Purple teaming exercises
Following the comprehensive workshop, your security operations center now has a deeper understanding of their detective capabilities – both conceptually and functionally. Through this unique opportunity they were also able to refine existing defensive measures for improved performance.
After analysis and assessment of the SOC capabilities, we move on to a series of purple teaming exercises: a collaborative effort between FalconForce’s offensive “red” team and your defensive “blue” team. With our combined forces, let us put detection security strategies to the test!
First, we jointly select targets and relevant attacker techniques that will be used in the purple teaming exercises. We use the industry-wide accepted MITRE ATT&CK matrix, a common language that aids both offensive and defensive teams. Also, during the preparation step, the necessary technical preparations are made, such as setting up test accounts or arranging network access for the red team.
Attack technique simulation
Next, the red team will perform attacks on your selected environment(s) based on the attacker techniques chosen in the preparation step. The red team will perform these attacks in a controlled manner, so as not to disturb production systems. During the red team’s attacks, the SOC will actively monitor and see whether the selected MITRE ATT&CK techniques are detected.
Purple teaming exercise
Next, FalconForce will facilitate a hands-on purple teaming exercise with your SOC team. Inputs for the exercise are the techniques used and the IOC data captured during the red teaming. In the purple teaming exercise, we will discuss where detection was (not) successful. FalconForce can replay specific attacks during the exercise to enable an in-depth discussion on how detection can be improved. Where useful, first tweaks can already be made and tested on the spot. The outcome of the exercise is a list of improvement points that you can take further action on.
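The preparation, simulation and exercise steps above boil down to one bookkeeping task: for every ATT&CK technique the red team executed, did a SOC alert fire on the right host within a reasonable time, and if not (or only slowly), what goes on the improvement list? The script below is an added example of that correlation, not FalconForce's own tooling. The hosts, timestamps, rule names, the 30-minute correlation window and the 5-minute time-to-detect target are all constructed assumptions; in practice the simulation log comes from the red team's execution notes and the alerts from your SIEM export, with the ATT&CK tag taken from each detection rule's metadata.

```python
"""Score purple-team detection coverage: ATT&CK techniques simulated vs. alerts observed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Simulation:
    technique_id: str   # MITRE ATT&CK technique ID the red team executed, e.g. T1059.001
    name: str           # human-readable technique name
    host: str           # host the technique was executed on
    started: datetime   # when the red team ran it (from their execution log)


@dataclass
class Alert:
    rule: str                          # name of the SIEM detection rule that fired
    host: str                          # host the alert refers to
    fired: datetime                    # alert timestamp
    technique_id: Optional[str] = None # ATT&CK tag on the rule, if the rule has one


# Constructed sample data (hypothetical hosts, times and rule names).
T0 = datetime(2024, 1, 10, 10, 0)
SIMULATIONS = [
    Simulation("T1059.001", "PowerShell", "WS-01", T0),
    Simulation("T1003.001", "LSASS Memory", "WS-01", T0 + timedelta(minutes=20)),
    Simulation("T1021.002", "SMB/Windows Admin Shares", "SRV-01", T0 + timedelta(minutes=40)),
]
ALERTS = [
    Alert("Suspicious PowerShell command line", "WS-01", T0 + timedelta(minutes=3), "T1059.001"),
    Alert("Suspicious PowerShell command line", "WS-02", T0 + timedelta(minutes=5), "T1059.001"),  # wrong host
    Alert("LSASS handle from non-system process", "WS-01", T0 + timedelta(minutes=28), "T1003.001"),
    Alert("Generic EDR noise", "SRV-01", T0 + timedelta(minutes=41)),  # untagged: cannot be credited
]


def correlate(simulations: List[Simulation], alerts: List[Alert],
              window: timedelta = timedelta(minutes=30)) -> Dict[str, dict]:
    """For each simulated technique, find alerts on the same host, carrying the same
    ATT&CK tag, fired within `window` after execution. Returns per-technique results."""
    results: Dict[str, dict] = {}
    for sim in simulations:
        hits = sorted(
            (a for a in alerts
             if a.host == sim.host
             and a.technique_id == sim.technique_id
             and sim.started <= a.fired <= sim.started + window),
            key=lambda a: a.fired,
        )
        results[sim.technique_id] = {
            "name": sim.name,
            "detected": bool(hits),
            "rules": [a.rule for a in hits],
            # time-to-detect in whole minutes, measured to the first matching alert
            "delay_minutes": int((hits[0].fired - sim.started).total_seconds() // 60) if hits else None,
        }
    return results


def coverage(results: Dict[str, dict]) -> float:
    """Fraction of simulated techniques that produced at least one matching alert."""
    if not results:
        return 0.0
    return sum(r["detected"] for r in results.values()) / len(results)


def improvement_points(results: Dict[str, dict], target_minutes: int = 5) -> List[str]:
    """Turn the correlation into the exercise's deliverable: a list of action items.
    `target_minutes` is a hypothetical time-to-detect goal agreed with the SOC."""
    points = []
    for tid, r in results.items():
        if not r["detected"]:
            points.append(f"{tid} {r['name']}: no alert within window; build or tune a detection")
        elif r["delay_minutes"] > target_minutes:
            points.append(f"{tid} {r['name']}: detected after {r['delay_minutes']} min; reduce alert latency")
    return points


def run_exercise():
    results = correlate(SIMULATIONS, ALERTS)
    return results, coverage(results), improvement_points(results)


if __name__ == "__main__":
    results, cov, points = run_exercise()
    for tid, r in results.items():
        status = "DETECTED" if r["detected"] else "MISSED"
        print(f"{tid:<10} {r['name']:<26} {status:<9} {r['rules']}")
    print(f"coverage: {cov:.0%}")
    for p in points:
        print("-", p)
```

Matching on host and ATT&CK tag (rather than on rule name alone) is what keeps the score honest: the PowerShell alert on WS-02 and the untagged alert on SRV-01 are not credited, which mirrors the discussion in the exercise about whether an alert actually fired for the simulated action or merely happened to be nearby.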