Purple Team Assessment Service: A Collaborative Approach to Security Assessments

Aug. 14, 2017

In the realm of information security, there is a growing movement to enhance security assessments with a more collaborative model of testing. This approach supplements the traditional penetration testing services that are the foundation of any credible security analysis.

Red + Blue = Purple

To create additional value for clients with mature security postures, we have begun offering collaborative Purple Team assessments. In these exercises, Sword & Shield’s attacking force (Red Team) and a company’s defending force (Blue Team) work together to test for gaps in the organization’s detection and defense systems. It is an advancement in the evolution of penetration testing practices. This collaborative approach produces greater insight into an organization’s current security controls and practices.

Creating Additional Value

The Purple Team Assessment Service requires both sides to engage in the penetration test. The results go well beyond those produced by vulnerability assessments or network scanning tools.

While traditional pen tests remain an invaluable tool for security testing and provide vital data for security evaluations, a Purple Team assessment is perfect for organizations with mature security postures that want to more thoroughly test how their security systems and processes work in concert. A Purple Team assessment tests how well the pieces of the puzzle fit together and allows an organization to identify and remediate gaps.

The Advantages of Collaboration

Purple Team collaboration provides extra value when analyzing an organization’s security posture. When you have that cooperative environment, the defenders are invested. They take ownership because they are part of the testing as it’s going on.

When I do a Purple Team assessment, my goal is to get the most value for the customer, as opposed to merely compromising their network. For instance, if I try something and fail, both teams can look at why it failed. Or, we can try to find ways to circumvent that system, and I’ll need their knowledge to learn how to do that. I might try to run an exploit on a computer, and it won’t work. Then, we can sit down together and figure out why it didn’t. After the conversation, I might find a new attack pattern. The defenders can respond to that, and the cycle of learning continues.

No matter the plan, a Purple Team assessment allows both sides to increase their skills and capabilities. Offense informs defense and vice versa. Iron sharpens iron. When the client starts rolling out projects in their network or when they are writing policies or doing secure configurations, they can think back to the Purple Team encounter and apply the lessons.

A collaborative assessment allows the organization to adjust their security practices in ways that could basically stop the kill chain. That’s our goal. We work together to find ways to stop the attack earlier in the chain. We’re doing it together, and we’re doing it intelligently.

In addition, when we go into a system together, the Blue Team gets to see how I operate. They don’t necessarily learn everything I do, but they get insight into the logic of the attacker that they wouldn’t normally know. It’s a partnership.

Purple Team for a Mature Security Posture

Many organizations with young security programs are still having a hard time mastering the basics. With those, we provide different services to fit their position in security maturity model. For example, we may come in and find they have weak passwords, settings configured in a default manner, or a computer that is missing a patch for a known vulnerability. A combination of those things leads us to be able to compromise a network quickly, relatively speaking.

With more mature organizations, I don’t get those quick wins through documented exploits and hacks. So, I move off and try to attack the human side with social engineering or phishing. All you need is one person to open your malicious document and you can connect to their computer remotely.

Organizations can also take the right steps to configure their networks for security but not realize there is a hole. For instance, one company we conducted an assessment for had their network configured to not allow USB devices to work. We went and plugged a malicious USB device in and found that the network was secure in many places, but there was one place it wasn’t. The collaborative approach helped to fill the gaps they thought were covered.

The primary goal of the Purple Team assessment is to evaluate an organization’s advanced security controls, actual vulnerabilities, and their detection capabilities. One of the most important results is being able to show the impact to their business. The reality is the customer knows where their critical systems are, where their actual intellectual property is stored, and where there are areas that security might be weak or strong. Sitting down together, you can exercise those specific system defenses.

Security vs. Compliance

Many times, organizations have to meet compliance requirements. It is widely known in the industry that compliance doesn’t always mean security. In a collaborative environment, we’re working on real security – not just trying to meet a compliance checklist. Therefore, Purple Team penetration testing is ideal for companies who truly care about being as secure as possible.

Executives need to know that a collaborative approach is the most value they are going to get when they pay for an assessment. It focuses on security and not just compliance while providing value to their employees as well.

Purple Team Value to Executives

A Purple Team assessment is very technical in nature and gives IT professionals’ insight into how to better explain security issues to the leadership of their organizations. At the same time, I’ve also found that companies can ignore their own people’s recommendations. A Purple Team assessment led by an objective third party can help lend credence to a CIO or IT director’s concerns.

An organization can have all the best security tools and procedures in place but won’t truly know how well they fit together without a real-world test that is unique to their business and information security program. A collaborative security assessment provides a test that is targeted to provide the most value to the customer.

About the Author:  Russel Van Tuyl is a security analyst and Purple Team leader for Sword & Shield Enterprise Security. His primary role consists of conducting network vulnerability assessments, penetration tests, and web application assessments but also performs firewall configuration audits, wireless assessments, and social engineering engagements to include both phishing and pretexting. He has more than 10 years of experience in the technical field in roles such as database design, field device support, help desk, IT asset management, programming, and information security. He has obtained several Global Information Assurance Certifications (GIAC). These certifications include GIAC Security Essentials Certification (GSEC), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), and GIAC Web Application Tester (GWAPT). Additionally, he has completed the Penetration Testing with Kali course and holds a CompTIA A+ certification.