Purple teams are a controversial topic among cybersecurity professionals. There seems to be industry confusion regarding the definitions of Blue, Red and Purple teams. While descriptions of Blue Teams are relatively consistent, there are variations regarding Red and Purple Teams.
At Truvantis®, our position is that if the definition and role of the Red Team are complete, there is simply no need for the term Purple Teams or ‘Purple Teaming.’ We think understanding the subtle differences could be informative when choosing a trusted cybersecurity partner.
Blue Teams are proactive and creative defenders and usually employees of an organization. All Blue Teams are defenders, but not all defenders are necessarily part of a Blue Team. Distinctive Blue Teamers have a proactive mindset, endless curiosity regarding things out of the ordinary and a drive toward the continuous improvement of incident detection and response.
All the offensive security testing defined below is to inform the Blue Team’s defense. A threat-informed defense is better positioned to defend, detect, and respond to real-world cyber threats.
A vulnerability scan uses automated tools to identify hosts and host attributes (e.g., operating systems, applications, open ports) and vulnerabilities such as outdated software versions, missing patches, misconfigurations and default passwords, and perhaps to validate compliance with, or deviations from, an organization’s security policy.
While vulnerability scans are valuable tools, they are limited because they lack human cunning. A motivated, imaginative real-world attacker may use any combination of existing vulnerabilities in unexpected ways, otherwise known as their Tactics, Techniques and Procedures (TTPs).
While vuln scanning is typically used as a recon tool in early-stage pen testing, vulnerability scanning is NOT the same thing as penetration testing, contrary to messaging you may see from some vendors.
Automated vulnerability scanning and assessment tools are essential for your security strategy, but they only go so far. Pen testing goes beyond vulnerability scanning by adding the human motivation, cunning and determination factors. Pen testers may use vuln scans in the recon phase and then use what they learned to apply known TTPs and their skill and imagination to achieve their goals.
Penetration testing is all about using human cunning and the latest strategies of real threat actors. This approach allows organizations to assess their real-world risk and locate security vulnerabilities before they can be exploited. Truvantis pen testers are highly skilled specialists using tech-based tools, experience and social engineering to achieve their defined goals.
Penetration testing is a valuable tool for providing you with a snapshot of your cybersecurity risks. Still, a penetration test is NOT a Red Team engagement, again contrary to messaging you may see from some vendors.
Red Teams are often confused with penetration testers due to their overlap in practices and skills, but we believe they are not the same. Penetration testers deal with the pursuit of one or several objectives. However, Red Teams have a specific quality and goal that separates them from other security teams.
The true purpose of a Red Team should be to find ways to improve the Blue Team. Red Teaming measures the effectiveness of security controls and response mechanisms. This requires a more resource-intensive approach to measure both detection and response of specific threats.
Effective Red Teaming requires active communication and coordination with the Blue Team. Beyond just proving they can break in, the true goal of Red Teaming is to assist Blue Teams in fine-tuning the detection thresholds and security response mechanisms of defense in depth strategies until the desired performance metrics are satisfied.
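The point above is that a Red Team engagement is scored on what the Blue Team detected and responded to, not on whether the attacker got in. As an added illustration (not Truvantis code or methodology), the following scores a constructed exercise record: for each emulated TTP it checks whether an alert fired and a response action followed, computes detection and response rates and mean times, and lists the gaps to hand back to the Blue Team; the target thresholds and the sample rows are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class TtpResult:
    ttp: str                          # label for the technique exercised
    executed_at: datetime
    detected_at: Optional[datetime]   # None: no alert fired for this TTP
    responded_at: Optional[datetime]  # None: no containment action taken

def score_exercise(results, detect_target=timedelta(minutes=15),
                   respond_target=timedelta(hours=1)):
    """Detection/response metrics plus the list of gaps for the Blue Team."""
    detect_minutes, respond_minutes, gaps = [], [], []
    for r in results:
        if r.detected_at is None:
            gaps.append(f"{r.ttp}: not detected")
        else:
            ttd = r.detected_at - r.executed_at
            detect_minutes.append(ttd.total_seconds() / 60)
            if ttd > detect_target:
                gaps.append(f"{r.ttp}: detected but slower than target")
        if r.responded_at is None:
            gaps.append(f"{r.ttp}: no response action")
        else:
            ttr = r.responded_at - r.executed_at
            respond_minutes.append(ttr.total_seconds() / 60)
            if ttr > respond_target:
                gaps.append(f"{r.ttp}: response slower than target")
    n = len(results)
    return {
        "detection_rate": len(detect_minutes) / n,
        "response_rate": len(respond_minutes) / n,
        "mttd_minutes": sum(detect_minutes) / len(detect_minutes) if detect_minutes else None,
        "mttr_minutes": sum(respond_minutes) / len(respond_minutes) if respond_minutes else None,
        "gaps": gaps,
    }

def meets_targets(summary, min_detection=0.9, min_response=0.8):
    """The engagement is 'done' only when both rates reach the agreed thresholds (assumed values)."""
    return summary["detection_rate"] >= min_detection and summary["response_rate"] >= min_response

T0 = datetime(2024, 1, 1, 10, 0)
SAMPLE = [  # constructed exercise log, not real telemetry
    TtpResult("phishing-payload-exec", T0, T0 + timedelta(minutes=5), T0 + timedelta(minutes=35)),
    TtpResult("credential-dumping", T0 + timedelta(minutes=30), T0 + timedelta(minutes=50), None),
    TtpResult("lateral-movement", T0 + timedelta(minutes=60), None, None),
    TtpResult("data-staging", T0 + timedelta(minutes=90), T0 + timedelta(minutes=92), T0 + timedelta(minutes=130)),
]

if __name__ == "__main__":
    summary = score_exercise(SAMPLE)
    print(summary, "targets met:", meets_targets(summary))
```

Each gap entry names a specific detection or response shortfall, which is the concrete tuning input the Blue Team needs; the engagement loops until `meets_targets` returns True.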
Given the Truvantis definition of Red Teaming, why do you need a Purple Team? The short answer is you don’t. Industry confusion arises when, for example, a vendor describes pen testing but falsely calls it Red Teaming. (The same vendor may also label vulnerability scanning as pen testing.) Then they claim you need a Purple Team so that the pen testers (aka Red Team) can communicate and coordinate with the Blue Team.
Sometimes Purple Teams are sold as an actual external team. In this definition, a Purple Team is a single group of people who do both Red and Blue testing and securing of a company. A Purple Team may be an IT security consulting group brought in for an audit, or company employees directly. Still, they do not focus exclusively on attacking or defending – they do both.
Sometimes Purple Teaming is described as concepts, practices and exercises that enable red and blue teams to collaborate and work together more effectively. In this definition, Purple teaming is a security methodology in which red and blue teams work closely together to maximize cyber capabilities through continuous feedback and knowledge transfer – but shouldn’t they be doing that anyway?
This use of Purple is unnecessarily confusing. The Truvantis Red Team engagement already includes all the functions or features others may describe as Purple. We just call it ‘doing the job properly’.
The unifying theme is getting the Red and Blue team to work together and agree on their shared goal of organizational improvement and not introducing another entity into the mix. Purple Teams should not be needed in organizations where the Red Team / Blue Team interaction is healthy and functioning correctly. If you have this problem, the solution is to fix the Red Team / Blue Team interaction dynamic—not to create a separate group tasked with doing their job for them.
The more your red and blue teams communicate, the stronger your security strategy will be. Additionally, the better you can speak to company leadership and the board, the more your program will flourish.
At Truvantis, you won’t find the color Purple on our menu of services. You will find a world-class team of experts with a holistic offering of cybersecurity and privacy services, from pen testing to standards compliance.
When you select Truvantis as a trusted third-party security partner, you get intelligence-driven operations designed to uncover vulnerabilities associated with real-world risk exposure. Truvantis penetration testing and red team engagements include Attack Surface Analysis, evaluating insider threats, and comprehensive, full-spectrum testing.
Our accredited penetration testers are highly skilled specialists who have mastered the same skills used by cybercriminals. The Truvantis team of senior-level security engineers deploys our penetration testing services to help your company achieve compliance, understand the real threats to your system, and create a realistic, actionable plan to mitigate risk.
Truvantis pen testing services:
- Minimize business disruption
- Identify vulnerabilities and root causes
- Yield actionable results
Truvantis is a cybersecurity and privacy consulting organization with comprehensive expertise in implementing, testing, auditing, and operating information security programs. We specialize in helping our clients improve their cybersecurity and privacy posture through practical, effective, and actionable programs—balancing security, technology, business impact, and organizational risk tolerance. Contact us to get started today.