Dave Bittner
You're listening to the CyberWire Network, powered by N2K. Welcome to CyberWire X, where we unpack the critical conversations shaping cybersecurity today. I'm Dave Bittner. In this sponsored episode, we're diving into the world of purple teaming, where offense meets defense to strengthen enterprise security. At the heart of this strategy are red and blue teams. One simulates real world attacks, the other defends against them. But the real magic happens when they team up. Joining us today are two leaders from Adobe's security organization: Justin Tiplitsky, director of Red Team, and Ivan Koshkin, senior detection engineer. They'll share how Adobe's red and blue teams collaborate every day, not just to test and defend, but to learn, adapt and outpace evolving threats. From real world examples to practical advice, this conversation sheds light on how purple teaming can refine controls, boost detection, and make enterprise security more resilient. Let's jump in. Well, to kick things off, I'd really love each of you to introduce yourselves and your roles at Adobe and how you came to be a part of this Red and Blue collaboration. Ivan, will you start for us, please?
Ivan Koshkin
Yeah. So I've been working at Adobe for the last almost four years now and started within the kind of standard SOC development team, doing a lot of triage, kind of transitioned into more of a detection engineer role. And over time, as we're maturing that program, kind of a natural evolution of the whole process is trying to collaborate more with adversarial emulation teams, especially the Red team. So over time we've kind of developed a relationship and identified how to improve our collaboration, and it's grown into something that's become very fruitful.
Dave Bittner
Justin, how about you?
Justin Tiplitsky
Yeah, so I joined Adobe in 2021 with the intention of building the Red team from the ground up. So previous to that, I had been at Intuit and had the opportunity to be one of the first red teamers there. And then I spent about five years leading and doing Red team operations for Microsoft. So now here I am. We're basically building up this program continuously, year over year and seeking improvement in the defense side. And that's where the Red Blue collaboration comes together. And we've had some really good purple team work that we've done.
Dave Bittner
So, Justin, for folks who might not be familiar, what exactly does purple teaming mean and how does it differ from Red and Blue team operations?
Justin Tiplitsky
Yeah, definitely. So purple is something that's being embraced a little bit more in the industry now because it's an opportunity to strengthen the blue team side. So you make the blue team aware, which is a little bit different, you know, from red teaming, that you are going to be exercising some attack simulations. In some cases they are also making the request to exercise a very particular thing or run certain techniques. So that provides us the opportunity to run our attack simulation and immediately get feedback from the blue side and also share the details of what we're doing. So when we do that in collaboration and we go back and forth, we're giving the blue team that opportunity to build that muscle stronger.
Dave Bittner
Ivan, any additional insights there from your point of view?
Ivan Koshkin
Yeah, Justin basically hit the nail on the head. Basically, the way I like to describe it is we use red team as like a practice squad for real time adversaries. So it's extremely valuable to have a team internally that's able to emulate the real life threat before we actually have to experience some kind of interaction with that real time threat, so we're more prepared and are able to respond and detect more effectively.
Dave Bittner
Well, Ivan, tell me, how do your teams at Adobe collaborate day to day? Is this more like an ongoing partnership or is this a series of planned engagements?
Ivan Koshkin
Yeah, definitely. So it's a continual partnership. It's actually both of those really. So red team has, and Justin will go into more detail on this, a continuous onset of engagements that they go through, and as they go through those engagements, they collaborate with our team on the blue side to ensure that we're tracking what they're doing, how effective our detection is, how effective our response is. They're measuring a bunch of different things that we're doing on our end. And at the same time we're taking their emulation and basically adjusting how we're doing our operations to improve them, using those operations as basically, like I was saying, like the practice to the real thing. So it's a continuous thing. We have regular meetings and collaborations that we work with together to make sure that we're all on the same page and we're tracking what each other's team is doing.
Dave Bittner
Justin, can you add to that?
Justin Tiplitsky
Yeah. So the comparison that he said about the practice squad is actually a truly good comparison because similar to in sports, where there's a practice squad, they are trying to run through all of their plays and ensure that there's lessons that they learn not on game day but when they're in practice. Right. So if they're able to strengthen up the plays, learn where there's weaknesses and determine how they can effectively execute the play and reach the objective that they want, that when there is actually a real game day or in cyber security, when there's an actual incident, they're not spending that time, that extra time learning those lessons. They are just executing effectively and reaching their goal and then, you know, getting that touchdown or home run or whatever, whatever it is they're trying to achieve.
Dave Bittner
Yeah, that. Practice like you play. Right?
Justin Tiplitsky
Practice like you play. Yes, definitely. Definitely a great quote. I'm going to hold on to that one.
Dave Bittner
Okay, so Justin, can you walk us through an example, a real world purple team scenario at Adobe that helped you all improve your security posture?
Justin Tiplitsky
Yeah, I'll give you a specific example. So sometimes we will choose some particular asset that we find valuable and that we would like to protect, and we will determine if we can make some kind of attack path towards reaching that asset. So what we'll do is we'll go and we'll plan out an attack path and we'll have conversations with the blue team ahead of time to determine, like, if there's any particular things that we want to test. And they will also give us sometimes some parameters and limited feedback to help us go execute that. Then we'll go execute our attack path, and we're determined to walk step by step through an attack path that would normally be pulled off by a real attacker. So we're using attack techniques that are used by real attackers, and those are being tracked in the wild and also those are being tracked by threat intel. And then we'll go forth and we'll execute that. So once we complete that, or step by step, depending on how we want to do it, we end up learning a lot about where we can harden things in the steps so that it makes it more difficult to reach that asset, and where detections need to be added so that we can get as early of an alarm as possible if an actual adversary is attempting to do that same attack chain.
Dave Bittner
And Ivan, what does that look like from your team's point of view?
Ivan Koshkin
Yeah, so from our team's point of view, kind of the flip side of that coin is we're looking for any detections that fire during the red team's operation, or at least the SOC operations team is looking for that behavior. And as we identify that behavior, we're doing deconflictions to ensure that red team is being captured. What did we miss as they perform their operations? And we're taking notes from the detection engineering side along this whole path to ensure that we are basically doing the lessons learned following that operation to better detect those attack chains, like Justin mentioned, in the future. So there's a lot that goes into it when we actually break it down, because they submit a lot of requests into our queue to basically improve detections and things on the blue side. And the operations last sometimes months on end. So that entire time we're working together and making sure that we can improve our detection capabilities and response capabilities.
Dave Bittner
What kinds of tools or platforms or environments do you all use to simulate these threats and test out the defenses?
Justin Tiplitsky
Yeah, so for us, we have a completely custom tool chain, so we have custom exploits that we build. Obviously, we spend a lot of time researching Adobe products. And then also we have a command and control framework that we've built from the ground up so that we can execute safely and ethically within the environment and be able to do the exercises that are going to emulate and simulate the attackers to the best of our ability. We also have post exploitation modules that are developed from the ground up. And having all three of those things and additional tools is what makes us have a completely custom attack toolchain.
Dave Bittner
You know, red and blue teams don't always see eye to eye. Has there ever been any tension that you all have had to deal with when goals or priorities conflict? How do you come at that as leaders yourselves, to make sure, you know, everybody gets to the same end goal?
Ivan Koshkin
Yeah, I could touch on that a little bit. There's definitely conflicting priorities sometimes. And that's kind of the maturation process that we go through as we're developing both sides of the red and blue side teams. So when we started, there was a lot of, you know, what do we work on first? There's so much coming in because the red team was spinning things up all the time and obviously there's lots of stuff that we can constantly improve on. So as we mature, we're kind of identifying and creating a model that we use to identify which things that we should prioritize first based on a set of parameters that we've developed over time within our team. And I think Red team also has a similar thing, and Justin, you'll speak to that, where they've kind of developed a model to identify what things we should prioritize to emulate within Adobe's environment.
Dave Bittner
Yeah, Justin.
Justin Tiplitsky
Yeah, really, I like to call it more of like a friendly competition in some senses. But for the most part we are doing work to collaborate with the blue team. I like to say sometimes, like, we work for the blue team because we are like their gym partner. We're spotting them when they're lifting weights and getting their muscles strong in the defense and response capabilities. So it creates an opportunity for us to really spend most of our time strengthening them and then the rest of our time, you know, testing to make sure that the things that we implemented are actually working effectively.
Dave Bittner
We'll be right back. For folks who might be setting up their own purple teaming, are there any early lessons or maybe even mistakes that you all made when you were setting up your Purple Team engagements at Adobe, and any words of wisdom to share for folks who might be not as far along the journey as you all are? Justin?
Justin Tiplitsky
Yeah, I think communication is probably one of the key things that I learned as a leader in these past couple of years. You need to make sure that you're sharing information all the way down to things that are as simple as using the same terminology. So we have shared chat channels and shared email distribution lists and stuff like that to make sure that we can communicate clearly and interact with each other. So a lot of that stuff when it comes to that space is really important, because if you're not speaking the same language and you're not using the same terminology, then there could be miscommunications. If they are just starting out in the Purple team space, obviously they're going to want to have an effective red team. There's industry standards for that, such as a red team maturity model that can help you start understanding how to build from square one and have some low level attack simulation exercises, and then you step it up little by little. On the blue side, it definitely varies; Ivan can dive in and speak more to that. But the capabilities of the blue team obviously are most likely being built up prior to a red team in most situations.
Dave Bittner
Yeah, Ivan.
Ivan Koshkin
Yeah. So Justin made a great point about the communication side of things. That's something that we definitely improved over the years. Exactly. He mentioned lots of channels. Not lots of channels, but specific channels that we use to keep each other up to date, make sure everything critical is communicated and feedback is shared. I think that is critical. Alongside of that, a big part of the communication is regular readouts. So that's something that we've enjoyed from the blue team side is having a readout following an operation where we can basically digest and have an opportunity to ask questions and provide feedback to the red team, instead of them submitting something to our ticket queue for another detection and us having to interpret that ourselves. So something like that I think has been super helpful. The other thing I think that's been super helpful for the blue side as we're spinning this up is adding some kind of way to prioritize the red team tickets and show how we have tangible value that we've generated as a result of their operations. So in the beginning it was a little bit overwhelming. There was a lot of stuff happening and a ton of opportunity, but we just weren't sure what to hit first and we weren't sure how to show the value that we've been generating to leadership. So one thing that we've started doing is marking red team deliverables to our queue as kind of more of a critical priority, because it's something that's been basically emulated and demonstrated, that's something that's feasible for an attacker to perform within our environment. So we can basically stage that in a way where we can assign a critical priority to that content that needs to be developed for the blue team, and then essentially be able to deliver that content in a shorter period of time as well as provide that value of what we're doing to leadership.
Dave Bittner
Justin, that really leads me to my next question, which is how do you measure success in purple teaming? Are there qualitative indicators or quantitative indicators that signal effective progress?
Justin Tiplitsky
Yeah, definitely. So that's something I was actually going to pivot off what Ivan was saying. But setting clear and achievable goals in the very beginning is important. So once you have your red team established, once you have your purple team established, you're going to want to determine what is actually important to the business and what you plan to test. And usually you're going to want to get some sort of agreement that if we execute this exercise and we have this outcome, that will be something meaningful to the business. Example they may take into consideration, if the red team goes out and scans the external attack surface, which are the publicly available servers and machines, is there some way for them to gain an initial foothold into that environment? And if we discover that and are able to patch those critical vulnerabilities, us as technical people and also leadership will consider that very valuable. So that's like a specific example of that. But when you set those clear goals, like I said, you can operate while also knowing that you're going to deliver value back to the business.
Dave Bittner
You mentioned sort of a friendly competitiveness between the two teams. How do you ensure that that competitiveness doesn't inadvertently become adversarial, that, you know, there isn't just a low level resentment that the two of you are pushing and pulling against each other?
Justin Tiplitsky
I think the way that we achieve that is we all have the same goal. The goal is to secure Adobe. And when we think about it that way, and we really try to put aside any minor, slight miscommunications that could potentially happen and really think about that outcome, it really helps us avoid that and know that, you know, even if we hit bumps in the road or even if we have minor disagreements, that in the end we are going to wind up with a more secure Adobe.
Dave Bittner
Ivan, any thoughts there?
Ivan Koshkin
Yeah, and I think I could speak for a lot of blue teams in general, where we've all experienced like pen tests or some kind of emulations where it's made our job a little bit more difficult. Right. But the way that we kind of look at it at Adobe is, like Justin said, we're all on the same team. And not only is Red team making our jobs easier because we can more easily identify the actual adversaries once they perform their emulations, but it's also providing us a ton of collaboration opportunity where we can display, you know, how we are extending our efforts across different teams and organizations and breaking down silos at Adobe.
Dave Bittner
That's a really interesting insight. Now, I'm curious, for companies who are new to purple teaming, what's your advice on how they should begin? What are some foundational practices or approaches that you all have found to be valuable in your own journeys? Let me start with you, Ivan.
Ivan Koshkin
Yeah, so as far as what I've experienced in the past with working with adversary emulation and pen testing teams, I think something that we've improved upon the traditional framework of that at Adobe is, I think some things that we've already kind of mentioned, having that collaborative spirit between the red and blue teams. I think that is essential. And not looking at the other team as kind of like an adversary, but more of like a practice squad. Like, you're both on the same team. This is just a separate part of the team and it's helping you practice against the actual adversary. So I think it's kind of a mindset shift at the core that you have to instill within your blue team organization. But once you kind of start collaborating with the Red team and understanding that their goal is the same as yours, which is protecting the organization, you kind of develop that rapport and eventually it's really natural to collaborate with red as well as any other blue teams.
Dave Bittner
Yeah, you're all making each other stronger. Exactly, yeah. Justin, your thoughts there?
Justin Tiplitsky
Yeah. If somebody is just starting a purple team program, obviously you're going to want to have your blue team already strongly established. Depending on the size of that, it can be limited size all the way down to a small or medium company, but obviously at a large scale you're probably going to have one already implemented. I have seen examples of Red team starting with one to two people. It's not ideal, but you can start to do some attack simulation and some attack emulation at that level and begin to get a little bit of signal back that you can measure. So like back to your previous question about is there a way to measure this? Yeah, I definitely think there is. I am developing some Red Team metrics that I consider to be simple and effective in communicating to the business, and they can also be introduced very early on so that you can get a bit of a clear measurement of how effective your exercises are and what business outcomes you're having.
Dave Bittner
You know, the threats are always evolving and you know, dare I mention AI, as these threats grow and change, how do you see purple teaming changing over the next few years?
Justin Tiplitsky
Yeah, it's definitely an interesting capability that has been introduced to red teams, and obviously if it's been introduced to red teams, it's been introduced to real adversaries, and that is the use of AI. I have a term that I say which is like accelerated attack chain, where you take information in very rapidly from inside the business to push an attack chain forward, because that's not the particular section of it that you're most interested in, so you're just going to push that part forward. With AI, every step can be accelerated. So what took a long time before is now becoming a lot shorter of a process. Example: I recently read an article about how somebody was able to develop a full proof of concept exploit before any exploit came out, before any details about the bug came out, and they were able to do it rapidly in like under four hours. So it's definitely going to change the landscape. So if one word could describe that, it's speed. The attackers are going to get much faster, and that means that the response capabilities are going to have to get faster and most likely leverage AI themselves.
Dave Bittner
What's your outlook, Ivan?
Ivan Koshkin
Yeah, I think just to piggyback off Justin's answer is the best way I could describe it is it's a force multiplier. So as we're trying to adapt to attackers using these newer tools and capabilities, it's kind of a parallel approach. So not only are attackers improving their capabilities and they're becoming faster and more effective at executing on their objectives, the blue team has to match that. Right. So we have to be as aggressive as possible to match those capabilities on our end too. So I think in the future you're going to see especially detection engineering, which is a relatively new discipline, a lot of our maturation models are going to be matching, implementing these AI capabilities to force multiply what we're capable of doing.
Dave Bittner
Stepping up to a higher level. I'm sure there are some folks in our audience who look at the two of you and find inspiration that you have these interesting positions at a very well known and high level respected organization. Any words of wisdom or tips to folks who are just coming up in the industry and see the kinds of things that you all are doing as inspirational or perhaps a future goal for themselves? Ivan?
Ivan Koshkin
Yeah, I mean personally I don't think I'm doing anything special. It's really just a matter of find something you're interested in and go all in on it. So I think curiosity is kind of your best friend. So if there's something that you kind of dabble in, whether you're working in a SOC, if you're starting out in security engineering, interact with a few other disciplines within your organization and see what they're up to, and if something looks interesting, spend some time investigating it, jump on a five minute call with them and see what they're up to. And I think having that interaction with external teams kind of helps you develop more knowledge of how, overall, as a security organization you should function and what other disciplines you should be implementing into your workflows.
Dave Bittner
How about you Justin?
Justin Tiplitsky
Yeah, I would say at this point in cybersecurity it's starting to mature and there's a lot of depth in each individual piece of it. So I would say probably specialize at this point, really narrow in on what career you're trying to have. And I always say, I said this in a previous Adobe based blog post, but find the job that looks exciting and interesting to you and kind of reverse engineer the expectations and responsibilities of that job to determine what you should spend time on. That leads into, I think, hands on being one of the best approaches. Really, it's a very hands on job. So like you're not going to be able to get everything you need to do to perform the job just by reading or just by collecting information. You're really going to need to spend that time, like Ivan said, tinkering and playing around with the technology so you're comfortable with it.
Dave Bittner
And that is a wrap on this edition of CyberWire X. A big thanks to Justin Tiplitsky and Ivan Koshkin for taking us behind the scenes of Adobe's purple teaming efforts. Their insights highlight the power of collaboration, where offensive creativity meets defensive depth to create smarter, faster and more resilient security strategies. If you're thinking about building or leveling up your own purple teaming program, take a cue from Adobe: start with trust, align goals, and make learning a shared mission. Thanks for listening. Don't forget to follow, rate and share if you found this episode helpful. We'll catch up with you next time. I'm Dave Bittner. Thanks for listening.
CyberWire Daily Podcast Summary
Title: Purple Teaming in the Modern Enterprise [CyberWire-X]
Host: Dave Bittner, CyberWire Network, powered by N2K Networks
Release Date: May 25, 2025
In the episode titled "Purple Teaming in the Modern Enterprise", host Dave Bittner delves into the synergistic relationship between red and blue teams within cybersecurity operations. Sponsored by N2K Networks, this in-depth discussion features insights from Justin Tiplitsky, Director of Red Team at Adobe, and Ivan Koshkin, Senior Detection Engineer at Adobe's security organization. The conversation explores how Adobe leverages purple teaming to enhance its security posture through collaboration, real-world simulations, and continuous improvement.
Ivan Koshkin begins by outlining his journey at Adobe:
"[...] I transitioned into more of a detection engineer role. Over time, as we matured the program, collaborating with the adversarial emulation teams, especially the Red team, became natural and very fruitful."
[01:44]
Justin Tiplitsky shares his experience in building Adobe's Red Team from the ground up:
"[...] We’re continuously building up the Red team program year over year, seeking improvements on the defense side. This is where the Red and Blue collaboration comes into play, fostering effective purple teaming."
[02:19]
Justin elucidates the concept of purple teaming:
"Purple is an opportunity to strengthen the blue team. By simulating attacks and sharing techniques, we allow the blue team to build stronger defenses."
[03:00]
Ivan adds his perspective:
"We use the red team as a practice squad for real-time adversaries, enabling us to emulate threats and prepare more effectively."
[03:44]
Dave Bittner inquires about the day-to-day collaboration between teams.
Ivan describes it as a continuous partnership:
"Red team has ongoing engagements, collaborating with the blue team to track actions, measure detection effectiveness, and improve our operations."
[04:20]
Justin compares the teams to a sports practice squad:
"Like a practice squad in sports, purple teaming allows us to strengthen defenses during practice so that we can execute effectively during real incidents."
[05:08]
Justin provides a concrete example:
"We select valuable assets and plan attack paths to reach them, executing these simulations using real-world attack techniques. This helps us identify areas to harden and improve detection mechanisms."
[06:06]
Ivan explains the blue team's role in these scenarios:
"We monitor for detections during red team operations, identify any missed behaviors, and use lessons learned to enhance our detection and response capabilities."
[07:25]
Justin details Adobe’s custom toolchain:
"We utilize completely custom exploits, a bespoke command and control framework, and tailor-made post-exploitation modules to simulate and execute attacks ethically within our environment."
[08:29]
Addressing potential conflicts, Ivan acknowledges initial challenges:
"There were conflicting priorities as both teams matured. We developed a prioritization model to focus on critical areas and align our efforts effectively."
[09:27]
Justin emphasizes the collaborative spirit:
"We view our relationship as a friendly competition with the shared goal of securing Adobe, ensuring that any disagreements steer us toward a more secure environment."
[10:12]
Ivan concurs, highlighting teamwork over rivalry:
"Red team operations make our jobs easier by allowing us to identify and respond to adversary behaviors more efficiently, fostering collaboration across teams."
[16:05]
Justin underscores the importance of communication:
"Ensure clear communication by using shared channels and consistent terminology to avoid miscommunications and facilitate effective collaboration."
[11:21]
Ivan echoes the need for a collaborative mindset:
"View the red team as a practice squad. Aligning both teams towards the common goal of protection fosters natural collaboration and effectiveness."
[17:03]
Justin discusses setting clear, business-aligned goals:
"Define what’s important to the business and agree that specific exercises will deliver meaningful outcomes, such as patching critical vulnerabilities discovered during simulations."
[14:21]
Justin highlights the impact of AI on threat simulation:
"With AI enabling accelerated attack chains, attackers can execute exploits much faster. This necessitates that our response capabilities also leverage AI to keep pace."
[19:08]
Ivan adds that blue teams must use AI as a force multiplier:
"To match the enhanced capabilities of attackers, blue teams must aggressively adopt AI to enhance detection and response, ensuring we stay ahead."
[20:09]
Ivan advises cultivating curiosity and interdisciplinary knowledge:
"Find something you're passionate about and dive deep. Interact with various disciplines to understand how a security organization functions holistically."
[21:23]
Justin recommends specialization and hands-on experience:
"Specialize in an area that excites you. Reverse engineer job expectations to guide your learning, and engage in hands-on activities to build practical skills."
[22:09]
Host Dave Bittner wraps up the episode by summarizing the powerful collaboration between Adobe's red and blue teams through purple teaming. Emphasizing trust, aligned goals, and a shared mission of continuous learning, Justin and Ivan illustrate how this partnership leads to smarter, faster, and more resilient security strategies. For organizations looking to establish or enhance their purple teaming initiatives, following Adobe's example of starting with trust, aligning objectives, and fostering a collaborative learning environment is key to success.
Notable Quotes:
Justin Tiplitsky:
"Practice like you play."
[05:50]
Ivan Koshkin:
"Red team has ongoing engagements, collaborating with the blue team to track actions, measure detection effectiveness, and improve our operations."
[04:20]
Justin Tiplitsky:
"Our goal is to secure Adobe. Even if we have minor disagreements, we are united in making Adobe more secure."
[15:38]
This comprehensive discussion provides valuable insights into the implementation and benefits of purple teaming, offering practical advice for organizations and professionals aiming to bolster their cybersecurity defenses through collaborative efforts.