High-level overview of purple teaming

General principles

Purple teaming (PT) – whether conducted in the testing phase or to enhance the replay workshop during the closure phase – needs to follow some fundamental principles, as outlined below.

Scope and objectives

For PT to be successful, the stakeholders involved must clearly define the scope, goals, objectives, timing and rules for the actual activity. These aspects should be first discussed during engagement and scoping of the TIBER-EU preparation phase to form a preliminary understanding of where PT could be anticipated. The risk management controls should be reviewed and where necessary adapted, as it is possible that different and more elaborated attack scenarios can be tested under PT.

Cooperative attitude among stakeholders

During PT, the TCT should continue to provide advice to the WT to support its management of the test. The objective should be to continue deriving the maximum possible value. The WT should also approach PT with an exploratory mindset to delve deeper into the attack scenarios and examine additional techniques and possibly additional attack scenarios. These scenarios may have a forward-looking, outside-the-box perspective that is extreme but plausible and should resemble attacks which could occur in the (near) future.

For PT to be successful, the BT and RT are expected to forge a different working relationship and maximise their collaboration throughout, to create a unique learning experience and enhance each other’s understanding. It should also take into account barriers between the various stakeholders that may hinder understanding due to different types of knowledge and expertise. Since information must flow between the different teams, language should be adapted so that all stakeholders have a common understanding. Stakeholders should be open-minded and mindful so as to create a bridge for open discussion and model this cooperative behaviour. To facilitate such behaviour, the RT should lead by example, clearly explaining its tactics and objectives to the BT, acknowledging the areas of strength and gradually opening up the conversation to the areas that need to be improved. This can be done by conducting live remediation to refine existing controls or implement new ones, for example.

The TCT and WT should approach PT with an exploratory mindset and retain a constructive attitude throughout. Close cooperation between the WT, RT and BT is crucial for the success of any PT. The BT and RT should have regular check points so that they can confirm their understanding of each other’s actions. The WT is instrumental in establishing a good basis for cooperation and needs to make explicit the roles and responsibilities within the PT setting.

Communication channels between stakeholders

For communication channels to be efficient and effective and to avoid misunderstandings, the WT should clearly define communication frequency and secure channels in advance, as foreseen in the TIBER-EU Framework. Formal (real-time) communication via secure channels (e.g. involving end-to-end encrypted email and chat) may not be in place between the RT and BT in the context of PT and should be implemented. Effective, efficient and transparent communication among stakeholders is a critical success factor for any TIBER test, and all the more so for PT.

Roles and responsibilities

The stakeholders involved in PT remain the same in both the testing and the closure phases.

The TIBER Cyber Team (TCT) serves as an adviser for all parties during PT. In particular, the TCT should ensure that the spirit, principles and processes envisaged in the TIBER-EU Framework are maintained and observed. Moreover, the TCT as a whole, and the TIBER test manager (TTM) in particular, has the power to invalidate a test if they assert that it has not been conducted in line with both the requirements set out in the TIBER-EU Framework and the spirit of the framework. Additionally, the TCT can object to using PT during the testing phase and suggest alternatives to overcome any hindrances encountered.

The White Team (WT) is responsible for making all the necessary decisions as circumstances arise and for ensuring that proper risk management controls are in place for the test to be conducted in an appropriate manner. In addition to making sure that risk management controls remain effective in PT, the WT must also ensure that:

  • stakeholders fully comprehend the agreed scope, goals and objectives when switching to PT during the testing or closure phases;
  • stakeholders are aware of and agree on the communication channels to be used, including between the RT and BT (under WT supervision);
  • appropriate arrangements are in place to facilitate the shift to PT and provide the clarity required by the RT and BT to be able to adapt to this new collaborative way of working;
  • the RT and BT adapt their behaviour when initiating and executing different types of PT, and cultivate cooperation and mutual support.

The Threat Intelligence (TI) provider provides expert judgement on the scenarios and the tactics, techniques and procedures (TTPs) to be used in PT. The involvement of the TI provider in PT is crucial in both the testing and closure phases, as scenarios may need to be adapted. Additional and more advanced scenarios or TTPs may be added, depending on test specificities and planning, resourcing and timing.

The Red Team (RT) carries out the simulated attack by attempting to compromise live production systems of the entity by mimicking the TTPs of threat actors, as described in the TIBER-EU Framework. In PT, the RT is responsible for the offensive aspects. The expert judgement of the RT should also be sought when considering and planning PT. The RT should work with the TI provider to validate the plan and provide a list of TTPs to be used during PT.

The Blue Team (BT) acts out, or is actively in charge of, all the defensive aspects of the scenarios being executed. The BT may also contribute to additional scenario types and variations by providing interesting leads and feeding information back to the RT in the course of PT. During PT, the BT might have difficulty shifting to a more cooperative attitude, particularly if the actions it is expected to take are not clear. The WT should communicate with the BT regularly to ensure the constructive nature of PT is maintained.