
The hard part of red teaming begins after detection

In my recent articles for CSO, I’ve talked about the limits of current SOC models and the importance of rehearsal. This time, I want to focus on something that’s becoming increasingly clear: red teaming has lost its depth.

We’ve turned one of the most powerful tools for resilience into a transactional exercise that feels reassuring but reveals very little about how an organization will cope when the pressure is real.

Care and attention have become rare assets in our world. Distraction dominates both the consuming and supply sides of cybersecurity. Clients are pulled into complexity and novelty, while service providers are pulled into deadlines and deliverables.

Meanwhile, attackers — increasingly powered by AI — are becoming faster, quieter, and more determined.

When threats accelerate, surface-level testing is no longer enough.

The absence of findings is not the absence of risk

I’ve seen this pattern everywhere: a red team engagement produces a set of impressive results. The report looks good. Findings correlate with expectations. Leadership feels reassured.

But a result is often treated as the outcome, as if the absence of findings means the absence of risk. This is a flaw.

The industry’s default approach is shaped by time pressure, commercial constraints, and scopes that are too narrow. None of this is malicious; it’s simply how the system has evolved. Providers deliver what they’re contracted to deliver, and clients take the report as a sign of depth.

Omissions, often caused by time pressure or lack of mental space, are invisible. And invisible omissions are the most dangerous kind.


Two clients who “shouldn’t have been breakable”

Recently, we worked with two extremely mature organizations. On paper, both looked close to unbreakable.

Instead of running a standard red team, we co-designed the engagement with them. We looked at the problem as a determined attacker would, and we shared tacit knowledge openly, both our own and theirs. Crucially, everyone involved had visibility into the controls in place. It was a true cybersecurity partnership, not an audit.

And both organisations were compromised — deeply — with almost no sign of compromise.

In one case, there was a single indicator of compromise: “domain admin.” Nothing about how it happened. Nothing about what to do next. No instinctive or automated response. Just a light turning red with no playbook behind it.

In the other case, the SOC detected several alerts but never acted in time. Detection without action is just noise.

The experience was humbling. And it forced a blunt question: “You saw us. So what?”

That’s the real test. Not whether the SOC sees something. Whether it does something — fast enough and accurately enough — to stop the damage.

Standard red teaming can’t get you there

Red teaming should be the discipline that reveals these realities, but the current model rarely does. Service providers tend to focus on the bypass, the exploit, the “win.” Clients focus on closing tickets, finishing the engagement, and getting the report.


Neither mindset creates the space needed for deep thinking.

Had we rushed through our work, we’d never have found what we did. Time pressure shapes outcomes more than most organizations realize. When testing is constrained to a standard 9–5, it limits how far teams can explore the scenarios that lead to real compromise.

Resilience is the “brake” moment

Imagine you’re driving, and you see the car ahead braking suddenly. Awareness helps, but it’s your fast reaction that avoids the collision. Insurance policies don’t matter at that moment. Nor do compliance reports or dashboards.

Only vigilance and rehearsal matter.

Cyber resilience works the same way. You can’t build the instinct required to act by running one simulation a year. You build it through repetition. By testing how specific scenarios unfold. By examining not only how adversaries get in, but also how they move, escalate, evade, and exfiltrate.

This is the heart of real red teaming.

AI didn’t help either organisation

Both clients had AI embedded in their SOCs. And it made no difference.

AI can accelerate analysis, but it can’t replace instinct, design, or the judgment required to act. If the team hasn’t rehearsed what to do when the signal appears, AI only accelerates the moment when everyone realises they don’t know what happens next.

This is why so much testing today only addresses opportunistic attacks. It cleans up the low-hanging fruit. But if organized crime had wanted these organisations, they’d have had them. And that’s not an easy sentence to write.


A model that creates false confidence

The standard testing model traps everyone involved:

  • One-off tests create false confidence.
  • Scopes limit imagination.
  • Time pressure eliminates depth.
  • Commercial structures discourage collaboration.
  • Tooling gives the illusion of capability.
  • Compliance encourages the appearance of rigour instead of the reality of it.

This is why red teaming often becomes “jump out, stabilize, pull the chute, roll on landing.” But what about the hard scenarios? What about partial deployments? What about complex failures? That’s where resilience is built.

And today, resilience is the only meaningful metric.

New mindset: slow, consistent, engaged, outcome-driven

In my experience, red teaming that works requires:

  • Co-ownership of the mission.
  • Tacit knowledge shared on both sides.
  • Full visibility into controls.
  • Scenarios designed, not bought.
  • Repetition and rehearsal.
  • Space for thinking.
  • Disciplined simplicity.
  • A focus on the “so what,” not the bypass.

This is systems thinking. Engineering. Psychology. It is, in every sense, harder work than the standard model.

But the seemingly impossible becomes possible when both sides push each other, and when the intention is not to produce a report but to reveal reality.

Red teaming is about getting in, sure. But it’s also about what happens after that. Without a different approach, focused on consistency and outcomes, organizations will keep passing tests while failing in practice.
