InfoGuard AG (Headquarter)
Lindenstrasse 10
6340 Baar
Switzerland
InfoGuard AG
Stauffacherstrasse 141
3014 Bern
Switzerland
InfoGuard Deutschland GmbH
Landsberger Straße 302
80687 Munich
Germany
"Hands up! You're under arrest!" – that's what it used to sound like when we used to speed around the village armed with our bicycles and radios, playing our favourite game: "Cops and Robbers". Once all the robbers had been arrested (or so well hidden that they were not found), the teams were switched. The new cops got the radios and the robbers hid with a 2-minute lead. We switched back and forth until we had to stop and go home.
What do my childhood memories of "cops and robbers" have to do with Purple Teaming? To put it simply, the approach of both of these is astonishingly similar. Because if you have been a robber, you know the best hiding places later when you are a cop. And if you have been a cop enough times, you know how things are organised and where to look (and where not to). It is exactly the same with Purple Teaming.
But let's start all over again with the robbers – our Red Team. The Red Team simulates an (external or internal) attack within the company network and thereby checks the security deployment of a company. The behaviour and the method are the same as with a "real" hacker. This way, weak points or even deficiencies are discovered. Afterwards, the Red Team gives concrete recommendations for actions to resolve these issues.
The role of the cops is played by the Blue Team. Their task is to proactively detect attacks. Systems are monitored live with SIEM (Security Information and Event Management), log files are evaluated in real time and active threat hunting is carried out. The team tries to catch an attacker (where possible) in the act. To do this, they search the network for traces that point to an ongoing or historical attack. So the Blue Team is always on patrol.
In addition, the Blue Team proactively sets traps to detect attacks. So-called "honey tokens" are used, for example, to lay out bait in the network and for shares. As soon as a fish (attacker) bites, an alarm is triggered. The "game" between the Red and Blue Team is now all about both acting at the same time. The teams do not have to be from the same company. This allows the InfoGuard Red Team to compete against a customer's Blue Team. Or the InfoGuard teams act together in a customer's network.
But what would a game be without hidden traps?! Dangers and problems also lurk in classic Blue/Red Teaming. Analysts check how well the Blue Team has responded to attacks and how well the Red Team has been able to hide. This can be entertaining and often provide revealing insights ("How good is my SOC really? Do we have the necessary skills?"). However, this by itself does not increase security. The following problems often arise with classic Red/Blue teaming:
All this certainly doesn't seem unfamiliar to you when you think of our "Cops and Robbers" game again, does it? After all, we would never have betrayed the hiding places of the other robbers to the police. And certainly not leave the radio for the robbers...
The basic aim is, therefore, to get the issue of "communication" under control. This requires close cooperation between the members of both teams and is achieved by working on the same premises and through regular meetings where the attacks that are detected are compared with the attacks that have actually occurred. As well as this, the next steps to be taken are planned and timed together. Moreover, the Blue Team knows what it has to pay special attention to. Conversely, the Blue Team can provide the Red Team with interesting information such as network plans, patch level information, etc. This continuous calibration focuses on the essential – namely to increase security.
In "Purple Teaming", the Red and Blue Teams work very closely together, as already described. The attack steps are defined and planned together with the customer.
Communication and coordination are all well and good. But how can cyber security really be improved with Purple Teaming? Like this!
Purple Teaming is about having both defenders and attackers on your network – with the same level of knowledge. The Purple Team is equipped with tools to find gaps, not only in security planning but also in monitoring and alerting. Thus blind spots are deliberately eliminated and your security arrangements are systematically enhanced.
Now there is only one question remaining: do you dare let our cops and robbers "play" in your network? Our Purple team is always up for new challenges.