Cyber Range Purple Team Exercises Playbook

December 17, 2023

Playbook Objectives:

  • To enhance the defensive capabilities of InnoTech’s cybersecurity team by exposing them to a realistic cyber attack scenario.
  • To bridge the gap between the red team’s offensive skills and the blue team’s defensive strategies by incorporating purple team dynamics.
  • To identify weaknesses in the current security posture and develop a robust incident response plan.
  • To train the staff in detecting, responding to, and mitigating sophisticated cyber threats.
  • To ensure compliance with industry standards and regulations that pertain to cybersecurity.

Difficulty Level:

  • Advanced


  • InnoTech, a prominent financial services provider, has noticed an uptick in targeted cyber threats within its industry. With a considerable amount of sensitive client data and financial information being processed daily, the company recognizes the urgent need for a comprehensive cybersecurity strategy to protect its assets.
  • In recent months, several competitors have fallen victim to advanced persistent threats (APTs), leading to significant financial and reputational damage. InnoTech’s leadership team, spearheaded by CISO Dr. Maya Richardson, has decided it’s time to put their defenses to the test with a Purple Team Exercise in their Cyber Range environment.
  • In this exercise, the red team, led by offensive security expert Alexei Petrov, will simulate an adversary group, “ShadowElite,” known for their meticulous approach and long-term infiltration tactics. They are tasked with compromising the company’s network by any means necessary, imitating real-life attackers targeting financial institutions.
  • On the defensive side, the blue team, under the guidance of cybersecurity defense lead Grace Lee, will utilize their monitoring tools, threat intelligence, and incident response protocols to identify, contain, and eradicate the threats posed by ShadowElite.
  • InnoTech’s network is a complex hybrid cloud environment with an array of endpoints, including workstations, servers, and mobile devices that employees use for remote access. The network houses a comprehensive customer database, payment processing systems, and proprietary financial analysis software.


  • Cybersecurity Incident Response / Threat Simulation

Exercise Attack Steps:

  • Reconnaissance:
    • Red team gathers information on InnoTech’s external-facing assets through tools like Shodan, search engine queries, and social engineering techniques.
    • Blue team monitors traffic and sets up alerts for potential reconnaissance activities.
  • Initial Compromise:
    • Red team attempts to gain initial entry through spear-phishing emails targeting the finance department with malicious attachments.
    • Blue team employs email filtering, user training, and endpoint protection to detect and block phishing attempts.
  • Establish Foothold:
    • Red team exploits a known but unpatched vulnerability in the company’s VPN solution to establish a foothold on the network.
    • Blue team conducts regular vulnerability scans and patches critical systems, and uses anomaly detection to identify unusual network traffic.
  • Privilege Escalation:
    • Red team uses local exploits to gain higher privileges on a compromised system, seeking access to administrative accounts.
    • Blue team implements least privilege and multi-factor authentication, and monitors for the use of privilege escalation techniques.
  • Lateral Movement:
    • Red team moves within the network using techniques like pass-the-hash and by exploiting weaknesses that enable lateral movement, such as insecure SMB configurations.
    • Blue team segregates critical assets, monitors for lateral movement, and conducts network segmentation.
  • Persistence:
    • Red team creates backdoors and schedules tasks to maintain long-term access even after initial entry vectors are cut off.
    • Blue team checks for unrecognized scheduled tasks and startup items, and applies host-based intrusion detection systems.
  • Exfiltration:
    • Red team packages sensitive data and exfiltrates it to an external command-and-control server using encrypted channels.
    • Blue team inspects outbound data flows, enforces data loss prevention strategies, and deploys network intrusion detection systems.
  • Incident Response:
    • Blue team identifies the breach, contains the threat, eradicates the adversary’s presence, recovers systems to normal operation, and conducts a post-mortem analysis.
    • Red team provides feedback on the effectiveness of the defense strategies and the challenges faced during the attack.

Through this Cyber Range Purple Team exercise, InnoTech aims to reinforce its security measures, improve its incident response time, and build a more resilient infrastructure against sophisticated cyber threats.
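
The blue-team check in the Persistence step (unrecognized scheduled tasks) can be run as a comparison of a host's current task inventory against an approved baseline. The Python below is an added example, not part of the original playbook; the host and task names, the four-column subset of a `schtasks /query /fo CSV /v` export, and the user-writable-path heuristic are assumptions made for illustration.

```python
import csv
import io

# Constructed inventories shaped like `schtasks /query /fo CSV /v` output,
# cut down to four columns. Hosts, task names and paths are invented.
HEADER = '"HostName","TaskName","Task To Run","Run As User"\n'
BASELINE = HEADER + r'''"FIN-WS-01","\InnoTech\NightlyBackup","C:\Program Files\Backup\agent.exe --nightly","SYSTEM"
"FIN-WS-01","\InnoTech\ReportExport","C:\Program Files\FinReports\export.exe","svc_reports"
"FIN-WS-01","\InnoTech\LogRotate","C:\Program Files\Ops\rotate.exe","SYSTEM"
'''
CURRENT = HEADER + r'''"FIN-WS-01","\InnoTech\NightlyBackup","C:\Program Files\Backup\agent.exe --nightly","SYSTEM"
"FIN-WS-01","\InnoTech\ReportExport","C:\Users\Public\export.exe","svc_reports"
"HostName","TaskName","Task To Run","Run As User"
"FIN-WS-01","\InnoTech\UpdateCheck","C:\ProgramData\upd\svc.exe","SYSTEM"
'''

# Heuristic (an assumption of this example): ordinary users can usually write
# under these directories, so tasks that run binaries from them rank higher.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\appdata\\", "\\temp\\")

def load_tasks(csv_text):
    """Return {(host, task name): (command, run-as user)}."""
    tasks = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["HostName"] == "HostName":  # skip a repeated header row
            continue
        # Windows task names are case-insensitive, so normalise the key.
        key = (row["HostName"].upper(), row["TaskName"].lower())
        tasks[key] = (row["Task To Run"].strip(), row["Run As User"].strip())
    return tasks

def review_tasks(baseline, current):
    """List (severity, change, host, task, command, user) for triage."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        old, new = baseline.get(key), current.get(key)
        if old == new:
            continue
        change = "NEW" if old is None else "REMOVED" if new is None else "CHANGED"
        command, user = new or old
        risky = new is not None and any(d in command.lower() for d in USER_WRITABLE)
        findings.append(("HIGH" if risky else "REVIEW", change, *key, command, user))
    return findings

if __name__ == "__main__":
    for finding in review_tasks(load_tasks(BASELINE), load_tasks(CURRENT)):
        print(" | ".join(finding))
```

A changed command on an existing task is reported alongside new tasks, since repointing an approved task leaves the task name looking legitimate.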