In a recent UKFast Cybersecurity Predictions webinar, the experts anticipated that purple teaming is set to be the next point of focus in 2019. But what is this new buzzword to hit the cybersecurity world?
Before we head straight into purple teaming, let’s recap two vital components of this new security strategy.
Blue teaming is the defensive side of fighting cybercrime and usually refers to your own in-house security team. Blue teams defend your websites, servers and networks against attacks. They do this by collecting large volumes of data, such as SIEM logs and threat intelligence feeds, and building detection and response procedures on top of it.
On the flip side, red teaming involves proactive, offensive methods. This is usually carried out by an external cybersecurity firm. Red teams launch multi-layered simulated attacks against your organisation to find the weaknesses that real attackers could exploit. Both your cybersecurity and your physical security are tested, to find out how easy it is for someone to infiltrate your business.
Now we’ve got these definitions locked down, let’s talk purple.
Historically, red and blue teams have worked very much in silos. This leaves the blue team with a gap in knowledge about threat actors’ TTPs – the Tactics, Techniques and Procedures that cybercriminals actually use. To build detection and response methods that will genuinely protect you, your in-house team needs to know these TTPs so it can think like an attacker. If it doesn’t, attacks go undetected until it is too late for your organisation to respond effectively.
So, purple teaming is the fusion of red and blue teams existing alongside each other in one continuous, collaborative process to make your business secure. Both teams are still working as usual, with the red team spotting the flaws and the blue team responding to fix them. However, purple teaming ensures that both teams are carrying out their roles with clear, shared goals.
The red team must share the threat actors’ TTPs it intends to emulate with the blue team, so that the blue team can build and configure the appropriate detection and response capabilities. For example, if the red team is going to launch a DDoS attack as part of its tests, the blue team needs to confirm before the test that it can detect and respond to that kind of attack. The red teaming exercise is far more useful if you know you are testing the best protection you can currently offer, rather than discovering a missing detection only when the attack lands.
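To make that hand-over concrete, here is a small purple-team exercise harness, written for this article as an added example and not code from UKFast or from the webinar. The red team’s planned techniques are paired with the telemetry each one is expected to generate (the events, source addresses, thresholds and detection names below are all constructed for illustration), and the blue team replays that telemetry through its detection rules before the live exercise. Any technique that fires nothing is a gap to close before the red team runs it for real.

```python
"""Purple-team exercise harness (added example, constructed data only).

The red team shares each planned technique together with the telemetry it
expects to generate; the blue team replays that telemetry through its
detection rules.  A technique that fires no detection is a coverage gap.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.fromisoformat(s)


def _spray_events(n):
    # Constructed: one source tries a different username every 2 s with a bad password.
    base = _ts("2019-03-01T09:00:00")
    return [{"ts": base + timedelta(seconds=2 * i), "src": "203.0.113.7",
             "kind": "auth_fail", "user": f"user{i:03d}"} for i in range(n)]


def _flood_events(n):
    # Constructed: one source sends a request every 20 ms.
    base = _ts("2019-03-01T10:00:00")
    return [{"ts": base + timedelta(milliseconds=20 * i), "src": "198.51.100.9",
             "kind": "http_request", "path": "/"} for i in range(n)]


# What the red team has told the blue team it will do (hypothetical plan).
RED_TEAM_PLAN = {
    "password spray against the VPN portal": _spray_events(40),
    "HTTP flood against www (DDoS)": _flood_events(600),
    "scheduled task persistence on a workstation": [
        {"ts": _ts("2019-03-01T11:00:00"), "src": "10.0.0.21",
         "kind": "process_start", "cmd": "schtasks /create /tn Updater /sc onlogon"},
    ],
}


def detect_password_spray(events, window=timedelta(minutes=5), min_users=20):
    """Fire when one source fails logins for many distinct users inside the window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "auth_fail":
            by_src[e["src"]].append(e)
    for evs in by_src.values():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                return True
    return False


def detect_http_flood(events, window=timedelta(seconds=10), max_requests=200):
    """Fire when one source exceeds a request budget inside a sliding window."""
    by_src = defaultdict(list)
    for e in events:
        if e["kind"] == "http_request":
            by_src[e["src"]].append(e["ts"])
    for times in by_src.values():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:
                j += 1
            if i - j + 1 > max_requests:
                return True
    return False


# The blue team's current detection content (hypothetical rule names).
BLUE_TEAM_DETECTIONS = {
    "vpn_password_spray": detect_password_spray,
    "http_flood_per_source": detect_http_flood,
}


def run_exercise(plan, detections):
    """Replay each planned technique through every detection.

    Returns {technique: [names of detections that fired]}.
    """
    return {ttp: [name for name, fn in detections.items() if fn(events)]
            for ttp, events in plan.items()}


def coverage_gaps(results):
    """Techniques the red team will run that no detection currently catches."""
    return sorted(ttp for ttp, fired in results.items() if not fired)


if __name__ == "__main__":
    results = run_exercise(RED_TEAM_PLAN, BLUE_TEAM_DETECTIONS)
    for ttp, fired in results.items():
        print(f"{ttp}: {fired or 'NOT DETECTED'}")
    print("gaps to close before the live exercise:", coverage_gaps(results))
```

Run as written, the spray and the flood are caught by the two existing rules, while the scheduled-task persistence fires nothing, which is exactly the kind of gap a siloed blue team would only discover after the red team had already achieved it. The thresholds are deliberately explicit arguments so that the two teams can tune them together against the red team’s actual cadence rather than guessing.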
If you don’t already have an in-house security team and regular testing from an external red team, putting those two pieces in place is where to start. If you do have both, look at how you can build continued collaboration between them.
Overall, purple teaming addresses the problem of disconnected security teams. It also makes your security testing and the development of your defences as targeted and efficient as possible, because every test is aimed at the detections you actually run. With the number and sophistication of cyber-threats growing year on year, we must be able to protect against them, and we can only do that if our security teams are working together.