Colourful mindsets

Red teaming is campaign-based testing that runs for an extended period of time, e.g. multiple weeks or months of emulating the same attacker, rather than a time-boxed, scope-limited test.

With enough time and resources, all security defences will fall. Red teaming is therefore not meant to score the skill of the defenders, but to measure the cost imposed on adversaries. Blue teaming is meant to increase that cost. Purple teaming integrates the defensive tactics and controls from blue teams with the threats and vulnerabilities found by red teams into a single narrative that maximises both, while minimising the operational burden of adding these defensive tactics and controls.

  • Red teams are internal or external entities dedicated to testing the effectiveness of a security program by emulating the tools and techniques of likely attackers as realistically as possible. The practice is similar to, but not identical with, penetration testing: a penetration test looks for vulnerabilities within a fixed scope and time box, whereas a red team campaign tests whether the organisation detects and withstands a persistent, goal-driven adversary.
  • Blue teams are internal security teams that defend against both real attackers and red teams. The practice resembles the "normal" security operations found in most organisations, but with an added mentality of constant vigilance against attack.
  • Purple teams integrate the defensive tactics and controls from blue teams with the threats and vulnerabilities found by red teams into a single narrative that maximises both. They are bridgers with a stake in the narrative.

I agree with Miessler that I don't much care for the word "team" being assigned to the colours, as I too think that in most cases they are actually mindsets, or functions, rather than dedicated groups of people. We add and change:

  • A wheel
    • The holders occupy the non-diagonal positions and represent functions (which can, but need not, be separate teams).
    • On the diagonals one finds the drivers for possible changes, both clockwise and counter-clockwise.
    • White has been added to bring in the forgotten strengths and to make it easier to share results that may be reusable in other contexts. That also requires coalition building.
    • Indigo has been added to increase operational awareness for defending a (digital) environment, by involving people from the targeted higher-risk group themselves.
  • Direct paths or more complex choreographies can be used, depending on what the colourful teaming is used for. For example:
    • Clockwise for assessing what is there in a local context (starting in red).
    • Counter-clockwise for finding the low-hanging fruit for making changes to development (starting in yellow).
    • Yellow-blue-purple-white-red-orange-green-indigo for setting up incident response teams in a context.

Last modified: 2019/11/13 08:18