This session discusses Deloitte’s purple teaming approach which is using ATT&CK as a guiding principle to help both teams improve. This session shows how this works in a customer scenario, how to scope that scenario, how to plan the scenario and choose the various TTPs to be covered to how we assist the customers blue team in understanding the TTPs and helping them design detective capabilities for them. When the Blue Team is able to connect the dots from offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc. they have the ability to fully understand what adversaries do and what the TTP’s of attackers actually look like if they are active in their network. It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming is providing this pointy needle, used to accelerate the Blue Team.

1. Headline Verdana Bold
FROM RED vs BLUE to RED 💜💜 BLUE
MITRE ATT&CKcon
Olaf Hartong & Vincent Van Mieghem

2. 2
WTHAY?

3. 3
VINCENT VAN MIEGHEM
RED TEAM SPECIALIST
ABOUT VINCENT
• Red team operator
• Technical guy
• Focus on AV evasion
techniques
• Software engineering
background
HOBBIES
Computers et al.
Lifting when I get bored
@_vivami
github.com/vivami
vvanmieghem@deloitte.nl

4. © 2018 Deloitte LLP. All rights reserved. 4
OLAF HARTONG
SPECIALIST LEADER
BLUE TEAM
ABOUT OLAF
Olaf is technically responsible
for the Blue Team services
within Deloitte NL.
Focus on;
Incident Response, Threat
Hunting, Building SOCs and
Purple Teaming
HOBBIES
Photography, biking,
snowboarding
Background in Tele and Data
communications and Arts.
Former documentary
photographer
Dad of 2 boys
@olafhartong
github.com/olafhartong
ohartong@deloitte.nl

5. 5
OUR DEFINITION OF RED TEAMING
SIMULATING A REALISTIC ADVERSARIAL
ATTACK AGAINST YOUR ORGANIZATION
© 2017 North Korea's Korean Central News Agency

6. 6
Execute scenario ATailor scenario A
TI based Red Teaming (TIBER) approach
Threat Intelligence Tailor scenario B
1 2 3 4
Tailor scenario X
Execute scenario B
Execute scenario X
Blue team debrief Remediation plan
5

7. 7
RED TEAMING PITFALLS
CAN BE ANTAGONIZING
BLUE TEAM CAN BE TIPPED OFF
THE REPORT MIGHT NOT BE PUT TO GOOD USE
YOU’RE MERELY THERE FOR COMPLIENCE REASONS
THE BLUE TEAM LACKS THE SKILL OR KNOWLEDGE TO FOLLOW UP

8. 8
RED vs BLUE

9. 9
RED + BLUE = PURPLE, COMBINING STRENGTHS
RED TEAM
Realistic, simulated attack, following the profile of an actual threat actor to the organization.
The red team will try and achieve a number of agreed objectives without raising any detection
or response.
BLUE TEAM
Continuous monitoring of and response to indicators of attacks and compromises. To this end,
the blue team establishes and improves on detection measures in the IT infrastructure and
defines and implements specific “use cases” to monitor for.
PURPLE TEAM
Combining the red and blue team efforts in an interactive setting: by performing an attack
while the blue team is actively watching which elements are and are not detected. Afterwards,
both blue and red team improve their approach and retry.

10. 10
WE ALL SPEAK THE SAME LANGUAGE…
RED TEAM
THREAT INTELLIGENCE
BLUE TEAM
MITRE ATT&CK

11. 11
…WE ALL SPEAK ATT&CK…
Threat Intelligence Tailor the scenario
Execute the attack
scenario
Monitor within the
SIEM/SOAR/?
1 2 3 4
MITRE ATT&CK MATRIX

12. 12
…SO WE DON’T END UP LIKE THIS
© Disney, All Rights Reserved, Muppets

13. 13
TIBER STYLE PURPLE TEAMING
Gain threat intelligence on
attacks to similar
companies
Identify an attack
scenario mapped to
ATT&CK
Execute the attack
scenario
Monitor within the
SIEM/SOAR/?
1 2 3 4
Evaluate attack and
identify gaps in
detection
5
Develop additional detection
methods, request additional
logging
67
Replay the attack scenario
Exercise complete

14. 14
OPEN SKIES
WHAT TRACES DO I LEAVE?
HOW DOES A RED TEAM THINK?
CAN I ADOPT MY TTP’S TO FALL OFF THE RADAR?
FOCUS DETECTION BASED ON ATT&CK
SKILL/KNOWLEDGE BOOST FOR BOTH TEAMS

15. 15
QUESTIONS?