Purple Teaming: Calculated Clash, Improving Processes and Monitoring

Experiencing Coordinated Attack and Defense

The IT security industry is in a constant state of change. Every day, new vulnerabilities and attack techniques materialize and the arsenal of tools at an attacker's disposal is forever growing. In order for your monitoring systems and team to also identify the very latest attack patterns and initiate a swift response, SySS carries out coordinated attacks. These simulated scenarios can be played through both theoretically and in practice.

Various aspects can be tested and the relevant training provided:

• Incident response processes
• Implementation of detection measures
• Configuration of monitoring systems

The offensive position is assumed by the red team, while experts from digital forensics support the defense team (blue team). This interplay is known as purple teaming.

Lessons Learned

Using purposefully designed attacks, multiple scenarios can be simulated. This simulation makes it possible to identify errors in the configuration of systems for detecting active attacks as well as errors in the defined processes for incident response.

 

Project Scope

Purple team projects are carried out over several days and usually involve the following aspects:

• Planning workshop
• Preparation of technical components
• Test of predefined scenarios
• Undertaking of active attacks and countermeasures
• Documentation

Phase 1: "Getting Started" Workshop

As part of a workshop, the scope of the purple team assessment is defined together with you. Based on the following aspects, you can gain an initial insight into the workshop schedule. We will be more than happy at this point to address your individual requests and questions:

• Getting to know each other
• Presentation of the roleplay concept
• Presentation of the purple teaming concept
• Presentation of the modules/phases
• Definition of the objective

The objective of the workshop is to provide the foundation on which a tailored and customer-oriented workflow can be created for the purple team assessment.

Phase 2: Theory, Roleplay

In this phase, a selected threat scenario is played through. The scenario is based on the previously convened purple team planning workshop. The objective is to stage an incident in its entirety – in a scenario that is as realistic as possible – up to the instigation of an emergency operating condition. Here, the focus is on decision-making and which measures are taken (processes). The response of your establishment to the measures taken is simulated by the gamemaster. On a smaller scale, certain tasks are also performed by individual persons to test the feasibility of the measures adopted.

Phase 3: Overt Technical Purple Team Assessment

In the overt technical purple teaming, scenarios are discussed with the respective blue team. Based on these scenarios, the exercises are put into practice. SySS complies here with the customer's requirements as to what extent it is disclosed during the process which attack vectors are chosen by SySS. The "Purple Team Playbook" contains various suggestions for scenarios and their objectives. We will gladly expand them to include scenarios of your own, which can also be developed in the workshop.

Phase 4: Covert Technical Purple Team Assessment

SySS undertakes attacks covertly with a close circle of personnel. The knowledge already gained by the blue team is the key focus. In this phase, we test whether the knowledge gained so far can be applied in everyday life. Here, too, it is possible to fall back on the Purple Team Playbook or the scenarios developed in the planning workshop.