How to Automate a Purple Team Program

In March, we discussed how purple teaming can help improve your security posture by challenging your security assumptions and showed some practical examples of how it can provide value to your organization.

But if you’ve ever built a purple team program, you know the effort it takes from multiple people to plan, execute, investigate, and track an engagement, and then to measure and report on the blue team's improvements. Multiple vendors offer solutions for some of these phases, but it's up to you to manually glue together the rest to meet your enterprise needs. That manual glue is tedious and time-consuming, and it ultimately endangers the long-term success of your purple team program.

One major key to long-term success is an efficient workflow that automates as much of your program as possible. Unfortunately, there aren't many practical demonstrations of such workflows, so I want to share some tangible examples you can learn from or incorporate into your own program. Let’s dive in.

Threat Intelligence Planning

The main objective of the threat intelligence phase is to apply your understanding of the company to identify the adversaries most likely to target it and the tactics, techniques, and procedures (TTPs) they use. This lets you prioritize the techniques most likely to impact the business today and follow up on less imminent ones later. For example, a configuration management software company may want to begin by simulating APT29 TTPs, since that group was behind the SolarWinds supply-chain compromise disclosed in December 2020.

If you've ever had to read multiple threat intelligence reports to extract TTPs, you know how much manual effort it takes. Admittedly, extraction is still a manual process for us, but I want to show how the rest of the phase can be improved to automatically generate a MITRE ATT&CK Navigator (Navigator) heat map.

In this example, we’re going to plan for a macOS Malware of 2021 engagement. In his article, "The Mac Malware of 2021," Patrick Wardle points out the malware families and cites additional sources, but we still need to extract TTPs on a more granular level to make them usable for our use case. Using the MITRE ATT&CK Framework, we can do this with relative ease.

For initial research and TTP extraction, I found a simple Google Sheet containing the critical pieces of information for each TTP to be most efficient. As you read a report, you can quickly copy and paste the relevant content into the sheet. And since everyone on your team already knows Google Sheets, collaborating with teammates is easy; no training on specialized tools means saving time and effort!

Once the Google Sheet is complete, we can visualize the data as a heat map, with deeper colors marking the most common TTPs. We’ll use Navigator for this, and we made it simple to convert your Google Sheet to the proper layer JSON format with sheet2nav.

So the workflow is as follows:

  1. Find threat intelligence articles that support your purple team engagement

  2. Extract TTPs from articles and paste them into your Google Sheet

  3. Convert Google Sheet to Navigator JSON using sheet2nav

To demonstrate, we go from the populated Google Sheet to our final product, the MITRE ATT&CK Navigator heatmap (both shown as screenshots in the original post).

We can use this heatmap to prioritize the most common TTPs (darker shade) and include it in our presentations and reporting.
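Here is what that conversion looks like in code, as an added example written for this article rather than sheet2nav itself: it reads the sheet's CSV export, counts how many (report, family) pairs cite each technique, and emits a Navigator layer whose score drives the color gradient. The column names, the sample rows, and the version strings in the layer are constructed assumptions; adjust them to your sheet and your Navigator install.

```python
"""Convert a TTP-tracking sheet (exported as CSV) into an ATT&CK Navigator layer.

Added example, not the sheet2nav tool. The column names (report, family,
technique_id, technique_name, notes) are an assumption about the sheet layout.
"""
import csv
import io
import json
from collections import Counter, defaultdict

# Constructed sample export of the tracking sheet; families and reports are placeholders.
SAMPLE_SHEET_CSV = """report,family,technique_id,technique_name,notes
Mac Malware 2021,FamilyA,T1059.002,AppleScript,osascript run by the installer
Mac Malware 2021,FamilyA,T1543.001,Launch Agent,plist dropped in ~/Library/LaunchAgents
Mac Malware 2021,FamilyB,T1059.002,AppleScript,fetches second stage
Vendor report,FamilyB,T1547.015,Login Items,persists as a login item
Vendor report,FamilyC,T1543.001,Launch Agent,plist dropped in ~/Library/LaunchAgents
Vendor report,FamilyC,T1059.002,AppleScript,runs a compiled AppleScript
Vendor report,FamilyC,T1059.002,AppleScript,duplicate row; counted once
"""


def count_techniques(csv_text):
    """Count, per technique ID, how many (report, family) pairs cite it.

    A family cited twice in the same report counts once, so the heat map
    reflects how widespread a technique is rather than how often it was pasted.
    Returns (Counter of technique_id -> count, dict of technique_id -> evidence).
    """
    seen = set()
    counts = Counter()
    evidence = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        tid = row["technique_id"].strip()
        key = (tid, row["report"].strip(), row["family"].strip())
        if key in seen:
            continue
        seen.add(key)
        counts[tid] += 1
        evidence[tid].append(f"{key[2]} ({key[1]})")
    return counts, evidence


def build_navigator_layer(csv_text, name="macOS Malware of 2021"):
    """Build a Navigator layer dict: score = number of families using the technique."""
    counts, evidence = count_techniques(csv_text)
    max_score = max(counts.values(), default=1)
    techniques = [
        {
            "techniqueID": tid,
            "score": score,
            "comment": "; ".join(evidence[tid]),
            "enabled": True,
            "showSubtechniques": True,
        }
        # highest score first; ties broken by ID so the output is stable
        for tid, score in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    return {
        "name": name,
        # Version strings are an assumption; match them to your Navigator install.
        "versions": {"attack": "10", "navigator": "4.5.5", "layer": "4.3"},
        "domain": "enterprise-attack",
        "description": "Techniques observed across the reviewed reports; darker = more families",
        "sorting": 3,  # Navigator's "descending by score" sort
        "techniques": techniques,
        # White-to-red gradient scaled to the most common technique.
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
        "legendItems": [],
        "showTacticRowBackground": False,
    }


def to_json(layer):
    """Serialize for upload through Navigator's 'Open Existing Layer' dialog."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    print(to_json(build_navigator_layer(SAMPLE_SHEET_CSV)))
```

Counting distinct families per technique rather than raw rows keeps one verbose report from dominating the heat map; drop the dedup key if you want raw citation frequency instead.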

Attack Framework

There are many Command and Control (C2) frameworks available to simulate TTPs, but each requires a significant initial investment in setup and planning: specialized knowledge of the framework itself, provisioning the infrastructure, and generating, testing, and staging payloads. After all that, we still need to create, test, and execute the TTPs.

A growing number of companies are working to solve many of these problems with attack frameworks: tools that automate TTP development and execution via their own custom C2 agents, often without any infrastructure investment. I’m going to use Prelude Operator because it:

  • Is highly customizable

  • Includes over 550 preexisting TTPs

  • Doesn’t require infrastructure

  • Has an API (we can automate!)

  • Integrates with tools for metrics and tracking

These features of Operator mean anyone can start executing attacker TTPs in less than five minutes. And for those looking to customize their experience, Operator includes an editor to create and save TTPs using YAML syntax.

For this example, we’re going to take the findings from the threat intelligence phase and apply them to our macOS Malware of 2021 engagement. Unfortunately, many attack framework tools focus almost exclusively on post-exploitation techniques. This is fine in most situations: if you assume initial access is inevitable, post-exploitation behavior gives the blue team a good opportunity to detect malicious actors. But macOS initial access TTPs, such as installer packages and disk images, provide that same opportunity and deserve the same coverage.

Thanks to the Operator API, we can easily automate the creation of these initial access vectors on macOS. We are releasing a tool called iShelly that automates:

  • Compilation of Prelude Operator agents

  • Staging of payloads

  • Generation of initial access vectors on macOS. This includes various installer and disk image techniques.

Once we run an initial access payload generated with iShelly, we'll have a C2 agent communicating with Prelude Operator and can execute TTPs. Let's run the “File Hunter” attack “chain”, a collection of TTPs that automates the discovery and archiving of recently used documents to prepare for exfiltration (screenshot in the original post):

With a few keystrokes and mouse clicks, we ran four different TTPs in a matter of seconds. To proceed with our macOS Malware of 2021 engagement, we can either search the preexisting TTPs or create our own.
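To make the behavior concrete, here is what a chain like File Hunter does, as an added example in plain Python rather than Prelude Operator's TTPs, the real File Hunter chain, or iShelly: discover recently modified documents, archive them into a staging location, and emit a record tagged with ATT&CK IDs that a tracker can ingest. The ATT&CK mapping, the extension list, and the constructed lab tree are my assumptions.

```python
"""Emulate a 'file hunter' chain: find recent documents and archive them for exfil.

Added example. Not Prelude Operator's TTPs or the File Hunter chain; the
ATT&CK mapping (T1083 discovery, T1560 archiving) and the lab tree are assumptions.
"""
import os
import tarfile
import tempfile
import time
from pathlib import Path

DAY = 86400
# Assumed "interesting document" set; extend for your environment.
DOC_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".pages", ".numbers", ".key"}


def discover_recent_documents(root, max_age_days=7, now=None):
    """T1083 File and Directory Discovery: documents modified in the last N days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * DAY
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in DOC_EXTENSIONS:
            continue
        try:
            if path.stat().st_mtime >= cutoff:
                hits.append(path)
        except OSError:  # file vanished or unreadable mid-walk; keep hunting
            pass
    return sorted(hits)


def archive_documents(paths, archive_path):
    """T1560 Archive Collected Data: one gzip tarball with flat names, ready to exfil."""
    archive_path = Path(archive_path)
    with tarfile.open(str(archive_path), "w:gz") as tar:
        for p in paths:
            tar.add(str(p), arcname=p.name)
    return archive_path


def run_file_hunter(root, staging_dir, max_age_days=7, now=None):
    """Chain the two steps and return a record a tracker (e.g. VECTR) could ingest."""
    found = discover_recent_documents(root, max_age_days, now)
    archive = archive_documents(found, Path(staging_dir) / "collected.tgz")
    with tarfile.open(str(archive)) as tar:
        members = sorted(tar.getnames())
    return {
        "chain": "file-hunter (emulated)",
        "steps": [
            {"technique_id": "T1083", "tactic": "discovery",
             "output": [str(p) for p in found]},
            {"technique_id": "T1560", "tactic": "collection",
             "output": str(archive), "members": members},
        ],
    }


def build_lab():
    """Constructed victim tree: one fresh spreadsheet, one stale PDF, one non-document."""
    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    docs = root / "Documents"
    docs.mkdir()
    (docs / "q3-forecast.xlsx").write_bytes(b"constructed spreadsheet")
    stale = docs / "old-contract.pdf"
    stale.write_bytes(b"constructed pdf")
    ninety_days_ago = time.time() - 90 * DAY
    os.utime(stale, (ninety_days_ago, ninety_days_ago))  # outside the 7-day window
    apps = root / "Applications"
    apps.mkdir()
    (apps / "Tool.app").write_bytes(b"not a document")
    staging = root / ".staging"
    staging.mkdir()
    return root, staging


if __name__ == "__main__":
    lab_root, lab_staging = build_lab()
    print(run_file_hunter(lab_root, lab_staging))
```

Running an emulation like this next to the real chain is a useful sanity check for the blue team: the observable behaviors (a burst of file enumeration under the user's document folders, then a new gzip tarball appearing in a hidden directory) are the same whichever agent performs them, so a detection that fires only on the agent binary and not on the behavior is a gap worth recording.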

So our workflow becomes:

  1. Generate and run initial access payloads generated using iShelly

  2. Search for (or create!) TTPs that support our Threat Intelligence findings

  3. Execute attack chain or TTP

  4. Pivot to the blue team side to determine detection

  5. Document findings (next section!)

Metrics & Tracking

This is often the most tedious and time-consuming part of an engagement, but arguably the most important. Recording the results enables you to track trends over time and show value to leadership. The VECTR platform is a great option for this, but if you’ve ever used it, you know that recording and tracking your work by hand is tedious. Thankfully, recent versions of VECTR have an improved API that lets us automate this, and Prelude Operator conveniently has a VECTR plugin that does it for us.

Immediately after running the File Hunter attack chain from earlier, the results were pushed to VECTR (screenshot in the original post):

Once the data is in VECTR, progressing through the engagement becomes much more manageable since the bulk of the data entry is already done. At this stage, you’re mostly adding the results of the blue team’s response for each TTP executed. Automating this portion of the engagement is a massive win: what took 2-5 minutes of creating and filling out the initial details of a test case is now done automatically when the TTP is executed through Operator.

After completing your engagement, you get all the reporting benefits VECTR has to offer, such as heatmaps, test case drill-downs, historical trends, and more.
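The two reports that matter most to leadership are per-tactic coverage and the engagement-over-engagement trend. As an added example (not VECTR's API or reporting code), here is the arithmetic behind those views over constructed results from two runs of the same test cases; the outcome ladder and the sample data are assumptions, so rename the labels to match your tracker's vocabulary.

```python
"""Metrics a tracker should give you: per-tactic coverage and the trend across engagements.

Added example; not VECTR's API or reporting code. The outcome ladder and the
constructed engagement results are assumptions.
"""
from collections import defaultdict

# Worst to best. Modeled on the usual blocked/alerted/logged/not-detected scale.
OUTCOME_RANK = {"NotDetected": 0, "Logged": 1, "Alerted": 2, "Blocked": 3}
ALERT_THRESHOLD = OUTCOME_RANK["Alerted"]  # "detected" means an analyst was actually paged
TOP_RANK = max(OUTCOME_RANK.values())

# Constructed results: the same test cases run in two consecutive engagements.
ENGAGEMENT_Q1 = [
    {"technique_id": "T1059.002", "tactic": "execution",   "outcome": "NotDetected"},
    {"technique_id": "T1543.001", "tactic": "persistence", "outcome": "Logged"},
    {"technique_id": "T1083",     "tactic": "discovery",   "outcome": "NotDetected"},
    {"technique_id": "T1560",     "tactic": "collection",  "outcome": "Alerted"},
]
ENGAGEMENT_Q2 = [
    {"technique_id": "T1059.002", "tactic": "execution",   "outcome": "Alerted"},
    {"technique_id": "T1543.001", "tactic": "persistence", "outcome": "Blocked"},
    {"technique_id": "T1083",     "tactic": "discovery",   "outcome": "NotDetected"},
    {"technique_id": "T1560",     "tactic": "collection",  "outcome": "Logged"},       # regression
    {"technique_id": "T1547.015", "tactic": "persistence", "outcome": "NotDetected"},  # new test case
]


def rank(outcome):
    """Map an outcome label to its rank, failing loudly on typos in hand-entered data."""
    try:
        return OUTCOME_RANK[outcome]
    except KeyError:
        raise ValueError(f"unknown outcome {outcome!r}; expected one of {sorted(OUTCOME_RANK)}") from None


def coverage_by_tactic(results):
    """Per tactic: test count, alerted/blocked count, detection rate, and a 0..1 maturity score."""
    buckets = defaultdict(list)
    for r in results:
        buckets[r["tactic"]].append(rank(r["outcome"]))
    coverage = {}
    for tactic, ranks in buckets.items():
        detected = sum(1 for x in ranks if x >= ALERT_THRESHOLD)
        coverage[tactic] = {
            "tests": len(ranks),
            "alerted_or_blocked": detected,
            "rate": round(detected / len(ranks), 2),
            # Maturity credits "Logged" partially: telemetry exists, the rule does not yet.
            "maturity": round(sum(ranks) / (TOP_RANK * len(ranks)), 2),
        }
    return coverage


def overall_rate(results):
    """Share of executed test cases that were alerted on or blocked."""
    detected = sum(1 for r in results if rank(r["outcome"]) >= ALERT_THRESHOLD)
    return round(detected / len(results), 2)


def trend(previous, current):
    """Compare two engagements per technique; regressions are the slide leadership sees first."""
    prev = {r["technique_id"]: rank(r["outcome"]) for r in previous}
    report = {"improved": [], "regressed": [], "unchanged": [], "new": []}
    for r in current:
        tid = r["technique_id"]
        if tid not in prev:
            report["new"].append(tid)
            continue
        delta = rank(r["outcome"]) - prev[tid]
        bucket = "improved" if delta > 0 else "regressed" if delta < 0 else "unchanged"
        report[bucket].append(tid)
    return report


if __name__ == "__main__":
    print("Q2 coverage:", coverage_by_tactic(ENGAGEMENT_Q2))
    print("Q1 -> Q2 detection rate:", overall_rate(ENGAGEMENT_Q1), "->", overall_rate(ENGAGEMENT_Q2))
    print("Trend:", trend(ENGAGEMENT_Q1, ENGAGEMENT_Q2))
```

The headline number (detection rate 0.25 to 0.4) hides the T1560 regression, which is exactly why the per-technique trend belongs in the report next to it: a rule that was tuned away between engagements is a finding in its own right.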

The Takeaway

Automating as many phases of a purple team engagement as possible is key to a successful program. Less time spent configuring infrastructure, generating and testing payloads, and creating and planning TTPs means more time to evaluate the blue team’s ability to detect and respond to the threats facing your business.

Automox for Easy IT Operations

Automox is the cloud-native IT operations platform for modern organizations. It makes it easy to keep every endpoint automatically configured, patched, and secured – anywhere in the world. With the push of a button, IT admins can fix critical vulnerabilities faster, slash cost and complexity, and win back hours in their day.
