4 budget-savvy strategies for building an effective purple team

These tools will work better if your team has elite red teamers that can get into reverse malware engineering and custom exploit development, and detection engineers who can write rules in more than just Splunk — think Security Data Lake (SDL) level crunching capabilities.

Regular red/blue exercises: Implement routine red team exercises and blue team defenses, followed by thorough debriefings to share insights and strategies. Ideally by now, the red team should have its own cadence of operations, and each of these can be followed up by a purple team exercise to focus on and close those TTPs to the best of their ability. The purple team can also intake its own testing objectives and should be included in the SDLC much sooner than the go-live pentest. Use the purple team to validate sophisticated threat models and punctuate security gaps. Use the influence of recent breaches and CTI to ensure those same conditions do not exist in your systems. Begin to ask yourself not just “what does the adversary do, and does that apply to us?” but instead, “what is the most harmful or easily done thing that applies to our most critical systems, and have we defended against that?” By now, you might also have abandoned solely open-book exercises and begun face-off style exercises.

Training and certifications: Budget for industry-recognized certifications and advanced training for team members. Start shelling out for SANS courses and GIAC certifications, because that’s where the higher echelons of tradecraft are being taught. Also, train the defenders. Send them to learn the advanced coding, SDLC, AppSec, DevOps, and tool-specific skills they lack to unleash the full potential of that jazzy enterprise suite you spent so much money on. Stop relying on vendors to teach you how to use their tools fully and effectively.

This budget range allows for a robust purple team that can keep pace with complex threat landscapes and advanced attack vectors. Dedicating the FTE hours and resources to conducting regular attack-and-defend simulations allows each member to learn from the other’s methodologies and procedures. Have them explain why and how each side acts and reacts, and get a dialogue going. In one of the most beneficial exercises I was ever a part of, I saw my red teamers in a side chat saying: “So, if they detect x they have to go investigate it this far and we know it takes them that long. If we theoretically set off decoy callbacks over here to keep them occupied, we could inject here, here, and here and they wouldn’t know for weeks.” Boom.

The risk here is that you’re going to find a lot more than you bargained for and it won’t make everybody happy. But they’re growing pains you’ll be happy to endure when you can prove due diligence to get cybersecurity insurance coverage for another year.

With a larger budget, an organization can afford a comprehensive purple team with different areas of focus.

Specialized roles: The purple team is a mix of specialists, including penetration testers, security analysts, incident responders, and cyber threat intelligence analysts. It can even include dedicated IaC developers for custom tooling and social engineers to take phishing and physical tests to the next level.

Enterprise-level solutions: Deploy enterprise-level solutions like advanced persistent threat simulation, automated incident response systems, and integrated threat management ecosystems. You should have a fully equipped team of architects ensuring smooth input/output across tooling and teams, and infrastructure engineers to make their wildest custom dreams come true.

Catch me if you can ‘testing’: By now each team should have enough moxie to face unannounced, truly clandestine-style testing. Red teams shouldn’t be a slam dunk every time and should have to get really creative with their pivoting to be successful, and blue teams should stand a fighting chance against them. If this is not the case, go back a few steps and revisit some regression testing. By now, the purple team operators could leverage the ISSOs, architects, and infrastructure personnel to create automated custom pipelines of testing and TTPs not published to the world, but relevant, known, and tracked only to your organization. This is the ultimate peak of collaborative security and proactive resilience.

Continuous improvement programs: Regular training, industry conferences, and workshops to keep skills sharp and knowledge current.

Strategic partnerships: Look into partnerships with cybersecurity firms for external audits and threat hunting services.

This well-funded purple team is a formidable force, capable of not only defending against but also predicting and preventing potential breaches. And should the zero-day happen, all the team will be well-versed in working with each other and can readily and seamlessly rely on each other’s strengths to identify, contain, and eradicate the problem before an incident becomes a breach. Well, in an ideal world anyway.

By assessing needs, allocating resources wisely, and focusing on continuous improvement, even the most budget-conscious departments and teams can craft a purple team that provides a significant return on investment. It is often these limitations and needs that make building a purple team such a customized and organization-specific effort. But, while they are not one-size-fits-all, there certainly can be proactive resilience and purple teaming for all.
