You’ve heard of black, white, and gray box testing? Adding to the security color spectrum, Red Teams (pen testers) working together with Blue Teams (defenders), can improve organizational security and get the most out of security assessments. This talk will discuss both general and specific concepts and techniques to improve penetration tests with coordination of internal security teams. We will discuss high level topics such as knowing what type of assessment is needed for your organization, to more detailed technical concepts such as detecting attack traffic and coordinating with red team attacks. If your internal security team isn't ready for a pentest, lets discuss steps to get your team prepared and ready to fully take advantage of full scope penetration tests. From a pentester perspective, we will discuss the types of testing that is most beneficial to your clients and how to communicate and perform testing activities in conjunction with blue teams. We will also talk about ways to assist the teams with remediation from a 3rd party point of view. What are the three key points an audience will receive: · Pen testing techniques on working with internal security · Internal security techniques for detecting attacks · Concepts on performing the best type of pen test for your customers

1. © 2015 Denim Group – All Rights Reserved
Cyber Purple Teaming: Uniting
Blue and Red Teams
Don’t forget Advanced Cyber

2. © 2015 Denim Group – All Rights Reserved
Introduction:
- Security Consultant
- Brazilian JiuJitsu practitioner
- Defender of networks
- Firewall admin
- Linux guy
- Soccer player/fan
- Windows guy
- Air Force guy

3. © 2015 Denim Group – All Rights Reserved
Points to discuss:
- Blue team preparations – Get ready defenders!
- Not ready for pentest? Get ready!
- Log all things! Educate all things!
- Red team tactics – Hack with love!
- The scope question – Hack all things!
- Social Engineering – Assess, train, assess!
- Team communication
- Wolf! Man on! Watch out!
- Putting it all together – fine tuning

4. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

5. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

6. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

7. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

8. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

9. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

10. © 2015 Denim Group – All Rights Reserved
Red Team vs Blue Team:

11. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Brace yourself

12. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Security Fundamentals

13. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Security Fundamentals
- Patch management
- Locked down DMZ firewall and servers.
- Proper segmentation
- Vulnerability scanning
- Monitoring
- Security Awareness Training (Web based CBT?)
- Skills (Be a sysadmin)

14. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Internal Assessments
- Vulnerability scanning (minimum)
- Internal pentesting (resources needed)
- System hardening / Compliance scans
- Patch management program
- VA data to patch cycle

15. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Logs, Logs and more logs
- Firewall, IPS, Servers, network devices, etc.

16. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Configure tools properly
- Malware detection, IPS, Log levels, etc
- http://hackerhurricane.blogspot.com/
- http://www.slideshare.net/Hackerhurricane/windows-
logging-cheat-sheet-v11
- Personnel resources
- Skills and training

17. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Netflow / Packet Capture
- Proper location
- Tool to view and understand the flows
- Use Cases
- Unauth traffic from/to internet
- (ftp, telnet, non-standard http(s))
- C2, Unexpected traffic
- Sensitive information unencrypted
- Unusual spikes in traffic
- Internal server access
- Internal detection of spread of malware

18. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- SIEM
- Remember Personnel requirements!
- Central Log repository
- Log correlation
- Ease of Log search

19. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- That pentest engagement is getting closer.

20. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- CISO
- Pentest is coming (black box, white box, grey box)
- Incentives (awards, gear, etc)

21. © 2015 Denim Group – All Rights Reserved
Blue team tactics
- Be Confident

22. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Defined:
- Red Team vs Penetration test?
- Scope
- Social Engineering
- Physical Testing
- Man Power used
- Collaboration needed
- Exploits / havoc wreaked

23. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Are we ready for full Red Team Assessment
- Full scope, Physical, SE, all out attack
- Nation State tactics

24. © 2015 Denim Group – All Rights Reserved
Red team tactics – Hack with love!
- Team Player Attitude

25. © 2015 Denim Group – All Rights Reserved
Red team tactics – Hack with love!
- OOOOOOOOOOOOHH Day!!!!

26. © 2015 Denim Group – All Rights Reserved
Red team tactics – Hack with love!
- OOOOOOOOOOOOHH Day!!!!

27. © 2015 Denim Group – All Rights Reserved
Red team tactics – Hack with love!
- OOOOOOOOOOOOHH Day!!!!

28. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Social Engineering
- Are employees trained? Not CBT, not 1 Lunch and Learn.
- Its no use, cant fix…
- Blue team: We have firewall, AV.

29. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Social Engineering

30. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Social Engineering – Dave Kennedy
- Destroying Education and Awareness
- https://www.youtube.com/watch?v=ldvI12lpeEI
- WebJacking in SET
- http://www.restrictedintelligence.co.uk/

31. © 2015 Denim Group – All Rights Reserved
Red team tactics
- Full Scope.

32. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- Unprepared Blue Teams
- Recommendation on Personnel
- Training of Personnel(SANS, Books, podcasts, RSS)
- Assistance with tools implementation (SIEM rules)
- Retesting and verifying (segmentation, IPS/SIEM)

33. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- All Blue Teams
- Adversary simulation (Rafa Mudge)
- http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-
becomes-a-thing/
- Malleable C2
- Nation State simulation

34. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- Testing Scenarios
- WAF
- IPS/IDS
- AV
- Malware Detection
- DLP
- More…
- What exists in your SOC:
- Monitoring TEAM
- Deployment/UpKeep/Configuration TEAM

35. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- SIEM Rules
- Idea mentioned by Kevin Johnson @ BsidesATX
- As a pentester, provide SIEM rules to blue teams
- Any vendor
- An idea, a possibility?
- Purple Team Talk by Kevin Johnson and James Jardine
- https://youtu.be/ARM2ArOw9sI

36. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- We Talked Logs/Events
- Lets Talk Flows/packet analysis
- Example from compromising a system:
- Beacon
- Setoolkit / Metasploit

37. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

38. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

39. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

40. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

41. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

42. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

43. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

44. © 2015 Denim Group – All Rights Reserved
Purple Team tactics

45. © 2015 Denim Group – All Rights Reserved
Purple Team tactics
- So what’s the point?
- Bring the education
- Work together and keep communication high
- Blue and Red have to equally contribute
- Don’t throw over the fence
- Make reports beneficial
- Remediation?

46. © 2015 Denim Group – All Rights Reserved
Comments? Questions?
Twitter: @beto_atx
Email: acampa@denimgroup.com