How to Train Your (Dragons) Analysts - A TrustedSec Guide to Picking the Perfect Purple Team

Whether it be the advent of AI technologies, new Red-Team techniques and exploits, or new patches and emergent defensive technologies, it’s pretty clear to all of us operating within technology fields that the landscape of computing and cyber-security is ever evolving.
In order to stay up to date with all that’s going on, the TrustedSec Purple Team has been hard at work renovating and improving our assessments to better service the needs of our clients and the broader security community.
This blog post will walk you through the types of Purple Team assessments that we offer, how to choose the assessment that will meet your security team where they are, and offer the best path forward to improvement.
TrustedSec Engagement Overview
Live Fire Exercise (LFX)
The Live Fire Exercise is an active testing engagement in which TrustedSec consultants execute a pre-designed playbook of attack scenarios within your environment, and then, in tandem with the client’s Blue Team, leverage the generated telemetry to test, validate, and evaluate logging within the client’s defensive tooling (EDR, SIEM, IDPS).
The LFX comes in two models: live, bootcamp-style assessments, and ad-hoc assessments that allow TrustedSec consultants to perform the same work with more scheduling flexibility.
Detection Validation and Review Assessment (DVR)
The Detection Validation and Review Assessment is another active-testing-style assessment that targets a specific and defined list of client-built detections.
In this ad-hoc-style engagement, TrustedSec will test and validate that existing detections can fire, provide tangible recommendations to improve their logic, and suggest additional detections if a gap in coverage is identified.
Defense Validation and SIEM Ingestion Review (DVSIR)
TrustedSec's Defense Validation is a structured assessment designed to quantify the effectiveness of an organization's defensive controls. The engagement begins with a Detection and Alerting Interview, where consultants collaborate with the organization to identify its primary security goals, high-priority systems, and business-critical data. A SIEM Configuration Review is then performed to assess whether the organization’s SIEM has sufficient visibility into environmental logging, aiming to reduce unnecessary event logging to maximize the usability of the SIEM.
Adversarial Detection and Countermeasures Engagement (AD&C) and General Variants
The AD&C assessment features live attack scenario execution and custom, high-fidelity detections written directly within your SIEM or EDR platform. We also evaluate the security posture surrounding those scenarios and provide tangible guidance for how to improve.
This exercise comes in two models: live, bootcamp-style assessments, or an ad-hoc assessment.
To tailor your experience, we also offer multiple AD&C Assessment variants, such as:
- Phases: Our standard playbooks. A great place to start if you’re new to working with us.
- MITRE Focused: Know your environment? If there are gaps pertaining to a specific phase of the MITRE framework (e.g., Lateral Movement, Discovery), this is a great assessment for a more targeted evaluation of the problem area.
- Cloud: Looking for detection engineering for AWS, GCP, Azure, or other cloud platforms? This is the right assessment for you!
- Blue Team Guidance: Looking to review and cover gaps from an existing pentest or Red Team? This assessment focuses on walking through key techniques and issues from the report, leveraging the work that has already been done to close existing gaps in detection or prevention.
- ADS: Want an AD&C but don’t have the time or budget for a large-scale assessment? This variant is limited in scope but is an excellent choice for clients who may wish to test out and see if this type of assessment will meet their needs, or for those who need an accelerated timeline.
- Ransomware Resilience: A shorter, ransomware-focused assessment that seeks to identify and cover detection gaps for common ransomware techniques.
Threat Emulation Assessment (TEA)
A threat emulation is a more advanced assessment wherein TrustedSec will design a custom threat emulation based on a specific Threat Group, execute the scenario, and ensure that proper detection capabilities exist for each step in the attack sequence.
Deception Engineering and Implementation Engagement (DEIE)
The DEIE engagement is another advanced assessment for clients looking to design and implement deception technologies and accompanying detections within their environments.
In this assessment, clients can choose from pre-built deception technologies per technology stack, or work with TrustedSec consultants to design custom deceptions for a platform of their choosing.
SOC Response Training
The SOC-RT assessment is a hybrid, interactive tabletop training exercise that provides practical hands-on exercises for your defensive team. In this assessment, a series of attack sequences will be executed in your environment and guided exercises will walk your SOC through investigative logic and solutions, with an attack scenario live demonstration and subsequent investigative discussion after each exercise.
How to Pick Your Perfect Match
Now that you have a solid idea on each of our offerings, let’s talk about how to choose the Purple Team assessment that will get you and your security team the best value.
Where to Start
For clients who may not know where to start their journey, or would like help better understanding their environment, logging, and existing detection capabilities, we highly recommend starting with a Defense Validation and SIEM Ingestion Review (DVSIR) or a Live Fire Exercise (LFX).
A DVSIR will help you identify critical assets and existing technologies through inquiry-style testing and then evaluate your current SIEM to provide recommendations on your existing logging structure and how to get the most out of your SIEM.
A Live Fire Exercise will then test logging directly with real-world attack scenarios to ensure that you have the telemetry in place to detect them.
Where to Go Next
For those clients who have a strong idea of their defensive tooling and logging infrastructure, we highly recommend one (or more!) of the next three assessment types.
If you’re looking for a detection building engagement, look no further than our AD&C assessments. This will provide attack demonstrations, knowledge transfer from consultant to security teams, and will feature custom detection engineering that will be implementation ready by the end of the assessment.
Alternately, if you’re looking to improve existing detections, try our Detection Validation and Review Assessment. In this assessment, we will test your existing detections, recommend improvements in logic, and identify any gaps that may be present.
Or, if you’re looking to augment and test your defensive team’s skills, try a SOC Response Training exercise.
For the Advanced Security Teams Among Us
If you’re looking for something new to enhance your security program, why not try a Threat Emulation Assessment, or our Deception Engineering assessment? Both of these assessments look to improve your defenses in ways that go beyond basic or intermediate level testing.
Your Adventure at a Glance
It’s also possible to view our assessments through the following lenses:
- Detection Engineering Assessments
- Active Testing Assessments; and
- Level-Up Assessments
The graphic below gives a quick overview of the assessments and which categories they fall into.
In addition to all the engagement styles we offer above, we are always more than happy to sit down and chat about the security posture of your organization. If something above doesn’t match what you’re looking for, let us know! We also offer customized approaches that may better suit your team’s needs.
Conclusion
Picking the right Purple Team assessment for your organization can be a challenging endeavor, whether it be identifying a starting point or putting together a roadmap for next steps. TrustedSec’s account managers and consulting team have the skills and expertise to provide actionable guidance to assist your organization at all stages of its journey. If you have questions or are interested in these services, please get in touch with us!