
Red Team Engagements: How To Train Your Blue Team to Hunt

BSides Charlotte · 2021 · 51:18 · Published 2021-09
Category: Technical
Team: Purple
Style: Talk
About this talk
This talk focuses on how an internal red team can pragmatically train blue teams to hunt threat actors in the environment. It incorporates the philosophy of "train like you would fight". During this presentation Madhav Bhatt and Brad Richardson discuss how to build visual detection charts from threat intelligence mapped to MITRE ATT&CK. Then they demonstrate how to leverage the visual detection charts to plan and execute purple team exercises. They also demonstrate an example of how to effectively work with the SOC and other stakeholders to build high-fidelity detections. Next, they discuss how to build an adversary detection pipeline using enterprise issue and project tracking software. They show examples of cataloging, elements of minimum detection criteria, and feeding priority detections into the pipeline. Finally, they focus on how internal red teams can conduct adversary simulation and emulation to train the blue side to be better threat hunters. They show how to plan and execute these engagements and how to develop actionable reports to bolster prevention, detection, and response measures. [Target Audience] This talk is meant for organizations that are either building a new red team program or already have a red team program in place and would like to mature it further. It is also for defenders, as it demonstrates how to continuously improve detection and response capabilities.
Transcript (en)

Hello everyone. This is Red Team Engagements: How to Train Your Blue Team to Hunt Adversaries. For this talk we're going to be sharing some processes that will help mature and add rigor to both your red and blue teams, and especially equip your blue team to build better detections and effectively hunt adversaries. First things first, just a little disclaimer here: the opinions, beliefs and views expressed by the authors of this presentation (that's us) do not necessarily reflect the opinions or viewpoints of our employer. With that out of the way, a little introduction. I am Brad Richardson. I'm an offensive security engineer, currently at Credit Karma. You see there on the left, I tweet at richard jb, and you'll also see I like to write the occasional blog post and the occasional tool, so you can find my articles on Medium, and a recent tool of mine is called Slackhound. It is a reconnaissance tool for Slack workspaces, so check that out. And now I'm going to let one of my best buds and colleague introduce himself and walk you through the next few slides. Madhav, take it away.

Thank you, Brad, really appreciate it. Good afternoon, good morning, good evening, wherever you are watching this from. I'm an offensive security engineer at Credit Karma. On the left side, what you see is my Twitter handle. I occasionally blog on Medium, I sometimes write new tools; you can find those tools either on GitHub or on my Docker Hub desi jarvis repo. And from time to time... so what I want to say is Atomic Red Team. If you're not familiar with it, I have been using it for the last three or four years. I'm a huge fan, and recently I have had the pleasure to contribute to Atomic Red Team. We'll talk about Atomic Red Team in the next slide in a little detail, but if you're not familiar with it, I'd highly recommend you check it out.

So let's start this presentation with a fun brain teaser: Dexter Morgan, is he an APT or does he work in IR? Since I can't see the audience, I can't have you raise your hands, so I'll give you my perspective. The way I see it is Dexter loves to do red teaming in his free time, but he gets his W-2 for working in IR. If you are familiar with the TV show, you would see that Dexter walks up to a crime scene, looks at the blood spatter pattern, deduces how the crime was committed, and uses the clues around the crime scene to ultimately track down the attacker. So in one word, Dexter Morgan is an APT who works in IR, and his passion about red teaming is what makes him really good at blue. And that is what we want from our blue team.

Our vision is to arm the defenders of the network with the capability that they can take an isolated alert, investigate that alert to identify the chain of events as they may have happened, and ultimately track and flush the attacker out of the network. To use an example: say the blue team receives a high-fidelity pass-the-hash detection. We want them to be able to identify whether the host that attempted the pass-the-hash was the initial point of compromise; if it was not the initial point of compromise, how did the attacker laterally move to that host, and ultimately find the initial point of compromise and subsequent compromises and flush the attacker out of the network. Obviously it's easier said than done. It is difficult, but definitely not impossible.

So how do we achieve this vision? Well, I'll use a little bit of a soccer analogy. If you want to play a 90-minute soccer game, the basic requirements are you have to be match fit and you have to practice the basic skills like dribbling, passing, shooting and tackling, and then your coach will eventually make you play friendly games in the training sessions so you can prepare for the actual match the next day. And that is how we have broken down our maturity process into four phases: detection chart, purple team exercise, adversary detection pipeline and adversarial services life cycle. The first two phases are supposed to make you match fit and help you practice the basic skills, and the adversarial services life cycle is that friendly match between red and blue that is supposed to prepare blue for the actual match against actual hackers.

So without further ado, let's jump into phase one, detection chart. This is what it looks like: it looks like four different paint buckets exploded on the MITRE ATT&CK framework. Obviously there is a method to the madness. So what does a detection chart do?

Well, a detection chart shows you how good or bad you are at detecting TTPs on a scale of 0 to 3. If we take the example of BITS jobs, which is T1197: if you don't detect that TTP at all in your environment, then you give it a score of zero, color red. If you do detect that TTP but not its variations (certutil is one of the variations; if you put carets between B-I-T-S it is possible your EDR tool or your AV can miss it, and that is also one of the variations), so if you don't detect the variation but you do detect the TTP itself, that's a score of one and color orange. If you do detect the TTP and its known variations, well, that's a score of two, color green. And obviously not all techniques that attackers use are going to be applicable to your environment, so that's a score of three, color gray; you can ignore building detection for that.

Now normally at this point I tell you that you have to know your environment and combine it with your experience as a red teamer to prioritize the TTPs you want to test for, because you can't do this for every single TTP; there are hundreds of TTPs in the MITRE ATT&CK framework. If you go to the Red Canary GitHub repo, they have this tool called gamify attack. It's a great tool: what you will do is you'll send a survey to your teammates and then combine the answers of the survey to prioritize the list of TTPs. So check it out if you have time; you can use that to prioritize the list of TTPs you want to build detection for or test for.

Once you have a prioritized list of techniques that attackers use, building a detection chart is very straightforward. You're going to need the following things. First, you're going to need a Windows VM or Linux VM with a gold image, and if you can have a Mac VM with the gold image, that's great; normally that doesn't work, you probably need a MacBook for that, so normally you'll end up with a Windows VM, a Linux VM and a MacBook with a gold image. Once you get these machines set up, you will pick a TTP from the prioritized list of TTPs and go and gather unit tests for it. This is where Atomic Red Team comes in. Atomic Red Team has some great tests that you can quickly run and see if the detections work, but you also want to add your own tests; you don't want to just rely on commodity tests. So you'll gather unit tests for that TTP that you just picked and then you run the tests on the gold image. If an alert is triggered, you validate whether the alert is triggered or not, and based on that you rate it between zero and two.

Now one thing I want to make very clear during this presentation: when we say the alert is triggered, or when we say detection, we mean an alert is triggered, so you can use alert and detection interchangeably. If you see the activity in the log but an alert is not triggered, we do not consider it a detection for the purpose of this presentation. So just a mental note: you can swap alert and detection; we'll be using them interchangeably. Once you go through this for each TTP in your list, that will build the foundation for your purple team exercise.

All right, before we go into the next phase, I want to talk about a tool that I wrote, Detection Navigator. You can find it on my GitHub. Previously I used to maintain the detection chart in a spreadsheet; however, that's very cumbersome, and if new TTPs come out or MITRE changes the way they want to classify or stack the techniques, it's a big hassle. So I wrote this Django web server that can make this a little more seamless and help you preserve your scoring. So feel free to check it out on my GitHub repo. I also have a blog post about it in the README file on how to use it, and as a bonus I've included atomic tests for Linux and macOS. These are the automation scripts that you can refer to, and you can also add your own tests to these automation scripts and run them.

So at the end of this phase you would have achieved the following. One, you would have a prioritized list of TTPs. You would provide transparency to your leadership on how good or bad you are at detecting these techniques. And you would have performed the gap analysis that will help you direct your resources toward certain detections, response, visibility, monitoring. And there is a bonus: if you do this, you can use this same method to evaluate EDR tools in-house. MITRE does it; vendors submit their tools to MITRE for EDR evaluation. But if you do come across an EDR tool for a PoC that is not evaluated by MITRE, you can use the same methodology. Also, maybe you still want to do an EDR evaluation despite MITRE's scoring, because maybe the environment you're using is different than the TTPs MITRE tested for; you can definitely use this method.

Phase two, purple team exercise. Now we will not do a deep dive here, because there are some great presentations out there on how to do purple team exercises. For the purpose of this presentation we would rather walk you through what it would look like if you do a purple team exercise, but if you do want to do a deep dive, check out this presentation from Cedric Owens. He speaks about how to do purple teaming in a non-Active Directory environment, but you can translate it if you do have Active Directory; the methodology he talks about will overlap.

So this is what the flow looks like for a purple team exercise. You pick a TTP you want to build detection for, and obviously you already have the detection chart at this point, so you know which TTPs you detect and which you don't. So you'll pick the TTP you want to build detection for. You did run the unit test in the last phase, so you would sort of have an idea of what kind of indicators are generated. They can be network-level indicators, host-level or application-level. Based on what level of indicators are generated, you'll be working with a network engineer, a system administrator or an application owner to have those indicators logged to the SIEM. Once they are logged to the SIEM, you'll work with the SIEM expert to build a SIEM query. Then you'll test and review that SIEM query, and we'll talk in detail about how to test and review it in the next phases, but for the purpose of this case let's just say that it meets your criteria for testing and reviewing. Then you can deploy the query, and you just built a detection using a purple team exercise.

So let's make this more digestible using an example, and there is no better example to use than DCSync, because it is an absolute worst nightmare for any company and the absolute most favorite attack for any red team out there. For those of you who have done DCSync on an on-prem domain controller, you would know that it generates IOCs at the host level and network level. So if we go back a little: we picked a TTP on the left side, that is DCSync, and we identified the IOCs as network- and host-level IOCs, so we'll work with the network engineer and the domain admin to have those IOCs logged to the SIEM. Then we'll build the SIEM query to look for those indicators that are not coming from a domain controller, because obviously domain controllers legitimately do DCSyncs, and we'll test and review the query and deploy it if it meets our standard.

Now obviously it is not as easy as I'm making it sound. You will run into challenges, and I'll talk about one challenge in each section, but depending on your environment you'll have different challenges. So for example, for network-level detection to work, you have to make sure that all traffic to your domain controller goes through the IDS that will be sending you that log. It could be another network device, but for example let's just say that it's the IDS that is going to send you those packets of DCSync. And at the host level, every time your system administrator team adds a new DC, you want to make sure that you update that SIEM query to exclude the new DC; otherwise your blue team is going to be flooded with false positives. So you'll probably have to put a process in place that whenever a new DC is added, your system administrators notify your detection engineers, blue team, SOC, IR. So depending on your environment, again, different challenges, and each TTP would have its own challenges, maybe for visibility, maybe for detection, maybe for response, and that is why building detections is very difficult. But if you do it right, it can give you a lot of mileage against threat actors.

So at the end of this phase you would achieve the following. You would have improved detection capabilities. This is a recurring process to audit detection; all the phases we'll talk about are recurring phases, you'll just be visiting them at a different point in time depending on where you're at. This also forces your red team to improve, so your red team may not be able to use commodity TTPs anymore; they'll have to come up with their own. And as a bonus, this exercise will provide insight into your tools. So for example, say your IDS which is sending the logs for DCSync cannot view those packets. That's a limitation; it means you are blind in that section. So next time you want to buy a new IDS, you want to put in a questionnaire for the vendor: hey, does your IDS allow this, before buying the tool. So just a bonus: it shows you how valuable the tools you bought are.

Phase three, adversary detection pipeline. This phase can go parallel to the purple team exercise; however, the main difference is the involvement of the red team. The red team would be heavily involved in the purple team exercise, unless of course you have dedicated purple team engineers, then it's a different case, but if your red team wears multiple hats, then in the purple team exercise the red team is involved. In the adversary detection pipeline, the red team would be involved only in the review process, not as heavily involved as in the purple team exercise. So this is what the workflow looks like. We already built the detection chart, a very important foundation for all these phases. The TTPs you want to build a detection for go in the backlog. Then your detection engineer or a blue team member will be assigned a ticket, or they can pick a ticket they want to work on. It'll move to in progress. Then they'll identify what IOCs are generated for that TTP, and then they'll come up with the SIEM query to find those IOCs, and once they feel confident they'll go to a review board to make sure everything is in order before the detection is deployed. And this is the review section we're talking about from the phase two diagram. In the next slide we have questions on what those review questions can look like. But say the review board accepts your content, or detection, or the SIEM query: the detection engineer's job is done, it will be deployed to the SIEM, and you just went through the adversary detection pipeline to build that detection. But if the review board finds something is lacking, then they will give you the feedback; you'll have to go back, work on the feedback and come back to review.

So again, no better way to explain this than to use an example, and here let's use a little bit different example this time. Let's try to detect an SSH password spray. So first that TTP will go in the backlog. Now say you've got Sherlock Holmes on your team, obviously the best person to have on your blue team because he's the best investigator of all time. Sherlock is assigned this ticket. Sherlock looks at this TTP and he's like, yeah, this is easy:

it generates a network-level IOC, it generates a lot of host-level IOCs, and Sherlock comes up with this query you see on the right top side. For network level: multiple SSH connections to different destination hosts, same source IP. For host level: multiple SSH failed logins, different usernames, same source IP. Sherlock builds a SIEM query that represents those two logics and goes to the review board.

Now these are the questions that Sherlock should have answers for when Sherlock goes to the review committee. One: is there a runbook for this alert, meaning what steps need to be followed to investigate; especially helpful for junior analysts. What is the proposed maturity of the detection, experimental or stable? If it is experimental, Sherlock will work those alerts until it becomes stable. The next questions are related to not wasting the blue team's time: how often will it fire, what is the false positive rate. And the last two questions are where the red team can chime in: is there an alternate scenario that can trigger this alert, and is there a way this logic can be bypassed? So as for the alternate scenario, if you look at the network-level logic, a simple Nmap scan for port 22 will trigger that alert. And when it comes to response, context is everything. For a response to an Nmap scan versus a response to a password spray: for a password spray you want to start looking for successful logins, maybe not for an Nmap scan. So it's something important to remember: context is crucial to response. And for the logic bypass, you'll not always find a silver bullet for each and every single one of those TTPs. If you do, great, but if you don't, then you want to be aware of them so you can put some mitigating controls in place. Now if the review committee finds all the answers to these questions satisfying, they'll hand this query over to the SIEM expert. Obviously you're not limited to these questions; you can add your own questions to this. These are just sample questions that you can have in your review process.

And once the SIEM SME deploys the content, the sprint is complete. So at the end of this phase you would achieve agile content creation. I know I'm just throwing big words out there, but it is indeed agile. It will help you stay current with the threats. This makes your blue team self-sufficient; obviously when your red team resources are limited, you don't want to be relying on the red team to build detections using purple team, because otherwise they'll become the bottleneck for you. And the most important part is a documented trail in tickets, in enterprise ticketing software like ServiceNow and Jira. If the person who wrote the detection left the company, you have something to go back to and refer to on how the detection was written, or if you want to modify the detection, or maybe you want to audit those detections; with all those things, a documented trail helps you. So now we've done the basic training on how to shoot, pass, tackle, dribble, and we have become match fit. I'll hand over to Brad to talk about the friendly match. Brad, right into it.

Thanks, Madhav. So what you see here is the adversarial services life cycle. This is how we envision it. What you see is the life cycle end to end. If you look to the left, we start with our planning phase and we finish ultimately on the right side by validating that we have both robust detection and a strong response. We'll talk more about each of these in later slides, but for now keep in mind that the red team performs the exercise planning, helps train the blue team, tests the detection and response controls during the execution phase, which we'll talk about, and helps with the AARs. AAR is a military term; if you're not familiar with this concept you can kind of think of it as somewhat of an improvement plan, and we'll show some examples of what that will look like. And as well, we really believe that the red team has the opportunity during the adversarial services life cycle to improve the overall security posture by driving remediation for all the great assessment findings that are going to come out of your exercises, especially during the execution step.

So let's talk a little bit about our prerequisites and our planning phase. To us a successful planning phase will really ensure a good red team exercise. It'll ensure your leadership sees security value with all the things that the team is doing, both red and blue, and it'll keep the red team ultimately out of legal trouble; we'll talk a little bit about what I mean by that. On the left side of the slide you see things that we think are critical in this phase, and on the right side you see examples. So let's jump into what those look like. Again, on the left side, you see during this phase you want to define your objectives. Definitely getting buy-in and support, understanding what's important to your executives and leadership, is important when you go to, say, write your rules of engagement document, and you'll be doing that. We'll talk a little bit about the sections that you for sure want to have in your rules of engagement. Ultimately you're going to run your rules of engagement by your legal team and ensure they understand what you'll be doing; they're going to help keep you out of trouble. When you begin your exercise you're going to be able to focus on the exercise without really concerns of, are you breaking some kind of legal issue, hopefully not the law, but your legal team will help guide you in all of that, and it's really important to be on the same page with them before you begin your exercise.

You're going to establish your timeline for emulating the different phases of attack, or whatever it is that you're doing during your simulation or your emulation. Establishing your timeline is going to help you stay on track. Some people and teams will refer to this as the concept of time-boxing your engagement. This is a fancy term, but it helps keep you moving consistently on track through the phases that you want to target, the things that you want to find during your engagement, the things that are important to you. So timeline, we'll talk about, but that's very important. If you have the opportunity to establish a white cell, this is a person or sub-team that mediates between red and blue; they're really a facilitator. We'll talk a little bit more about that, as well as a green cell. If you have the luxury of a dedicated green cell team or person, they will help you manage your red team infrastructure and any other infrastructure that might be pertinent to your exercise. And then, in our opinion, we believe that it's important that if you're going to be deploying any special infrastructure like C2, do it in this phase. The reason being, once you get into your execution, or somewhere down the road in your exercise, there'll be a trade-off if you need to go back and redeploy or deploy again; even managing infrastructure, there's a trade-off. So especially if you're managing your own infrastructure as a red team, go ahead and do it in this phase. It will save you time and energy when the clock really starts during your execution of the engagement.

So looking at the examples, just a little bit about what all those things mean. Your objectives, defined by your executives or leadership team, could be that you are going to start from the outside and you're going to be checking if the attacker can exfil data, or whatever is important; it could be intellectual property, it could be PII, whatever it might be that's important at your organization. Determining your rules of engagement: again, you're going to be putting in what's going to happen during your engagement, what your objectives are, what you'll do, what you won't do. So this might be like spearphishing everyone but executives. You're going to be laying out your target network, and what to do if for some reason you need to stop the engagement, what at least the high-level procedures would be. Maybe you find an active threat on the network, which would be really bad; what do you do if that were to occur. And then timeline. So you see here examples: 8th of June to 14th of June we're going to do an initial foothold; to do that we're going to do spearphishing, and there's a physical pen test aspect to it that we want to include. For 15th to 21st of June, it could be we're going to walk through persistence, data collection, discovery, credential access, and how we're going to do that. We won't go through all these examples, but you get the idea that laying this out ahead of time will save you energy and time when you get into that execution. So laying out a timeline, very important.

So let's talk just a little bit about simulation versus emulation. We won't deep dive that; there are talks and courses on doing emulations. However, we think that there are a few things that we should leave you with when we're talking about the differences. When we're talking about simulation versus emulation, you see there on the left, this plays into our planning and execution phases. We may need to adjust our playbooks slightly to accommodate simulation versus emulation, especially TTPs and how we conduct those. So you see, for both simulation and emulation these are objective-based assessments.

however in a simulation operators are using their own ttps everything is pretty much on the table uh as long as it's spelled out in the roe or obviously uh wouldn't be anything that was illegal but for the most part any ttp that you would find in minor or it could be custom is on the table whereas with an emulation you're emulating a specific threat actor and in this case uh you're bound uh more to emulate and mimic their ttps based on the threat intelligence or open source collection data that you have on that specific thread actor once you've chosen them in who you want to mimic during your exercise and for that attack navigator is a great tool that

can help you narrow down and answer some of the big questions about what ttps a specific threat actor will use and what specific threat actors might be relevant to my organization and company looking to the right uh just a little bit more on examples so let's say with a simulation we're doing phishing attacks and lateral movement that could be more generically we're going to send phishing emails to employees they're going to have malicious payloads in them in macros and that's how we will do that simulating a ransomware attack again more general it could be as simple as uh dropping flags or commodity payloads on open smv shares that we find and then opening notepad with just a fake

ransomware message to the user to read whereas you see when we get into an emulation we might be still doing the same activities but they begin to look a lot more specific to actual threat actors so what you might uh see in that scenario is you begin asking what threats target my company you know impact my industry where i have my headquarters the company i operate from uh any partnerships that my company has um those things will be the basis of what a potential threat actor would be that is targeting my company and once we know that we want to ask the question that's probably just as important is do we have enough applicable ttps

for that threat actor to play out in that in our environment so the reason we call that out is if your environment is heavy for a particular architecture or let's say that there's none of that architecture but this threat actor that you've chosen relies heavily the ttps are impactful to that technology which you don't have you might want to take a step back and rethink you know is there uh more data to be collected uh do you have enough applicable ttps if this is going to be a good exercise uh if you were to say well i'm a political uh campaign firm i've chosen apt 28 what would that look like so would i have enough applicable tptps

and so going forward with that knowledge and those considerations uh again more specifically if i'm trying to gain initial access uh and now i'm bound to say targeting iot and voip or printers with default credentials can i do that in my environment if it were for lateral movement maybe my threat actor being apt-28 is known to do a lot of past the hash does that work in my environment and if i'm going to be maintaining access um can i do legitimate credentials probably so these are things that i want to keep in mind as i narrow down and limit the ttps that i'm going to be emulating during an emulation so we won't walk through all of these

but again if we were talking about emulating ransomware versus a simulation more specifically what that would look like maybe i'm gaining initial access and tying it to malicious emails and i'm focused on the perimeter for a particular thread and maintaining access could be tied to a very specific tool like in the case with darkseid teamviewer so keeping those things in mind looking at the differences between the simulation and emulation these things uh we specifically think it's important to call out and if you're going to be running an emulation keep those things in mind when you uh plan your exercise so establishing the y cell we won't talk too much about this but we want you to

know what it is if you're unfamiliar with the concept as well as some practical things that we think are important so our white cell is our unbiased communications facilitator and sometimes they're our referee now hopefully in your organization your red and blue team uh you don't have moments where it gets adversarial uh that would be bad um but if it did why cell can often help is that unbiased referee in between both teams during the exercise it's another value that you get from the white cell just quickly some key points um they are facilitator and a lot of times they facilitate a lot of important deconfliction information between both teams we'll talk a little bit about what

deconfliction means if you're unfamiliar with that concept, but for now know that they serve that important role. A lot of times white cell will lead your outbriefs. Outbriefs may be end of day, might be weekly between red and blue; that meeting might even be monthly, whatever works in your organization, but white cell often, in their capacity, leads the outbriefs. And we want to note that identifying a white cell team member can be challenging, and the reason for that is because if in your company you think that white cell, the person that wants to play this role, expects maybe a couple hours a week where they're putting on this hat, well, it's been our experience that white cell was basically a full-time job while the execution and exercise is happening. So know that going in: if a person wants to play this role that maybe only has a little bit of time in between, say, their normal day job or meetings, it's probably not going to be that effective. However, remember too that if you can have a white cell member it's very valuable, because otherwise you're going to be trading time and energy, especially with your red team. So we talked a little bit about the key points; just some additional goals and benefits. Deconfliction: this is really where you don't want your blue team to mistake an alert for an actual attacker; maybe

they think it's the red team and valuable time is lost. We don't want that to happen. We want the blue team to investigate, make accurate but fast conclusions, and ultimately relay that to our white cell for deconfliction: is it the red team, is it not the red team, do we need to focus more on this than that? This is an important thing, to ensure that deconfliction of information happens. Exercise outbriefs: again, this could be daily or weekly, whatever works for your teams, but it's important to the exercise to have that cross-flow of information. And then again, white cell serves as that sanity check and sometimes referee between the two teams.

And finally, reporting. It's been our experience that white cell also sometimes remembers things differently, and more accurately, than maybe red team did or blue team. Maybe red team doesn't quite remember, something gets missed from the log; white cell is another person involved in the exercise that can say, no, no, it happened this way, or what I wrote down was this. So reporting is another place where they can be really valuable.

And so the green cell. To us, not too many teams have this luxury, a team dedicated to managing red team or whatever infrastructure you might have in your environment, but they play that part. So they manage the red team

or other infrastructure-related systems. They will be the administrator of any special software or hardware that might be used. Often the red team ends up managing their own infrastructure, but again there's a trade-off if there is no white cell or green cell. And in terms of goals and benefits, resourcing and resiliency: no different than any other IT system. If you have special infrastructure involved in your exercise, a green cell not only ensures that somebody's there to manage the systems but that they're available during the exercise. It's like any other outage with IT: if your infrastructure goes down it's going to impact the exercise, possibly the environment; it could stop the exercise. And so if you happen to be on a cyber range, or a private range versus your production network, there's trade-offs obviously to each one. We won't go into that really, but cyber ranges can be really awesome; they often require completely separate infrastructure, though. If you have any special software like traffic generators, things of those types that are especially useful in cyber ranges, this is where green cell really is helpful in managing all of that.

So we'll talk about the execution and our AARs. Again, on the left side you see our key points. We think it's really important to strictly follow your rules of engagement, always. We also think it's important to call out that red team should not do anything that obstructs the blue team's ability

to investigate, for example turning off EDR tools, things like that that could blind the blue team. Now I know that sometimes, especially later when teams are very mature, there may be times where you want to do cyber deception campaigns and things like that where you are actually obscuring maybe blue team's view, but most of the time you don't want to do anything in your exercises that is going to hinder the blue team's ability to investigate and respond. And also for red team: if you're not getting caught easily, increase the level of noise at some point in your exercise. You can think about when the appropriate time is based on your operations, but increase the noise so blue team has the ability to develop some IOCs to hunt you by; that's going to make a better exercise for both teams.

And so on the right side, again, examples. We talked about AAR as being a military concept, kind of like an improvement plan. This just lays out another piece of your reporting: what went well, what didn't go well, what can be improved, and how you want to plan for future success. It doesn't have to be super verbose, but capturing these items will add, again, maturity and rigor to your exercises for both teams. So what you see on the right side for red, that might be that the redirectors that you deployed really helped obfuscate your C2

infrastructure from the blue team and made it more challenging for them, and helped the red team. So for blue it might be correctly and quickly identifying red team's SMB password sprays that led them to a compromised laptop on the network that was on a marketing segment, which maybe wasn't as protected as other segments. We won't go through all of these, but you get the idea of how you want to develop your AAR in all your exercises.

So we'll talk a little bit about adversary emulation. Again, just some additional things that we want to leave you with; again, it's little things that will be important, especially during your planning and execution. So again, just some additional considerations: they may require more white carding, during your execution especially, and that's okay. It's okay to use white cards; make sure to log it in your report so that everybody knows why it was used. And remember that not all TTPs will be applicable; some won't be stealthy, some won't even be possible. So, say you want to emulate a threat actor known to have the resources to do zero-days; not everybody can burn a zero-day on a red team exercise, most of us, I'd say, cannot. That's all right though, we can still have a productive exercise emulating or mimicking those TTPs of that threat actor. And remember too,

TTPs from a specific threat actor today have probably evolved. So even what we know about that threat actor and how they work in environments during their operations has probably changed; they're probably not doing exactly the same thing, they're not using the exact same tools. That's okay; there's still value in doing APT or red team emulations, but just keep those things in mind and how to still get that value. And sometimes it can be helpful to have an insider. Sometimes this could be white cell, it could be someone from your IT staff, but they will help you be able to emulate certain parts of your exercise that might not be possible otherwise, and you'll still be able to get validity from those TTPs and be able to have blue potentially detect and respond. So keep that in mind as well.

So, remediation. We'll talk a little bit about remediation and how we see and break down remediation. We put it into two categories: prevention, and detection and response. So prevention is anything that denies, degrades, or disrupts the attacker's tactics, costing them time and stealth. For detection and response, this is really anything that involves the collection and monitoring for, say, a bypass of preventative controls, as well as things that cannot be prevented. Not everything can be prevented, but usually everything can be detected. So just some examples of those: for

prevention, putting in place MFA, putting in additional network segmentation, maybe having a stronger password policy; all great preventative controls. Then looking at the detection and response: again, not everything can be prevented. Madhav talked about DCSync; we may not be able to always prevent it, but if it happens we can detect it, and we can have a robust response to that if the detection were to fire. And MFA is a great preventative control, but we all know that there are bypasses out there. So what happens if MFA is bypassed? Can we detect it, and can we adequately respond to it? And of course, things that are very difficult in cases to be able to prevent, and also difficult at times to detect and respond to, would be abusing legitimate user accounts, or in cases legitimate admin accounts. These are the things where we want to be able to detect abnormal activity or use of those accounts and be able to take an effective response to it.

So looking at this slide: earlier, when we looked at this slide, we talked more about the left side, our planning, execution, and AARs. Now we're going to talk a little bit more about the reporting, the remediation, all the way over to the right side where we're going to have our blind test for response. So we'll be taking our TTPs used in the

red team exercise, there you see in the execution step. Those TTPs will be the basis of our unit tests, and those will be used to build new or better detections. Whether our TTPs are mapped to, say, MITRE ATT&CK, or if they're custom TTPs, really doesn't matter; we will be able to take either path, and our purple team exercises and detection pipeline process work for building and testing detections from either. So during our unit tests for detection, as a team we will slow down, we will be replaying the TTPs used in the red team engagement, and we're going to validate that our expected alerts are triggered. And once we have high-fidelity detections working, our red team will do that blind test using those TTPs to validate that we have an effective response. And the last thing we want to note is that this is a great place to measure team improvement. We think about that as: how much time did it take, say initially during our execution in our red team exercise, to detect something, or if we didn't detect it at all, and to respond; and now how much faster is that after our purple team sessions? And this can really be the basis of showing improvement.

And we'll talk a little bit about metrics and reporting. So metrics and tools: metrics demonstrate, again, that improvement and that value. We think about important metrics in terms of time. Time is a key

metric. In our opinion, time is money, whether you're an attacker or a defender. Attackers want to orient to the environment faster than defenders, and defenders want to kick the attackers out of the environment faster than the attacker can achieve their objectives, right? So time is key. We won't deep dive all of these tools or even the metrics, but we want to leave you with some tools that we think are great and could be helpful for doing metrics and reporting when you do your exercises, and what comes out of those. So you see here again, key adversarial metrics could be like mean time to compromise, mean time for privilege escalation; and for blue team it could be mean time to detect, mean time to respond, and mean time for recovery. Some tools that will help you do that you see on the right side: Detection Navigator, which Madhav talked about, that can be very useful, as we've found as well, and MITRE ATT&CK Navigator. ATT&CK Navigator will also be useful in your emulation planning if you're doing one. And then also you can check out DeTT&CT and VECTR, also some useful tools in this category.

So at the end of our adversarial services lifecycle, it's going to provide feedback on all the great work that was completed during phase one, two, and three. It's going to help train the blue team

to engage, be able to track, and be able to hunt for adversaries, whether it's the red team or an actual adversary. And our remediation phase is going to ensure that prevention, detection, response, and our overall posture are improving. And of course, strong preventions and detections are really the foundations of a strong response. You're going to be able to show progress and value by repeating all of these phases; all these phases are recurring, and they're going to work for whatever type of exercise you are planning.

So in closing, again, we think that blue team can use this training to proactively hunt. For example, let's say that an exploit is released for a zero-day; doesn't really matter if it's a zero-day or a five-day, whatever it might be. Blue team's going to be able to use this methodology to proactively hunt with IOCs for a zero-day exploit, whatever it might be, and be able to build detections from the IOCs. Again, all phases are methodically linked, they're recurring, and they provide you the basis for continuous security posture improvement, especially around detection and response. And importantly as well, it's going to provide transparency to your leadership team. They're going to see the value of what their budgets are doing, they're going to see all the great red team assessment findings, all the improvement with time, and in regards to what comes out of your purple team

exercises, all the great detections and response that your team is improving with. And so they're going to know, again, what they're getting for their money. The metrics, the documentation, and the communication, all of these coming out will be improved, especially around reporting and communication; this will build additional transparency so that your management teams understand all the great things that the teams are doing. And with that, we'd like to give a big thanks to everyone for coming to hear our talk, and especially to Charlotte BSides for having us, and we'll answer any questions out there now.
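The detection unit test and the time-based metrics the speakers describe (replay the engagement's TTPs, check that the expected alert fires, then measure mean time to detect and respond) can be put into a small harness. The following is an added worked example, not code from the talk or its speakers. The detection rule names, the alert records and the replay timeline are all constructed for illustration; the ATT&CK technique IDs are real IDs assigned here as assumptions about how these TTPs would be mapped, not a mapping the talk gives.

```python
"""Detection unit-test harness for a purple team replay (added example).

For each TTP replayed from the red team engagement, check whether the
detection rule we expect actually fired within a time window, then
compute detection rate, mean time to detect (MTTD) and mean time to
respond (MTTR) across the replay. Rule names, alerts and timestamps
below are constructed; the technique IDs are assumed mappings.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class TTPCase:
    name: str               # what the red team replayed
    technique: str          # MITRE ATT&CK technique ID (assumed mapping)
    expected_rule: str      # detection rule that should fire (assumed name)
    executed_at: datetime   # when the TTP was replayed


@dataclass
class AlertEvent:
    rule: str                            # detection rule that fired
    fired_at: datetime
    acknowledged_at: Optional[datetime]  # when an analyst picked it up, if at all


@dataclass
class CaseResult:
    name: str
    detected: bool
    time_to_detect: Optional[timedelta]
    time_to_respond: Optional[timedelta]


def evaluate(cases, alerts, window=timedelta(hours=1)):
    """Match each replayed TTP to the first expected alert fired at or after
    the replay and within `window`; stale alerts from before the replay
    must not be credited as a detection."""
    results = []
    ordered = sorted(alerts, key=lambda a: a.fired_at)
    for case in cases:
        hit = next(
            (a for a in ordered
             if a.rule == case.expected_rule
             and case.executed_at <= a.fired_at <= case.executed_at + window),
            None,
        )
        if hit is None:
            results.append(CaseResult(case.name, False, None, None))
            continue
        ttd = hit.fired_at - case.executed_at
        ttr = hit.acknowledged_at - case.executed_at if hit.acknowledged_at else None
        results.append(CaseResult(case.name, True, ttd, ttr))
    return results


def _minutes(td):
    return td.total_seconds() / 60


def summarize(results):
    """Detection rate plus MTTD/MTTR in minutes; MTTR only counts cases an
    analyst actually acknowledged, and missed cases are listed so they can
    be fed into the detection pipeline as coverage gaps."""
    detected = [r for r in results if r.detected]
    responded = [r for r in detected if r.time_to_respond is not None]
    return {
        "detection_rate": len(detected) / len(results) if results else 0.0,
        "mttd_minutes": mean(_minutes(r.time_to_detect) for r in detected) if detected else None,
        "mttr_minutes": mean(_minutes(r.time_to_respond) for r in responded) if responded else None,
        "missed": [r.name for r in results if not r.detected],
    }


def run_sample():
    """Constructed replay: three TTPs the talk uses as examples, and the
    alerts a SIEM might have produced during the purple team session."""
    t0 = datetime(2021, 9, 1, 9, 0)
    cases = [
        TTPCase("SMB password spray", "T1110.003", "smb_password_spray", t0),
        TTPCase("DCSync", "T1003.006", "dcsync_replication_request", t0 + timedelta(hours=1)),
        TTPCase("MFA bypass", "T1111", "mfa_bypass_anomaly", t0 + timedelta(hours=2)),
    ]
    alerts = [
        # stale alert from before the replay: must not count as a detection
        AlertEvent("smb_password_spray", t0 - timedelta(hours=1), t0 - timedelta(minutes=50)),
        AlertEvent("smb_password_spray", t0 + timedelta(minutes=4), t0 + timedelta(minutes=12)),
        AlertEvent("dcsync_replication_request", t0 + timedelta(hours=1, minutes=2), None),
        # nothing fired for the MFA bypass: a coverage gap for the pipeline
    ]
    results = evaluate(cases, alerts)
    return results, summarize(results)


if __name__ == "__main__":
    res, summary = run_sample()
    for r in res:
        print(f"{r.name:20} detected={r.detected} ttd={r.time_to_detect} ttr={r.time_to_respond}")
    print(summary)
```

Running the same harness before and after the purple team sessions gives the before/after comparison the speakers suggest as the basis for showing improvement: the detection rate and MTTD should rise and fall respectively as detections are built, and the `missed` list is exactly what goes into the detection pipeline next.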