Skip to content

Purple Team Operations

9. PURPLE TEAM OPERATIONS

9.1 Purple Team Philosophy

Purple Team Definition: Collaborative security exercise where Red Team (attackers) and Blue Team (defenders) work together to improve detection and response capabilities.

Key Differences from Traditional Pen Testing:

Traditional Pen Test Purple Team Exercise
Red Team operates independently Red Team + Blue Team collaborate
Focus on finding vulnerabilities Focus on improving detection
Single test cycle Iterative cycles (attack → detect → tune → retest)
Final report delivered Continuous improvement process
Adversarial relationship Cooperative relationship

9.2 Purple Team Exercise Structure

Weekly/Bi-weekly Cadence:

┌─────────────────────────────────────────────────────────────────────────────────┐
│                   PURPLE TEAM EXERCISE WORKFLOW                                  │
├─────────────────────────────────────────────────────────────────────────────────┤
│                                                                                  │
│  WEEK 1: PLANNING & BASELINE                                                    │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Monday:                                                                         │
│  • Select MITRE ATT&CK technique to test (e.g., T1003: OS Credential Dumping)   │
│  • Red Team prepares attack scenario                                            │
│  • Blue Team documents current detection capabilities                           │
│                                                                                  │
│  Tuesday-Wednesday:                                                              │
│  • Baseline test: Red Team executes attack (Blue Team unaware)                  │
│  • Measure: Detection time, alert generation, response actions                  │
│                                                                                  │
│  Thursday:                                                                       │
│  • Debrief session: Red Team reveals attack methods                             │
│  • Blue Team reviews missed detections                                          │
│  • Identify gaps: Why didn't we detect this?                                    │
│                                                                                  │
│  Friday:                                                                         │
│  • Blue Team tunes detection rules (Splunk, XDR, AMP)                           │
│  • Implement new alerts, playbooks                                              │
│                                                                                  │
│  WEEK 2: VALIDATION & ITERATION                                                 │
│  ══════════════════════════════════════════════════════════════════════════     │
│  Monday:                                                                         │
│  • Red Team repeats same attack with tuned defenses                             │
│  • Measure: Improved detection time, alert accuracy                             │
│                                                                                  │
│  Tuesday:                                                                        │
│  • Red Team introduces variations of attack (evasion techniques)                │
│  • Test detection robustness                                                    │
│                                                                                  │
│  Wednesday:                                                                      │
│  • Final debrief: Lessons learned, metrics comparison                           │
│  • Document improvements (detection coverage %, MTTD reduction)                 │
│                                                                                  │
│  Thursday-Friday:                                                                │
│  • Plan next week's technique                                                   │
│  • Update detection coverage matrix                                             │
│                                                                                  │
└─────────────────────────────────────────────────────────────────────────────────┘

9.3 Purple Team Scenario Example

Scenario: Credential Dumping (MITRE T1003.001: LSASS Memory)

Week 1 Baseline:

Phase Red Team Action Blue Team Detection Result
Baseline Use Mimikatz to dump LSASS memory on compromised endpoint No alert generated MISS (60 min to detect via manual investigation)

Root Cause Analysis: - AMP signature for Mimikatz is outdated (only detects default binary name) - Splunk Event ID 4656 (process access to LSASS) not correlated with suspicious process names - No alert configured for LSASS memory dumps

Tuning Actions: 1. Update AMP custom signatures to detect obfuscated Mimikatz variants 2. Create Splunk alert: Event ID 4656 (LSASS access) + Event ID 10 (Sysmon process access) 3. Configure XDR playbook: Auto-quarantine endpoint if LSASS dump detected

Week 2 Validation:

Phase Red Team Action Blue Team Detection Result
Test 1 Execute same Mimikatz command AMP alert + Splunk correlation + XDR playbook (endpoint quarantined) DETECT (2 min MTTD, 5 min MTTR)
Test 2 Use custom LSASS dumping tool (not Mimikatz) Splunk Event ID 4656 correlation still detects DETECT (3 min MTTD)
Test 3 Attempt to disable Sysmon before dumping AMP detects Sysmon service stop attempt DETECT (1 min MTTD)

Metrics Improvement: - Detection Rate: 0% → 100% - MTTD: 60 min → 2 min (97% improvement) - MTTR: N/A → 5 min (automated playbook)

9.4 Purple Team Metrics Dashboard

Quarterly Progress Tracking:

MITRE Technique Baseline Detection Q1 Detection Q2 Detection Q3 Detection Q4 Target
T1003 (Credential Dumping) 0% 100% ✅ 100% 100% 100%
T1059.001 (PowerShell) 40% 75% 85% 95% ✅ 95%
T1021.001 (RDP Lateral Movement) 50% 70% 85% 90% ✅ 90%
T1071.001 (Web C2) 60% 75% 85% 90% ✅ 90%
T1048 (Exfiltration) 30% 50% 65% 80% 90%
Overall Coverage 45% 68% 80% 90% 90%

Detection Coverage Heatmap:

MITRE ATT&CK Tactic Coverage (Q3 2025):

Initial Access:        â– â– â– â– â– â– â– â– â–¡â–¡  80%
Execution:             â– â– â– â– â– â– â– â– â– â–¡  90%
Persistence:           â– â– â– â– â– â– â–¡â–¡â–¡â–¡  60%  ⚠️ Need improvement
Privilege Escalation:  â– â– â– â– â– â– â– â–¡â–¡â–¡  70%
Defense Evasion:       â– â– â– â– â– â–¡â–¡â–¡â–¡â–¡  50%  ⚠️ Need improvement
Credential Access:     â– â– â– â– â– â– â– â– â– â– 100% ✅
Discovery:             â– â– â– â– â– â– â– â–¡â–¡â–¡  70%
Lateral Movement:      â– â– â– â– â– â– â– â– â– â–¡  90%
Collection:            â– â– â– â– â–¡â–¡â–¡â–¡â–¡â–¡  40%  ⚠️ Need improvement
Exfiltration:          â– â– â– â– â– â– â– â– â–¡â–¡  80%
Command & Control:     â– â– â– â– â– â– â– â– â– â–¡  90%

9.5 Purple Team Best Practices

DO's: - ✅ Focus on one technique at a time (depth over breadth) - ✅ Document everything (attack commands, detection queries, tuning changes) - ✅ Celebrate improvements (detection coverage increases) - ✅ Share knowledge (Red Team teaches Blue Team attack techniques) - ✅ Iterate frequently (weekly/bi-weekly exercises)

DON'Ts: - ❌ Don't blame Blue Team for missed detections (collaborative, not adversarial) - ❌ Don't rush through exercises (quality over quantity) - ❌ Don't skip documentation (lessons learned are valuable) - ❌ Don't test in production during business hours (use after-hours or lab environment) - ❌ Don't forget to revert changes (clean up test accounts, firewall rules)