Purple Team Assessment

Service Context

Purple team engagements are designed to bridge the gap between the red team and blue team exercises. This service involves a collaboration between our cybersecurity experts and the organisation’s internal security team. The goal of a purple team engagement is to evaluate the effectiveness of existing security controls and identify areas for improvement. The service is delivered by our experienced cybersecurity professionals, who work with the organisation’s security team to simulate realistic attack scenarios and provide recommendations for remediation.

Key Benefits

Comprehensive Assessment: A purple team exercise goes beyond conventional security testing, holistically evaluating the organisation’s ability to detect and respond to real-world attacks. This comprehensive assessment evaluates people, processes and technology to identify issues that cannot be detected by penetration testing alone.
Integrated Collaboration: Our Purple Team Exercise service combines the strengths of your internal Blue Team (defenders) and our expert Red Team (attackers). We facilitate seamless collaboration, allowing for a synergistic partnership to enhance your organisation’s overall security posture.
Practical Training and Skill Development: Our Purple Team Exercises serve as invaluable training opportunities. Your Blue Team members gain hands-on experience in detecting, responding to, and mitigating sophisticated cyber threats. This enhances their skills, knowledge, and preparedness to defend against future attacks.

Why Cyber Alchemy?

Unrivalled Expertise: Cyber Alchemy is formed of consultants with diverse professional backgrounds. Having team members coming from incident response and development backgrounds allows the team to think around problems or develop new tools to solve the issue, being able to mimic even the most motivated adversary. Uniquely for a purple team exercise, Cyber Alchemy are also able to leverage our consultant’s experiences as cyber security trainers when explaining how exploitation was achieved and what improvements can be made to prevent it from happening again. Purple team exercises are, above all, about learning, so when an adversary strikes, an organisation has the people, tools and processes to stop them.

Customised Approach: We understand that every organisation is unique. Our Purple Team Assessment service is tailored to your specific needs, industry regulations, and risk profile. We develop a value-oriented approach, incorporating custom attack scenarios that mimic the threats most relevant to your business, ensuring targeted and effective testing.

Comprehensive Security Testing: Our Purple Team Assessments cover a wide range of security aspects, including network infrastructure, web applications, wireless networks, social engineering, and physical security. We leave no stone unturned in assessing your overall security posture.

Collaboration and Knowledge Transfer: We believe in fostering collaboration throughout the assessment process. Our Purple Team works closely with your internal security team, sharing knowledge, best practices, and recommendations after the enagement. This empowers your team to understand the attack vectors better and strengthen your defences.

Actionable Recommendations: Our Purple Team Assessment doesn’t stop at identifying vulnerabilities. We provide you with actionable recommendations and practical remediation strategies to help you prioritise and address the identified weaknesses. Our focus is on helping you improve your security posture over the months that follow the assessment. .

Why do I need a Purple Team Assessment?

Most organisations are only as strong as their weakest link. Purple team exercises allow organisations to test the effectiveness of their network security and identify weaknesses and vulnerabilities in their existing policies, processes, technologies and personnel. Cyber Alchemy frequently works with organisations that have invested thousands in security tooling to keep them protected but often lack the required parallel investments in people and processes to maximise the value of these investments.

The outputs from a purple team exercise give organisations actionable data to evolve their security strategy based on the organisation’s unique weaknesses and vulnerabilities. They help identify and fix all identified security weaknesses and processes. Post-exercise reporting is important to document the how, what, and where and to improve processes and business defences for the future. Through this process, it is also possible to improve response time should a real-world attack occur.

Our Approach

Cyber Alchemy builds every purple team engagement bespoke. Every engagement has different objectives and needs to assess different capabilities. Cyber Alchemy maps all of its Purple Team exercises to the MITRE ATT&CK framework, which is a knowledge base of adversary tactics and techniques based on real-world observations. This approach has several benefits:

More effective engagement planning, execution, and reporting.
Provides an easy-to-track register of capabilities, exposures and the testing conducted.
Bridges gaps across different parts of an organisation, and it can be re-used by non-technical teams with easy-to-understand visual representations and reporting.
Ensures engagements are centred around real-world scenarios.

Project Plan

We will work with you to determine your objectives for the exercise and what defences you require testing with which tools, techniques and tactics. Our team will assist throughout this process, bringing their real-world experience to develop an engagement plan.

Should reconnaissance be a part of the agreed techniques, which we often recommend, our team will take an intelligence-led approach to gather information from public sources related to your organisation. This is used to determine appropriate attack scenarios for the exercise.

Keeping in constant communication with the blue team, we will attempt to penetrate your network and deliver the objectives defined in the scoping stage. This could include securely exfiltrating data from the systems that hold the target information selected by you. This, for example, would assess your security controls to detect and prevent loss of information as part of this exercise.

Throughout the engagement, we record which systems and tools are used or accounts created to achieve access. Where authorised changes to systems have been made, these will be reverted to the same state as if the engagement never happened, guaranteeing a seamless transition back to normality

Our Purple Team Exercise report will provide a detailed and digestible view of the critical, high-, medium- and low-priority risks and appropriate prioritised recommendations for your organisation. A matrix based on MITRE ATT&CK is also provided, giving a clear visual interpretation of what attacks were performed and where gaps were found. These outputs can be expanded into a defined security strategy as part of a further engagement with Cyber Alchemy, helping the organisation maximise the value of further security investments.

For organisations requiring in-depth and continuing remediation, every engagement has the opportunity to use our Full Stop Remediation™ service. Bespoke training delivered by our expert trainers covers the issues discovered in your systems and gives your system administration team the skills to ensure the same issues don’t creep back into your infrastructure. Full details of our reporting and Full Stop Remediation™ can be found below.

The report contains the scope, technical approach, executive summaries, dynamic risk visualisations, prioritised vulnerabilities based on likelihood vs impact, and bespoke mitigation advice for each finding. Each report has three distinct and dedicated board, management, and technical personnel sections. Report clarity ensures understanding and enables informed decisions. The report is aligned with MITRE ATT&CK, providing a standardised and comprehensive structure to describe the adversary techniques, tactics, and procedures employed during simulated attacks, enabling clear communication of the findings and facilitating effective remediation actions by the blue team. Every Cyber Alchemy report will include the following:

Background: An overview of the assessment’s general purpose, scope, methodology, and timing.
Management Summary: A detailed but digestible summary of the results, such as key critical findings requiring immediate attention, system or recurring issues, and other general findings. This could also include strategic recommendations, offering long-term remediation actions to ensure ongoing risk reduction.
Technical Details: Comprehensive vulnerability results, including a description of the vulnerability observed, the impact, evidence of where the vulnerability was observed, step-by-step demonstrations of exploits performed which give teams the ability to internally verify the issues, and detailed remediation recommendations which give developers the steps to address every reported issue.
Methodology: A detailed recap of what was tested, the methodologies used, and the related historical information required for audiences such as auditors to understand the specifics of the test approach.
Attack Surface Analysis: Additional content and guidance, such as recommended post-assessment activities that provide added value to the audience of the report.

After every engagement, we offer a focused meeting to discuss the testing and outcomes. This allows system administrators and risk owners to ask specific questions to our expert consultants, ensuring all parties understand the context of the vulnerabilities, root cause and the real-world likelihood and impact of successful exploitation in the context of the organisation. The potential mitigation steps will be discussed, allowing for the implementation of robust measures and the possible effort to be understood.

We don’t believe that report delivery marks the end of the engagement; in fact, it’s just the beginning for us. We’re in every client relationship for the long haul, providing ongoing support to ensure that issues are robustly addressed in line with your organisation’s requirements.

After every engagement, we offer a focused meeting to discuss the testing and outcomes. This allows system administrators and risk owners the opportunity to ask specific questions to our expert consultants, ensuring all parties understand the context of the vulnerabilities, alongside the likelihood and impact of successful exploitation.

We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the following months. We find this approach allows for better integration of security into development and helps reduce the number of issues we see when retesting.

For clients who require further support, we offer our Full Stop Remediation™ post assessment training, which incorporates real-world examples from the assessment into the training course. This tailored approach delivers lessons to system administrators in a familiar context and environment, allowing the lessons learned to be immediately applied to existing projects and ensures long-term risk reduction. More information about Full Stop Remediation™ can be found below.

Full Stop Remediation™ – Secure Infrastructure Operations Training

From the results of a penetration test, or series of assessments, our consultants can provide bespoke training to system administrators on how to remediate the issues found in the assessment and SecOps best practices. This powerful remediation offering allows total remediation for now and the future, giving infrastructure teams the skills to identify vulnerabilities before they make it to production. Other benefits of this remediation package include the following:

Cost savings: Investing in remediation training helps your organisation save money in the long run. By preventing security incidents and potential breaches, you avoid the financial impact of data loss, system downtime, regulatory penalties, and reputation damage.
Long-term Risk Mitigation:Our remediation service equips your team with the skills and knowledge to address vulnerabilities in the present and future. By building a strong foundation of security practices, you create a sustainable framework for ongoing risk mitigation.
Better collaboration: When system administrators understand how to build and maintain secure systems, they can work more effectively with security teams and other stakeholders, resulting in a more secure and cohesive infrastructure estate.
Foster a “Security First” culture: With better awareness of security issues and the knowledge to address them, a culture of security can be developed. With a strong security culture comes greater security, shared accountability and efficiency, forming the basis of any successful security program.
Empowered Internal Teams:Our training empowers system administrators to handle remediation tasks independently. They gain the knowledge and skills needed to efficiently address vulnerabilities, reducing reliance on external security consultants for routine remediation efforts.

Contact us today for more information on how Full Stop Remediation™ can accelerate your SecOps program and put security at the heart of your infrastructure administration team.

Specifically, for your organisation, that question will be answered at the end of a scoping call with our technical team. The duration depends on various factors, such as the specified objectives and the organisation’s size. Generally speaking, depending on the project size and requirements, it can range from a few weeks to a couple of months.

o Penetration testing focuses on exploiting vulnerabilities within specific systems, enabling you to assess the resilience of your technology. However, purple teaming adopts a more proactive approach by simulating real-world threat actors who stealthily infiltrate your systems while constantly communicating with the defenders. Through conducting purple team exercises, you gain a holistic evaluation of your defences, encompassing technical controls, processes, and personnel.

The cost of an assessment can vary based on factors such as the size and complexity of the engagement. After the scoping call, our consultants will be able to provide a detailed quote which outlines what we will do and what the outputs of that work will be

We don’t just wine, dine and dash. We’re in every client relationship for the long term. Just like most providers, after the penetration testing is complete, you will receive a detailed report outlining the vulnerabilities identified, their severity levels, and recommendations for remediation. Where we differ is in the post-test support. We recommend to all clients that debrief meetings are scheduled after the assessment is completed, allowing for discussions around real-world risk, prioritisation and the best way to approach specific remediation actions. We recognise that remediation of all issues doesn’t just happen overnight, and our technical team will be happy to answer any questions while remediation is happening over the months that follow. We find this approach allows for better integration of security into development and helps reduce the number of issues we find when retesting applications.

Of course, what good is a security assessment if the issues aren’t addressed?! Our team will be here to support remediation efforts for months after the end of the assessment. Our recommended post-engagement debrief calls, and detailed reports provide all the information that is often required to remediate all issues, but if we can be of any more use, then we will be on hand to help.

We understand that timescales can sometimes be tight, and things need to get done. In these cases, we will attempt to accommodate all requests from our clients, or if we don’t have capacity, we will know a trusted partner who can. Typically, we ask for a lead time of at least four weeks due to the set up required for the engagement.

The frequency of purple team assessments depends on each client, often considering the organisation’s risk appetite, budget and security program maturity. As a general rule, conducting a purple team assessment at least once a year or whenever significant changes are made to the organisation’s security program is recommended.

Our objective is not to cause any disruption during the assessment, but that doesn’t mean that problems can’t (and don’t) occur. There might be instances where certain vulnerabilities could cause temporary issues, but as stealth is paramount, these situations are rare. There are lots of techniques that can be used to minimise the likelihood of issues occurring. For example, certain aspects may be conducted outside core business hours, although this will be discussed with every client beforehand. Whatever is required, our team can determine a testing strategy to meet your objectives safely and securely.