For years, security-conscious organizations invested in Red teams and Blue teams to help shore up their cyber defenses. While Red teamers focused on mimicking attackers to target infrastructure and networks during security exercises, Blue teamers worked to stop those simulated threats and neutralize their opponents.
More recently, the line between Red and Blue teamers at some organizations has blurred in the name of a more collaborative approach. Cooperation among these teams, in turn, has created a new type of cybersecurity specialist: the Purple teamer.
As the name implies, Purple teamers straddle the worlds of Red and Blue teams. Purple team engineers draw upon the experiences of both offensive and defensive cybersecurity operations to give an organization a more holistic view of the threats it faces and where security needs improvements to stop attackers.
“Blue teams and Red teams working together, often called a Purple team, to try to combine the best of both mindsets,” said Mike Parkin, a senior technical engineer at security firm Vulcan Cyber. “Rather than working against each other competitively, they cooperate. The Red Team explains what they’re doing, and the Blue Team shares where they did or didn’t see the attack as it happened. Working together requires good communication skills and a willingness to cooperate and share knowledge.”
This collaborative approach is growing popular with large organizations that can afford to have both Red and Blue team members on staff and can dedicate resources to developing the Purple teamers who bridge the gap. For instance, security firm CrowdStrike published a blog post earlier this year detailing how its internal security team is now embracing this approach.
“We believe that red team/blue team exercises hold relatively little value unless both teams fully debrief all stakeholders after each engagement and offer a detailed report on all aspects of project activity, including test techniques, access points, vulnerabilities and other specific information that will help the organization adequately close gaps and strengthen their defenses,” according to CrowdStrike.
Retail giant Walmart also detailed its Purple team approach at the 2019 RSA conference, where its internal security team explained that the company first adopted the approach in 2016 and that it took several years of experimentation to get it right.
What Skills Does a Purple Team Engineer Need?
As the name implies, a Purple team engineer must draw on both offensive and defensive cyber skills to understand the entire attack surface and how best to protect it.
A Red teamer, for example, needs to analyze the physical security controls around the technology infrastructure where a physical weakness could be exploited to gain privileged access to networks, data or identity infrastructure. On the other side, a Blue teamer needs to develop expertise within all the available security controls within the organization as well as familiarity with pen testing.
The Purple team engineer sits at the nexus of these two and not only must understand both, but also coordinate the efforts of the Red and Blue teams, said Aaron Turner, CTO for SaaS protection at security firm Vectra.
“The Purple teamer is the culmination of all of these skills, experiences and knowledge,” Turner told Dice. “Usually the Purple teamer is the one coordinating tabletop or actual Red and Blue teaming engagements… Purple teamer being someone who can manage both domains of knowledge and experience.”
For aspiring Purple team members, brushing up on cloud computing security and identity and access management (IAM) skills can help, but John Steven, CTO at ThreatModeler, added that developing coding skills and knowledge of common programming languages are becoming essential.
“Security practitioners can no longer avoid code literacy—being able to interrogate development frameworks is another must-have skill, regardless of tech stack. This includes languages such as Golang, Node.js and the Angular framework as well as Java Spring frameworks,” Steven told Dice.
By studying languages and frameworks, Purple team engineers can better understand how infrastructures are constructed and how attackers might exploit weaknesses. “Being able to understand infrastructure, and the dev frameworks give purple team members a basis,” Steven added.
Vulcan Cyber’s Parkin added that, beyond any technical skills, a Purple team engineer needs to hone their communication skills to bridge the Red and Blue team gap and explain how the results of any particular exercise can benefit the organization’s overall cybersecurity stance. This is all part of the more collaborative process.
“In addition to the specialized skills that come with a Blue or Red team, communication is paramount. The ability to effectively communicate with the team, share findings, and techniques, and work together is a huge part of being a successful team member,” Parkin told Dice. “When you are on a Red or Blue team, you’re generally only seeing one side of the game. When you are working in a Purple team, you get to see the whole picture. To be honest, it’s a lot of fun.”
What Career Opportunities Come with Purple Teams?
Purple team engineer remains a relatively new position within the cybersecurity field, and only the largest organizations typically support full-time positions. For those interested, however, this career move is lucrative.
For example, several job and career sites list starting salaries in the $130,000 range, with the potential to increase to $200,000 or more depending on the skills required and the location of the position.
Training organizations such as the SANS Institute offer specialized courses for those seeking certification in the Purple team career field. The key, experts note, is to focus on the collaborative aspects of the job and on how the Purple team makes both Red and Blue teams better.
“Traditionally, the roles have been independent while modern practices have led to a relatively newer concept of Purple Teaming—the blending of the two roles working together for the betterment of the security posture,” Justin Wynn, principal consultant for adversary ops at security consulting firm Coalfire, told Dice. “This allows the Blue Team to work with the Red conducting live exercises in a controlled manner, honing their skills to better detect and respond to threats to the environment.”