Purple teaming is an exercise in which the attacking red team and the defending blue team communicate and cooperate with each other instead of working as separate entities that don’t communicate. In a purple-teaming scenario, both sides share certain pieces of information with each other and provide continuous feedback while conducting and defending against the simulated attack. While both sides are aware of each other, there is still an element of the unknown with purple teaming, as the blue team ultimately doesn’t know how a red team will attack.
As with red teaming, the idea of purple teaming is to test security in a low-risk environment. The added benefit is the idea that the continuous feedback between the two teams would further strengthen both sides and enhance security.
Physical Red Teaming
Physical red teaming follows the same principles as a digital red-teaming exercise but instead tests the physical security of a facility, including its locks, fences and barriers, surveillance cameras and alarm systems. Physical red teaming could involve tools such as devices that clone radio-frequency ID tags and other key systems.
Exercises involve physically entering an organization’s facilities with the objective of gaining access to a particular area or certain files or equipment. This can be done through a number of strategies, including lock-picking, posing as building staff to be allowed in, and breaching or finding open spots in barriers.
Physical red teaming often starts with performing reconnaissance onsite to identify weak points. Depending on the exercise, physical red teams might employ such tactics as posing as a FedEx or UPS driver to gain access, or disguise themselves as cleaners or employees once they enter the facility.
As with digital red teaming, organizations can set parameters around physical red-teaming exercises. Rules of engagement need to be established beforehand.
“If it’s a third party, you can say, ‘Hey, only go so far. I don’t want you to walk into my building, but if you get the key and can get in, tell me and then stop there,’” Deskin says. “That’s part of the upfront work of asking, what are the goals? What are we looking to achieve? How far are we going to go?”