As the variety, complexity, and frequency of security vulnerabilities continue to increase, the need for red and blue teams has never been more critical in the context of building and safeguarding innovative computing technologies. Here is how to promote a purple-team culture.
What is purple-team culture?
Initially introduced into the cybersecurity culture in the early 1990s, the role of red and blue teams has changed little over the past 20 years.
At a high level, red teams are focused on penetration testing as a means to identify vulnerabilities (often considered an offensive approach). Blue teams assess a system and look for ways to protect it (usually considered a defensive strategy).
Organizations work tirelessly to combat rising cyber threats, and many are looking for new ways to instill the “think like a hacker” or “break what you make” mentality into every engineer. As a result, we’re starting to see the emergence of purple team culture within organizations.
In its simplest form, a purple team is the combination of red and blue team members with the goal of creating better collaboration around security.
The collaborative method is especially deployed during the product lifecycle (from architecture and development to validation and support). While it’s not designed to eliminate the need for blue and red teams, it is designed to generate planned moments in time when both teams come together to solve specific problems and learn from one another.
This consistent team immersion should have a rising tide effect on security.
For example, blue teamers gain increased hacking knowledge during the development lifecycle. And red teamers should better understand the complexities and assumptions of new technologies so they can focus more on identifying advanced attack vectors.
Unfortunately, many organizations are still stuck in the adversarial model of red vs. blue. After all, it can be hard to convince the blue team that an exercise won’t just be a product slam-fest and that the red team won’t be wasting their time on displays showing “boring vulnerabilities.”
The reality is that there are significant benefits to purple team exercises.
Number one is a more secure end product. Others include creating a culture that embraces a “security first” mindset. Blue teamers also get to see how hackers think in real-time, which can have a significant impact on the development approach.
Security becomes top of mind throughout the entire lifecycle, not just at the end when red teamers are brought in to break things. The process grooms engineers to be the first, second, and third line of defense. Red teamers move away from identifying simple vulnerabilities to begin tackling more sophisticated and advanced threats. And the list goes on and on.
At Intel, we’ve been embracing the purple team culture since 2007.
The first exercise was purely an experiment of bringing blue and red team members together for a capture the flag event. That progressed to adding hackathons into the product development lifecycle (for example, during the design or validation stages).
As these exercises grew over time, we saw the benefits increase by orders of magnitude regarding how teams approached security. Today at Intel, purple team exercises are an essential part of product development.
What are some keys to success?
Here are some tips to consider if you want to start a purple team or you’re just looking to refine an existing program.
- Make roles clear from the beginning.
The fact is, red teamers are here for their hacking and security expertise, and they’re not expected to be product experts. And vice versa for blue teamers. Each requires the other to evaluate a product, service or business segment successfully. Establishing clear roles and expectations, and encouraging the group to have an open mind, is key to the collaboration process.
-
Don’t make purple teams permanent.
Red and blue teams still have an important role in the development process. Collaboration of the two should be done in exercise form. Consider breaking off specific chunks of the product and have the purple team attack a problem (in a day, week or month).
-
Be inclusive of all engineers.
Purple teams can have a dramatic impact across the entire organization when other engineers are involved as well (remember you’re trying to instill that “think like a hacker” mentality). For example, Intel has the goal of having every engineer involved in a purple team exercise at least once a year.
- Eliminate turf battles.
There is a natural sense of conflict between defenders and attackers. Blue teamers can easily feel attacked. It’s important that managers set ground rules, and it’s important that red teamers don’t just focus on the shortcomings of products. The red teamers must also recognize positive efforts in protection that blue teamers have achieved.
Also, consider the “help me help you” approach with red teamers. The more they help educate blue teamers to eliminate simple errors, the more they can focus on cutting edge research and advanced attacks.
-
Track your progress.
As more purple team exercises happen, you should see the red team finding fewer and fewer repetitive errors or known vulnerabilities. You should also see more complex security issues being discussed in purple team exercises.
You will begin to see better security knowledge retention organization-wide. Watch for the increased red team excitement for sessions, and ultimately more secure products (less successful attacks in the wild).
- Propagate your learnings.
Purple teams should not operate in a vacuum. Issues should be broken down into architectural, design and validation types. The root cause and solution should be shared with other systems and teams.
For example, you might choose to create a top 10 vulnerabilities list for a type of hardware.
In addition, these key learnings should be applied to your security development lifecycle so they can help with architectural reviews, design reviews, code development, pen-testing.
- Encourage sharing outside the organization.
Contributing to the greater effort of security is a community initiative. For example, Intel participates in the industry to help define and create new hardware security taxonomies.
Sharing will not only likely help your organization down-stream (for example with better security analysis tools), but it can motivate your security team and spur academic interest.
As we work to address a variety of complex security challenges, we need all parties involved to start thinking more like hackers.
Blue teamers are capable of contributing to robust security outcomes in a powerful and effective manner if encouraged to do so. And red teamers have a plethora of insights to offer beyond just breaking things.
Purple team culture is a fantastic gateway to security collaboration that can have lasting effects on an organization’s security mindset and raise the bar for product security.