Purple Teaming Methodology
Phases example
- 1-2w planning
- 4 pt threat profiling
- 7 pt emulation planning
- 2 pt emulation review & approval
- 4 days of emulation, each followed by a daily hotwash
- 1-2w mitigation and continuous defense plan build
phase 1: pipeline assessment
- emulate adversary technique
- model the threat
  - take a business area
    - research cyber threats for this area
    - research existing problems in this area
    - identify APTs → what are they using? → move to ATT&CK Navigator
  - attack.mitre.org
- orient to the target (defender)
  - understand the environment (review IT architecture)
  - terrain analysis: why was it built the way it is?
- threat selection: threat modeling and selection
- pipeline assessment: do my controls work against baseline threats?
phase 2: planning & preparation
- scoping the exercise: establish goals
- establish emulation control measures: fence of areas/peoples/etc., out-of-scope
- select tactics against controls
- timing and sequencing, 4 days + 1 day for remedial work
- establish a battle rhythm
- debriefs: twice a day (minimum)
- emulation/time gates by technique
  - move to the next technique or provide threat intelligence
- identify and in-brief trusted agents
  - they have full knowledge of the exercise
- deconfliction procedures (who has ceasefire priority?)
- align emulations to controls, define success criteria, prepare a hint bank
phase 3: execute the emulation plan
- manage the ebb and flow of the plan
- find friction points
phase 4: reporting and remediation
- hotwash daily
- produce audience-appropriate reports
- mitigate and revalidate
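As an added example (not part of these notes), a small Python model of the phase 2 time-gate and hint-bank rule and of the phase 4 daily hotwash: each technique is aligned to a control with a success criterion, each expired gate releases the next hint, and an exhausted hint bank records a control gap to mitigate and revalidate. Technique ids are real ATT&CK ids; the control mapping, hints and detection times are constructed.

```python
from dataclasses import dataclass, field
from math import ceil
from typing import Dict, List, Optional

@dataclass
class Emulation:                   # one technique in the emulation plan
    technique: str                 # ATT&CK technique id (attack.mitre.org)
    control: str                   # control expected to detect or block it
    gate_minutes: int              # time gate before the exercise moves on
    hints: List[str] = field(default_factory=list)  # hint bank for this technique
    hints_used: int = 0
    detected_at: Optional[int] = None  # minutes from start, None if never detected
    outcome: str = "pending"

def run_time_gate(e: Emulation, time_to_detect: Optional[int]) -> Emulation:
    """Time-gate rule: each gate that expires without detection releases the next
    hint (threat intelligence to defenders); an empty hint bank closes the gate."""
    windows_allowed = 1 + len(e.hints)
    if time_to_detect is None or time_to_detect > e.gate_minutes * windows_allowed:
        e.hints_used = len(e.hints)
        e.outcome = "control gap"
        return e
    window = max(1, ceil(time_to_detect / e.gate_minutes))  # gate in which it fired
    e.hints_used = window - 1
    e.detected_at = time_to_detect
    e.outcome = "detected" if window == 1 else "detected with hints"
    return e

def hotwash(plan: List[Emulation]) -> Dict[str, object]:
    """Daily hotwash summary: outcome counts and techniques needing mitigation."""
    counts: Dict[str, int] = {}
    for e in plan:
        counts[e.outcome] = counts.get(e.outcome, 0) + 1
    gaps = [e.technique for e in plan if e.outcome == "control gap"]
    return {"counts": counts, "gaps": gaps}

# Constructed sample plan: the technique-to-control mapping and hints are invented.
PLAN = [
    Emulation("T1059", "script-block logging alert", 30, ["hint: PowerShell host"]),
    Emulation("T1003", "LSASS access alert", 30, ["hint: credential access", "hint: host"]),
    Emulation("T1021", "lateral movement analytic", 30, ["hint: source host", "hint: protocol"]),
]
# Constructed blue-team results: minutes to detect per technique, None = never detected
DETECTIONS = {"T1059": 12, "T1003": 45, "T1021": None}

def run_day(plan=PLAN, detections=DETECTIONS):
    for e in plan:
        run_time_gate(e, detections.get(e.technique))
    return hotwash(plan)
```

Running `run_day()` reports one clean detection, one detection that needed a hint, and T1021 as a control gap for the mitigation phase.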