Purple Teaming

Collaboration

Purple teaming is a collaborative cybersecurity exercise where red and blue teams work together to improve detection and response capabilities. Unlike traditional red team engagements where the blue team is unaware, purple teams share knowledge in real-time to maximize learning.

Purple Team Philosophy

Purple teaming is not a separate team—it's a mindset and methodology. The "purple" represents the blending of red (offensive) and blue (defensive) to create a unified security improvement process.

Goal: Maximize organizational learning by removing adversarial dynamics and focusing on measurable security improvements.

Purple Team vs Red Team

Aspect               Red Team                     Purple Team
-------------------  ---------------------------  ------------------------------
Blue Team Awareness  Unaware (blind test)         Fully aware (collaborative)
Communication        Post-engagement debrief      Real-time collaboration
Objective            Test detection capabilities  Improve detection capabilities
Duration             Weeks to months              Hours to days (per technique)
Outcome              Report of findings           Validated detection rules

Purple Team Exercise Workflow

Phase 1: Technique Selection

Red and blue teams jointly select an ATT&CK technique to test (e.g., T1003.001 - LSASS Memory Dump).

Phase 2: Red Team Execution

Red team executes the technique in a controlled environment while blue team monitors detection tools.

Phase 3: Detection Analysis

Blue team analyzes logs, alerts, and telemetry. Did the SIEM trigger? Did the EDR catch it? What was missed?

Phase 4: Improvement

Blue team creates new detection rules, tunes existing alerts, and adjusts EDR policies based on findings.

Phase 5: Validation

Red team re-executes the technique to confirm the new detection rule works. Iterate until detection is reliable.

Start with High-Impact Techniques

Focus on techniques your threat model indicates are most likely (e.g., if ransomware is a concern, test T1486 - Data Encrypted for Impact). Don't try to cover all 200+ ATT&CK techniques.

Example: Detecting Mimikatz

Scenario

Red team will dump LSASS memory using Mimikatz (T1003.001). Blue team will attempt to detect it.

Iteration 1: Baseline

Red Action: Run mimikatz.exe "sekurlsa::logonpasswords"

Blue Result: EDR blocks execution (signature detection)

Finding: Known malware signatures work, but what about custom variants?

Iteration 2: Evasion

Red Action: Use Invoke-Mimikatz with obfuscation

Blue Result: No alert. SIEM shows PowerShell execution but no LSASS access logged.

Finding: Need behavioral detection for LSASS memory access, not just file signatures.

Iteration 3: Behavioral Detection

Blue Action: Enable Sysmon Event ID 10 (ProcessAccess) for LSASS.exe

Red Re-test: Run Invoke-Mimikatz again

Result: Alert triggered! SIEM shows "PowerShell.exe accessed LSASS.exe memory"

Outcome

Blue team successfully implemented behavioral detection for credential dumping. Detection rule validated and pushed to production.

Purple Team Metrics

Measure purple team effectiveness with these KPIs:

  • Detection Coverage: % of tested ATT&CK techniques with working detection rules
  • Mean Time to Detect (MTTD): How quickly alerts fire after technique execution
  • False Positive Rate: How often detection rules trigger on benign activity
  • Response Effectiveness: Can blue team contain the threat before objective is achieved?
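The Iteration 3 detection and the MTTD metric, as an added example that is not code from the original page: it evaluates constructed Sysmon Event ID 10 (ProcessAccess) records against a behavioral rule (target is lsass.exe, source process is not on an allowlist, and the granted access mask includes PROCESS_VM_READ) and measures seconds from red team execution to the first alert. The field names (UtcTime, SourceImage, TargetImage, GrantedAccess) are Sysmon's own; the allowlist, sample events and timestamps are constructed for illustration.

```python
from datetime import datetime

PROCESS_VM_READ = 0x0010   # access right needed to read another process's memory
SYSMON_TIME_FMT = "%Y-%m-%d %H:%M:%S.%f"

# Constructed allowlist of processes that legitimately open lsass.exe on this host;
# extending it in later iterations is how the false positive rate is driven down.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

# Constructed Sysmon EID 10 records: a benign csrss access, the PowerShell access
# from Iteration 3, and a query-only access that must not alert.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-05-01 10:00:00.000", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"UtcTime": "2024-05-01 10:00:07.500",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"UtcTime": "2024-05-01 10:00:09.000", "SourceImage": r"C:\Tools\procexp64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
]

def is_suspicious_lsass_access(event):
    """True when a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return False
    if event["SourceImage"].lower() in ALLOWED_SOURCES:
        return False
    return bool(int(event["GrantedAccess"], 16) & PROCESS_VM_READ)

def detect(events):
    """Return (UtcTime, message) alerts in the SIEM wording from Iteration 3."""
    alerts = []
    for e in events:
        if is_suspicious_lsass_access(e):
            src = e["SourceImage"].rsplit("\\", 1)[-1]
            alerts.append((e["UtcTime"], f"{src} accessed LSASS.exe memory (GrantedAccess={e['GrantedAccess']})"))
    return alerts

def time_to_detect_seconds(alerts, execution_utc):
    """Seconds from red team execution to the first alert (None if nothing fired)."""
    if not alerts:
        return None
    first = min(datetime.strptime(t, SYSMON_TIME_FMT) for t, _ in alerts)
    return (first - datetime.strptime(execution_utc, SYSMON_TIME_FMT)).total_seconds()
```

With the constructed records, detect(SAMPLE_EVENTS) yields one alert for powershell.exe, and time_to_detect_seconds(alerts, "2024-05-01 10:00:05.000") returns 2.5.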

Document Everything

Create a "Purple Team Playbook" documenting:

  • Techniques tested
  • Detection rules created
  • Evasion variants attempted
  • Remaining detection gaps

This becomes a living document showing security maturity over time.