Part II: The Purple Ascent Framework

Continuing from “Part I: Unveiling the Power of Purple Teaming in Cybersecurity: Build Your Program” and our “Shifting Sands of Resilience” saga, we dive deeper into Purple Teaming by exploring our Purple Ascent Framework… 

Importance of Purple Teaming

As a quick recap to Part I, Purple Teaming is a dynamic and collaborative approach revolutionizing cybersecurity practices. Unlike traditional methods where red and blue teams operate in silos, Purple Teaming fosters proactive cooperation between these traditionally distinct roles. This proactive, iterative methodology aims to fortify an organization’s security posture by nurturing communication and collaboration. By simulating realistic cyber threats and attacks, Purple Teaming empowers organizations to comprehensively identify vulnerabilities, assess defensive capabilities, and enhance incident response. This holistic approach considers the interplay between people, processes, and technology – aligning offensive and defensive efforts to bolster incident response capabilities, improve detection mechanisms, and ultimately fortify cybersecurity resilience. Join us as we explore the journey towards Purple Team maturity and its transformative impact on organizational security.

Introduction to the Purple Ascent Framework

We developed the Purple Ascent Framework after years of research and experience with cybersecurity teams and assessments.

Once you know your environment, have basic security mechanisms in place, and are able to capture information about your network, you have accounted for all the pre-reqs.

Your team can begin at the Level and Step that best matches their experience. However, you should consider the maturity of all your stakeholders and not just your purple team when making the decision.

Along the left side we capture 22 Steps across 4 Levels. For each Step we provide a TTP, Defense Function, Event Type, and Focus Area. The remainder of the article will discuss each of these attributes.

Tactics, Techniques, & Procedures

Foundational TTPs:  Level 1 and the first 6 Steps comprise the Foundational TTPs. This Level is designed to ensure your team can master the basics and learn the fundamental tactics to strengthen your cyber defense.

Advanced TTPs:  Level 2 and the Steps 7-12 account for the Advanced TTPs. From here your team will elevate their defenses and delve into more advanced tactics, like MITRE ATT&CK, to begin learning how to stay ahead of more sophisticated threats.

Threat Actor TTPs:  Level 3 with Steps 13-21 is where we get into Threat Actor TTPs. At this level of maturity your team is ready has the knowledge to detect, analyze, and thwart even the most elusive cyber adversaries. Level 4, Step 22, represents the closest you and your team will ever come to defending against a true, determined, well-resourced criminal. At this point you will be on par with cybersecurity teams responsible for national security, banking, critical infrastructure, and other no-fail sectors of government and industry.

Defense functions

There are 3 defense functions, and we will progress through them at least twice for each level. They build from each other, so it’s important to progress systematically. Once you demonstrate the ability to detect threats and vulnerabilities, we focus on how to respond then move to how to mitigate, before cycling back through again.

Detection Engineering: a specialized emphasis on refining our detection capabilities. It encompasses the tools, methodologies, and expertise required to engineer robust and precise detection mechanisms. These capabilities will largely remain the same but as your team learns more and gains confidence, their ability to leverage the tools in more effective and creative ways will improve.

Incident Response Vigilance: a coordinated approach to managing and mitigating security incidents. It ensures we can swiftly identify, contain, and recover from threats, minimizing potential damage and downtime while safeguarding our digital assets.

Mitigate for Resilience: A range of strategies, controls, and countermeasures designed to minimize vulnerabilities and reduce the impact of potential incidents. Some of these will be proactive, in response to lessons learned from Incident Response, but it is also important to ensure that you are comfortable with how to respond when an attack does happen.

Event Type

Purple teaming is most effective when it mimics real life events. These events can either be announced or unannounced, again depending on the maturity of your team and shareholders.

Announced: Announced objectives are focused on improving & learning​. The team is focused and know what to expect. Ideally, they are excited and have the right mindset for learning​. Leadership and shareholders should block off time for learning. We have found teams benefit by executing a greater number of meaningful training events in a shorter time period. The learning should be controlled and tailored to match the appropriate level of learning and should ramp up or slow down based on team’s performance.

Unannounced: Unannounced objectives are designed to assess the readiness and response of your organization and teams. These events should occur when the team is in the midst of their daily routine, at random intervals​ to meet the intent, and include the most likely threats.

Focus Areas

The reason why we recommend your organization rotate through the 3 Defense Functions at least twice each level, is to address the vulnerabilities within your company’s technology separately from those inherent in your employees and the processes they use to do their jobs.

Technology Only: Then the team is focused on technology, they are working to evaluate the organization’s IT systems, hardware, software, and networks to identify vulnerabilities and enhance cybersecurity defenses.

People & Processes: One you feel confident your technology is secure, your team can pivot to focus on your organization’s human resources (i.e., training, experience) and operational procedures (including communication plan and roles & responsibilities).  It is important to understand that no matter how secure your technology is, your people and processes will always be vulnerable.

People, Process & Technology: As we near the most mature Levels and Steps in the model, we graduate to a holistic evaluation encompassing personnel, operational procedures, and technological infrastructure. This will allow you to truly enhance the overall cybersecurity readiness and resilience of your company.

Conclusion… and teaser for Part III

This article introduced our Purple Ascent Framework in support of Purple Teaming – a collaborative cybersecurity approach that transcends traditional approaches to cybersecurity with red and blue teams, fostering proactive cooperation to fortify an organization’s security posture. Purple Teaming employs realistic simulations of cyber threats and attacks, empowering organizations to identify vulnerabilities, assess defensive capabilities, and enhance incident response comprehensively. The Purple Ascent Framework offers a structured path for cybersecurity teams to advance through foundational, advanced, and threat actor TTPs by emphasizing defense functions, event types, and focus areas. By systematically progressing through detection, response, and mitigation phases while considering technology, people, and processes, organizations can strengthen their cybersecurity resilience, aligning offensive and defensive efforts to safeguard against sophisticated threats effectively.

In the next article we will discuss how to run a purple teaming event. If you’re anxious to get started however, feel free to book a discovery session today to discuss how we can help your team.

You can also check out CYYNC, our collaboration platform built for cyber teams. We would love to provide a product demo and show you how CYYNC can unlock purple teaming for your organization.

Want to stay up to date on compelling and effective ways for cyber to enable your business to thrive? Sign up for our newsletter here.