Published by Willem Mouton, Director, Security Testing and Assurance, 27 November 2023
Introducing a new open-source CyberCX tool for mastering the art of purple teaming.
Effective purple teaming is one of the most rewarding and beneficial exercises in cyber security. If done correctly, purple teaming means putting your red team skills to work in more creative and relevant ways than a traditional penetration test but without the stress of getting caught.
However, there is a downside to this approach: data capturing. To allow defenders to accurately diagnose and tweak defences they need enough information and context to be able to work on the problem and retrace steps long after the end of the engagement.
To help with this, CyberCX explored some other tools (and there are some great ones out there) to help with this data capture and management problem. Ultimately, we just could not find one that hit all the marks.
CyberCX required something that was:
- Lightweight and easy to deploy.
- Easily hackable to allow us to quickly customise or adjust during an engagement.
- Portable with data; both results and templates.
- Flexible with reporting.
So, we created our own. Thus PurpleOps was born.
PurpleOps is a python flask-based web UI to help us manage, collect, share, and report on all our actions during a purple team exercise. Plus, at the end of the engagement we can leave it with the customer and the blue team to continue working and expand on the work that was done during the purple team exercise.
Figure 1: Assessment overview screen.
PurpleOps allows us to create assessments, capture, and organise our various test cases and actions aligned to the Mitre ATT&CK framework. We also pull in data from some other amazing open-source initiatives such as Atomic Red Team (ART) to get bootstrapped with some fantastic initial test cases to use. Additionally, detection advice and guidance from both Mitre ATT&CK as well as the Sigma project helps make information easily available to both the red and blue teamers and it helps drive conversations and discussions.
Figure 2: Assessment testcase overview screen with the testcase import modal open.
During the execution of testcases it also helps both sides easily capture detailed information around the actions performed, observed outcomes, evidence, and additional notes. This ensures that the correct context and details for each step or action is recorded to make sure that we create as clear of a picture as possible, while at the same time maintaining enough data points to help guide the teams.
Figure 3: Showing the detailed TTP Interface with the Red (left) and Blue (right) views.
The assessment can be created based on tools such as the Mitre ATT&CK navigator and inversely results can by overlaid with the navigator giving teams the classic ATT&CK heatmap view that is useful for visualising coverage.
Figure 4: Showing test results overlaid on the ATT&CK navigator.
The evolving and devastating nature of cyber crime has always meant that the cyber security and hacker community rely on each other for sharing ideas, discoveries, and tools.
PurpleOps is open source and a CyberCX contribution to creating a community with the hope that we can assist others on their purple teaming journey. You can find more online resources here https://purpleops.app