Purple Team Part 2: Prereqs & CTI
Resources to assist with CTI functions
Part two of my purple team series hits on some key aspects of purple teaming, specifically, I’ll be discussing Cyber Threat Intelligence (CTI), along with some quality tools and resources for learning more on your own. I’m a huge proponent of people taking learning into their own hands and using everything possible (that is free) before jumping to the paid options. There’s so much out there you can find if you just seek it. I’ve included some courses I’ve done at the bottom of this blog, but no doubt you can find more out there as well.
If you missed part one, you can go read that one here. It might prove useful to at least skim that one before reading the rest of part 2.
Now, before we dive into some specifics regarding CTI skills, goals, resources, and methodologies, it’s important to cover some prerequisites to successful purple team exercises. There are some “must-haves” and a few “nice-to-haves” that would give the exercise a higher ROI, but are not mandatory.
Must-haves
People with dedicated functions for purple teaming
If no one is assigned this to be at least part of their role, it will likely fall through the cracks or lose priority
Some Security / IT maturity
Purple teaming will have no value if you are not already utilizing basic security controls. The blog listed in the image caption below explains this.
Graphic from https://medium.com/mitre-engenuity/threat-informed-defense-is-hard-so-we-are-still-not-doing-it-31ae7b68955f
Logs
SIEM or some query capability
Detection (defend) capability
EDR/SIEM
Testing (attack) capability
Manual human-led process or automated tools are fine here
Identified attack chain(s) or atomic TTPs to test
Nice-to-have’s
Organization threat model
Know yourself
Blue team workflows / SOPs
Know what to do when an incident occurs
Separate attack & defense teams
Keep teams separate so the exercise is more realistic
From a 1000-foot view, purple teaming is really just CADD
CTI -Gather intel on something to test
Attack - Emulate the TTP in your environment
Detect - Review/add detections, reduce noise
Defend - Implement/adjust defenses, harden systems, modify permissions, etc.
From a much closer vantage, it would look like the description below found in the Purple Team Exercise Framework (PTEF).
Ok, now we can finally get into the topic-specific stuff.
Cyber Threat Intelligence
Cyber Threat Intelligence is really the “so what” of data. Its purpose is to drive decisions and reduce risk/uncertainty. This is achieved by utilizing evidence-based knowledge, context, indicators, capabilities, and behaviors of a threat to assess how the threat may impact the organization, and tying that back to defensive actions to help reduce risk.
In CTI, you often write reports that are concise and have a clear BLUF. Will interact with indicators/observables, and use formats or rules in STIX, YARA, SIGMA, etc. And you deliver actionable recommendations (block, hunt, patch, mitigate) to defensive teams.
The workflow is probably: Collect data → Conduct analysis → Disseminate proactive and actionable intelligence → Influence security decisions with data (now it’s “intel”, not just random threat data). CTI is just the intelligence lifecycle (seen below) focused on cyber threats.
If we take the first three steps of the above graphic, and apply it to purple teaming, we will get the below graphic.
CTI Categories
The image below does a great job of breaking down all of the different use cases and categories of CTI (strategic, tactical, technical, operational).
CTI is really just a lot of “Who did what to whom?”
The main problem CTI attempts to solve is “what threats matter most?” (how to prioritize). It can be useful to reflect on the following questions:
What threat actors commonly target my industry or size? (Intent)
What tactics, techniques, & procedures are used by these groups? (Capability)
What are our business-critical functions, information, and systems that we must protect? (Crown Jewels)
The team at SnapAttack also wrote a great article on threat prioritization. They identified the following items for assistance.
Industry – “Which threat actors are targeting other organizations in our industry? How have they done it?”
Region – “Which threat actors have targeted organizations in our region?”
Technology – “Are there certain technologies used by our organization that make us more of a target for certain threats?”
Motivations – “Is the actor financially motivated and looking to deploy ransomware? Or are we worried about a targeted attack, theft of IP, etc.?”
Recency – “Is this threat new and actively used? When was it last observed?”
Relevance – “How likely is this to impact our organization?”
Prevalence – “How commonly are those tactics used?”
Impact – “If it were to impact us, how bad would the damage be?”
One important note for any intelligence being reviewed is to consider biases. For example, the above post’s author works for a cybercrime intel vendor, he has reason to say that fin crime is the most common type of attack (I’m not saying he is wrong, just always be aware that biases exist in all intel products).
CTI Resources
So, where should CTI be collected? Often it’s available in:
Threat Actor Reports
DFIR / Campaign Reports
Annual Trends
Feedly, Start.me, RSS feeds
And how can we store CTI? Some people use Excel, others will use a TIP, such as:
OpenCTI
MISP
Paid - Flashpoint, ThreatConnect, Anomali, Recorded Future, Google Threat Intelligence, etc
And finally, what are trustworthy places to collect CTI from? Well, usually it is going to be vendors that profit off of intel or DFIR services, and governments.
CISA / FBI / Joint Alerts/Advisories (for US companies)
MITRE ATT&CK
DFIR Report
Palo Alto Unit 42
TrustedSec
Google T.A.G
CrowdStrike
Sophos
Huntress
Red Canary
Recorded Future
Intel 471
Zero Fox
Wiz
Example CTI Collection Scenario
Ok, now let’s go through an example CTI priority intelligence requirement (PIR). Your CISO has requested that you identify the most common methods utilized by threat actors to gain initial access.
To start, let’s consider the ATT&CK framework (TA0001) and google something along the lines of “top initial access vectors 2025.”
We come across some trend reports and advisories, and decide on these 5 resources based on vendor credibility and report details/context.
Sources:
Red Canary - Threat Detection Report 2025
IBM X-Force - Threat Intelligence Index 2024
CISA - Advisory 2022
WNE Security - Most Common attack vectors for initial access 2025
Sophos – Active Adversary Report 2025
After review, we concluded that the top initial access vectors are:
Public-Facing Vulnerability Exploitation
VPN Abuse / Brute Forcing
Phishing
Web – malvertising, fake browser updates, SEO poisoning
Valid Account/Credential Abuse
Misconfigurations
When prioritizing defensive measures to implement/improve to best prevent attacks, our organization should focus on those 6 TTPs. We should absolutely map that list back to the ATT&CK framework, and I’ll leave that for you to do ;).
My Personal Favorite Resources
To stay up to date on the latest cyber news, I subscribe to 3 different email blogs.
Risky.Biz (every 2 days) - https://news.risky.biz/
Metacurity (daily) - https://www.metacurity.com/
TLDR Infosec (daily) - https://tldr.tech/infosec
I have found that there is rarely anything I miss between these three items.
There are also some awesome CTI start.me projects that will update with the latest reports and links, such as https://start.me/p/wMrA5z/cyber-threat-intelligence. Start.me is a nice resource to track all of your bookmarks and RSS feeds.
One last free item I love is the Wiz vulnerability database. It does a great job of enriching CVEs and updates them asap. This is something orgs could use to track vulns in the products of their tech stack.
And if you have a budget, go use Feedly CTI, it does a LOT of cool stuff.
That’s all for now, part 3 will look into detection engineering and adversary emulation / breach and attack simulation.