

Highlights from “Purple Teaming For All: The Path to Adversary Emulation” (feat. SCYTHE and Aquia)

Category: Informational Series





Trying to get people to redefine purple teaming in their brains because no one really knows what it is. Everyone asks me, is it a function of pen testing? Are you just doing more pen testing? And I’m like, no, we’re not pen testers. There’s an offensive portion in purple teaming, obviously. But really the goal of purple teaming is to actionably and measurably improve defenses like in real time, to move that needle with each exercise that we conduct. Not to simply put findings in a report, not to simply point out things that need to be fixed or lose them to a vulnerability management process that no one understands and 18 people are involved in, but to actually help you build new things in real time that improve your defenses across people, processes and technology. That’s all that it is. But Purple Teamers, I just want you to know, don’t have to be former Red Team.

They don’t have to be pen testers. They can come from anywhere. A Purple Teamer can be a dev, it can be a sysadmin, it can be a SOC analyst. That can be detection and response. It can be a red teamer. Literally anyone with an interest in doing that collaborative bit and who knows one piece really well and has an interest in learning the other pieces can do it. You need to know some offensive actions.

You need to know how to execute some testing. You need to know how to do some threat hunting. You need to understand how to implement CTI into what you’re doing. But as long as you have a passion and an interest to learn the pieces you don’t know, you can do the collaborating, you can bring people together, you can get them discussing on their own. And that’s where we’ve been talking that if you are starting the Red Team today and you already have that budget, where do you start? And we think purple is going to be the best place because of the collaboration you’re going to establish. Remember, Red Team’s main goal is to improve the Blue Team’s detection response. So why not work together from the get go, do some baseline.

Because if not, it’s actually going to be boring to be a Red Teamer. You’re going to try a bunch of stuff, it’s all going to work. You’re then going to have to go replay and repeat the same thing over and over and you’re not really going to improve that quick. So definitely start purple teaming now if you can. How do you kind of navigate the concept of like, we don’t have a Red Team, so should we start a Purple Team or how do we convince management to invest? Because I think some organizations have even had trouble convincing that they should do an internal Red Team. And my philosophy and my theory is that going from blue to purple actually paves the way to have an internal Red Team. It does.

Because when I was a security director, we were like, hey, for compliance reasons and all these things, you would get external Red Teams, right? Ops? And they’re like, okay, well, where are the biggest gaps that we’re seeing out of this? And can we see quicker improvement? Right? So we started with Atomic Red Team and the MITRE ATT&CK framework. And just like, hey, let’s pick like, we think we have some gaps largely in lateral movement, right? And so let’s just pick some of the techniques that we are just not sure we can detect. Right? And we have our Blue Team members. They were not like trained Red Team members, but they were interested in it and they wanted to kind of start to learn. So they started doing some of these exercises and executing these TTPs. And that helped us start to measure like, okay, here’s how we get better. Right? And that, I think, paves the way for a Red Team.

You’re really bridging that gap between the teams. And once you confirm defenses, once everything is working like it’s supposed to, because that’s a sweet place to be, and you’ve confirmed that, you can put that feedback back into the CTI side and say, okay, now that we know we’ve confirmed these things, let’s say an APT uses 20% of this. We could say, realistically, how resilient would we be against an attack from these people based on the things that we know they do? Because we’ve seen it in the wild. This is realistically how well we’d stand up. They might get in here, but we’d stop them here, here, and here well before they get to here. And now you are demonstrating the resilience of your cyber security program, which is, believe me, something your CSO is highly concerned with. That’s one of the reasons shout out here and kind of answering Chris’s question, not making Dan answer questions.

What’s a good way to track metrics of improvement here? PlexTrac is a solution for that. So it is a vulnerability management solution. You could do all your traditional items, but working with them, we’ve been able to come up with these runbooks that instead of looking at a procedure as open or closed or high, medium, low, you can actually track that as no evidence, digitally, forensically logged, responded to, alerted and responded to. Which then when you do an attack chain, you can show, look here, we had this visibility and was responded to, and it’s going to be okay if you had no visibility on one particular procedure as long as throughout that chain, you are able to catch it and respond to it. So as you do this, as your Purple Team, you keep those metrics and shout out again to PlexTrac. Right. It makes it very easy to show where we were a week ago to where we are now against those same TTPs, as well as going way deeper and doing a lot more testing.

So what I’m doing is basically learning that technology really well because you can’t defend it, you can’t break it unless you know it. You can’t defend it unless you know how to break it. And then I’m going to start designing intelligent ways for us to baseline again, always start with baselining, some proof of concept testing. We at the very least should be doing this. These configuration items should be in order. If they’re not, I can get this piece of information with this piece of information, I can further myself here. And that’s a bad place to be.

And once we get those little things freaked out, then we’re going to work on maturing it into more sophisticated customized testing. But don’t feel bad starting with automated. Don’t feel bad starting with open source. Those are great free or cheap places to start when you don’t have a budget. They’re out there. The tools are out there for you to use if you put it well. Meryl it’s like there’s always a crawl, walk, run scenario, right? And then you do get into that build versus buy conundrum for anything in security, right? So it’s important to say, hey, people’s time, our time is a valuable resource.

So you do have to always have that balance of like, what do I do and where is my time the best spent versus getting a tool in place or a platform in place to help us automate as much of this so that you can go faster, right? And then those dollars really translate into true value. We’re not just like, screw it, we’ll use whatever C2 we want and whatever module we want and whatever exploit we want. It’s like, no, if they wouldn’t do that, if we haven’t seen that they do that, you can’t do it. You are limited to these like dozen things that they are known to do really well. And that’s it. That’s all the creativity you get to work with. So it’s definitely easier as a Red Team.

Here’s your objective. Get there any way you want. You’re like, yay, great. But when they’re like, you have to only use these boxes to get there. You’re like, oh, that’s a lot harder. So that’s where the sophisticated red teamers are going to have fun. That’s where they get to do their thing and really shine.

What were the biggest hurdles you encountered while building out your purple teams? So on my side again with the history of being red, not being very nice and human like Meryl said, being very ego, our blue team did not like us because we made them look bad and we weren’t really helping. So the culture was definitely one of the biggest things of organizations working in silos and now coming together to work together. The other one was getting everyone together in the room on a particular date and time. Our first one was actually a whole week long purple team exercise. It was the first one we ran and getting everyone from their day to day, especially SOC folks. You work at 24/7 SOCs, there’s already tight schedules. Who comes making sure that their manager remove their day from them so they’re not multitasking and they can actually focus on it, being able to share and being open again.

Back to culture. Share everything, right? The red team shares their screen while they’re doing something. Then the blue team, the SOC level one, shares the SOC level two. The DFIR folks, the hunt team, we’re all there learning. It’s not just, oh, the red team is going to school us for five days now. We get a lot out of it, too. This is a community.

We’re here to help everybody succeed. And so please reach out like you’ve got plenty of resources in Atomic Red Team, MITRE Engenuity site, community threats, anything you can get your hands on will also help as well. So, Meryl, thank you so much for joining us. Good luck as you continue to progress. George, as always, it’s been a pleasure and thanks for joining us as well. And we will catch you all next time.