• Charles Hamilton, Author |
3 min read

Modern threats are increasingly sophisticated, and attackers have access to ever greater resources with which to compromise an organization’s network. To address these threats, the usual response is to deploy a variety of solutions, including endpoint detection and response (EDR), network monitoring, process monitoring, and extended detection and response (XDR). But once deployed, do any of these solutions truly cover all the potential paths of attack?

Put another way: have you ever validated that the detection rules you’ve deployed actually alert on, and block, the threats they were written for? This is exactly the question a “purple team” exercise answers.

Purple team exercises are designed to assess the detection and response capability within your environment. In a typical scenario, the exercise is a collaboration between the blue and the red teams: the blue team represents your detection efforts, and the red team represents the adversary, a role that KPMG, for instance, can play. The interactive push and pull between the two teams then leads to actionable recommendations for improving overall detection, based on the controls in place.

Here at KPMG, we regularly assess detection and response capabilities by executing up to 25 unique test cases per environment. These test cases are based on specific tactics, techniques and procedures (TTPs) as defined by the MITRE ATT&CK framework. Observations are then separated into the following categories of detection capability:

  • Malicious process detection, designed to test your capability to detect and prevent malicious code execution on workstations and servers
  • Network traffic detection, designed to test your capability to detect malicious network traffic (e.g., network reconnaissance, network-based authentication and secure shell protocol [SSH] tunneling)
  • Cloud access detection, designed to test your Azure cloud tenant detection capabilities against remote attacks
  • Targeted attack and exploitation detection, designed to assess your capability to detect targeted attacks and exploit attempts within the internal network
  • Lateral movement detection, designed to test your capability to detect lateral movement between assets inside the network (e.g., remotely extracting credentials, compromising a remote host using a pass-the-hash attack or remote connection to other systems)

Each test is designed to assess a specific control. During the purple team exercise, your team collaborates with ours to determine whether each activity was detected. One of the following outcomes is usually expected:

  • An alert was generated and the test was blocked
  • The test generated an alert but was not blocked
  • The test neither generated an alert nor was blocked

Based on the outcome, we’d then provide guidance on how to enhance your detection and prevention capabilities.

Perfect harmony

Notably, the data associated with the threat activity is often already aggregated in the security information and event management (SIEM) system even when no detection rule was written for it. We’ve also observed that certain controls are sometimes not implemented because the product deployed in the environment lacks the visibility needed to support them.
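To make the three outcomes above, and the “telemetry is there but no rule fires” situation just described, concrete, here is a small scoring helper. It is an added example and not KPMG’s own tooling: each test case is classified into an outcome bucket, tallied per detection category, and mapped to a follow-up action that distinguishes a missing rule from missing visibility. The field names, category labels and the six sample rows are constructed for illustration; the technique IDs are standard MITRE ATT&CK identifiers. A fourth bucket, “blocked silently”, is an assumption added so that every combination of alert/block is accounted for.

```python
"""Scoring helper for purple team test cases.

Added example (not KPMG's tooling): each test case is classified into an
outcome bucket, tallied per detection category, and turned into a
follow-up action. Sample rows below are constructed.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from enum import Enum


class Outcome(str, Enum):
    ALERTED_AND_BLOCKED = "alert generated and test blocked"
    ALERTED_NOT_BLOCKED = "alert generated but test not blocked"
    NOT_DETECTED = "no alert and not blocked"
    # Not one of the three expected outcomes: a control stopped the action
    # but nobody was told. Added here (assumption) so the matrix is complete.
    BLOCKED_NO_ALERT = "blocked silently, no alert"


@dataclass(frozen=True)
class TestResult:
    test_id: str             # exercise-local label (constructed)
    technique: str           # MITRE ATT&CK technique ID
    category: str            # detection category the test case targets
    alerted: bool            # did EDR/SIEM raise an alert?
    blocked: bool            # did a preventive control stop the action?
    telemetry_present: bool  # did raw events reach the SIEM regardless of rules?


def classify(r: TestResult) -> Outcome:
    """Map the two observed booleans onto an outcome bucket."""
    if r.alerted and r.blocked:
        return Outcome.ALERTED_AND_BLOCKED
    if r.alerted:
        return Outcome.ALERTED_NOT_BLOCKED
    if r.blocked:
        return Outcome.BLOCKED_NO_ALERT
    return Outcome.NOT_DETECTED


def follow_up(r: TestResult) -> str:
    """Guidance a follow-up report would carry for each outcome."""
    o = classify(r)
    if o is Outcome.ALERTED_AND_BLOCKED:
        return "no action"
    if o is Outcome.ALERTED_NOT_BLOCKED:
        return "add a preventive control; detection already exists"
    if o is Outcome.BLOCKED_NO_ALERT:
        return "raise an alert on the block so responders can see it"
    # NOT_DETECTED: a missing rule is a different fix from missing visibility
    if r.telemetry_present:
        return "write a detection rule; telemetry is already in the SIEM"
    return "add a sensor or log source; no telemetry reached the SIEM"


def summarize(results):
    """Count outcomes per category, e.g. {'Cloud access': {Outcome...: 1}}."""
    table = defaultdict(Counter)
    for r in results:
        table[r.category][classify(r)] += 1
    return {cat: dict(c) for cat, c in table.items()}


def detection_rate(results):
    """Share of test cases that produced an alert, blocked or not."""
    if not results:
        return 0.0
    return sum(1 for r in results if r.alerted) / len(results)


# Constructed sample run: six test cases across the categories listed above.
SAMPLE = [
    TestResult("PT-01", "T1059.001", "Malicious process", True, True, True),
    TestResult("PT-02", "T1046", "Network traffic", True, False, True),
    TestResult("PT-03", "T1021.004", "Network traffic", False, False, True),
    TestResult("PT-04", "T1078.004", "Cloud access", False, False, False),
    TestResult("PT-05", "T1550.002", "Lateral movement", True, True, True),
    TestResult("PT-06", "T1003", "Lateral movement", False, True, True),
]

if __name__ == "__main__":
    for cat, counts in summarize(SAMPLE).items():
        print(cat, {o.value: n for o, n in counts.items()})
    for r in SAMPLE:
        print(r.test_id, r.technique, classify(r).value, "->", follow_up(r))
    print(f"detection rate: {detection_rate(SAMPLE):.0%}")
```

Run as a script, it prints the per-category tally, one follow-up line per test case, and an overall detection rate of 50% for the sample. The `telemetry_present` flag is what separates “write the rule” from “deploy the sensor”; without it, every undetected test looks the same in the report.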

A purple team exercise allows you to improve your detection and response capabilities through technical assessment of the controls in place. The hands-on nature of the exercise helps identify gaps between the policy on paper and the actual implementation in the environment. Once the exercise is finished, you will have a much better understanding of your current detection and response abilities, observed as the tests ran. A follow-up report is then prepared with clear guidance on the steps you’ll need to take to address the gaps identified during the exercise.

Importantly, the collaborative aspect of these exercises is also beneficial to the detection team. The real-time aspect, meanwhile, allows the team to perform threat hunting and learn from the various test cases executed. Bring it all together and you have a colourful whole that is far greater than the sum of its parts.

If you’re interested in learning more about our purple team capabilities and how they can help you enhance your cyber resilience, please visit us here. We offer a range of cyber services, from strategy and governance to incident response, recovery and beyond.
