The difference between red, blue, and purple teams
• Blue Teams refer to the internal security team that defends against both real attackers and Red Teams. Blue Teams should be distinguished from standard security teams in most organizations, as most security operations teams do not have a mentality of constant vigilance against attack, which is the mission and perspective of a true Blue Team.

• Purple Teams are ideally superfluous groups that exist to ensure and maximize the effectiveness of the Red and Blue teams. They do this by integrating the defensive tactics and controls from the Blue Team with the threats and vulnerabilities found by the Red Team into a single narrative that ensures the efforts of each are utilized to their maximum. When done properly, 1 + 1 will equal 3, but this should be happening naturally as the benefit of having a Red and Blue team.

Waiters Who Don't Deliver Food: A restaurant is having trouble getting their waiters to pick up food from the kitchen and bring it to tables. Their solution is to hire "kitchen-to-table coordinators", who are experts in table delivery. When management is asked why they hired this extra person to do this instead of having the waiters do it themselves, the answer was:

Elite Chefs Who Keep the Food in the Kitchen: An expert is brought in to figure out why a restaurant is failing when they have all this top-end chef talent. Evidently customers are waiting forever and often not getting food at all. When the reviewer goes into the kitchen they find stacks of beautiful, perfectly-arranged plates of food sitting next to the stoves. They ask the chef why this food hasn't gone out to the tables, and the chef answers:

So perhaps there's a Purple Team engagement, where a third party analyzes how your Red and Blue teams work with each other and recommends fixes. Or perhaps there's a Purple Team exercise, where someone monitors both teams in realtime to see how they work. Or maybe there's a Purple Team meeting, where the two teams bond, share stories, and talk about various attacks and defenses.

• A Tiger Team is similar to, but not quite the same as, a Red Team. A 1964 paper defined the term as "a team of undomesticated and uninhibited technical specialists, selected for their experience, energy, and imagination, and assigned to track down relentlessly every possible source of failure in a spacecraft subsystem." The term is now often used as a synonym for Red Team, but the general definition is an elite group of people assembled to solve a particular technical challenge.

• It is important that Red Teams maintain a certain separation from the organizations they are testing, as this is what gives them the proper scope and perspective to continue emulating attackers. Organizations that bring Red Teams inside, as part of their security team, tend to (with few exceptions) slowly erode the authority, scope, and general freedom of the Red Team to operate like an actual attacker. Over time (often just a number of months) Red Teams that were previously elite and effective become constrained, stale, and ultimately impotent.

• Another factor that dilutes the effectiveness of internal Red Teams is that elite Red Team members seldom transition well to the cultures of companies with the means to hire them. In other words, companies that can afford a true Red Team tend to have cultures that are difficult or impossible for elite Red Team members to tolerate. This often leads to high attrition among Red Team members who make the transition to an internal team.

• One trap that internal Red Teams regularly fall into is being reduced in power and scope to the point of being ineffective, at which point management brings in consultants who have full support and who come back with a bunch of great findings. Management then looks at the internal team and says, "Wow! They're amazing! Why can't you do that?" That's usually a LinkedIn-generating event.