
dc.contributor.advisor: Køien, Geir Myrdahl
dc.contributor.author: Steshenko, Alina
dc.date.accessioned: 2023-12-08T15:29:24Z
dc.date.available: 2023-12-08T15:29:24Z
dc.date.issued: 2023
dc.identifier: no.usn:wiseflow:6861899:54976487
dc.identifier.uri: https://hdl.handle.net/11250/3106732
dc.description.abstract: This thesis examines the possibility of automating the correlation between attacks and detection in purple team exercises, aiming to enhance the efficiency of threat detection engineering. The study utilizes a hybrid research approach consisting of interviews with cybersecurity professionals and experimental investigations. The interviews reveal common challenges associated with manual correlation, especially that it is a time-consuming and tedious task, stressing the need for further exploration and innovative tooling in purple teaming and threat detection. Through experiments, it is demonstrated that the correlation process can be successfully automated. Several correlation methods are proposed based on the most common parameters identified through the interviews. Furthermore, a proof-of-concept tool is developed, and the proposed correlation methods are rigorously tested and compared in a controlled cloud environment. Notably, one approach stands out, exhibiting exceptional results in accuracy and efficiency. This promising outcome demonstrates the potential for automating the manual correlation process. It also sets a compelling path for future research and development in purple team exercises and detection engineering. The thesis highlights the significance of purple teaming as a collaborative approach in cybersecurity, promoting effective communication and cooperation between Red and Blue teams. While purple teaming has gained popularity, the limited research and tooling available emphasize the need for further exploration. This study contributes to the field by addressing the challenges of manual correlation and presenting an automated approach that shows promise for enhancing the overall efficiency of purple team exercises and threat detection engineering.
dc.language: eng
dc.publisher: University of South-Eastern Norway
dc.title: Automating Correlation Between Attacks and Detection in Purple Team Exercises
dc.type: Master thesis

