
All right, hello, hello, and welcome everyone. Hopefully everyone had a good lunch if they were gone for lunch; if not, well, you're going to have to wait until after this talk. So today what I'm going to be talking about is how there is no such thing as purple, just a good relationship between red and blue.

So who am I? My name is Michael Hoffman. I go by "one and zero" on, well, GitHub nowadays, because I don't have any social media anymore after the old X debacle. I red team at Big AI. I write Golang malware. I like breaking Macs; it's a good time making malware for Macs. I run, and I'm a pilot, and this is going to be a recurring theme throughout the slide deck, so just buckle in.

A quick disclaimer: I'm speaking on behalf of myself, myself alone. My employer didn't have me come here, so this is all my opinions and my stuff. And now that I've successfully gotten through that disclaimer I can go on to the meat and potatoes of the talk, and since I'm already up here and speaking, I can say that we are actually going to be talking about airplanes today, because let's be honest, what more does a pilot want to talk about than flying airplanes? So today's agenda: we're going to be talking about why airplanes are cool, how you can identify a VOR (a very high frequency omnidirectional radial), what an ILS is, and what you can do if you're stuck on the ground. Nah, just kidding.

Okay, so what we're actually going to be talking about: I'm going to quickly run through what red teaming is. Everyone has their own definition, everyone has their own ideas of what red teaming is. If you go and Google what red teaming is, you'll get anything from pen testing to vulnerability assessments to adversary emulation, all sorts of stuff. I'm going to be discussing what my definition of red teaming is and why I believe it's what you should define yours as. We're going to quickly talk about what blue teaming is, just to make sure everyone's understanding of the different teams is the same. We're going to talk about some of the culture problems that come from these types of engagements, and why there is now this term called purple teaming in the world when in reality we just don't need it. And we're going to be talking about some of the things you can do with your red and blue teams to establish collaboration between each other, so that you can successfully cultivate that relationship and you don't need this arbitrary team in between the two to actually continue to have that relationship.

So, the quickly defined definition. I'm not going to read it out for everyone here, but basically the idea behind it is: it's a group of people who work inside of an operation, or a company, or an industry, that are supposed to be demonstrating an objective analysis of an alternative perspective on the environment, and also working to help demonstrate real-world attacks against the company, to help the blue team and defenders properly understand the different techniques and tactics that are actual threats to the company. In other words, a better, quicker definition: it's the practice of viewing it from an adversary's or competitor's perspective. The goal is you're supposed to be impacting decision-making from a company-wide perspective, not only from a technical vulnerability standpoint but also from a "what policies and procedures do you have, are you able to recover from significant attacks, how are these processes actually being done" standpoint, and actually flex these technologies, because if you are never testing your procedures, how do you know if they work? And as the old saying goes, you don't know what you don't know. This is a great link down here to Red Team Journal, which apparently he took down and has made private, so I had to use the web archive version, because it's a great quote.

So a quick thing: now this is obviously my definition of red teaming, and I'm sure everyone here has their own version, but the way I have been brought up through my years of experience is: red teaming is not pen testing. We are not there to just find all the bugs. That is a different function that is well deserved and well needed in every company, but at the same time that is not what red teaming is. We are not a function that just goes out and smashes stuff for the sake of smashing stuff. We are here to have objective-oriented engagements to try to help facilitate our defensive teams. Red teaming is also not part of the security compliance life cycle; we are not here to be a checkbox. Red teaming is supposed to give you the truth on the ground of what is actually happening in your company, not just a "hey, yes, we do security."

So a quick role of what blue teaming is. Blue teaming is an all-encompassing term for your defenders, right? These are the people that are constantly your SOC analysts, your detection engineers, your threat intel, your incident response, all these different teams combined together, and they are there to help defend the company. That is their goal, and it is a challenging goal, as everyone here can probably attest to, especially if you're a blue teamer. There is a constant strife of alert fatigue, and of a culture of everyone just declaring everything that is somewhat bad an incident, and that leads to problems.

So what you'd expect: you know, we're here to work together, we're here to be compliant. I'd like to thank ChatGPT for helping me make these images; that's the only AI that is in this talk. But you know what everybody expects, right? You have these red and blue teams, we're here to work together, we're here to make the company better. Everyone expects that this is what you get, when in reality, if you're not careful, it's something more like this. It tends to be where blue team has a serious challenge, right? Blue team is constantly defending from everything, and not only that, they're also worrying about phishing emails and exercises. They're just in a constant state of being understaffed and overwhelmed, and red teams tend to come in with this idea that we're here to just, pardon my French, [expletive] stuff up. We're just there to break stuff and to find all the stuff and to be badasses; we're here to just cause problems and to identify all the bugs.

So, stepping into it more: red team generally. The problem statement is more defined. Red teaming really only takes one entry point to get in, right? Whereas blue is covering the entire network. This causes that whole "it's super easy for red to quote-unquote win," right, because all we need is that one entry point. A lot of times another big issue that we stem from in red teaming and blue teaming is when red team finds stuff, the reports that they're given are not any good, right? We're giving them just, like, "hey, we found these vulnerabilities," but we didn't talk about the chain, we didn't step through every action we did on the host, why your decision-making was done, all the important steps that you as a red team need to do to ensure that not only are you pointing out the vulnerabilities that you're finding and the process problems, but you're able to correctly articulate that information back to your defensive teams. Because at the end of the day, if they don't understand what's going on, it's worthless. You are not helping at all.

And it tends to happen where red will come in and will start smashing stuff, and it becomes a red versus blue instead of a red and blue problem. Red is the adversary, or the company culture tends to degrade, because you run into this problem of blue is always getting their face kicked in and red is over there just causing more work, right? We're just there breaking stuff, causing more problems as we go. And there's also this problem of some red teams just truly believe that they're not there to help blue at all. They believe that they're just there to find and exploit all the vulnerabilities, to find the new sexy 0-days, and that's all they're there for. They're not there to help the defensive teams, which causes a problem. And on top of all that, red teams are internal teams in the company. At the end of the day, no matter which way you look at it, you have internal knowledge as a red teamer. You know stuff that the company is doing that is bad, right? And because of this you know where you can get away with stuff, and if you use that and abuse that, and don't properly follow the proper steps of parallel reconstruction, you will end up creating a fake scenario where you're not truly giving the right signals.

So now we have this, where instead of just the red and the blue team working together as a function, the industry has decided, "hey, let's throw another team in between the red and the blue teams and let's call this the purple team," and do the steps to make these teams work together. In my professional experience, that's not needed. What really needs to happen is we need to work together. And also this problem happens: now we have the orange team, the red team, the purple team, the blue team, the green team, the yellow team, right? The problem just keeps getting worse, and then we're down to the tomato team, the 50 Shades of Red Team here, right? We've now splintered red teaming into 50 different things. This is obviously a joke slide, thanks Jason Strange, but it's where we're at.

All right, so a quick step from the madness: beautiful view from the side of a plane. Okay, we've taken a step back. All right, so do we really need this, right? Do we need these purple teams or these other teams to come in and function as a liaison between red and blue? Are we really that different? Like, do we not speak the same languages? Do we not have the same sort of technical expertise? I don't believe so.

So my solution, and the solution that I would hope that all of you can take away from this, is we need to be starting off with red and blue being on a very collaborative footing from the get-go. If you're starting a new red team, one of the first things you should do is meet your blue team. If you can, meet in person, have drinks with them, get to know them as the people they are, because at the end of the day they are your friends and they are your teammates. You've got to continue to do joint efforts together, right, where you're scheduling engagements, whether covert or overt, or doing things where you're working together as a team to help each other level up. If you don't do that, eventually the communication will drop off, and when that communication drops off your teams start to become siloed and isolated from each other and you're no longer a functioning unit.

And when you're doing your attacks you need to be properly giving the correct signals on your attack paths. What I mean by that is you don't go into an attack as a red teamer and say, "okay, I'm going to go attack this" (I'm just using a terrible example), "I'm going to go get AD," and the whole way you're getting to AD you start triggering alerts left and right and you just tell the blue team, again, that it's the red team. That doesn't help them; they're not learning anything from you, and you're not learning anything yourself. You're just constantly abusing this internal knowledge, and you're also teaching them that every time an alert triggers it's probably the red team, and if it's the red team that's doing it, they're going to ignore it.

Part of doing that is by establishing what I call parallel reconstruction, and I'm sure some of you here are wondering what the heck is that. Well, like I said earlier in the talk, apparently every red team has internal knowledge. We always do. You're not going to get away from it no matter how hard you try; you're going to know stuff. So what you do then is, when you're operating in these engagement spaces, any information that you know ahead of time, you have to properly step the adversary to getting that information. Not just "I know there's a Confluence page with a bunch of creds over here." You actually have to perform the steps, as you're going through your engagement, of looking for that Confluence page, looking for those credentials, finding those credentials, having the steps of accessing those credentials, and then you can use them. If you don't do that, that removes the steps that blue needs to track while they're trying to hunt to determine how you got to this access. If you're just constantly going "I know that this crappy password is being used all over the company" and you just use it with no reconstruction on the backside, it doesn't help anybody. You're literally not helping anyone.

So a few examples of some things you can do as a red team to try and help your blue out.

Monthly syncs: get together with your teams and just chat, have a friendly conversation. Discuss "hey, what are you seeing on red team?" Right, the red team comes in, we go "hey, here's some of the techniques we're seeing in the wild, here's maybe some operations that we just got done doing, let's walk you through some of what we did," or "do you have any questions over the last operation we did?" Let the incident response team talk about the latest incidents they've seen, things they've done, what their problem space is. Are they getting overwhelmed? Are they seeing an APT hitting you somewhere? What are blue seeing? And then let threat intelligence actually discuss the actual threats that are happening. If you have a threat intelligence team in your company, let them come in and be like, "all right, we're seeing APT29 hitting this type of asset, we need to be aware that these types of attacks are hitting," or whether they're hitting us specifically, or they're targeting specific credentials, or going after specific assets, or doing pipeline injections, stuff like that. Whatever; just let them talk about the things that are going on. This creates a great culture of everyone sharing. It's an info dump, right? We're here to help each other, and by telling each other what our daily struggles are, it helps create that camaraderie that you need between these teams.

Another thing that the good folks sitting in the back helped create, and I love bringing up, is the red-blue games. So what are these? The red-blue games are a series of objective-based games set up in an overt manner. Overt is just "in the air," right? Everybody's open and everyone can talk about it. You are setting up specific scenarios to try and help level up each side. It's a low-stakes environment, no stress, right? Everyone knows we're there; we're not coming in covert through some sort of external spot. We're sitting on the servers: "hey, we're going to be in this area, we're going to give off the advice of 'hey, we're APT29, you should try and figure out what APT29 is doing and try and hunt us,' because we're going to give you signals like that." Doing this helps not only your blue team, because it gives them the proper signals to actually continue working forward on engagements, but it also gives the red team time to develop techniques, right? We can go through and say, "okay, let's create something new and novel for the kick of it, let's see if we can do something and see if this works in a real environment." Every scenario is different, so it kind of allows you to play different scenarios: "oh, I want to crypto-lock this one machine," or "hey, we want to go crypto mine here," or "hey, we're on this developer machine and we're causing problems," right? All these are different scenarios you can create, and doing so helps your teams keep learning and improving. This obviously helps spark new ideas for red, it helps blue learn what's going on, and it allows red to practice operational security, or OPSEC, in a place where if you screw up it's not going to completely burn your op. You can sit there and work on this stuff, so you can figure out the ideas or process problems on not only the red team side but also the blue team side, in a space where the end scenario isn't "you're going to be breached." You're actually allowed to properly run through everything in, well, I want to say a safe spot, but a less stressful environment.

Tabletops. Who here has wanted to just crypto-lock the crap out of their company, if you're on an offensive team? Exactly. I mean, everybody talks about it, but let's be honest, if we did that, the company can't do business. You can't do business, you don't make money, they're not going to hire, you're not going to have a job, you're done, you're out, right? Well, you can tabletop scenarios of this stuff, where you can sit down with blue, sit down with your defensive team, sit down with anyone on your hunt team, and just talk: "hey, what happens if I get access to this key? Okay, what's our defensive playbook? Run through your playbook. Oh, let's roll a die," right? It's hacker D&D. You sit there, you get to have a blast, and it allows you, the whole time this is going on, to communicate back and forth with each other, to constantly be like, "okay, what worked here? What would you do as the attacker here to bypass a defender, or whatever you've got for an antivirus? How are you going to go about that?" You can spitball and create these theoretical scenarios that maybe your company won't allow you to do in real life, and actually see how the teams respond.

And then detection and hardening and bypass practice. You never want to be tied to "this is our role," especially as red, like "I'm only doing this," but it is a good thing to do where you sit on a machine and go, "hey, let's see if the detections that you've actually made are actually working." Let's go in and see if they're working, and then see if we can bypass them. Maybe you're doing some sort of file manipulation on the server and you want to go through and determine whether or not, maybe if you cat the file and then you pipe it and then you modify it during that, it doesn't do anything, because it's looking at cat instead of looking at you specifically entering Vim or something to actually modify the file. Doing those types of different detection bypasses can help identify gaps and help harden your detections, and these can be done quickly. Have blue team come with you: "hey, I have 10 different detections here, I want you to test them," and you just go through those and run through them as well as you can. Blue can spitball ideas, or red can spitball ideas, on how to bypass, blue gets their detections exercised, and it's a win-win scenario between both. This is all stuff that a purple team would do, but it's red team's job. You're still doing what red team does; you're practicing your tradecraft in an environment.

So I guess, with one minute left, my conclusion is: proper red teams and blue teams working like they should covers the purple. One of the main functions of red teaming is your job is to be the sparring partner for blue. You're only there because blue is there; you're not there to just wreck stuff. And both teams working together can help improve each other and help improve every asset of your cyber capabilities. Quick shout out and thanks to my wife Karen for putting up with me, Mike and Toer and Jason and some other people, and my dog, who got a bunch of pictures in this talk. So, any questions?

Audience question: Got any tips for anyone who doesn't have a red team but has some offensive-minded folks, maybe a small blue team? Can you play this kind of activity together?

Yeah, so if you've got offensive-minded people, some of the red-blue game stuff kind of requires a bit of a lift, but anyone who has some sort of technical, offensive-capability mindset could do the tabletops pretty easily. You can really do it with one to two people, and then just bring in your blue team and just talk through stuff. Those types of games are really just discussions, right? You're running through stuff without having to worry about the heavy lift of actually doing the operation. And then it also depends on maturity too, right? Red teams really only belong in really mature orgs. If your blue team is two people and your company is like 500 or like 10 people, you don't need a red team, or something like that. And if you don't have assets like monitoring everywhere... I guess that's the best way to describe it.

Audience question: Yeah, I guess that was going to be my immediate follow-on question: do you bring other people into the room for when the blue team don't know the answers?

Yeah, so during those tabletops you usually will have someone from the product team. If you're specifically hitting a product, if you're trying to hit some sort of major critical storage area or something, you have that team sitting in there, because they're going to know what happens if you gain access to that stuff, right?

Woohoo. Thank our speakers. [Applause]
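The "cat it and pipe it versus open it in Vim" detection check from the talk, written out as an added example (this is not the speaker's code): two constructed telemetry scenarios for an edit of a sensitive file are run through three increasingly robust rules, and the rules that stay silent on a scenario are the gaps to hand back to blue. The file paths, event format and rule names are assumptions.

```python
"""Exercise detection rules against constructed endpoint telemetry.

Added example, not from the talk. Shows why a rule keyed on the editor
process misses the same change made through a pipe and a shell redirect,
and what a rule has to watch instead (the file, not the process)."""

MONITORED = {"/etc/app/secrets.yaml"}          # assumed sensitive path
EDITORS = {"vim", "vi", "nano"}

# Constructed telemetry. Each event is a (kind, process_name, detail) tuple:
#   ("exec",       comm, argv)         a process was started
#   ("open_write", comm, path)         a process opened a path for writing
#   ("rename",     comm, (src, dst))   a path was renamed onto another
# Scenario 1: the file is edited interactively with vim.
SCENARIO_VIM = [
    ("exec", "vim", ["vim", "/etc/app/secrets.yaml"]),
    ("open_write", "vim", "/etc/app/secrets.yaml"),
]
# Scenario 2: cat secrets.yaml | sed 's/old/new/' > secrets.yaml.tmp && mv ...
# No editor runs; the shell opens the temp file for the redirect and mv
# renames it into place, so the monitored path itself is never opened.
SCENARIO_PIPE = [
    ("exec", "cat", ["cat", "/etc/app/secrets.yaml"]),
    ("exec", "sed", ["sed", "s/old/new/"]),
    ("open_write", "bash", "/etc/app/secrets.yaml.tmp"),
    ("exec", "mv", ["mv", "/etc/app/secrets.yaml.tmp", "/etc/app/secrets.yaml"]),
    ("rename", "mv", ("/etc/app/secrets.yaml.tmp", "/etc/app/secrets.yaml")),
]


def editor_rule(events):
    """Naive: alert when a known editor is launched with a monitored path."""
    return any(kind == "exec" and comm in EDITORS
               and any(arg in MONITORED for arg in detail)
               for kind, comm, detail in events)


def write_rule(events):
    """Better: alert on any open-for-write of a monitored path, by any process."""
    return any(kind == "open_write" and detail in MONITORED
               for kind, _comm, detail in events)


def modify_rule(events):
    """Robust: also alert when something is renamed onto a monitored path."""
    for kind, _comm, detail in events:
        if kind == "open_write" and detail in MONITORED:
            return True
        if kind == "rename" and detail[1] in MONITORED:
            return True
    return False


def exercise(rules, scenarios):
    """Run every rule over every scenario: {rule_name: {scenario: fired}}."""
    return {rule.__name__: {name: rule(events) for name, events in scenarios.items()}
            for rule in rules}


def gaps(results):
    """Rules that missed at least one scenario, i.e. what to feed back to blue."""
    return sorted(name for name, hits in results.items() if not all(hits.values()))


if __name__ == "__main__":
    results = exercise([editor_rule, write_rule, modify_rule],
                       {"vim_edit": SCENARIO_VIM, "pipe_edit": SCENARIO_PIPE})
    for rule_name, hits in results.items():
        print(f"{rule_name:12s} {hits}")
    print("gaps:", gaps(results))   # ['editor_rule', 'write_rule']
```

Swap the constructed scenarios for real exec/open/rename records from your own telemetry (auditd, EDR exports) and the same harness becomes the "here are 10 detections, test them" exercise described above.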