
Purple Team Exercise

Updated January 2025

Service Overview

The Purple Team Exercise allows your defenders to experience live-fire information security exercises designed to mimic real-world threat scenarios. You defend and/or hunt in your own network, using your own tooling, against a live attack while maintaining a real-time, constant communication channel with the Sophos Adversary Group ("Red Team").

The Purple Team Exercise is for organizations with established security monitoring—either in-house or third-party monitoring services—that want to test assumptions about current detection, prevention, and response capabilities against common tactics, techniques, and procedures ("TTPs") of modern threat actors. This exercise is an excellent starting point to identify the readiness of your detection, prevention, and response capabilities prior to executing more advanced exercises, such as the Red Team Exercise - Full Spectrum and Red Team Exercise - Intel Led.

Each exercise is based on common scenarios that emulate real-world TTPs with a goal of providing actionable events for the defenders so they can identify visibility deficiencies within security controls, and work with our consultants to improve detection capabilities.

Additionally, Sophos understands that each organization has different needs and time constraints for interactive exercises, and as such, the Purple Team Exercise service has various tiers which offer flexibility and scaling interactivity based on individual needs as outlined in the table below.

Purple Team Exercise
  The "Purple Team Exercise" allows organizations time to interact with the Red Team over the course of five days. This five-day exercise spreads out playbook tasks to give defenders ample time to hunt and validate alerting, as well as communicate with the Red Team in real time during activities to ask questions and discuss how to improve detection and alerting.

One or more of the following playbooks can be chosen for this exercise:
  • Internal & Active Directory Exercise
  • Command and Control ("C2") Detonation and Network Detection Exercise
  • Ransomware Group Emulation Exercise
  • Cloud Compromise Exercise

For the above exercise, an add-on service—Post-Remediation Exercise Replay—is available. During each Purple Team Exercise, Customer may identify and remediate visibility deficiencies within existing security controls. If a Post-Remediation Exercise Replay add-on ("Replay") is purchased, then Sophos will perform a Replay of one Exercise to validate that any newly added remediations are working as expected.

Service Methodology

Each Purple Team Exercise is driven by pre-defined playbook scenarios that map to the MITRE ATT&CK framework, and evaluate the detection, prevention, and response capabilities of your organization's defensive team (known as the "Blue Team").

A high-level overview of the exercise methodology is summarized below:

  • Establish Communication Channel: Sophos establishes a dedicated communication channel for constant communication throughout the Purple Team Exercise, allowing your team to communicate with the Red Team in real time to address detection gaps where applicable.
  • Pre-defined Playbook Execution: Sophos will emulate threats in alignment with the chosen predefined playbook, one action at a time, notifying your Blue Team with appropriate timestamps, the commands and tools used, and any applicable notes to aid detection efforts. The executed threat activity will be mapped to MITRE ATT&CK to provide a consistent framework for Red and Blue Team alignment. While most playbooks will attempt to breach networks and guess valid credentials using the same methodologies as a threat actor, certain playbooks may require the Blue Team to provide valid credentials and access to pre-selected target endpoints following an assumed-breach model, so that the exercise delivers maximum value. Upon completion of the playbooks, if ample time remains in the execution window, individual Red Team actions can be replayed at the request of the Blue Team to test any newly created security controls.
  • Detection and Response Result Collection: After execution of each playbook action, Sophos will update the Blue Team on the outcome of the action and ask the Blue Team to provide sample logs showing what activity was logged, whether it triggered a signature detection from security controls, and whether the detected activity was brought to the attention of your security team through alerting notification systems. These metrics are recorded and provided in a detailed report.
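The result-collection step above records, for every playbook action, whether the activity was logged, whether a control detected it, and whether an alert reached an analyst, and the Replay add-on described earlier re-runs an exercise to check that remediations closed the gaps found the first time. The following Python script is an added example of how a Blue Team could track those per-action outcomes and derive the report metrics; it is not Sophos code or part of the service. The ATT&CK technique IDs are real, but the playbook action IDs, timestamps and Blue Team results are constructed sample data.

```python
"""Purple team result tracker (added example, not Sophos code).

Records per-action Blue Team outcomes, summarizes visibility by tactic,
lists gaps, and compares a baseline exercise with a post-remediation replay.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordered visibility levels: each level implies the ones before it.
LEVELS = ("not_logged", "logged", "detected", "alerted")


@dataclass(frozen=True)
class ActionResult:
    action_id: str   # playbook step identifier (constructed)
    technique: str   # MITRE ATT&CK technique ID
    tactic: str      # ATT&CK tactic the step was executed under
    timestamp: str   # Red Team execution time, UTC (constructed)
    logged: bool     # activity found in telemetry
    detected: bool   # a security control fired a rule/signature
    alerted: bool    # the detection reached an analyst via alerting

    def __post_init__(self):
        # Alerting without detection, or detection without logging, is a
        # data-entry error in the result sheet and must not skew the metrics.
        if (self.alerted and not self.detected) or (self.detected and not self.logged):
            raise ValueError(f"{self.action_id}: inconsistent visibility flags")

    def level(self) -> str:
        """Highest visibility level the Blue Team reached for this action."""
        if self.alerted:
            return "alerted"
        if self.detected:
            return "detected"
        return "logged" if self.logged else "not_logged"


def summarize(results):
    """Overall counts per level, detection/alert rates and per-tactic coverage."""
    counts = {lvl: 0 for lvl in LEVELS}
    by_tactic = defaultdict(lambda: {"actions": 0, "detected": 0, "alerted": 0})
    for r in results:
        counts[r.level()] += 1
        by_tactic[r.tactic]["actions"] += 1
        by_tactic[r.tactic]["detected"] += int(r.detected)
        by_tactic[r.tactic]["alerted"] += int(r.alerted)
    total = len(results)
    return {
        "total": total,
        "counts": counts,
        "detection_rate": round(sum(r.detected for r in results) / total, 2) if total else 0.0,
        "alert_rate": round(sum(r.alerted for r in results) / total, 2) if total else 0.0,
        "by_tactic": dict(by_tactic),
    }


def visibility_gaps(results):
    """Actions no control detected: the remediation backlog for the Blue Team."""
    return [(r.action_id, r.technique, r.level()) for r in results if not r.detected]


def compare_replay(baseline, replay):
    """Per action: did visibility improve, regress or stay the same after remediation?"""
    after = {r.action_id: r for r in replay}
    report = {}
    for b in baseline:
        a = after.get(b.action_id)
        if a is None:
            report[b.action_id] = ("not_replayed", b.level(), None)
            continue
        bi, ai = LEVELS.index(b.level()), LEVELS.index(a.level())
        status = "improved" if ai > bi else "regressed" if ai < bi else "unchanged"
        report[b.action_id] = (status, LEVELS[bi], LEVELS[ai])
    return report


# Constructed sample results from a first exercise and its replay.
BASELINE = [
    ActionResult("PB1-01", "T1078", "Initial Access", "2025-01-13T09:05Z", True, False, False),
    ActionResult("PB1-02", "T1059.001", "Execution", "2025-01-13T09:40Z", True, True, True),
    ActionResult("PB1-03", "T1003.001", "Credential Access", "2025-01-13T10:15Z", True, True, False),
    ActionResult("PB1-04", "T1021.002", "Lateral Movement", "2025-01-13T11:00Z", False, False, False),
    ActionResult("PB2-01", "T1071.001", "Command and Control", "2025-01-14T09:10Z", True, False, False),
    ActionResult("PB3-01", "T1486", "Impact", "2025-01-15T14:30Z", True, True, True),
]
REPLAY = [
    ActionResult("PB1-01", "T1078", "Initial Access", "2025-02-03T09:00Z", True, True, True),
    ActionResult("PB1-02", "T1059.001", "Execution", "2025-02-03T09:35Z", True, True, False),
    ActionResult("PB1-03", "T1003.001", "Credential Access", "2025-02-03T10:10Z", True, True, True),
    ActionResult("PB1-04", "T1021.002", "Lateral Movement", "2025-02-03T10:55Z", True, False, False),
    ActionResult("PB2-01", "T1071.001", "Command and Control", "2025-02-03T11:20Z", True, False, False),
    ActionResult("PB3-01", "T1486", "Impact", "2025-02-03T14:00Z", True, True, True),
]

if __name__ == "__main__":
    print("baseline:", summarize(BASELINE))
    print("gaps:", visibility_gaps(BASELINE))
    for action, outcome in compare_replay(BASELINE, REPLAY).items():
        print(action, *outcome)
```

The comparison matches actions by ID rather than by technique, because a replay re-executes the same playbook step; a step that scores lower on replay (here PB1-02, where the alert no longer reaches an analyst) is worth as much attention as the gaps that were closed, since it indicates a regression introduced alongside the remediation.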

Outcome

Upon completion of the Purple Team Exercise, Sophos will provide a detailed report containing all actions performed during the playbook execution, the MITRE ATT&CK framework mapping of each action, tool commands and output, activity timestamps, and all Blue Team results provided, including notes, logs, signature detections, and alerting metrics.

Scoping Information

Description                                 Exercise Duration
Purple Team Exercise                        1 week
Add-on: Post-Remediation Exercise Replay    -

The complete Service Description for this service can be found here: Sophos Purple Team Exercise
