Purple Team Exercise Readiness Checklist

Effective purple team exercises start with strong security practices to yield efficient exercise results that improve your organization's overall security strength. Purple team exercises can be challenging due to the timeframes and resources required to conduct the exercises, deliver the findings, and remediate and reassess the issues. While planning the exercise, make sure your security strategy is built on a framework that includes a system of standards, guidelines and best practices. A solid security framework sets the stage for a strong, cohesive purple team exercise that won’t leave your team scrambling to locate resources. 

Set your team up for successful purple team exercises that are cost-efficient and effective with the following security basics already in place. This piece features a detailed checklist with recommended prerequisites for security teams to participate in and benefit from purple team exercises. 

Purple Team Readiness Checklist 

Strong Foundation of Information Security Policies and Employee Training 

• Policies are written and reference standards and procedures 
• Policies are focused on core business risk mitigation and have consensus agreement 
• Policies are approved by executive management and enforceable 
• Employee training program is established in appropriate response to common security threats, such as voice and email phishing 

Established Inventory and Control of Software/Hardware Assets   

• Both manual and automated inventory collection methods are provided 
• Inventory collection is comprehensive, including both cloud and on-premises assets 
• Mechanisms for requests, procurement, lifecycle and secure disposal are available 
• Inventory is accessible by all authorized personnel 

Properly Secured Endpoints and Infrastructure   

• Widely accepted security standards such as Department of Defense (DoD) Security Technical Implementation Guides (STIGs) and best practice cloud security recommendations are employed 
• Baseline software images and configuration management standards are in place for all IT assets 
• Change management, configuration monitoring and reporting processes are established 
• Controlled use of administrative privileges with supporting processes is in place 
• Properly secured and integrated cloud provider identity and access management solutions are used 

READ:  Threat Hunting 101: Understand the Basics 

Mature Vulnerability Management Program 

• A periodic, regular vulnerability management scanning process that includes both unauthenticated and authenticated scanning is followed 
• The vulnerability management process is augmented by cloud monitoring solutions to match on-prem and in-cloud objectives 
• Processes for timely remediation with identified asset administrators are supported by both the change management and asset management processes 
• A prioritized list of both software and data sensitivity is used to cross-reference against vulnerability management scanning results, forming a localized criticality rating 
• Difference reports are made available for every periodic scanning cycle to illustrate both new vulnerabilities and forward progress 

READ: How to Formalize Your Vulnerability Management Program

Track Record of Successful Penetration Tests 

• Comprehensive penetration testing is performed on an annual or semi-annual basis that includes internal network, external network and specific applications 
• Incremental improvement in information security processes and vulnerability management is gained as a result of penetration-testing activities 
• Penetration-testing program includes assessment of cloud-deployed resources and cloud best practice configuration auditing 

Mature Security Operations Center (SOC) 

• Well-trained staff are engaged in monitoring, analysis and threat-hunting activities 
• Staff has a comprehensive understanding of the MITRE ATT&CK framework, which lays the foundation of tactics, techniques and procedures (TTPs) used by adversaries  
• SOC has demonstrated visibility into events generated by all prior penetration-testing activities 
• Monitoring technology and processes are supplemented by managed security service providers (MSSPs) where applicable 
• SOC has a demonstrated track record in timely response and remediation of threat actor-driven incidents 
• Mature metrics on security incidents are reported such that lessons learned are actively used to tune and improve processes 

READ: Strategies for Building an Effective Purple Team

Tips for Purple Team Exercise Readiness 

To build readiness for purple team exercises and collaborate toward uniform security goals, make sure the essential fundamental security framework pieces are already in place for a maximum utilization of available time and resources. You’ll be able to successfully conduct organized and less chaotic purple team exercises and resolve any challenges associated with testing and remediation. 

A clear purple team checklist helps to organize the exercise and keeps the teams working together to yield the desired results that uncover vulnerabilities and strengthen the organization. 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.