Being Purple

Person: “Do you enjoy being on the blue team or the red team?”
Me: “Neither.”
Person: “What do you mean? You either like to defend or you like to attack.”
Me: “I like being purple.”

Allow me to explain…

The InfoSec community has an affinity with seeing itself as offense vs. defense, good guys vs. bad guys, adversaries vs. protagonists. This black and white mindset permeates many individuals, but the reality of the landscape is often much more of a gradient or scale. Much like there are black hats and white hats, there are also gray hats, or those that reside somewhere in the middle in their motives, motivations, TTPs, and overall mentality. The purple teamers are the gray hats of the professional InfoSec world. Most small-to-medium organizations when looking for InfoSec professionals are looking for ‘unicorns’ and ‘jack of all trades’, but most individuals see themselves in a linear light as a defender or attacker. Larger organizations can often afford to silo their teams into strictly defending or attacking, but that is oftentimes not the reality for companies most affected by breaches, medium size businesses.

All organizations would be greatly impacted by seeing the value in their InfoSec teams being more ‘purple’ or at least hiring individuals that embrace this mindset. Being purple means understanding both attacks and defense, proper network and security architecture, but most importantly how all of this applies to the individual organization. In addition to the technical/security aspects of a good purple teamer, they should understand business principles, processes, and how to mesh all this knowledge together. Purple teamers may not be the best attackers in your organization, or the best defenders, but there is inherent value in being able to properly translate between the two, a key step that is often missed by many InfoSec teams.

Tasks that would be better suited for your purple team than your blue or red teams include: vulnerability management, security project management, risk analysis, security solution gap analysis, and the mitigation of all these tasks. Even if the administrators are the ones to put the changes in place, the purple team overseeing the process and project management will often net in better results. Your red team overseeing the mitigation of vulnerabilities they discover would often not be done with the business in mind and mitigation should not be the goal of this team to begin with. The purple team is an arm of the business and the InfoSec teams, mitigating and mediating between the two to provide actual value and mitigate business risks.

A request from a strong advocate of the purple team…

Defenders, please spend some time understanding the other side of the coin. Play around with attacks, read some articles or watch some videos on how your network would be breached, think about your network as if you were a bad guy.

Attackers, likewise, spend time understanding what it means to defend the organization you are attacking. How difficult is it to put in patches in your enterprise environment? What’s the network architecture like? Can you make any suggestions coming from an adversarial standpoint that you may have missed without seeing the flip side? How would you stop yourself? You can bang against systems all day and sometimes not understand all the mechanisms and hops between yourself and the end device.

Everyone in InfoSec, spend more time understanding the business you are working for or with. Is what you do every day even providing value back in some way? When was the last time there was a serious look at external endpoints? How up to date are the inventories or how complete are they? What does it take and what is the benefit for deploying a specific patch? How likely is it for you to be breached by not patching? These are some things that you can ask yourself and work into your processes to help be more purple.