
Digital Forensics with Kali Linux - Third Edition

By : Shiva V. N. Parasram

Overview of this book

Kali Linux is a Linux-based distribution that's widely used for penetration testing and digital forensics. This third edition is updated with real-world examples and detailed labs to help you take your investigation skills to the next level using powerful tools. This new edition will help you explore modern techniques for analysis, extraction, and reporting using advanced tools such as FTK Imager, Hex Editor, and Axiom. You’ll cover the basics and advanced areas of digital forensics within the world of modern forensics while delving into the domain of operating systems. As you advance through the chapters, you'll explore various formats for file storage, including secret hiding places unseen by the end user or even the operating system. You’ll also discover how to install Windows Emulator, Autopsy 4 in Kali, and how to use Nmap and NetDiscover to find device types and hosts on a network, along with creating forensic images of data and maintaining integrity using hashing tools. Finally, you'll cover advanced topics such as autopsies and acquiring investigation data from networks, memory, and operating systems. By the end of this digital forensics book, you'll have gained hands-on experience in implementing all the pillars of digital forensics: acquisition, extraction, analysis, and presentation – all using Kali Linux's cutting-edge tools.
Table of Contents (24 chapters)

Part 1: Blue and Purple Teaming Fundamentals
Part 2: Digital Forensics and Incident Response Fundamentals and Best Practices
Part 3: Kali Linux Digital Forensics and Incident Response Tools
Part 4: Automated Digital Forensics and Incident Response Suites
Part 5: Network Forensic Analysis Tools

Understanding purple teaming

We can now have our cybersecurity moment of Zen as we get into purple teaming. The term purple teaming refers to the combination of the red team (offensive) and blue team (defensive) skill sets, with the two sides working together so that attack techniques directly inform detection and response. Mixing the colors red and blue produces purple, hence the name. Looking back at all the skill sets and certifications mentioned in the red and blue teaming sections, it may seem like an impossible accomplishment; however, I guarantee you that there are many purple teamers out there who started as novices and ended up as professionals, myself included.

When I started my journey in cybersecurity in the early 2000s, I was far more interested in ethical hacking and pentesting (red teaming) and spent many a night in front of my desktop reading, researching, and using the very limited tools available at that time. It was not until perhaps 2008 that I decided to get into DFIR (digital forensics and incident response) and became very interested in the field of forensics, to the point where I started to teach the CHFI course alongside the CEH course.

Every time I thought to myself that I’d specialize in one, I’d come across a new tool that would point me in the direction of the other. Thankfully, this all worked out in my favor as I soon realized that red and blue teaming overlap in many aspects and also that there was never a point where I could say that what I had already learned was enough. My point here is that cybersecurity is such a dynamic field with so many paths that you can never know just enough. There is always some new exploit, an investigative tool, or an incident response procedure to learn, and it’s up to you to decide whether you would like to specialize in one field or continue to learn and grow as I did and apply your knowledge when necessary.

Fast forward to today, and I’m the owner of the Computer Forensics and Security Institute, where I not only lead a purple team but I’m also the lead penetration tester as well as the lead forensic and incident response investigator. Again, it is very much possible to be well versed in both fields once you commit to it.

In this regard, I can comfortably state that Kali Linux is the perfect place to get started, as it offers the best tools for purple teaming. Let's have a sneak peek at some of the exploitation (red teaming) tools available to us, which come preinstalled with the default Kali image (the kali-linux-default metapackage); lighter images such as kali-linux-core ship fewer tools, so you may need to install some of them yourself.

Figure 1.2 – Tools within the Exploitation menu

This is just a snippet of the tools within the Exploitation menu of Kali; however, I use the Metasploit Framework, the MSF Payload Creator, and the Social Engineering Toolkit (root) religiously for red team assessments.

Now let’s have a look at the Forensic menu in Kali Linux:

Figure 1.3 – Tools within the Forensics menu

Again, these are just some of the forensics tools; the rest can be found under the All Applications menu, which we will explore in Chapter 3, Installing Kali Linux. Kali Linux is one of the few user-friendly platforms that offers a variety of tools for purple teaming, and I look forward to showing you how to effectively use many of them in the coming chapters.

In Chapter 3, Installing Kali Linux, I'll show you, step by step, how to set up Kali Linux in a safe, virtual test environment where we can use our tools and download sample files for analysis. Although this virtual machine will be connected to the internet, we will run it sandboxed so that nothing we do in it affects your production environment. In Chapter 5, Installing Wine in Kali Linux, I will also walk you through the process of installing Wine in Kali Linux to help build your ultimate blue and purple team arsenal, combining the best open source Windows and Linux tools on one platform.

Now that we've looked at the differences between red, blue, and purple teaming, we will move on to digital forensics in Chapter 2, Introduction to Digital Forensics. There, we will also look at other forensic platforms and some commercial tools and, quite importantly, gain some insight into forensic frameworks.