Purple Teaming is the idea of using a Red Team exercise with clear training objectives for the Blue Team.
Great exercises should not just be focused on testing a product, they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one and what does it look like?
In this talk we will explain what, why and how, to plan an effective purple team exercise and give some examples. Most enterprise networks are Windows heavy so examples will heavily lean on this.
Testing Assumptions, gaps, blind spots is what being proactive is all about. This talk is both for the console folks and non-console folks.
Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.
https://www.scythe.io/library/threatthursday-apt33
As attacker tactics, techniques and procedures evolve, so must the defenses and strategy used to defend against them. Traditional red teaming presents an opportunity to find gaps in security, but leaves more valuable information unabsorbed. Results and methodologies used in red team assessments can drive protections in place use by blue teams and a larger program and vice versa.
(Source: RSA USA 2016-San Francisco)
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
Purple Team exercises are an efficient and effective method of adversary emulation leading to the training and improvement of people, process, and technology. Red Teams and Blue Teams work together in a live production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack the target organization provided by Cyber Threat Intelligence. Purple Team exercises are ‘hands on keyboard’ exercises where Red and Blue teams work together with an open discussion about each attack procedure and how to detect and alert against it.
Purple Team Exercise Framework #PTEF: https://www.scythe.io/ptef
Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
#ThreatThursday: https://www.scythe.io/threatthursday
#C2Matrix: https://thec2matrix.com/
Atomic Purple Team: https://github.com/DefensiveOrigins/AtomicPurpleTeam
SCYTHE Playbooks: https://github.com/scythe-io/community-threats
#ThreatHunting Playbooks: https://threathunterplaybook.com/introduction.html
VECTR: https://vectr.io/
Unicon: https://www.scythe.io/unicon2020
Lately, monolithic applications have been replaced by more complex and evolving micro-service oriented architecture. Moreover, with the rise of CI/CD, DevOps, and agile SDLC, the need for building security as a core line of business has become an indispensable requirement. Within this framework, the traditional security evaluation approach, or the new secure DevOps approach implemented using small security teams (blue team, red team, DevOps security team, etc.) present both limitations and advantages. Specifically, the checkpoint approach slows down deployments, and not all types of security assessments can be automated in CI/CD. In this presentation, I suggest that a purple team strategy is the best way to weave security across business units in an organization. Purple teams are security teams that consolidate the defensive security controls prominently learnt from blue teams with the vulnerabilities and exploitation techniques utilized by red teams, into a single score. A purple team approach can break artificial boundaries and transform security from a checkpoint to a semi-mystical function. Successful collaboration between purple team members and developers/devOps engineers will bridge the operational gap between implementation and verification of defensive controls, while using exploitation techniques will reduce the issue identification and remediation time significantly. Adopting a purple team approach can also break the negative stereotype associated with security professionals and security testing. In this talk, the audience will learn the traits and methodology of purple teams and how they are used to influence security among various groups, while augmenting the effectiveness and influence of application security programs.
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
Join Jorge Orchilles and Phil Wainwright as they cover how to show value during Red and Purple Team exercises with a free platform, VECTR. VECTR is included in SANS Slingshot C2 Matrix Edition so you can follow along the presentation and live demos.
VECTR is a free platform for planning and tracking of your red and purple team exercises and alignment to blue team detection and prevention capabilities across different attack scenarios. VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain or ATT&CK tactics, from initial access to privilege escalation and lateral movement and so on, or can be a narrow in scope to focus on specific defensive controls, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection, prevention & response capabilities across cloud and on-premise environments.
Common use cases for VECTR are measuring your defenses over time against the MITRE ATT&CK framework, creating custom red team scenarios and adversary emulation plans, and assisting with toolset evaluations. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to help organizations level up and promote a platform that encourages community sharing of CTI that is useful for red teamers, blue teamers, threat intel teams, security engineering, any number of other cyber roles, and helps management show increasing maturity in their programs and justification of whats working, whats not, and where additional investment might be needed in tools and team members to bring it all together.
Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.
https://www.scythe.io/library/threatthursday-apt33
As attacker tactics, techniques and procedures evolve, so must the defenses and strategy used to defend against them. Traditional red teaming presents an opportunity to find gaps in security, but leaves more valuable information unabsorbed. Results and methodologies used in red team assessments can drive protections in place use by blue teams and a larger program and vice versa.
(Source: RSA USA 2016-San Francisco)
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
Purple Team exercises are an efficient and effective method of adversary emulation leading to the training and improvement of people, process, and technology. Red Teams and Blue Teams work together in a live production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack the target organization provided by Cyber Threat Intelligence. Purple Team exercises are ‘hands on keyboard’ exercises where Red and Blue teams work together with an open discussion about each attack procedure and how to detect and alert against it.
Purple Team Exercise Framework #PTEF: https://www.scythe.io/ptef
Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
#ThreatThursday: https://www.scythe.io/threatthursday
#C2Matrix: https://thec2matrix.com/
Atomic Purple Team: https://github.com/DefensiveOrigins/AtomicPurpleTeam
SCYTHE Playbooks: https://github.com/scythe-io/community-threats
#ThreatHunting Playbooks: https://threathunterplaybook.com/introduction.html
VECTR: https://vectr.io/
Unicon: https://www.scythe.io/unicon2020
Lately, monolithic applications have been replaced by more complex and evolving micro-service oriented architecture. Moreover, with the rise of CI/CD, DevOps, and agile SDLC, the need for building security as a core line of business has become an indispensable requirement. Within this framework, the traditional security evaluation approach, or the new secure DevOps approach implemented using small security teams (blue team, red team, DevOps security team, etc.) present both limitations and advantages. Specifically, the checkpoint approach slows down deployments, and not all types of security assessments can be automated in CI/CD. In this presentation, I suggest that a purple team strategy is the best way to weave security across business units in an organization. Purple teams are security teams that consolidate the defensive security controls prominently learnt from blue teams with the vulnerabilities and exploitation techniques utilized by red teams, into a single score. A purple team approach can break artificial boundaries and transform security from a checkpoint to a semi-mystical function. Successful collaboration between purple team members and developers/devOps engineers will bridge the operational gap between implementation and verification of defensive controls, while using exploitation techniques will reduce the issue identification and remediation time significantly. Adopting a purple team approach can also break the negative stereotype associated with security professionals and security testing. In this talk, the audience will learn the traits and methodology of purple teams and how they are used to influence security among various groups, while augmenting the effectiveness and influence of application security programs.
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
Join Jorge Orchilles and Phil Wainwright as they cover how to show value during Red and Purple Team exercises with a free platform, VECTR. VECTR is included in SANS Slingshot C2 Matrix Edition so you can follow along the presentation and live demos.
VECTR is a free platform for planning and tracking of your red and purple team exercises and alignment to blue team detection and prevention capabilities across different attack scenarios. VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain or ATT&CK tactics, from initial access to privilege escalation and lateral movement and so on, or can be a narrow in scope to focus on specific defensive controls, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection, prevention & response capabilities across cloud and on-premise environments.
Common use cases for VECTR are measuring your defenses over time against the MITRE ATT&CK framework, creating custom red team scenarios and adversary emulation plans, and assisting with toolset evaluations. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to help organizations level up and promote a platform that encourages community sharing of CTI that is useful for red teamers, blue teamers, threat intel teams, security engineering, any number of other cyber roles, and helps management show increasing maturity in their programs and justification of whats working, whats not, and where additional investment might be needed in tools and team members to bring it all together.
Everyone has heard of Purple Team by now, but how many have been able to quantify the value? In this talk, we cover all the roles of a Purple Team: Cyber Threat Intelligence, Red Team, Blue Team, and Exercise Coordination. We were asked to emulate various adversaries, with an increasing order of sophistication, while implementing defenses for the adversary TTPs. We were also asked to not spend any money on new technology. Instead, we had to tune the current security controls. See the results!
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
Presented at the inaugural SANS Purple Team Summit & Training event, this presentation covers performing a high value adversary emulation exercise in a purple team fashion (red and blue team sitting together throughout the entire engagement).
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
Presentation at DEF CON Red Team Village - Mayhem Virtual Summit 2020
Adversary Emulation - Red Team emulating APT19 with Empire3 and Starkiller
Connect:
https://twitter.com/jorgeorchilles
https://twitter.com/c2_matrix
References:
https://mitre-attack.github.io/attack-navigator/enterprise/
https://attack.mitre.org/groups/G0073/
https://www.thec2matrix.com/
https://howto.thec2matrix.com/slingshot-c2-matrix-edition
https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
https://vectr.io/
https://www.scythe.io/
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
Keynote de 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
La presentacion es una combinacion de mis presentaciones de Blackhat 2020 Arsenal - C2 Matrix y DEF CON Red Team Village de Adversary Emulation.
https://twitter.com/jorgeorchilles
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.
From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors.
In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
Red team and blue team in ethical hackingVikram Khanna
Red team blue team work on two approaches, one attacks it while blue team defends it. View this presentation now to understand what is red team and blue team and its importance in ethical hacking!
Happy learning!!
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
EC-Council, a globally recognized cybersecurity credentialing body, offers the Certified Ethical Hacker (CEH) and Certified Penetration Testing Professional (CPENT) certifications to help you acquire the skills you need to be a part of Red and Blue Teams. CEH is the most desired cybersecurity training program, upping your ethical hacking skills to the next level. CPENT takes off from where CEH leaves off, giving you a real-world, hands-on penetration testing experience.
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
This is the slide deck from a presention for SecTor 2016.
I spoke with Chris Gates @carnal0wnage.
The outline is:
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
Everyone has heard of Purple Team by now, but how many have been able to quantify the value? In this talk, we cover all the roles of a Purple Team: Cyber Threat Intelligence, Red Team, Blue Team, and Exercise Coordination. We were asked to emulate various adversaries, with an increasing order of sophistication, while implementing defenses for the adversary TTPs. We were also asked to not spend any money on new technology. Instead, we had to tune the current security controls. See the results!
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
Presented at the inaugural SANS Purple Team Summit & Training event, this presentation covers performing a high value adversary emulation exercise in a purple team fashion (red and blue team sitting together throughout the entire engagement).
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
Presentation at DEF CON Red Team Village - Mayhem Virtual Summit 2020
Adversary Emulation - Red Team emulating APT19 with Empire3 and Starkiller
Connect:
https://twitter.com/jorgeorchilles
https://twitter.com/c2_matrix
References:
https://mitre-attack.github.io/attack-navigator/enterprise/
https://attack.mitre.org/groups/G0073/
https://www.thec2matrix.com/
https://howto.thec2matrix.com/slingshot-c2-matrix-edition
https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
https://vectr.io/
https://www.scythe.io/
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE - ATT&CKcon
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypothesis, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, there are only a few that are focusing primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
Keynote de 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
La presentacion es una combinacion de mis presentaciones de Blackhat 2020 Arsenal - C2 Matrix y DEF CON Red Team Village de Adversary Emulation.
https://twitter.com/jorgeorchilles
Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status QuoKatie Nickels
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
Presented at the DEFCON27 Red Team Offensive Village on 8/10/19.
From the dawn of technology, adversaries have been present. They have ranged from criminal actors and curious children to - more modernly - nation states and organized crime. As an industry, we started to see value in emulating bad actors and thus the penetration test was born. As time passes, these engagements become less about assessing the true security of the target organization and more about emulating other penetration testers. Furthermore, these tests have evolved into a compliance staple that results in little improvement and increasingly worse emulation of bad actors.
In this presentation, we will provide a framework complementary to the Penetration Testing Execution Standard (PTES). This complementary work, the Red Team Framework (RTF), focuses on the objectives and scoping of adversarial emulation with increased focus on the perspective of the business, their threat models, and business models. The RTF borrows part of the PTES, adding emphasis on detection capabilities as well as purple team engagements. We believe this approach will better assist organizations and their defensive assets in understanding threats and building relevant detections.
Red team and blue team in ethical hackingVikram Khanna
Red team blue team work on two approaches, one attacks it while blue team defends it. View this presentation now to understand what is red team and blue team and its importance in ethical hacking!
Happy learning!!
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
From ATT&CKcon 3.0
By Ismael Valenzuela and Jose Luis Sanchez Martinez, Trellix
The Trellix team believes that creating and sharing compelling stories about cyber threats -with ATT&CK- is a powerful way for raising awareness and enabling actionability against cyber threats.
In this talk the team will share their experiences leveraging ATT&CK to disseminate Threat knowledge to different audiences (Software Development teams, Managers, Threat detection engineers, Threat hunters, Cyber Threat Analysts, Support Engineers, upper management, etc.).
They will show concrete examples and representations created with ATT&CK to describe the threats at different levels, including: 1) an Attack Path graph that shows the overall flow of the attack; 2) Tactic-specific TTP summary tables and graphs; 3) very detailed, step-by-step description of the attacker's behaviors.
Delivered 1 - day Practical Threat Hunting workshop at sacon.io in Bangalore,India balancing on developing the threat hunting program in organization, how and where to start from as well threat hunting demos as it would look on the ground with hands on labs for 100+ participants.
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
EC-Council, a globally recognized cybersecurity credentialing body, offers the Certified Ethical Hacker (CEH) and Certified Penetration Testing Professional (CPENT) certifications to help you acquire the skills you need to be a part of Red and Blue Teams. CEH is the most desired cybersecurity training program, upping your ethical hacking skills to the next level. CPENT takes off from where CEH leaves off, giving you a real-world, hands-on penetration testing experience.
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector...Chris Gates
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
This is the slide deck from a presention for SecTor 2016.
I spoke with Chris Gates @carnal0wnage.
The outline is:
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
Faster! Faster! Accelerate your business with blazing prototypesOSCON Byrum
Bring your ideas to life! Convince your boss to that open source development is faster and cheaper than the "safe" COTS solution they probably hate anyway. Let's investigate ways to get real-life, functional prototypes up with blazing speed. We'll look at and compare tools for truly rapid development including Python, Django, Flask, PHP, Amazon EC2 and Heroku.
The recent trend of using Attack and Defense Together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope to benefit those on the Attack side (red team), Defensive (blue team) and mixing the two.
The recent trend of using Attack and Defense Together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope to benefit those on the Attack side (red team), Defensive (blue team) and mixing the two.
This talk was presented at BSidesLV 2016. It covered the trend of Automating Penetration Testing. We will delve into what this means for skilled penetration testers / exploit developers and the probable outcome of bigger and more breaches.
Operational Security (OPSEC) is one of the most important aspects to consider in Adversary Simulations (usually called "Red Teaming"). When talking about OPSEC, it is common to think around matters like AV/EDR evasion, avoiding "noises" or using builtin/legitimate tools whenever is possible. In fact, the scope of the term OPSEC is usually wider than that.
OPSEC usually refers to the identification and protection of data that could be useful for an adversary. In Adversary Simulations, the adversary is the organisation's security team (Blue Team) and the goal is to improve their detection capabilities. This is why the maturity of an organisation should dictate the complexity required to carry out these operations, so that the objectives are met with the minimum effort, as it would do an attacker in real life.
For example, for experienced Blue Teams, the mere fact of using legitimate tools such as net.exe (e.g. “net users /domain”) or powershell.exe could be a reason for the whole operation to be discovered, whereas in other organisations or situations these same actions could remain completely unnoticed.
In this presentation we will discuss how you should review and understand your own toolset and procedures in order to gain OPSEC. We will comprehend how to deal with trade-offs, and why understanding your adversary is key in that matter. In addition, sources of detection (disk, memory, network...) and resources commonly employed by defenders (events, hooks, callbacks...) will be explained visually and practically to help you building and improving your operations.
Understanding and Hiding your Operations’ goal is to be a resource for comprehending the meaning of OPSEC and creating awareness in your operations, so as you can successfully face – and improve – experienced security teams and their detection capabilities.
Going Purple : From full time breaker to part time fixer: 1 year later Chris Gates
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets; Red, Blue, and Purple and the talk will hopefully bring value to anyone working in their respective bucket or assist in their creation/continuing of purple teaming at their company.
The Invisible Traceback: blockers that make potential contributors drop out (and how to fix them) - originally presented at the 2009 Ontario Linux Festival.
Abstract:
Unix Philosophy #12, Rule of Repair: "When you must fail, fail noisily and as soon as possible." This applies to both code and culture; when someone gets stuck and hollers for help, they are helping their community find and fix a participation process bug. However, the new contributor on-ramp pipeline is particularly tricky to debug; potential participants often struggle in silence, giving you no indication of their presence, let alone why they were unable to begin working with your project community. We'll go over some common blockers that quietly prevent students (and other new contributors) from beginning to participate in open source, and how to fix them no matter who you are.
Beginners enthusiastically welcomed - this talk is for everyone who's ever wanted to contribute to open source as well as everyone who's ever wanted to help someone else get started. It took me over 6 years of banging my head against a solitary wall to figure out how to contribute back to open source (and it's been worth it); here's how to figure out (or help someone figure out) the same thing in 99.999% less time.
--> What is Hardware Hacking ?
--> How and Where to get started ?
--> What is Best Arduino or Rasberry Pie ?
--> Make a Simple Project with Arduino.
--> Programming With Arduino IDE.
--> Intro to Building The Internet of Things.
--> Creating an IOT Solution.
Now Let's Take an Update of Computer Security:
--> Getting Aware of HID Attacks and Defence Against It.
Finally we will have Good Understanding of How Hardware Works with Programming.
Introduction to Just in Time Access - BrightTalkHaydn Johnson
Ensuring users have access to only the resources they need, aka least privilege is great. But have you considered granting users only needed access?
This talk will introduce the concept of granting ‘Just-in-Time Access’. Securing an endpoint is more than patching and vulnerability management. Granting access to who, when and what also secures an endpoint. Only when a user needs to connect to a system, can access be granted. Ports such as SSH do not need to be open for the world to connect and probe. Database credentials do not need to last forever.
This approach limits the damage that can be caused by an account -- privileged or otherwise -- by reducing the amount of time an attacker has to gain access to the account, as well as the time they have to move from a compromised account before losing access.
The short explanation for Just-in-Time Access is providing short-term access in real time. It is a relatively new term in the industry and is another way to practice the least privileged best practice.
Key Takeaways:
• The benefits to Just-in-Time access for security and operations
o Improved visibility
o Minimize damage from compromised accounts
o Operational efficiency
• How SSH can be replaced with AWS SSM sessions
o Direct SSH replacement
o SSH reverse proxy
• How Just in Time Access for database credentials can help
o Example: Hashicorp Vault
o Example: Akeyless
• Resources for learning more
Communication to the business is very different to exploitation. This talk helps bridge the gap between a finding and a business risk.
Presented at HackFest 2018
Human(e) Security in a World of Business 2018Haydn Johnson
Relationship Building in Security is extremely important.
Understand where I came from, where I am at, struggles I had and things I found work to help improve the security Posture of my organizaiton.
Phishing for clicks is like the VA portion of a Pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly, once you learn about command and control.
Everyone knows in theory what phishing is, what phishing emails looks like, they even may even theoretically know how it all works.
What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish.
This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network.
We will go through:
Choosing and setting up a Phishing Framework
Cloning a site
Testing delivery and bypassing Spam filters with a payload (Click Once)
Testing different user interactions for executing payloads
Learning different payloads for command and control
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pin point attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
This was part of a 3 hour talk for students at a local college. Introductipn to post exploitation with PowerShell Empire. Feel free to use and learn from.
This report is to explain some key commands within Meterpreter that allow you to have some sort of situational awareness. That is, how to gain more insight into system information, the user you currently are and what processes are running among other things.
This blog gives a step by step guide to creating persistence with
PowerSploit. A reverse shell will be sent to the attacker when a victim logs into their machine.
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
2. @haydnjohnson
Haydn Johnson
◈ Security Consultant - Researcher
◈ @haydnjohnson
◈ Talks: BsidesTO, Circle City Con, HackFest, SecTor
◈ Offsec, Purple Team, Gym??
◈ http://www.slideshare.net/HaydnJohnson
Australian living in Canada
18. @haydnjohnson
Purple Team
Working together to achieve the ultimate goal of
making the organization more secure
◈different threats & attacker mindset
◈incident detection and response
◈policy and procedures
◈tuning of controls
Benefits
21. @haydnjohnson
Red Team Origin
We (Red Team) f*cked up so badly.
We had to create a term to remind you (Blue
Team), that we are there to help you….
Not just beat you up.
23. @haydnjohnson
“capabilities evolved and they turned into a force
tasked with challenging the security posture of
military bases..”
http://redteams.net/blog/2013/what-is-a-red-team
RedTeams.net - Definition
24. @haydnjohnson
“A key aspect of the red team operations today is
the adversarial way of thinking, the “Red Team
Mindset”. Red team members think outside the
box…”
http://redteams.net/blog/2013/what-is-a-red-team
https://blog.cobaltstrike.com/2015/04/29/2015s-red-team-tradecraft/
RedTeams.net - Defnition
25. @haydnjohnson
I Love Purple Team:
Collaboration.
https://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
31. @haydnjohnson
Event / Injects
Events - generally executed by the Red Team to
elicit responses from the Blue Team in specific
phases, focused on the objectives of the exercise.
Cyber Exercises
Terms
65. @haydnjohnson
Purple Team it
What do you have
Is your security budget YUUGE?
Do you have threat hunting? It’s the best.
Do you have a blinky box! Sad!
73. @haydnjohnson
Purple Team It
Start with the Basics
Example:
Detecting Port Scanning
https://www.safaribooksonline.com/library/view/snort-cookbook/0596007914/ch04s06.html
98. @haydnjohnson
Purple Team
Ideas
People Process Technology
Skillset
Mean time to
detection
Use of Tools
Attacker mindset
Paperwork
Reporting
Escalation
Firewall
Anti Virus
Whitelisting
TTP Pyramid of pain
101. @haydnjohnson @carnal0wnage
Story Time
Receive call “Check this IP address”
$secretpoliceinvestigation
IP address seen - Investigators go to meeting + lunch
2 hours later, identify data exfil
Sh*t hits fan
Log into FTP server to delete data
Execute processes
Alerts triggered purposely
107. @haydnjohnson @carnal0wnage
Story Time
Create defined and clear process for hierarchy
Training on hacking back - DON’T
Budget for prioritized upgrade of Lab
Shift style lunches
Solutions