You know what blue teams and red teams are. Red is the attack side, playing the adversary, and Blue is the defense side. Unfortunately, we don't see the two teams working together in many situations. Having a red team test your network or application is a great way to understand where your weaknesses are. But that is not all we should be thinking about when we are trying to improve the security posture of the company.
The idea of purple teaming is that you do the assessment with both teams at the same time. Have the blue team ready and looking for what the red team is doing. Have the red team let the blue team know what they are doing and what they should be looking for. The goal here is that the blue team is going to get a better understanding of what the attackers are doing and what that looks like on the network.
Done right, the blue team should come out with better monitoring and response plans. Watching the attacks come through helps tune the systems and confirms that the events that should generate alerts actually do. It also means the blue team doesn't have to dig through logs after the fact to piece together what happened; they can see it much more quickly and more accurately while it is going on.
Don't fall into the trap of allowing the blue team to do something they normally wouldn't do during the test. You want this to be as realistic as possible. Make note of what is happening and where your deficiencies are so you can remediate them properly afterward. For example, you wouldn't want to block specific IP addresses or turn off servers just because you know a test is about to happen. The red team is bound to find some way of accessing something. Watch what they are doing and learn from it.
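One concrete way to capture "what is happening and where your deficiencies are" is to keep a timestamped log of what the red team did alongside the alerts the blue team actually saw, then reconcile the two at the end of the exercise. The script below is an added example, not code from the original post or from Secure Ideas; the technique labels, rule names, hosts and timestamps are all constructed for illustration, and the rule-per-technique mapping is assumed to have been agreed by both teams before the run.

```python
"""Reconcile a purple-team run: which red-team actions produced the expected
alert, which alerted late, and which were missed entirely."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RedAction:
    started: datetime   # when the red team performed the action
    technique: str      # label the red team shared with the blue team beforehand
    host: str           # target host


@dataclass(frozen=True)
class BlueAlert:
    fired: datetime     # when the SIEM/EDR raised the alert
    rule: str           # detection rule name
    host: str


# Hypothetical mapping of red-team technique to the rule that is supposed to fire.
# Agreed between both teams before the exercise; the names are assumptions.
EXPECTED_RULE = {
    "password-spray": "auth.multiple-failures-single-source",
    "psexec-lateral": "winevent.service-install-remote",
    "dump-lsass": "edr.lsass-memory-access",
}


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    status: str                  # "detected", "late", or "missed"
    delay: Optional[timedelta]   # time from action to first alert, None when missed


def reconcile(actions, alerts, max_delay=timedelta(minutes=15)):
    """For each red action, find the earliest expected alert on the same host at
    or after the action started. Within max_delay it counts as detected; later
    than that counts as late; no such alert at all counts as missed."""
    findings = []
    for action in actions:
        rule = EXPECTED_RULE.get(action.technique)
        candidates = sorted(
            (al for al in alerts
             if al.host == action.host and al.rule == rule and al.fired >= action.started),
            key=lambda al: al.fired,
        )
        if not candidates:
            findings.append(Finding(action.technique, action.host, "missed", None))
            continue
        delay = candidates[0].fired - action.started
        status = "detected" if delay <= max_delay else "late"
        findings.append(Finding(action.technique, action.host, status, delay))
    return findings


def gaps(findings):
    """Remediation list: techniques that were missed or alerted late."""
    return [f for f in findings if f.status != "detected"]


# Constructed sample data, not from a real exercise.
T0 = datetime(2024, 1, 10, 9, 0)
RED_LOG = [
    RedAction(T0, "password-spray", "dc01"),
    RedAction(T0 + timedelta(minutes=40), "psexec-lateral", "fs02"),
    RedAction(T0 + timedelta(minutes=55), "dump-lsass", "fs02"),
]
BLUE_LOG = [
    BlueAlert(T0 + timedelta(minutes=3), "auth.multiple-failures-single-source", "dc01"),
    BlueAlert(T0 + timedelta(minutes=70), "winevent.service-install-remote", "fs02"),  # 30 min late
    # no alert at all for the LSASS dump: a detection gap to fix
]

if __name__ == "__main__":
    for f in reconcile(RED_LOG, BLUE_LOG):
        print(f"{f.status:8} {f.technique:16} {f.host}  delay={f.delay}")
```

The point of the "late" bucket is that an alert which fires half an hour after lateral movement is a tuning problem, not a success, and it should land on the same remediation list as the rule that never fired.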
Of course, this doesn’t guarantee that attackers will not be able to get in, but it will help build your defenses. It will give you more confidence in what your systems are monitoring and how they are working.
We need to start having better communication between the two sides of security. It isn't an "us against them" situation. We all have the same goal: make the company more secure. We need to take advantage of the time we have together to really get things moving, rather than just running a test and sending over a report that may or may not be acted upon.
James Jardine is a Principal Security Consultant at Secure Ideas. If you are in need of a penetration test or other security consulting services you can contact him at firstname.lastname@example.org, @jardinesoftware or visit the Secure Ideas – Professionally Evil site for services provided.