Purple Teaming, here's what you need to know.
Information security is infatuated with colours. It started with the blue boxing that allowed anyone to make free calls, then moved to black hats, white hats and grey hats (to denote attackers), then on to black box, grey box and white box testing to define the type of testing. The latest trend in colours refers to red teaming, blue teaming and purple teaming. We will deal with the last one in the remainder of this blog.
Let’s begin by defining red teaming, blue teaming, and purple teaming:
- Red teaming is a covert adversary simulation on your network. It can have a few flavours:
  - an external-to-internal flavour, where the attacked entity is targeted from an external viewpoint and the attacker later capitalises on the exploited user's or system's internal network placement and access rights;
  - an assume-compromise flavour, where the attacker is given credentials and placed at a vantage point inside the network from which they begin their work. This simulates a real-life scenario in which an attacker compromises an active user session on a workstation;
  - a scenario-based flavour, built on a specific access pattern assigned to the attacking party, e.g. that of a business partner on an organisation's extranet, in order to quantify the organisation's true exposure.
- Blue teaming is the process of monitoring and threat hunting inside a corporate infrastructure. The blue team analyses events as they are collected from different endpoints and network devices, correlates them and tries to piece together the red team's (or actual attackers') actions, with the ultimate goal of cleaning up, reclaiming and hardening its infrastructure.
- Purple teaming combines the two activities above. The red team performs a set of predefined actions in an environment that is monitored and controlled by the blue team. In a nutshell, the goal is to help the blue team identify gaps in its monitoring controls and model adversarial activities in its internal toolset. By doing so, the blue team enhances its internal capabilities and heightens the security of the organisation it is part of.
Empirically, red teaming and purple teaming are indicators of an organisation's information security maturity level, as defined below:
- Vulnerability scanning: Those at the first layer run a vulnerability scan to identify the low-hanging fruit in their infrastructure and work off the report it produces. All of us who have dealt with vulnerability scanner reports know they are riddled with false positives (easier to weed out) and false negatives. The latter are the more dangerous, as they provide a false sense of security.
- Penetration testing: The vast majority of organisations perform penetration testing against their infrastructure and applications. The entity performing the test does not have to be particularly discreet or covert when testing what is in scope, as it has a fixed amount of time to go over what is part of the engagement. Its goal is to cover as much ground as possible in that timeframe.
- Red teaming: A tier above the previous category are those that perform red teaming. Red teaming is a covert, highly specialised form of penetration testing. It is used by organisations that have engaged pentesting for a number of years and want to move to the next level of a covert and focused assessment. In addition, if they go for the external-to-internal flavour, they can test their defences against social engineering and phishing attacks that target employees rather than infrastructure.
- Purple teaming: Finally, the top tier is usually performed either as a distinct exercise or on the back of one or more red team engagements run against the organisation. Several TTPs (tactics, techniques and procedures), possibly those used against them in the red teaming engagement, are replicated in a controlled environment. Gaps are analysed, the environment is modified to bridge some of them, and the tests are rerun to validate coverage. At other times purple teaming is run against the proof-of-concept implementation of a system that is being procured, in order to bridge the gaps. It requires a dedicated team and a lot of time for creating and running the TTPs, analysing results and tuning (lather, rinse, repeat), and as such it is something that organisations which are mature from an information security perspective perform.
Over the last couple of years, a number of advancements have been made in Purple Teaming, making it more accessible, and affordable, to the masses. MITRE's Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) became available a couple of years ago with the main goal of providing a common reference point for the tactics, techniques, procedures (TTPs) and tools that threat actors use against a targeted entity.
It also provides a reference point for threat actor groups around the globe, their preferred TTPs and the industries they target. That way, organisations can pick which TTPs to address as a priority by looking at the industry they are part of and the TTPs used by threat actors targeting that industry. Keep in mind that the key phrase in the previous sentence is "as a priority": threat actors evolve during their lifespan and keep adding TTPs to their arsenal.
In a nutshell, the main container of information inside MITRE's ATT&CK is the Tactic. Tactics are the main stages of a threat actor's attack chain and include, but are not limited to, Initial Access, Execution, Lateral Movement, Persistence and Defence Evasion. Techniques are how a threat actor implements each Tactic: e.g. the Persistence category contains items such as Logon Scripts, Scheduled Tasks and Registry Run Keys, among others.
Each Technique carries attributes such as the initial level of access required to achieve it, its applicability, etc. They help paint a fuller picture of where the Technique fits in the overall attack chain. To cut a long story short, a lot of work has been put into building and, more importantly, maintaining the MITRE ATT&CK platform to provide defenders with as much knowledge as possible about the attacks perpetrated against them.
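The prioritisation described above (pick the TTPs used by the groups that target your industry, compare them against what you can already detect, close the gaps, re-run) is easy to show as a small data model. The following is an added example, not code from the original post or from MITRE. The Technique and Tactic identifiers are real ATT&CK ones; the threat-group profiles ("GROUP-A" etc.), their TTP lists and the organisation's detection coverage are constructed sample data, as is the ordering heuristic.

```python
"""
Added example (not from the original post or from MITRE): a minimal model
of the ATT&CK structure described above (Tactics contain Techniques, each
with attributes such as the access level required) used to turn a
threat-group profile and the blue team's current detection coverage into
a prioritised purple-team gap list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Technique:
    tech_id: str
    name: str
    tactic: str          # the Tactic this Technique implements
    min_privilege: str   # initial level of access required (constructed labels)


# A small slice of the ATT&CK matrix (real IDs, names and Tactics).
ATTACK = {
    "T1566": Technique("T1566", "Phishing", "Initial Access", "none"),
    "T1059": Technique("T1059", "Command and Scripting Interpreter", "Execution", "user"),
    "T1053": Technique("T1053", "Scheduled Task/Job", "Persistence", "user"),
    "T1547.001": Technique("T1547.001", "Registry Run Keys / Startup Folder", "Persistence", "user"),
    "T1037": Technique("T1037", "Boot or Logon Initialization Scripts", "Persistence", "admin"),
    "T1078": Technique("T1078", "Valid Accounts", "Defense Evasion", "user"),
    "T1003": Technique("T1003", "OS Credential Dumping", "Credential Access", "admin"),
    "T1021": Technique("T1021", "Remote Services", "Lateral Movement", "user"),
}

# Constructed threat-group profiles: industries targeted and TTPs used.
# The group names are placeholders, not real threat actors.
THREAT_GROUPS = {
    "GROUP-A": {"industries": {"finance", "retail"},
                "ttps": {"T1566", "T1059", "T1547.001", "T1003", "T1021"}},
    "GROUP-B": {"industries": {"healthcare"},
                "ttps": {"T1078", "T1053", "T1021"}},
    "GROUP-C": {"industries": {"finance"},
                "ttps": {"T1566", "T1053", "T1037", "T1003"}},
}

# Attack-chain order used as a tie-breaker so the gap list reads as a plan.
TACTIC_ORDER = ["Initial Access", "Execution", "Persistence",
                "Credential Access", "Defense Evasion", "Lateral Movement"]


def relevant_ttps(industry):
    """TTPs used by groups that target `industry`, mapped to how many such
    groups use each one (more groups means higher priority)."""
    counts = {}
    for group in THREAT_GROUPS.values():
        if industry in group["industries"]:
            for t in group["ttps"]:
                counts[t] = counts.get(t, 0) + 1
    return counts


def detection_gaps(industry, covered):
    """Relevant Techniques with no detection, ordered by number of relevant
    groups using them, then by position in the attack chain, then by ID."""
    counts = relevant_ttps(industry)
    gaps = [t for t in counts if t not in covered]
    gaps.sort(key=lambda t: (-counts[t], TACTIC_ORDER.index(ATTACK[t].tactic), t))
    return gaps


def coverage_ratio(industry, covered):
    """Fraction of industry-relevant Techniques the blue team can detect."""
    counts = relevant_ttps(industry)
    if not counts:
        return 0.0
    return sum(1 for t in counts if t in covered) / len(counts)


if __name__ == "__main__":
    # Constructed: what the blue team's current rule set detects.
    covered_before = {"T1566", "T1059"}
    print("gaps before:", detection_gaps("finance", covered_before))
    # After one purple-team iteration adds two rules, re-run to validate.
    covered_after = covered_before | {"T1003", "T1547.001"}
    print("gaps after:", detection_gaps("finance", covered_after))
    print(f"coverage: {coverage_ratio('finance', covered_after):.0%}")
```

The "before" and "after" runs in the `__main__` block are the lather-rinse-repeat cycle from the maturity list: the same gap function is re-run after the blue team adds rules, and the list shrinks only for Techniques that are genuinely covered.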
Building on top of MITRE's ATT&CK platform, a few tools have become available during the last year or so that take the theory into practice. In other words, they take the techniques defined in ATT&CK and translate them into actual commands one can run on a monitored system; one then observes the logged information, makes adjustments and repeats. This further streamlines Purple Teaming, since it provides defenders with a ready-made list of commands rather than requiring them to invest time in creating their own. Those tools are:
- MITRE's Caldera platform (https://github.com/mitre/caldera): MITRE built its own platform for running TTPs against targeted machines. It requires defining a lab in which to execute the attacks and deploying an agent on each machine to simulate a threat actor. Scenarios can be defined with only the applicable TTPs and are run across the lab from a starting point. All subsequent actions run in an automated manner, with lateral movement happening automatically as exploitation progresses. The major downside of Caldera is its very steep learning curve and the somewhat sparse documentation that accompanies it.
- Red Canary's Atomic Red Team (https://github.com/redcanaryco/atomic-red-team): While Caldera above is a platform, with its pros and cons, Red Canary's Atomic Red Team is a collection of tools and scripts that implement TTPs and facilitate their execution in a streamlined fashion.
- Endgame Red Team Automation (https://github.com/endgameinc/RTA): Taking a similar approach to Red Canary's above, Endgame's RTA is a set of Python scripts that execute TTPs. It consists of two components: the script doing the heavy lifting itself and a server-side component that hosts several other programs that may be needed at runtime, depending on the Technique in use. Being written in Python, Endgame's RTA is easily extended to support more and more TTPs.
- Uber Metta (https://github.com/uber-common/metta): Uber's Metta is a Python-based purple teaming tool. It uses VMs and Vagrant for their instrumentation, and YAML files to define the TTPs as lists of commands that are eventually sent over WinRM or SSH to the targeted system. While it is categorised as a platform, it does not have the steep learning curve associated with Caldera above. Having said that, if you want to move away from Vagrant into a lab environment, you will have to extend it to support that.
- APTSimulator (https://github.com/NextronSystems/APTSimulator): In its own words, "APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised". Being batch-file based makes it applicable only to Microsoft Windows endpoints.
- Invoke-Adversary (https://github.com/MotiBa/Invoke-Adversary): Invoke-Adversary is a PowerShell script released in April 2018 that again implements a list of TTPs on a monitored endpoint. It asks the user to download any third-party tools required for each TTP, where applicable, and then takes care of executing that tool. Like APTSimulator above, it is a Microsoft Windows specific tool.
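All of the tools above cover the "run the command" half of the loop; the half that makes it purple teaming is checking what the monitored host actually logged and which Techniques the blue team's rules caught. The following is an added example of that observe-and-adjust step, not code from the original post or from any of the tools listed. The events are constructed in the shape of Sysmon fields (EventID 13 registry value set, EventID 1 process create) rather than real captures, the rule set is a deliberately small sample, and the Technique IDs are real ATT&CK ones for the three Persistence Techniques the post names (Registry Run Keys, Scheduled Tasks, Logon Scripts).

```python
"""
Added example, not code from the original post or from any of the tools it
lists: the observe-and-adjust half of the purple-team loop.  After the red
team exercises a Technique on a monitored host, this script takes the
events that host logged and reports which of the expected Techniques the
current detection rules actually caught, so the blue team can add a rule
and re-run.  Events are constructed in the shape of Sysmon fields, not real
captures; the rule set is a deliberately small sample.
"""
import json
import re

# Constructed telemetry: roughly what a Sysmon-instrumented host logs while
# three Persistence Techniques named in the post (Registry Run Keys,
# Scheduled Tasks, Logon Scripts) are exercised, plus one benign event.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 13,
                "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\updater",
                "Details": r"C:\Users\alice\AppData\Local\Temp\u.exe"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
                "CommandLine": r"schtasks /create /tn Updater /tr C:\Users\alice\AppData\Local\Temp\u.exe /sc onlogon"}),
    json.dumps({"EventID": 13,
                "TargetObject": r"HKU\S-1-5-21-1\Environment\UserInitMprLogonScript",
                "Details": r"C:\Users\alice\AppData\Local\Temp\l.bat"}),
    json.dumps({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe"}),
]

# Baseline rules: each maps a Sysmon event type and a field pattern to the
# ATT&CK Technique it evidences (real Technique IDs).
BASELINE_RULES = [
    {"technique": "T1547.001", "event_id": 13, "field": "TargetObject",
     "pattern": re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)},
    {"technique": "T1053", "event_id": 1, "field": "CommandLine",
     "pattern": re.compile(r"schtasks(\.exe)?\s+/create\b", re.IGNORECASE)},
    # Deliberately absent: nothing looks at UserInitMprLogonScript, so the
    # logon-script test shows up as a gap in the first iteration.
]

# The rule the blue team writes after iteration 1 exposes the gap.
LOGON_SCRIPT_RULE = {
    "technique": "T1037", "event_id": 13, "field": "TargetObject",
    "pattern": re.compile(r"\\Environment\\UserInitMprLogonScript$", re.IGNORECASE),
}

# Technique IDs the red team ran in this iteration (constructed test plan).
EXECUTED = ["T1547.001", "T1053", "T1037"]


def evaluate(events, rules):
    """Run every rule over every event; return {technique_id: [matching events]}."""
    hits = {}
    for line in events:
        ev = json.loads(line)
        for rule in rules:
            if ev.get("EventID") != rule["event_id"]:
                continue
            if rule["pattern"].search(ev.get(rule["field"], "")):
                hits.setdefault(rule["technique"], []).append(ev)
    return hits


def purple_team_report(executed, events, rules):
    """For each Technique the red team ran: 'detected' if some rule fired on
    the logged events, otherwise 'missed'."""
    hits = evaluate(events, rules)
    return {t: ("detected" if t in hits else "missed") for t in executed}


def missed(executed, events, rules):
    """The gap list the blue team works through before the next run."""
    return sorted(t for t, s in purple_team_report(executed, events, rules).items()
                  if s == "missed")


if __name__ == "__main__":
    print("iteration 1:", purple_team_report(EXECUTED, SAMPLE_EVENTS, BASELINE_RULES))
    print("iteration 2:", purple_team_report(EXECUTED, SAMPLE_EVENTS,
                                             BASELINE_RULES + [LOGON_SCRIPT_RULE]))
```

The report is keyed on what the red team ran rather than on what the rules fired, which is the point of the exercise: a Technique that was executed but produced no alert is a monitoring gap even if the SIEM was otherwise noisy. In the first iteration the logon-script test is reported as missed; adding one rule and re-running the same events shows it closed.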
Summarising all of the above, it is clear that with the recent advancements Purple Teaming is becoming more and more accessible to the masses and is no longer an "elitist" activity. Don't get us wrong: someone choosing to go down that path will still need to invest a significant amount of time getting up to speed and properly set up before delving into it, but the knowledge and technology to help them accelerate towards that goal is available, and is becoming more so.
If you need help reaching your security's peak performance, Foregenix offers a number of services, including training, workshops, mock breaches, table top exercises, and pen-testing.