Purple teaming in the closure phase
Rationale
As described in the TIBER-EU Framework, it is optional but highly recommended that PT (purple teaming) be performed on top of, or in combination with, the mandatory replay workshop.1 PT in the closure phase helps to optimise collaboration between the red team (RT) and the blue team (BT) and to maximise learning opportunities, defence capabilities, situational awareness and ultimately the return on investment of the whole test.
A well-executed PT activity in the closure phase (see Figure 2) can give the entity a comprehensive review of how effective its controls are at each layer of the in-scope infrastructure, and can improve the detective controls that are crucial for shedding light on suspicious activity.
Figure 2: Indicative PT timeline in the closure phase
Planning
If planned for the closure phase, PT should ideally be scheduled shortly after the delivery of the final RT and BT reports, close to, or in conjunction with, the replay workshop. This timing ensures that PT is carried out while the details and observations noted during the testing phase are still fresh in the minds of the BT and RT.
There are no uniform PT duration or scope requirements, as PT is tailored individually to each test. However, when selecting the appropriate PT type for the closure phase, it is strongly recommended to consider:
- that the form PT takes will vary depending on the specific nature of the test;
- how to further strengthen the collaborative engagement between BT and RT, so as to identify alternative attack steps the RT could have taken and the ways in which the BT could have detected and responded to them;
- the effectiveness of the defensive controls against the offensive actions observed, and how to maximise the value of the RT and BT working closely together in PT specific to the closure phase.
Results
PT in the closure phase allows particular aspects of a TIBER-EU test to be examined and evaluated in more detail, free of the constraints present in the testing phase, such as the need to avoid detection by the BT and the limited number of participants. In particular, it makes it possible to draw directly on the expert knowledge of the RT to revisit and address the specific areas the tested entity considers most important.
PT can therefore lead to a deeper understanding of the interconnections and implications of the offensive and defensive measures most relevant to the tested entity. It can demonstrate and highlight the potential consequences from both a technical and a business perspective (e.g. remediation effort, recovery time, business continuity) and thereby inform considerations beyond the technical realm. As a result, PT can foster a better understanding of the consequences of an attack, of how an attack could spread further, and of alternative ways to enhance protection and detection.
The results of PT feed directly into the refinement of recommendations and remediation planning, which in turn enhances the cyber resilience of the tested entity. They might also feed into other operational resilience exercises and improve the entity's operational risk and information security/cyber resilience programme or framework; one example is reusing the scenarios in crisis simulation and coordination exercises.
1. In some TIBER-EU jurisdictions, PT forms an integral part of the mandatory replay workshop.
