Purple Teaming @ Rocket.Chat
This page was inspired by GitLab’s https://handbook.gitlab.com/handbook/security/security-operations/red-team/purple-teaming/.
According to the Purple Team Framework, a Purple Team is the combination of three skillsets:
Cyber Threat Intelligence: Research and provide adversary behaviors, tactics, techniques, and procedures (TTPs)
Red Team: Offensive team responsible for emulating adversary behaviors and TTPs
Blue Team: Defenders, including Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)
Purple Teaming Goals
At Rocket.Chat, collaboration and transparency are part of our core values. In our Security team, offensive and defensive security folks are always working together to enhance our company’s security posture. By purple teaming, they enable Rocket.Chat to assess its ability to detect and respond to real-world cyber threats while gaining hands-on experience through simulated attacks.
At a high level, these operations typically serve one of the following purposes:
Evaluate defensive capabilities - Can our EDR, SIEM, and other security tools detect the malicious behavior being emulated?
Enhance our incident response procedures - Do we have enough documentation to handle such incident scenarios? Are there any processes that could be automated? What do we need to improve to make incident response faster and more effective?
Validate detection and response to specific threats - How would we handle a ransomware attack? How would we handle the TTPs of a specific APT?
Purple teaming isn’t about a covert operation where the Blue Team is unaware of the Red Team's actions as they move through the infrastructure. Instead, it’s a collaborative effort between both teams, focused on enhancing defenses and improving detection capabilities.
Purple Team Ops
Purple teaming can happen either as atomic testing (executing a single TTP in isolation to check whether it is detected and how the Blue Team responds) or as tailored campaigns (chaining several TTPs to emulate a specific adversary).
Atomic testing is easier to set up, and we may leverage tools such as Stratus Red Team (cloud-focused), Atomic Red Team, MITRE Caldera, and/or TTPForge + ForgeArmory.
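As an added example (not Rocket.Chat's tooling and not code from the original page), the following Python script shows what the Blue Team side of an atomic test round looks like once the Red Team has detonated the tests: each detonation is tagged with its ATT&CK technique ID and host, the SIEM/EDR alert export is scanned for the first alert mapped to the same technique and host after the detonation time, and the outcome is classified as detected, late, or missed against a detection window. The test definitions (field names follow the Atomic Red Team YAML schema), the detonation timestamps, and the alert lines are all constructed for illustration; the 10-minute window and the assumption that alerts carry a `technique` field are choices made for this example, not a statement about any particular product.

```python
"""Purple-team atomic test scorecard (added example, not Rocket.Chat's own code).

After the Red Team detonates an atomic test, check whether the Blue Team's
SIEM/EDR produced an alert for the same ATT&CK technique on the same host
within a detection window, and summarise coverage per technique.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed atomic tests; field names mirror the Atomic Red Team YAML schema.
ATOMIC_TESTS = [
    {"attack_technique": "T1003.001", "name": "Dump LSASS with procdump",
     "executor": {"name": "command_prompt", "command": "procdump -ma lsass.exe lsass.dmp"}},
    {"attack_technique": "T1059.001", "name": "Encoded PowerShell download cradle",
     "executor": {"name": "powershell", "command": "powershell -NoP -Enc <base64-payload>"}},
    {"attack_technique": "T1136.001", "name": "Create local account",
     "executor": {"name": "command_prompt", "command": "net user purple Passw0rd! /add"}},
    {"attack_technique": "T1070.001", "name": "Clear Windows Security log",
     "executor": {"name": "command_prompt", "command": "wevtutil cl Security"}},
]

# Constructed record of when each test was detonated (what the Red Team logs
# at execution time; in a real exercise this is the moment Invoke-AtomicTest,
# stratus, or a Caldera agent ran the command).
DETONATIONS = [
    {"attack_technique": "T1003.001", "host": "wks-01", "executed_at": "2024-05-06T10:00:30Z"},
    {"attack_technique": "T1059.001", "host": "wks-01", "executed_at": "2024-05-06T10:05:00Z"},
    {"attack_technique": "T1136.001", "host": "wks-01", "executed_at": "2024-05-06T10:10:00Z"},
    {"attack_technique": "T1070.001", "host": "wks-01", "executed_at": "2024-05-06T10:15:00Z"},
]

# Constructed SIEM/EDR alert export (JSON lines). The "technique" tag is an
# assumption about how the detection rules are mapped to ATT&CK.
ALERT_EXPORT = """\
{"ts": "2024-05-06T10:00:42Z", "rule": "LSASS memory access by non-system process", "technique": "T1003.001", "host": "wks-01"}
{"ts": "2024-05-06T09:58:00Z", "rule": "Suspicious encoded PowerShell", "technique": "T1059.001", "host": "wks-01"}
{"ts": "2024-05-06T10:07:15Z", "rule": "Suspicious encoded PowerShell", "technique": "T1059.001", "host": "wks-01"}
{"ts": "2024-05-06T10:12:00Z", "rule": "New local user created", "technique": "T1136.001", "host": "srv-09"}
{"ts": "2024-05-06T11:30:00Z", "rule": "New local user created", "technique": "T1136.001", "host": "wks-01"}
"""

DETECTION_WINDOW = timedelta(minutes=10)  # assumed SLA for this example


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_alerts(export: str) -> list[dict]:
    """Parse JSON-lines alert export; skips blank lines, converts timestamps."""
    alerts = []
    for line in export.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = parse_ts(rec["ts"])
        alerts.append(rec)
    return alerts


def evaluate(detonations: list[dict], alerts: list[dict],
             window: timedelta = DETECTION_WINDOW) -> dict:
    """Score each detonation against the first matching alert on the same host.

    An alert only counts if it is for the same technique, the same host, and
    was raised at or after the detonation (earlier alerts belong to something
    else). Returns {technique: {status, ttd_seconds, rule}} where status is
    "detected" (within window), "late" (after window) or "missed" (no alert).
    """
    results = {}
    for det in detonations:
        tech, host = det["attack_technique"], det["host"]
        fired_at = parse_ts(det["executed_at"])
        candidates = [a for a in alerts
                      if a["technique"] == tech and a["host"] == host and a["ts"] >= fired_at]
        if not candidates:
            results[tech] = {"status": "missed", "ttd_seconds": None, "rule": None}
            continue
        first = min(candidates, key=lambda a: a["ts"])
        ttd = (first["ts"] - fired_at).total_seconds()
        status = "detected" if ttd <= window.total_seconds() else "late"
        results[tech] = {"status": status, "ttd_seconds": ttd, "rule": first["rule"]}
    return results


def coverage_summary(results: dict) -> dict:
    """Count outcomes and compute the share of tests detected inside the window."""
    counts = {s: sum(1 for r in results.values() if r["status"] == s)
              for s in ("detected", "late", "missed")}
    total = len(results)
    counts["total"] = total
    counts["coverage_pct"] = round(100.0 * counts["detected"] / total, 1) if total else 0.0
    return counts


def exercise_results() -> dict:
    """Run the scorecard over the constructed detonations and alert export."""
    return evaluate(DETONATIONS, parse_alerts(ALERT_EXPORT))


if __name__ == "__main__":
    names = {t["attack_technique"]: t["name"] for t in ATOMIC_TESTS}
    results = exercise_results()
    for tech, r in results.items():
        ttd = "-" if r["ttd_seconds"] is None else f"{r['ttd_seconds']:.0f}s"
        print(f"{tech:<10} {names[tech]:<38} {r['status']:<8} ttd={ttd:<6} rule={r['rule']}")
    print(coverage_summary(results))
```

The "late" outcome is deliberately kept separate from "missed": a rule that fires 80 minutes after the action tells the Blue Team the telemetry exists but the pipeline or scheduling is too slow, which is a different fix from writing a new detection. Likewise the host match and the "at or after detonation" filter stop a pre-existing or unrelated alert from being credited to the test.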
As for tailored campaigns, they will likely happen whenever a new TTP (tactic, technique, and/or procedure) that could impact Rocket.Chat is identified. The Security team will then get together to understand the TTPs involved and decide which capabilities (tooling, infrastructure, payloads) need to be collected or developed for the campaign to succeed.
All purple team operations must be communicated to and approved by the Head of Security before taking place. These operations should also be properly documented and a Purple Team Exercise Template can be found at https://rocketchat.atlassian.net/wiki/spaces/SEC/pages/316637202.