Purple teaming Cyber Kill Chain
-
Upload
haydn-johnson -
Category
Technology
-
view
322 -
download
2
Transcript of Purple teaming Cyber Kill Chain
![Page 1: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/1.jpg)
@haydnjohnson @carnal0wnage
Purple Teaming the Cyber Kill Chain
Practical Exercises for Management Everyone
![Page 2: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/2.jpg)
@haydnjohnson @carnal0wnage
whoami
![Page 3: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/3.jpg)
@haydnjohnson @carnal0wnage
Chris Gates - Sr. Incident Response Engineer - Uber Inc.
Twitter: @carnal0wnage Blog: carnal0wnage.attackresearch.com Talks: slideshare.net/chrisgates
![Page 4: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/4.jpg)
@haydnjohnson @carnal0wnage
Haydn Johnson - Security Consultant - “Researcher” Twitter: @haydnjohnson Talks: BsidesTO, Circle City Con, BsidesLV Big 4 experience http://www.slideshare.net/HaydnJohnson
![Page 5: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/5.jpg)
@haydnjohnson @carnal0wnage
Overview
1. Terminology for our discussion 2. Explain this Cyber Kill Chain (CKC) thing
3. Use CKC to plan possible Purple Team exercises
4. Purple Team Story Time
![Page 6: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/6.jpg)
@haydnjohnson @carnal0wnage
Terminology
![Page 7: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/7.jpg)
@haydnjohnson @carnal0wnage
Terminology
Vulnerability Assessment Person - Run Vuln Scanner….hey client you suck Penetration Tester - Metasploit /MSF PRO (FTW)...hey client you suck Red Teaming - Phish, move laterally, find “sensitive stuff”, maybe custom implant...hey client you suck Purple Teaming - You did all the above, but got to charge for an extra body and to tell the client how they suck in person
![Page 8: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/8.jpg)
@haydnjohnson @carnal0wnage
No Really...
Red Teaming - “Red Team engagements are the full spectrum warfare of security assessments. In a red team engagement, the consultants attack the client organization using physical means, social engineering, and technological avenues. “ From: http://winterspite.com/security/phrasing/
![Page 9: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/9.jpg)
@haydnjohnson @carnal0wnage From: Chris Nickerson Lares Consulting
![Page 10: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/10.jpg)
@haydnjohnson @carnal0wnage
You can’t Red Team yourself But you sure as hell can conduct training...and detection/protection validation http://redteamjournal.com/red-teaming-laws/
![Page 11: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/11.jpg)
@haydnjohnson @carnal0wnage
Purple Team Process
![Page 12: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/12.jpg)
@haydnjohnson @carnal0wnage
No Really...
Purple Teaming - Conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team. It isn't a "can you get access to X" exercise it is a "train the Blue Team on X" exercise. The pentesting activities are a means to conduct realistic training. More here: http://carnal0wnage.attackresearch.com/2016/03/more-on-purple-teaming.html
![Page 13: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/13.jpg)
@haydnjohnson @carnal0wnage
Purple Teaming Process
Training Exercise! 1. Primary result of the exercise is to create an intrusion
event (aka get caught) to test instrumentation (host/network), validate detection processes and procedures, validate protections in place, force response procedures and post mortems.
Differs from Red Team where primary goal is to NOT get caught
![Page 14: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/14.jpg)
@haydnjohnson @carnal0wnage
Purple Teaming Process
Training Exercise + work the IR process Investigate Logging vs Alert + action
○ Is the event logged at all? ○ Logged event != alert ○ Does alert == action taken? ○ Purple Team it!
![Page 15: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/15.jpg)
@haydnjohnson @carnal0wnage
But I need ideas for scenarios!
https://github.com/kbandla/APTnotes https://github.com/aptnotes/
![Page 16: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/16.jpg)
@haydnjohnson @carnal0wnage
TRANSITION SLIDE
Handy transition slide
![Page 17: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/17.jpg)
@haydnjohnson @carnal0wnage
Pyramid of Pain
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html https://www.youtube.com/watch?v=Mke74a9guNk
![Page 18: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/18.jpg)
@haydnjohnson @carnal0wnage
Lockheed Martin Cyber Kill Chain
Worst. Name. Ever. “The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
![Page 19: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/19.jpg)
@haydnjohnson @carnal0wnage
CKC is a great idea!
This is an integrated, end-to-end process described as a “chain” because any one deficiency will interrupt the entire process.
AKA:
Any deficiency in the attackers chain, will interrupt the entire process
![Page 20: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/20.jpg)
@haydnjohnson @carnal0wnage
How to use CKC
![Page 21: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/21.jpg)
@haydnjohnson @carnal0wnage
![Page 22: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/22.jpg)
@haydnjohnson @carnal0wnage
![Page 23: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/23.jpg)
@haydnjohnson @carnal0wnage
Using the CKC to drive Exercises
http://csrc.nist.gov/cyberframework/framework_comments/20131213_charles_alsup_insa_part3.pdf
![Page 24: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/24.jpg)
@haydnjohnson @carnal0wnage
Using the CKC to drive Exercises
● Rather than consolidate all attacker activities into a single chart. We **could** create charts for various attack types or CKC steps.
● This would force us to identify and DOCUMENT an organization’s methods to Detect, Deny, Disrupt, Degrade, Deceive & Contain (Destroy) for any attack type.
● As an added bonus, it creates Purple Team exercises for us when we create a plan to validate the info in the chart.
https://nigesecurityguy.wordpress.com/tag/cyber-kill-chain/
![Page 25: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/25.jpg)
@haydnjohnson @carnal0wnage
Example Attack Types
https://attack.mitre.org/wiki/Main_Page
W I N D O W S
![Page 26: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/26.jpg)
@haydnjohnson @carnal0wnage
Example Attack Types
![Page 27: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/27.jpg)
@haydnjohnson @carnal0wnage
Example Attack Types
https://attack.mitre.org/wiki/Main_Page
![Page 28: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/28.jpg)
@haydnjohnson @carnal0wnage
Example Attack Types
![Page 29: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/29.jpg)
@haydnjohnson @carnal0wnage
Mimikatz Example
● Mimikatz affects almost all organizations
● Outline your defenses against the tool ○ AV ○ Md5 ○ Command line usage ○ Code certificate details ○ Windows Hardening ○ Detection (via ATA)
● https://adsecurity.org/?page_id=1821
![Page 30: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/30.jpg)
@haydnjohnson @carnal0wnage
Mimikatz Example
![Page 31: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/31.jpg)
@haydnjohnson @carnal0wnage
Mimikatz Example
Purple Team ● Pack, Recompile, Sign with different code sign certificate ● Powershell mimikatz ● Various whitelist bypass techniques ● Validate ○ Protected User Groups ○ LSA Protection ○ Registry changes prevent wdigest clear text ○ Alerting!
![Page 32: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/32.jpg)
@haydnjohnson @carnal0wnage
Lateral Movement Example
● We could attempt to document every Lateral Movement tool / technique
● Instead focus on how you detect/protect/respond to a tool or suite of tools ○ Ex: impacket
![Page 33: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/33.jpg)
@haydnjohnson @carnal0wnage
Lateral Movement -- impacket-psexec.py
Place holder for lateral movement example
![Page 34: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/34.jpg)
@haydnjohnson @carnal0wnage
Lateral Movement Example Purple Team ● Run impacket.py in default config ○ Did you detect it? ○ Tweak detection/deny/etc until you do!
● Let your Red Team modify impacket ○ Repeat the detect/deny process until the tool is
unusable in your org ● Do your GPO settings prevent most use cases?
![Page 35: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/35.jpg)
@haydnjohnson @carnal0wnage
Malicious Attachments
● Everyone employs’ some sort of malicious attachment protection ○ Google mail for business ○ Office 365 ○ Proofpoint ○ FireEye
● Do you test it? Or do you just hope for the best?
![Page 36: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/36.jpg)
@haydnjohnson @carnal0wnage
Malicious Attachments
![Page 37: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/37.jpg)
@haydnjohnson @carnal0wnage
Malicious Attachments https://github.com/carnal0wnage/malicious_file_maker
![Page 38: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/38.jpg)
@haydnjohnson @carnal0wnage
Malicious Attachments
![Page 39: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/39.jpg)
@haydnjohnson @carnal0wnage
Malicious Attachments Purple Team • Send various types of malicious attachments via multiple
sources • Compare to your chart of assumptions
• How many emails does it take to block a sender? • What types of attachments generate alerts? • Does suspicious stuff get moved to spam or deleted; do people open spam
emails? • If sent to employees, do they report? • Did any automated actions take place?
![Page 40: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/40.jpg)
@haydnjohnson @carnal0wnage
CKC Exercise Outcomes ● Mental exercise of how we Detect/Respond/etc to attacks ● Document defense posture ● Answer the “Do the Blinky Boxes work?” question
The Purple Team component ● Validate the spreadsheet is accurate ● Validate the blinky box is doing “something” ● Identify training and coverage gaps for the org ○ Test plan for the above
![Page 41: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/41.jpg)
@haydnjohnson @carnal0wnage
CKC Exercise Outcomes ● ITERATIVE PROCESS ○ Starts as simple detection validation exercises ○ Based on maturity, moves into gap analysis/detection
evasion by your attack team ○ You build up to Red Teaming
● Does what we have for detection/protection work? ○ Then how easy is it to bypass ○ Track last test date, drive exercises and training
![Page 42: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/42.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
Privilege Escalation
Assume Breach
Meterpreter C2
Exfiltration - FTP
“Red Team” @ $canadian Bank
![Page 43: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/43.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Receive call “Check this IP address” • $secretpoliceinvestigation
• IP address seen - Investigators go to meeting + lunch • 2 hours later, identify data exfil • Sh*t hits fan • Log into FTP server to delete data • Execute processes
Alerts triggered purposely
![Page 44: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/44.jpg)
@haydnjohnson @carnal0wnage
Story Time #1 Debrief
Red Team Blue Team
What we saw
What was done
The GAP
Improvements ==
![Page 45: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/45.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Process not as effective as it looks
• Road Blocks in communication
Lessons learned
![Page 46: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/46.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Process bypassed • Hard to collaborate • Rotating Shifts
Lessons learned
![Page 47: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/47.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• IR equipment == slow • Infrastructure out of date
Lessons learned
![Page 48: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/48.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Big company hard to change quickly • Issues clearly acknowledged • Long term plans
Nothing changed in short term
![Page 49: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/49.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Create defined and clear process for hierarchy • Training on hacking back - DON’T • Budget for prioritized upgrade of Lab • Shift style lunches
Solutions
![Page 50: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/50.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Better equipment • Better processes • Better security culture • Better collaboration
2nd time around
![Page 51: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/51.jpg)
@haydnjohnson @carnal0wnage
Story Time #1
• Faster detection • Faster containment • Faster win
2nd time improvements
![Page 52: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/52.jpg)
@haydnjohnson @carnal0wnage
The Point
• What you think works, probably doesn’t
• Test it
• Humans will be humans, including your Blue Team
![Page 53: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/53.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
• IR Manager had identified some gaps plus had new incident responders • Mobile Forensics • Response to Golden Ticket attack • Work thru IR process as a team
• Fully internal -- No external Contractors • Partnered with senior Blue Team member • Took things I found pentesting…chained together story for the
exercise • “Create internal havoc” attackers
Overview of a Purple Teaming Exercise
![Page 54: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/54.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
SMS Phish**
![Page 55: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/55.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 56: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/56.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 57: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/57.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 58: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/58.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 59: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/59.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 60: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/60.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 61: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/61.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 62: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/62.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 63: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/63.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 64: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/64.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 65: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/65.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 66: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/66.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 67: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/67.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 68: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/68.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 69: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/69.jpg)
@haydnjohnson @carnal0wnage
Purple Bucket
![Page 70: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/70.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 71: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/71.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 72: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/72.jpg)
@haydnjohnson @carnal0wnage
Story Time #2
![Page 73: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/73.jpg)
@haydnjohnson @carnal0wnage
So the take away!
![Page 74: Purple teaming Cyber Kill Chain](https://reader031.fdocuments.in/reader031/viewer/2022022411/58edf2b91a28ab91198b4685/html5/thumbnails/74.jpg)
@haydnjohnson @carnal0wnage
Please remember:
• Document your defenses and protections
• Find a way to (iteratively) build your attacks/validation
• Start simple, grow to more complex attacks/scenarios
• Pwn all the things...but in a way that helps your organization