Arun Seelagan
23 October 2024
CISA | Cybersecurity and Infrastructure Security Agency
EVERY CLOUD HAS A PURPLE LINING
Disclaimer
CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services featured in this presentation. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply an endorsement by CISA.
Talking Points
• The Why: Purple Teaming
• The Need: Detecting Cloud Breaches
• The Process: ATT&CK & D3FEND
• The Outcome: Reducing Risk
Cybersecurity & Infrastructure Security Agency, Cyber Security Division
November 13, 2024
About CISA
Vision
Secure and Resilient Critical Infrastructure for the American people
What We Do
• Engage Stakeholders in Industry and Government
• Deliver resources to understand, manage, and reduce risk
Why Purple Team
Know the Enemy
• Emulate adversary tools, tactics, and procedures
• Gain observables
Know Yourself
• Develop and test detections, mitigations, and prevention strategies
• Identify tradecraft gaps and limitations
§ Effective Adversary Insight
Most adversaries lack originality. They reuse:
§ N-day CVEs*
§ Exploit PoCs
§ "Security audit" tools
§ Avoid Defender Complacency
Defensive measures may fall short:
§ Missing essential forensic artifacts
§ Over-tuned analytic models and SIEMs
§ Variance in EDR / MSSP performance
How We Purple Team
https://d3fend.mitre.org
The Need: Detect Cloud Breaches
§ Rapid adoption and evolution of cloud services
§ Inadequate, complex security mechanisms
§ Advantage: adversaries
2023 Case Study: Storm-0558
Techniques:
§ Unsecured Credentials: Private Keys (T1552.004)
§ Forge Web Credentials (T1606)
§ Cloud Accounts (T1078.004)
§ Application Access Token (T1550.001)
§ PowerShell (T1059.001)
§ Remote Email Collection (T1114.002)
§ Multi-hop Proxy (T1090.003)
How to detect?
Source: https[:]//www.reuters.com/technology/chinese-hackers-breached-us-commerce-chiefs-emails-blinken-warns-chinese-2023-07-13/
2024 Case Study: NOBELIUM (Midnight Blizzard)
Techniques:
§ Password Spraying (T1110.003)
§ Cloud Accounts (T1078.004)
§ Application Access Token (T1550.001)
§ Remote Email Collection (T1114.002)
§ Network Devices (T1584.008)
§ Proxy (T1090)
§ Forge Web Credentials (T1606)
Source: https[:]//www.theverge.com/2024/7/4/24192159/microsoft-midnight-blizzard-hack-targets
The Purple Team Process
ATT&CK
• Techniques
• Forensic data sources
• Detection logic
• Mitigation guidance
D3FEND
• Countermeasures
• Hardening and eviction strategies
ATT&CK Plans
• Leverage threat intelligence, case studies, and security research
• Tactics and techniques compose the red team playbook
Simulation Requirements
• Network infrastructure, user roles, apps, services, CVEs, etc.
• White-noise activity
Forensic Requirements
• Host level, network level, application level, service level, etc.
Adversary Emulation
• Red team executes the playbook
• Track all activities and indicators of compromise
Incident Response
• Blue team hunts with existing tradecraft and processes
The Purple Lining
• ATT&CK coverage analysis
• Identify D3FEND defensive actions taken/missed
• Develop detections with "perfect" forensics and full knowledge of red team activities
• Identify additional countermeasures
Cloud Breach Purple Team Case Study
ATT&CK Plans
§ Draw from threat intelligence, case studies, security research, and PoC exploits (target environment: Azure)
§ Enumerate core ATT&CK tactics and techniques
§ Supplement and sequence techniques logically
Simulation Requirements
§ Techniques inform cyber range / simulation design:
§ Network infrastructure
§ User roles and privileges
§ Applications and services
§ OS configuration and patch level
§ CVEs
§ Consider user and network "white noise" activity; it helps discern the malicious from the benign
§ Identify hardening opportunities during build-out; these become D3FEND opportunities later on
§ Hybrid cloud victim network (range diagram)
Forensic Requirements
§ Enable optimal forensic visibility
§ Cloud: AuditLog, InteractiveSignIns, NonInteractiveSignIns, AuthDetails, AzureSubscriptionActivity
§ Network: Zeek
§ Host: app logs, Sysmon, Security.evtx, disk images, memory dumps
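An added example, not from the presentation: detection logic run over constructed records shaped like the Entra ID sign-in and audit logs named above. The field names follow that schema (userPrincipalName, ipAddress, status.errorCode, operationName, initiatedBy, targetResources), but the records themselves are made up. It implements two detections the case studies call for: password spraying (T1110.003, the NOBELIUM entry point) and a credential added to an application or service principal (Additional Cloud Credentials, T1098.001, listed later under ATT&CK contributions), then sequences them the way a red team playbook would. The error code, operation names and thresholds are assumptions to verify against your own tenant's logs.

```python
"""Two cloud detections run over constructed Entra ID-style records.

Field names follow the Entra ID SignInLogs / AuditLogs schema
(userPrincipalName, ipAddress, status.errorCode, operationName,
initiatedBy, targetResources); the records are constructed for this
example and are not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Entra ID error code for "invalid username or password" (assumption:
# confirm the code your tenant logs for a wrong password).
WRONG_PASSWORD = 50126

# Audit operationName values that add a secret/certificate to an app or
# service principal (assumption: verify the exact strings in your tenant).
CREDENTIAL_ADD_OPS = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Constructed sign-ins: one source IP tries one password against twelve
# accounts and one succeeds; a separate user mistypes once, then logs in.
SIGNIN_LOGS = [
    {"time": "2024-10-01T09:00:00", "userPrincipalName": f"user{i}@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": WRONG_PASSWORD}}
    for i in range(12)
] + [
    {"time": "2024-10-01T09:01:00", "userPrincipalName": "user3@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"time": "2024-10-01T09:05:00", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": WRONG_PASSWORD}},
    {"time": "2024-10-01T09:06:00", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
]

# Constructed audit records: the sprayed account adds a secret to an app.
AUDIT_LOGS = [
    {"activityDateTime": "2024-10-01T09:10:00",
     "operationName": "Add service principal credentials",
     "initiatedBy": "user3@contoso.example",
     "targetResources": [{"displayName": "legacy-mail-sync-app"}]},
    {"activityDateTime": "2024-10-01T09:12:00", "operationName": "Update user",
     "initiatedBy": "admin@contoso.example",
     "targetResources": [{"displayName": "bob@contoso.example"}]},
]


def detect_password_spray(records, window_minutes=10, min_users=10):
    """T1110.003: one IP failing the password check against many distinct
    accounts inside a sliding window. Returns one finding per IP, with the
    accounts that later succeeded from the same IP (the spray 'hits')."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ipAddress"]].append(r)
    window = timedelta(minutes=window_minutes)
    findings = []
    for ip, recs in by_ip.items():
        failures = sorted((r for r in recs if r["status"]["errorCode"] == WRONG_PASSWORD),
                          key=lambda r: r["time"])
        best = set()
        for i, first in enumerate(failures):
            t0 = datetime.fromisoformat(first["time"])
            users = {r["userPrincipalName"] for r in failures[i:]
                     if datetime.fromisoformat(r["time"]) - t0 <= window}
            best = users if len(users) > len(best) else best
        if len(best) >= min_users:
            hits = sorted({r["userPrincipalName"] for r in recs
                           if r["status"]["errorCode"] == 0 and r["userPrincipalName"] in best})
            findings.append({"technique": "T1110.003", "ip": ip,
                             "distinct_users": len(best), "spray_hits": hits})
    return findings


def detect_new_cloud_credentials(records):
    """T1098.001: a credential added to an application or service principal."""
    return [{"technique": "T1098.001", "time": r["activityDateTime"],
             "actor": r["initiatedBy"], "target": r["targetResources"][0]["displayName"]}
            for r in records if r["operationName"] in CREDENTIAL_ADD_OPS]


def correlate_spray_to_persistence(spray_findings, cred_findings):
    """Sequence the techniques: an account that fell to the spray and then
    adds app credentials is the high-confidence chain to escalate first."""
    sprayed = {u for f in spray_findings for u in f["spray_hits"]}
    return [(c["actor"], c["target"]) for c in cred_findings if c["actor"] in sprayed]


if __name__ == "__main__":
    spray = detect_password_spray(SIGNIN_LOGS)
    creds = detect_new_cloud_credentials(AUDIT_LOGS)
    for finding in spray + creds:
        print(finding)
    print("chain:", correlate_spray_to_persistence(spray, creds))
```

The spray detector keys on distinct accounts per source IP rather than failures per account, which is what separates a spray from a lockout-bounded brute force; the correlation step is where the "white noise" from the simulation requirements earns its keep, since a lone credential addition by an admin is routine but one by an account that just fell to a spray is not.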
Adversary Emulation
§ Red team executes techniques
§ Track IOCs, C2, and activities
Incident Response
§ Blue team hunts with existing tradecraft: EDR, SIEM, network taps, IR SOPs
§ Red team activities optionally persist
§ Track findings and detection methods
The Purple Lining
§ Analyze ATT&CK coverage: blue team findings vs red team activities
§ Explore and adopt D3FEND actions for missed techniques
§ Fill gaps in detection, capabilities, skills, and processes
§ Use the red team "answer key" to illuminate defensive opportunities
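An added example, not from the presentation, of the coverage analysis the purple-lining step describes: join the red team's activity log (the "answer key") against the blue team's findings per technique, compute the coverage ratio, and emit an ATT&CK Navigator layer that colours detected techniques green and missed ones red with the proposed countermeasure in the comment. The red and blue records are constructed; the technique IDs come from the case-study slides; the gap actions and D3FEND identifiers are assumptions to check against d3fend.mitre.org before adopting.

```python
"""ATT&CK coverage analysis for a purple-team exercise, emitted as an
ATT&CK Navigator layer. All records below are constructed for the example."""
import json

# Red-team campaign log: every technique the red team actually executed
# (IDs from the case-study slides; notes are constructed).
RED_TEAM = [
    {"technique": "T1110.003", "tactic": "credential-access", "note": "spray from 203.0.113.10"},
    {"technique": "T1078.004", "tactic": "defense-evasion", "note": "logon as sprayed account"},
    {"technique": "T1098.001", "tactic": "persistence", "note": "secret added to legacy app"},
    {"technique": "T1550.001", "tactic": "lateral-movement", "note": "Graph access with app token"},
    {"technique": "T1114.002", "tactic": "collection", "note": "mailbox read via Graph"},
    {"technique": "T1562.008", "tactic": "defense-evasion", "note": "diagnostic setting removed"},
]

# Blue-team findings: what the hunt actually surfaced, and from which source.
BLUE_TEAM = [
    {"technique": "T1110.003", "source": "InteractiveSignIns"},
    {"technique": "T1078.004", "source": "InteractiveSignIns"},
    {"technique": "T1114.002", "source": "App logs"},
]

# Purple-lining proposals for misses: the log source that carries the
# artifact, plus a D3FEND countermeasure where one applies (assumption:
# check the identifiers against d3fend.mitre.org before adopting).
GAP_ACTIONS = {
    "T1098.001": "hunt AuditLog credential additions; D3-CR Credential Revoking",
    "T1550.001": "baseline NonInteractiveSignIns per app; D3-RAPA Resource Access Pattern Analysis",
    "T1562.008": "alert on AzureSubscriptionActivity diagnostic-setting deletes",
}


def analyze_coverage(red, blue):
    """Join red activity to blue findings per technique: detected or missed."""
    sources = {}
    for f in blue:
        sources.setdefault(f["technique"], []).append(f["source"])
    coverage = {}
    for r in red:
        tid = r["technique"]
        found = sources.get(tid, [])
        coverage[tid] = {
            "tactic": r["tactic"],
            "status": "detected" if found else "missed",
            "sources": found,
            "gap_action": None if found else GAP_ACTIONS.get(tid, "no countermeasure assigned"),
        }
    return coverage


def coverage_ratio(coverage):
    """Fraction of executed techniques the blue team detected."""
    if not coverage:
        return 0.0
    return sum(v["status"] == "detected" for v in coverage.values()) / len(coverage)


def navigator_layer(coverage, name="Cloud purple team coverage"):
    """Build an ATT&CK Navigator layer (layer format 4.5): detected techniques
    score 100 and render green, missed ones score 0 and render red with the
    gap action in the comment."""
    techniques = []
    for tid, v in sorted(coverage.items()):
        detected = v["status"] == "detected"
        techniques.append({
            "techniqueID": tid,
            "tactic": v["tactic"],
            "score": 100 if detected else 0,
            "color": "#2ca25f" if detected else "#de2d26",
            "comment": ("detected via " + ", ".join(v["sources"])) if detected
                       else "MISSED: " + v["gap_action"],
        })
    return {
        "name": name,
        "versions": {"attack": "15", "navigator": "5.0", "layer": "4.5"},
        "domain": "enterprise-attack",
        "description": "Red-team techniques scored by blue-team detection",
        "techniques": techniques,
        "gradient": {"colors": ["#de2d26", "#2ca25f"], "minValue": 0, "maxValue": 100},
    }


if __name__ == "__main__":
    cov = analyze_coverage(RED_TEAM, BLUE_TEAM)
    print(f"coverage: {coverage_ratio(cov):.0%}")
    for tid, v in cov.items():
        print(tid, v["status"], v["sources"] or v["gap_action"])
    print(json.dumps(navigator_layer(cov), indent=2))
```

The JSON printed at the end loads directly into the Navigator at https://mitre-attack.github.io/attack-navigator/ via Open Existing Layer; keeping the misses as explicit rows with a named gap action is what turns the coverage picture into a work list for the next iteration.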
Facilitating the Purple Team Process
Map Red Team Campaigns
• Track tools, techniques, commands, and artifacts across ATT&CK tactics
Log Blue Team Tradecraft
• Log utilized detection sources and tools
• Document preventions, detection evidence, and D3FEND actions
Analyze ATT&CK Coverage
• Visualize strengths and weaknesses
Tooling: https://vectr.io
Outcome: Federal Cloud Threat Detection
§ Identified key forensic artifacts to detect Azure/M365 exploitation
§ Promote collection of appropriate cloud logs to enable threat hunting
§ Implemented detection logic in ATT&CK-annotated detection rules
Image source: https[:]//www.cisa.gov/sites/default/files/2023-02/NCPS%20Cloud%20Interface%20RA%20Volume%20One%202021-05-14.pdf
Outcome: ATT&CK Contributions
§ Software – additional techniques used
§ dsregcmd
§ Mimikatz (S0002)
§ ROADTools (S0684)
§ Data sources – enhanced detection guidance for cloud techniques
§ Active Directory (DS0026)
§ Cloud Service (DS0025)
§ Firewall (DS0018)
§ Instance (DS0030)
§ Logon Session (DS0028)
§ User Account (DS0002)
§ Techniques, by tactic
Persistence
• Additional Cloud Credentials (T1098.001)
• Additional Cloud Roles (T1098.003)
• Device Registration (T1098.005)
• Create Cloud Account (T1136.003)
• Modify MFA (T1556.006)
Defense Evasion
• Disable or Modify Cloud Logs (T1562.008)
• Disable or Modify Cloud Firewall (T1562.007)
• Create Cloud Instance (T1578.002)
• Delete Cloud Instance (T1578.003)
• Valid Cloud Accounts (T1078.004)
Credential Access
• Steal Application Access Token (T1528)
• MFA Request Generation (T1621)
Discovery
• Cloud Service Discovery (T1526)
Lateral Movement
• Internal Spearphishing (T1534)
Collection
• Remote Email Collection (T1114.002)
• Email Forwarding Rule (T1114.003)
• Sharepoint (T1213.002)
• Data from Cloud Storage (T1530)
• Automated Collection (T1119)
Impact
• Account Access Removal (T1531)
Outcome: Secure Configuration Baselines
§ Security configuration guidance for M365, Google, and identity services
§ Configuration audit tools on GitHub
Outcome: Making Cloud Secure by Design
§ MFA by default
§ Essential logs by default
Resources
§ https://attack.mitre.org
§ https://d3fend.mitre.org
§ https://mitre-attack.github.io/attack-navigator/
§ https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/
§ https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/
§ https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
§ https://aadinternals.com/aadkillchain/
§ https://github.com/BloodHoundAD/AzureHound
§ https://github.com/dirkjanm/ROADtools
§ https://github.com/AlteredSecurity/365-Stealer
§ https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system
§ https://www.cisa.gov/known-exploited-vulnerabilities-catalog
§ https://www.cisa.gov/resources-tools/groups/cyber-safety-review-board-csrb
§ https://www.cisa.gov/resources-tools/services/secure-cloud-business-applications-scuba-project
§ https://www.cisa.gov/securebydesign
§ https://www.sandia.gov/minimega
§ https://github.com/cisagov/untitledgoosetool
§ https://vectr.io/
For more information: www.cisa.gov
Questions?