Purple Teaming: A comprehensive and collaborative approach to cyber security
Abstract
This paper introduces Purple Teaming as a comprehensive and collaborative approach to cyber security, emphasising the need for organisations to adapt their cyber security testing methodologies in response to evolving cyber threats. Traditionally, cyber security efforts were divided into offensive (Red Team) and defensive (Blue Team) units; however, the concept of Purple Teaming has gained prominence, advocating for the integration of these units to create a dynamic and cooperative cyber security environment. The paper covers various topics including the significance of adversary emulation, the role of the MITRE ATT&CK framework in standardising communication, the value of traditional Red Team exercises and how Purple Teaming activities can complement these exercises. It differentiates between types of Purple Teaming activities and proposes an approach and architecture to support continuous Purple Teaming efforts. Adversary emulation, a key aspect of Purple Teaming, involves replicating the tactics, techniques and procedures (TTPs) of real-world threat actors to evaluate an organisation’s defences. The paper outlines how, when properly combined, Red and Purple Team efforts can significantly enhance an organisation’s capability to proactively improve its preventative, detection and response mechanisms against adversary tactics. Through its comprehensive coverage, the paper underscores the vital role of Purple Teaming in modern cyber security, highlighting its potential to foster a more resilient and proactive security posture for organisations.
The full article is available to subscribers to the journal.
Author's Biography
Erik Van Buggenhout kickstarted his career in cyber security as an intern at Ernst & Young. He quickly moved from pen testing to a mix of offensive and defensive security work, accumulating over a decade of experience. Today, he primarily engages in Blue/Purple Team activities. In 2013, Erik co-founded NVISO, a European cyber security company focusing on the government, defence and finance sectors. Over the past ten years, he helped grow the company to a 250+ person team, serving crucial organisations across Europe. NVISO offers a broad spectrum of security services, from security governance topics, through Red/Purple Team testing, to managed services and incident response. Currently, Erik serves as the Head of Managed Services at NVISO. Next to his activities at NVISO, Erik is the lead author and instructor for two Purple Teaming courses at the SANS Institute. There, he uses his knack for knowledge transfer and storytelling to educate others in the field. He is recognised for his effective teaching style, combining technical depth with relatable anecdotes. In parallel with his educational endeavours, Erik is also an active member of the cyber security community and has presented at a variety of conferences such as BruCON (2019) and RSA Conference (2023).