Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group


Transcript of Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group

Page 1: Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albert Campa, Denim Group

© 2015 Denim Group – All Rights Reserved

Cyber Purple Teaming: Uniting

Blue and Red Teams

Don’t forget Advanced Cyber

Page 2:

Introduction:

- Security Consultant

- Brazilian JiuJitsu practitioner

- Defender of networks

- Firewall admin

- Linux guy

- Soccer player/fan

- Windows guy

- Air Force guy

Page 3:

Points to discuss:

- Blue team preparations – Get ready defenders!

- Not ready for pentest? Get ready!

- Log all things! Educate all things!

- Red team tactics – Hack with love!

- The scope question – Hack all things!

- Social Engineering – Assess, train, assess!

- Team communication

- Wolf! Man on! Watch out!

- Putting it all together – fine tuning

Page 4:

Red Team vs Blue Team:


Page 11:

Blue team tactics

- Brace yourself

Page 12:

Blue team tactics

- Security Fundamentals

Page 13:

Blue team tactics

- Security Fundamentals
  - Patch management
  - Locked-down DMZ firewall and servers
  - Proper segmentation
  - Vulnerability scanning
  - Monitoring
  - Security Awareness Training (Web based CBT?)
  - Skills (Be a sysadmin)

Page 14:

Blue team tactics

- Internal Assessments
  - Vulnerability scanning (minimum)
  - Internal pentesting (resources needed)
  - System hardening / Compliance scans
- Patch management program
  - VA data to patch cycle

Page 15:

Blue team tactics

- Logs, Logs and more logs
  - Firewall, IPS, Servers, network devices, etc.

Page 16:

Blue team tactics

- Configure tools properly
  - Malware detection, IPS, Log levels, etc.
  - http://hackerhurricane.blogspot.com/
  - http://www.slideshare.net/Hackerhurricane/windows-logging-cheat-sheet-v11
- Personnel resources
  - Skills and training

Page 17:

Blue team tactics

- Netflow / Packet Capture
  - Proper location
  - Tool to view and understand the flows
- Use Cases
  - Unauth traffic from/to internet (ftp, telnet, non-standard http(s))
  - C2, Unexpected traffic
  - Sensitive information unencrypted
  - Unusual spikes in traffic
  - Internal server access
  - Internal detection of spread of malware

Page 18:

Blue team tactics

- SIEM
  - Remember Personnel requirements!
  - Central Log repository
  - Log correlation
  - Ease of Log search

Page 19:

Blue team tactics

- That pentest engagement is getting closer.

Page 20:

Blue team tactics

- CISO
  - Pentest is coming (black box, white box, grey box)
  - Incentives (awards, gear, etc.)

Page 21:

Blue team tactics

- Be Confident

Page 22:

Red team tactics

- Defined:
  - Red Team vs Penetration test?
  - Scope
  - Social Engineering
  - Physical Testing
  - Manpower used
  - Collaboration needed
  - Exploits / havoc wreaked

Page 23:

Red team tactics

- Are we ready for a full Red Team Assessment?
  - Full scope, Physical, SE, all-out attack
  - Nation State tactics

Page 24:

Red team tactics – Hack with love!

- Team Player Attitude

Page 25:

Red team tactics – Hack with love!

- OOOOOOOOOOOOHH Day!!!!


Page 28:

Red team tactics

- Social Engineering
  - Are employees trained? Not CBT, not 1 Lunch and Learn.
  - It's no use, can't fix…
  - Blue team: We have firewall, AV.

Page 29:

Red team tactics

- Social Engineering

Page 30:

Red team tactics

- Social Engineering – Dave Kennedy
  - Destroying Education and Awareness
  - https://www.youtube.com/watch?v=ldvI12lpeEI
  - WebJacking in SET
  - http://www.restrictedintelligence.co.uk/

Page 31:

Red team tactics

- Full Scope.

Page 32:

Purple Team tactics

- Unprepared Blue Teams
  - Recommendation on Personnel
  - Training of Personnel (SANS, Books, podcasts, RSS)
  - Assistance with tools implementation (SIEM rules)
  - Retesting and verifying (segmentation, IPS/SIEM)

Page 33:

Purple Team tactics

- All Blue Teams
  - Adversary simulation (Rafa Mudge)
  - http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
  - Malleable C2
  - Nation State simulation

Page 34:

Purple Team tactics

- Testing Scenarios
  - WAF
  - IPS/IDS
  - AV
  - Malware Detection
  - DLP
  - More…
- What exists in your SOC:
  - Monitoring TEAM
  - Deployment/Upkeep/Configuration TEAM

Page 35:

Purple Team tactics

- SIEM Rules
  - Idea mentioned by Kevin Johnson @ BsidesATX
  - As a pentester, provide SIEM rules to blue teams
  - Any vendor
  - An idea, a possibility?
- Purple Team Talk by Kevin Johnson and James Jardine
  - https://youtu.be/ARM2ArOw9sI
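The "log correlation" item on the SIEM slide and the "provide SIEM rules to blue teams" idea above are easier to picture with a concrete rule. The following is an added example, not material from the talk or from Denim Group: a vendor-neutral correlation rule written in plain Python so it can be read, argued over and retested by both teams before it is translated into whatever SIEM the blue team runs. It assumes Windows logon events (EventID 4625 failure, 4624 success) have been forwarded as one JSON object per line with `ts`, `EventID`, `TargetUserName` and `IpAddress` fields; the event lines themselves are constructed for the example.

```python
"""A SIEM correlation rule of the kind a pentester could hand to the blue team
after an engagement: many failed logons followed by a success.

Rule: at least THRESHOLD failed logons (Windows EventID 4625) from one source
address, followed by a successful logon (EventID 4624) from that same source
within WINDOW seconds, raises one alert. The event lines are constructed
JSON, one per line, standing in for what a log collector forwards to a SIEM.
Added example, not from the slides."""
import json
from collections import defaultdict

THRESHOLD = 5       # failures needed before a success is suspicious
WINDOW = 300        # seconds that earlier failures stay relevant

SAMPLE_EVENTS = "\n".join([
    # constructed: one source trying six accounts, then landing on svc_backup
    '{"ts": 1000, "EventID": 4625, "TargetUserName": "jdoe", "IpAddress": "10.0.9.5"}',
    '{"ts": 1010, "EventID": 4625, "TargetUserName": "asmith", "IpAddress": "10.0.9.5"}',
    '{"ts": 1020, "EventID": 4625, "TargetUserName": "bjones", "IpAddress": "10.0.9.5"}',
    '{"ts": 1030, "EventID": 4625, "TargetUserName": "clee", "IpAddress": "10.0.9.5"}',
    '{"ts": 1040, "EventID": 4625, "TargetUserName": "dkim", "IpAddress": "10.0.9.5"}',
    '{"ts": 1050, "EventID": 4625, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.5"}',
    '{"ts": 1070, "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.5"}',
    # constructed: a user who mistyped twice stays below threshold, no alert
    '{"ts": 1100, "EventID": 4625, "TargetUserName": "mruiz", "IpAddress": "10.0.9.8"}',
    '{"ts": 1105, "EventID": 4625, "TargetUserName": "mruiz", "IpAddress": "10.0.9.8"}',
    '{"ts": 1110, "EventID": 4624, "TargetUserName": "mruiz", "IpAddress": "10.0.9.8"}',
    # constructed: a success from the same source long after the window, no second alert
    '{"ts": 9000, "EventID": 4624, "TargetUserName": "svc_backup", "IpAddress": "10.0.9.5"}',
])


def parse_events(text):
    """One JSON object per line, blank lines ignored, sorted by time so the
    rule can be evaluated in a single pass."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def failed_then_success(events, threshold=THRESHOLD, window=WINDOW):
    """Evaluate the rule over time-ordered events; return one alert per hit."""
    failures = defaultdict(list)   # source ip -> timestamps of recent 4625s
    alerts = []
    for e in events:
        src, ts = e["IpAddress"], e["ts"]
        if e["EventID"] == 4625:
            failures[src].append(ts)
        elif e["EventID"] == 4624:
            recent = [t for t in failures[src] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "source": src,
                    "account": e["TargetUserName"],
                    "failures": len(recent),
                    "first_failure": recent[0],
                    "success": ts,
                })
                failures[src] = []         # fired; do not re-alert on the same burst
            else:
                failures[src] = recent     # drop failures that aged out of the window
    return alerts


if __name__ == "__main__":
    for alert in failed_then_success(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The value for the blue team is less the code than the two tunables: the threshold and window are exactly what the red team learned during the engagement (how many attempts, how fast), so handing them over with the rule turns a finding into a detection that can be retested on the next pass.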

Page 36:

Purple Team tactics

- We talked Logs/Events
- Let's talk Flows/packet analysis. Example from compromising a system:
  - Beacon
  - Setoolkit / Metasploit
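The NetFlow use cases listed under "Blue team tactics" (unauthorized traffic to the internet, C2 and unexpected traffic, internal spread of malware) and the beacon example here come down to a few queries over flow records. The block below is an added example, not code from the talk or from Denim Group: it runs three of those use cases over a handful of constructed flow records of the form (timestamp, source, destination, destination port, protocol, bytes). It assumes the blue team defines its own internal address ranges (`INTERNAL_NETS`) and egress policy (`EGRESS_ALLOWED`); the jitter threshold for the beacon check is likewise an assumed starting value, not a figure from the slides.

```python
"""Flow-based detections for the NetFlow / packet capture use cases on the
slides: off-policy or cleartext egress, a beacon to an external host, and
internal fan-out that looks like malware spreading.

Added example; the flow records below are constructed, not captured."""
import ipaddress
import statistics
from collections import defaultdict

# Each record: (timestamp_seconds, src_ip, dst_ip, dst_port, proto, bytes)
FLOWS = [
    (0,   "10.0.1.20", "192.0.2.10",   443,  "tcp", 4200),   # normal HTTPS
    (5,   "10.0.1.20", "192.0.2.10",   80,   "tcp", 900),    # normal HTTP
    (12,  "10.0.1.21", "198.51.100.7", 23,   "tcp", 300),    # telnet to the internet
    (40,  "10.0.1.20", "203.0.113.9",  8443, "tcp", 120),    # beacon, ~60 s period
    (100, "10.0.1.20", "203.0.113.9",  8443, "tcp", 118),
    (161, "10.0.1.20", "203.0.113.9",  8443, "tcp", 122),
    (220, "10.0.1.20", "203.0.113.9",  8443, "tcp", 119),
    (281, "10.0.1.20", "203.0.113.9",  8443, "tcp", 121),
    (200, "10.0.1.22", "10.0.5.10",    445,  "tcp", 50000),  # one host reaching
    (210, "10.0.1.22", "10.0.5.11",    445,  "tcp", 50000),  # many SMB peers
    (215, "10.0.1.22", "10.0.5.12",    445,  "tcp", 50000),
]

# The blue team's own address plan (assumed for the example); "internal" is a
# policy decision, not something derived from the address itself.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
EGRESS_ALLOWED = {80, 443}                  # ports the egress policy permits
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unauthorized_egress(flows, allowed=EGRESS_ALLOWED):
    """Internal -> internet flows on ports outside the egress policy."""
    hits = []
    for ts, src, dst, dport, proto, _ in flows:
        if is_internal(src) and not is_internal(dst) and dport not in allowed:
            label = CLEARTEXT_PORTS.get(dport, f"non-standard port {dport}")
            hits.append((ts, src, dst, dport, label))
    return hits


def beacons(flows, min_count=4, max_jitter=0.10):
    """(src, dst, port) tuples contacted at near-constant intervals.

    Jitter is the standard deviation of the gaps divided by their mean; a
    person browsing produces large jitter, a timer does not."""
    stamps_by_key = defaultdict(list)
    for ts, src, dst, dport, _, _ in flows:
        if is_internal(src) and not is_internal(dst):
            stamps_by_key[(src, dst, dport)].append(ts)
    found = []
    for key, stamps in stamps_by_key.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            found.append((key, mean, jitter))
    return found


def internal_fanout(flows, port=445, min_targets=3):
    """Internal sources that reached at least min_targets internal hosts on
    one port: the pattern of a worm or of credentials being sprayed."""
    targets = defaultdict(set)
    for _, src, dst, dport, _, _ in flows:
        if dport == port and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


if __name__ == "__main__":
    for hit in unauthorized_egress(FLOWS):
        print("egress:", hit)
    for key, mean, jitter in beacons(FLOWS):
        print(f"beacon: {key} every {mean:.1f}s (jitter {jitter:.3f})")
    for src, dsts in internal_fanout(FLOWS).items():
        print("fan-out:", src, "->", dsts)
```

This is also the purple-team loop the slide is getting at: the red team knows the beacon interval and the ports it used, so the blue team can set `min_count` and `max_jitter` against a real sample and then rerun the same flows after tuning to verify the sensor location and thresholds actually catch it.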


Page 45:

Purple Team tactics

- So what’s the point?
  - Bring the education
  - Work together and keep communication high
  - Blue and Red have to equally contribute
  - Don’t throw over the fence
  - Make reports beneficial
  - Remediation?

Page 46:

Comments? Questions?

Twitter: @beto_atx

Email: [email protected]