Nettitude Blog

If You Can’t Be Red And Blue… Go Purple?...

Posted by Luke Ager on Sep 1, 2015 9:20:10 AM

Earlier in August, Nettitude’s CEO talked about the benefits of your Blue team working with your Red team to enhance attack and threat detection capabilities. You can find the article via SC Magazine here:

It’s a tactic that’s been discussed several times over the years and certainly a technique which reaps huge benefits for those with the capabilities to do it, but what about those organisations who don’t have a Red team?
We know the majority of organisations do not have a defensive Blue team, and even fewer have the luxury of having an in-house offensive Red team; so how do private companies go about achieving that gold standard in threat detection that they are all striving for?

For those companies that have taken the plunge and deployed a SOC solution and have a dedicated team of staff managing the platform, it’s not unreasonable to assume that the CISO’s budget might not stretch to several external Red Team exercises, which are done with the sole intention of developing the Blue team’s capabilities. Certainly, before my time at Nettitude, I have been involved in Red team exercises, and only learned about them when my team detected them. We reported on the activity we observed but never had visibility of the report that the Red team produced. At board level, when budget is being allocated it’s often a case that if your Blue team detected a PART of an attack, then no more budget is required. The team is therefore serving its purpose, but if you ask any security professional, the focus is always on ”what didn’t we see?”, comparing reports between both teams allows at the SOC Team to review what was missed and make improvements where necessary. The only problem is often that no one is testing the improvements!

In my experience, nothing beats having defensive staff with an offensive mind-set. If you can’t mix Red and Blue together… then go Purple!

OK, maybe not Purple, but the chances are, you have an aspiring Pen tester already working in your SOC, or at the very least, an analyst who has the curiosity to want to learn how attacks are done. Numerous resources are available which are great for learning different areas of security and many of them go into a depth covering offensive Pen test techniques. Set aside some time each week or month to allow for development in these areas and reap the rewards when your analyst turns into a SIEM or IDS content engineer overnight!

Purple Team Figure 1 - An Analyst building a Malicious Macro ready to add to an office document and send into a test environment

With a simple test environment, your team can begin to attack and defend systems which not only helps you protect your own network but it also encourages analysts to not only use, but also develop the tools and solutions you have had to fight tooth and nail to get the budget for. When the next Shell-shock or Heartbleed happens your analysts might be in a better position to write their own signature and deploy it instead of waiting two or three days for your third party vendors to publish their own signatures.

Malicious Macto Figure 2 - An Analyst building a SIEM Alarm to detect the above malicious Macro

Building an in-house SOC can be a challenge both financially and tactically, and deploying a team of security analysts is very much like deploying a new SIEM or IDS/IPS. They might work well out of the box, but you need to tune and develop those assets to really get the best out of them and that can take years to reach a mature state. Nettitude’s Managed SOC is designed to take that burden away from organisations that want a SOC that is instantly effective. Our analysts are experts in their field and are constantly developing to ensure that new threats and attacks are detected immediately. Organisations can look to build their own SOC or work with Nettitude to deliver this service on their behalf.

Whatever form that SOC solution comes in, we recommend that it comes with a team of defensive and offensive Security Engineers on staff. With this you can replay attacks over and over again until you know exactly what you didn’t see and exactly what to build into your next alarm to detect that same attack, just a little bit sooner.


To contact Nettitude's editor, please email

Topics: Security Blog, Uncategorized

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

Our experts use an award winning Threat Intelligence led approach that incorporates real-time data, ensuring that your company is protected at every stage of its journey.

Receive an update when we post!

Recent Posts