Purple teaming and MDR

Why should your purple team and threat hunters collaborate?

Reading time: 10 min

11/2022
Sebastian Bach

Integrity and evidence-based practice are both key elements of cyber security. Consciously combining the different sets of skills within a security team will yield greater results.

This article will delve into the importance of establishing a close working relationship between purple teamers and threat hunters, and what your organization can do to achieve this. 

What is a purple team?

In any cyber security setting, a purple team is an amalgamation of a red team and a blue team – essentially fusing together both attack and defense mindsets.

Purple teams focus on detection by taking a little from each; blue teams look for potential risks and security gaps, while red teams take an objective-based approach, actively trying to break in.

Blue team exercises are valuable in that they provide defense teams with the opportunity to practice their techniques against various types of malicious activity, but within a safe setting.

A red team engagement tests an environment’s degree of vulnerability to a cyber threat by simulating real-world cyber attacks, while assessing current defense tactics and readiness to a potential threat.

In a purple team, the red team joins forces with the blue team to combine their objective-based approach with the blue team’s collaborative, defensive one. This boosts the organization’s defenses against real-world cyber threats by improving vulnerability detection capabilities, network monitoring, and threat hunting.

What are threat hunters and what can they offer to a purple team engagement?

Threat hunters are a proactive component of the blue team. They actively and manually look for – and mitigate – threats and malicious artefacts that may not have been detected by solely automated means. In some cases, threat hunters may also perform red team exercises to test the security of an asset – making them a valuable addition to any purple team.

During a purple team engagement, threat hunters can provide valuable insights to the red team by using their skills and current threat hunting methodology to identify exactly what sort of attack they are dealing with and determine how they can foil it.

What threat hunters and purple teams can learn from each other

Purple teamers and threat hunters each have unique skills which, when blended, can provide their clients with elevated defense capabilities. However, the two teams can also benefit from each other’s experiences, as the combination of offensive and defensive strategies can be extremely useful. Put into practice together, this combination gives clients better advice about what they should do to prevent attacks and safeguard critical data, and gives red teamers the chance to adopt a defense mindset and keep evolving threats in view. For a threat hunter, the opportunity to see how an attack is carried out through red team exercises will help them gain a better understanding of how attackers think, and allow them to put their current threat hunting methodology to the test.

How a purple team and threat hunter collaboration helps your organization

Establishing a collaboration between the two teams means both attackers and defenders will progressively gain deeper, more accurate insights into how each of them works. When combined with purple teaming, threat hunting can effectively help organizations identify any gaps that may be present in their threat detection capabilities, and expose undetected risks and compromised environments in the process.

This evidence-based approach can help increase the credibility of these services to clients, and means they are able to offer better advice and recommendations as a result, ensuring a more accurate, outcome-based approach.

What you can do to ensure your organization’s purple team and threat hunters work closely together

It is important that purple teamers and threat hunters can have an open dialogue and a mutual understanding of their roles and what they entail. In practice, this can be achieved by creating a work environment that allows both teams to engage in mutual activities, exchange knowledge and learn valuable lessons from each other. Ensure both sides can support the idea of building a closer work relationship with each other, and equally agree to invest both time and resources into making this happen.

Purple teams should also aim to work closely with Threat Intelligence (TI) to ensure that they are aware of the latest techniques used by attackers, and of any potential or current cyber attacks. Some clients are already familiar with the type of threat actors they want to protect their organizations from, so learning to identify the threat is a good starting point and an effective way for purple teamers to align their goals with those of threat hunters.

Our current purple team engagements with clients usually combine a broad set of security testing methods, not only to help us compare the different security needs of clients, but also to effectively measure their improvement. Working with threat hunters to prioritize, identify and understand potential threats can help set that baseline for comparison and tailor a suitable security monitoring system.

During a recent engagement, one of our clients was able to generate their own threat intelligence, which can be achieved using information from known or past attacks, and reliable third-party research groups. If a client does not have internal access to threat intelligence, they can benefit greatly from a purple team with an active threat intelligence agenda to help them implement a successful adversary emulation and identify what they need to test for.