Purple Team Summit & Training 2021 - Live Online

Virtual, US Eastern | Mon, May 17 - Fri, May 28, 2021

Purple Team Summit

Live Online | Free Summit: May 24-25

Monday, May 24, 2021 - all times are listed in Eastern Daylight Time
10:00-10:15 am
Welcome & Opening Remarks

Jorge Orchilles @jorgeorchilles, Certified Instructor, SANS Institute

Erik Van Buggenhout @ErikVaBu, Senior Instructor, SANS Institute

10:15-11:00 am
11:00-11:15 am Break
11:15-11:45 am

Designing Playbooks with Purple Team Approach

Semanur Guneysu @semanurtg, SOC Team Lead, DESTEL Information Technologies

I want to teach 3 topics in a nutshell:

- Simulating an attack using the attack simulation lab environment (Splunk Attack Range)

- Identifying attack logs and writing relevant correlations

- How to prepare a playbook on SOAR for the determined scenario

11:50 am-12:20 pm

Purple Team War Stories

Pepijn Vissers @purpletheism, MSc, Chapter8

In this presentation we will take viewers through some of our actual Purple Teaming Missions. They will learn the following:

  • Why real-time Purple Teaming – collaborating Red and Blue teams DURING a penetration test – beats the hell out of classical Red Teaming;
  • Why “assume breach” and “train as they fight” take Purple Teaming to its full potential;
  • There is always something to learn about dragons;
    • Mission preparation, including attack surface scoping;
    • Executing the actual Mission with real-life examples and lessons learned, basically our epic fails and epic wins;
    • TTP preparation and tooling (i.e. VECTR, MITRE etc.);
    • Communication Plan between red, blue, white and client;
    • Reporting in accordance with industry standard frameworks like NIST and CIS controls;
    • How to deal with some typical reactions to Purple Teaming results;
  • Why a Security Expert Team (SET – consisting of both SOC, CISO and attackers) is a Big Win™ for organizations

12:25-12:55 pm

Threat-Focused Purple Team Exercises (Non-Active Directory Edition)

Cedric Owens @cedowens, Lead Offensive Security Engineer, Twilio

This talk will focus on some examples of threat-focused purple team exercises that red and blue teams can collaborate on, with the goal of proactively building detections and response procedures for these attack paths. In particular, this talk will focus on useful purple team exercise ideas for modern tech environments that have very few Windows hosts and large numbers of macOS, Linux, and cloud hosts. There is a lot more content available that focuses on Windows, so this talk aims to provide offensive and defensive practitioners with some useful ideas and approaches for the types of environments that exist at most tech companies. By the end of this talk I hope you will be armed with practical ideas for purple team exercises that you can start executing.

1:00-2:00 pm Lunch
2:00-2:30 pm

Purple Maturity Model

Timothy Schulz @teschulz, Adversary Emulation Lead, SCYTHE

Purple teaming is the new kid on the block, straddling the fence between red and blue teams, except this new kid doesn’t know what to be when they grow up. As processes and fields mature, standards of operation become the new normal. Blue teams have the multi-level security operations center (SOC) maturity model and hunting maturity model (HMM) to provide a clear path of capability building. Red teams have the Ethical Hacking Maturity Model and can leverage frameworks like ATT&CK and David Bianco’s Pyramid of Pain to match emulation with their capability level. When it comes to purple, there is currently no such model for determining the maturity or capability level. This talk will present an approach to maturing a new purple team from scratch, allowing anyone to chart the path for an internal capability. We will use a multi-level approach to identify the skill sets, people, and processes needed to build a strong purple team. Audiences can expect to walk away with an understanding of where their organization sits in the Purple Maturity Model, and what skills their current blue and red teams can leverage to strengthen the organization’s purple capabilities.

2:35-3:05 pm

Purple Wars: Episode II - Attack of the Emulators

Jonas Bauters, Manager & Red Team Lead, NVISO

Has purple teaming become the new red teaming? There are a number of prerequisites you should take into account before being able to perform efficient and effective (red and) purple teaming. During this presentation, Jonas will provide a simple roadmap on how to transition from traditional penetration testing to full-fledged adversary emulation, both in its red and purple flavors. After this talk, you will have a good idea on how to prepare for the purple wars that every company wants to be a part of now, and how to make sure you are ready when the adversary emulators attack.

3:10-3:25 pm Break
3:25-3:55 pm

The Active Directory Purple Team Playbook

Mauricio Velazco @mvelazco, Threat Research, Splunk

After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.

4:00-4:30 pm

Don't Fear the Zero: A Test-driven Approach to Analytic Development

Tim Nary, Offensive Security Research Lead, Booz Allen Dark Labs

Fred Frey, Technical Director, Booz Allen Dark Labs

You've written a new behavioral analytic, run it against your environment, and it returned zero hits. That could mean the attack was not present in your network, or it could represent a silent failure or failures – a logic or syntax error, poor sensor coverage, or missing log/event data. In this interactive talk, you will learn how to use tools and practical methodologies to create high-quality behavioral detections using purple teams, and how adopting a collaborative, test-driven approach will increase threat detection and reduce risk to your organization. By testing your analytics against true positive attacks, you’ll gain confidence in your ability to detect threats and need not "fear the zero" the next time you look at your dashboards.

Key Takeaways
* Understand why deploying analytics without testing them against a true positive potentially puts your organization at risk
* Learn tools and processes to integrate into your adversary detection pipeline
* Make threat intelligence actionable and red team emulations more effective
* Increase blue team success by verifying analytics against event logs from the replicated attacks
* Understand how a continuous and collaborative purple team culture can greatly improve the security posture of your organization

4:35-4:50 pm Break
4:50-5:20 pm

Red Versus Blue
Getting Blue Team value from red team testing

Tony Drake, Senior Engineer, Information Security Intelligence, Intercontinental Exchange (ICE)

Purple Team exercises have evolved from what generally started as Red Team or Pen Test exercises with frustrated Blue Teams on the other side. In this talk, I describe the problems experienced by a Blue Team in responding to Red Team and Pen Test exercises, and how to make these exercises more collaborative. This talk is aimed at those who don't have internal Red Teams, but contract out Pen Testing to external firms, and want to get close to Purple Team without having their own Red Team. I will talk about the 4 Sick SOC Syndromes, the cure for these syndromes, testing methodologies, a description of levels of attacker sophistication, and how to simulate nightmare scenarios to keep your SOC on their toes.

5:20-5:50 pm

Red Team Engagements: Training Your Blue Team to Hunt Adversaries

Madhav Bhatt @desi_jarvis, Offensive Security Engineer, Credit Karma

Brad Richardson, Offensive Security Engineer, Credit Karma

This talk focuses on how the Internal Red Team can pragmatically train blue teams to hunt threat actors in the environment. It incorporates the philosophy of “train like you would fight”.

During this presentation we will discuss how to build visual detection charts using threat intelligence incorporating MITRE ATT&CK®. Then we will demonstrate how to leverage the visual detection charts to plan and execute purple team exercises. We will also demonstrate an example of how to effectively work with SOC and other stakeholders to build high fidelity detections.

Next, we will discuss how to effectively build an adversary detection pipeline using enterprise issue & project tracking software. We will show examples of cataloging, elements of minimum detection criteria, as well as feeding priority detections into the pipeline.

Finally, we will focus on how internal red teams can conduct adversary simulation and emulation to train the Blue side to be better threat hunters. We will show how to plan and execute these engagements, as well as develop actionable reports to plug holes found during the operation.

[Target Audience]
This talk is meant for organizations that are either in the process of building a new red team program or already have a red team program in place and would like to mature it further.

5:50-6:00 pm
Day 1 Wrap-Up

Tuesday, May 25 - all times listed are in EST
10:00-10:15 am
Welcome & Opening Remarks

Jorge Orchilles @jorgeorchilles, Certified Instructor, SANS Institute

Erik Van Buggenhout @ErikVaBu, Senior Instructor, SANS Institute

10:15-11:00 am

Understanding the Effectiveness of Exploit Mitigations for Purple Teams

Stephen Sims @Steph3nSims, Fellow, SANS Institute

Exploit mitigations aim to prevent a vulnerability from being exploitable. There are well-known mitigations, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and stack canaries, but there are also less-common and less-understood mitigations that can be applied, such as Arbitrary Code Guard (ACG) and Bottom-up ASLR (BASLR). Each mitigation targets a specific bug class, exploitation technique, or dependency required by an exploit in order to work. In this presentation we will take a look at how various mitigations can work together to greatly increase the difficulty in getting an exploit to work and to bypass these protections.

11:00-11:15 am Break
11:15-11:45 am

Look at me, I'm the Adversary now: Introduction to Adversary Emulation and its place in Security Operations

Samuel Kimmons @Valcan_K

Adversary Emulation is quickly becoming a hot topic in information security, and there is a good reason for it. Security analysts, threat hunters, and incident responders are constantly facing an onslaught of old and new threats. How can defenders properly prepare for the ever-changing threat landscape, improve their skill set, and improve the security posture of their organization? In this presentation I'll answer those questions by covering: The various forms of Adversary Emulation, where/how it fits into Security Operations, Threat Intelligence, the benefits of using it as a Blue Team training tool, and how to get started!

11:50 am - 12:20 pm

Purple chaos - Dos and Don’ts of the game

Prithvi Bhat @Prithvibhat90, Manager, Cyber Vigilance and Resilience, Deloitte

This session is called purple chaos because that is how it feels when organizations wish to tread on uncharted territory. Hence, knowing where to start and what to focus on makes a lot of difference in making a capability or a program effective.

What to expect?

Tips and tricks on planning and scoping purple teaming programs and the importance of it for both small and large organizations.
It is important to know that it is not one size fits all, and scoping (prioritizing scenarios) plays a key role by taking into account the nature of your business.
The presentation will also cover preferences for building/procuring purple teaming capabilities for different organizations depending on their size and requirements.
It will also focus on reaping continuous/operational benefits for the cyber defense team by avoiding it becoming a one-off activity.

Key takeaways:
How to build/sustain purple teaming capability in small and large organizations.
How to reap maximum benefits out of the capability.
Avoiding common pitfalls.

12:25-12:55 pm

Purple Team Feedback Loop

Michael Rogers @ANC13NT, Director - Technical Advisory Services, MOXFIVE

This talk will break down different ways blue and red teams can work together to make an effective purple team and provide stronger outcomes to the business. It will cover ways to create net-new processes as well as improve an existing process. It will also highlight common pitfalls both with and without a purple team and the roles that the various teams play (detection, threat intel, analyst, threat hunting, penetration testing, and red teams) in an effective purple teaming exercise. All teams need a strong feedback process and/or integrated workflow for success.

1:00-2:00 pm Lunch
2:00-2:30 pm

Gone in 66 Techniques – How MITRE ATT&CK® Evaluations Round #3 United Us as a (Purple) Team

Emrah Alpa @EmrahAlpa, Sr. Product Manager | ArcSight Global Content & Connectors, Micro Focus

In March 2020, as the Content Development team for a leading SIEM solution, we decided to take the road less travelled. The idea was simple: we would enroll in MITRE ATT&CK® Evaluations Round 3 to get an objective assessment of our “detection” capabilities in a real-world adversary emulation in the Azure cloud. The goal: detect “only” the 66 ATT&CK techniques commonly used by the financial sector’s most notorious threat actors, Carbanak and FIN7. That was just the tip of the iceberg, as we would soon find out.

4 months, 2 teams, 250+ correlation rules and countless sleepless nights later, we understood exactly what it meant to form a blue and a red team, collectively known as our first Purple Team.

Join us in this lively session to hear first-hand the lessons learned in our journey, the pain, the glory, and everything in between. Learn how purple teaming can help you speed up your workflow, increase detection capabilities and create a “competitive” culture in your team that can be one of the most fun ways to advance personally and as a team.

PS: Right after this presentation, you may get motivated to form your 1st ever purple team. Well, you have been warned.

2:35-3:05 pm

Supply Chain Purple: Simulating Supply Chain Attacks With DLL Hijacking

Mike Gualtieri @mlgualtieri, Principal Consultant, SAVIO Information Security

The SolarWinds Orion incident has once again put supply chain attacks among the top cybersecurity concerns for organizations. Supply chain attacks – where a target organization is breached through a trusted third-party system or software – are difficult to defend against, as malware may arrive and execute as part of a signed executable update to an application. Since prevention is difficult and perhaps impossible to achieve, organizations should focus instead on detection. Purple team exercises focused on unit testing potential supply chain TTPs become an effective defensive option.

The question remains: how do we go about realistically simulating such a supply chain attack to test organizational defenses? Most organizations do not have access to a code signing certificate to prepare a realistic delivery mechanism. Instead, a Windows "feature" can be taken advantage of to inject synthetic malware inside a trusted executable: DLL hijacking.

This talk discusses how to identify applications that can be abused to employ DLL hijacking, how to craft synthetic staged malware that begins execution within a signed application, how to set up a basic – yet custom – simulated C2 channel for the controlled malware, and most importantly, how to detect all of the above.

3:10-3:25 pm Break
3:25-3:55 pm

Which Came First: The Phish or the Opportunity to Defend Against It

Jamie Williams @jamieantisocial, Lead Cyber Adversarial Engineer, The MITRE Corporation

Mike Hartley @thecookiewanter, Lead Cybersecurity Engineer, The MITRE Corporation

Does a campaign start at Initial Access? Threat intelligence proves otherwise, so as defenders can we avoid giving adversaries a head start?

In this talk we will look at emulating adversaries "left-of-exploit". We recently updated MITRE ATT&CK® for Enterprise to include behaviors adversaries use to select a target, obtain information, and launch a campaign, previously only found in a separate PRE-ATT&CK matrix. These changes allow us to better connect the ways we think about defending our networks with the behaviors adversaries perform leading up to a compromise. We will discuss how you can incorporate this broader perspective into your assessments. Specifically, we will use real examples from threat intelligence to walk through opportunities to emulate and defend against behaviors from the new Reconnaissance and Resource Development tactics of ATT&CK.

4:00-4:30 pm

Order Through Chaos: Data-Driven Hypothesis Creation Using Security Chaos Engineering

Cari Cistola, Director of Threat Hunting, Capital One

David Lavezzo, Director of Security Chaos Engineering, Capital One

All hunts start with a hypothesis. What takes hunting from an art to a science is the method a hunter uses to generate this "educated guess".

Oftentimes, we see hunters rely on intuition, experience, and a little bit of luck to find evil. These three elements can be a powerful combination. But what happens when you bring a new hunter into your organization and they haven't had time to build that intuition or experience yet? What happens when someone asks you to make your hunting process repeatable? What happens when you have more hunts to perform than you have hunters to run them?

That's where Security Chaos Engineering comes in! By baselining the detection and prevention capabilities of an organization, we can proactively identify gaps in coverage and unknown attack vectors and use that data to help inform hunters where potential problem areas may exist.

By marrying up the science of baselining with the art of hunting, we can provide robust, informed, and defensible threat hunts that maximize our chances of finding evil. In this talk, we'll walk you through a real-life example of how we can take outputs from security chaos engineering, convert them into actionable hypotheses, and apply them in a hunt operation. We'll leave you with lessons we learned from applying this methodology in our own environment, and recommendations for how to apply this methodology to your own hunts to make the process faster, more repeatable, and more likely to find evil.

4:35-5:05 pm

Think Red, Act Blue - Evaluating the Security Cost of New Technology

Ismael Valenzuela @aboutsecurity, Senior Instructor, SANS Institute

Douglas McKee @fulmetalpackets, Principal Engineer and Senior Security Researcher, McAfee

We are constantly purchasing and adding new software and hardware to our corporate networks, but at what risk? What is the security cost of adding these new products? It is imperative we evaluate every piece of technology we add to our fast-growing networks; however, this task is far from trivial and requires a unique skill set that is a blend of offensive and defensive skills.

Often, one of the challenges faced when evaluating a product is that vendors use proprietary protocols to communicate on our networks. Naturally, these protocols are harder to understand and protect due to the lack of publicly available information. As a result, many organizations do not take the time to understand these protocols, yet sophisticated attackers are analyzing these protocols for vulnerabilities in order to move laterally or gain a foothold in corporate networks.

In this webinar, Douglas McKee and Ismael Valenzuela, using their combined 30 years of experience in cybersecurity, will begin to walk through one small aspect of performing a product security assessment. They will show how an adversary can dissect and understand proprietary protocols on your network to find vulnerabilities or leak sensitive information. These same techniques can be used by red teamers as well as blue teamers, to emulate behaviors and anticipate the adversary. We will provide insights using real data embedded into proprietary networking protocols used by vendors and the techniques needed to break down and understand this information.

5:45-6:00 pm
Day 2 Wrap-Up