What you need to know about a purple team project
“Purple team” is really the collaboration of the “red team” and the “blue team”. I assume you are already familiar with these terms. In this post I share what I learned and experienced.
First of all, the goal
Every project and operation has its own goal. In a kickoff meeting you are told the goal of the project and, depending on your role and which side you are on (Red/Blue), what you are going to work on and how.
Usually the goal of a purple team operation is to find security gaps: to see how a red team op would unfold, how the deployed security solutions respond, and how the blue team (SOC, incident response team and so on) takes action.
Based on the goal, scopes are set
Scopes are the lines being drawn: what to test (attack) and what to leave alone. For example, the client wants a test operation on one office network only and asks you to ignore the company's other assets (the main office, other staff, websites and so on), so you know exactly who and what you are dealing with. Scoping can also name specific target machines: for example they want you to target only Windows machines and leave their operational business machines unharmed. Which leads you to the next step.
Based on scopes, profiles get set
By profiles, I mean the security configuration on each machine (you may also know them as security profiles or by other names).
For example,
an organization uses EDR N on its Windows desktops (take single-letter names as stand-ins for brand and provider names), which also sends the endpoint logs to its own dedicated SIEM. What this security solution logs is determined by its own capabilities and telemetry (we will talk about telemetry later). The machines are joined to an AD domain, and so on.
Their Windows servers are also part of the AD domain and serve the users, but besides having N installed they also send Sysmon logs to the SIEM, and their traffic is monitored with an NSM.
Their Linux servers are unreachable to normal employees from the internal network; only admins have direct access. They use a different EDR here, with a separate SIEM, and they collect auditd, SSH authentication and script block logs.
Each of those three paragraphs describes a security profile for a different kind of machine. Scenarios can vary further (one set of Windows desktops versus another, for instance), depending on the security architecture of that organization.
Now what do we do with these? In a purple team op, whichever side you are on, or if you lead the operation, you have to vary your actions per profile, which means your reports will differ too. Especially on the Red side, you may now need to modify your payloads to bypass EDR N, or to account for script block log detection on the Linux servers.
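One way to make the profiles above actionable before the op starts is an expected-visibility matrix: the profiles as data, the planned test steps with the telemetry each is expected to leave evidence in, and a computed view of where (which source, which SIEM) the blue team should see each step and which steps are expected to leave no trace at all. The script below is an added example, not code from the original post; the profile contents follow the three paragraphs above, while the step names, the step-to-telemetry mapping and the SIEM names (siem_a, siem_b) are hypothetical placeholders that the red and blue leads would fill in from their own telemetry review.

```python
"""Expected-visibility matrix for a purple team plan (added example).

Profiles mirror the three machine classes described in the post. The mapping
from each planned step to the telemetry sources it is expected to show up in is
an assumption agreed between red and blue before the op; values here are
placeholders.
"""
from dataclasses import dataclass


@dataclass
class Profile:
    name: str
    telemetry: dict  # telemetry source -> SIEM it is shipped to


# Desktop, Windows server, Linux server, as in the post (SIEM names hypothetical).
PROFILES = [
    Profile("windows_desktop", {"edr_n": "siem_a"}),
    Profile("windows_server", {"edr_n": "siem_a", "sysmon": "siem_a", "nsm": "siem_a"}),
    Profile("linux_server", {"edr_m": "siem_b", "auditd": "siem_b",
                             "sshd_auth": "siem_b", "script_block": "siem_b"}),
]

# Planned steps: the profiles they are run against and the telemetry sources
# they are expected to leave evidence in (hypothetical mapping).
TEST_STEPS = {
    "internal_port_scan": {"targets": {"windows_desktop", "windows_server", "linux_server"},
                           "telemetry": {"nsm"}},
    "ssh_password_spray": {"targets": {"linux_server"},
                           "telemetry": {"sshd_auth", "nsm"}},
    "lsass_dump":         {"targets": {"windows_desktop", "windows_server"},
                           "telemetry": {"edr_n", "sysmon"}},
    "encoded_powershell": {"targets": {"windows_desktop", "windows_server"},
                           "telemetry": {"edr_n", "sysmon", "script_block"}},
    "cron_persistence":   {"targets": {"linux_server"},
                           "telemetry": {"auditd", "edr_m"}},
}


def expected_visibility(profile, step):
    """Sources this profile actually ships, mapped to the SIEM they land in."""
    return {src: profile.telemetry[src] for src in sorted(step["telemetry"])
            if src in profile.telemetry}


def build_matrix(profiles, steps):
    """profile -> step -> {telemetry: siem}, only for steps that target the profile."""
    return {p.name: {name: expected_visibility(p, step)
                     for name, step in steps.items() if p.name in step["targets"]}
            for p in profiles}


def visibility_gaps(matrix):
    """Steps expected to leave no evidence on a profile: the gaps to report first."""
    return {name: sorted(step for step, seen in row.items() if not seen)
            for name, row in matrix.items()}


def siems_to_watch(matrix, step):
    """Which SIEMs the blue team should have open while this step runs."""
    return sorted({siem for row in matrix.values() if step in row
                   for siem in row[step].values()})


if __name__ == "__main__":
    m = build_matrix(PROFILES, TEST_STEPS)
    for profile, row in m.items():
        for step, seen in row.items():
            print(f"{profile:16} {step:20} {seen or 'NO EXPECTED EVIDENCE'}")
    print("gaps:", visibility_gaps(m))
```

With these placeholder profiles the scan step has no expected evidence on desktops or Linux servers (only the Windows servers' traffic goes through the NSM), which is exactly the kind of gap both sides want written down before anyone argues about a missed alert during the op.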
Action!
Meetings, timings and deadlines get set so you know what to do, when to do it and when to finish. This part mostly falls to the project manager or the operation lead: e.g. you have to finish the recon phase in the first week, have your payloads ready by day 20 of the project, and so on (offense side).
Of course, documentation is very important in this step
You have to document every action you take, whichever side you are on. For example, on the red side, when you run a recon script, screenshot the command you ran along with its output and the time and date shown on your desktop, so you know what you ran, what you got and when you did it.
On the blue side, document every finding: what alerts you got, what you found during investigation (commands, arguments, files and so on), what anomalies you detected, and whether other alerts or behaviours showed up at the same time as, or close to, the first item.
This documentation lets you write a clear report.
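Screenshots answer "what, what result, when" for one action, but the reason the timestamps matter is that the blue side's alerts have to be lined up against the red side's actions afterwards. The script below is an added example, not code from the original post: it wraps each red command in a logger that appends a JSON line with UTC start/end times, the command, its return code, captured output and a SHA-256 of that output (so a screenshot or attached file can be tied to the entry), and a correlate() helper that pairs each logged action with blue alerts on the same target within a window after the action started. The JSON-lines format, the field names, the 5-minute window and the sample actions and alerts are all assumptions constructed for the example.

```python
"""Timestamped red-side action log plus blue-side alert correlation.
Added example, not code from the original post; field names, the JSONL
format and the sample data are constructed for illustration.
"""
import hashlib
import json
import subprocess
import sys
import tempfile
from datetime import datetime, timedelta, timezone


def run_and_log(log_path, operator, target, cmd, note=""):
    """Run cmd, append one JSON line recording what ran, what came back and when (UTC)."""
    started = datetime.now(timezone.utc)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    finished = datetime.now(timezone.utc)
    entry = {
        "started_utc": started.isoformat(timespec="seconds"),
        "finished_utc": finished.isoformat(timespec="seconds"),
        "operator": operator,
        "target": target,
        "command": cmd,
        "returncode": proc.returncode,
        "stdout": proc.stdout,
        "stderr": proc.stderr,
        # hash of the captured output, so a screenshot or attached file can be tied to this entry
        "output_sha256": hashlib.sha256((proc.stdout + proc.stderr).encode()).hexdigest(),
        "note": note,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def load_log(log_path):
    """Read the JSONL action log back into a list of dicts."""
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def correlate(actions, alerts, window_minutes=5):
    """For each red action, list blue alerts on the same target raised within
    window_minutes after the action started. An empty list is a detection gap."""
    window = timedelta(minutes=window_minutes)
    result = []
    for a in actions:
        t0 = datetime.fromisoformat(a["started_utc"])
        hits = [al["name"] for al in alerts
                if al["target"] == a["target"]
                and t0 <= datetime.fromisoformat(al["time_utc"]) <= t0 + window]
        result.append({"started_utc": a["started_utc"], "target": a["target"],
                       "command": a["command"], "alerts": hits})
    return result


# Constructed sample data (not from a real engagement): two red actions that
# were alerted on, one that was not.
SAMPLE_ACTIONS = [
    {"started_utc": "2024-03-01T10:00:00+00:00", "target": "ws-01", "command": ["creds.py"]},
    {"started_utc": "2024-03-01T10:00:30+00:00", "target": "srv-02", "command": ["recon.sh", "--quick"]},
    {"started_utc": "2024-03-01T11:00:00+00:00", "target": "ws-01", "command": ["persist.ps1"]},
]
SAMPLE_ALERTS = [
    {"time_utc": "2024-03-01T10:02:10+00:00", "target": "ws-01", "name": "EDR N: credential access tool"},
    {"time_utc": "2024-03-01T10:01:30+00:00", "target": "srv-02", "name": "NSM: port scan"},
    {"time_utc": "2024-03-01T10:40:00+00:00", "target": "ws-01", "name": "Sysmon: suspicious parent"},
]


def demo():
    """Run a harmless command through the logger and read the entry back."""
    with tempfile.TemporaryDirectory() as d:
        path = f"{d}/actions.jsonl"
        run_and_log(path, "red-1", "ws-01", [sys.executable, "-c", "print('recon ok')"], note="demo")
        return load_log(path)[0]


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    for row in correlate(SAMPLE_ACTIONS, SAMPLE_ALERTS):
        print(row["started_utc"], row["target"], row["command"], row["alerts"] or "NO ALERT")
```

Both sides keep their own log, but because every entry carries a UTC timestamp and a target, the two can be merged mechanically at the end; the rows whose alert list comes back empty are the detection gaps the report has to explain.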
Report
Now, based on which side you were on, what you got and how you documented each step, you gather your data in the formal required format (the organization's official document template, with sections, numbered screenshots and figures, formal sentence structure and so on).
This can be the most exhausting and boring part, since the excitement was in the action, I know, but you have to show proof of what you did and its results to the client, the manager and everyone else who has a role in paying for your awesome services.
Recap
So we have goals, scopes, profiles, taking action and showing off what we just did. Simple, isn't it? Of course it is not that simple, but I hope you got an overall perspective on how things work. There are tons of variables in each project that can affect this structure, but from what I have seen this is how it usually goes, with some parts shared with a pentest project.
Wish you luck.