LAS VEGAS — The concept of Red and Blue security team testing is one that is well understood among many security professionals. The Red Team takes an offensive penetration testing approach to security aiming to expose risks, while the Blue Team is tasked with defending against attackers.
Justin Harvey, global lead for the Accenture Security’s Incident Response and Threat Hunting practice, thinks that it’s time to move beyond Red and Blue. In a session at the Black Hat USA security conference here, Harvey is set to detail how to use a Purple Team as part of an advanced pre-breach planning exercise that can help measure effectiveness. In a briefing with eSecurityPlanet ahead of his talk, Harvey provided insight into what the Purple Team concept is all about and how it can be used to improve security outcomes.
“Our approach to Red Team is zero-knowledge and zero notice for our clients,” Harvey said. “It’s not a scheduled penetration test, it’s a hyper-realistic simulation.”
In contrast, Accenture’s Blue Team does incident response, threat hunting and crisis management planning. Harvey noted that Accenture has found a gap between organizations that think they are ready for a breach and those that actually are.
Some organizations were only ready for a breach on paper. That is, they had been audited to confirm that all the tools and processes for security operations were in place, but those tools and processes had not all been tested in a live threat simulation.
“A Purple Team is where we use the Red Team to perform an attack,” Harvey said. “Then the Blue Team is embedded with the security operations or incident response team.”
Harvey explained that the Blue Team has several goals as part of a Purple Team exercise. One is to observe the security operations team during its response to the Red Team attack. The Blue Team also coaches the organization’s security operations people in the moment, guiding and instructing them as the response unfolds. Finally, at the end of the exercise the Purple Team delivers a set of recommendations that combines the expertise of the Red and Blue Teams with the lessons learned from the attack simulation.
“When we’re in the security operations center, the Blue Team won’t necessarily know that a Red Team operation is going on, which has led to some interesting engagements,” Harvey said. “What ends up happening is our clients get essentially a sparring partner to fight against.”
From a scheduling perspective, Accenture’s approach is to tell a client that a Purple Team test will occur once a quarter, while withholding the exact date and time of the test.
Harvey noted that with one client, the process improved security operations by gamifying it: the client expected an attack but didn’t know when, and so was constantly hunting for issues. In one instance, an Accenture client found an attack that it first took for the Red Team, but which turned out to be an active adversary.
Though the Purple Team approach can have a measurable impact on security, Accenture does not offer a formal warranty or guarantee that a customer will have no vulnerabilities after an exercise.
“A common theme with security executives is we never give a level of assurance that there are no vulnerabilities,” Harvey said. “But what we can do is we can give our clients a level of confidence that they are ready for an attack.”
In Harvey’s view, simply having an incident response plan is not enough to help organizations deal with security exploits and breaches.
“What we’re telling customers now is they need to develop a continuous response model and they need to assume they have already been breached and they have to work harder and faster to find those breaches,” he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.