GRC is the existential foundation of security for an organization: without it, the organization can’t legally operate. But GRC is not security: security is the additional investment in identifying and closing exposure gaps in the environment. And it is a continual process, since internally the environment changes constantly with business requirements and people, and externally the threats continue to evolve. But how do we put the two, internal changes and external threats, together? With purple teaming, you use threat intelligence to emulate threat behaviors on your internal network so that you have the context of an attack, then fix issues as you go, so that you don’t end up with a lengthy report of problems to be fixed, as you would with a traditional risk assessment.
What is ‘purple teaming’?
Purple teaming is a collaborative, milestone-driven approach where you bring people and processes into your security assessments. Cross-functional teams (typically red and blue, hence “purple”) work together, leading to immediate and measurable improvements. It’s similar to the approach for tabletop exercises: everyone gets together in a room with realistic hypothetical scenarios to walk through what would happen. Except that the process is carried out with technical actions on the environment, i.e., this test on these machines. The scope can be:
- narrow, such as validating a gold image;
- matched to a reduced risk appetite, such as executing tests only in a lab;
- or conducted in production for a truly realistic environment.
Bringing in the threat
Threat intelligence informs realistic testing. We can build our tests around the tactics, techniques, and procedures (TTPs) that threat actors are actually using. Cyber threat intelligence (CTI) provides information about risks to different business functions based on factors such as systems or geography. Large enterprises use complex CTI, including custom investigative teams, but companies of all sizes have access to it.
However, you also need to recognize that CTI is more than “just” data. It starts with data, but you need to enrich the data with context. This means asking the following questions:
- Is my technology stack vulnerable to these new TTPs?
- Are threat actors actively targeting my industry?
- Is my supply chain at risk?
CTI feeds meaningful threat modeling, which becomes the roadmap for the purple team tests. With threat modeling, you develop an actionable model of a specific attack that could impact your business, not a generic one. Start with a framework for breaking down the threat into its components. MITRE ATT&CK is the industry standard: it provides a common vocabulary for describing TTPs, and most CTI reports map to it. Think of MITRE ATT&CK like the periodic table. It gives you the basic elements that make up an attack, and you combine them into more complex attack chains, much as elements combine in a chemical equation. If you’re just getting started with threat modeling, MITRE ATT&CK is free, available online, and easy to search by industry and threat group for the information you need.
Using threat emulation based on threat intelligence creates a flexible and repeatable approach so that:
- Red teams can emulate real-world threats
- Blue teams can validate controls and the supply chain
- Executives can validate the portfolio of technical resources and people
Purple teaming formalizes the red and blue teams’ joint goal of securing the organization. Using threat intelligence mapped to MITRE ATT&CK creates:
- A common language for everyone involved
- A “Meta-Layer” where the defensive evaluation is focused on threat behavior instead of ephemeral techniques
- Visualizations for reporting to measure progress over time
With the right CTI feed, you can aggregate the information that’s unique to your business. This might be:
- Third-party business partners / supply chain
- Changes in the threat landscape
You can match this information to the MITRE ATT&CK framework and build out purple team exercises that help your security team take a proactive approach to threat hunting and defending.
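As an added illustration (not code from the original article) of what mapping CTI to ATT&CK buys you, the script below takes a constructed CTI mapping of relevant threat groups to ATT&CK technique IDs, ranks techniques by how many groups use them to produce the test roadmap, then scores the blue team’s results from successive purple team rounds as coverage, remaining gaps, and progress over time. The technique IDs are real ATT&CK identifiers; the group names, the group-to-technique mapping, and the round results are all made up for the example.

```python
from collections import defaultdict

# Constructed sample: CTI report mapped to ATT&CK technique IDs for the threat
# groups judged relevant to this business. The IDs are real ATT&CK technique
# numbers; the group names and the mapping itself are invented for illustration.
CTI_TTPS = {
    "GroupA": ["T1566.001", "T1059.001", "T1003.001", "T1021.002"],
    "GroupB": ["T1059.001", "T1047", "T1003.001", "T1486"],
}

# Constructed purple-team results, one dict per exercise round:
# technique ID -> outcome the blue team observed when the red team emulated it.
ROUNDS = [
    {"T1566.001": "detected", "T1059.001": "missed", "T1003.001": "missed",
     "T1021.002": "detected", "T1047": "missed", "T1486": "prevented"},
    {"T1566.001": "prevented", "T1059.001": "detected", "T1003.001": "missed",
     "T1021.002": "detected", "T1047": "detected", "T1486": "prevented"},
]

# Outcomes that count as the control working against that behavior.
GOOD = {"detected", "prevented"}


def prioritized_techniques(cti):
    """Rank techniques by how many relevant groups use them (the enrichment
    that turns a raw feed into a test roadmap); ties broken by technique ID."""
    counts = defaultdict(int)
    for techniques in cti.values():
        for technique in techniques:
            counts[technique] += 1
    return sorted(counts, key=lambda t: (-counts[t], t))


def coverage(results, techniques):
    """Fraction of in-scope techniques the blue team detected or prevented."""
    covered = sum(1 for t in techniques if results.get(t) in GOOD)
    return covered / len(techniques)


def gaps(results, techniques):
    """Techniques still missed, in priority order: the fix-as-you-go backlog."""
    return [t for t in techniques if results.get(t) not in GOOD]


def progress(rounds, cti):
    """Per-round (coverage, remaining gaps) pairs for trend reporting."""
    techniques = prioritized_techniques(cti)
    return [(round(coverage(r, techniques), 2), gaps(r, techniques)) for r in rounds]
```

Feeding each round’s results back into the next exercise, rather than into a one-off report, is what gives the “progress over time” view the article describes.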
So how does this tie in to GRC? Purple teaming is a cross-functional sample demonstrating that processes are aligned and functioning as expected, that risks are identified and mitigated in practice, and that the tested elements are legally compliant. While the core of a purple team is red and blue, those do not have to be the only functions that participate, just as in a tabletop exercise. The process provides a technical way to validate defensive assumptions, but it can also serve as statistical sampling for an audit: do the configuration items in scope match what’s on record?