Purple Teaming: Calculated Clash, Improving Processes and Monitoring

Experiencing Coordinated Attack and Defense

The IT security industry is in a constant state of change. Every day, new vulnerabilities and attack techniques materialize, and the arsenal of tools at an attacker's disposal keeps growing. So that your monitoring systems and your team can also identify the very latest attack patterns and initiate a swift response, SySS carries out coordinated attacks. These simulated scenarios can be played through both theoretically and in practice.

Various aspects can be tested and the relevant training provided:

  • Incident response processes
  • Implementation of detection measures
  • Configuration of monitoring systems

The offensive position is assumed by the red team, while experts from digital forensics support the defense team (blue team). This interplay is known as purple teaming.

Lessons Learned

Using purposefully designed attacks, multiple scenarios can be simulated. This simulation makes it possible to identify errors both in the configuration of the systems used to detect active attacks and in the defined incident response processes.


Are you interested in purple teaming?

Steffen Stepper
steffen.stepper(at)syss.de
redteam(at)syss.de
+49 (0)7071 - 40 78 56-6157
PGP Key

Project Scope

Purple team projects are carried out over several days and usually involve the following aspects:

  • Planning workshop
  • Preparation of technical components
  • Test of predefined scenarios
  • Undertaking of active attacks and countermeasures
  • Documentation

The Purple Team Process

If a company is still in the process of setting up a security operations center (SOC), it makes sense not to start directly with a technical purple teaming engagement, because in technical purple teaming the processes are not the paramount concern. For an effective defense, these processes should be modeled and put into practice first. For this reason, SySS has designed a purple team process in which the SOC is coached step by step. The objective is to create, test and firm up the processes first. Then the technical capabilities of the in-place infrastructure and the skills of the employees are assessed. Employees are trained directly, and the in-place infrastructure is optimized as far as possible. In the last phase, the support given by the DFIR department of SySS to the customer's blue team is withdrawn in order to put the acquired knowledge to the test. A workshop is then held in which the results are discussed.

Phase 1: "Getting Started" Workshop

In a workshop, the scope of the purple team assessment is defined together with you. The following aspects give an initial insight into the workshop schedule. We will be more than happy to address your individual requests and questions at this point:

  • Getting to know each other
  • Presentation of the roleplay concept
  • Presentation of the purple teaming concept
  • Presentation of the modules/phases
  • Definition of the objective

The objective of the workshop is to provide the foundation on which a tailored and customer-oriented workflow can be created for the purple team assessment.

Phase 2: Theory, Roleplay

In this phase, a selected threat scenario is played through. The scenario is based on the purple team planning workshop held beforehand. The objective is to stage an incident in its entirety – in a scenario that is as realistic as possible – up to the declaration of an emergency operating condition. The focus here is on decision-making and on which measures are taken (processes). Your organization's response to the measures taken is simulated by the gamemaster. On a smaller scale, certain tasks are also performed by individual persons to test the feasibility of the measures adopted.

Phase 3: Overt Technical Purple Team Assessment

In the overt technical purple teaming, scenarios are discussed with the respective blue team, and the exercises are then put into practice based on these scenarios. In line with the customer's requirements, SySS decides to what extent the attack vectors it chooses are disclosed during the process. The "Purple Team Playbook" contains various suggestions for scenarios and their objectives. We will gladly expand them to include scenarios of your own, which can also be developed in the workshop.

Phase 4: Covert Technical Purple Team Assessment

SySS undertakes attacks covertly, with only a close circle of personnel informed. The key focus is on the knowledge already gained by the blue team: in this phase, we test whether the knowledge gained so far can be applied in day-to-day operations. Here, too, it is possible to fall back on the Purple Team Playbook or on the scenarios developed in the planning workshop.

DO NOT HESITATE TO GET IN TOUCH: +49 (0)7071 - 40 78 56-0 or anfrage@syss.de | OUTSIDE REGULAR OFFICE HOURS CALL +49 (0)7071 - 40 78 56-99

As a framework contract customer, please dial the on-call service number provided to you.
