The Definition of a Purple Team
People debate constantly about the the different kinds of security assessment, and the one that’s perhaps least understood is the Purple Team.
Origin and meaning
If you have a dedicated Purple team, you likely need to fix the Red and Blue teams to make Purple functionality more natural.
A Purple Team is a function designed to enhance the information sharing between—and the ultimate effectiveness of—an organization’s Red and Blue teams.
The first—hopefully obvious—thing to notice is that purple is a blending of red and blue. But just like the diagram above, you want to think of it as a bridge between Red and Blue, and not as its own separate thing.
The Purple Team should not be a group that fills both Red and Blue roles—but rather a function that enhances existing Red and Blue capabilities.
Red Teams are designed to test the effectiveness of an organization’s defenses by emulating its adversaries’ TTPs in a continuous and evolving manner.
Blue Teams are designed to keep the organization safe from real-world attackers by understanding their TTPs and evolving the company’s defenses along with the adversary.
Purple Teams are designed to enhance information sharing between the Red and Blue teams to maximize their respective and combined effectiveness.
It helps to think of these as functions rather than orgs, although Red and Blue can be either.
All three functions share the ultimate purpose of improving the organization’s defenses. Red does this through attack, Blue through defense, and Purple by ensuring that the previous two are cooperating.
How not to Purple Team
Now that we understand what a Purple Team is, the next thing to absorb is that they should not be needed. You read that right—separate, independent Purple Teams should not be needed if an organization’s Red and Blue teams are functioning properly.
Thanks to Dave Kennedy for input on this crucial point.
This isn’t to stay that the function of cooperation should not be performed—for example, Red Teams walking their Blue Teams through attacks, doing demos, etc.—but this doesn’t require a third party. The Red and Blue teams themselves are the people that matter in this exchange of information.
Red and Blue have separate tactical functions, and approach the security of the organization from literally opposite sides, but their mission is the same: improving the security of the company.
Properly functioning Red and Blue teams know they have a shared goal, and they communicate regularly to maximize overall success.
Red teams are famous for being unwilling to share their tradecraft with Blue teams due to ego issues, but this situation is slowly improving.
If a Red Team is not sharing its TTPs with the Blue Team, it’s a bad Red Team. And if the Blue Team is not sharing its learnings with the Red Team, it’s a bad Blue Team. Communication is part of both jobs.
Analogies for bad communication between Red and Blue
Here are some analogies that illustrate how bad it is for attack and defense to not be talking to each other.
Waiters Who Don’t Deliver Food: A restaurant is having trouble getting their waiters to pick up food from the kitchen and bring it to tables. Their solution is to hire “kitchen-to-table coordinators”, who are experts in table delivery. When management is asked why they hired this extra person to do this instead of having the waiters do it themselves, the answer was: The waiters said it wasn’t their job.
Elite Chefs Who Keep the Food in the Kitchen: An expert is brought in to figure out why a restaurant is failing when they have all this top-end chef talent. Evidently customers are waiting forever and often not getting food at all. When the reviewer goes into the kitchen they find stacks of beautiful, perfectly-arranged plates of food sitting next to the stoves. They ask the chef why this food hasn’t gone out to the tables, and the chef answers: I know way more about food than these stupid waiters and stupid customers. Do you know how long I’ve been studying to make food like this? Even if I allowed them to eat it they wouldn’t understand it, and they wouldn’t appreciate it. So I keep it here.
Great, so we have waiters to who refuse to take food to tables, and we have chefs who don’t allow their dishes to leave the kitchen.
Unsupervised Learning — Security, Tech, and AI in 10 minutes…
Get a weekly breakdown of what's happening in security and tech—and why it matters.
Red Teams that refuse to share TTPs with the Blue Team are chefs who refuse to let their masterpieces leave the kitchen.
Red and Blue should be thought of as a single organism.
If you have this problem, the solution is to fix the Red / Blue interaction dynamic—not to create a separate group that’s tasked with doing their job for them.
When a Purple team / function is needed
Unfortunately, there are situations when the Red and Blue teams get out of sync with each other. Some common symptoms of this include:
Another decent use of “Purple” is educating someone new to attack/defense on the interaction between Red/Blue.
The Red Team thinks itself too elite to share information with the Blue Team.
The Red Team is pulled inside the organization and becomes neutered, restricted, and demoralized, ultimately resulting in a catastrophic reduction in their effectiveness.
The Red Team and Blue Team are not designed to interact with each other on a continuous basis, as a matter of course, so lessons learned on each side are effectively lost.
Information Security management does not see the Red and Blue team as part of the same effort, and there is no shared information, management, or metrics shared between them.
Organizations that suffer from one or more of these ailments are most likely to think they need a Purple Team to solve them. But “Purple” should be thought of as a function, or a concept, rather than as a permanent additional team. And that concept is cooperation and mutual benefit toward a common goal.
Many companies are selling Purple Team engagements like Penetration Tests, or Red Team Engagements. 90% of this hype is marketing and sales.
So perhaps there’s a Purple Team engagement, where a third party analyzes how your Red and Blue teams work with each other and recommend fixes. Or perhaps there’s a Purple Team exercise, where someone monitors both teams in real-time to see how they work. Or maybe there’s a Purple Team meeting, where the two teams bond, share stories, and talk about various attacks and defenses.
Think of Purple Team as a marriage counselor. You’d never imagine that husband and wife communication should depend on one.
The goal should always be to fix Red and Blue so that they perform the Purple function naturally.
The goal of both Red and Blue is to improve a company’s defenses.
Good Red and Blue teams communicate regularly with each other to share information for the overall benefit of the company.
When this communication doesn’t happen, that’s when a Purple function is often considered.
The goal of Purple is to ensure that Red and Blue are sharing information to keep both as effective as possible, but in a healthy relationship that should be happening naturally.
Think of Purple like a marriage counselor: it may be needed, but should only be used to train Red and Blue to communicate in a regular and healthy manner so that the translator is no longer needed.