5. @haydnjohnson
Outline
Terminology
❏ Security in General
❏ Red Team
❏ Blue Team
What is Purple Teaming
❏ Core concept
❏ Process
❏ Togetherness
Examples of Purple Teaming
❏ NMap
❏ Mimikatz
❏ Attachment Testing
❏ Table Top
❏ BloodHound
❏ OpenDLP
15. @haydnjohnson
Terminology
Vulnerability Assessment Person - Run Vuln Scanner....hey client you suck
Penetration Tester - Metasploit / MSF PRO (FTW)...hey client you suck
Red Teaming - Phish, move laterally, find “sensitive stuff”, maybe custom implant...hey client you suck
Purple Teaming - You did all the above, but got to charge for an extra body and to tell the client how they suck in person
16. @haydnjohnson
Terminology
Red Teaming - “Red Team engagements are the full spectrum warfare of security assessments. In a red team engagement, the consultants attack the client organization using physical means, social engineering, and technological avenues.”
From: http://winterspite.com/security/phrasing/
20. @haydnjohnson
Terminology
Purple Team
❏ Working together to achieve the ultimate goal of making the organization more secure
❏ different threats & attacker mindset
❏ incident detection and response
❏ policy and procedures
❏ tuning of controls
23. @haydnjohnson
Purple Team
❏ Conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team.
❏ It isn't a "can you get access to X" exercise, it is a "train the Blue Team on X" exercise. The pentesting activities are a means to conduct realistic training.
24. @haydnjohnson
Purple Team
Primary result of the exercise is to create an intrusion event (aka get caught) to test instrumentation (host/network), validate detection processes and procedures, validate protections in place, force response procedures and post mortems.
Differs from Red Team, where the primary goal is to NOT get caught.
28. @haydnjohnson
Events / Injects
Events - generally executed by the Red Team to elicit responses from the Blue Team in specific phases, focused on the objectives of the exercise.
31. @haydnjohnson
Exercises - Teams
Exercise Control Group
Take information from other teams and make decisions to ensure the exercise is “controlled” and reaches its goals.
Diagram: IR Manager, Team Lead, VP (ECG)
32. @haydnjohnson
Exercises - Teams
Gray Team / Observers
Observe the Blue Team's reaction or non-reaction and report back to ECG.
Ongoing process
Diagram: IR Manager, Team Lead, VP (Grey Team)
37. @haydnjohnson
Exercises - Planning
“By failing to prepare, you are preparing to fail.” - Benjamin Franklin
Everything needs consideration, pros, cons and a plan!
1. Brainstorming
2. Action Items
3. Budget / Approval
38. @haydnjohnson
Exercises - Planning
Each team needs to know the end goals (except Blue)
Red Team needs to know what injects and when.
Goals:
1. To prevent confusion
2. Finalize Objectives
3. Identify if training is required
4. Decide on Use Cases
49. @haydnjohnson
Exercises - Lessons Learned
❏ What observations were made during the exercise?
❏ What went well, what didn’t
❏ Positive and negative - constructive
50. @haydnjohnson
Exercises - Lessons Learned
❏ Internally we need to prepare better
❏ Ensure findings are documented
❏ Think of more alternative tests
52. @haydnjohnson
Exercises - Lessons Learned
Collect information from everyone
Strengthen future exercises
Diagram: Exercise Control Group, Red Team, Training Audience, Observers
56. @haydnjohnson
Example 1 - Nmap
# of People Required: 1
Level of knowledge required: Little
Documentation online: Many
Time to Test: Minimal
Disruption to Business: None
57. @haydnjohnson
Example 1 - Nmap
Test if Nmap / port scans can be seen internally or externally
What do the alerts look like?
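A defender-side check to pair with this exercise: does the log pipeline actually surface a port scan? The following is an added example, not part of the deck, that runs a simple distinct-ports-per-window rule over a constructed connection log; the log format and thresholds are assumptions.

```python
"""Flag port-scan-like bursts in a connection log (constructed sample data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one connection attempt per line, fields are
# "timestamp src dst dport action", as a firewall or NetFlow export might give.
SAMPLE_LOG = """\
2017-09-01T10:00:00 10.1.1.5 10.1.2.10 22 deny
2017-09-01T10:00:00 10.1.1.5 10.1.2.10 23 deny
2017-09-01T10:00:01 10.1.1.5 10.1.2.10 80 allow
2017-09-01T10:00:01 10.1.1.5 10.1.2.10 443 allow
2017-09-01T10:00:02 10.1.1.5 10.1.2.10 445 deny
2017-09-01T10:00:02 10.1.1.5 10.1.2.10 3389 deny
2017-09-01T10:00:03 10.1.1.5 10.1.2.10 8080 deny
2017-09-01T10:00:03 10.1.1.5 10.1.2.10 8443 deny
2017-09-01T10:00:05 10.1.1.5 10.1.2.10 1433 deny
2017-09-01T10:00:05 10.1.1.5 10.1.2.10 3306 deny
2017-09-01T10:00:07 10.1.1.9 10.1.2.10 443 allow
2017-09-01T10:05:00 10.1.1.9 10.1.2.10 443 allow
"""

def parse(log_text):
    """Split each line into (timestamp, src, dst, dport, action)."""
    events = []
    for line in log_text.splitlines():
        ts, src, dst, dport, action = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return events

def find_scanners(events, window=timedelta(seconds=60), min_ports=8):
    """Return {(src, dst): ports} for every source that touched at least
    min_ports distinct ports on one destination inside a sliding window.
    Denied and allowed attempts both count: a scan probes closed ports too."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, _action in events:
        by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for pair, attempts in by_pair.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ports = {p for _, p in attempts[start:end + 1]}
            if len(ports) >= min_ports:
                hits[pair] = ports
    return hits
```

Tune `window` and `min_ports` against what the real sensor logs; a scan that only touches allowed ports never appears in deny-only logs, which is exactly the gap this exercise is meant to expose.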
64. @haydnjohnson
Example 2 - Credentials in Memory
# of People Required: 1-2
Level of knowledge required: Little
Documentation online: Many
Time to Test: Minimal
Disruption to Business: None
65. @haydnjohnson
Example 2 - Credentials in Memory
Helpdesk / Ops wants a secure way to remotely manage workstation(s).
RDP | VNC - no thanks
Want to use PowerShell Remoting because easier and ‘secure’
https://blog.netspi.com/powershell-remoting-cheatsheet/
76. @haydnjohnson
Example 3 - Malicious Attachment Testing
<Email> is great at filtering malicious emails, attachments etc.
We want to see what gets through to know what to expect
“What could get through”
77. @haydnjohnson
Example 3 - Malicious Attachment Testing
Malicious File Maker
@carnal0wnage
https://github.com/carnal0wnage/malicious_file_maker
85. @haydnjohnson
Example 3 - Malicious Attachment Testing
The goal:
❏ Confirm email attachment filtering
❏ Confirm attachments that bypass
❏ Document findings for reference
❏ Potential defenses / future steps
86. @haydnjohnson
Example 3 - Malicious Attachment Testing
Which allows us:
❏ Potential tuning to block file types
❏ Research file types for use in the wild
❏ Identification of compensating controls
88. @haydnjohnson
Example 4 - Domain Admin Paths
# of People Required: 1-2
Level of knowledge required: Enough to install the tool
Documentation online: Installation instructions
Time to Test: Minimal
Disruption to Business: Potential to pop alerts
89. @haydnjohnson
Example 4 - Domain Admin Paths
Goals:
❏ Identify Domain Admins
❏ Identify derivative admins
❏ Weakness in the chain of trust
93. @haydnjohnson
Example 4 - Domain Admin Paths
❏ Follow up on mystery account
❏ Create Ticket
❏ Does it require the access it has?
Test with a group that has less access
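The "derivative admin" chain the goals above describe (a helpdesk account that is local admin on a box where a service account is logged on, which is admin on a box where a Domain Admin is logged on, and so on) is just a path search over directory relationships. The following is an added example, not part of the deck or of BloodHound, over a constructed graph; the account, group and host names are made up, and the edge names only mirror BloodHound's vocabulary.

```python
"""Trace how an ordinary account can reach Domain Admins through group
membership, local admin rights and logged-on sessions (constructed graph).
The edge names mirror BloodHound's MemberOf / AdminTo / HasSession
relationships; the data is made up for illustration."""
from collections import deque

# Constructed sample directory: (source, relationship, target)
EDGES = [
    ("alice", "MemberOf", "Helpdesk"),
    ("Helpdesk", "AdminTo", "WS01"),
    ("svc_backup", "HasSession", "WS01"),
    ("svc_backup", "MemberOf", "Server Ops"),
    ("Server Ops", "AdminTo", "DC01"),
    ("dadmin", "HasSession", "DC01"),
    ("dadmin", "MemberOf", "Domain Admins"),
    ("bob", "MemberOf", "Sales"),
]

def build_graph(edges):
    """Adjacency list. MemberOf and AdminTo point the way rights flow; a
    HasSession edge is reversed, because an admin on the host is the one
    who ends up holding the logged-on account's credentials."""
    graph = {}
    for src, rel, dst in edges:
        if rel == "HasSession":
            src, dst = dst, src
        graph.setdefault(src, []).append((rel, dst))
    return graph

def path_to(graph, start, target="Domain Admins"):
    """Breadth-first search; returns the shortest path as a list of
    (node, relationship, node) hops, or None when target is unreachable."""
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for rel, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, rel, nxt)]))
    return None

def derivative_admins(graph, principals, target="Domain Admins"):
    """Map each principal that can reach target (directly or through a chain
    of hosts and sessions) to its path; principals with no path are omitted."""
    found = {p: path_to(graph, p, target) for p in principals}
    return {p: path for p, path in found.items() if path is not None}
```

Every hop in a returned path is a ticket candidate: a group with more local admin rights than it needs, or a privileged account leaving sessions on workstations.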
95. @haydnjohnson
Example 4 - Table Top Exercise
# of People Required: Many
Level of knowledge required: Varied
Documentation online: Yes
Time to Test: Long term
Disruption to Business: 1 day +
97. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
During
Post
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302
98. @haydnjohnson
Example 4 - Table Top Exercise
Pre Hack
$Group Threaten Company
https://www.sans.org/reading-room/whitepapers/analyst/killing-advanced-threats-tracks-intelligent-approach-attack-prevention-35302
106. @haydnjohnson
Example 5 - Lateral Movement
# of People Required: 1-2
Level of knowledge required: Ability to find network shares
Documentation online: Yes
Time to Test: Hours
Disruption to Business: Minimal
107. @haydnjohnson
Example 5 - Lateral Movement
Goals:
❏ Is there sensitive information at rest?
❏ What data could be accessed on network shares
109. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP
❏ Data Loss prevention tool
❏ Identifies sensitive data at rest on thousands of systems
❏ Not easy to install
https://github.com/ezarko/opendlp
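To make concrete what "sensitive data at rest" means for this exercise, the following is an added example, not OpenDLP's code, that walks a directory tree the way a DLP scan walks a share and flags Luhn-valid card numbers and SSN-shaped strings. The sample files are constructed in a temp directory; the file-type list and patterns are assumptions and far narrower than a real DLP ruleset.

```python
"""Scan a directory tree for card numbers and SSN-shaped strings, the kind of
data-at-rest check OpenDLP runs across shares (constructed sample files)."""
import re
import tempfile
from pathlib import Path

CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")   # 13-16 digits, spaces/dashes allowed
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")      # US SSN layout only

def luhn_ok(digits):
    """Luhn checksum, so runs of digits that are not card numbers are dropped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_text(text):
    """Return [(kind, matched_text)] for every credible hit in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(("card", m.group()))
    hits += [("ssn", m.group()) for m in SSN_RE.finditer(text)]
    return hits

def scan_tree(root, suffixes=(".txt", ".csv", ".log")):
    """Walk root; map each flagged file (relative POSIX path) to its hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="ignore"))
            if hits:
                results[path.relative_to(root).as_posix()] = hits
    return results

def make_sample_share():
    """Constructed stand-in for a file share: the first card number is the
    well-known Visa test number, the second fails Luhn on purpose."""
    root = Path(tempfile.mkdtemp())
    (root / "finance").mkdir()
    (root / "finance" / "cards.csv").write_text(
        "name,card\nJ Doe,4111 1111 1111 1111\nA Nobody,1234 5678 9012 3456\n")
    (root / "hr").mkdir()
    (root / "hr" / "notes.txt").write_text("Onboarded 123-45-6789 today.\n")
    return root
```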
110. @haydnjohnson
Example 5 - Lateral Movement
OpenDLP Video Reference
Bsides Cleveland 2017
Blue-Teamin' on a Budget [of Zero]
https://www.youtube.com/watch?v=77M0aO2F2fU
111. @haydnjohnson
Example 5 - Lateral Movement
❏ Download OVA
❏ Transfer sc.exe from XP 32bit
❏ Install browser cert
❏ Start apache
❏ Connect
112. @haydnjohnson
Example 5 - Lateral Movement
Issues with install:
❏ sc.exe 32bit
❏ Accessing web server
❏ Solution: XP
http://www.makeuseof.com/tag/download-windows-xp-for-free-and-legally-straight-from-microsoft-si/
121. @haydnjohnson
From Australia
Masters of I.T - infosec specialization
Internship @ Deloitte Australia
Graduate program @ Deloitte
Move to Deloitte Canada
Move to KPMG Canada
Move to Points
125. @haydnjohnson
Speaking / Publicity
Local Bsides Toronto
CO submission to Circle City Con
CO Submission to HackFest
BsidesLV Mentee program (Proving grounds)
CO Submission to SecTor (Chris Gates mentoring)