Live Online | Free Summit: May 24-25
Monday, May 24, 2021 - all times are listed in Eastern Daylight Time

| Time | Session | Speaker(s) | Abstract |
|---|---|---|---|
| 10:00-10:15 am | Welcome & Opening Remarks | Jorge Orchilles @jorgeorchilles, Certified Instructor, SANS Institute; Erik Van Buggenhout @ErikVaBu, Senior Instructor, SANS Institute | |
| 10:15-11:00 am | Keynote | | |
| 11:00-11:15 am | Break | | |
| 11:15-11:45 am | Designing Playbooks with Purple Team Approach | | I want to teach 3 topics in a nutshell |
| 11:50 am-12:20 pm | Purple Team War Stories | Pepijn Vissers @purpletheism, MSc, Chapter8 | In this presentation we will take viewers through some of our actual Purple Teaming Missions. They will learn the following: |
| 12:25-12:55 pm | Threat Focused Purple Team Exercises (non Active Directory Edition) | Cedric Owens @cedowens, Lead Offensive Security Engineer, Twilio | This talk will focus on some examples of threat-focused purple team exercises that red and blue teams can collaborate on, with the goal of proactively building detections and response procedures for these attack paths. In particular, it will focus on useful purple team exercise ideas for modern tech environments that have very few Windows hosts and large numbers of macOS, Linux, and cloud hosts. Far more published content focuses on Windows, so this talk aims to give offensive and defensive practitioners useful ideas and approaches for the types of environments that exist at most tech companies. By the end of this talk I hope you will be armed with practical ideas for purple team exercises that you can start executing. |
| 1:00-2:00 pm | Lunch | | |
| 2:00-2:30 pm | Purple Maturity Model | Timothy Schulz @teschulz, Adversary Emulation Lead, SCYTHE | Purple teaming is the new kid on the block, straddling the fence between red and blue teams, except this new kid doesn't know what to be when they grow up. As processes and fields mature, standards of operation become the new normal. Blue teams have the multi-level security operations center (SOC) maturity model and the hunting maturity model (HMM) to provide a clear path of capability building. Red teams have the Ethical Hacking Maturity Model and can leverage frameworks like ATT&CK and David Bianco's Pyramid of Pain to match emulation with their capability level. When it comes to purple, there is currently no such model for determining the maturity or capability level. This talk will present an approach to maturing a new purple team from scratch, allowing anyone to chart the path for an internal capability. We will use a multi-level approach to identify the skill sets, people, and processes needed to build a strong purple team. Audiences can expect to walk away with an understanding of where their organization sits in the Purple Maturity Model, and what skills their current blue and red teams can leverage to strengthen the organization's purple capabilities. |
| 2:35-3:05 pm | Purple Wars: Episode II - Attack of the Emulators | Jonas Bauters, Manager & Red Team Lead, NVISO | Has purple teaming become the new red teaming? There are a number of prerequisites you should take into account before you can perform efficient and effective (red and) purple teaming. During this presentation, Jonas will provide a simple roadmap for transitioning from traditional penetration testing to full-fledged adversary emulation, in both its red and purple flavors. After this talk, you will have a good idea of how to prepare for the purple wars that every company wants to be a part of now, and how to make sure you are ready when the adversary emulators attack. |
| 3:10-3:25 pm | Break | | |
| 3:25-3:55 pm | The Active Directory Purple Team Playbook | Mauricio Velazco @mvelazco, Threat Research, Splunk | After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility and detection strategies for AD-based attacks, and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools. |
| 4:00-4:30 pm | Don't Fear the Zero: A Test-driven Approach to Analytic Development | Tim Nary, Offensive Security Research Lead, Booz Allen Dark Labs; Fred Frey, Technical Director, Booz Allen Dark Labs | You've written a new behavioral analytic, run it against your environment, and it returned zero hits. That could mean the attack was not present in your network, or it could represent a silent failure or failures: a logic or syntax error, poor sensor coverage, or missing log/event data. In this interactive talk, you will learn how to use tools and practical methodologies to create high-quality behavioral detections using purple teams, and how adopting a collaborative, test-driven approach will increase threat detection and reduce risk to your organization. By testing your analytics against true positive attacks, you'll gain confidence in your ability to detect threats and need not "fear the zero" the next time you look at your dashboards. |
| 4:35-4:50 pm | Break | | |
| 4:50-5:20 pm | Red Versus Blue | | |
| 5:20-5:50 pm | Red Team Engagements: Training Your Blue Team to Hunt Adversaries | Madhav Bhatt @desi_jarvis, Offensive Security Engineer, Credit Karma; Brad Richardson, Offensive Security Engineer, Credit Karma | This talk focuses on how an internal Red Team can pragmatically train blue teams to hunt threat actors in the environment. It incorporates the philosophy of "train like you would fight". |
| 5:50-6:00 pm | Day 1 Wrap-Up | | |
Tuesday, May 25 - all times listed are in EST

| Time | Session | Speaker(s) | Abstract |
|---|---|---|---|
| 10:00-10:15 am | Welcome & Opening Remarks | Jorge Orchilles @jorgeorchilles, Certified Instructor, SANS Institute; Erik Van Buggenhout @ErikVaBu, Senior Instructor, SANS Institute | |
| 10:15-11:00 am | Keynote | | |
| 11:00-11:15 am | Break | | |
| 11:15-11:45 am | Look at me, I'm the Adversary now: Introduction to Adversary Emulation and its place in Security Operations | Samuel Kimmons @Valcan_K, Adversary Emulation Lead, Recon InfoSec | Adversary Emulation is quickly becoming a hot topic in information security, and there is a good reason for it. Security analysts, threat hunters, and incident responders are constantly facing an onslaught of old and new threats. How can defenders properly prepare for the ever-changing threat landscape, improve their skill set, and improve the security posture of their organization? In this presentation I'll answer those questions by covering the various forms of Adversary Emulation, where and how it fits into Security Operations and Threat Intelligence, the benefits of using it as a Blue Team training tool, and how to get started! |
| 11:50 am-12:20 pm | Purple chaos - Dos and Don'ts of the game | Prithvi Bhat @Prithvibhat90, Manager, Cyber Vigilance and Resilience, Deloitte | How to reap maximum benefits out of the capability. |
| 12:25-12:55 pm | Purple Team Feedback Loop | Michael Rogers @ANC13NT, Director - Technical Advisory Services, MOXFIVE | This talk will break down different ways blue and red teams can work together to make an effective purple team and provide stronger outcomes to the business. It will cover ways to create net-new processes as well as improve an existing process. It will also highlight common pitfalls both with and without a purple team, and the roles that the various teams play (detection, threat intel, analyst, threat hunting, penetration testing, and red teams) in an effective purple teaming exercise. All teams need a strong feedback process and/or integrated workflow for success. |
| 1:00-2:00 pm | Lunch | | |
| 2:00-2:30 pm | Gone in 66 Techniques: How MITRE ATT&CK® Evaluations Round #3 United Us as a (Purple) Team | Emrah Alpa @EmrahAlpa, Sr. Product Manager, ArcSight Global Content & Connectors, Micro Focus | In March 2020, as the Content Development team for a leading SIEM solution, we decided to take the road less travelled. The idea was simple: we would enroll in MITRE ATT&CK® Evaluations Round 3 to get an objective assessment of our "detection" capabilities in a real-world adversary emulation in the Azure cloud. The goal: detect "only" the 66 ATT&CK techniques commonly used by the financial sector's most notorious threat actors, Carbanak and FIN7. That was just the tip of the iceberg, as we would soon find out. |
| 2:35-3:05 pm | Supply Chain Purple: Simulating Supply Chain Attacks With DLL Hijacking | Mike Gualtieri @mlgualtieri, Principal Consultant, SAVIO Information Security | The SolarWinds Orion incident has once again put supply chain attacks among the top cybersecurity concerns for organizations. Supply chain attacks, where a target organization is breached through a trusted third-party system or software, are difficult to defend against, as malware may arrive and execute as part of a signed executable update to an application. Since prevention is difficult and perhaps impossible to achieve, organizations should focus instead on detection. Purple team exercises focused on unit testing potential supply chain TTPs become an effective defensive option. |
| 3:10-3:25 pm | Break | | |
| 3:25-3:55 pm | Which Came First: The Phish or the Opportunity to Defend Against It | Jamie Williams @jamieantisocial, Lead Cyber Adversarial Engineer, The MITRE Corporation; Mike Hartley @thecookiewanter, Lead Cybersecurity Engineer, The MITRE Corporation | Does a campaign start at Initial Access? Threat intelligence proves otherwise, so as defenders, can we avoid giving adversaries a head start? |
| 4:00-4:30 pm | Order Through Chaos: Data-Driven Hypothesis Creation Using Security Chaos Engineering | Cari Cistola, Director of Threat Hunting, Capital One; David Lavezzo, Director of Security Chaos Engineering, Capital One | All hunts start with a hypothesis. What takes hunting from an art to a science is the method a hunter uses to generate this "educated guess". |
| 4:35-5:05 pm | Think Red, Act Blue - Evaluating the Security Cost of New Technology | Ismael Valenzuela @aboutsecurity, Senior Instructor, SANS Institute; Douglas McKee @fulmetalpackets, Principal Engineer and Senior Security Researcher, McAfee | We are constantly purchasing and adding new software and hardware to our corporate networks, but at what risk? What is the security cost of adding these new products? It is imperative that we evaluate every piece of technology we add to our fast-growing networks; however, this task is far from trivial and requires a unique skill set that blends offensive and defensive skills. One common challenge when evaluating a product is that vendors use proprietary protocols to communicate on our networks. Naturally, these protocols are harder to understand and protect because of the lack of publicly available information. As a result, many organizations do not take the time to understand these protocols, yet sophisticated attackers are analyzing them for vulnerabilities in order to move laterally or gain a foothold in corporate networks. In this webinar, Douglas McKee and Ismael Valenzuela, using their combined 30 years of experience in cybersecurity, will walk through one small aspect of performing a product security assessment. They will show how an adversary can dissect and understand proprietary protocols on your network to find vulnerabilities or leak sensitive information. The same techniques can be used by red teamers as well as blue teamers to emulate behaviors and anticipate the adversary. We will provide insights using real data embedded in proprietary networking protocols used by vendors, and the techniques needed to break down and understand this information. |
| 5:45-6:00 pm | Day 2 Wrap-Up | | |