
How Purple Teaming Prepares Organizations for Ransomware Attacks

by Mic Johnson

The second quarter of 2021 saw record-high volumes of global ransomware attacks. Ransomware volume reached 188.9 million in quarter two, an increase of more than 60 percent compared to the first quarter figure of 115.8 million. Also, a 151 percent year-on-year rise has been recorded for the combined number of attacks during the first half of the year. With these numbers alone (not counting the attacks during the second half), 2021 already shapes up to be the worst year for ransomware attacks.

This has led the FBI to conduct investigations on 100 variants of ransomware regarded as tools used for terrorism. “The scale of this problem is one that I think the country has to come to terms with,” says FBI Director Christopher Wray, who also notes the importance of focusing on disruption and prevention. The ransomware problem has worsened to such unprecedented levels that the FBI is calling for shared responsibility between government agencies and the private sector.

To address the rising threats, organizations need to be more prepared. One of the best ways to achieve this greater level of preparedness is to invest in a purple team simulation module.

Purple teaming

Purple teaming has been getting a lot of attention recently. Back in June, Microsoft Product Marketing Manager Natalia Godyla featured Hacker House CEO Matthew Hickey in a Voice of the Community blog series post to discuss how purple teams help organizations embrace hacker culture to boost their security posture.

Here are some key points from the discussion:

  • Purple teaming bridges red (attack) and blue (defense) teams by enabling collaboration and eliminating the drawbacks brought about by the siloing that happens when the red and blue teams work separately, oblivious to each other’s actions. “It can remove a lot of competitiveness from security testing processes,” Hickey says.
  • Bringing the red and blue teams together to some extent of collaboration results in various advantages including speedier processes and cost reduction. The red and blue teams do not necessarily become a single team, but they collaborate to share insights that help each other in improving their strategies. A certain level of beneficial transparency between the teams is achieved, which allows both teams to learn from each other.
  • “Purple teams are used to provide a level of assurance that what you’ve built is resilient enough to withstand modern network threats by increasing the visibility and insights shared among typically siloed teams,” Hickey explains.
  • Moreover, Hickey says that “once you understand the workflow of what your attacker is doing, you get better at knowing which systems will need host intrusion, enhanced monitoring, and the reasons why.” Having a good grasp of the hacker culture is a boon to cybersecurity. Hackers, after all, are the ones who have a more profound understanding of the cyber risks an organization faces. Hence, they can provide useful insights into the problems organizations need to focus on.
  • Hickey acknowledges that it can be challenging to ensure that employees have the right training and the right tooling for the job. It helps to use special tools like the purple team simulation module in cybersecurity platforms.

Purple teaming is generally about the collaboration or sharing of insights between the red and blue teams. However, in recent years, security firms have come up with new tools that can automate the process of simulating cyber attacks. Purple team modules are provided especially in continuous security validation platforms to persistently examine the efficacy of security controls and make sure that attacks, including zero-days, are kept at bay.

Purple power vs ransomware

A video presentation hosted by CREST offers a good explanation of the impact of purple teaming in defending against ransomware. CREST is an internationally recognized accrediting and certifying body for organizations and professionals that provide cyber incident response, penetration testing, security operations centers (SOCs), and cyber threat intelligence services.

The presentation expounds on the idea of using purple teaming to prepare organizations against ransomware threats. Notably, the presentation lauds MITRE ATT&CK for being a useful tool in security assessment, but this globally accessible free framework alone is not enough to achieve the best outcomes.

According to the presentation, MITRE ATT&CK does not capture all techniques. The techniques it presents are not all applicable to the specific environments of different organizations. Also, some techniques may only be applicable to specific organizations. As such, it is advisable to consider other solutions—and this is where purple teaming comes into play.

Purple teaming helps identify broad but relevant tests. Subsequently, these relevant tests can be translated to different scenarios. It enables the mapping of common TTPs into actionable testing.

After identifying relevant testing, purple teaming also has processes for validating detections. It facilitates or guides the running of common attack scenarios, a better comprehension of logging configurations, and insights on what has been detected and what is detectable.

Moreover, purple teaming is designed to enable a robust system for recording findings for more systematic analysis. The outcomes arrived at by the red and blue teams can be viewed side by side to have a better glimpse of what else can be done to improve an organization’s security posture based on what the red team managed to penetrate and the gaps the blue team needs to plug.
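The side-by-side record described in the last three paragraphs can be sketched as follows. This is an added example, not code from the article or the CREST presentation: it pairs each red-team test with the strongest blue-team response seen shortly afterwards and separates what was detected from what was only detectable. The hosts, timestamps, the 15-minute window and the convention that blue-team observations are tagged with ATT&CK technique IDs are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed red-team test log; "id" values are MITRE ATT&CK technique IDs.
RED = [
    {"id": "T1566.001", "host": "ws-01", "at": "2021-09-01T09:00:00"},  # Spearphishing Attachment
    {"id": "T1059.001", "host": "ws-01", "at": "2021-09-01T09:05:00"},  # PowerShell
    {"id": "T1021.002", "host": "fs-01", "at": "2021-09-01T09:20:00"},  # SMB/Windows Admin Shares
    {"id": "T1490",     "host": "fs-01", "at": "2021-09-01T09:30:00"},  # Inhibit System Recovery
    {"id": "T1486",     "host": "fs-01", "at": "2021-09-01T09:35:00"},  # Data Encrypted for Impact
]
# Constructed blue-team observations, tagged by analysts (assumed convention).
BLUE = [
    {"id": "T1566.001", "host": "ws-01", "kind": "block", "at": "2021-09-01T09:00:02"},
    {"id": "T1059.001", "host": "ws-01", "kind": "log",   "at": "2021-09-01T09:05:01"},
    {"id": "T1059.001", "host": "ws-01", "kind": "alert", "at": "2021-09-01T09:09:00"},
    {"id": "T1490",     "host": "fs-01", "kind": "log",   "at": "2021-09-01T09:30:01"},
    {"id": "T1486",     "host": "fs-01", "kind": "alert", "at": "2021-09-01T11:00:00"},  # too late
]
RANK = {"block": 3, "alert": 2, "log": 1}
OUTCOME = {3: "prevented", 2: "detected", 1: "logged-only", 0: "missed"}

def gap_analysis(red, blue, window=timedelta(minutes=15)):
    """Pair each executed test with the strongest control response seen in the window."""
    rows = []
    for test in red:
        start = datetime.fromisoformat(test["at"])
        hits = [(RANK[b["kind"]], datetime.fromisoformat(b["at"]) - start)
                for b in blue
                if b["id"] == test["id"] and b["host"] == test["host"]]
        # Keep only responses that follow the test and arrive within the window.
        hits = [(rank, delay) for rank, delay in hits if timedelta(0) <= delay <= window]
        best = max((rank for rank, _ in hits), default=0)
        delays = [delay.total_seconds() for rank, delay in hits if rank == best]
        rows.append({"id": test["id"], "host": test["host"],
                     "outcome": OUTCOME[best],
                     "delay_s": min(delays) if delays else None})
    return rows

def open_gaps(rows):
    """logged-only: telemetry exists but no rule fired; missed: nothing arrived in the window."""
    return {r["id"]: r["outcome"] for r in rows
            if r["outcome"] in ("logged-only", "missed")}

if __name__ == "__main__":
    for row in gap_analysis(RED, BLUE):
        print(f'{row["id"]:<10} {row["host"]:<6} {row["outcome"]:<12} {row["delay_s"]}')
```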

Purple teaming, particularly the purple teaming modules in cybersecurity testing platforms, also usually features a comprehensive monitoring system that helps cybersecurity professionals in getting continuously updated about the threats they need to watch out for. This tracking system is essential in detecting and preventing the different ways ransomware manages to enter devices, systems, or networks. It reveals the different techniques, tactics, phases, and responses of existing security controls.

Ultimately, purple teaming leads to the “uplifting” of detection and prevention capabilities. With all the data gathered, organizations are able to come up with better means to identify sophisticated ransomware attacks and implement the appropriate strategies to stop malware in its tracks or make sure attacks do not escalate into worse problems.

The presentation goes on to summarize how purple teaming enables a thorough security gap analysis by emphasizing the following points:

  • Understanding of not only the weaknesses but also the strengths
  • Highlighting of requirements for resource allocation considerations
  • (For the purple teaming modules in cybersecurity testing platforms) Providing a visually impactful way of presenting ransomware threats to stakeholders and decision-makers

In summary

The idea of purple teaming is relatively new, but many organizations are already integrating it into their security posture. The benefits are undeniable, especially when used with other security solutions designed to ascertain the efficacy of security controls. It enables better-informed responses to threats and a system that is more capable of detecting ransomware attacks and cushioning their impact.

Purple teaming provides a massive boost for security preparations against ransomware as well as other forms of cyber threats. It does not only ensure that the security controls an organization has are effective; it also helps in fixing or improving existing cyber defenses in line with the severity and criminal ingenuity of present-day attacks.
