
BSidesSLC 2017 -- Haydn Johnson -- Planning a Purple Team Exercise; The What, Why, and How

BSides SLC · 53:14 · Published 2017-07
About this talk
Purple Teaming is the idea of running a Red Team exercise with clear training objectives for the Blue Team. Good exercises should not just be focused on testing a product; they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one, and what does it look like? This talk explains the what, why and how of planning an effective purple team exercise and gives some examples. Most enterprise networks are Windows heavy, so the examples lean heavily on Windows. Testing assumptions, gaps and blind spots is what being proactive is all about. This talk is for both the console folks and the non-console folks.
Transcript (en)

[Music] Okay, all of you in here, the talk is about how to plan a purple team exercise. Nice clear title, so you know what room you're in. There is a really good event, a lifelike workshop happening, which I'm running to after this, so if you want to join me to do that from the speaker room... I grabbed a couple of chocolates to try to encourage participation from the audience. We'll see what happens, because once you've just eaten you feel so... yeah, okay. I guess we'll start and I'll pretend to try to be exciting for everyone. So some background about me, because you'll want to know about me and why you're here to listen to me. I'm a

security consultant for about four years, hashtag researcher, not in the academic way, but I really love InfoSec and all the things to do with InfoSec, whether it's red or blue or purple. As you can see I've spoken at BSides Toronto, Circle City Con, Hackfest, SecTor, BSides Las Vegas. I love BSides, they are really good community cons. The reason my picture is upside down is because it's a running joke with friends that I'm Australian, so everything's upside down, and I live in Canada, so hence the upside-down picture. A bit more about this talk, oh [ __ ], shout out to someone

special, because we were in Mexico on a vacation and she let me practice this talk in front of her, which is really great because she's not into information security and she could have been in the sun at the pool drinking. So she was nice enough to turn it into a drinking game: any time I said purple team, showed an animal picture, or made a self-deprecating joke, she's like, shot. So within like the first slide she was pretty much passed out and I was talking to myself. But we've done the introduction, hopefully I've excited you for the talk, and now back to the talk. So we're here for planning a purple team exercise, in case some of you guys just rocked up.

A simple outline. I don't even have a timer, but I guess it finishes at 2:30 anyhow. So I wanted to show the definition of blue team, red team, some of the terminology, then we'll go into a history lesson of red teaming. Don't worry, it's not academic, sitting there listening to a teacher, maybe you feel that way. Some cyber exercises, because purple teaming comes from cyber exercises and red teaming; an explanation of purple teaming; about three examples, I added one last night for the non-technical folk, so it might be less interesting to some people; and then storytime of a purple team event that I partook in a few years ago. So this is a slide I left in. My friend Lee

was meant to speak with us and he was going to update this, but then because of the immigration ban, or the travel visa... it's not a ban, that is a ban. He didn't edit it, so it's just a Sun Tzu quote. It's very zen. Because the red team, hackers, yes, yeah, exactly: like purple team is no purple team, I guess. So if you want terminology, we're going to go through red team, blue team. Again, any questions, just throw them out, I'm pretty approachable, trying to make this interactive, and chocolates. So red teaming. You have the vulnerability assessment person, they run a scanner, they give the report: Nessus, Qualys, maybe Burp. I have had

someone tell me, "Book us a pen test next Thursday," and then they say, "Hey client, you suck." The penetration tester is a little bit more advanced, they use Metasploit, Metasploit Pro, then tell the client, "Hey, you suck." They might use some exploits or lateral movement. Red teaming is the cool part: they phish, move laterally, find sensitive information such as a database or healthcare information depending on the client, custom implant, "Hey client, you suck." So it's everything that everyone wants to do. So here I get to the blue team, you guys. I understand most of the audience at Salt Lake City are blue teamers, this is according to Snow. Are you guys blue teamers? Hands up, one, two,

three, yep. Red team, pen testers, students, that's a mixed bag actually, she lied. So your blue team is not the fancy one, mostly Linux beard type people, they do IT support, firewalls, blinky boxes, basically everyone in InfoSec that doesn't use Metasploit, I guess. They're your threat hunters, or threat hunting, which is a new buzzword at the moment. The objective of the blue team is to identify threats, whether it's a true positive or false positive, confirm those threats, respond to them, mitigate the threat, mitigate the damage that's happened to either the client or customer or your network or data, respond to them, kick them out. Basically, like the standard IR six steps I pretty much threw in there. You guys

keep the network running, and who can fit to get the CIA triangle? So confidentiality, integrity, availability, keeping that network up. So purple teaming. Definition of purple team: you might have heard of it, maybe not, this might have been your first time hearing it, seeing it in the title. Have people heard it before? Dave Kennedy mentioned it a few times in the keynote, which is pretty cool, I was like, yes, I'm talking on that. The reason I like it is because if you know what a red team is and you know what a blue team is, you get the instant idea, the instant knowledge, that it's about collaboration, and that's where we read into togetherness. So purple teaming is

not just the red and blue team hugging it out awkwardly, or throwing punches at each other, more than shaking hands and being friends, I love you, you love me, let's purple team. It's not blue versus red or red versus blue like the Halo machinima items, which are pretty cool; it's blue and red. So this is our next slide, which I cooked up pretty quickly yesterday on the flight, because I really wanted to emphasize this point, that we're all the blue team. So you have these, I don't know whether they're green, we have these happy white people always trying to attack your network, which are, so I have a criminal, APT, China, Russia, whether it's a

friend or not we don't know, but the idea is everyone is a blue team, and that's really what we're trying to change. So red team and blue work together symbiotically, and in essence they're trying to make the blue team better, whether that's people, process or technology. So you have your people and their skill set, your technology, so your antivirus, how your network is laid out, and your processes, such as like your IR team has to check off all these boxes when they check out some malware or something. I do think of it as being mutually beneficial, so as a red teamer or a pen tester like myself, it's going to cost me a lot of money to buy Carbon Black or

enterprise antivirus, so I get to play with all this different software that would cost me 100 million dollars, I don't have this budget. So as a red teamer or pen tester... is that a question in the back? Just stretching? No? You can have chocolate. So it's really good for red teamers. So you're working together with the ultimate goal of making the organization secure. So you take all the red team origin of using a different threat and attack mindset, incident detection and response coming into it as well, policy and procedures, tuning controls. So purple teaming takes a focus at what and how we can use a task to improve the blue team,

again not "How can I smash the blue team and then give a pen test report?" A lot of the time as a pen tester I do it all and then hand them a report, here are some recommendations, and I would really like to learn and test my skills and work with them to see the other side. If they have an open RDP server, one client, to the internet, are they actually getting brute forced? I'm reading all these threat reports that it's all automated and should happen, but are they actually seeing it? Saying that's a pretty interesting pattern, they are... all right, cool, yeah, a little APT report and a Mirai botnet. So a quick history lesson of the red

team origin. It's actually... well, purple teaming is actually the original red teaming, if that makes sense. The red team is the purple team. It's just that InfoSec as an industry loves to water down terms and thought, so fear, uncertainty and doubt: we'll sell a pen test but deliver a VA, sell a red team and deliver a pen test, things like that. So as a consultant working at the Big Four, part of the industry, I'd like to say sorry, because we're in this sort of mess where all these buzzwords with marketing really aren't touching the real crux of the issues. So it's a Twitter post I put, that we, the red team, stuffed up so badly we actually

had to create a term to remind you guys, the blue team or clients, that we're actually there to help you and improve your security posture, as I've been explaining, not just beat you up. So it's not that... this is crazy, purple teaming is red teaming, red teaming is purple teaming, but the true red team is really watered down, by just explaining the origin, and because marketing colors here, colors there, white teaming, something-something teaming, you know how it is. So I wanted to give more of a definition, so I looked at where red teaming started, and red team sounds all fancy, and so we'll look through a bit of text-based information, a bit wordy. I had to increase the font

on all the slides, because I was watching the Amazon talk at 11:00 and I was like, crap, I'd better make it much bigger, so hopefully all this is readable. But the red team basically bashed on the blue team. Over time the red team evolved to test the security posture of military bases. So Raphael Mudge does a talk about air fighter pilots and how they would study Chinese or Russian fighter pilots for days, months, with threat intelligence, and then test their US pilots. So a sort of collaborative training to learn to work together, to actually understand real threats. So if this was in today's world it'd probably be Russia, I'm guessing, or maybe Russia's a friend of the US now, I don't know anymore,

the awkward point is that, yeah, no, I'm right, like he's not that bad. Like, oh yeah, well, you know this might be posted, I might not be let back into the US ever again, right. So it also goes into the key aspect of red team operations today, which is the adversarial way of thinking, so I like to call it the devil's advocate. So many people say to me, why would someone do this, why would they do that, it's pretty malicious. Because it takes everyone in a world to make a world, not everyone's nice, and me being a nice honest person, if I can think of something malicious or something to hack, it's already being done. So you have Tavis Ormandy

with all his exploits, finding, like, Cloudflare recently; I'm sure there are some people who already have those 0-days. So the red team just makes sure all these holes are plugged, and so the red team is necessary. I've also got little references on the bottom; I'm going to post the slides online if you want to go read for more information, they're pretty interesting. But ultimately I love purple team, again because it's red and blue, instantly you identify it's collaboration. So more colors, less colors, purple team, red team, I agree, I hate it as well, but I really think there is a place for purple teaming because of the military origin of red and blue team. I think there was

pink teaming that someone mentioned on Twitter a few articles ago, like pen test light or something interesting. So if you really hate purple teaming or love it or you want to discuss it, let's talk about it, and next time would be really good. Next slide. So we come to the cyber exercise bits. There are the really fun exercises that look cool and pretty on the outside but don't really do anything for you, or there are the tried and true exercises, like a deadlift, like red teaming, which are original and give you improvement over the years. So the foundations of cyber exercises, it's a good segue from those, meant to be funny but... other than that, this talk is about planning a

purple team exercise, blue team exercise, and all of that. So these foundations come from the MITRE playbook, which is cyber exercises, the core of it. And I wrote down my thoughts on paper and did a purple team blog before reading this MITRE book, and then I was like, oh, it matches with my thoughts, it's like exactly the same, so someone wrote down my thoughts on paper. So for a cyber exercise, the foundation of anything that you do is you need an objective. So why are we planning it, why are we doing something, if it's for kicks or for nothing? So just on here is a generic example of just a red team one,

so it's detecting and properly reacting during the exercise. So red team does something, implants, does the blue team see it? And this is made so big and cut off so you guys can see it, but I can resize it when I post it online. From objectives you get outcomes, so they're very similar, like it's hard to understand the difference, they're pretty much the same. So outcomes are more like, we want this to happen out of the exercise. The objective is to bypass antivirus; the outcome is to understand how it was bypassed, what mitigating controls we have, or can we tune the applications, can the outcome be that we make the antivirus more effective.

So just to pick up terms, the MITRE playbook has a million different terms, so what I really was interested in was the events and injects. So these are from the red team, and it's not just "Oh, this attack seems cool, let me try it," like in a pen test where you do whatever you can, smash and grab. Each implant, each exploit is used for an objective as part of the exercise, so it is to elicit a response, whether it's from the blue team, the antivirus piece of technology, or a process. So these are correct actions for a reason, it's just not smash-and-grab. So it's a quote I've made from my book, it's not exactly how they explained it, but

I thought this was a bit clearer because it's all focused on the big exercise that we're working from. So in the cyber exercise you obviously have teams. There are three main types of teams, I'm just summarizing because of time, or there's three or four, there's multiple different teams within teams obviously, but the main four I did was the ECG, which is the exercise control group. These guys organize the team, the red team, the purple team exercise. The grey cell are the helpers, the observers, and the blue team and red team are what we've discussed before. This is all making sense, everyone? Different foundations or teams and everything, cool. So the grey team I like to explain as

the director or a team lead; they're the eyes and ears. So if the blue team misses an IOC, the team lead's going to be like, okay, they've missed it, let's let them know in a different, indirect way to look for that IOC, the main IP address or something. And then the ECG, the exercise control group, is similar: they make the decision. So the grey cell is almost like the middleman, observing the blue team, filtering it up and saying, hey guys, this is the result of what's happening so far, and the control group ensures the objectives are met or that the responses from the blue team actually happen. I've got, I think, a little nice diagram that explains this further down the

line. So we've given you the terminology of the red team, the blue team and the purple team. This talk is about cyber exercises, again, over and over. So the different phases are planning, execution and lessons learned. I like to just use some simple icons that make it look cool, but maybe not. So there are three different meetings, or four or five, but I broke it down into three main ones. So there's the initial concept meeting, because when you plan something you need to just lay it out on the floor, brainstorm, see what you've got, like what is the overall thing we want to achieve, do we want to test mean time to detection for IR, this new blinky box has come in, so

you get your preliminary meeting, you have your middle meetings to fill everything out, and then the final meeting. So your very first meeting, I like to call it a concept meeting, or maybe from the book it's called the concept meeting. You brainstorm, your sticky notes, so a table or something, you just stick it on, glue, things here. It's like, what has happened recently, what do we want to test, is it relevant, maybe there is a need from an audit, you know how you get like "these controls are missing," you might want to follow that up. Audit, yes, I said it. So something always kicks the exercise

off. So some ideas that you might have: initial weaknesses, again from an audit; you might have purchased new technology; you might have some visibility in your network that you know your IDS doesn't necessarily pick up very well, for whatever reason, or firewalls tuned wrong, or switches and stuff. Test assumptions: like we had one guy years ago be like, "Oh, Meterpreter would be picked up, like that's just, you know, standard, it's been around forever." They did a red team and they used Meterpreter and it wasn't caught at all. So it's testing assumptions, and testing this persona of "we're protected" is really good. Then you've got to consider your budget and all that, or maybe you got a new team

member. So you might have implemented threat intelligence in your IR team, so if you've got threat intel and your investigations team, how good are your false positive and true positive rates? I know when I was at one of the main Canadian banks in intel, we had an issue, it wasn't really very automated, it was very manual, so the false positive rate was through the roof, and the IRT was like, why do we even need you guys, you're just giving us more work, because it was just like this domain, block, that domain, block, .ru, are you... we have Russians working in the company, so yes, exactly, all the Kremlin or whatever it's called. So you

might have seen something in the news, right, APT28: A Window into Russia's Cyber Espionage Operations. You might be like, this is how they worked, this is how they may have hacked company B, do we have these protections? We actually have a client where ransomware got caught by one of their competitors, they got a ransomware infection, and they came to us saying, hey, we want to ensure our ransomware protections are on point, things like that. Or you might have got some awesome technology, a little box, and said, hey, is it actually any good, did we need to buy it, or was it really just a waste of time? You have your middle planning meetings, your action

items, your accountability. So these are putting the teams together, checklists, making sure things are getting brought to life, and deciding what's realistic and what's not. So if, you know, when you scope a pen test out and you've got a day to do five days' work, yeah, those sorts of things go into this. Then some ideas for this: who will be involved, different use cases for your technology if you're testing something, your red team or your blue team needs some training, or preliminary recon that your red team is to do, those sorts of things. So you want to prevent confusion throughout, so it's really important to have the main leaders in each meeting, because I don't

know how many times you guys have been in, like, a scoping kickoff meeting, scoping everything, you get to the client, the client's like, "You're doing this, right?" Like, "No." "Are you just doing your scan?" "No, I'm fantastic, I'm doing exploits." "What? We can't have that, you'll bring the shop down." Have you guys ever had that? Yeah. So if we get to the final stage meeting, we cross the t's, dot the i's, so you're just making sure everyone understands what's going on. So you make sure your red team's ready, they've got their axes sharp, they've got the exploits or tools they need, they've done their preliminary recon so they're not wasting time, the budget's been approved,

you've had your dotted line signed, you've got correct approval, because you don't want to start something, or a pen test, without an engagement letter or authorization letter, because it's not nice. So you might have escalation procedures: if something happens or doesn't happen, who do they talk to and why, and when do you let the client know you've gained further access? And then the thing about red teams and purple teams is you're attacking the organization. There needs to be a contract, or like a service level agreement, SLA, on how long the red team can wait before letting the blue team know it's them or not. So someone might be like, we've found this machine, it's infected, credentials have been dumped,

things in memory, is this a red team or is it an actual APT, China or something? You need to have that communication lined up as well. So back to outcomes. So what you'd see for a typical red team is that they simulate threat scenarios driven to the training audience, test cyber defense. So this is almost like a typical pen test or red team, just the example. So it's really great, because the most obvious difference between a single pen tester and a red team... So during execution you need to run the exercise, whether it's a purple team, red team, and then observe what happens, as much as you can. So the way

this happens, with my big diagram that hopefully everyone can read, is that the red team is tasked with an action from the exercise control group. So this all comes back to the goals and objectives of the exercise. So the red team is tasked with something, whether it's to test antivirus, test a firewall, or things like that, it's all for a specific reason. So from that the red team conduct the inject or event and then continue on that. So they might drop a shell, phish someone, things like that, akin to doing a pen test or a red team but more calculated. So then when that happens, the training audience responds, does their thing, maybe they do it, maybe they miss

it. Whatever happens from that is that the observers then take that collected information, they note down what's happening and what's missed, maybe this tool didn't pick up the signature we thought it would, things like that. They feed that back to the exercise control group and say, here's what's happening so far. So it's like constant communication, and the exercise control group is there, you know, they've got their objectives and outcomes all planned, so they can see what's happening, what's missing, and then if anything has not happened they'll task the blue team with an action. So I was at a bank, as I was going to explain later, and they said, yo Haydn, we've got these things from the FBI,

because we've been working with the FBI and American banks, can you just check this one? It was an IP address or domain, I'm not sure. And then let the investigations team... okay, that was weird. And then ultimately we found out it was a red team and we missed that IOC completely, or the investigations team didn't pick it up, too many alerts or something like that. So I have a habit of running out of breath, so... my water bottle disappeared, yeah, I've got coffee. So what happens if there are no alerts, or the blue team don't see anything, or things are missed? The grey team observes this and then tasks, like I said, the blue team to look

for a domain or an IOC or something, so like, can you check this user's password or something, and then they will say, hey blue team, can you check for domain hackers-foo or something. So it comes back to the goals and objectives of the purple team, so it's all related to getting the most value out of what you want. It's really high level, I know, but if you think of a pen test and you just do it all and give a report, this is more beneficial, because the blue team can learn and the red team can learn and get back to them everything. So even with antivirus, because you get so many alerts. Target, like, eight years ago got

hacked by a third party and actually saw the alert, but they ignored it because of such high volume. So another thing to test, and if this is missed they might call up and say, hey blue team, check the alert for malware.exe, antivirus files or something. But also from the red team side, if you're using a custom implant, like Beacon, with a Beacon payload from Cobalt Strike (everyone uses Cobalt Strike? Yeah? You know Raphael Mudge? Yep, cool, amazing tradecraft), well anyhow, back to my transport. You've got your red team, they might have tried some exploit that's really advanced and the blue team doesn't see it, so the red team might be tasked with using Meterpreter. So it's

about either going really advanced and then lowering the difficulty to where a device or a team sees it, or it's going from something easy and increasing in difficulty. So it's sort of whatever suits your organization, the goals, objectives, the budget and timeline you have. So through execution you just want to keep calm and follow through and observe. Am I going to 2:30? Yes, all good, I don't know, it was just a little interruption up the back. Anyhow, yeah, so we just follow through on the planning, keep your mind on the goal and keep going. So just to reiterate, you want to know how the team is responding, what problems there are, if there are any bottlenecks in

the processes. It might be like the team sees the domain but they don't have time to investigate it deep enough, because how many times do you get an alert, you have to look into it, it's going to take X amount of time, you have to reach 20 tickets a day or something, it's a fire. So then you get to the lessons learned part of the exercise: planning, execution and lessons learned. So you need to understand what observations were made, what went well, what didn't, positive, negative, both constructive and maybe not constructive, depending on how much you liked the blue team or the red team. So the way I diagrammed it up was that you run the

exercise, you see the bad and good, you have your improvements, you follow up, and the big yellow line is to emphasize that these feed into future exercises, because you don't want the exercise to just be the same one. Like, if I do a pen test and I find A, B and C, if I do it next year I'm probably going to find A, B and C, and I really don't want that to happen. So anything you do, whether it's red, blue, whatever, needs to follow up and feed improvements back into your exercise. And this all comes from collecting information from your red team, from the training audience, the exercise control group, your observers. And like Dave Kennedy said, this all is

hard work and takes time, but is really important. So now I've given you the history of purple teaming, cyber exercise foundations, red team, blue team. You should all be up to speed on purple teaming, correct? Yes? No? Awesome. Need more chocolate for participation? Throw it out, smile. So we get to the fun bit early, so I think it's a fun bit. So we have planning. So my article, which sort of really was a precursor to this talk, spoke about starting small. So typically for any exercise you don't want to bite off more than you can chew. You want to consider things like funding, budget, what kind of state your organization is in,

what technology you have. So is your security budget huge? Do you have the best tooling, do you have a pink blinky box? Sadly, I hope. But if you're building up a defensive team you might have some really strong veterans, for example, and then you might want to train the newer guys. Remember, purple teaming use cases can be any size really, tuned for your organization, really you customize it, because pen tests are just the same red team... So you want to consider your SDLC program, if you're doing application development, is it mature, is there one, what things are maybe... those things will help you decide what links to doing the

exercise, what sort of budget you need. And so what things annoy the team might be more than just policy and procedure: do they feel that filling in a form is beneficial, like when you're doing an investigation, or is it just process, or maybe there is a tool that frustrates them ridiculously. I used to do threat intel and the way we imported IP addresses and domains was horrendously manual, and it was just like, put it in Excel in certain formats, copy, paste, upload, copy, paste, upload, it was horrible. So that was really annoying, and then on top of that I had to google and understand all the different threats relevant to

the bank in Canada, which could be anything: HAMMERTOSS, credit card malware, things like that, and I could spend all day, all week, just doing the new threats. So as an example, everything had to be done by 10:30 a.m., so I had to consciously cut myself off at 10:30, like, no more threats for that day. Not very good for an organization when they're so large and sponsoring different events and political whatnot. So we eventually matured to automate some of it or get a second person to help, so I might go to sites and whatnot, but we really had to automate this threat intel. So here we've come to the examples of purple teaming

I just created out of my mind and some experience, which hopefully will be of interest to you. I created this one yesterday, because I have really technical ones, because I'm technical, and I wanted to add a paper-based one that was maybe easier to understand. I guess it's more thinking outside the box, which really comes back to the essence of purple teaming. It's less interesting maybe, but we'll see. So I thought about doing temporary access cards, because with a client we were doing a physical pen test ages ago and we were tailgating in easy, as no one had a visitor lanyard, nothing bright, so we just walked in, no one cared, like even their own employees

really didn't have anything identifying themselves as an employee. So this was actually with Cheryl Biswas, @3ncr1pt3d on Twitter, we did that together, and then she had another engagement with that same client, and she and the managers asked for a temporary access card, but she never got one. She asked and asked and they wouldn't give her one, so she just SE'd and tailgated her way in and out to the bathroom, because for some reason the bathrooms are in the middle of where the elevators are. So for a month she's tailgating people in, like, you really need to test some of your processes, and yeah, so she would SE in and out. So when you think

about temporary card access, you might think about the paperwork and who you have to talk to. So you've got to understand what is required to get one, maybe a signature, evidence of who you are, things like that, you know, standard processes. It's nothing exciting, but a lot of it's on paper and approval. But then what if it's not approved, what if there's no signature or a fake signature, can you pretend to be someone? So it's all red teaming and social engineering as well, you're just testing this process, you being the devil's advocate: what happens, do they approve it, or can they tailgate? And I showed it over and over and over. So you

need to ask questions. So you've got to imagine how it is now and what you could do or could not do. So if an employee loses a card, what happens, do they get given a temporary access card, how quickly do they report it, things like that. So again you'll want the red team to try to get past without an approval, so you want to think about not the normal process, breaking processes. So again this is all about working with the red team and the blue team, like Dave Kennedy said in the morning, understanding each other and being the devil's advocate, really. So we will advance in difficulty. For a purple teaming exercise I wanted to show

detecting port scanning, because if you're a blue team you might be aware of nmap, or not. Have you guys used nmap before, to scan your own internal environments? Yep, you know some of the flags. It's just an example everyone can do. So your pen tester always runs nmap, because they have five days to do what a hacker will do in a year. So it could be this simple: you just grab a free tool, you run nmap on your environment without any flags. Quite simple. Like, purple teaming doesn't have to be hard: open a common, open-source tool. The idea in purple teaming, where it helps, is that you then increase in complexity. So

if the basic nmap scan is caught, that's awesome, good job, high five, gold stars everywhere. You start with the basics, but maybe some of the security points aren't detecting things, or they are, so you need to understand: when your lights go off, why do they go off, and then does anyone do anything? So you might be testing antivirus here, but you can also add complexity in that you're testing detection response. So you've got detection, that makes sense; what about how the team responds? So that's a way to increase complexity. Another way is using the different flags, so using a slow scan, a fragmented scan. So there are multiple different ways to try to figure it out and be the devil's

advocate here. So it's just the nmap reference guide; it has a man page. If you're not a pentester, grab an open-source tool, have a look at the man page: what can you do? You can slow the scan, fragment it, Xmas scans, or even just scan one port on each system. So some of you might be like, "nmap? You want me to... but APT, APT doesn't use nmap." Correct, potentially, maybe not, but if you don't detect it you'll never know. So it's a start. Hey, everyone, it's just thinking about what you have, what you can use. As I keep reiterating, you have to start somewhere, and if you're a small organization maybe you've never had a pen tester or a

vulnerability scan, so you want to be really careful with your environment; you don't want to just crash everything. So it's great to test your current technology and its effectiveness. Maybe your device is just not tuned and you need to go in and set it. So many routers, for example, in a pen test have default passwords, or if they're not, I can Google them in the user manual. So yeah, also it's cheap. So APT won't use nmap, okay; APT will use PowerShell. DerbyCon, it's huge; living off the land is really huge. So it's just a quick example of saying okay, nmap's caught, that's great, what about something more in our difficulty stripe: PowerShell, or DCSync, now getting

domain controllers once you have domain admin, or things like that. This whole iteration of being proactive. So another example I wanted to show was restricted desktop environments, because I think clients are starting to get better, or CISOs are starting to get better, and restricting what your user can do: command line access, reading C drives, things like that, accessing admin shares. So clients have removed local admins from users, good job; might as well restrict the desktop, because everyone's losing control of their data, you really need to lock it down. So the example, the way I set this up, was through software restriction policies. I've given mostly lots of a mixed bag. So you can go into Windows 10, edit software

restriction policies; you can apply it to all users, to files like DLLs, things like that. If you restrict it, you can let one app in; it looks like chroot in Linux. The problem with that is that if you move, say, Word into the whitelisting, you then have to allow all the different libraries for it, so it's actually quite difficult to set up. So then I was like, okay, let's look in the local policy, and something simple to start with is, like, hey, users, you don't need to know where the C drive is, you just need your My Documents. So we're just going to hide these drives in My Computer, in the My Computer section, or

whatever. Here, you go in here, you enable the hide drives policy and then you restrict drives. So "one of the following combinations", "restrict all drives", right? But yes, the C drive is restricted, no drives for anyone, malware can't reach it, right? You'd think so, but it only restricts viewing of the C drive. So if you open up Notepad, for example, go through the file dialog and you type in C:\Windows\System32, you can get to cmd; you select "All Files". So you can get access without having access to that. Makes sense? So, just, admins might block a little bit of PowerShell, but you can use [inaudible].exe, for example, sort of bundled

together. So Windows 10 is even nice enough to autofill this, which is really cool. So you right-click from the Notepad file dialog; it's pretty standard, pretty easy, I guess, and right-click cmd, "Run as administrator", or if you're just a local user, "Open", and then as a user, as you see: too bad, so sad, you now have cmd access even though it was restricted, or at least the C drive was restricted. So this example is of course trivial, but it's rampant in our industry: just, let's block this, let's block that. I think hiding something is good, but it's not the full way to block it, or block cmd access. So the simple way, if this is usable for your

environment, is that you can go in, and there's an actual "Prevent access to the command prompt" setting. So you can go in, turn it on, enable it, or prevent cmd access, so that when the user does this and then goes directly to that command line through Notepad, it's disabled. So it's just another way of purple teaming, just another example. So Lee Kagan, the Invoke Threat Guy, was meant to be here speaking with me, but again, immigration issues he was worried about, not that he's black hat or anything, just he'd been in the Middle East. AppLocker: he created this one. [inaudible] Yeah, so AppLocker,

if you're a more mature environment. He basically used the local security policy to apply to everyone. So this is something you'll think about: AppLocker and Device Guard, it's really good. So he just very simply enforced all the rules on everyone, just a test environment, to show you a simple way to bypass it. It's another key thing: sysadmins are blocking things. So he used Cobalt Strike; he called it beep.exe, a beacon payload, and then he tried to run it. It's not a Microsoft-signed application, so it's blocked. Good, yeah? No way around it. However, with the .NET Framework there, I think it was Matt Graeber who does insane research in this area, and

there's, within the framework, multiple executables that allow you to do different stuff. So csc.exe was used. Not sure if you can read the PowerShell line, but I put it in text anyway. He's just running it as platform x86, 32-bit; the output is going to be [inaudible]. See, the same thing: it's called as beep.exe in this one, which was denied. So he's done that, he's used the beacon payload to create the executable, and then he executes it with InstallUtil on the host, from within the .NET Framework. So he uses InstallUtil with /logfile= /LogToConsole=false beep.exe. So if we go back, it's blocked, but once we sign it by itself and then

run it from itself, it executes, so we receive a connection. And this whole idea is the purple teaming; so it's a perfect example of: you have something you've done that you think stops it, but then thinking outside the box, and then, with the blue teamers, you would then work with them to lock this down. And I did not do research on how to stop it, but I'm sure it's out there and can be found; for the talk I didn't have time, so sorry for that. So those are the four purple team exercises I have, and to sum it up, the idea of purple teaming, collectively, anything, is that I like to think of it as people, process and

technology, with a human element. So different skill sets you want to test; you want the red team's... when we test our mean time to detection, process, these different processes, like how many times I do a pen test or vulnerability scan and I can touch this subnet but not that subnet; it's really frustrating. So who to escalate to, can we try this exploit on that system, different communication, whether it works or not. Your technology: so your firewall, your antivirus. The whole purple teaming thing is about this, how it suits your environment. But when a red team is attacking you, it's more like sparring, so it's there to help you get better, if that makes sense. So

they understand purple teaming, yep. So the last bit was story time. So really quickly, I've got 13 minutes, I wanted to go through the bank's red team. So I was there as a threat intel analyst, doing IOCs, so IP addresses, websites, domains, that sort of stuff, doing the research in the morning. And then this red team went through an assumed breach: they privilege escalated, they used Meterpreter C2, and they exfiltrated over FTP. So this is a few years ago, so it's not advanced, and it's a big bank, like one of the top four or five, so any company, pretty much one of them. So what happened is that we had to, so full

full disclosure, the red team completed everything without being detected, even with Meterpreter as C2. So as I said before, as a threat intel analyst, my manager called me, under the story that I have to investigate or tell the IR team about an IP address we found, because we didn't detect it. He said, look for this, see what happens. So then we'd seen it; I ran over to the investigators to say, hey guys, can you look for it? So they found it, said, like, okay, cool, but I've got a team meeting in like five minutes. So they all left for the team meeting. Now, the team meeting is right on lunch, so after the team meeting they all leave,

they go to lunch, come back two to three hours later: meeting, lunch, and probably coffee. So then they identified data exfiltration over FTP. So then crap hits the fan and then they all go into this... wait, you know, if you do boxing or martial arts, when you're practicing it's fine, you punch on a bag, it's fine, but when you compete your adrenaline goes through the roof, you get blurred vision, you get tunnel vision, you don't follow proper technique. So that's what happened with the IR team: they just didn't follow anything, they broke process. One guy actually logged into the FTP server, hacked back to delete the data, thinking it's a cyber criminal, not XYZ security

company red teaming them. It just was really bad. So after that, they broke process, everything's broken. The purple team part was the debriefing. So it was like: the blue team, what did we see from our perspective? The red team, what they actually did. What we saw, what they did: the differences, or the gaps, are the improvement opportunities. So from that you have your lessons learned, because you actually did the debrief, and then the processes they had in place were not as effective as they looked. So as I said, I even broke process by getting up and going over saying, hey, this is urgent, have we seen this IP address? instead of emailing and

putting it into the ticketing system, because we take ten minutes. There were big roadblocks in communication, so like, my communication was not the best. Then we had different IR team members doing the same things; it's really, really bad. So processes were bypassed, it was hard to collaborate because the tools weren't working as you would naturally think they would. So everything's good on paper till you test it. And then rotating shifts: we had some malware analysts who were ripping apart the binary, or whatever it was, and they were all working at the same time, so there were three of them, but it took them overnight to do it. So if they broke it up into shifts, they wouldn't be totally

tired having to work 20 hours each; it would be like 8 hours, 8 hours, 8 hours. So that was one of the things they improved on. And then the highest suggestion overall is to not hack back into the FTP server. So their IR equipment, they found out through doing this exercise, was extremely slow, which the team had been complaining about for ages; the infrastructure was out of date. So because it's a massive bank, like, not worldwide, maybe, not sure, depending on how the umbrella thing works, nothing changed in the short term, because of red tape, execs don't want to give you money, things like that. The issues were acknowledged and long-term plans

were put in place. So some of the solutions from this purple team exercise were: creating clear and defined processes for the hierarchy, because everyone just broke it; training on hacking back: don't; and shifting lunches so that not the whole IR team packs up and buggers off for lunch at the same time, like having someone there all the time, because that's when hackers attack, right, when you're not there. So thank you very much for listening, almost to the end, almost. The takeaway from this is: don't assume, it makes an ass out of you and me. Be proactive, take action. Hopefully some of these purple team exercises, maybe research more, get deeper into the weeds. Thank you very much for listening,

and I know it was lunch and everything. I'd debate, discuss, ask me questions now; I think we've got eight minutes, so I finished a little early. Afterwards, on Twitter or the pub: this is my Twitter account, Haydn Johnson. I'm using a US one just so the immigration border can't suck down my whole life, so that's at Ozzy camp. But yeah, really, purple teaming, really customize it for your organization. Thank you. [Applause]
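The port-scan detection exercise from the talk, worked from the blue-team side as an added example; this is not the speaker's code or material from the talk. It runs a small detector over a constructed connection log (the log format, the IP addresses, the timings and the thresholds are all assumptions made here). It flags the default nmap-style vertical scan, the one-port-on-every-host horizontal scan and a flag-only Xmas scan, and shows how the slow scan the talk mentions slips past a 60-second window but is caught when the window is widened to 15 minutes.

```python
"""Port-scan detection over connection logs, for the nmap purple-team exercise.

Added example, not the speaker's code.  The log format (one TCP connection
attempt per line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <tcp_flags>")
and all traffic below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2017, 7, 1, 12, 0, 0)  # constructed start time


def _line(t, src, dst, port, flags="S"):
    return f"{t.isoformat()} {src} {dst} {port} {flags}"


def build_sample_log():
    """Constructed sensor log: benign traffic plus four scan styles from the talk."""
    lines = []
    # Benign: one workstation repeatedly talking HTTPS to one server.
    lines += [_line(T0 + timedelta(seconds=3 * i), "10.0.0.50", "10.0.1.20", 443)
              for i in range(40)]
    # Default-speed vertical scan: 25 ports on one host, one probe per second.
    lines += [_line(T0 + timedelta(seconds=i), "10.0.0.5", "10.0.1.20", p)
              for i, p in enumerate(range(1, 26))]
    # Slow vertical scan (nmap -T0/-T1 style): same 25 ports, one probe every 30 s.
    lines += [_line(T0 + timedelta(seconds=30 * i), "10.0.0.9", "10.0.1.30", p)
              for i, p in enumerate(range(1, 26))]
    # Horizontal scan: one port (445) across 12 hosts, 2 s apart.
    lines += [_line(T0 + timedelta(seconds=2 * i), "10.0.0.7", f"10.0.1.{i + 1}", 445)
              for i in range(12)]
    # Xmas scan (FIN+PSH+URG, no SYN) against a few ports of one host.
    lines += [_line(T0 + timedelta(seconds=i), "10.0.0.11", "10.0.1.40", p, "FPU")
              for i, p in enumerate((22, 80, 443))]
    return sorted(lines)


def parse_line(line):
    ts, src, dst, port, flags = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "flags": flags}


def detect_scans(lines, window_seconds=60, port_threshold=20, host_threshold=10):
    """Return alerts as (kind, src, target, count) tuples.

    vertical   - one source hits >= port_threshold distinct ports on one host
                 inside a sliding window of window_seconds
    horizontal - one source hits the same port on >= host_threshold hosts
    xmas       - FIN+PSH+URG set with no SYN (flag-based, no counting needed)
    """
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in sorted((parse_line(l) for l in lines), key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    alerts = []
    for src, evs in by_src.items():
        seen_vert, seen_horiz, seen_xmas = set(), set(), set()
        left = 0
        for right, ev in enumerate(evs):
            if ({"F", "P", "U"} <= set(ev["flags"]) and "S" not in ev["flags"]
                    and ev["dst"] not in seen_xmas):
                seen_xmas.add(ev["dst"])
                alerts.append(("xmas", src, ev["dst"], 1))
            # Advance the window's left edge so it spans at most window_seconds.
            while ev["ts"] - evs[left]["ts"] > window:
                left += 1
            ports_by_dst, dsts_by_port = defaultdict(set), defaultdict(set)
            for w in evs[left:right + 1]:
                ports_by_dst[w["dst"]].add(w["port"])
                dsts_by_port[w["port"]].add(w["dst"])
            for dst, ports in ports_by_dst.items():
                if len(ports) >= port_threshold and dst not in seen_vert:
                    seen_vert.add(dst)
                    alerts.append(("vertical", src, dst, len(ports)))
            for port, dsts in dsts_by_port.items():
                if len(dsts) >= host_threshold and port not in seen_horiz:
                    seen_horiz.add(port)
                    alerts.append(("horizontal", src, port, len(dsts)))
    return alerts


if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", detect_scans(log))
    print("15 min window:", detect_scans(log, window_seconds=900))
```

The slow scanner (10.0.0.9) never has more than three probes inside any 60-second window, so the default run reports nothing for it; the 900-second run does. That is the trade-off the talk's "slow the scan" variant is probing: the wider the window, the more state the sensor must keep per source, and the more a single busy workstation looks like a scanner unless the thresholds are tuned to the environment. Replace `build_sample_log()` with lines from a real firewall or NetFlow export in the same five-field shape to try it against an actual nmap run.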