Oct 12 2020

Why Purple Teams Matter for Higher Ed Cybersecurity

What does it take to create a purple team in higher education? And why do you need one?

In a traditional “red team” cybersecurity exercise, the red team attacks and the blue team defends. A report later dissects where aggressors got through and where defenders succeeded in blocking their efforts. But there may be a better way to approach this exercise.

A purple team exercise calls for both sides to collaborate. Often working side by side, the red and blue teams communicate openly during purple team exercises to improve the blue team’s effectiveness.

“If you are a network defender and the red team gets in and you don’t understand how the trick was done, it’s just magic,” says EDUCAUSE Cybersecurity Program Director Brian Kelly. “Higher education is about collaboration and learning. Purple teams are all about information sharing and learning, which makes it a great fit for higher ed.”


How Purple Teaming Works in Cybersecurity

In a cybersecurity exercise, participants are traditionally organized into teams named after colors borrowed from military terminology. Red is the adversary seeking to defeat existing network defenses. The “friendly” forces of the blue team are responsible for defending digital assets.

It’s an imperfect system. Defenders may feel they’re in a “gotcha” situation, with outside agents looking to poke holes in their expertise rather than help them improve.

As a result, “the communication has historically been pretty weak between those teams,” says Steve Sims, an instructor and fellow at the SANS Institute. Purple teaming reinvents this formerly adversarial relationship. “This is about opening up that communication and helping them work together.”

Purple teaming does not replace traditional penetration testing; it builds on it.

“If you are just worried about vulnerabilities, pen testing is good for finding lots of vulnerabilities. Pen testing will find all the chinks in the armor,” says Rob Fuller, CTO of the Mid-Atlantic Collegiate Cyber Defense Competition.

The purple team can build on that awareness, showing defenders not just where to remediate but also why and how the vulnerability appeared in the first place.

“The red team doesn’t hide in the hay bale. They show you where they hide in the hay bale, and the guards say: ‘OK, I will check there from now on.’ Then the next time you do a pen test, you should catch that pen tester right out of the gate,” Fuller says. “It’s a training exercise for your blue team. They see what the attackers do, and they are transferring that skill set from the red team to the blue team so they can get better.”

This collaboration can also happen after the fact. Red attacks. Blue defends. Then they review the results together. But some say purple teaming works best when that high level of collaboration happens in real time, with attackers and defenders working side by side (or virtually side by side, in the era of social distancing). This way, teams can pause attacks midstream and review the unfolding dynamics.

A New Mindset Improving Higher Education Cybersecurity

In higher education, effective purple teaming may require a new mindset — and a cultural shift among IT stakeholders.

“If you look at higher ed, there are clearly many internal factions and adversarial dynamics. It may be IT versus security, or there may be departmental politics,” says Will Ash, senior director of U.S. public sector security at Cisco. “Purple teams introduce a culture with a more constant flow of information, with teamwork between these different factions.”

For that to happen, senior leadership must set the tone. The provost, dean and CISO should make clear that security is inherently a collaborative effort. “All the teams need to focus on the higher purpose. They need to understand that the overall goal is to improve the organization’s cybersecurity posture,” Ash says. “Having a purple team in place can help put the collective focus on that goal.”

The red team is often an outside contractor, brought in to test university defenses. When that is the case, it is important for leadership to make the purple approach explicit in vendor agreements rather than assuming the contractor will share its methods on its own.

“You need to write it into the scope of work,” EDUCAUSE’s Kelly says. “There needs to be a shared language, a shared terminology. These engagements typically have a lot of rules around what the work will include from the red team’s side. So you need to spell out: The red team is to loop back to the campus personnel to share what they did, to help the campus personnel grow their skills.”


This way, campus security and IT officials can get a greater return on their IT investments. They get more value out of their red team engagements and can build intrinsically stronger defenses around existing technology deployments.

Another approach is to crowdsource the attack, which offers a bounty for successful incursions against the system. “You can turn your user base — your students — into a purple team by incentivizing them to break the rules,” Fuller says. “You give them a $50 gift card if they can find a way around your security. But they have to communicate that back to the security team and show how they did it.”

A Game Changer for Higher Ed Security

Purple teaming can potentially help colleges and universities create a higher level of defense around their networks and digital assets.

“The old way showed you that you needed to fix something, but it didn’t change the way you think,” Kelly says.

“Purple teaming changes the way defenders approach their jobs. It helps them to think more like the adversary,” he says. “That learning is a game changer because that is what enables them to incorporate new ideas and new tactics.”

With new endpoints and end-user connections attaching to university systems at an unprecedented level, this new mindset arrives at a critical time in higher education.

“In higher ed today, you can have a wide array of devices and services and applications in production, with people sticking things online without going through proper channels,” says Sims, of the SANS Institute. “In these circumstances, you need a blue team that understands the offense. To get there, they need some immersion into how the red teams operate.”
