Purple Teaming Best Practices

Introduction

The TIBER-EU Purple Teaming Best Practices describe purple teaming: a collaborative testing activity that involves both the offensive attacker team (red team) and the defensive operator team (blue team) within a TIBER-EU test. It aims to complement a TIBER-EU test in specific situations, for example when a test could impact the production system, or to reap further benefits when closing a TIBER-EU test.

The TIBER-EU Purple Teaming Best Practices complement the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework, which enables European and national authorities to work with financial infrastructures and institutions to put in place a programme for controlled, bespoke tests that are based on realistic and genuine cyber threats. These tests, conducted on entities’ critical live production systems, mimic the tactics, techniques and procedures of real-life threat actors with a view to improving the entities’ resilience against sophisticated cyberattacks.

Conducting tests on live production systems underpinning critical functions contains an inherent element of risk of disruption, such as denial-of-service, unexpected system crash, damage to critical live production systems, or the loss, modification or disclosure of sensitive data. Every effort is therefore made to minimise these risks and to ensure that these tests are conducted in a controlled manner. For this reason, the TIBER-EU Framework requires the White Team to conduct a risk assessment prior to the test and to put in place active and robust risk management controls, as well as monitor and adjust these controls as needed during the testing process.

These best practices for purple teaming are derived from the experience gained from numerous tests conducted under the TIBER-EU process across several jurisdictions. These insights strongly indicate the need to recognise where purple teaming could be performed in the TIBER-EU process.

These best practices provide information about purple teaming in the context of the TIBER-EU Framework and can be used on a voluntary basis; they serve as guidance only and are not intended to address the specific circumstances of any particular individual or entity. They do not constitute professional or legal advice.

Purpose of this document

This document provides guidance on how purple teaming might be used in the testing and closure phases of a test conducted under the TIBER-EU process. It sets out to define what purple teaming is, together with its main principles, use cases and its potential types.

Target audience

These best practices are mainly intended to provide guidance to national TIBER Cyber Teams (TCTs), threat-intelligence (TI) and red-team (RT) providers and entities that are undergoing or planning to undergo TIBER tests, although they may also have a broader audience.

What is purple teaming?

Purple teaming (PT) is a form of collaborative activity that involves both the Red Team (RT) and the Blue Team (BT) in a TIBER-EU test and their corresponding offensive and defensive actions. Among other things, this can include insights into particular attack phases, detections, defensive actions and test reports. This increased collaboration helps to expand knowledge on the threat actors’ tactics, techniques and procedures (TTPs), prevent certain risks and to identify areas and actions that can be improved at people, process and technology level. It also helps to actively pinpoint weaknesses in protection and detection capabilities so that they can be addressed and incorporated in the remediation plan. Such collaborative PT may be undertaken in various ways, ranging from desktop discussions to full-scale testing exercises.

PT is not intended to replace the red-teaming nature of a TIBER test, during which, to achieve realistic testing conditions, the test is kept confidential and the BT is unaware of the activities of the RT. Rather, it is intended as a collaborative activity in particular circumstances, to increase the learning experience of the test. In PT, the BT of the entity undergoing the test may be partially or fully aware of the ongoing test and possibly even cooperate with the RT during execution.

Specifically, PT can be used during the following phases in the TIBER-EU process:

In the testing phase, it is used as a last resort when circumstances arise and only once all other options have been exhausted, subject to a proposal from the White Team (WT) and the non-objection of the TCT. It can serve as a response to continue or unblock a TIBER testing phase in a situation where the test would otherwise end prematurely. In such cases, PT is considered to be of limited scope and is conducted to supplement specific parts of the attack scenarios, with the sole aim of maximising the value of the test and the return on investment in terms of learning opportunities. The reasoning and rationale put forward by the WT to continue the TIBER test requires careful assessment by the TCT to ensure alignment with the TIBER-EU requirements and the spirit of the framework. Potential types of PT during the testing phase are described in Section 5.1.

In the closure phase, it can be used to enhance the mandatory replay workshop¹ (as described in the TIBER-EU Framework) and is highly recommended. In this phase, PT consists of different review activities using specific scenarios (which may differ from the attack scenarios) to better understand how effective the defensive controls were or would be against the offensive attacks. This helps maximise the value of the test. Potential types of PT during the closure phase are described in Section 5.2.

Definitions of the TIBER Cyber Team (TCT), White Team (WT), Blue Team (BT), Red Team (RT) and Threat Intelligence (TI) providers can be found in the TIBER-EU Framework.

Structure of the best practices

The remainder of this document is structured as follows:

  • Section 2 – High-level overview of purple teaming
  • Section 3 – Purple teaming in the testing phase
  • Section 4 – Purple teaming in the closure phase
  • Section 5 – Types of purple teaming

  ¹ Although in some jurisdictions, PT is specified as a mandatory element in the national implementation guide.