How Talos IR’s Purple Team can help you prepare for the worst-case scenario
A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams.
Thursday, June 29, 2023 08:06
Purple Team exercises are included within the Cisco Talos Incident Response Retainer service and our experts can help your organization find security holes before the bad guys can.
As your trusted advisor, our purple team, a combination of red and blue teams, emulates an adversary in one jointly defined attack scenario, executes it, and records how your current incident response capabilities perform, in order to evaluate existing gaps and inform future enhancements.
Can your organization’s current security incident response program withstand an emulated adversarial attack? Need to put your current TTP detections to the test? Not sure where to start, what to test, or what gaps exist in your program? No fear: Talos IR can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your prevention, detection and response capabilities.
During the Purple Team exercise, an external Red Team acts as an Advanced Persistent Threat (APT) actor, while the Talos IR Blue Team, together with the organization’s defender team, is responsible for detecting the Red Team’s activities and responding to the attack in accordance with the existing security procedures.
If you want to learn more about Talos IR’s Purple Team, tune into the next Talos IR On Air stream on July 27 at 12 p.m. ET. The stream will be available live on Talos’ Twitter and LinkedIn, with a replay going up shortly after on our YouTube page.
Organizations of all sizes can benefit from the Purple Team exercises Cisco offers: they proactively test your current cybersecurity posture, solidify your team’s TTPs and increase your overall security knowledge in advance of a cybersecurity incident.
Purple Team value for joint teams
Cisco can partner with you to provide Purple Team expertise and exercises, tailored for your organization, to proactively test and enhance your detection and response capabilities. A Purple Team exercise is a collaborative approach between offensive (Red) teams and defensive (Blue) teams. The Red Team emulates adversary TTPs, while the Blue Team, which consists of seasoned Talos IR responders, works side-by-side with your organization’s defenders to detect and respond to those attacks. During the exercise, the Blue Team is challenged to use the organization’s existing internal security TTPs, policies and procedures and to test the available security tooling. This type of dynamic emulation helps proactively identify gaps in training and resources and increases the organization’s security awareness and preparedness for the future.
These Purple Team exercises also help organizations optimize their security investments by identifying weaknesses in their current security toolsets. Once these gaps are identified and shared, your organization has more insightful data to support future cybersecurity solution investments. Making informed decisions about where to allocate resources mitigates the risk of wasting resources on ineffective cybersecurity solutions and helps ensure your financial investments are optimized to meet your needs today and tomorrow.
Purple Team exercises also offer a valuable opportunity for knowledge exchange between members of the Blue and Red Teams.
- The Red Team learns more from the Blue Team about the different security controls that are in place and tries to identify new ways to circumvent these controls.
- The Blue Team, on the other hand, gains insights into the specific techniques used by the adversaries to compromise the environment, including specific tools and attack scripts.
Internal defenders, employed by the organization, use the firsthand experience from the Purple Team to update and optimize their monitoring and detection capabilities and build new processes.
Testing approach and steps
Purple Team exercises have been designed around the MITRE ATT&CK Framework to provide common terminology for identifying and blocking commonly used adversarial TTPs.
During the engagement, the Talos Red Team and Talos Incident Response teams work together with the customer’s team to exchange knowledge about common attacks and the corresponding detections. With clearly defined steps, Talos IR responders collaborate closely with the customer’s security teams to identify every technique executed by the Talos Red Team and to verify the defenders’ actions against the recorded activity. The workshop-style Purple Team engagement builds trust among members of the internal security team and creates a base for improving the organization’s overall resilience against active threats.
The Purple Team exercise starts with the customer and Cisco Talos jointly defining and testing attack scenarios based on the organization’s existing security capabilities. An important part of this process is an evaluation of the strengths and weaknesses across different deployed security capabilities and the identification of areas of concern.
The final scenario is uniquely crafted to meet the risk concerns of the organization in terms of protecting its environment and “crown jewel” assets. A document with the scenario details is agreed upon with the organization’s representatives before the agreed attack is launched. Throughout the active execution of the attack, the Cisco Talos team documents the security team’s response by collecting detailed notes on topics such as the coverage of the security capabilities, the availability of telemetry to detect and analyze the TTPs and, finally, the organization’s overall response.
Integrating threat intelligence into our exercises helps organizations better understand the threats that they face and identify potential vulnerabilities in their security defenses. The intelligence data from Cisco Talos is a key differentiator of our Purple Team capabilities. The Cisco Talos team incorporates threat intelligence data from historical threats related to your organization’s unique industry vertical and geography, as well as information on current adversary activity to create your tailored attack scenario. To protect your organization, Cisco Talos offers publicly available Threat Assessment Reports, which are published quarterly and yearly, and are an integral component used to build scenarios based on the latest threat intelligence. The final scenario aims to emulate as closely as possible a specific real-life threat that was analyzed by Talos in the wild, often leveraging existing research on observed threats and direct emergency response experience.
The outcome of the Purple Team exercise heavily relies on visibility into the organization’s environment. The Security Operations Team within your organization relies on the existence of sufficient logs and properly configured security tools to quickly identify threats targeting the environment and stop them at an early stage. Verification of detection capabilities and visibility gives the team insights about potential gaps and better preparation for incidents.
Below is a list of the standard security capabilities and log sources the Purple Team draws on during detection, depending on the specific needs of the engagement:
- Antivirus and Endpoint Detection and Response (EDR)
- Traditional, Next-Generation and Web Application Firewall(s)
- NetFlow and Network Telemetry
- Email Server and Security Appliance Logs
- DNS Security and Visibility Logs
- Operating System and Application Logs
- Auxiliary Operating System Logs
- Proxy Network Logs
- Application Logs
- Data Loss Prevention Logs
Attack scenario execution
During the delivery of a Purple Team exercise, the Talos IR team actively but non-intrusively supports the security team in its detection and identification activities. As the Talos Red Team executes the pre-defined attack step by step, compromising selected hosts or parts of the environment, Talos IR, in collaboration with the customer’s security team, works on detection across the applicable security capabilities and cross-references logs to fully identify the attack.
For each TTP used by the attacker, the Talos IR team records which of the following outcomes describes the security team’s response:
- Logged, Alerted, and Mitigated
- Logged and Alerted
- Logged and Mitigated
- Alerted and Mitigated
- Not Detected
This type of detailed documentation builds up the foundation for the post-exercise report.
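As an added example (not Talos IR’s own tooling), the following Python script records, for each technique the Red Team executed, the three signals behind the categories above (logged, alerted, mitigated), derives the outcome category, and also says which layer the finding points at: a missing log source (visibility, the concern of the telemetry paragraph above), an existing log nobody wrote a rule for (detection), or an alert that was never contained (response). The ATT&CK technique IDs, tactics and observations are constructed sample data; the single-signal “only” labels are an extension beyond the categories listed above.

```python
"""Per-TTP outcome tracking for a Purple Team exercise.

Added example, not Talos IR tooling. The ATT&CK technique IDs, tactics and
observations below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass

SIGNALS = ("Logged", "Alerted", "Mitigated")


@dataclass(frozen=True)
class Observation:
    technique_id: str  # MITRE ATT&CK technique executed by the Red Team
    tactic: str        # ATT&CK tactic the step maps to
    logged: bool       # telemetry for the activity exists somewhere
    alerted: bool      # a detection fired and reached the defenders
    mitigated: bool    # a control blocked or contained the activity


def classify(obs: Observation) -> str:
    """Name the outcome category for one technique.

    Two- and three-signal combinations and "Not Detected" match the
    categories recorded in the exercise; the single-signal "<X> only" label
    is an extension so a quiet log entry nobody alerted on is not lost.
    """
    flags = (obs.logged, obs.alerted, obs.mitigated)
    present = [name for name, flag in zip(SIGNALS, flags) if flag]
    if len(present) == 3:
        return "Logged, Alerted, and Mitigated"
    if len(present) == 2:
        return f"{present[0]} and {present[1]}"
    if len(present) == 1:
        return f"{present[0]} only"
    return "Not Detected"


def gap(obs: Observation) -> str:
    """Which layer the finding points at: visibility, detection, response or none."""
    if obs.alerted and obs.mitigated:
        return "none"
    if not obs.alerted:
        # No alert: if telemetry exists the gap is a missing rule,
        # otherwise the log source itself is missing.
        return "detection" if obs.logged else "visibility"
    return "response"  # alerted, but nothing contained it


def report_rows(observations):
    """One (technique, outcome, gap) row per TTP: the raw material of the report."""
    return [(o.technique_id, classify(o), gap(o)) for o in observations]


def summarize(observations):
    """Per-tactic counts of techniques executed, detected (logged or alerted) and mitigated."""
    by_tactic = defaultdict(lambda: {"techniques": 0, "detected": 0, "mitigated": 0})
    for o in observations:
        row = by_tactic[o.tactic]
        row["techniques"] += 1
        row["detected"] += int(o.logged or o.alerted)
        row["mitigated"] += int(o.mitigated)
    return dict(by_tactic)


# Constructed sample observations from a hypothetical five-step scenario.
SAMPLE_OBSERVATIONS = [
    Observation("T1566.001", "Initial Access", logged=True, alerted=True, mitigated=True),
    Observation("T1059.001", "Execution", logged=True, alerted=True, mitigated=False),
    Observation("T1003.001", "Credential Access", logged=True, alerted=False, mitigated=True),
    Observation("T1021.002", "Lateral Movement", logged=True, alerted=False, mitigated=False),
    Observation("T1048", "Exfiltration", logged=False, alerted=False, mitigated=False),
]

if __name__ == "__main__":
    for technique, outcome, layer in report_rows(SAMPLE_OBSERVATIONS):
        print(f"{technique:<10} {outcome:<32} gap: {layer}")
    for tactic, counts in summarize(SAMPLE_OBSERVATIONS).items():
        print(f"{tactic:<18} {counts}")
```

Running the file prints one row per technique followed by the per-tactic counts. Replacing the constructed observations with the notes taken during the exercise gives a first cut of the gap list that the post-exercise report is built from: "visibility" rows need a log source before any detection work makes sense, "detection" rows need rules over telemetry that already exists, and "response" rows point at playbooks or controls rather than at monitoring.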
Attack scenario results and reporting
The Purple Team engagement concludes with a report and a debrief session. The report summarizes the overall activities during the exercise, the preparatory actions in the scenario-building phase, and the results of the detection and response verification. This engagement report serves as a foundation for future improvement of environment detection capabilities and paves the way for enhanced security resilience of the company.
Please contact your Cisco Account Team representatives or directly email Talos IR if you are interested or have questions regarding our new Purple Team service.