What is Purple Team?
For those that remember art class, what happens when you take some red paint and some blue paint and mix them together? You get purple.
It is commonplace for organizations that have built out an offensive (red) team and a defensive (blue) team to assume that the two will seamlessly collaborate, work together often and communicate openly. Unfortunately, this is easier said than done and is usually not what happens in practice. No one can whistle a symphony.
The purpose of the purple team is to bridge this historical gap between the two teams and create the communication channels needed for success. An open dialogue is critical, not only to facilitate knowledge transfer and cross-training between the teams but also to aid in their maturity. You are investing in your people, so why not get the best possible ROI?
If 60%, 80%, or all of your workforce has now gone fully remote (WFH), what does that mean for your security controls? How are they being re-evaluated for effectiveness during this transition? If initial access shifts to the home user, who likely has remote connectivity straight into the corporate network from home, has initial access to the corporate network now effectively become lateral movement? Aggressors will shift (and some already have) to targeting the potentially softer target your users present while they work from home. Once a user is compromised, even unintentionally through some iffy software or pirated movies brought into the home network, an otherwise low-level threat may now have a direct line into the organization.
Security posture is never done. It is not a checkbox that will ever have the complete option ticked. Through purple team engagements, we put the spotlight on habits, trends, gaps, practices, and processes for both technical elements as well as human beings. One could almost argue it’s an investigation designed to elevate these questions high up and then go low-level into why they are what they are.
You must stay a moving target, in a sense. Given the statements above regarding WFH and aggressor tactics, it is truly critical to have your capability to adapt tested. When the threat suddenly shifts tactics or comes back at you with an entirely new intrusion set, how do you prepare? You train, just like anything else. It is paramount to stay “security fit”. The purple team workflow keeps your red and blue teams in the gym, in the dojo, practicing and training, so they are as prepared as possible for the title fights to come.