InfoGuard Cyber Security and Cyber Defence Blog

What Purple Teaming has in common with “cops and robbers”

Geschrieben von Stefan Rothenbühler | 05 Okt 2018

"Hands up! You're under arrest!" – that's what it used to sound like when we used to speed around the village armed with our bicycles and radios, playing our favourite game: "Cops and Robbers". Once all the robbers had been arrested (or so well hidden that they were not found), the teams were switched. The new cops got the radios and the robbers hid with a 2-minute lead. We switched back and forth until we had to stop and go home.

What do my childhood memories of "cops and robbers" have to do with Purple Teaming? To put it simply, the approach of both of these is astonishingly similar. Because if you have been a robber, you know the best hiding places later when you are a cop. And if you have been a cop enough times, you know how things are organised and where to look (and where not to). It is exactly the same with Purple Teaming.

The classic Red and Blue Teaming

But let's start all over again with the robbers – our Red Team. The Red Team simulates an (external or internal) attack within the company network and thereby checks the security deployment of a company. The behaviour and the method are the same as with a "real" hacker. This way, weak points or even deficiencies are discovered. Afterwards, the Red Team gives concrete recommendations for actions to resolve these issues.

The role of the cops is played by the Blue Team. Their task is to proactively detect attacks. Systems are monitored live with SIEM (Security Information and Event Management), log files are evaluated in real time and active threat hunting is carried out. The team tries to catch an attacker (where possible) in the act. To do this, they search the network for traces that point to an ongoing or historical attack. So the Blue Team is always on patrol.

In addition, the Blue Team proactively sets traps to detect attacks. So-called "honey tokens" are used, for example, to lay out bait in the network and for shares. As soon as a fish (attacker) bites, an alarm is triggered. The "game" between the Red and Blue Team is now all about both acting at the same time. The teams do not have to be from the same company. This allows the InfoGuard Red Team to compete against a customer's Blue Team. Or the InfoGuard teams act together in a customer's network.

Dangers may lurk even when playing

But what would a game be without hidden traps?! Dangers and problems also lurk in classic Blue/Red Teaming. Analysts check how well the Blue Team has responded to attacks and how well the Red Team has been able to hide. This can be entertaining and often provide revealing insights ("How good is my SOC really? Do we have the necessary skills?"). However, this by itself does not increase security. The following problems often arise with classic Red/Blue teaming:

  • Lack of communication: The Red Team does not share all information about the attacks with the Blue Team. After all, you want to be better than the other team and information may be concealed, either consciously or unconsciously.
  • Self-protection: If the Blue Team is provided by the client, it will be careful not to draw the Red Team's attention to known and actual security risks.
  • Organisational problems: It can be difficult to organise the sharing of information. Teams usually work at different times, in different locations and at a different pace.

 

All this certainly doesn't seem unfamiliar to you when you think of our "Cops and Robbers" game again, does it? After all, we would never have betrayed the hiding places of the other robbers to the police. And certainly not leave the radio for the robbers...

Communication is the key to success

The basic aim is, therefore, to get the issue of "communication" under control. This requires close cooperation between the members of both teams and is achieved by working on the same premises and through regular meetings where the attacks that are detected are compared with the attacks that have actually occurred. As well as this, the next steps to be taken are planned and timed together. Moreover, the Blue Team knows what it has to pay special attention to. Conversely, the Blue Team can provide the Red Team with interesting information such as network plans, patch level information, etc. This continuous calibration focuses on the essential – namely to increase security.

Purple Teaming – when cops and robbers work together

In "Purple Teaming", the Red and Blue Teams work very closely together, as already described. The attack steps are defined and planned together with the customer.

The benefits of having a Purple Team

Communication and coordination are all well and good. But how can cyber security really be improved with Purple Teaming? Like this!

  • The teams work towards a common objective – to optimise your security.
  • Blind spots in your security system are detected by comparing attacks and detections.
  • The Red Team is not slowed down by dead ends (so-called Rabbit Holes). If the Red Team gets stuck, the Blue Team can provide information. It is also possible to recognise that a system is compromised and proceed from there.
  • The Red Team receives much more information than before about network / internal company systems. This makes the Red Team an attacker with real superpowers.
  • The Blue Team can refine its detection mechanisms through exchanges with the Red Team and thereby eliminate false positives.
  • At the same time, the Incident Response Plan is optimised to quarantine attacks even faster and to initiate the appropriate countermeasures.
  • The client is kept up to date by the regular exchange meetings with the Purple Team and can intervene in a controlling manner.

 

Purple Teaming is about having both defenders and attackers on your network – with the same level of knowledge. The Purple Team is equipped with tools to find gaps, not only in security planning but also in monitoring and alerting. Thus blind spots are deliberately eliminated and your security arrangements are systematically enhanced.

Now there is only one question remaining: do you dare let our cops and robbers "play" in your network? Our Purple team is always up for new challenges.