Organizations get penetration tests year after year, yet companies still get breached because they’re STILL missing the basics.Traditional penetration tests are failing to prepare organizations for the threats they actually face. They’ve become a commodity of compliance and box-checking. Remediation steps rarely include management objectives. General lack of excitement for Blue Team functions. Red team is sexy, but just a tool. Do you even have a JBOSS server? (Then why are you seeing alerts for it?)

1. Purple Teaming
THE COLLABORATIVE FUTURE OF PENETRATION TESTING

2. Presenter
Will Pearce
Joined FRSecure in 2014
OSCP, SWCCDC Red Team, OSCE to be.
InfoSec Crushes
◦ Raphael Mudge (@armitagehacker) – blog.Cobaltstrike.com
◦ Matt Weeks (@scriptjunkie) scriptjunkie.us

3. But Why…
•Organizations get penetration tests year after year, yet companies still get breached because
they’re STILL missing the basics.
•Traditional penetration tests are failing to prepare organizations for the threats they actually
face. They’ve become a commodity of compliance and box-checking.
•Remediation steps rarely include management objectives.
•General lack of excitement for Blue Team functions. Red team is sexy, but just a tool.
•Do you even have a JBOSS server? (Then why are you seeing alerts for it?)

4. Our Definition of Purple Teaming
Improving cyber security by leveraging red teams as representative adversaries. Using red
actions, blue teams practice detection and response against active threats.
“Putting more Offense in your Defense”
-Chris Gates

5. Different Focus
KEY WORDS
Detection
Response
Practice
ABSENT WORDS
Patch
Annual
Compliance

6. Different Focus Cont’d
Military Model (Red vs. Blue)
◦ Military Mindset: National Security
◦ Private Sector Mindset: Security for Cheap
Collaborative Security (Red + Blue)
◦ What did it look like on blue side?
◦ How did red get there?
Exercise IR Plan
◦ Find the gaps in people, technology, and processes.
◦ Detection 50%, Response 50%
Educational
◦ Consultants come on site with expertise, then leave at the end of the day taking their expertise with
them.

7. Different Focus Cont’d
Validates tools/processes.
◦ Certain people not getting alerts/responding to alerts.
Find paths of least resistance.
◦ Repeat.
Assumes a hardened network.
◦ Preparation is key. Doing some research upfront can save $$$
◦ Scope is key
Gets to the point.
◦ Remediation steps are valuable, generally structural in nature (at first)
Practice, Practice, Practice
◦ Gain confidence in IR
◦ Save $$$$

8. Time is the Commodity
CURRENT
Attack Sim.
Full Scope
Penetration Test.
Vulnerability
Assessment
FUTURE
Vulnerability
Assessment
Full Scope
Penetration Test
Attack Sim.

9. Lack of Malware
It’s not all about the malware
◦ Poison Login.bat
◦ Poison other scripts
Spot the Malware (You won’t find it)
◦ PowerShell
◦ Regsvr32
◦ Rundll32
◦ Tracker
◦ notepad

10. Scenario Based
Let’s pretend…
◦ Alice has been CryptoLockered
Results
◦ Alice has access to these shares. 3 of which Alice should not have access to.
◦ Alice is a local admin.
◦ Alice can run macros from internet.
◦ AV failed to detect.
◦ Spam filter worked but Alice moved it out of junk.
◦ Our backups are insufficient.

11. Scenario Based
Let’s pretend
◦ External terminal server has been breached, Bob logged in from Germany after several failed attempts.
Results
◦ Terminal server has access to these systems.
◦ Excessive failed attempts do not generate alerts.
◦ Bob has excessive failed attempts to login on these systems.
◦ Bob successfully logged into these systems.
◦ Bob is a local admin on random webdev system on the domain.
◦ Webdev machine has production data.

12. Scenario Based
Scenario
◦ Sourcefire is alerting on DNS beacons. Internal host communicated 2, 4, and 6 weeks ago.
Results
◦ Several internal IPs are communicating to the same address space.
◦ Traffic has matched known APT signatures.

13. Two Kinds of Customers
Those who think they have everything buttoned up.
◦ Generally get high marks on audits and assessments.
◦ False sense of security.
◦ A lack of humility costs $$$
Those who are working on maturing their processes.
◦ Do research and go beyond what audits and assessments tell them.
◦ Not necessarily assessment focused.
◦ Know they’re are not perfect, put effort in anyway.

14. Common Issues
•Tools that cannot be properly implemented AND maintained.
•Lack of network visibility, knowledge of what is on the network, or what is even supposed to be
on the network – not just devices, software too.
•Lack of real network segmentation.
•Lack of manpower and resources.
• Little knowledge of how attacks happen. Anyone alerting on PowerShell.exe?
•Lack of system hardening.
• STIG it!
•Lack of 2FA for external services.

15. Eliminate Low Hanging Fruit
•PowerUp.ps1
• Invoke-AllChecks
• Service abuse
• DLL Hijacks
• Registry checks
•PowerView.ps1
• Find-LocalAdmin
• Invoke-ShareFinder –CheckShareAccess
• Invoke-ShareFinder -CheckAdmin
•Get-GPPPassword.ps1
• MS14-025
•Responder.py –I <IP> -I <int> -wrf
•Local Administrator (Honorable Mention)

16. Put Controls Around Admin Tools
•AppLocker, Device Guard, LAPS
•Alert on the use of admin tools.
•Alert on new services.
• (netsrv.exe)
•Accounts logging into systems they shouldn’t be, at odd times.
•Turn on various Windows logging abilities that are off by default.
• Firewall Logs
• PowerShell Logs
• Object Access
• File Access

17. Vulnerabilities an Honorable Mention
Patching is a lagging defense mechanism.
◦ Vuln -> Discovery -> Patch -> Push
Vulnerabilities not a big deal anymore (Internally).
◦ Users still click on stuff.
◦ Whoami /groups
◦ Still patch diligently
Trust Materials, protect them.
◦ 2FA
◦ Remove caching of creds
◦ Remove Local Administrative access from users. Please.

18. Getting Management
Involved
BECAUSE THEY’RE MOST RESPONSIBLE FOR INFORMATION
SECURITY.

19. First and Foremost
Information Security is NOT and Information Technology function. They may sound the same, but
they’re quite different.
Information Security is NOT about saying no, it’s about finding a secure solution to a business
need.
ALL engagements go better if management willingly involves itself.
Information Security seen as cost center – there is marketing value in being secure.

20. Obligatory XKCD

21. Purple Teaming’s place in an information
security program
Information security: administrative, physical and technical controls which minimize risks
associated to the confidentiality, integrity and availability of data.
Enhances almost every facet of your program, because it places greater emphasis on the human
element.
◦ Enumerates structural issues within the network (technical)
◦ Identifies deficiencies in logging and monitoring capabilities (technical)
◦ Strengthens monitoring and response plans (administrative)
◦ Satisfies audit/vendor management requirements (administrative)

22. Communicating results (without getting
fired)
Effectively communicate outcomes prior to engagement
◦ Level with them - “Given enough time, resources and motivation, any network is susceptible to breach”
◦ Justify the cost - The reason these are so expensive is because they are so good, they will provide
capability we may never see “in the wild”.
◦ Utilize cost/benefit - We’re going to learn our weaknesses in one of two ways: the good guys will find it,
or the bad guys will. The good guys are typically cheaper.
◦ Baffle them with bullshit – We need to know if the MPLS is inherently POODLE’d when IP/TCP traverses
multiple virtual clusters. That’s what they did in Office Space.
Incorporate them in the exercise
◦ Any executive team acting as an incident response committee during a concurrent table-top exercise
derives value, sense of accomplishment and empathy for the difficulties you face. We are more
accepting of “us” mistakes than “them”.

23. Including Executives
Purple Team Exercise – The Bob goes to China
Technical team – Confirm containment and determine severity
◦ Contain the potential breach, as much as possible, ASAP
◦ Determine if a breach occurred, review audit logs (local, gateway, etc), inspect devices
Executive team – Determine appropriate action
◦ Ascertain situation based on streaming information from technical team

24. Speaking of Audit…….
Audits typically test the design and implementation of controls, it does not address the efficacy
of them. Purple teaming does
 IPS is in place
 IPS is reviewed and tuned on a regular basis
? IPS is actually detecting and correcting realistic adversarial tactics
 NMAP is run periodically to enumerate open ports
 Results are reviewed by network admin, unnecessary ports closed
? The ports left open are risk free?

25. Contact
Questions?
Will Pearce: wpearce@frsecure.com
Ryan Elmer: relmer@frsecure.com