that piece that they usually sit over in operations or in advanced engineering or whatever you like to call in a lot of organizations. Do you see that? Do you see a sort of a missing communication opportunity there to improve or do you see good communication in the clients that you’re involved with? I think largely you’re probably correct. There’s going to be some probably outliers, but I think there’s always going to be communication. And I think one of the things that I really even more recently have been trying to kind of emphasize Is like use more data and less words to help bridge that gap with communication, maybe coming together and say, hey, what are the key metrics that both of us care about that we should start focusing on So that we can actually speak the same language, whatever that may be. Right.

Because you also see this in the Privacy sector or the risk management sector Versus the more technical security things. So I think that’s an important aspect. But at the end of the day, everybody needs to recognize that the mission is to avoid or identify the breach as early as possible in that attack life cycle. That’s why I think the attack lifecycle miter attack is such a great conduit for how we can start talking about these activities that really move the needle forward.

Excellent. Thank you for letting me pepper a few questions there. And if there are some that end up in the discord, Dan, we’ll make sure we highlight them. And I think we’re going to send out any that we don’t get a chance to do now. We’ll make sure we send out a post email after the event. So thank you very much for your time. Thank you for, as I mentioned, the questions and Congratulations on the success and the round that you just got and excited to see where you all go.