
What Is a Purple Team?
In cybersecurity, a purple team is a group that combines offensive red team capabilities with defensive blue team insights to provide a truly collaborative, well-balanced security posture. “Purple teaming” is more than a work group; it should be a philosophy.
If you’re familiar with offensive security, you already know the red and blue team structures. To review:
- Red Teams: Perform offensive security maneuvers (adversary simulations) to ethically hack an enterprise using advanced capabilities.
- Blue Teams: Defend against red team maneuvers and protect the enterprise in adversary simulations.
Purple teams eliminate a blinder-like focus on competition and keep the big picture in mind: protecting your organization against the real enemy—outside threat actors.
Sometimes red teaming gets so competitive that a “successful” engagement can be seen as one in which the opposing red team simply defeats the blue team. No lessons learned, no extensive reviews, no open communication.
However, the point is for red teamers to come into these offensives with the understanding that the priority is to provide blue teams with training exercises to sharpen their skills. To that end, red team operations should give blue teams ample opportunities to practice their defensive skills and ultimately point out ways to strengthen them.
There is some sense to preserving a level of anonymity when discussing detailed red team actions. After all, you don’t want to give blue teams an exact road map, or there would be no skill involved in detection. Sharing TTPs (tactics, techniques, and procedures) is therefore the safe middle ground.
However, keep in mind that the better blue teams understand these techniques, the better they can defend against the real threats.
Benefits of Implementing a Purple Team
Developing a purple team mentality is the ultimate goal of every growing cybersecurity strategy. As teams prepare to fend off attacks by the most advanced, most subtle, or simply most common threat actors in the world, shared intelligence from both red teams (where to attack) and blue teams (how to defend) is critical.
Benefits of implementing a purple team mentality include:
- A cybersecurity think tank with one objective in mind: improved cybersecurity through training
- Mutual learning between teams. Red teams learn what defenders look for; blue teams learn the latest offensive tactics. Round after round, they make each other better.
- No wasted engagements. Red team offensives are well worth the investment, but only if blue teams mine the knowledge gained through them. The point is not to walk away defeated, but to use every tactic that successfully got through and deconstruct it. This teaches the blue team what to do so such tactics are far less likely to succeed in the future.
How to Develop Your Purple Team
Purple team cybersecurity requires the best of both worlds in terms of technology:
- Offensive security solutions like red team software and advanced red team toolkits
- Defensive security solutions like data protection, email security, and XDR
Next, you can expand your “purple team mindset” into an actual, staffed team that collaborates as one.
You need cybersecurity experts skilled in offensive techniques to form your red team.
Defenders with advanced investigation and response skills should form your blue team.
It is important to find cyber professionals who come with these honed skillsets already intact, as you want the practice (and the protection) to be as realistic as possible.
Almost invariably, experts lean towards one realm of expertise or the other. If you are struggling to staff your SOC as it is, or to find the time, consider an expert MSSP that knows the offensive security industry and can lead these engagements for you, providing the red team portion you need.
How Fortra Solutions Support Purple Teaming
Fortra supports companies as they create purple team mindsets within their own organizations. By bringing world-class offensive and defensive security solutions to the table, Fortra arms both red and blue teams with the tools they need.
Most security companies out there focus on one element (and that’s typically defensive). With cybersecurity household brands like Outflank Security Tooling (OST) and Cobalt Strike, Fortra offers the industry-leading red teaming software and advanced toolkit that are known in the industry as the de facto standard for offensive security.
Perform your own red team engagements with Cobalt Strike, where you can build scenarios based on an in-depth understanding of your environment, raise alarms for blue teams, and create outbriefs stating where exploits could and should have been caught.
Add to this Fortra VM and Core Impact (penetration testing) and you have your offensive bases covered—from start to finish. That leaves Fortra’s top-tier defensive lineup to complete the package, creating the ultimate arsenal for purple team performance.
Fortra’s defensive security solutions include:
- Data Classification
- Data Loss Prevention (DLP)
- Integrity and Compliance Monitoring
- Human Risk Management
- Vulnerability Management (good for both)
- Email Security
- XDR
- Brand Protection
Purple team cybersecurity is coming to encompass the kind of comprehensive, 360-degree approach that’s necessary to defeat advanced adversaries today.
Fortra is one of the first in cybersecurity to understand this, anticipate the technological needs behind it, and provide a security suite that supports organizations as they reach their purple team goals.
Purple Teaming FAQs
What is a purple team in cybersecurity?
Purple teaming in cybersecurity is an approach to adversary simulation (red teaming) that emphasizes the growth of blue team defensive tactics over immediate red team wins. Under a purple team mindset, red teamers prioritize blue team learning and share TTPs and other insights post-engagement to improve the organization’s defensive capabilities overall.
How does a purple team work?
A purple team launches red team adversary simulations and defends with blue team strategies. After the engagement, purple teams facilitate open sharing of insights and TTPs so both teams know better how to attack and defend in the future.
What are the main objectives of a purple team?
The main objectives of a purple team are to eliminate informational silos between red and blue teams, reduce unnecessary competitiveness and gatekeeping, create a “cybersecurity think tank,” and thereby improve cybersecurity posture faster than typical red vs. blue team engagements alone.
What skills are required to be part of a purple team?
Purple team members should have positive communication abilities and be able to facilitate productive and open discussions post-engagement. The point of these conversations is to create a collaborative experience by getting red teams and blue teams to share insights on how cybersecurity defense strategies can be improved, based on the results of the preceding adversary simulation. Because purple teaming is a mindset rather than an actual “team,” this role can be assumed by red and blue teamers, the outsourced offensive security provider, or relevant security stakeholders and members of the SOC.
Build your purple team by boosting red team performance.
Check out Fortra’s Adversary Simulation and Red Teaming Solution for Proactive Security.