Joe Pilkington (@_Pilk_)

Purple teaming is all the rage right now and has proven to be a very effective mechanism for building and strengthening defenses. While purple teaming generally involves the emulation of adversary techniques to develop detection techniques and analytics to counter them, it can provide teams so much more. I’ll address the much broader benefits purple teaming provides teams, including its role in analyst development and in developing living playbooks through updated information on attack trends and emerging threats. Purple teaming is a vastly underutilized approach that can augment capabilities, defenses, and teamwork without requiring a ton of external resources.

First, in addition to the advanced detection benefits, purple teaming also helps analysts better understand attack trends and emerging threats. Analysts who participate in purple team exercises and leverage a framework such as MITRE are more likely to develop a better understanding of techniques and to be more prepared to identify them during regular threat detection workflows. In many ways, this epitomizes the notion of “train how you fight” and prepares analysts for a range of scenarios because they have already experienced them.

Second, purple teaming helps build a living playbook that evolves in sync with changing threats. Through purple teaming, the team gains a better understanding of the manual analytic processes needed to identify some techniques, as opposed to the automated detections that need to be triaged when they are triggered.

Finally, lower-tier analysts often are not involved in purple teaming, so teams miss out on a great opportunity to develop these analysts within a collaborative and information-rich environment.

Each of these areas will be discussed in detail, along with some real-world examples, to demonstrate the broad benefits of purple teaming well beyond building new detections.