My Journey to Becoming a Purple Teams MC

by | Mar 17, 2025

Moving from Penetration Testing to Purple Teams

When I started my cybersecurity consulting career, I focused my efforts on what I thought was the coolest area – penetration testing. It’s an area that attracts many newcomers – who doesn’t want to be a “hacker”? Whether it was internal network, external network, web application, mobile application, or physical assessments, I did it all. I had a blast and learned an immense amount, facing new challenges each week and expanding my knowledge base of vulnerabilities and their remediations. For about three years, my routine involved conducting assessments, writing reports, and presenting findings to clients.

As time went on, I realized something that changed my career path entirely. When it comes to penetration testing, there is one key factor that is often lacking in third-party penetration tests. Most are done with minimal engagement with the client. Clients are left wondering what we ran, when we ran it, what was blocked by their tools, and if they missed any detections during testing. All of this, paired with remediation advice that only goes so far without a deeper understanding of the client's security landscape and internal processes, often led to repeat findings during future penetration tests. There had to be a better, more impactful way to deliver tailored remediation advice that the client security team can analyze and implement. All of this can be solved by that one key factor that is missing from traditional penetration tests: collaboration.

That is when I started to get more involved with SRA’s Purple Team services. Unlike traditional black box assessments, Purple Teams operate in a live, collaborative fashion. We work directly with the client, sharing knowledge to bridge the gap between offensive and defensive cybersecurity. It’s an incredible concept and one that attracted me – not only are you executing real-world techniques and procedures, but you’re also *discussing* them with the team responsible for defending against them. This is often the first time Blue Teamers get to watch and learn the adversary perspective. This approach brings a connected, human element to what is typically a removed interaction between teams and serves as an excellent medium for knowledge transfer. There is a great comparison of Penetration Tests and Purple Teams in this blog, Penetration Testing in a Continuous Security Testing Program.

If you’ve never conducted a penetration test in front of the client you’re working for, let me tell you, it is *intimidating* at first. I wanted to Purple Team, yet if I saw one in my schedule I’d be anxious about it for weeks! I swear the number of typos goes up with the number of eyes watching you (curse you, demo gods). But, as with all things, this anxiety passed. With more and more Purple Teams under my belt, I became much more comfortable operating in front of a live audience and engaging in the conversations that spawn from each test case. It was a long journey to gain that level of comfort – talking through execution as you run live payloads on a client machine for everyone to see.


The Role of the Purple Teams MC

I reached a point where I was well-versed in performing Purple Teams as an operator. I knew caveats of certain test cases, common obstacles and troubleshooting steps, and actively engaged with the client to learn more about their unique internal processes. I was comfortable, yet growth requires stepping out of your comfort zone.

I decided to “Level Up” and step into the lead Purple Team role – the “MC” or “Master of Ceremonies”. The MC is responsible for guiding their team of operators towards smooth, efficient execution using their Red knowledge as a foundation. MCs also carry the lead speaking role – introducing and describing test cases as well as spawning conversations with the client to dig into their tool responses and incident response processes. MCs use their Blue knowledge as a foundation to speak to expected security tool behaviors and ideal results post-execution. The MC is the most crucial role in the Purple Team: you are in control of how this live engagement goes, not only on a technical level of execution and outcome capture, but also on a social level. At the end of the day, we are all human. Talking to a team you just met for three days in a row can be challenging sometimes, but if two teams from different companies can come together, analyze defensive tool efficacy, propose remediation strategies, and still crack a few jokes together, that’s a win-win for everyone involved.


The Value of Purple Teams

What I’ve seen is that this type of assessment, paired with a defensive security team that cares about their environment, provides not only a strategy to remediate gaps in log ingestion, detection logic, and preventative controls – but generates conversations that are immensely beneficial to both parties involved. It often provides a liminal space where members from different internal teams spend days together and can discuss what needs to happen next to increase their defensive posture. In some cases, this internal collaboration would never have occurred otherwise. It is the level playing field, with everyone involved working for the betterment of the client’s environment, that allows these discussions to happen. For example, an MC could ask a question on environmental preference when it comes to preventing lateral movement techniques, offering multiple solutions – to which the client team engages in conversation among themselves, weighing whether or not host-based firewalls are something they want for the environment, or if the network architecture needs a deeper analysis overall. Defensive teams can agree on remediation paths before a report is even delivered.

Though I am happy with my current MC role, my journey is not over. I continue to learn and build my skills with every Purple Team assessment, gaining insight on how the most popular EDRs, SIEMs, IDPs and so forth perform and compare against each other. I learn more about incident response procedures, stay up to date on adversary actions, and build relationships with client teams where I genuinely look forward to working with them again. A Purple Team MC is a busy role, especially with back-to-back Purple Teams (see this blog, Efficiently Managing Hundreds of Purple Teams), but efficient time management has been another valuable soft skill that this role has helped hone. Though it might not appear to be the coolest role to the “hacker” in me at first, I can say it’s been the most fulfilling so far. Forming genuine connections with client teams and working with them over the course of years, seeing their security posture grow and knowing that you played a role in that is something to be proud of.

All in all, my journey to becoming a Purple Teams MC has been incredibly fulfilling. I have grown beyond my initial expectations as a trusted cybersecurity consultant and am pleased with the impact I have made on the security posture of our clients. I’ve built great relationships with defensive security teams I would have never had the pleasure to meet if not for Purple Teams. I am glad to be a part of the collaborative, transparent approach of Purple Teams to help foster a culture of shared knowledge and mutual respect between offensive and defensive security teams. I believe that Purple Teams are one of the most beneficial types of assessments an organization can conduct with us. Am I biased? Maybe a little, but not only do you get the on-paper assessment, analysis, and tailored remediation strategy per team and toolset, you get the opportunity to collaborate with offensive and defensive cybersecurity experts in an open-book knowledge transfer experience that is enjoyable, human, and beneficial for everyone involved.

Ray Ruffini
Sr. Consultant

Ray focuses on Purple Team service delivery as well as defining and developing the Purple Team service, with a background in penetration testing both internal and external environments.

Ray spent 3 of his college years working with SRA to adopt key skills and methodologies for technical assessments and Red Team security operations.

Leveraging a Red background with practical Blue Team expertise amassed across industries, Ray collaboratively engages with clients to develop tailored security journeys that best suit the client's needs and objectives.

Ray has a BS in Computing and Security Technology from Drexel University.