Purple-teaming is a coordinated effort between a red team (penetration testing) and a blue team (network defense) with the common goal of ensuring a company’s controls are working effectively and as expected. Too often, the efforts of red and blue teams are segregated. The red team works hard to get into the network, and the blue team implements controls to secure it. But, without purple-teaming, the two groups rarely work collaboratively. Individually, the teams are doing their jobs, but they’re each working toward different goals. The blue team has the goal of protecting the network, and the red team has the goal of compromising it.
What Does a Purple-Teaming Engagement Look Like?
In short—purple-teaming is not entirely different from what you might already be doing. But, instead of each team working separately, the two work together in a chess match of sorts. An important distinction between purple-teaming and standard red-teaming is that the methods of attack and defense are predetermined. This is because the goal of the red team is no longer solely to exploit the network, it’s to improve the network’s security by putting the organization’s controls (and the blue team capabilities) to the test.
By adopting a common goal, the teams are no longer just identifying vulnerabilities and working based on assumptions, they’re testing controls in real-time and simulating the type of attack scenario likely to occur if a network is attacked. Another major difference between purple-teaming and red-teaming is that standard penetration testing and the implementation of controls are passive processes, whereas purple-teaming is active.
By simulating an actual attack environment, the blue team is able to test its technical controls, as well as the people responsible for implementing them, in a simulated attack. No matter how strong your controls are, they’re useless if personnel do not know how to properly identify and respond to threats in real-time.