With a tradition stemming from military training exercises, the idea of pitting a “Red Team” of trained attackers against a “Blue Team” defending the organization has been taken up over the years by a diverse set of institutions.
These include government bodies like the U.S. National Security Agency and the Government Accountability Office and corporate enterprises in which war-gaming exercises are used to test the security infrastructure of active businesses. The concept has also been used to test the physical security measures deployed at places like nuclear facilities, or the Department of Energy’s National Laboratories and Technology Centers.
It’s an adversarial technique that can too often lead to the same outcome as many a sporting event: Two opposing sides give their all for the designated time period, one of them wins or forces a stalemate, then both teams go home. No post-game analysis – and no lessons learned.
And it’s for this reason that some form of middle ground or mediating element is often proposed to round out the war-game cycle, and make it possible for ideas and observations from the opposing forces to be traded and logged – a so-called “Purple Team”.
Red Teams are usually defined as consisting of a group of highly skilled experts brought in from outside, to test the effectiveness of a security program. This is typically accomplished through an orchestrated assault on the security resources and personnel of an organization, using tactics and techniques currently employed by active cyber-attackers in the wild.
Their work is often equated with that of penetration testing, but the attack goals of a Red Team may be highly specific, and their remit frequently requires the use of finely-honed strategies focusing on a specific objective.
Blue Teams are made up of the dedicated security personnel within an organization, whose day-to-day responsibility is guarding the enterprise against the onslaught of real cyber-criminals, and the occasional assaults of a designated Red Team.
Their remit is more focused than that of the workaday professionals on a standard security operations team (whose concerns may be more operationally and/or business-related) and requires the more attack-defense oriented mindset associated with a constant state of vigilance.
From the results of the staged conflict between these two opposing forces, knowledge and skills needed to improve the security posture of an enterprise should be gained. But too often, this isn’t the case.
Problems With Assimilation
Though initially outsourced as a third-party group of specialist contractors, there’s been a tendency for enterprises to go on and co-opt Red Teams to be part of their own internal security apparatus.
For large companies with big IT budgets (and the freedom to offer lucrative pay packets), this has become a logical step in addressing the ongoing cyber-security skills shortage. After all, Red Team members are recruited for their prowess in circumventing existing security protocols – a skill set which can prove invaluable when turned toward preserving the security status of an enterprise.
However, a number of problems may arise from this attempt by commercial organizations at bringing Red Team talent on board.
Red Teams which are formally attached to an organization as part of its structural hierarchy may (in an ideal scenario) become loyal and trusted members of the enterprise – and therein lies one major problem.
Since the purpose of a Red Team is to probe an organization’s security defenses in the manner of a real attacker, being able to maintain some objectivity and ruthlessness while doing so is essential to the job description. Becoming well assimilated into the enterprise and taking its values and goals on board can create a protectiveness and bias that dilutes the effectiveness of such a Red Team in staging potentially damaging attacks.
At the opposite extreme from in-house Red Teams that become “institutionalized” are those whose members may have origins working outside the box, or outside the law. To such specialists, the rules and restrictions imposed by a corporate setting of which they’re officially a part may also dilute their effectiveness or enthusiasm for the work they’re required to do.
Problems With Red-Blue Interaction
Besides the conduct of the exercise itself – and the chance to observe the performance under pressure of enterprise security personnel and infrastructure – a “Red Team vs. Blue Team” face-off should also give value in the lessons learned from the conduct and observations of both teams, throughout and after the encounter.
For this knowledge and insight to be made available to an organization, there should ideally be formalized methods for recording and reporting the events of a war-games exercise – and a willingness for Red and Blue Teams to communicate with each other and exchange relevant information.
Because of a number of factors, however, this typically does not occur.
Part of the problem may stem from the intensity and urgency of the cyber-attack simulation itself. In the heat of the moment, observations made by the defending Blue Team may be lost or forgotten – observations that could, in the light of more detached analysis off the “battlefield”, yield valuable insights into vulnerabilities or previously overlooked aspects of the enterprise security configuration.
For their part, the elite operators on the Red Team side may have a “gun-slinger’s” attitude to the “regular soldiers” of the opposing Blue Team and feel that it’s beneath them, or beyond their remit, to tell them how they should be doing their jobs.
In addition, there may be no formalized channels of interaction or communication between the two groups – a situation which may be compounded by a failure on the part of an organization’s security management officials to see both Red and Blue Teams as integral parts of the same effort to improve security for the enterprise as a whole.
The Purple Team – Mediation and Middle Ground
It’s precisely because of these breakdowns in communication between the Red and Blue Teams – and the resulting loss to the enterprise of the insight and information gleaned from a war-games exercise – that the proposal for a mediating element or “Purple Team” has been gaining in popularity.
Purple Teams are instigated to ensure that both Red and Blue Teams perform to their maximum effectiveness and that their combined efforts contribute to a security narrative that benefits the enterprise. Ideally, Purple Teams will accomplish this through a comprehensive analysis and interpretation of the threats and security vulnerabilities discovered by the Red Team, and of the defensive tactics and counter-measures employed by the Blue Team in meeting these challenges.
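The analysis described above, and the formalized recording of exercise events that the earlier section found lacking, can be made concrete with a small exercise log. The following Python script is an added example, not code from the original article or from CybeRisk: it assumes the Red Team logs each action with a timestamp as it happens, the Blue Team logs each alert or analyst note, and the Purple Team debrief links observations to actions. From those two logs it computes time-to-detect per Red action, lists actions nobody noticed, and flags observations that could not be credibly attributed (including the edge case of an observation timestamped before the action it was linked to, which is a debrief error rather than a detection). All sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class RedAction:
    """One step the Red Team took, logged by the Red Team as it happened."""
    action_id: str
    when: datetime
    description: str


@dataclass
class BlueObservation:
    """One thing the Blue Team noticed (alert, analyst note, ticket)."""
    when: datetime
    source: str
    note: str
    action_id: Optional[str] = None  # linked to a RedAction during the debrief


@dataclass
class ExerciseReport:
    detected: Dict[str, timedelta]       # action_id -> time to first detection
    missed: List[str]                    # red actions nobody noticed
    unattributed: List[BlueObservation]  # observations with no credible red action


def correlate(actions: List[RedAction], observations: List[BlueObservation]) -> ExerciseReport:
    """Match Blue observations to Red actions and compute time-to-detect per action."""
    by_id = {a.action_id: a for a in actions}
    detected: Dict[str, timedelta] = {}
    unattributed: List[BlueObservation] = []
    for obs in observations:
        action = by_id.get(obs.action_id) if obs.action_id else None
        # An observation logged before the action it is linked to cannot be a
        # detection of it; treat the link as a debrief error and keep it for review.
        if action is None or obs.when < action.when:
            unattributed.append(obs)
            continue
        ttd = obs.when - action.when
        # Keep only the earliest detection of each action.
        if obs.action_id not in detected or ttd < detected[obs.action_id]:
            detected[obs.action_id] = ttd
    missed = [a.action_id for a in actions if a.action_id not in detected]
    return ExerciseReport(detected, missed, unattributed)


def detection_rate(report: ExerciseReport) -> float:
    """Fraction of Red actions that produced at least one Blue observation."""
    total = len(report.detected) + len(report.missed)
    return len(report.detected) / total if total else 0.0


def render(report: ExerciseReport, actions: List[RedAction]) -> str:
    """Plain-text debrief summary for the joint Red/Blue review."""
    desc = {a.action_id: a.description for a in actions}
    lines = [f"Detection rate: {detection_rate(report):.0%}"]
    for aid, ttd in sorted(report.detected.items()):
        lines.append(f"DETECTED {aid} after {int(ttd.total_seconds() // 60)} min: {desc[aid]}")
    for aid in report.missed:
        lines.append(f"MISSED   {aid}: {desc[aid]}")
    for obs in report.unattributed:
        lines.append(f"REVIEW   {obs.when:%H:%M} {obs.source}: {obs.note}")
    return "\n".join(lines)


# Constructed sample exercise log (hypothetical; not real data).
T0 = datetime(2024, 1, 1, 9, 0)
ACTIONS = [
    RedAction("R-01", T0, "phishing email delivered to finance mailbox"),
    RedAction("R-02", T0 + timedelta(minutes=30), "reused captured credentials against file server"),
    RedAction("R-03", T0 + timedelta(minutes=75), "copied documents to an unusual location"),
]
OBSERVATIONS = [
    BlueObservation(T0 + timedelta(minutes=4), "mail gateway alert", "suspicious attachment quarantined", "R-01"),
    BlueObservation(T0 + timedelta(minutes=95), "analyst note", "odd logon pattern on file server", "R-02"),
    BlueObservation(T0 + timedelta(minutes=50), "analyst note", "second look at file server logons", "R-02"),
    BlueObservation(T0 + timedelta(minutes=20), "EDR alert", "unsigned binary on HR workstation", None),
    BlueObservation(T0 + timedelta(minutes=10), "ticket", "mis-linked during debrief", "R-02"),
]

if __name__ == "__main__":
    print(render(correlate(ACTIONS, OBSERVATIONS), ACTIONS))
```

The `REVIEW` lines are the ones a Purple Team debrief should spend time on: an unattributed observation is either noise the Blue Team can tune out or a Red action that was never logged, and either finding is a lesson that would otherwise be lost once both teams go home.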
The Purple Team – Collaborating for the Greater Good
In theory, at least, the fundamental purpose of a Red Team exercise is to improve the performance of an organization’s Blue Team, and to strengthen the security posture of the enterprise hosting the “sponsored attack”.
Though the perceived need for a third entity to mediate between the two opposing sides and facilitate communications between them may lead some organizations to appoint a separate team of personnel to accomplish this (perhaps drawn from representatives of the Red and Blue Teams), there are some who question the wisdom of establishing the Purple Team as a physical entity at all.
Rather, there’s a school of thought exemplified by security researcher Daniel Miessler, who argues that a Purple Team (when deemed necessary) should exist as a conceptual framework, setting out the rules of engagement, meeting places, and lines of communication required to get Red and Blue Teams actually talking to each other, sharing information, and trading insights and interpretations of what was observed during the war-games exercise.
It’s only by promoting such collaboration – and establishing a “Purple Team” culture of cooperation, feedback loops, and continuous improvement – that the ultimate aim of using attack simulations to strengthen the organization’s security practices and infrastructure may be achieved.