CyberWire Daily - Purple teaming in the modern enterprise. [CyberWire-X]

Episode Date: May 25, 2025

In large enterprise software companies, Red and Blue Teams collaborate through Purple Teaming to proactively detect, respond to, and mitigate advanced threats. In this episode of CyberWire-X, N2K's Dave Bittner is joined by Adobe's Justin Tiplitsky, Director of Red Team, and Ivan Koshkin, Senior Detection Engineer, to discuss how their teams work together daily to strengthen Adobe's security ecosystem. They share real-world insights on how this essential collaboration enhances threat detection, refines security controls, and improves overall cyber resilience.

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network powered by N2K. Welcome to CyberWireX where we unpack the critical conversations shaping cybersecurity today. I'm Dave Bittner. In this sponsored episode, we're diving into the world of purple teaming, where offense meets defense to strengthen enterprise security. At the heart of this strategy are red and blue teams.
Starting point is 00:00:38 One simulates real world attacks, the other defends against them. But the real magic happens when they team up. Joining us today are two leaders from Adobe's security organization, Justin Tiplitsky, director of Red Team, and Ivan Koshkin, senior detection engineer. They'll share how Adobe's Red and Blue teams collaborate every day, not just to test and defend, but to learn, adapt, and outpace evolving threats. From real-world examples to practical advice, this conversation sheds light on how purple
Starting point is 00:01:12 teaming can refine controls, boost detection, and make enterprise security more resilient. Let's jump in. Well, to kick things off, I'd really love each of you to introduce yourselves and your roles at Adobe and how you came to be a part of this red and blue collaboration. Ivan, will you start for us, please? Yeah, so I've been working at Adobe for the last almost four years now and started within the kind of standard SOC development team doing a lot of triage, kind of transitioned into more of a detection engineer role. And over time, as we're maturing that program, kind of a natural evolution of the whole process
Starting point is 00:02:03 is trying to collaborate more with adversarial emulation teams, especially the Red Team. So over time, we've kind of developed a relationship and identified how to improve our collaboration. And it's grown into something that's become very fruitful. Justin, how about you? Yeah, so I joined Adobe in 2021 with the intention of building the Red Team from the ground up.
Starting point is 00:02:24 So previous to that, I had been into it and had the opportunity to be one of the first red teamers there. And then I spent about five years leading and doing red team operations for Microsoft. So now here I am. We're basically building up this program continuously year over year and seeking improvement at the defense side. And that's where the red blue collaboration comes together. And we've had some really good purple teamwork that we've done. So Justin, for folks who might not be familiar, what exactly does purple teaming mean and how does it differ from red and blue team operations? Yeah, definitely.
Starting point is 00:03:01 So purple is something that's being embraced a little bit more in the industry now, because it's an opportunity to strengthen the blue team side. So you make the blue team aware a little bit different, you know, from red teaming that you are going to be exercising some attack simulations. In some cases, they are also making the request to exercise a very particular thing or run certain techniques. So that provides us the opportunity to run our attack simulation and immediately get feedback from the blue side and also share the details of what we're doing. So when we do that in collaboration and we go back and forth, we're giving the blue team that opportunity to build that muscle stronger. Ivan, any additional insights there from your point of view?
Starting point is 00:03:44 Yeah, Justin basically hit the nail on the head. It's basically, the way I like to describe it is we use Red Team as like a practice squad for real-time adversaries. So it's extremely valuable to have a team internally that's able to emulate the real-life threat before we actually have to experience some kind of interaction with that real-time threat so we're more prepared and are able to respond and detect more effectively. Well, Ivan, tell me how do your teams at Adobe collaborate day to day? Is this more like an ongoing partnership or is this a series of planned engagements?
Starting point is 00:04:19 Yeah, definitely. So it's a continual partnership. It's actually both of those really. So Red Team has, kind of, and Justin can go into more detail on this, a continuous set of engagements that they go through, and as they go through those engagements they collaborate with our team on the blue side to ensure that we're tracking what they're doing, how effective our detection is, how effective our responses are, measuring a bunch of different things that we're doing on our end. And at the same time, we're taking their emulation and basically adjusting how we're doing our operations to improve them, using those operations as basically, like I was saying, like the practice to the real thing. So it's a continuous thing.
Starting point is 00:04:58 We have regular meetings and collaborations that we work with together to make sure that we're all on the same page and we're tracking what each other's team is doing. Justin, can you add to that? Yeah, so the comparison that he said about the practice squad is actually a truly good comparison because similar to in sports where there's a practice squad, they are trying to run through all of their plays and ensure that there's lessons that they learn not on game day,
Starting point is 00:05:22 but when they're in practice, right? So if they're able to strengthen up the plays, learn where there's weaknesses, and determine how they can effectively execute the play and reach the objective that they want, that when there is actually a real game day or in cybersecurity, when there's an actual incident, they're not spending that time,
Starting point is 00:05:38 that extra time learning those lessons. They are just executing effectively and reaching their goal and then getting that touchdown or home run or whatever it is they're trying to achieve. Yeah, that's practice like you play, right? Practice like you play, yes, definitely. A great quote, I'm going to hold on to that one. Okay, so Justin, can you walk us through an example, like a real world purple team scenario at Adobe that helped you all improve your security posture? Yeah, I'll give you a specific example.
Starting point is 00:06:09 So sometimes we will choose some particular asset that we find valuable and that we would like to protect. And we will determine if we can make some kind of attack path towards reaching that asset. So what we'll do is we'll go and we'll plan out an attack path and we'll have conversations with the blue team ahead of time to determine, like, if there's any particular things that we want to test, and they will also, you know, give us sometimes some parameters and limited
Starting point is 00:06:35 feedback to help us go execute that. Then we'll go execute our attack path and determine to walk step by step through an attack path that would normally be pulled off by a real attacker. So we're using attack techniques that are used by real attackers, and those are being tracked in the wild, and also those are being tracked by threat intel. And then we'll go forth and we'll execute that.
Starting point is 00:06:56 So once we complete that or step by step, depending on how we wanna do it, we end up learning a lot about where we can, you know, harden things in the steps so that, you know, it makes it more difficult to reach that asset and where detections need to be added so that we can get as early of an alarm as possible if an actual adversary is attempting to do that same attack chain. And Ivan, what does that look like from your team's point of view?
Starting point is 00:07:33 Yeah, so from our team's point of view, kind of the flip side of that coin is we're looking for any detections that fire during the red team's operation, or at least the SOC slash operations team is looking for that behavior. And as we identify that behavior, we're doing the deconflictions to ensure that red team is being captured. What did we miss as they performed their operations? And we're taking notes from the detection engineering side along this whole path to ensure that we are basically doing the lessons learned following that operation to better detect those attack chains like Justin mentioned in the future.
Starting point is 00:07:59 So there's a lot that goes into it when we actually break it down, because they submit a lot of requests into our queue to basically improve detections and things on the blue side, and the operations last, you know, sometimes months and on, and so that entire time we're working together and making sure that we can improve our detection capabilities and response capabilities. What kinds of tools or platforms or environments do you all use to simulate these threats and test out the defenses? Yeah, so for us, we have a completely custom tool chain.
Starting point is 00:08:33 So we have custom exploits that we build. Obviously, we spend a lot of time researching Adobe products. And then also we have a command and control framework that we've built from the ground up so that we can execute safely and ethically within the environment and be able to do the exercises that are going to emulate and simulate the attackers to the best of our ability. We also have post exploitation modules that are developed from the ground up and having all three of those things and additional tools is what makes us have a completely custom attack tool chain.
Starting point is 00:09:09 You know, red and blue teams don't always see eye to eye. Um, has there ever been any tension that you all have had to, to deal with when, when goals or priorities conflict? How do you come at that, you know, as, as leaders yourselves, uh, to make sure, you know, everybody gets to the same end goal? Yeah, I could touch on that a little bit. There's definitely conflicting priorities sometimes, and that's kind of the maturation process that we go through as we're developing both sides, the red and blue side teams. So when we started, there was a lot of, you know, what do we work on first? There's so much coming in because the red team was spinning things up all the time. And
Starting point is 00:09:46 obviously, there's lots of stuff that we can constantly improve on. So as we mature, we're kind of identifying and creating a model that we use to identify which things that we should prioritize first based on a set of parameters that we've developed over time within our team. And I think Red Team also has a similar thing, and Justin is going to speak to that, where they've kind of developed a model to identify what things we should prioritize
Starting point is 00:10:08 to emulate within Adobe's environment. Yeah, Justin? Yeah, really, I like to call it more of like a friendly competition in some senses. But for the most part, we are doing work to collaborate with the Blue Team. I like to say sometimes like we work for the Blue Team because we are like their gym partner, we're spotting them when they're lifting weights and getting their muscles strong in the defense and response capabilities. So it creates an opportunity for us to really spend most of our time strengthening them
Starting point is 00:10:36 And then the rest of our time, you know, testing to make sure that the things that we implemented are actually working effectively. We'll be right back. For folks who might be setting up their own Purple Team, are there any early lessons or maybe even mistakes that you all made when you were setting up your Purple Team engagements at Adobe and any words of wisdom to share for folks who might be not as far along the journey as you all are, Justin? Yeah, I think communication is probably one of the key things that I learned as a leader in these past couple of years. You need to make sure that
Starting point is 00:11:28 you're sharing information all the way down to things that are as simple as using the same terminology. So we have shared chat channels and shared email distribution lists and stuff like that to make sure that we can, you know, communicate clearly and interact with each other. So a lot of that stuff when it comes to that space is really important because if you're not speaking the same language and you're not using the same terminology, then there could be miscommunications. If they are just starting out in the Purple Team space, obviously they're going to want
Starting point is 00:11:59 to have an effective Red Team. There's industry standards for that, such as a red team maturity model that can help you start understanding how to build from square one and have some low level attack simulation exercises. And then you step it up little by little. On the blue side, it definitely varies. I'll let Ivan speak more to that. But the capabilities of the blue team, obviously,
Starting point is 00:12:20 are most likely being built up prior to a red team in most situations. Yeah, Ivan? Yeah, so Justin made a great point about the communication side of things. That's something that we've definitely improved over the years. Exactly, I have mentioned lots of channels, not lots of channels, but specific channels that we use to keep each other up to date, make sure everything critical is communicated,
Starting point is 00:12:41 and feedback is shared, I think, is critical. Alongside of that, a big part of the communication is regular readouts. So that's something that we've enjoyed from the blue team side is having a readout following an operation where we can basically digest and have an opportunity to ask questions and provide feedback to the red team instead of them submitting something to our ticket queue for another detection and us having to interpret that ourselves. So something like that, I think, has been super helpful. The other thing I think that's been super helpful for
Starting point is 00:13:11 the blue side as we're spinning this up is adding some way to prioritize the red team tickets and show how we have tangible value that we've generated as a result of their operations. So in the beginning, it was a little bit overwhelming. There was a lot of stuff happening and a ton of opportunity, but we just weren't sure what to hit first.
Starting point is 00:13:30 And we weren't sure how to provide that, show the value that we've been generating to leadership. So one thing that we've started doing is marking red team deliverables to our queue as kind of more of a critical priority, because it's something that's been basically emulated and demonstrated as something that's feasible for an attacker to perform within our environment.
Starting point is 00:13:49 So we can basically stage that in a way where we can assign a critical priority to that content that needs to be developed for the blue team and then essentially be able to deliver that content in a more shorter period of time as well as provide that value of what we're doing to leadership. Justin, that really leads me to my next question,
Starting point is 00:14:09 which is how do you measure success in purple teaming? Are there qualitative indicators or quantitative indicators that signal effective progress? Yeah, definitely. So that's something I was actually going to pivot off what Ivan was saying. But setting clear and achievable goals in the very beginning is important.
Starting point is 00:14:30 So once you have your red team established, once you have your purple team established, you're going to want to determine what is actually important to the business and what you plan to test. And usually, you're going to want to get some sort of agreement that if we execute this exercise and we have this outcome, that will be something meaningful to the business. Example, they may take into consideration
Starting point is 00:14:50 if the red team goes out and scans the external attack surface, which are the publicly available servers and machines, is there some way for them to gain an initial foothold into that environment? And if we discover that and are able to patch those critical vulnerabilities, us as technical people and also leadership will consider that very valuable. So that's like a specific example of that. But when you set those clear goals, like I said, you can operate while also knowing that you're going to deliver value back to the business. You mentioned sort of a
Starting point is 00:15:18 friendly competitiveness between the two teams. How do you ensure that that competitiveness doesn't inadvertently become adversarial? That there isn't just a low level resentment that the two of you are pushing and pulling against each other. I think the way that we achieve that is we all have the same goal. The goal is to secure Adobe.
Starting point is 00:15:45 And when we think about it that way, and we really try to put aside any minor slight miscommunications that could potentially happen and really think about that outcome, it really helps us avoid that and know that even if we hit bumps in the road or even if we have minor disagreements, that in the end, we are going to wind up with a more secure Adobe.
Starting point is 00:16:04 Ivan, any thoughts there? Yeah, and I think I could speak for a lot of blue teams in general, where, you know, we've all experienced like pen tests or some kind of emulations where it's made our job a little bit more difficult. Right. But the way that we kind of look at it at Adobe is, like Justin said, we're all on the same team. And not only is Red Team making our jobs easier because we can more easily identify the actual adversaries once they perform their emulations, but it's also providing us a ton of collaboration opportunity where we can
Starting point is 00:16:34 display how are we extending our efforts across different teams and organizations and breaking down silos at Adobe. That's a really interesting insight. Yeah, I'm curious for companies who are new to purple teaming. What's your advice on how they should begin? What are some foundational practices or approaches that you all have found to be valuable in your own journeys? Let me start with you Ivan. Yeah, so as far as what I've experienced in the past with working with adversary emulation and pen testing teams is, I think something that we've improved upon the traditional framework of that at Adobe is, I think some things that we've already kind of mentioned is having
Starting point is 00:17:19 that collaborative spirit between the red and blue teams, I think is essential and not looking at other teams as kind of like an adversary, but more of like a practice squad. You're both on the same team. This is just a separate part of the team, and it's helping you practice against the actual adversary. So I think it's a kind of a mindset shift at the core that you have to instill within your new team organization.
Starting point is 00:17:41 But once you kind of start collaborating with the red team and understanding that their goal is the same as yours, which is protecting the organization, you kind of develop that rapport. And eventually, it's really natural to collaborate with red as well as any other blue teams. Yeah, you're all making each other stronger. Exactly. Yeah. Justin, your thoughts there? Yeah, if somebody is just starting a purple team program, obviously you're gonna want to have your blue team already strongly established, depending on the size of that.
Starting point is 00:18:13 It can be, you know, limited size all the way down to a small medium company, but obviously at a large scale you're probably gonna have one already implemented. Um, I have seen examples of red team starting with one to two people. It's not ideal, but you can start to do some attack simulation and some attack emulation at that level and begin to get a little bit of signal back that you can measure. So like back to your previous question about is there a way to measure this? Yeah, I definitely think there is. I am developing some red team metrics that I consider to be simple and effective in communicating to the business. And they can also be introduced very early on so that you can get a bit of a clear measurement
Starting point is 00:18:49 of how effective your exercises are and what business outcomes you're having. You know, the threats are always evolving and you know, dare I mention AI. As these threats grow and change, how do you see purple teaming changing over the next few years? Yeah, it's definitely an interesting capability that has been introduced to red teams. And obviously, if it's been introduced to red teams, it's been introduced to real adversaries.
Starting point is 00:19:18 And that is the use of AI. I have a term that I say, which is like accelerated attack chain, where you take information in very rapidly from inside the business to push an attack chain forward, because that's not the particular section of it that you're most interested in. So you're just going to push that part forward. With AI, every step can be accelerated. So what took a long time before is now becoming a lot shorter of a process.
Starting point is 00:19:40 Example, I recently read an article about how somebody was able to develop a full proof of concept exploit before any exploit came out, before any details about the bug came out, and they were able to do it rapidly in like under four hours. So it's definitely gonna change the landscape. So if one word could describe that, it's speed. The attackers are gonna get much faster,
Starting point is 00:20:00 and that means that the response capabilities are gonna have to get faster and most likely leverage AI themselves. What's your outlook, Ivan? Yeah, I think just to piggyback off Justin's answer, the best way I could describe it is it's a force multiplier. So as we're trying to adapt to attackers using these newer tools and capabilities, it's kind of a parallel approach. So not only are attackers improving their capabilities
Starting point is 00:20:26 and they're becoming faster and more effective at executing on their objectives, the blue team has to match that, right? So we have to be as aggressive as possible to match those capabilities on our end, too. So I think in the future, you're going to see, especially detection engineering, which is a relatively new discipline, a lot of our maturation models are going to be matching, implementing these AI capabilities to
Starting point is 00:20:49 force multiply what we're capable of doing. Stepping up to a higher level, I'm sure there are some folks in our audience who look at the two of you and find inspiration that you have these interesting positions at a very well-known and high-level respected organization. Any words of wisdom or tips to folks who are just coming up in the industry and see the kinds of things that you all are doing as inspirational or perhaps a future goal for
Starting point is 00:21:21 themselves? Ivan? Yeah. I mean, personally, I just don't, I don't think I'm doing anything special. It's really just a matter of, you know, find something you're interested in and go all in on it.
Starting point is 00:21:33 So I think curiosity is kind of your best friend. So if you're, if something that you kind of dabble in, whether you're working in a SOC, if you're starting out in a security engineering, interact with a few other disciplines within your organization and see what they're up to. And if something looks interesting, spend some time investigating on it,
Starting point is 00:21:51 jump on a five minute call with them and see what they're up to. And I think having that interaction with external teams kind of helps you develop more knowledge with how overall as a security organization you should function and what other disciplines you should be implementing into your workflows. How about you, Justin? Yeah, I would say at this point in cybersecurity, it's starting to mature and there's a lot of depth in each individual
Starting point is 00:22:16 piece of it. So I would say probably specialize at this point, really narrow in on what you're trying to, what career you're trying to have. And I always say, I said this in a previous Adobe based blog post, but find the job that looks exciting and interesting to you and kind of reverse engineer the expectations and responsibilities of that job to determine what you should spend time on.
Starting point is 00:22:39 That leads into, I think hands-on is one of the best approaches. Really it's a very hands-on job. So like you're not going to be able to get everything you need to do to perform the job just by reading or just by collecting information. You're really going to need to spend that time, like Ivan said, tinkering and playing around with the technology so you're comfortable with it. And that is a wrap on this edition of CyberWireX. A big thanks to Justin
Starting point is 00:23:07 Tiplitsky and Ivan Koshkin for taking us behind the scenes of Adobe's Purple Teaming efforts. Their insights highlight the power of collaboration where offensive creativity meets defensive depth to create smarter, faster, and more resilient security strategies. If you're thinking about building or leveling up your own purple teaming program, take a cue from Adobe. Start with trust, align goals, and make learning a shared mission. Thanks for listening. Don't forget to follow, rate, and share if you found this episode helpful.
Starting point is 00:23:40 We'll catch up with you next time. I'm Dave Bittner. Thanks for listening.
