Blue, Red, and Purple Approach

By Carmine Valente, CISSP | CISM | CISA, Vice President of Information Security at Paramount Global

In the past decade, cybersecurity has emerged as a paramount concern for individuals, businesses, and governments. The rapid proliferation of technology has revolutionized how people communicate, work, and transact and opened new avenues for malicious actors to exploit vulnerabilities in systems and leverage human weaknesses to deliver successful social engineering attacks. The cybersecurity threat environment has evolved dramatically, from common malware attacks to sophisticated state-sponsored espionage campaigns that pose significant risks to the integrity, confidentiality, and availability of sensitive information and critical infrastructure.

The increasingly complex technology evolution and the social challenges of the past few years have created the conditions for the cyber threat landscape to continue its constant evolution, specifically driven by the emergence of novel attack vectors, remote working, Internet of Things (IoT), Artificial Intelligence (AI), and the growing sophistication of adversaries. According to research made by Diogenes and Ozkaya, in July 2021, around 62% of the attacks on customers were possible because of their level of trust in their suppliers, requiring organizations to expand their threat analysis to capture attacks targeting their vendors and to increase their due diligence over vendors supporting their operations. The 2020 COVID-19 pandemic has also played a critical role in changing the cyber threat environment due to the significant increase in remote working and the introduction of vulnerabilities determined by home devices and Bring Your Own Device (BYOD). In April of 2022, the share of job postings that offered remote work reached 20.3%, which was more than double the share in January 2021 and many times more than the 3% to 5% estimate used by many for the pre-pandemic period.

As organizations endeavor to safeguard their digital assets, understanding the nature, motivations, and methodologies behind these threats becomes imperative. In this context, the concepts of the blue, red, and purple teams gain prominence as a proactive and defensive approach to cybersecurity aimed at preempting, detecting, and mitigating potential threats before they materialize into breaches.

Generally, while blue teams focus their effort on the defensive side of cybersecurity, keeping day-to-day critical cybersecurity operations running, red teams focus on the offensive side, identifying weaknesses. To enhance collaboration between these two teams, purple teams facilitate knowledge sharing, increasing the effectiveness of the overall cybersecurity defense strategy.

The collaborative efforts of red, blue, and purple teams are essential for fortifying organizational defenses against cyber threats. By leveraging their distinct mindsets, perspectives, and capabilities, these teams contribute to all aspects of cybersecurity defense and help significantly raise organizations’ overall cybersecurity posture.

Specifically, blue teams are essential for designing and implementing security controls to protect the organization’s systems and system data. This may include the implementation of controls specific to secure architecture to govern access and authentication to the organization’s IT infrastructure, intrusion detection mechanisms, encryption mechanisms, endpoint security, vulnerability management, application security, and the development of incident response plans and procedures to effectively respond to security incidents, including the execution of exercises and drills to test and refine these plans. Blue teams are also responsible for configuring and hardening systems and networks to reduce the attack surface and mitigate potential vulnerabilities, and for the deployment of internal monitoring capabilities such as Security Information and Event Management (SIEM) systems, and external monitoring capabilities through threat intelligence analysis to identify potential new and advanced threats coming from outside the organization, such as supply chain attacks.

One of the pitfalls of the blue team’s contribution to secure architecture, monitoring, testing, and threat intelligence analysis stands in the fact that blue teams operate according to a perception of effective security that is often obfuscated by business criticality, known vulnerabilities, and the organization’s risk tolerance. This strategic rather than tactical approach can often result in overlooking the perspective of external threat actors, missing potential threats, and leaving threat vectors available to attack the organization.

In this context, the red team takes the floor. The primary objective of this team is to simulate real-world cyberattacks against the organization’s systems and infrastructure, testing the effectiveness of the information security program by emulating the tools and techniques of likely attackers in the most realistic way possible, to identify vulnerabilities and weaknesses. This task may be achieved through multiple techniques, such as authorized penetration testing, to identify and exploit vulnerabilities within an organization’s systems architecture and network, or ethical hacking, emulating the tactics, techniques, and procedures (TTPs) of real adversaries, often without previous notice, to assess the organization’s ability to detect and respond to sophisticated cyber threats. Depending on the specific attack simulations, red teams may use tools like Nessus, Nmap, or SQLMap to launch attacks against different targets, or they can leverage social engineering techniques to launch attacks targeted at humans. The results of the simulated attacks are usually documented through detailed reports outlining their findings, along with recommendations for remediation and improvement.

Red teams can be highly effective as they look at the organization from outside, focusing on attack techniques rather than defense mechanisms, exploring the perspective of external threat actors when dealing with the measures implemented to ensure secure architecture, gathering insights into specific areas left unmonitored by the security team, and offering this view to the blue team. Conversely, a security approach heavily focused on leveraging red teams can result in the security team losing track of the organization’s mission and alignment with the business goals. Red Team engagements may give the organization a false sense of security by focusing solely on simulated attacks rather than addressing underlying security weaknesses and deficiencies. Organizations may mistakenly believe they are secure based on the absence of successful red team attacks, even if fundamental security issues remain unresolved.

As the tasks performed individually by the blue team and the red team play a pivotal role in raising the overall organization’s cybersecurity posture, the value of these tasks increases when they are leveraged as input to each other team’s development. The blue team can learn valuable lessons by analyzing the results of the red team’s exercises and their upcoming findings and observations, and use these observations to mitigate gaps by enhancing existing controls and security mechanisms or by implementing brand-new processes, controls, and techniques to account for threats and threat vectors that had not been considered before, such as zero-day vulnerabilities or emerging threats. On the other end, the red team can leverage the existing cybersecurity control framework and business know-how of the blue team to gain valuable knowledge and build more effective attack strategies tailored to specific business areas and operations.

In this scenario of cooperation, the purple team is critical to ensure collaboration between the blue and red teams, integrating the defensive tactics and controls from the blue team with the threats and vulnerabilities found by the red team into a single narrative that maximizes both. Some examples of purple team’s tasks include joint exercises between red and blue teams, such as tabletop exercises and simulation-based training, analyses of threat intelligence data to identify emerging cyber threats, adversary tactics, and potential vulnerabilities, and the creation of feedback loops between red and blue teams, helping to translate red team’s findings into actionable insights for the blue team.

In conclusion, the collaborative efforts of red, blue, and purple teams are essential for fortifying organizational defenses against cyber threats. By leveraging their distinct mindsets, perspectives, and capabilities, these teams contribute to all aspects of cybersecurity defense and help significantly raise organizations’ overall cybersecurity posture. Through continuous collaboration and knowledge sharing, organizations can cultivate a culture of resilience and adaptability, thereby enhancing their ability to mitigate the ever-evolving threat landscape in cyberspace.