Introduction
The TIBER-EU Purple Teaming Best Practices describe purple teaming: a collaborative testing activity that involves both the offensive attacker team (red team) and the defensive operator team (blue team) within a TIBER-EU test. It aims to complement a TIBER-EU test in specific situations, such as when a test could impact the production system, or to reap further benefits when closing a TIBER-EU test.
The TIBER-EU Purple Teaming Best Practices complement the Threat Intelligence-based Ethical Red Teaming (TIBER-EU) Framework, which enables European and national authorities to work with financial infrastructures and institutions to put in place a programme for controlled, bespoke tests that are based on realistic and genuine cyber threats. These tests, conducted on entities’ critical live production systems, mimic the tactics, techniques and procedures of real-life threat actors with a view to improving the entities’ resilience against sophisticated cyberattacks.
Conducting tests on live production systems underpinning critical functions contains an inherent element of risk of disruption, such as denial-of-service, unexpected system crash, damage to critical live production systems, or the loss, modification or disclosure of sensitive data. Every effort is therefore made to minimise these risks and to ensure that these tests are conducted in a controlled manner. For this reason, the TIBER-EU Framework requires the White Team to conduct a risk assessment prior to the test and to put in place active and robust risk management controls, as well as monitor and adjust these controls as needed during the testing process.
These best practices for purple teaming are derived from the experience gained from numerous tests conducted under the TIBER-EU process across several jurisdictions. These insights strongly indicate the need to recognise where purple teaming could be performed in the TIBER-EU process.
These best practices provide information about purple teaming in the context of the TIBER-EU Framework and can be used on a voluntary basis; they serve as guidance only and are not intended to address the specific circumstances of any particular individual or entity. They do not constitute professional or legal advice.
Purpose of this document
This document provides guidance on how purple teaming might be used in the testing and closure phases of a test conducted under the TIBER-EU process. It sets out to define what purple teaming is, together with its main principles, use cases and its potential types.
Target audience
These best practices are mainly intended to provide guidance to national TIBER Cyber Teams (TCTs), threat-intelligence (TI) and red-team (RT) providers and entities that are undergoing or planning to undergo TIBER tests, although they may also have a broader audience.