This document discusses how offensive security tools can provide value when used in a purple team exercise approach. It describes how a purple team consists of a cyber threat intelligence team, red team to emulate adversaries, and a blue team of defenders. The process involves the intelligence team providing adversary tactics, a tabletop discussion on security controls, the red team emulating tactics, the blue team detecting them, and documenting lessons learned to improve controls. The C2 Matrix tool is introduced for collaboratively evaluating command and control frameworks, and Slingshot C2 Matrix Edition is highlighted for easily testing C2 frameworks in purple team exercises. An example purple team exercise improved detection of threats from 0% to 64% without spending on new technology.
3. T1033 – User Discovery
• Chief Technology Officer - SCYTHE
• 10 years leading offensive team @Citi
• Wrote a book when I was a system admin
• Started in Vulnerability Assessment
• Pen Test
• Red Team
• Purple Team
@JorgeOrchilles
4. Evolution of OffSec
Or how I went through this journey in the past 10+ years
https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
6. Exploitation is valuable!
However, there is much more to an attack than exploitation
“It is not all about exploitation” – Ed Skoudis 2011
MITRE has CVE and ATT&CK
• CVE is for vulnerabilities (and exploits)
• ATT&CK is for adversary behavior
• 525 Techniques and Sub-techniques
• Only 9 reference “exploit”
7. Assume Breach
Santa operates in assume breach mode
Everyone will be compromised at some point
• A patch will not be applied in time (exploited)
• A user will fall for a phishing campaign (oops)
What happens next is what matters
8. Purple Team
Full Knowledge Offensive Exercises
A Purple Team is a virtual team where the following teams work together:
• Cyber Threat Intelligence - team to research and provide adversary behavior
• Red Team - offensive team emulating adversaries
• Blue Team - the defenders: Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Providers (MSSP)
https://www.scythe.io/ptef
9. Cyber Threat Intelligence
We are not talking about Indicators of Compromise but about Adversary Behavior (TTPs)
10. Red Team
The Offensive Team
“The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal
Test, measure, and improve people, process, and technology
11. Blue Team
The defenders, tasked with identifying and responding to attacks
Log
• Relevant Events
• Locally
• Central Log Aggregator
Alert
• Severity
Respond
• Process
• People
• Automation
Detect & Respond
Prevention != Detection
12. The Flow
1. Cyber Threat Intelligence presents the adversary, TTPs, and technical details
2. Attendees have a table-top discussion of security controls and expectations for the TTPs
3. Red Team emulates the TTPs
4. Blue Team analysts follow their process to detect and respond to the TTP
5. Share screen to show whether the TTPs were identified: alerts received, logs, or any forensic artifacts
6. Document results - what worked and what did not
7. Perform any adjustments or tuning to security controls to increase visibility
8. Repeat TTPs
9. Document any feedback and/or additional Action Items for Lessons Learned
10. Repeat from step 1 for next TTPs
14. SANS Slingshot C2 Matrix Edition
• Made in collaboration with SANS and Ryan O'Grady
• Goal is to lower the learning curve of installing each C2 framework
• Gets you straight to testing C2s
• 8 C2s installed by default
• VECTR for managing/tracking exercises
https://howto.thec2matrix.com/slingshot-c2-matrix-edition
15. Provide Value - Baseline
https://vectr.io
• 6-week Purple Team Exercise
• Assumed Breach scenario
• Emulated 4 APTs
Baseline Result
Known threats have the ability to achieve their objective without being detected
16. Provide Value – End State
https://vectr.io
• $0 technology spend
• Achieved 64% detection rate
• Enabled telemetry (Sysmon)
• Created logic for alerts on SIEM
End State Result
Known threats will be detected and responded to before achieving objective
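As an added example (not from the slides, SCYTHE or VECTR), this is the kind of SIEM alert logic the end-state slide refers to, applied to the T1033 user-discovery technique named on the bio slide: a rule run over constructed Sysmon Event ID 1 (process creation) records exported as JSON lines, which flags user-discovery commands and raises severity when an Office application or script host is the parent. The image and parent lists are assumptions to tune per environment.

```python
import json
from pathlib import PureWindowsPath

# Images whose execution commonly indicates T1033 (System Owner/User Discovery);
# hypothetical starting list for this example, tune it to your environment.
USER_DISCOVERY_IMAGES = {"whoami.exe", "quser.exe", "query.exe"}
# Parents that rarely have a legitimate reason to launch discovery commands;
# a match raises severity (hypothetical list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}


def classify_event(event):
    """Return an alert dict for one Sysmon Event ID 1 record, or None if the rule does not fire."""
    if event.get("EventID") != 1:  # only process-creation events carry Image/ParentImage
        return None
    image = PureWindowsPath(event.get("Image", "")).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if image not in USER_DISCOVERY_IMAGES:
        return None
    return {
        "technique": "T1033",
        "severity": "high" if parent in SUSPICIOUS_PARENTS else "low",
        "user": event.get("User"), "image": image, "parent": parent,
        "command": event.get("CommandLine", ""),
    }


def scan_log(lines):
    """Run the rule over JSON-lines Sysmon output; malformed lines are skipped, not fatal."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log (not real telemetry): four Sysmon events plus one corrupt line.
SAMPLE_LOG = r"""
{"EventID": 1, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "whoami"}
{"EventID": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\whoami.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "whoami /all"}
{"EventID": 1, "User": "CORP\\bob", "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
{"EventID": 3, "User": "CORP\\alice", "Image": "C:\\Windows\\System32\\whoami.exe"}
{not valid json
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` yields two alerts: a low-severity one for whoami under cmd.exe and a high-severity one for whoami under WINWORD.EXE; the notepad event, the non-process-creation event and the corrupt line produce nothing.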