BSidesLV 2017

You have heard of Red Team, Red vs. Blue Team and Purple Team exercises, but these approaches often miss two crucial aspects: communication and mentoring. An organisation doesn’t need to be overly mature to conduct a Purple Team exercise. This type of exercise can be divided into multiple stages when the business risks are well defined with communication and mentoring at the core of the engagement.

This presentation will describe how and why to execute a Purple Team exercise, as well as how to encourage upper management’s participation in this type of engagement. We will discuss techniques for executing a Purple Team exercise, along with the various types and levels of testing to assess the business risk using real case studies. This presentation will also include how to most effectively mentor the Blue Team.

Similarly to a Red Team, Purple Team exercises assess the business risks that can impact the business as a whole. The main difference between these two being that the Blue Team is involved throughout the engagement. Daily, weekly or monthly meetings are set with communication as the main objective. The Blue Team is responsible to detect, monitor and analyze the Red Team’s activities throughout the engagement. They communicate regularly with the Red Team to find solutions related to their findings rather than waiting for a finalized report that ultimately summarizes to the words “You’ve been pwned”.

Multiple levels of Blue Team involvement and mentoring approaches will be shown during the presentation. We will review different types of tests from predefined attack scenarios, which include real Red Team examples. We will focus on how this type of exercise can help the entire organisation improve their security from both a technical and strategic perspective, which will increase the value of this engagement when selling it to upper management.