Red + Blue = Purple
Based on the attacker tactics and techniques witnessed by our Incident Response division, our Red Team develops and applies attack use-cases on your network, with the goal of measuring Blue Team response efficacy.
Use-cases are mapped to the MITRE ATT&CK framework, and cover the breadth of the kill-chain to maximise coverage of the Blue Team response evaluation.
Was the attack picked up? How quickly was it picked up? Was an alert triggered? What was the response to the alert?
Attack patterns are applied in escalating levels of sophistication until the Blue Team can no longer see them at all.
Red and Purple Team Differences
Threat Modelling
Purple teams need to reflect the reality of the threat landscape. We choose Tools, Techniques and Procedures that reflect that reality.
- Geopolitically or economically motivated to gain intelligence on current news, or to gain access for sabotage or espionage.
- Criminals constantly attempt access, or buy it, in order to extort, steal or commit fraud for financial gain.
- An attacker who may or may not have been made aware of the organisation through the news, but would use the opportunity to attempt access.
- Investigating and reporting all news and events using any means possible.
- Stealing intellectual property or sabotage to gain a competitive edge or damage reputation.
- Motivated by an ideology or message, perhaps related to drug costs or the “EvilCorp” mentality.
- Either an accidental or malicious disclosure, damage, or modification using existing access.
Possible attack vectors used
In a more mature Blue Team, these are the actions we would expect to see:
Kill Chain
If no previous penetration testing has been carried out, it is recommended that a sample of vessels is tested. Initially, a “typical” vessel should be chosen and examined in depth. This will often identify issues that could impact the entire fleet and can be solved fleet-wide with simple fixes.
A typical engagement would involve the following stages:
- Assessing the maturity of the company in terms of the identify, protect, detect, respond, recover framework, normally using interviews and documentation review. This helps to direct further testing.
- Gaining understanding of the systems onboard the vessel. This would normally use a combination of documentation review, interviews, network exploration, and physical survey of the vessel.
Test and Simulate