Michael A. Raggi

Ch33r10 edited this page Mar 9, 2022 · 4 revisions

Michael A. Raggi Enterprise Purple Teaming Professional Interview

7/2/21: YouTube Video. Purple Team Perspectives with Michael Raggi - Link

  • I believe the purple team is a collaboration method of different teams within a security enterprise, managerial, defensive, and offensive, that collaborate in order to scope, establish, test, and defend security controls within an enterprise environment. The goal of this activity is to test the controls that are in place, identify gaps, and ultimately improve upon existing controls in a lessons-learned fashion. Above all, I think it's important to think of a purple team exercise as an investment. It's a series of services, tools, and human cycles that all cost money, aimed at performing actions that result in a measurable improvement in security posture. That improvement decreases risk, and that decrease is the return on investment for a purple team. I think much has been said about the red team vs. blue team aspects of purple team exercises. Attack and defend like it's a chess game. But really I think most enterprise purple team exercise investments fail in the planning and in the reporting phase, after the exciting red vs. blue sparks fly.
  • Management invests in a multidisciplinary team to measure risk, implement controls, and perform activities that ultimately reduce risk.
  • In carrying out the purple team atomic framework, specifically in the harden and reporting phases you are demonstrating an ROI on your purple team endeavor which provides a risk reduction as a return to the management that has invested in this approach.

Tips

  • Decide in advance if the goal is to test security controls vs. identify security gaps.
  • Emulating advanced actor TTPs, tools, and binaries can be problematic if actual adversary binaries are not used in a de-payloaded manner. Make sure you know what the payloads do, make sure you are using an isolated network segment for testing, and make sure even your testing infra isn't on corporate IP space, to avoid providing information to APT adversaries.

Vendor Purple Insights

  • Vendors may disrupt a purple team exercise by blocking an attachment, a binary from executing on a host, or an inbound network request, and not properly reporting this, so that the block is not captured by logs. Knowing what the vendor policy is on red team activity, and having a line of communication to clarify and confirm where your activity was interceded from a red team perspective, is very important.
  • Don't miss an opportunity to demonstrate ROI or increase ROI because vendor controls are interceding in purple team exercise beyond your enterprise visibility.
  • I am a proponent of treating security vendors like an extension of the blue team. Build relationships. Open communications channels. And deconflict engagement occurrences as part of the purple team engagement's post mortem.
  • Collaborate [with security vendors] for better controls through communication to create the largest surface area to strengthen your security mesh across all stakeholders.