In my previous articles for CSO, I've talked about the limits of current SOC models and the importance of rehearsal. This time, I want to focus on something that is becoming increasingly clear: red teaming has lost its depth.
We've turned one of the most powerful tools for resilience into a transactional exercise that feels reassuring but reveals very little about how an organization will cope when the pressure is real.
Care and attention have become rare assets in our world. Distraction dominates both the consuming and supply sides of cybersecurity. Clients are pulled into complexity and novelty, while service providers are pulled into deadlines and deliverables.
Meanwhile, attackers — increasingly powered by AI — are becoming faster, quieter, and more determined.
When threats accelerate, surface-level testing is no longer enough.
The absence of findings is not the absence of risk
I've seen this pattern everywhere: a red team engagement produces a set of impressive results. The report looks good. Findings correlate with expectations. Leadership feels reassured.
But a result is often treated as the outcome, as if the absence of findings means the absence of risk. This is a flaw.
The industry's default approach is shaped by time pressure, commercial constraints, and scopes that are too narrow. None of this is malicious; it is simply how the system has evolved. Providers deliver what they are contracted to deliver, and clients take the report as a sign of depth.
Omissions, often caused by time pressure or a lack of mental space, are invisible. And invisible omissions are the most dangerous kind.
Two clients who "shouldn't have been breakable"
Recently, we worked with two extremely mature organizations. On paper, both looked near unbreakable.
Instead of running a standard red team, we co-designed the engagement with them. We looked at the problem as a determined attacker would, and we shared tacit knowledge openly, both our own and theirs. Crucially, everyone involved had visibility into the controls in place. It was a true cyber security partnership, not an audit.
And both organisations were compromised — deeply — with almost no sign of compromise.
In one case, there was a single indicator of compromise: "domain admin." Nothing about how it happened. Nothing about what to do next. No instinctive or automated response. Just a light turning red with no playbook behind it.
In the other case, the SOC detected several alerts but never acted in time. Detection without action is just noise.
The experience was humbling. And it forced a blunt question: "You saw us. So what?"
That's the real test. Not whether the SOC sees something. Whether it does something — fast enough and accurately enough — to stop the damage.
Standard red teaming can't get you there
Red teaming should be the discipline that reveals these realities, but the current model rarely does. Service providers tend to focus on the bypass, the exploit, the "win." Clients focus on closing tickets, finishing the engagement, and getting the report.
Neither mindset creates the space needed for deep thinking.
Had we rushed through our work, we would never have found what we did. Time pressure shapes outcomes more than most organizations realize. When testing is constrained to a standard 9–5, it limits how far teams can explore the conditions that lead to real compromise.
Resilience is the "brake" moment
Imagine you're driving, and you see the car ahead braking suddenly. Awareness helps, but it's your immediate response that avoids the collision. Policies don't matter at that moment. Nor do compliance reports or dashboards.
Only vigilance and rehearsal matter.
Cyber resilience works the same way. You can't build the instinct required to act by running one simulation a year. You build it through repetition. By testing how specific scenarios unfold. By analyzing not only how adversaries get in, but also how they move, escalate, evade, and exfiltrate.
This is the heart of real red teaming.
AI didn't help either organisation
Both clients had AI embedded in their SOCs. And it made no difference.
AI can accelerate analysis, but it can't replace instinct, design, or the judgment required to act. If the team hasn't rehearsed what to do when the signal appears, AI only accelerates the moment when everyone realises they don't know what happens next.
This is why so much testing today only addresses opportunistic attacks. It cleans up the low-hanging fruit. But if organized crime had wanted these organisations, they would have had them. And that's not an easy sentence to write.
A model that creates false confidence
The standard testing model traps everyone involved:
- One-off tests create false confidence.
- Scopes limit imagination.
- Time pressure eliminates depth.
- Commercial structures discourage collaboration.
- Tooling gives the illusion of capability.
- Compliance encourages the appearance of rigour instead of the reality of it.
This is why red teaming often becomes "jump out, stabilize, pull the chute, roll on landing." But what about the hard scenarios? What about partial deployments? What about complex failures? That's where resilience is built.
And today, resilience is the only meaningful metric.
New mindset: slow, consistent, engaged, outcome-driven
In my experience, red teaming that works requires:
- Co-ownership of the mission.
- Tacit knowledge shared on both sides.
- Full visibility into controls.
- Scenarios designed, not bought.
- Repetition and rehearsal.
- Space for thinking.
- Disciplined simplicity.
- A focus on the "so what," not the bypass.
This is systems thinking. Engineering. Psychology. It is, in every sense, harder work than the standard model.
But the seemingly impossible becomes possible when both sides push each other, and when the goal is not to produce a report but to reveal reality.
Red teaming is about getting in, sure. But it's also about what happens after that. Without a different approach, focused on consistency and outcomes, organizations will keep passing tests while failing in practice.