[FIC REPORT] Red Team, Purple Team, Bug Bounty… The new ways to conduct tests and security audits, Thomas Gayet, Director of the CERT digital.security

FIC Synopsis: “Red Team, Purple Team, Bug Bounty… These new ways of working promise innovative approaches to evaluating or strengthening the security of your information systems. What are their benefits? Are they suited to all contexts? The director of CERT digital.security shared his vision at the 2019 FIC in Lille”.


The Purple Team is the result of collaboration between the Blue Team and the Red Team. It consists of aligning the Red Team and Blue Team objectives to improve the defence of the IT system by creating a virtuous cycle of cooperation.

Traditionally, the Blue Team and the Red Team are distinguished by their missions and by the objectives they pursue.

The Blue Team:
– Is a team (SOC, ISS team, etc.), often internal, that has itself carried out few attacks on an IT system
– Gathers intelligence on attackers
– Analyses attacks and malware
– Ensures permanent monitoring of the IT system
– Conducts digital investigations

On the other hand, the Red Team:
– Consists mainly of pentesters
– Is often external and has little practice in securing an IT system
– Collects information on the target and looks for vulnerabilities
– Uses social engineering
– Conducts physical and logical intrusions

The Blue Team defends the IT System while the Red Team attacks and tries to enter the network.

Their approaches and objectives therefore differ:
The Red Team carries out one-off intrusions. If the attack succeeds, the Red Team wins, but detection is not improved. The RT also produces an overly dense report, focused on the vulnerabilities to be fixed. Finally, it has no knowledge of the detection mechanisms in place.
In response, the Blue Team performs one-off blocking. When it wins, however, its TTPs (techniques, tactics and procedures) are not improved. Its action focuses on the reported vulnerabilities, but it is confronted with a lack of knowledge of attack mechanisms.

The Purple Team conducts Red Team-style intrusion tests in order to train the Blue Team. It has its own objectives and aims to improve the Blue Team’s detection capabilities through the creation and use of new rules > log sources > detection and correlation rules > actions to take according to events (anticipation of attack scenarios). It keeps the Blue Team in a permanent state of alert with regard to attackers and detection cases; it also unblocks Red Team attacks so that the Blue Team keeps learning how to detect the subsequent steps. The PT likewise allows the RT to refine its attack methods to adapt to the detection mechanisms implemented on the information system concerned.

Ultimately, whether the intrusion succeeds or fails, the outcome is a victory for security and feeds the continuous improvement loop for IS security.
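As an added example (not material from the talk or from digital.security) of the chain described above, the constructed script below plays a scenario made of the steps named on this page (initial intrusion, pivoting) plus a constructed “persistence” step, runs Blue Team correlation rules keyed by log source over constructed sample events, and turns every step the rules miss into a concrete ticket to improve detection. Event fields, rule names, thresholds and time windows are assumptions for illustration; the Windows Security event IDs 4624 (logon) and 4698 (scheduled task created) are real.

```python
"""Purple Team detection loop over constructed logs.

Added example, not code from the talk or from digital.security. It models the
chain described in the text: Red Team scenario steps -> log sources ->
detection and correlation rules -> actions. Every scenario step the rules miss
becomes a concrete ticket to improve detection.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "step" is the exercise's ground
# truth: which Red Team scenario step produced the event (None = benign noise).
EVENTS = [
    {"ts": "2019-01-22T08:00:00", "source": "vpn", "user": "bob", "src_ip": "203.0.113.5", "result": "success", "step": None},
    {"ts": "2019-01-22T09:00:01", "source": "vpn", "user": "alice", "src_ip": "198.51.100.7", "result": "fail", "step": "initial intrusion"},
    {"ts": "2019-01-22T09:00:20", "source": "vpn", "user": "alice", "src_ip": "198.51.100.7", "result": "fail", "step": "initial intrusion"},
    {"ts": "2019-01-22T09:00:45", "source": "vpn", "user": "alice", "src_ip": "198.51.100.7", "result": "fail", "step": "initial intrusion"},
    {"ts": "2019-01-22T09:01:10", "source": "vpn", "user": "alice", "src_ip": "198.51.100.7", "result": "success", "step": "initial intrusion"},
    {"ts": "2019-01-22T09:05:00", "source": "windows_security", "user": "bob", "event_id": 4624, "logon_type": 3, "host": "srv-files", "step": None},
    {"ts": "2019-01-22T09:30:00", "source": "windows_security", "user": "alice", "event_id": 4624, "logon_type": 3, "host": "srv-files", "step": "pivoting"},
    {"ts": "2019-01-22T09:32:00", "source": "windows_security", "user": "alice", "event_id": 4624, "logon_type": 3, "host": "srv-db", "step": "pivoting"},
    {"ts": "2019-01-22T09:40:00", "source": "windows_security", "user": "alice", "event_id": 4698, "host": "srv-db", "task": "updater", "step": "persistence"},
]


@dataclass
class Alert:
    rule: str
    key: str        # the correlated entity (source IP or account)
    ts: datetime


def parse_ts(s):
    return datetime.fromisoformat(s)


def rule_vpn_bruteforce(events, min_fails=3, window=timedelta(minutes=5)):
    """Correlation rule on the VPN log source: at least min_fails failed logins
    followed by a success from the same source IP inside the window."""
    alerts = []
    by_ip = defaultdict(list)
    for e in events:
        if e["source"] == "vpn":
            by_ip[e["src_ip"]].append(e)
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            if e["result"] != "success":
                continue
            t = parse_ts(e["ts"])
            fails = [x for x in evs[:i] if x["result"] == "fail" and t - parse_ts(x["ts"]) <= window]
            if len(fails) >= min_fails:
                alerts.append(Alert("vpn_bruteforce_then_success", ip, t))
    return alerts


def rule_lateral_fanout(events, min_hosts=2, window=timedelta(minutes=10)):
    """Correlation rule on the Windows Security log source: one account opening
    network logons (4624, logon type 3) to several distinct hosts inside the window."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        if e["source"] == "windows_security" and e.get("event_id") == 4624 and e.get("logon_type") == 3:
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, e in enumerate(evs):
            t = parse_ts(e["ts"])
            hosts = {x["host"] for x in evs[:i + 1] if t - parse_ts(x["ts"]) <= window}
            if len(hosts) >= min_hosts:
                alerts.append(Alert("lateral_logon_fanout", user, t))
                break  # one alert per account is enough for the exercise
    return alerts


# Rules declared per scenario step: the detections the Blue Team expects to
# fire for each step. "persistence" deliberately has no rule yet.
RULES = {
    "initial intrusion": [rule_vpn_bruteforce],
    "pivoting": [rule_lateral_fanout],
    "persistence": [],
}


def run_exercise(events, rules):
    """Run every rule over the logs; return the detected steps and a ticket for
    each step that was played but never produced an alert."""
    fired = {step: [a for r in fns for a in r(events)] for step, fns in rules.items()}
    played = {e["step"] for e in events if e["step"]}
    detected = sorted(s for s in played if fired.get(s))
    tickets = []
    for step in sorted(played - set(detected)):
        sources = sorted({e["source"] for e in events if e["step"] == step})
        tickets.append({
            "step": step,
            "log_sources": sources,
            "action": f"write a detection rule for '{step}' on log source(s): {', '.join(sources)}",
        })
    return detected, tickets


if __name__ == "__main__":
    detected, tickets = run_exercise(EVENTS, RULES)
    print("detected:", detected)
    for t in tickets:
        print("ticket:", t["action"])
```

Run as a script, it reports that the initial intrusion and pivoting steps were detected and emits one ticket for the persistence step, naming the log source that already holds the evidence. The ticket is the deliverable, not a report: the Blue Team writes the missing rule, the Red Team replays the step on the next rotation, and the loop continues.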

Purple Team Organization:

– Red Team members are integrated into the Blue Team through physical proximity
– Pentester rotation is provided to vary the approaches (different TTPs)
– Scenarios are played out over time: initial intrusion, pivoting, etc.
The PT is also organised around attack scenarios. It defines perimeters and means > technical, social engineering, physical intrusions, etc. It sets the expected objectives > trophy definition, detection of a specific attack, testing of a security mechanism, etc. Finally, it relies on the capitalisation and organisation of knowledge transfer by a single pilot.

digital.security offers a Purple Team service model:

It comprises a permanent presence (10 days a month):
– Red Team members integrated into the Blue Team (or nearby)
– Rotation of members to vary the pentesting approaches (different TTPs)
– Scenarios played out over time (initial intrusion, pivoting, etc.)

As well as a pilot expert for the service (2 days a month):
– Scope and resources: Technical, Social Engineering, Physical Intrusions, etc.
– Expected objectives: Definition of trophies, Detection of a specific attack, testing of a security mechanism, etc.
– Deliverables: creation of concrete tickets to improve detection (no reports)
– Provision of methodological reports by the Red Team for reference

The CERT digital.security team is at your disposal for any further information about the Purple Team.