Purple Team - Offensive and Defensive collaborative simulation
AdamQuesi
23 slides
Aug 08, 2024
About This Presentation
Bridging the Gap Between Red and Blue Teams. Purple Team operations are not penetration tests. They are
not meant to deliver a list of vulnerabilities in a specific
application or service.
Instead, they are meant to better understand our
organization’s ability to detect and respond to real-world attacks.
Size: 2.04 MB
Language: en
Slide Content
Purple Teaming
1 @Qwesi_RED
Bridging the Gap Between Red and Blue Teams
TALK BY: ADAM NURUDINI
About Me
● Offensive Sec. Consultant @ Sekuro (Australia)
● Co-Founder @NetwatchTechnologies
● Security Consultant @ ISA Ghana
● Core Member @ Africa Hackon Ghana
● Previous Experience
○ Head of SOC @ CBG
● My interests
○ Application & Infrastructure Security
○ Code Review & Code Assisted Pentest
○ Adversary Emulation
○ Security Operations (Engineering)
● Certifications
○ EWPTX, PNPT, CCNA, CCNP, CASP, CRTP, CEH, ISO27001, ISO27032 etc.
Agenda
1. Purple Teaming Overview
2. Blue vs Red
3. Why Purple Teaming
4. Goals of Purple Teaming
5. Purple Teaming Workflow
6. Table-Top Exercise with Demo
7. Final Words
Disclaimer
The opinions expressed in this presentation and in any corresponding comments are the personal opinions of the original authors, not those of my employer.
Your Full Attention: Presentation About Purple Teaming, Hands-on Demo and memes
Background: BLUE vs RED
Purple Teaming
Core Functions of Red and Blue Teams
Red Team
Role: Offensive Security
Objective: To simulate real-world attacks to identify and exploit vulnerabilities in an organization's systems and defenses.
Blue Team
Role: Defensive Security
Objective: To protect the organization's assets by detecting, preventing, and responding to cybersecurity incidents.
Challenges: BLUE vs RED as they work in isolation
Purple Teaming
Blue Team vs Red Team
• Misaligned goals
• Focus on exploitation
• Missed detection opportunities
Purple Teaming
Purple Teaming
Purple Teaming IS NOT a team, but a mindset
Moving Red/Blue from adversary to ally
Align under one goal: secure the organization
Planning + collaboration = efficient and effective evaluations
If anything, it is a “team of teams”
Purple Teaming
Why is Purple Teaming Important?
Purple Team operations are not penetration tests. They are not meant to deliver a list of vulnerabilities in a specific application or service.
Instead, they are meant to better understand our organization’s ability to detect and respond to real-world attacks.
● Knowing your enemy is good
○ Defensive knowledge makes you a better attacker
○ Attacking knowledge makes you a better defender
● Knowing your ally is even better
○ Improve collaboration across teams
○ Technical, procedural, etc.
Purple Teaming
Goals
At a high level, the goals of an operation generally fall into one of the following categories:
1. To gauge the effectiveness of existing defensive capabilities (Is our SIEM capable of detecting a compromised admin account?)
2. To practice and refine our procedures for responding to a breach (Do our runbooks make sense? Can anything be automated?)
3. To understand our ability to detect and respond to a specific type of threat (What would happen if we were targeted by a ransomware operator?)
Workflow 1 – Attack Planning
Purple Teaming
Brainstorming: Propose and discuss an initial idea.
Tools: Vectr, a free, closed-source Purple Team planning and reporting tool.
The idea might be inspired by:
1. Threat intelligence
2. New systems
3. Detection capabilities
4. Some other hypothesis requiring validation (blue team skills testing, or the effectiveness of playbooks and processes).
Workflow 2 – Attack Emulation
Purple Teaming
Develop Capabilities: The Red Team will create and test the infrastructure and tooling required to execute each TTP. Whenever possible, these should be automated using either GitLab CI pipelines or MITRE Caldera.
Emulate Attack(s): Synchronous meeting to play and replay the attacks as necessary.
Validate Detection & Response: An asynchronous discussion on what went well, what could be improved, and what we would do differently next time around.
Workflow 3 – Operation Conclusion
Purple Teaming
Deliver Final Report:
Prepare and share the full report. This contains a detailed attack narrative with an attack flow diagram, a MITRE ATT&CK heatmap, Vectr diagrams on technique outcomes and tooling efficiency, and relevant observations. This is delivered via the issue itself.
Retrospective:
An asynchronous discussion on what went well, what could be improved, and what we would do differently next time around.
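The report stage above turns per-technique outcomes into a heatmap and a list of gaps for the retrospective. The following is an added example (not from the slides, not Vectr's or GitLab's code) of that scoring step: it takes the outcome the blue team reached for each emulated technique and summarises coverage per ATT&CK tactic. The four-level outcome scale (missed, logged, alerted, blocked) and the results themselves are constructed; the ATT&CK technique IDs are real.

```python
"""Outcome scorecard for a purple-team operation (added example).

The outcome scale and the per-technique results below are constructed for
illustration; the ATT&CK IDs are the real technique identifiers."""
from collections import defaultdict

# Assumed ordering of outcomes: the best response the blue team achieved for a
# technique during the synchronous emulation session.
OUTCOME_RANK = {"missed": 0, "logged": 1, "alerted": 2, "blocked": 3}

# Constructed results for the techniques behind the four demos in this deck.
OPERATION_RESULTS = [
    {"technique": "T1135", "name": "Network Share Discovery", "tactic": "Discovery", "outcome": "logged"},
    {"technique": "T1552.001", "name": "Credentials In Files", "tactic": "Credential Access", "outcome": "missed"},
    {"technique": "T1110.003", "name": "Password Spraying", "tactic": "Credential Access", "outcome": "alerted"},
    {"technique": "T1558.003", "name": "Kerberoasting", "tactic": "Credential Access", "outcome": "alerted"},
    {"technique": "T1558.004", "name": "AS-REP Roasting", "tactic": "Credential Access", "outcome": "missed"},
    {"technique": "T1486", "name": "Data Encrypted for Impact", "tactic": "Impact", "outcome": "blocked"},
]


def _detected(result):
    """A technique counts as detected once it produced at least an alert."""
    return OUTCOME_RANK[result["outcome"]] >= OUTCOME_RANK["alerted"]


def tactic_coverage(results):
    """Per tactic: technique count, how many were detected, and the IDs never seen.
    This is the data behind the ATT&CK heatmap in the final report."""
    by_tactic = defaultdict(list)
    for r in results:
        by_tactic[r["tactic"]].append(r)
    summary = {}
    for tactic, techs in by_tactic.items():
        summary[tactic] = {
            "techniques": len(techs),
            "detected": sum(_detected(t) for t in techs),
            "gaps": sorted(t["technique"] for t in techs if t["outcome"] == "missed"),
        }
    return summary


def detection_rate(results):
    """Share of emulated techniques that produced an alert or better."""
    if not results:
        return 0.0
    return round(sum(_detected(r) for r in results) / len(results), 2)


def retrospective_actions(results):
    """Action items for the retrospective, worst outcome first: techniques the
    blue team missed entirely come before those that were only logged."""
    weak = [r for r in results if not _detected(r)]
    weak.sort(key=lambda r: OUTCOME_RANK[r["outcome"]])
    return [f"{r['technique']} {r['name']}: {r['outcome']}" for r in weak]


if __name__ == "__main__":
    for tactic, stats in tactic_coverage(OPERATION_RESULTS).items():
        print(f"{tactic}: {stats['detected']}/{stats['techniques']} detected, gaps {stats['gaps']}")
    print("detection rate:", detection_rate(OPERATION_RESULTS))
    print("\n".join(retrospective_actions(OPERATION_RESULTS)))
```

The "logged" level is kept separate from "alerted" on purpose: an event that landed in the SIEM but never paged anyone is exactly the kind of finding the retrospective should turn into a new detection rule rather than count as coverage.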
Levels of Purple Teaming
Purple Teaming
Demo Planning
Purple Teaming
Brainstorming: Propose and discuss an initial idea.
The Idea or Level: We will be simulating attacks to validate the effectiveness of our security controls.
Use Cases:
1. Credential Discovery via SMB Shares, AD Objects
2. Password Spray in AD Environment
3. Kerberoasting & AS-REP Roasting
4. Ransomware Simulation
Demo 1 – Credential Discovery via SMB Shares, AD Objects
Purple Teaming
RED Team: Extract credentials from accessible SMB shares and Active Directory user attributes.
Tools: Netexec, CrackMapExec, Snaffler and Manspider
BLUE Team: File share (SMB traffic) monitoring and effectiveness of SIEM, DLP, Password Managers and PAM solution.
Tools/Solutions:
1. SIEM to monitor SMB traffic and security events
2. PAM to monitor privileged accounts
3. DLP to detect data leakage.
Demo 2 – Password Spray in AD Environment
Purple Teaming
RED Team: Perform a password spray attack.
Tools: Curl, Nmap, and Sprayhound
BLUE Team: Detect and respond to the password spray attack.
Tools/Solutions:
1. SIEM: Monitor logon events
2. Password Policy
Demo 3 – Kerberoasting & AS-REP Roasting
Purple Teaming
RED Team:
Extract service account hashes from Kerberos service tickets (Ticket Granting Service, or TGS, tickets).
Attempt to crack the AES-encrypted TGS tickets offline to extract the service account keys, and attempt to crack TGS tickets offline to extract the service account hashes.
Tools: Impacket, ADeNum, and Hashcat
BLUE Team: Monitor Event ID 4769 (A Kerberos service ticket was requested) for unusual activity.
Tools/Solutions:
1. SIEM: Monitor Event ID 4769
2. EDR Solutions
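The blue-team side of Demos 1, 2 and 3 comes down to one SIEM pattern: a single source touching an unusual number of distinct targets in a short window (one host opening many shares, one host failing logons against many accounts, one account requesting service tickets for many SPNs). The block below is an added example, not code from the talk or from any of the tools it names. It implements that sliding-window rule once and runs it over constructed Windows Security events for all three demos. Event IDs 5140 (network share accessed), 4625 (logon failure), 4769 (TGS requested), NTSTATUS 0xC000006A (wrong password) and ticket encryption type 0x17 (RC4-HMAC) are real Windows values; the flat field names (`src_ip`, `share`, `account`, `spn`, `etype`), the thresholds, the window sizes and all sample records are assumptions made for the example.

```python
"""Sliding-window 'one source, many distinct targets' detector (added example).

Runs over constructed Windows Security events for Demos 1-3. Field names follow
a generic SIEM normalisation and are assumptions, not from the slides.
Event IDs: 5140 network share accessed, 4625 logon failure, 4769 TGS requested."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 8, 8, 9, 0, 0)  # constructed exercise start time


def at(seconds):
    return T0 + timedelta(seconds=seconds)


def burst_alerts(events, key, value, threshold, window=timedelta(minutes=5)):
    """Map each `key` that touches >= threshold distinct `value`s inside one
    sliding window to the full set of values it touched. Events must be sorted
    by their "ts" field."""
    recent = defaultdict(deque)  # key -> deque of (ts, value), oldest first
    alerts = {}
    for ev in events:
        k, v, ts = ev[key], ev[value], ev["ts"]
        q = recent[k]
        q.append((ts, v))
        while ts - q[0][0] > window:  # evict entries that fell out of the window
            q.popleft()
        distinct = {val for _, val in q}
        if len(distinct) >= threshold:
            alerts.setdefault(k, set()).update(distinct)
    return alerts


# Demo 1 (Event 5140): one workstation opens six shares across three servers in
# ten seconds; a normal user opens a single share in the same period.
SHARE_EVENTS = sorted(
    [{"ts": at(2 * i), "src_ip": "10.0.0.50", "share": f"\\\\SRV{i % 3}\\{n}"}
     for i, n in enumerate(["IT", "HR", "Finance", "Backups", "Scripts", "Public"])]
    + [{"ts": at(7), "src_ip": "10.0.0.7", "share": "\\\\SRV1\\HR"}],
    key=lambda e: e["ts"])

# Demo 2 (Event 4625, status 0xC000006A = bad password): one host fails against
# twelve different accounts (spray); another host fails twelve times against one
# account (brute force, a different rule, so this one must stay quiet on it).
LOGON_FAILURES = sorted(
    [{"ts": at(5 * i), "src_ip": "10.0.0.99", "account": f"user{i:02d}", "status": "0xC000006A"}
     for i in range(12)]
    + [{"ts": at(1 + 3 * i), "src_ip": "10.0.0.23", "account": "jsmith", "status": "0xC000006A"}
     for i in range(12)],
    key=lambda e: e["ts"])

# Demo 3 (Event 4769): one account requests RC4 (0x17) tickets for eight SPNs in
# eight seconds; a backup service requests AES256 (0x12) tickets for its one SPN.
TGS_REQUESTS = sorted(
    [{"ts": at(i), "account": "contractor01", "spn": f"MSSQLSvc/db{i}.corp.local:1433", "etype": "0x17"}
     for i in range(8)]
    + [{"ts": at(100 + i), "account": "svc-backup", "spn": "cifs/fs1.corp.local", "etype": "0x12"}
     for i in range(3)],
    key=lambda e: e["ts"])


def share_enumeration_alerts(events, threshold=5):
    return burst_alerts(events, "src_ip", "share", threshold)


def password_spray_alerts(events, threshold=10):
    failures = [e for e in events if e["status"] == "0xC000006A"]
    return burst_alerts(failures, "src_ip", "account", threshold)


def kerberoast_alerts(events, threshold=5):
    # RC4 ticket requests are the classic Kerberoasting signal; AES-only service
    # traffic is excluded so routine service accounts do not page the analyst.
    rc4 = [e for e in events if e["etype"] == "0x17"]
    return burst_alerts(rc4, "account", "spn", threshold, window=timedelta(minutes=10))


def run_demos():
    return {
        "demo1": share_enumeration_alerts(SHARE_EVENTS),
        "demo2": password_spray_alerts(LOGON_FAILURES),
        "demo3": kerberoast_alerts(TGS_REQUESTS),
    }


if __name__ == "__main__":
    for demo, hits in run_demos().items():
        for source, targets in hits.items():
            print(f"{demo}: {source} touched {len(targets)} distinct targets")
```

Each demo keeps its own threshold and window because the baselines differ: a helpdesk host legitimately touches several shares per day, while a single account requesting RC4 tickets for five different SQL SPNs within ten minutes has almost no benign explanation. Tuning those numbers against the lab's normal traffic before the emulation session is part of the Workflow 1 planning step, and replaying the attack during the synchronous session is how the purple team confirms the rule fires.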
Demo 4 – Ransomware Simulation
Purple Teaming
RED Team:
Execute malware that simulates various ransomware encryption methods.
Tools: KnowBe4 ransomware simulator
BLUE Team: Monitor Event ID 4769 (A Kerberos service ticket was requested) for unusual activity.
Tools/Solutions:
1. SIEM: Monitor antimalware events
2. EDR Solutions
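For the ransomware demo the EDR-side signal is behavioural rather than a signature: one process rewriting many files with near-random content and a foreign extension. The following is an added example, not code from the talk or from the KnowBe4 simulator, of that heuristic. The file-write events are constructed stand-ins for what an endpoint sensor would report, and the "encrypted" payloads are bytes from a seeded PRNG standing in for ciphertext (there is no real encryption here); the entropy threshold, the per-process file count and the field names are assumptions.

```python
"""Entropy-plus-rename heuristic for a ransomware simulation (added example).

Constructed file-write events stand in for EDR telemetry; high-entropy payloads
are seeded pseudo-random bytes standing in for ciphertext."""
import math
import random
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, roughly
    4 to 5 for English text, 0 for a constant byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_suspicious_write(event, entropy_threshold=7.5):
    """One write looks like encryption in place when the new content is near
    random AND the file was renamed to a different extension."""
    renamed = event["new_ext"] != event["old_ext"]
    return renamed and shannon_entropy(event["content"]) >= entropy_threshold


def ransomware_alerts(events, min_files=5):
    """Return {pid: count} for processes with >= min_files suspicious writes.
    The count threshold keeps a single archive or encrypted-export write quiet."""
    per_process = defaultdict(int)
    for ev in events:
        if is_suspicious_write(ev):
            per_process[ev["pid"]] += 1
    return {pid: n for pid, n in per_process.items() if n >= min_files}


_rng = random.Random(2024)  # seeded so the constructed sample is reproducible
TEXT = b"Quarterly report: revenue grew four percent over the prior year.\n" * 64

# Constructed telemetry: a simulator (pid 4242) rewrites eight documents as
# .locked files with random content; Word saves one document normally; an
# archiver writes one legitimately high-entropy .zip from a .docx.
WRITE_EVENTS = (
    [{"pid": 4242, "image": "ransim.exe", "old_ext": ".docx", "new_ext": ".locked",
      "content": _rng.randbytes(4096)} for _ in range(8)]
    + [{"pid": 1001, "image": "winword.exe", "old_ext": ".docx", "new_ext": ".docx",
        "content": TEXT}]
    + [{"pid": 1002, "image": "7z.exe", "old_ext": ".docx", "new_ext": ".zip",
        "content": _rng.randbytes(4096)}]
)


if __name__ == "__main__":
    for pid, n in ransomware_alerts(WRITE_EVENTS).items():
        print(f"pid {pid}: {n} encrypted-looking rewrites, alert")
    print("text entropy:", round(shannon_entropy(TEXT), 2))
```

The archiver case is the edge to keep in mind when tuning: a single compressed file passes the per-write test (high entropy, new extension) but never reaches the per-process count, which is why the rule keys on volume per process rather than on any one write.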
Purple Teaming
Conclusion
Summary: Purple teaming bridges the gap between offensive and
defensive security.
Collaboration and regular exercises lead to a stronger security
posture.
Call to Action: Implement purple teaming exercises in your
organization to stay ahead of threats.
Thank you
Shoutouts
Huge thanks to @M4yFly for building such an awesome AD lab.
@Gitlab for the Purple Teaming Handbook.
@David Probinsky – Red Teaming & Physical Security (BSides Orlando 2022)