Purple Teaming: A Security-Testing Collaborative
Introduction
The Red Tem term was born in the military environment to represent the highly specialized groups, able to play the role of opponents in contrast to the defensive team, which is named Blue Team. The Red Team were using their skills, knowledge, and tools to develop the real attacks, which had to be detected and mitigated by a defensive measure represented by the Blue Team. The ultimate goal was to improve their defensive capabilities against someone who acts like a real enemy. With these concepts, it also applied in the cyber security area to indicate those activities that test the resilience of an Organization against real attacks and to test the effective detection capabilities.
11 courses, 8+ hours of training
Considering the evolution and popularity of real world attacks, Organizations need to develop their own approaches to penetration testing, with the view to evaluating the effective resilience against cyber attacks and close the gap between testing infrastructure and real attack scenarios.
A typical penetration test is characterized by a semi-automated network and vulnerability scanning, then an exploitability of the identified weaknesses and flaws. This approach provides a broad overview of the vulnerabilities and preventive controls implemented by the Organization, however, it is not able to assess the effective resistance against the current attacks, since they lack the typical components of a real attacker, such as malware, social engineering, exfiltration of information and persistence.
Comparison with Penetration Testing
Red Teaming activities presents several differences compared to Penetration Testing engagements, in particular:
- Goal, as previously described, the aim of this activity is to test resilience against real attacks, instead of gain an oversight of technical vulnerabilities.
- Scope, in Red Teaming practices all access paths, are in scope instead of predefined subset or applications.
- Testing, the focus of testing is oriented on detection and response of organization, in order to test the resilience.
- Tools, in Red Teaming activities, can be used all TTPs (Tool, Tactics, and Procedures) available to a potential attacker, also included custom malware and social engineering attacks.
- Post-exploitation, which is focused on breach critical assets and exfiltration of sensible data and information.
- Positioning, generally is a periodical exercise, instead of Penetration Testing, which is generally part of the development lifecycle.
Red Teaming approach
The Red Team has to be composed by the most skilled hackers and using state of the art technology to simulate real attackers. The approach used, should be oriented to the Cyber Kill Chain:
- Reconnaissance: footprinting and information gathering of the target (domains, email addresses, information, etc.) and determine attack methods.
- Weaponization: development phase of the attack methods selected, generally into deliverable malicious payload which contains the exploit and backdoor.
- Delivery: transmission of the attack via different attack vector (email, the web, social media, physical, etc.)
- Exploitation: exploiting of a technical or human vulnerability or misconfiguration.
- Installation: installing customized malware or backdoor, to gain the remote control of victim's system
- Control: establishing the C2 (Command & Control) channel throughout the network
- Maintenance: performing the actions to achieve actual goals inside the victim's network (lateral movement, exfiltration, etc.) and "make a persistence", to maintain the remote control.
Red + Blue = Purple Teaming
The Red Teaming activities are very useful to understand the real cyber resilience of an organization. However, there may be some inefficiencies. Typically, the two groups never speak: the red team is hired by the CSO (Chief Security Officer) or the equivalent of an organization with the goal to breach the infrastructure, without informing its own technical departments. After finishing this engagement, if the results and the follow-up of the walkthrough are not communicated to the blue team in a useful way, whenever the red team (or real cyber attacker) performs the analysis always succeed to break into the Organization.
To optimize the efficiency and effectiveness of effort by both groups, and provide valuable results of this activity, it has been defined a new concept, named Purple Teaming (the purple color is obtained by mixing blue and red colors). The goal of the Purple Teaming is the collaboration of offensive and defensive tactics: the offensive team should use all TTPs (Tactics, Techniques, and Procedures) available by the attacker and the defensive team should implement and improve their detection e response capabilities.
While the mission of Red Tem is to try to follow, through and through, the cyber kill chain, the Blue Team must be able to detect these intrusion attempts, in particular the lateral movement and privilege escalation events, with the aim to shorten the cyber kill chain in the earliest stage possible in order to avoid that the Red Team bring home the "crown jewels".
Generally, the defensive group is represented by incident responder, forensics analyst or SOC (Security Operation Center) analyst, which investigate on security events through a SIEM (Security Incident Event Management) and related security probes (IDS/IPS, Firewall, Anti-malware, etc.): it depends on the complexity of Organization and his implemented technologies.
The benefit of the Purple Teaming is in the synergy and mutual feedback of both groups, and the ability to engage the challenge, continually improving the detection capacity and response capabilities. Indeed, the cooperation should aim at continuous improvement, for the offensive and defensive tactics, and in particular, for the blue which should exploit this opportunity to expand their knowledge of the techniques used by the real cyber attackers (Tactics, Techniques, and Procedures).
Furthermore, it is one of the most important indicators of this exercise; it is represented by mensuration of mean time to detect (MTTD) and mean time to recovery (MTTR) for the defense team, which should be improved for each attack performed.
Conclusion
Over the past, they have grown almost exponentially new types of cyber-attacks, more complex, such as the new evasive malware or the famous "APT" (Advanced Persistence Threat) that can create and customize the attack vectors to be fully functioning with the target environment.
Nowadays, the simple activities of Vulnerability Assessment and Penetration Testing are not sufficient to meet and mitigate the threat of a cyber-attack, since in many cases the weakest link in the security chain is the human factor and the use of the technologies in a not secure way.
The Red Teaming activities, allow getting an insight into the Organization resilience against real cyber criminals attacks that are relevant to it and improvement of the detective and response capabilities of defense security team.
11 courses, 8+ hours of training
Finally, the activities of Red Teaming can evolve in Purple Teaming, collaborate two teams to optimize the effort of the groups and the results and evaluate the return on investments of an Organization about information security.
In this Series
- Purple Teaming: A Security-Testing Collaborative
- DevSecOps: Moving from “shift left” to “born left”
- What’s new in the OWASP Top 10 for 2023?
- DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
- Introduction to DevSecOps and its evolution and statistics
- MongoDB (part 3): How to secure data
- MongoDB (part 2): How to manage data using CRUD operations
- MongoDB (part 1): How to design a schemaless, NoSQL database
- Understanding the DevSecOps Pipeline
- API Security: How to take a layered approach to protect your data
- How to find the perfect security partner for your company
- Security gives your company a competitive advantage
- 3 major flaws of the black-box approach to security testing
- Can bug bounty programs replace dedicated security testing?
- The 7 steps of ethical hacking
- Laravel authorization best practices and tips
- Learn how to do application security right in your organization
- How to use authorization in Laravel: Gates, policies, roles and permissions
- Is your company testing security often enough?
- Authentication vs. authorization: Which one should you use, and when?
- Why your company should prioritize security vulnerabilities by severity
- There’s no such thing as “done” with application security
- Understanding hackers: The insider threat
- Understanding hackers: The 5 primary types of external attackers
- Want to improve the security of your application? Think like a hacker
- 5 problems with securing applications
- Why you should build security into your system, rather than bolt it on
- Why a skills shortage is one of the biggest security challenges for companies
- How should your company think about investing in security?
- How to carry out a watering hole attack: Examples and video walkthrough
- How cross-site scripting attacks work: Examples and video walkthrough
- How SQL injection attacks work: Examples and video walkthrough
- Securing the Kubernetes cluster
- How to run a software composition analysis tool
- How to run a SAST (static application security test): tips & tools
- How to run an interactive application security test (IAST): Tips & tools
- How to run a dynamic application security test (DAST): Tips & tools
- Introduction to Kubernetes security
- Key findings from ESG’s Modern Application Development Security report
- Microsoft’s Project OneFuzz Framework with Azure: Overview and concerns
- Software maturity models for AppSec initiatives
- Best free and open source SQL injection tools [updated 2021]
- Pysa 101: Overview of Facebook’s open-source Python code analysis tool
- Improving web application security with purple teams
- Open-source application security flaws: What you should know and how to spot them
- Android app security: Over 12,000 popular Android apps contain undocumented backdoors
- 13 common web app vulnerabilities not included in the OWASP Top 10
- Fuzzing, security testing and tips for a career in AppSec
- 14 best open-source web application vulnerability scanners [updated for 2020]
- 6 ways to address the OWASP top 10 vulnerabilities
- Ways to protect your mobile applications against hacking
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Application security
Application security
Application security
DevSecOps: Continuous Integration Continuous Delivery (CI-CD) tools
Application security