Cyber Purple Teaming: Uniting Blue and Red Teams - BSides San Antonio - Albert Campa, Denim Group
TRANSCRIPT
![Page 1: Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group](https://reader031.vdocument.in/reader031/viewer/2022032422/55a89dd81a28ab8a188b47f5/html5/thumbnails/1.jpg)
© 2015 Denim Group – All Rights Reserved
Cyber Purple Teaming: Uniting Blue and Red Teams
Don’t forget Advanced Cyber
Introduction:
- Security Consultant
- Brazilian Jiu-Jitsu practitioner
- Defender of networks
- Firewall admin
- Linux guy
- Soccer player/fan
- Windows guy
- Air Force guy
Points to discuss:
- Blue team preparations – Get ready defenders!
- Not ready for pentest? Get ready!
- Log all things! Educate all things!
- Red team tactics – Hack with love!
- The scope question – Hack all things!
- Social Engineering – Assess, train, assess!
- Team communication
- Wolf! Man on! Watch out!
- Putting it all together – fine tuning
Red Team vs Blue Team:
(pages 4 through 10 are image-only slides)
Blue team tactics
- Brace yourself
Blue team tactics
- Security Fundamentals
  - Patch management
  - Locked-down DMZ firewall and servers
  - Proper segmentation
  - Vulnerability scanning
  - Monitoring
  - Security awareness training (web-based CBT?)
  - Skills (be a sysadmin)
Blue team tactics
- Internal assessments
  - Vulnerability scanning (minimum)
  - Internal pentesting (resources needed)
  - System hardening / compliance scans
- Patch management program
  - VA data to patch cycle
Blue team tactics
- Logs, logs and more logs
  - Firewall, IPS, servers, network devices, etc.
Blue team tactics
- Configure tools properly
  - Malware detection, IPS, log levels, etc.
  - http://hackerhurricane.blogspot.com/
  - http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11
- Personnel resources
  - Skills and training
Blue team tactics
- Netflow / packet capture
  - Proper location
  - Tool to view and understand the flows
  - Use cases
    - Unauthorized traffic from/to the Internet (ftp, telnet, non-standard http(s))
    - C2, unexpected traffic
    - Sensitive information unencrypted
    - Unusual spikes in traffic
    - Internal server access
    - Internal detection of the spread of malware
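Three of the use cases on this slide (unauthorized or cleartext traffic to the Internet, unusual spikes, internal spread) written out as flow-record checks. This is an added example, not code from the talk: the flow records are constructed (RFC 5737 test addresses, made-up timestamps and byte counts), and the internal address range, the egress port allowlist and the thresholds are assumptions a site has to set for itself. A real deployment would feed exported NetFlow/IPFIX or Zeek conn.log records into the same three functions.

```python
"""Triage of flow records against the use cases listed above.

Added example, not from the talk. Flow records are constructed; the
internal range, egress allowlist and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import median
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal space
ALLOWED_EGRESS_PORTS = {80, 443}                       # assumed egress policy
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}            # named so they sort to the top

# Constructed flows: (timestamp, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    (100, "10.1.2.15", "198.51.100.7", 443, 4200),         # ordinary HTTPS egress
    (110, "10.1.2.15", "198.51.100.7", 443, 3900),
    (120, "10.1.2.15", "198.51.100.7", 443, 4500),
    (130, "10.1.2.15", "198.51.100.7", 443, 950_000_000),  # bulk transfer: exfil-sized spike
    (101, "10.1.2.15", "198.51.100.9", 21, 900),           # FTP out to the Internet
    (102, "10.1.2.20", "203.0.113.4", 23, 300),            # telnet out to the Internet
    (103, "10.1.2.20", "203.0.113.4", 8081, 12000),        # web-ish on a non-standard port
    (104, "10.1.2.31", "10.1.5.40", 445, 5000),            # one host sweeping SMB on many peers
    (105, "10.1.2.31", "10.1.5.41", 445, 5000),
    (106, "10.1.2.31", "10.1.5.42", 445, 5000),
    (107, "10.1.2.31", "10.1.5.43", 445, 5000),
    (108, "10.1.2.31", "10.1.5.44", 445, 5000),
    (109, "10.1.2.50", "10.1.5.40", 445, 7000),            # a single file-server access: fine
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_violations(flows):
    """Use case 1: internal -> Internet traffic outside the allowlist.
    Cleartext protocols get a label so they sort ahead of the merely odd."""
    hits = []
    for _ts, src, dst, port, _nbytes in flows:
        if is_internal(src) and not is_internal(dst) and port not in ALLOWED_EGRESS_PORTS:
            hits.append((src, dst, port, CLEARTEXT_PORTS.get(port, "non-standard")))
    return hits


def volume_spikes(flows, factor=50):
    """Use case 2: per source host, flag a flow whose byte count is `factor`
    times that host's median flow. Hosts with fewer than three flows are
    skipped: a median of one or two samples is not a baseline."""
    by_src = defaultdict(list)
    for _ts, src, dst, port, nbytes in flows:
        by_src[src].append((dst, port, nbytes))
    spikes = []
    for src, recs in by_src.items():
        if len(recs) < 3:
            continue
        baseline = median(r[2] for r in recs)
        spikes.extend((src, dst, port, nbytes)
                      for dst, port, nbytes in recs if nbytes > factor * baseline)
    return spikes


def lateral_fanout(flows, port=445, min_targets=5, window=60):
    """Use case 3: one internal host opening the same service on many distinct
    internal hosts within `window` seconds. That is the shape of worm spread,
    and also of a pentester sweeping shares. Returns {src: sorted targets}."""
    touched = defaultdict(list)
    for ts, src, dst, dport, _nbytes in flows:
        if dport == port and is_internal(src) and is_internal(dst):
            touched[src].append((ts, dst))
    hits = {}
    for src, events in touched.items():
        events.sort()
        for i, (t0, _d) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for name, result in (("egress", egress_violations(FLOWS)),
                         ("spikes", volume_spikes(FLOWS)),
                         ("fan-out", lateral_fanout(FLOWS))):
        print(name, result)
```

The "proper location" bullet matters for all three checks: the egress and spike checks only work if the collector sees the Internet edge, and the fan-out check only works if it sees east-west traffic between internal segments, which a collector at the perimeter never does.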
Blue team tactics
- SIEM
  - Remember personnel requirements!
  - Central log repository
  - Log correlation
  - Ease of log search
Blue team tactics
- That pentest engagement is getting closer.
Blue team tactics
- CISO
  - Pentest is coming (black box, white box, grey box)
  - Incentives (awards, gear, etc.)
Blue team tactics
- Be Confident
Red team tactics
- Defined:
  - Red Team vs penetration test?
    - Scope
    - Social engineering
    - Physical testing
    - Manpower used
    - Collaboration needed
    - Exploits / havoc wreaked
Red team tactics
- Are we ready for a full Red Team assessment?
  - Full scope, physical, SE, all-out attack
  - Nation-state tactics
Red team tactics – Hack with love!
- Team Player Attitude
Red team tactics – Hack with love!
- OOOOOOOOOOOOHH Day!!!!
Red team tactics
- Social Engineering
  - Are employees trained? Not CBT, not one lunch-and-learn.
  - It’s no use, can’t fix…
  - Blue team: We have a firewall, AV.
Red team tactics
- Social Engineering – Dave Kennedy
  - Destroying Education and Awareness
    - https://www.youtube.com/watch?v=ldvI12lpeEI
  - WebJacking in SET
  - http://www.restrictedintelligence.co.uk/
Red team tactics
- Full Scope.
Purple Team tactics
- Unprepared Blue Teams
  - Recommendations on personnel
  - Training of personnel (SANS, books, podcasts, RSS)
  - Assistance with tool implementation (SIEM rules)
  - Retesting and verifying (segmentation, IPS/SIEM)
Purple Team tactics
- All Blue Teams
  - Adversary simulation (Raphael Mudge)
    - http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
  - Malleable C2
  - Nation-state simulation
Purple Team tactics
- Testing scenarios
  - WAF
  - IPS/IDS
  - AV
  - Malware detection
  - DLP
  - More…
- What exists in your SOC:
  - Monitoring team
  - Deployment/upkeep/configuration team
Purple Team tactics
- SIEM rules
  - Idea mentioned by Kevin Johnson at BSides ATX
  - As a pentester, provide SIEM rules to blue teams
  - Any vendor
  - An idea, a possibility?
- Purple Team talk by Kevin Johnson and James Jardine
  - https://youtu.be/ARM2ArOw9sI
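What "provide SIEM rules to blue teams, any vendor" can look like in practice: two correlation rules a pentester might hand over after an engagement, written in plain Python so they can be ported to whatever rule language the customer's SIEM speaks. This is an added example, not from the talk. The events are constructed (hostnames, usernames, timestamps and the encoded payload are made up); only the event IDs and field meanings are the real Windows Security ones (4625 failed logon, 4624 successful logon, 4688 process creation), and the thresholds are assumptions.

```python
"""Two vendor-neutral correlation rules, run against constructed events.

Added example, not from the talk. Events are hand-made; event IDs and
field meanings are the real Windows Security ones.
"""
from collections import defaultdict

# Constructed events. "src" is the workstation a logon came from; "host" is
# where a process was created.
EVENTS = [
    {"ts": 0,  "id": 4625, "src": "WS-042", "user": "alice"},
    {"ts": 5,  "id": 4625, "src": "WS-042", "user": "bob"},
    {"ts": 9,  "id": 4625, "src": "WS-042", "user": "carol"},
    {"ts": 14, "id": 4625, "src": "WS-042", "user": "dave"},
    {"ts": 18, "id": 4625, "src": "WS-042", "user": "erin"},
    {"ts": 25, "id": 4624, "src": "WS-042", "user": "erin"},     # the spray lands
    {"ts": 30, "id": 4625, "src": "WS-007", "user": "frank"},    # one typo: no alert
    {"ts": 40, "id": 4688, "host": "WS-042",
     "proc": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # constructed, meaningless base64 standing in for a stager
     "cmd": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"ts": 41, "id": 4688, "host": "WS-007",
     "proc": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe report.txt"},
]


def password_spray(events, min_accounts=5, window=60):
    """Rule 1: at least `min_accounts` distinct accounts failing from one
    source inside `window` seconds, followed by a success from that source.
    This is the "one password against every user" pattern, which a
    per-account lockout threshold never trips. Returns (src, tried, winner)."""
    fails = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            fails[e["src"]].append((e["ts"], e["user"]))
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["id"] != 4624:
            continue
        tried = {u for t, u in fails[e["src"]] if 0 <= e["ts"] - t <= window}
        if len(tried) >= min_accounts:
            alerts.append((e["src"], sorted(tried), e["user"]))
    return alerts


# Launch flags common to SET and Metasploit PowerShell stagers (lowercase substrings).
SUSPICIOUS_CMD = ("-enc", "-encodedcommand", "iex", "downloadstring", "-w hidden", "-nop")


def suspicious_powershell(events):
    """Rule 2: powershell.exe created with stager-style flags. Needs the
    'Include command line in process creation events' audit policy turned on;
    without it 4688 carries no command line and this rule is blind."""
    hits = []
    for e in events:
        if e["id"] != 4688 or not e["proc"].lower().endswith("powershell.exe"):
            continue
        cmd = e.get("cmd", "").lower()
        matched = [m for m in SUSPICIOUS_CMD if m in cmd]
        if matched:
            hits.append((e["host"], matched))
    return hits


if __name__ == "__main__":
    print("spray:", password_spray(EVENTS))
    print("powershell:", suspicious_powershell(EVENTS))
```

Rule 2 is the one most often handed over without its prerequisite: on a default audit policy the 4688 event has an empty command line, so the blue team should verify the logging cheat sheet settings from the earlier slide before trusting the rule.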
Purple Team tactics
- We talked logs/events
- Let’s talk flows/packet analysis. Example from compromising a system:
  - Beacon
  - setoolkit / Metasploit
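What the flow side of that example can surface without looking at a single payload byte: Cobalt Strike's Beacon sleeps for a fixed interval (plus optional jitter) between check-ins, and Metasploit's reverse HTTP handlers poll on a timer too, so the gaps between a beacon's connections are far more regular than a person's browsing. This is an added example, not from the talk. The flows below are constructed (RFC 5737 addresses, made-up timestamps) and the thresholds are assumptions to tune per site.

```python
"""Pulling a C2 beacon out of flow timing.

Added example, not from the talk. Flows are constructed; thresholds are
assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# (timestamp_seconds, src_ip, dst_ip, dst_port)
BEACON = [(t, "10.1.2.15", "203.0.113.9", 443) for t in
          (0, 58, 121, 177, 240, 296, 362, 418, 481, 537, 600, 655)]   # ~60 s sleep, ~10% jitter
BROWSING = [(t, "10.1.2.20", "198.51.100.7", 443) for t in
            (0, 3, 4, 9, 140, 141, 400, 402, 403, 900, 1500, 1502)]     # bursty, human
FLOWS = BEACON + BROWSING


def beacon_candidates(flows, min_connections=8, max_cv=0.2):
    """Group connections by (src, dst, port); for each group with enough
    samples, take the inter-arrival gaps and their coefficient of variation
    (stdev / mean). A metronome has CV near 0; browsing has CV above 1.
    Returns {(src, dst, port): (mean_period_seconds, cv)} for the low-CV groups."""
    series = defaultdict(list)
    for ts, src, dst, port in flows:
        series[(src, dst, port)].append(ts)
    candidates = {}
    for key, times in series.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        cv = pstdev(gaps) / period if period else float("inf")
        if cv <= max_cv:
            candidates[key] = (period, cv)
    return candidates


if __name__ == "__main__":
    for key, (period, cv) in beacon_candidates(FLOWS).items():
        print(f"{key}: period {period:.1f}s, cv {cv:.3f}")
```

Malleable C2, from the earlier slide, changes what the traffic looks like on the wire (URIs, headers, body encoding), not how often it comes, so a timing check survives profile changes; a large jitter setting does widen the gaps, which is what `max_cv` is for. Expect legitimate beacons too (update checks, monitoring agents), so pair this with an allowlist of known destinations rather than alerting on every hit.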
Purple Team tactics
(pages 37 through 44 are image-only slides)
Purple Team tactics
- So what’s the point?
  - Bring the education
  - Work together and keep communication high
  - Blue and Red have to contribute equally
  - Don’t throw it over the fence
  - Make reports beneficial
  - Remediation?
Comments? Questions?
Twitter: @beto_atx
Email: [email protected]