Purple Team Exercise

Deloitte's Purple Team exercise enhances both defensive (Blue Team) and offensive (Red Team) capabilities, giving your organisation a more effective exercise.

Challenges

Is your organisation getting the most out of your Red Teaming exercises?

Nowadays, most organisations leverage teams of simulated attackers (Red Team) and defenders (Blue Team) to test assumptions about the state of their IT security. Purple teaming effectively combines these two separate efforts into an integrated and cooperative approach that allows for rapid, iterative improvement of the security posture. With the focus on cybersecurity, continual feedback between the two groups broadens the Blue Team’s knowledge and rapidly improves its defence capabilities. This function is commonly referred to as the Purple Team exercise (Red and Blue mixed together).

The Red and Blue Teams’ efforts are combined in an interactive setting: different real-world attack scenarios are performed while the Blue Team actively watches which elements are and are not detected. Afterwards, both the Blue Team and the Red Team improve their approaches and retry.

Our approach

Our purple teaming approach is modelled in clearly defined sprints. As part of each sprint, scenarios are designed, corresponding SOC use cases identified, the simulation is executed, and improvements identified in a loop. Depending on client wishes and requests, we can report observations and recommendations in a memo, as well as aid in implementation of additional measures for prevention, detection and response to the tested scenarios.

  1. Preparation

    Every exercise requires preparation and so does the Purple Teaming exercise: scope and targeted scenarios are identified and agreed, to simulate different threats.

  2. Execution

    The Red Team will openly perform attacks on the network while the Blue Team will try to identify the Red Team’s activities with their tools and procedures.

  3. Improve

    If the Blue Team detects and responds to the Red Team’s attack, the Red Team will increase the sophistication of the attacks to identify the boundaries of the use cases. Once the objectives are reached and/or the Red Team is caught and stopped, a debrief takes place to discuss findings. The focus of the debrief is to find room for improvement of detection controls.

  4. Defence

    The Blue Team will improve the use cases and responses to the Red Team’s attacks. The sophistication of the attacks will be increased until both teams agree that the use case has been optimised. A new round, with improved attack and defence, can now commence. Iterations are performed until the findings no longer result in a significant increase in detection capabilities for the specific type of activity being tested. The SOC is aware that this activity will eventually take place, but not of the exact moment, in order to obtain the most natural response to an incident. This provides high-level insight into how the detection capabilities of the SOC have increased. Every improvement is evaluated, along with its detection. Any missed techniques which could have been detected will be investigated, and recommendations for improvement will be made.

  5. Optimize

    The two teams sit together in an interactive session in which they share their most important findings and reflections on how they can improve. The SOC team is informed of the Red Team campaign that was performed and the attack path that was used. This means that the SOC can now start to form an idea of why they were (or were not) able to detect some of the attack techniques used by the Red Team.

Although the overall process for purple teaming will always follow a similar pattern, variations in the execution phase are possible. Options range from a fully paper-based approach to actual attack simulation. Apart from various execution methods, we can also change the scope from very broad, down to focused entirely on a single link of the kill chain. By performing a threat assessment workshop before we start, we ensure that any and all simulated attacks are in line with your organisation’s actual threat landscape.

Deloitte specialists assist your organisation with the high-level design, making sure that every aspect is taken into account.

Why Deloitte?

Awarded market leaders

We strive to continuously lead the market in the area of cyber risk and security services. We are awarded and acknowledged by some of the most renowned institutions within the area of cyber, e.g. Gartner, ALM Intelligence and Forrester. In 2020, we were named global leader in Security Consulting Services for the 9th year in a row by Gartner.

Leading-edge technologies

We are committed to investing in innovation and emerging technologies to ensure that we are equipped with the latest tools to solve current and future challenges for our clients. Alliances with market-leading cyber vendors and groundbreaking startups around the world offer our clients access to a wide range of cyber-risk technologies and leading-edge technology innovation.

Global intelligence delivered locally

We have the largest professional services network in the world. Diversity across our cyber teams helps us work across the globe with a local and personal lens. We have over 8,600 dedicated cyber-risk service practitioners of which 1,300 are dedicated to Europe and the Middle East alone, ready to help our clients everywhere with any challenge.

End-to-end cyber-risk services

We cover every aspect of cyber risk — from advisory and implementation of strategic transformations to managed security services, product solutions and incident management. This enables us to deliver more resilient and silo-breaking solutions, taking the whole business chain into account. This helps our clients to leverage their potential and growth even more.

Reach out

Want to get the most out of your Red Teaming Campaign? Contact a member of our expert team today to discuss the best next steps.

Martin Wang Nexø

Director