How purple teams can embrace hacker culture to improve security

The security community is continuously changing, growing, and learning from each other to better position the world against cyber threats. In the latest Voice of the Community blog series post, Microsoft Product Marketing Manager Natalia Godyla talks with Matthew Hickey, co-founder, CEO, and writer for Hacker House. In this blog post, Matthew talks about the benefits of a purple team and offers best practices for building a successful one.

Natalia: What is a purple team, and how does it bridge red and blue teams?

Matthew: The traditional roles involve a blue team that acts as your defenders and a red team that acts as your attackers. The blue team wants to protect the network. The red team works to breach the network. They want to highlight the security shortcomings of the blue team’s defenses. The two teams aren’t always working on the same objective to secure information assets and eliminate information risk, as each is focused on the objective of their respective team—one to prevent breaches, the other to succeed in a breach.

Purple teaming is an amalgamation of the blue and red teams into a single team to provide value to the business. With a successful purple team, two groups of people normally working on opposite ends of the table are collaborating on a unified goal—improving cybersecurity together. It can remove a lot of competitiveness from security testing processes. Purple teams can replace red and blue teams, and they’re more cost-effective for smaller organizations. If you’re a big conglomerate, you might want to consider having a blue team, a red team, and a purple team. Purple teams work on both improving knowledge of the attacks an organization faces and building better defenses to defeat them.

Natalia: Why do companies need purple teams?

Matthew: Computer hacking has become much more accessible. If one clever person on the internet writes and shares an exploit or tool, everyone else can download the program and use it. It doesn’t have a high barrier of entry. There are high school kids exploiting SQL injection attacks and wiping millions from a company valuation. Because hacking information is more widely disseminated, it’s also more accessible to the people defending systems. There have also been significant improvements in how we understand attacker behavior and model those behaviors. The MITRE ATT&CK framework, for instance, is leveraged by most red teams to simulate attackers’ behavior and how they operate.

When red and blue teams work together as a purple team, they can perform assessments in a fashion similar to unit tests against frameworks, like MITRE ATT&CK, and use those insights on attacker behavior to identify gaps in the network and build better defenses around critical assets. Adopting the attackers’ techniques and working with the system to build more comprehensive assessments, you have advantages your attacker does not. Those advantages come from your business intelligence and people.

Natalia: What are the benefits of bringing everything under one team?

Matthew: The benefits of a purple team include speed and cost reduction. Purple teams are typically constructed as an internal resource, which can reduce reaching out to external experts for advice. If they get alerts in their email, purple teams can wade through them and say, “Oh, this is a priority because attackers are going to exploit this quickly since there’s a public exploit code available. We need to fix this.” Unit testing specific attacker behaviors and capabilities against frameworks on an ongoing basis as opposed to performing periodic, full-blown simulated engagements that last several weeks to several months is also a huge time reduction for many companies.

Red teams can often be blindsided by wanting to build the best phishing attack. Blue teams want to make sure their controls are working correctly. They’ll achieve much more in a shorter timeframe as a purple team because they are more transparent with one another, sharing their expertise and understanding of the threats. You’ll still need to occasionally delve into the world of a simulated, scenario-driven exercise where one team is kept in the dark to ensure processes and practices are effective.

Natalia: How do purple teams provide security assurance?

Matthew: Cybersecurity assurance is the process of understanding what the information risk is to a business—its servers, applications, or any supporting IT infrastructure. Assurance work is essentially demonstrating whether a system has a level of security or risk management that is comfortable to an organization. No system in the world is 100 percent infallible. There’s always going to be an attack you weren’t expecting. The assurance process is meant to make attacks more complex and costly for an attacker to pull off. Many attackers are opportunistic and will frequently move onto an easier target when they encounter resistance, and strong resistance comes from purple teams. Purple teams are used to provide a level of assurance that what you’ve built is resilient enough to withstand modern network threats by increasing the visibility and insights shared among typically siloed teams.

Natalia: What are best practices for building a successful purple team?

Matthew: You don’t need to be an expert on zero-day exploitation or the world’s best programmer, but you should have a core competency of cybersecurity and an understanding of foundational basics like how an attacker behaves, how a penetration test is structured, which tools are used for what, and how to review a firewall or event log. Purple teams should be able to review malware and understand its objectives, review exploits to understand their impact, and make use of tools like nmap and mitmproxy to scan for vulnerabilities. They also should understand how to interpret event logs and translate the attack side of hacking into defenses like firewall rules and policy enforcement. People come to me and say, “I didn’t know why we were building firewalls around these critical information assets until I saw somebody exploit a PostgreSQL server and get a root shell on it, and suddenly, it all made sense why I might need to block outgoing internet control message protocol (ICMP).”

Hiring hackers to join your purple team used to be taboo, yet hackers often make excellent defenders. Embrace hacking because it’s a problem-solving mentality. The information is out there, and your attackers already know it. You might as well know it too, so hire hackers. I’ve heard people say hackers are the immune system for the internet when describing how their behavior can be beneficial. Hackers are following what’s going on out there and are going to be the people who see an attack and say, “We use Jenkins for our production build. We better get that patched because this new 9.8 CVSS scoring vulnerability came out two hours ago. Attackers are going to be on this really quickly.” Breaking into computers is done step-by-step, it’s a logical process. Attackers find a weakness in the armor. They find another weakness in the armor. They combine those two. They get access to some source code. They get some credentials from a system. They hop onto the next system. Once you understand the workflow of what your attacker is doing, you get better at knowing which systems will need host intrusion, enhanced monitoring, and the reasons why. Hackers are the ones who have a handle on your risks as an organization and can provide insight as to what threats your teams should be focused on addressing.

Natalia: How should managers support the training and education needs of their purple team?

Matthew: Making sure people have the right training and the right tooling for their job can be hard. You walk through any expo floor, and there are hundreds of boxes with fancy lights and a million product portfolios. You could buy every single box off that expo floor, and none of it’s going to do you any good unless you’ve got the right person operating how that box works and interpreting that data. Your people are more important in some respects than the technology because they’re your eyes and ears on what’s happening on the network. If you’ve got a system that sends 50 high-risk alerts, and no one is picking up and reacting to those alerts, you’ve just got an expensive box with flashing lights.

If you’re hiring someone onto a purple team, make sure they are supported to attend conferences or network with industry peers and invest in their training and education. That is always going to give you better results as they learn and are exposed to more insights, and your people will feel more valued as well. If you want to learn about adversarial behavior and how you can use computer hacking to provide assurance outputs to businesses, read Hands-on Hacking: What can you expect? by Hacker House.

Learn more

To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us at @MSFTSecurity for the latest news and updates on cybersecurity.