Purple Teaming. Red Team attacks and Blue Team defences

PTP Red Team 03 Sep 2019

Red + Blue = Purple

Purple Teaming is a collaborative exercise in which Red Team consultants and Blue Team security analysts work together rather than against each other.

Red Team vs. Blue Team

The collaboration wheel (image) shows how the different teams work together:

Based on the attacker tactics and techniques witnessed by our Incident Response division, our Red Team develops attack use-cases and runs them on your network, with the goal of measuring how effectively the Blue Team responds.

Use-cases are mapped to the MITRE ATT&CK framework, and cover the breadth of the kill-chain to maximise coverage of the Blue Team response evaluation.

Was the attack picked up? How quickly was it picked up? Was an alert triggered? What was the response to the alert?

Attack patterns are applied at escalating levels of sophistication until the Blue Team can no longer see them; the level at which visibility is lost is the finding.

Red and Purple Team Differences

Red Team | Purple Team
Attacking the client | Working in coordination with the client
Used to evaluate the effectiveness of technological and procedural controls against a particular real-world attack | Used to evaluate the effectiveness of technological and procedural controls against a variety of threats
Used for "shock" value | Tangible metrics
Takes further work to extract a "to do" list | Maps progress in reducing the attack surface
One or few pathways to compromise | Identifies multiple pathways to compromise

Threat Modelling

Purple teams need to reflect the reality of the threat landscape.

We choose Tactics, Techniques and Procedures (TTPs) that reflect that reality, drawn from the threat actors below.

Nation States – Geopolitically or economically motivated to gain intelligence on current news or gain access for sabotage or espionage.

Organised Criminal Gangs – Criminals constantly attempt access or buy it in order to extort, steal or commit fraud for financial gain.

Blackhat hackers – Attackers who may or may not have become aware of the organisation through the news, but who would use the opportunity to attempt access.

Journalists – Investigating and reporting all news and events using any means possible.

Competitors (or nation states acting on behalf of competitors for economic reasons) – Steal intellectual property or sabotage operations to gain a competitive edge or damage reputation.

Activists – Motivated by an ideology or message, perhaps related to drug costs or an "EvilCorp" view of the organisation.

Insider threat – Accidental or malicious disclosure, damage or modification by someone who already has legitimate access.

Possible attack vectors used

For each attack vector, these are the detection and response actions we would expect to see from a more mature Blue Team (image):

Kill Chain

Kill-chain coverage diagram: the use-cases plotted against the MITRE ATT&CK matrix (image; the link opens a PDF on https://attack.mitre.org/ in a new tab).

Tactics, Techniques and Procedures

We maintain a comprehensive threat library of TTPs, with dedicated sets for different industries and sectors.

Reporting examples

Prevention, detection and response rates as a percentage of techniques performed, grouped by testing phase (image):

Individual technique detail, including time to alert and time to respond (image):
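As an added example (not PTP's own reporting tooling), the two reporting views above, and the questions asked of every use-case (was it picked up, how quickly, was an alert triggered, what was the response), reduced to a small Python scorecard. The ATT&CK technique IDs are real; every result recorded against them, the exercise clock, and the sophistication-level numbering are constructed assumptions for illustration.

```python
"""Purple-team scorecard: prevention, detection and response rates per
ATT&CK tactic (the testing phase), plus per-technique detail.

Added illustration, not PTP's reporting tooling. The ATT&CK technique IDs
are real; every result recorded against them is constructed sample data.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass
class TechniqueResult:
    technique_id: str               # ATT&CK technique, e.g. "T1059.001"
    name: str
    tactic: str                     # ATT&CK tactic, used as the testing phase
    level: int                      # sophistication of the variant run: 1 is the noisiest (assumed scale)
    prevented: bool                 # a control blocked the action outright
    detected: bool                  # the Blue Team saw it (alert, hunt or user report)
    executed_at: float              # seconds into the exercise (constructed clock)
    alerted_at: Optional[float] = None    # when an alert fired; None if no alert
    responded_at: Optional[float] = None  # when the Blue Team acted; None if no response


# Constructed run: each technique is re-run at escalating levels until the
# Blue Team loses sight of it (level 1 = commodity tradecraft, 3 = evasive).
SAMPLE_RUN = [
    TechniqueResult("T1566.001", "Spearphishing Attachment", "initial-access", 1, True, True, 0, 30, 600),
    TechniqueResult("T1566.001", "Spearphishing Attachment", "initial-access", 2, False, True, 3600, 3900, 7200),
    TechniqueResult("T1566.001", "Spearphishing Attachment", "initial-access", 3, False, False, 7200),
    TechniqueResult("T1059.001", "PowerShell", "execution", 1, False, True, 10000, 10060, 10900),
    TechniqueResult("T1059.001", "PowerShell", "execution", 2, False, False, 12000),
    TechniqueResult("T1003.001", "LSASS Memory", "credential-access", 1, True, True, 14000, 14010, 14500),
    TechniqueResult("T1021.002", "SMB/Windows Admin Shares", "lateral-movement", 1, False, False, 16000),
]


def phase_scorecard(results):
    """Prevention / detection / response as a percentage of techniques
    performed, grouped by tactic (testing phase)."""
    counts = {}
    for r in results:
        c = counts.setdefault(r.tactic, {"executed": 0, "prevented": 0, "detected": 0, "responded": 0})
        c["executed"] += 1
        c["prevented"] += int(r.prevented)
        c["detected"] += int(r.detected)
        c["responded"] += int(r.responded_at is not None)
    scorecard = {}
    for tactic, c in counts.items():
        n = c["executed"]
        scorecard[tactic] = {
            "executed": n,
            "prevented_pct": round(100 * c["prevented"] / n, 1),
            "detected_pct": round(100 * c["detected"] / n, 1),
            "responded_pct": round(100 * c["responded"] / n, 1),
        }
    return scorecard


def technique_detail(results):
    """Per technique: the highest sophistication level the Blue Team still
    saw, the first level at which visibility was lost, and the time from
    execution to alert and from alert to response for each alerted run."""
    detail = {}
    for r in sorted(results, key=lambda r: (r.technique_id, r.level)):
        d = detail.setdefault(r.technique_id, {
            "name": r.name, "tactic": r.tactic,
            "highest_level_detected": 0, "first_undetected_level": None,
            "time_to_alert_s": [], "time_to_respond_s": [],
        })
        if r.detected:
            d["highest_level_detected"] = max(d["highest_level_detected"], r.level)
        elif d["first_undetected_level"] is None:
            d["first_undetected_level"] = r.level
        if r.alerted_at is not None:
            d["time_to_alert_s"].append(r.alerted_at - r.executed_at)
            if r.responded_at is not None:
                d["time_to_respond_s"].append(r.responded_at - r.alerted_at)
    return detail


def render(results):
    """Plain-text report in the shape of the two reporting views above."""
    lines = ["Phase scorecard (% of techniques performed)"]
    for tactic, s in phase_scorecard(results).items():
        lines.append(f"  {tactic:<18} n={s['executed']}  prevented {s['prevented_pct']:5.1f}%  "
                     f"detected {s['detected_pct']:5.1f}%  responded {s['responded_pct']:5.1f}%")
    lines.append("Technique detail")
    for tid, d in technique_detail(results).items():
        tta = f"{median(d['time_to_alert_s']):.0f}s" if d["time_to_alert_s"] else "n/a"
        ttr = f"{median(d['time_to_respond_s']):.0f}s" if d["time_to_respond_s"] else "n/a"
        lost = d["first_undetected_level"] or "never"
        lines.append(f"  {tid:<10} {d['name']:<26} seen up to level {d['highest_level_detected']}, "
                     f"lost at level {lost}; median time-to-alert {tta}, alert-to-response {ttr}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(SAMPLE_RUN))
```

Each re-run at a higher level is recorded as its own row, so the per-technique view reports the level at which the Blue Team lost sight of a technique rather than a single pass/fail, and the phase view counts every executed variant, which is why a technique that was seen at level 1 but missed at level 2 drags its phase's detection rate down. Repeating the same run after remediation and diffing the scorecards is the "map progress" column of the Red vs Purple table above.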