Purple team cyber ranges: Hands-on training for red and blue teams
Businesses are always adapting and innovating when it comes to cybersecurity. While the use of layered defenses and red and blue teams used to be enough, many businesses are taking this thinking to the next level.
One of the more recent evolutions builds on the common and well-established use of red and blue teams to create one singular purple team that practices and prepares for the worst together. As the name implies, purple teams seek to bring together the best individual qualities of each team to make the whole more effective.
Red, blue and purple team overview
A red team is the offensive group of security professionals, tasked with using tactics, techniques and procedures (TTPs) to help organizations identify and mitigate vulnerabilities in systems, applications and infrastructure. A blue team represents the defenders (which could be a security operations center (SOC), hunt team or incident response team), tasked with actively protecting the organization from cyberattacks by any means available to them. During an exercise, red and blue teams work separately to replicate real-world situations where actions and timing on either side are unknown to the other.
Why a purple team?
While they have the same end goal of improving the security of their organization, red and blue teams have different perspectives, skill sets and tools that they employ during an exercise. This can lead to the teams diverging operationally, limiting how much communication and knowledge sharing can occur during and after an event. Adding to the complications, each team often reports to different team leads during and after the event.
As its name implies, a purple team seeks to bring the experiences of both teams together and to encourage them to communicate more effectively during an exercise, despite having different roles. This allows insights, knowledge and perspectives to be shared beyond just the reporting stage and creates stronger feedback loops that could lead to more preventive and security controls being implemented faster. Finally, operating under a purple team construct can help participants build bonds that could make a difference during a real cyberattack.
How are purple team exercises different?
A purple team exercise differs from traditional red and blue exercises primarily in that it is considered to be an “open engagement.” Each step and stage of the red team’s attack activity is shared and explained to the blue team before and as it happens. Despite this new element of open communication between the red and blue teams, purple team exercises still employ real or simulated TTPs, which allows for ongoing, open discussion about each attack technique and the expected defensive measure as it happens. This cause-and-effect structure can be used to better explain attack vectors, improve the understanding of defensive capabilities and improve overall skills and processes in cybersecurity systems in real time.
Many types of collaboration can occur:
- A walkthrough of the overall targeted attack surface and the types of exploits or techniques to be attempted before initiating the event
- Blue team members follow along as red team members scan and probe networks and systems
- Blue team members alert the red team when abnormal logs, controls or artifacts appear that could initiate remediation activities
- Blue and red teams work together to adjust security controls in real time to determine if they can be more effective during future runs of a scenario
- Blue and red teams both contribute to a singular final report and lessons learned discussions
How can a cyber range help purple teams?
In addition to the usual benefits of a cyber range, which include the ability to easily create, modify and enable access to realistic environments, these training grounds also offer the visibility that purple teams need to work effectively. Activities on both sides can be recorded, discussed and reviewed as they occurred in the range, while additional participants, no matter where they are physically located, can observe the event as it happens. These features can support the continuous development and the feedback loop that is a critical part of the purple team construct.
To help better illustrate the technical benefits that cyber ranges can provide, we have a few key examples below of exercises that purple teams can utilize to bolster their organization’s defenses.
Vulnerable web applications
Having a web presence is vital for nearly every business, so it makes sense to ensure that your web-facing applications and servers are as secure as possible. Given this common understanding, this scenario makes for a great first exercise a purple team could experience.
To expedite the entire process, Infosec offers its own Purple Team Web Application Security Project, which is currently available via the Infosec Skills platform. Each part of the exercise is already set up and structured to offer participants the ability to play the role of both the red team and the blue team as they attempt to exploit and defend web-based devices and a content management system. This includes the tools needed to intercept and review web traffic with Burp Suite, perform a local file inclusion attack and decompile the attack using a static code analyzer. Upon completion, the participants will leave the exercise with specific defensive and mitigation approaches and necessary web application firewall rules to employ.
Many organizations put a lot of faith and trust in their antivirus products to catch malicious code entering their environment. Instead of organizations having to test the reliability of their current product and signatures in a realistic environment, however, cyber ranges offer a safe proving ground.
Organizations can replicate key infrastructure components, install their antivirus product, apply their rule sets and use the purple team construct to discuss each attack as it happens to see how defenses should perform. For example, a team can utilize open source scanning techniques, combined with available exploits or Meterpreter payloads with various options, to assess the risk to their network.
Replicating advanced persistent threats
Purple teams can also utilize published reports of recent advanced persistent threat (APT) actors’ own TTPs to better understand innovative attack methods and measure the performance of existing security controls. Two widely available examples include APT 3 and APT 29.
Also known as Operation Clandestine Wolf, APT 3 is a China-based threat group that security researchers have attributed to China’s Ministry of State Security. A purple team can set up a cyber range to replicate their environment or one similar to that of a victim of APT 3, and follow their TTPs to simultaneously learn new techniques and evaluate defensive skills. Specific sections of the APT 3 Adversary Emulation Plan can be followed, including the use of open-source tools and methods.
For example, as APT 3 is especially known for its wide use of open-source tools, deployed to avoid the known gaps in security controls, a purple team can follow the same vulnerability research processes, exploitation customization approaches and security product evasion techniques presented to see how they would respond if confronted with the same type of adversary.
Those in the security community are well aware that the name Cozy Bear has nothing to do with the warm and fuzzies. This suspected Russia-based group of hackers most recently breached key parts of the U.S. Department of Treasury and Department of Commerce in 2020, successfully pivoting through these networks and exfiltrating data from key databases for months.
While the group is suspected to have the ability to perform very targeted compromises, they are also known for their large-scale phishing-based campaigns that lead to “smash and grab” data exfiltration, such as the Democratic National Convention in 2016. Having the opportunity to walk through each step of the emulation in a virtual cyber range, and to understand the techniques that an organized hacking group would use to breach an organization and wreak havoc, can help to flag new defensive measures to immediately implement.
Bringing it all together
These are just a few of the many scenarios that purple teams can replicate in a cyber range. Considering the versatility and safety of these virtual environments, organizations can think up and leverage so many more.
The flexibility and visibility inherent to a cyber range are critically important for organizations to experience. Continuing to utilize the same techniques, training methods and team structures in the face of evolving cyberthreats is not going to be enough anymore. While there will always be a place for enterprise and endpoint monitoring tools, incident response plans and the experience that red and blue teams provide, your organization needs to move beyond these measures and take the necessary steps to form those bonds and muscle memory in a safe environment before a real event strikes.
The Rise of ‘Purple Teaming,’ DarkReading
Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign, FireEye
Emulation Plan, GitHub
Purple Team Web Application Security Project, Infosec Skills
Adversary Emulation Plans, MITRE