Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Purple Team Exercises: Preparing a Cybersecurity Team for a Red Team Attack

This is the second in a series of blogs that describes the importance and inner workings of conducting Red and Purple Team exercises. Part 1 of this blog series gave an overview of how to properly conduct these drills. This blog examines the role Purple Teams play in an effective security testing strategy.

One of my favorite conversations with a client is when I take a call, and the first thing I hear when I ask how can we help is "We need a Red Team!" I love the enthusiasm; I love the fact that this client recognizes that security needs to be tested to ensure it's operating as advertised. 

But while the client understands what the organization needs, there is a very important intermediate step that the organization must take before we can jump into a Red Team engagement.

Shift Your Cyber Thinking: The Need for a Purple Team

Once upon a time, much earlier in my career, I would have skipped the Purple Team step. Instead, I would set up a time to visit, show up, use my skills to work over the client's security team, and think, "voilà, the Red Team performed!" 

After testing a less mature organization, we would generate a 250 some odd page report that, in short, said not only did you "fail," but you have so many holes and flaws in your security plan that you probably don't have any idea where to start to fix the problem. 

However, I quickly realized that this approach was unfair to the client. In reality, the organization in question knew it needed security help, so simply exposing all its flaws was not as helpful as I initially believed.

Revelations similar to mine were likely why infosec companies developed the Purple Team concept. Instead of lunging right in with an attack, we suggest starting the process with more of a controlled test, conducting some basic walk-throughs, and at first teaching rather than testing. 

The Trustwave Philosophy: Why Purple Team

At Trustwave SpiderLabs, we think of security as a three-legged stool Logical (computers, network, and infrastructure), Physical, and of course the human element, Social Engineering.

Less talked about, unfortunately, is the most important part of the analogy, the client, which our three legs support. Therefore, it is imperative that if a company truly wants to secure its data, then all three of the legs of this security stool are given equal attention. 

Sure, your stool can balance on one or two legs for a short time, but sooner or later, it will inevitably fall, and when it does, the company comes crashing down. 

Purple Team exercises are a controlled scrimmage, just like when you your favorite sports team splits into two sides, and they play each other. In these cases, the manager or coach will divide the team in a specific way. Sometimes, he will swap players, mimic the other team's playing style or game plan. However, the one constant is the coaches. There is always a coach nearby, guiding the action and running certain plays, trying different things to put the team through its paces and make the team better overall. 

But in the case of a Purple Team security exercise, an organization splits its security team with one side playing the role of attacker and the other defender. This situation differs from a true Red Team exercise when the players from that squad come from an outside security firm and play the role of threat actor.

A person from the organization's security team is designated as a "coach" and directs the Purple Team scrimmage. 

The attackers (typically referred to as the Red Team) will begin a quiet attack on the defenders or Blue Team. If you remember back to art class in elementary school, you can see how the descriptor Purple Team is derived.

The Anatomy of Purple Team Exercise

Let's play out a scenario. The Red Team attacks the unsuspecting Blue Team, which doesn't have any idea an attacker is in the system. No one notices anything, and everyone sits there. The Blue Team, in this case, just isn't up to the task and needs a bit of help.

So, to move things along, one of the coaches directs the Red Team to be "noisier" to test the threshold of the Blue Team. The Blue Team finally notices the unusual traffic and starts checking logs and doing its job. 

Now that the Blue Team has caught up, one of the coaches informs the Red Team to change targets and attack something else to see how the Blue Team reacts to this new activity. Does the Blue Team detect the Red Team? Do they figure out someone is in their network, and can they follow them? 

For this example, the result is not important, but the above scenario shows how these events are supposed to play out. At the end of the exercise, the Purple Team collaborates with the Blue and Red Teams as they learn from each other.

The Role of a Purple Team in Your Security Strategy

Purple Teams and the collaborative environment they create are vital to finding issues within a company's security set up using the personnel on hand. It gives all the team's players a chance to work together to help strengthen security and ultimately prepare the organization for that big game against a real attacker where the gloves come off.

A Purple Team event is also necessary before an organization plunges ahead and sets up a Red Team exercise. As I initially found out earlier in my career, launching an intense Red Team event against an unprepared foe is not unfair but, in the end, benefits nobody. 

This is something to keep in mind when you are looking for an organization to partner with for a Red Team exercise. Don’t be pulled into an unfair situation where the results may not truly be indicative of your security team’s capabilities.


Trustwave SpiderLabs Red Teaming


Trustwave SpiderLabs Red Teaming

The Trustwave SpiderLabs Red Team is backed by our world-renowned research team. Our research team has access to billions of security events, multiple threat database feeds and years of cumulative experience discovering zero-day vulnerabilities. Combined with our core red team, the research team assists in building bleeding edge custom implants / RATs and various other toolsets.


Latest Trustwave Blogs

De-Risk Technology Transitions and Save Money with Trustwave

With all the issues happening in cybersecurity technology lately, such as CrowdStrike’s software update that caused massive outages worldwide last week, it behooves all organizations to take a...

Read More

How Cybercriminals Use Breaking News for Phishing Attacks

Trustwave SpiderLabs issued a warning that threat actors may attempt to take advantage of CrowdStrike’s software update that caused widespread outages by using the news as the center of a social...

Read More

Trustwave Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More