What is a Purple Team Engagement?

In information security, there are generally two “sides.” The Blue Team, or defenders, are comprised of those who are trying to protect a network. They are made up of SOC analysts, firewall administrators, etc. Their job is to ensure the network is secure and operational. The Red Team, or attackers, conversely attempt to hack or attack the network. Generally, red team is synonymous with penetration testers. In a previous blog, we discussed what a red team engagement is, and if you have not checked it out yet we highly recommend it to provide some additional context for this article. In this blog, we are going to talk about another type of exercise called a purple team engagement.

Purple Team Engagements

As you can surmise from the title, purple team engagements combine red team with the blue team. This can happen in a myriad of ways. In some cases, the red team will try to attack the network, while the blue team tries to actively defend against these attacks. In this type of engagement, generally Triaxiom will have one engineer acting as the adversary and then another engineer stationed in the SOC to work with your blue team and help monitor the network. The engineer who is monitoring and helping the blue team knows the plan on the red team side and can help provide active guidance and feedback to the blue team. Did they find the initial attack or point of entry? How did they respond? Can the response be improved? Were they able to determine whether customer data was retrieved? As you can quickly see, this exercise is invaluable to not only find weaknesses in the network security controls, but also to improve your blue team’s tactics, techniques, and procedures. The exercise culminates with a lessons learned table top, where we are able to demonstrate what was done, cover what the blue team did well, and provide some areas for improvement.

Another variation of a purple team engagement can be done when an organization is considering purchasing a new tool. Many vendors will allow you to sample their product through a proof of concept on your network. Let’s say you are evaluating a new antivirus software and trying to decide between vendor A and vendor B. Triaxiom can come in and test various attack vectors side-by-side on two systems (one with Vendor A’s product and one with Vendor B’s solution). This is a collaborative effort where we would work closely with the organizational security team. One by one, different types of malware, command and control, or other styles of attacks would be used and the blue team would analyze the new tool’s performance. This exercise allows you to test a major investment before pulling the trigger, providing you with the information you need to make the decision.