GoSecure Ethical Hacker Maxime Nadeau shares his perspective on the quickly growing, industry capability that delivers fast and long-lasting security improvements through a collaborative engagement.
What are Purple Team Services?
Purple Team services are a collaborative engagement where professional security testers work through real-world attack scenarios by dividing those activities into individual steps and executing those elements with in-house security teams. Purple Teaming works best as a complement to a robust Penetration Testing program with advanced, multifaceted scenarios to test defense and response capabilities with an organization that has some dedicated security resources that can benefit from the partnership. A Purple Team engagement allows an organization to pinpoint strengths and weaknesses in people, processes and technology in a safe environment– before the threats become a reality.
Why Would an Organization Consider Purple Team Services?
There are many reasons an organization would consider a Purple Team engagement. In my experience, a few of the top reasons are:
- Organizations want to see a fast and long-lasting improvement in security maturity – At GoSecure, we focus on continuous improvement over the course of the engagement that can elevate security maturity posture for the organization quickly, but in a way that will last. We do this through a “Test, Fix and Test Again” approach — and by providing as much information as possible to the in-house teams during workshop sessions. With each scenario, we’re able to make immediate adjustments, test again to see if there is improvement and then make more adjustments to ensure that defenses and response capabilities are fully optimized.
- Teams want to improve their detection processes and learn new techniques to identify vulnerabilities or conduct proactive threat hunting activities – The collaborative approach to Purple Team engagement offers a unique opportunity to train and mentor the organization’s security team. Through the scenarios, we can determine where there may be skill gaps and target those areas for knowledge transfer from our highly experienced and certified professionals. Training sessions to bridge certain gaps observed during the activities can be offered to further enhance the capabilities of the in-house teams.
- The security team may want to identify areas for potential investment and build a case they can take to leadership – The real-world attack scenarios pinpoint gaps in capabilities, processes and technology that may require added investment by the organization. We can help make that case through our collaboration–and show improvement from the baseline we documented after the technology is implemented. It’s important to note that we are vendor-neutral, we can recommend adding some tools or resources—not what to buy or where to buy it from. And we will keep existing budget/vendor requirements in mind as we make recommendations.
What is the difference between a Purple Team and a Red Team engagement?
Red Team engagements are an important tool for in-house teams to get a point-in-time assessment of preventive security controls, as well as detection and response capabilities, against professionals who specialize in breaking through defenses. With a Red Team exercise, the security professionals within an organization will not know exactly what to expect or when the attack will happen. Professionals like the team at GoSecure will design a series of real-world attacks with multiple threat vectors that we feel have the best chance of breaching the defenses. During Red Team engagements, the offensive security team will use technical, social engineering, and physical threat vectors to try to get access to predefined targets referred to as the “Crown Jewels” or the end goals of the assessment. The client will receive a report filled with actionable recommendations specific to the risks and gaps we find. A year later if we test that client again, we’ll likely find improvement in those areas, but other weaknesses may present an opportunity for us to infiltrate their environment once again.
Purple Team engagements are a collaborative engagement where our professionals work together with the in-house team through real world attack scenarios or granular attack techniques. Both Red Team and Purple Team services include real world testing of the organization’s defenses and response capabilities. The difference is that with a Purple Team engagement we take a Test, Fix and Test Again approach and focus on empowering the internal team. This can be via training sessions or live exploitations, hunting, and/or use case creation or remediation in a mini workshop format. The report we provide shows the improvements we have already made within the client environment and how we tested them again to demonstrate the resulting enhanced security maturity. With Purple Team services, the in-house team gains the benefit of knowledge transfer from our experienced professionals who have industry certifications and years of experience identifying advanced threats.
What makes GoSecure different from others offering Purple Team services?
GoSecure Purple Team engagements are conducted with detection, threat hunting and offensive security experts with years of experience in their fields. This enables identification of improvements which can be implemented at a faster pace, since all aspects of the attacks and questions are covered during the activities. The other key element for GoSecure is flexibility. The activities can change based on the previous observations, newly identified threats or toolchain currently used in the environment to offer the most value possible. If the in-house team needs to build their skills, we have the resources to offer mentoring and training in areas like threat hunting.
In addition, GoSecure’s approach to “Test, Fix and Test Again” helps ensure we leave the organization more secure than when we started the engagement. GoSecure also considers the day-to-day budget and vendor requirements of the customer in our recommendations, which can include the use of free or open-source tools to make improvements.
Do you have any examples of positive results from a Purple Team engagement?
A recent Purple Team engagement comes to mind. The team we were working with had minimal detection use cases, limited event sources, issues with their Identity and Access Management (IAM) practices and no proactive threat hunting program.
We started by identifying new events that could be collected without changing the technologies they had in place and immediately offered visibility by creating multiple use cases. After those new baseline recommendations were implemented, GoSecure found opportunities to add tools to the environment and identified more use cases that could further the enhance detection capabilities of the team.
We also conducted training activities to help improve the team’s IAM capabilities and developed an integrated proactive threat hunting practice. While improvements continue, the client has already detected and properly responded to multiple incidents, as well as demonstrated a noted improvement on their last Red Team engagement.
About the Expert: Maxime Nadeau
Maxime is a GoSecure ethical hacker. Having studied programming and software engineering, he has been working as a cybersecurity professional for the last five years and obtained multiple certifications including the Offensive Security Certified Professional (OSCP) and Pentester Academy Certified Enterprise Security Specialist (PACES). He has an interest in adversary simulation and physical security. When he is not coding new tools, he can be found transforming everyday objects into physical network implants or woodworking.
