Originally invented for wargaming, the “oppositional teams” concept was widely adopted by the cybersecurity industry decades ago. Today, Blue Teams and Red Teams are standard concepts in security simulations and testing, especially in large companies–and more recently, we’ve seen the addition of Purple Teams, as well.
However, in our conversations with customers of different sizes and across different industries, we’ve encountered a surprisingly wide variety of definitions of what these teams do, which skill sets are needed, and how to build them. In this post, we’ll propose a level-set on this topic, and explain how the Bugcrowd Security Knowledge Platform enables and contributes to the full “color wheel” of team goals.
Put simply, Red Teams attempt to successfully attack without getting caught, Blue Teams attempt to prevent and catch the Red Team, and Purple Teams unpack the lessons learned through the interactions between the two.
Blue Teams (“Defenders”)
Blue Teams have the task of constructing defensive measures based on known threats and then improving them based on evidence of compromise (by Red teams or externally) and thwarted attempts to compromise, with Mean Time to Detection and Mean Time to Response being key metrics. They will also very likely be responsible for incident response plans should a breach occur. In addition to thoroughly understanding the attack surface, Blue teamers need a proactive, curious mindset and ideally, a subset of Red skills for anticipating attack vectors.
Red Teams (“Attackers”)
Red Teams, as you would expect, are responsible for simulating goal-oriented internal or external attacks, and subsequent lateral movement, using the same tools and techniques as malicious actors–ideally under a “black hat” pretext. The goal, of course, is to mimic adversary behavior in order to uncover hidden risks in the attack surface in an unscoped manner. For Red teamers, an attacker skill set, toolbox, and mindset are must-haves.
Purple Teams (Hybrid)
Sometimes, the dynamic between Blue and Red Teams and their often contradictory goals can carry the risk of mistrust and dysfunction, creating a “winner take all” culture that leads to distorted results such as a Red Team that always wins. (Ideally, the frequency with which Red Teams are thwarted increases as the organizations defensive capabilities improve.) To this end, the collaborative Purple Team concept has become popular recently, particularly in larger and/or particularly sophisticated security teams.
In this approach, a separate group adopts and implements Blue and Red Team techniques, bridging the gap between attacker and defender mindsets, to assess security posture more holistically. The theory is that utilizing internal knowledge about attack surface and defenses will enable more targeted assessment of security posture, and that a hybrid skill set will enable more creative ways to find hidden vulnerabilities. For example, the Purple Team may help the Blue Team design a more sophisticated network defense strategy based on specific knowledge about end points, firewalls, and so on, or help them understand how a Red Team would attack the existing environment.
A Third Way
At Bugcrowd, we’ve enthusiastically endorsed the idea of building connections and mindshare between “builders and breakers”, as the concept was described prior to the “Purple Team” moniker, since the company’s inception. However, we always encourage customers to think of Purple teaming as a continuous, two-way learning process that bridges the Blue and Red Teams–not necessarily as a separate group of people, either in a new team or embedded within those existing teams, with different responsibilities or skill sets (although that may be the preferred approach in some cases). In other words, if the Purple approach is about improving collaboration and knowledge sharing between two teams, building yet another one may well be counterproductive.
According to the traditional definitions, the Blue/Red/Purple Teams dynamic is often illustrated as a Venn diagram:
Based on the alternative described above, we could also look more like this, with a Purple process “bridge” spanning the the two teams/functions:
Where The Bugcrowd Platform Fits In
Whatever approach you take, the Bugcrowd Security Knowledge Platform contributes to all three of these functions in a few important ways. For example, with Bugcrowd:
- Customers can complement and augment their Red Team with a crowd of trusted ethical hackers precisely curated for their needs, targets, and environment. As a result, their Blue Team will get continuous and diverse insight into real-world attack techniques, vectors, and attack surface risk because they will see externally produced reports, and the risk patterns and trends reflected in them, with their own eyes. That anticipation of attacker behavior and its application to improved defenses is precisely the purpose of Purple Teams, and what allows you to burn down risk faster and in a strategic/purposeful way.
- Bugcrowd customers standardize and scale workflows between Blue and Red Teams, enabling the collaboration and knowledge sharing required (“building the bridge”) for a Purple approach to testing–with or without the presence of a separate team.
- The platform’s tight integration with your SDLC creates the feedback loop into Engineering that’s needed to help Blue Team thinking “shift left” into development practices, completing and cementing the connection between builders and breakers.
Color Teams Unite!
Whatever your approach to color teams, Bugcrowd is here to make collaboration and knowledge sharing easier, more productive, and more scalable–across internal teams as well as with the global security researcher community.