There is some confusion about the definitions of Red, Blue, and Purple teams within Information Security. Here are my definitions and concepts associated with them.
- Red Teams are external entities brought in to test the effectiveness of a security program. This is accomplished by emulating the behaviors and techniques of likely attackers in the most realistic way possible. The practice is similar, but not identical to, Penetration Testing, and involves the pursuit of one or more objectives.
- Blue Teams refer to the internal security team that defends against both real attackers and Red Teams. Blue Teams should be distinguished from standard security teams in most organizations, as most security operations teams do not have a mentality of constant vigilance against attack, which is the mission and perspective of a true Blue Team.
A Purple Team is better thought of as a Purple Function.
- Purple Teams are ideally superfluous groups that exist to ensure and maximize the effectiveness of the Red and Blue teams. They do this by integrating the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team into a single narrative that ensures the efforts of each are utilized to their maximum. When done properly, 1 + 1 will equal 3, but this should be happening naturally as the benefit of having a Red and Blue team.
The purpose of a Red Team is to find ways to improve the Blue Team, so Purple Teams should not be needed in organizations where the Red Team / Blue Team interaction is functioning properly.
Analogies of broken
I have some story-based analogies that I use when I hear about Purple Teams being used to force Red Teams to interact with the Blue Team.
Waiters Who Don’t Deliver Food: A restaurant is having trouble getting their waiters to pick up food from the kitchen and bring it to tables. Their solution is to hire “kitchen-to-table coordinators”, who are experts in table delivery. When management is asked why they hired this extra person to do this instead of having the waiters do it themselves, the answer was:
The waiters said it wasn’t their job.
Elite Chefs Who Keep the Food in the Kitchen: An expert is brought in to figure out why a restaurant is failing when they have all this top-end chef talent. Evidently customers are waiting forever and often not getting food at all. When the reviewer goes into the kitchen they find stacks of beautiful, perfectly-arranged plates of food sitting next to the stoves. They ask the chef why this food hasn’t gone out to the tables, and the chef answers:
I know way more about food than these stupid waiters and stupid customers. Do you know how long I’ve been studying to make food like this? Even if I allowed them to eat it they wouldn’t understand it, and they wouldn’t appreciate it. So I keep it here.
Great, so we have waiters who refuse to take food to tables, and we have chefs who don’t allow their dishes to leave the kitchen.
That’s a Red Team that refuses to work with the Blue Team.
If you have this problem, the solution is to fix the Red Team / Blue Team interaction dynamic, not to create a separate group that’s tasked with doing their job.
Concepts and philosophy
Red and Blue teams ideally work in perfect harmony with each other, as two hands that form the ability to clap.
Like Yin and Yang or Attack and Defense, Red and Blue teams could not be more opposite in their tactics and behaviors, but these differences are precisely what make them part of a healthy and effective whole.
Red Teams attack, and Blue Teams defend, but the primary goal is shared between them: improve the security posture of the organization.
Some of the common problems with Red and Blue team cooperation include:
- The Red Team thinks itself too elite to share information with the Blue Team
- The Red Team is pulled inside the organization and becomes neutered, restricted, and demoralized, ultimately resulting in a catastrophic reduction in their effectiveness
- The Red Team and Blue Team are not designed to interact with each other on a continuous basis, as a matter of course, so lessons learned on each side are effectively lost
- Information Security management does not see the Red and Blue team as part of the same effort, and there is no information, management, or metrics shared between them
Organizations that suffer from one or more of these ailments are most likely to think they need a Purple Team to solve them. But “Purple” should be thought of as a function, or a concept, rather than as a permanent additional team. And that concept is cooperation and mutual benefit toward a common goal.
So perhaps there’s a Purple Team engagement, where a third party analyzes how your Red and Blue teams work with each other and recommends fixes. Or perhaps there’s a Purple Team exercise, where someone monitors both teams in realtime to see how they work. Or maybe there’s a Purple Team meeting, where the two teams bond, share stories, and talk about various attacks and defenses.
The unifying theme is getting the Red and Blue team to agree on their shared goal of organizational improvement and not to introduce yet another entity into the mix.
Think of Purple Team as a marriage counselor. It’s fine to have someone act in that role in order to fix communication, but under no circumstances should you decide that the new, permanent way for the husband and wife to communicate is through a mediator.
- Red Teams emulate attackers in order to find flaws in the defenses of the organizations they’re working for.
- Blue Teams defend against attackers and work to constantly improve their organization’s security posture.
- A properly functioning Red / Blue Team implementation features regular knowledge sharing between the Red and Blue teams in order to enable continuous improvement of both.
- Purple Teams are often used to facilitate this continuous integration between the two groups, which fails to address the core problem of the Red and Blue teams not sharing information.
- The Purple Team should be conceptualized as a cooperation function or interaction point, and not as a separate and ideally redundant entity.
- In a mature organization the Red Team’s entire purpose is to improve the effectiveness of the Blue Team, so the value provided by the Purple team should be a natural part of their interaction as opposed to being forced through an additional entity.
- All these terms can apply to any kind of security operation, but these specific definitions are tuned towards information security.
- A Tiger team is similar, but not quite the same as a Red Team. A 1964 paper defined the term as “a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem.” The term is now often used as a synonym for Red Team, but the general definition is an elite group of people assembled to solve a particular technical challenge.
- It is important that Red Teams maintain a certain separation from the organizations they are testing, as this is what gives them the proper scope and perspective to continue emulating attackers. Organizations that bring Red Teams inside, as part of their security team, tend to (with few exceptions) slowly erode the authority, scope, and general freedom of the Red Team to operate like an actual attacker. Over time (often just a number of months) Red Teams that were previously elite and effective become constrained, stale, and ultimately impotent.
- In addition to being a bridge organization for less mature programs, Purple Teams can also help organizations acclimate their management to the concept of attacker emulation, which can be a frightening concept for many organizations.
- Another aspect that leads to the dilution of effectiveness of internal Red Teams is that elite Red Team members seldom transition well to the cultures of companies with the means to hire them. In other words, companies that can afford a true Red Team tend to have cultures that are difficult or impossible for elite Red Team members to handle. This often leads to high attrition among Red Team members who make the transition to an internal role.
- It is technically possible for an internal Red Team to be effective; it’s just extremely unlikely that they can remain protected and supported at the highest levels over long periods of time. This tends to lead to erosion, frustration, and attrition.
- One trap that internal Red Teams regularly fall into is being reduced in power and scope to the point of being ineffective, at which point management brings in consultants who have full support and who come back with a bunch of great findings. Management then looks at the internal team and says, “Wow! They’re amazing! Why can’t you do that?” That’s usually a LinkedIn-generating event.
- Other analogies to Red Teams that don’t collaborate: Professional footballers who kick but don’t pass, professional applauders who only use their right hand, professional auditors who don’t write reports, professional teachers who don’t interact with students. You get the idea.
- Thanks to Rob Fuller, Dave Kennedy, and Jason Haddix for reading drafts.