Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group
Transcript of Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group
© 2015 Denim Group – All Rights Reserved
Cyber Purple Teaming: Uniting
Blue and Red Teams
Don’t forget Advanced Cyber
Introduction:
- Security Consultant
- Brazilian JiuJitsu practitioner
- Defender of networks
- Firewall admin
- Linux guy
- Soccer player/fan
- Windows guy
- Air Force guy
Points to discuss:
- Blue team preparations – Get ready defenders!
- Not ready for pentest? Get ready!
- Log all things! Educate all things!
- Red team tactics – Hack with love!
- The scope question – Hack all things!
- Social Engineering – Assess, train, assess!
- Team communication
- Wolf! Man on! Watch out!
- Putting it all together – fine tuning
Red Team vs Blue Team:
Blue team tactics
- Brace yourself
Blue team tactics
- Security Fundamentals
- Patch management
- Locked down DMZ firewall and servers.
- Proper segmentation
- Vulnerability scanning
- Monitoring
- Security Awareness Training (Web based CBT?)
- Skills (Be a sysadmin)
Blue team tactics
- Internal Assessments
- Vulnerability scanning (minimum)
- Internal pentesting (resources needed)
- System hardening / Compliance scans
- Patch management program
- VA data to patch cycle
Blue team tactics
- Logs, Logs and more logs
- Firewall, IPS, Servers, network devices, etc.
Blue team tactics
- Configure tools properly
- Malware detection, IPS, Log levels, etc
- http://hackerhurricane.blogspot.com/
- http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11
- Personnel resources
- Skills and training
Blue team tactics
- Netflow / Packet Capture
- Proper location
- Tool to view and understand the flows
- Use Cases
- Unauth traffic from/to internet
- (ftp, telnet, non-standard http(s))
- C2, Unexpected traffic
- Sensitive information unencrypted
- Unusual spikes in traffic
- Internal server access
- Internal detection of spread of malware
Blue team tactics
- SIEM
- Remember Personnel requirements!
- Central Log repository
- Log correlation
- Ease of Log search
Blue team tactics
- That pentest engagement is getting closer.
Blue team tactics
- CISO
- Pentest is coming (black box, white box, grey box)
- Incentives (awards, gear, etc)
Blue team tactics
- Be Confident
Red team tactics
- Defined:
- Red Team vs Penetration test?
- Scope
- Social Engineering
- Physical Testing
- Man Power used
- Collaboration needed
- Exploits / havoc wreaked
Red team tactics
- Are we ready for a full Red Team assessment?
- Full scope, Physical, SE, all out attack
- Nation State tactics
Red team tactics – Hack with love!
- Team Player Attitude
Red team tactics – Hack with love!
- OOOOOOOOOOOOHH Day!!!!
Red team tactics
- Social Engineering
- Are employees trained? Not CBT, not 1 Lunch and Learn.
- It's no use, can't fix…
- Blue team: We have firewall, AV.
Red team tactics
- Social Engineering – Dave Kennedy
- Destroying Education and Awareness
- https://www.youtube.com/watch?v=ldvI12lpeEI
- WebJacking in SET
- http://www.restrictedintelligence.co.uk/
Red team tactics
- Full Scope.
Purple Team tactics
- Unprepared Blue Teams
- Recommendation on Personnel
- Training of Personnel (SANS, Books, podcasts, RSS)
- Assistance with tools implementation (SIEM rules)
- Retesting and verifying (segmentation, IPS/SIEM)
Purple Team tactics
- All Blue Teams
- Adversary simulation (Raphael Mudge)
- http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
- Malleable C2
- Nation State simulation
Purple Team tactics
- Testing Scenarios:
- WAF
- IPS/IDS
- AV
- Malware Detection
- DLP
- More…
- What exists in your SOC:
- Monitoring TEAM
- Deployment/UpKeep/Configuration TEAM
Purple Team tactics
- SIEM Rules
- Idea mentioned by Kevin Johnson @ BsidesATX
- As a pentester, provide SIEM rules to blue teams
- Any vendor
- An idea, a possibility?
- Purple Team Talk by Kevin Johnson and James Jardine
- https://youtu.be/ARM2ArOw9sI
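The SIEM slide asks for a central log repository with correlation, and this slide suggests the pentester hand SIEM rules to the blue team. The following is an added example (not code from the talk or from Denim Group) of what such a rule set looks like when written as plain Python over normalised events: one correlation rule (a run of failed logons followed by a success from the same source) and one single-event rule (a service being installed). The event records are constructed, and the field names `event_id`, `account`, `src_ip`, `host`, `service` and `image` are assumptions standing in for whatever columns a given SIEM normalises to; the Windows event IDs 4625, 4624 and 7045 are the standard Security/System IDs for failed logon, successful logon and service installation.

```python
"""Two SIEM-style detection rules over constructed Windows events.

Added example, not code from the talk or Denim Group. Field names are assumed
normalised SIEM columns; the event records below are constructed test data.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, host, event_id, **fields):
    """Build one normalised event; time is ISO-8601 without zone (assumed UTC)."""
    return {"time": datetime.fromisoformat(time), "host": host,
            "event_id": event_id, **fields}


# Constructed events: not real logs.
EVENTS = [
    # five failed logons (4625) from one source within 20 seconds ...
    *[ev(f"2015-05-09T10:00:{1 + 4 * i:02d}", "FS01", 4625,
         account="jdoe", src_ip="10.0.0.50") for i in range(5)],
    # ... followed by a successful logon (4624) from the same source
    ev("2015-05-09T10:00:25", "FS01", 4624, account="jdoe", src_ip="10.0.0.50"),
    # a single failure from elsewhere: below threshold, must not alert
    ev("2015-05-09T10:01:00", "FS01", 4625, account="asmith", src_ip="10.0.0.60"),
    # a normal success with no preceding failures: must not alert
    ev("2015-05-09T10:02:00", "FS01", 4624, account="asmith", src_ip="10.0.0.7"),
    # System 7045 "a service was installed" with a constructed service name
    ev("2015-05-09T10:03:00", "FS01", 7045, service="ConstructedSvc",
       image=r"C:\Windows\Temp\constructed.exe"),
]


def rule_failures_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule: at least `threshold` 4625 events from one source IP,
    followed by a 4624 from that IP within `window`. Fires once per success."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        if e["event_id"] in (4624, 4625):
            by_src[e["src_ip"]].append(e)
    alerts = []
    for src, seq in by_src.items():
        failures = []
        for e in seq:
            if e["event_id"] == 4625:
                failures.append(e["time"])
                continue
            recent = [t for t in failures if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "logon-failures-then-success",
                               "host": e["host"], "src_ip": src,
                               "account": e["account"], "failures": len(recent),
                               "time": e["time"]})
            failures = []  # a success closes the sequence either way
    return alerts


def rule_service_installed(events):
    """Single-event rule: any 7045 is worth a look, since remote-execution tools
    commonly drop a service binary; the image path tells the analyst where."""
    return [{"rule": "service-installed", "host": e["host"],
             "service": e.get("service"), "image": e.get("image"),
             "time": e["time"]}
            for e in events if e["event_id"] == 7045]


RULES = [rule_failures_then_success, rule_service_installed]


def run_rules(events, rules=RULES):
    """Apply every rule and return alerts in time order."""
    alerts = []
    for rule in rules:
        alerts.extend(rule(events))
    return sorted(alerts, key=lambda a: a["time"])


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The point of handing over rules in this form is that the red team knows exactly which events its own activity generated; the blue team then only has to map the assumed field names onto its SIEM's schema and tune `threshold` and `window` to its environment.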
Purple Team tactics
- We Talked Logs/Events
- Let's talk flows/packet analysis – example from compromising a system:
- Beacon
- Setoolkit / Metasploit
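The Netflow / Packet Capture slide lists use cases (unauthorised ftp/telnet to the internet, non-standard ports, C2 traffic) and this slide points at the beacon a compromised host produces. As an added example, not code from the talk or from Denim Group, here are those three use cases as detections over flow records. The flow tuples, the internal address ranges and the egress port allow list are all constructed assumptions; a real deployment would feed it exported NetFlow/IPFIX records and its own network inventory.

```python
"""Flow-based detections for three of the slide's use cases.

Added example, not from the talk or Denim Group. Flow records are constructed:
(epoch seconds, src_ip, dst_ip, dst_port, protocol). Internal ranges and the
egress allow list are assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}      # credentials on the wire
ALLOWED_EGRESS_PORTS = {53, 80, 443}             # assumed policy: DNS and web only

# Constructed flows, not captured traffic.
FLOWS = [
    # 10.0.0.5 contacts 203.0.113.10:443 every ~60 s with 1-2 s of jitter: a beacon
    *[(1_700_000_000 + i * 60 + (i % 3) - 1, "10.0.0.5", "203.0.113.10", 443, "tcp")
      for i in range(8)],
    # 10.0.0.7 browses the same site at irregular, human intervals: not a beacon
    (1_700_000_005, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    (1_700_000_019, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    (1_700_000_120, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    (1_700_000_127, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    (1_700_000_300, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    (1_700_000_301, "10.0.0.7", "198.51.100.20", 443, "tcp"),
    # cleartext FTP leaving the network
    (1_700_000_040, "10.0.0.9", "203.0.113.55", 21, "tcp"),
    # telnet, but internal-to-internal: outside the egress use case
    (1_700_000_041, "10.0.0.9", "10.0.0.200", 23, "tcp"),
    # a single egress connection to a port not on the allow list
    (1_700_000_050, "10.0.0.5", "203.0.113.77", 4444, "tcp"),
]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def egress_flows(flows):
    """Only inside -> outside flows; the slide's use cases are about the edge."""
    return [f for f in flows if is_internal(f[1]) and not is_internal(f[2])]


def find_cleartext_egress(flows):
    """Use case: ftp/telnet from inside to the internet."""
    return sorted({(src, dst, dport, CLEARTEXT_PORTS[dport])
                   for _ts, src, dst, dport, _p in egress_flows(flows)
                   if dport in CLEARTEXT_PORTS})


def find_unexpected_egress_ports(flows):
    """Use case: unauthorised / non-standard services reached from inside."""
    return sorted({(src, dst, dport)
                   for _ts, src, dst, dport, _p in egress_flows(flows)
                   if dport not in ALLOWED_EGRESS_PORTS and dport not in CLEARTEXT_PORTS})


def find_beacons(flows, min_connections=5, max_cv=0.10):
    """Use case: C2 beaconing. The same src->dst:port repeating at near-constant
    intervals has a low coefficient of variation (stdev / mean) in its gaps;
    human browsing to the same destination does not."""
    by_tuple = defaultdict(list)
    for ts, src, dst, dport, _p in egress_flows(flows):
        by_tuple[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_tuple.items():
        if len(times) < min_connections:
            continue                     # too few samples to call it periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue                     # duplicate timestamps, nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((*key, round(avg, 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    print("cleartext egress:", find_cleartext_egress(FLOWS))
    print("unexpected ports:", find_unexpected_egress_ports(FLOWS))
    print("beacons:", find_beacons(FLOWS))
```

The jitter threshold `max_cv` is the knob a blue team tunes after a purple-team run: the red team reports the beacon interval and jitter it used, and the defenders check whether the detection fires on it without also flagging ordinary periodic traffic such as update checks.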
Purple Team tactics
- So what’s the point?
- Bring the education
- Work together and keep communication high
- Blue and Red have to equally contribute
- Don’t throw over the fence
- Make reports beneficial
- Remediation?
Comments? Questions?
Twitter: @beto_atx
Email: [email protected]