How Is Purple Teaming Different from Red vs. Blue Teams?
Purple teams exist to maximize the effectiveness of red and blue teams by integrating the blue team’s defensive tactics and controls with the information on threats and vulnerabilities uncovered by the red team into a single narrative.
A blue team is a healthcare organization’s internal security team; a red team, which could be a dedicated internal team or a security partner, attempts attacks to test these defenses. During purple team exercises, the two teams work together to determine how attacks are being detected and thwarted.
“Ideally, purple shouldn’t be a team at all, but rather a permanent dynamic between red and blue. From healthcare to utilities and government agencies, CISOs are using analysis and reports from purple team assessments, where both red teams (offense) and blue teams (defense) work collaboratively to assess an organization's systems, uncover areas of vulnerability and exposure, and report to the board on the organization’s overall cybersecurity posture,” says Stew Wolfe, technology and transformation cybersecurity leader for Cisco. “Purple team engagement is valuable to executives and board members because instead of having a conversation around hypotheticals, the team can show real-world results based on the company’s unique environment, technologies and crown jewels. It changes the discussion from ‘An attacker could have done this’ to ‘Here’s what an attacker did and the impact to our organization.’”
How Purple Team Exercises Benefit Healthcare Organizations
As ransomware attacks increase, healthcare CISOs are looking for effective methods to reduce risk beyond traditional means such as penetration testing. Purple team exercises are a critical part of any robust and effective security strategy.
“Ideally, these exercises help the organization identify weaknesses in the people, processes and technologies within the network perimeter, as well as pinpoint security gaps such as backdoors, incident response capability and identify other vulnerabilities that may exist within the security architecture,” says Wolfe. “After the exercises, a healthcare institution will have something more tangible to discuss at the strategic level on policy, prioritization and security funding, and can adjust based on the findings.”
The more practical experience a blue team gets at defending against cyberattacks, the better it will become. Purple team exercises help blue teams to improve their remediation activities.
“In healthcare, we talk about people, process and technology. All three of those things can have issues or challenges when it comes to cybersecurity. People can, through social engineering processes, be convinced to give up credentials. The process and the technology sides are more self-explanatory,” says Drex DeFord, executive healthcare strategist at CrowdStrike. “We have particular ways that we do things inside of networks or inside of cybersecurity programs, and sometimes, those things have too many steps, where there’s something that we’ve left out. We’re looking for all those things. Anything that we can find where there’s a vulnerability in those people, process, technology or parts, that’s a good outcome and that’s a good reason to do the exercises.”
These exercises can also bring to light infrastructure weaknesses not necessarily related to security. DeFord explains that healthcare organizations often build up their IT infrastructures incrementally over time in a way that may create weaknesses.
“If a certain thing happens in the infrastructure, it can actually cause a cascade effect in downtime,” he adds. “A lot of this is about finding problems and issues that make it easy to have downtime, which may be caused by cybersecurity incidences or could be caused by other things too. If the red team causes it, though, it’s an opportunity for us to learn, and that’s what the whole exercise is really about.”