
Can you all hear me now? Yeah. I think everyone's been on Windows, so putting a Linux laptop in has been a bit of a [ __ ] up, so I do apologise for the late start. Those of you that already know me know I can't get through a talk without some booze, so I'm already celebrating the end of this talk with some cheap Prosecco from Sainsbury's. Thank you, Gemma, for your help.

Okay, so today I'm going to be talking about maximising pen tests with purple teaming. The whole point of this talk is to make it accessible, so this is going to be very easy. At the end of the day I want it all to just wash over you, and hopefully you'll all come out of this having learned something. I don't know, hopefully some of you might sit there thinking, [ __ ] hell, that was a real waste of [ __ ] time, but anyway.

I'm Eliza Austin, I'm the CEO of That Security Company. So I should really go to this slide: my favourite topic is to talk about myself. Never mind. If Lisa Forte is in here she already knows that one, taking the piss out of me last night for being a narcissist.

So why am I qualified to talk about this? I know some of you might come into these talks and think, why is this person talking to me about XYZ? I've got a background in digital forensics, not particularly great at it to be honest, so I started a business and hired people that know what they're doing instead of me, who's pretty [ __ ] at it, to be completely frank. My favourite horror story is: I worked at Marks and Spencer many years ago, and they said, right, okay, we've got this investigation, here's EnCase, go away and image this drive, this evidence drive. So I was like, yeah, [ __ ] on it, I did this at uni, I know what I'm talking about, and I was super over-cocky about it, and I went and copied the zeroed-out drive to the evidence drive by mistake, and sat there and watched it. I went for my lunch, I came back. Those of you that do digital forensics will know it takes hours, so I was sat there looking at it and I thought, [ __ ], I [ __ ] up massively. Thankfully... I thought he was going, like, so he stopped swearing, stop drinking, get off the stage. So those of you that know digital forensics know that it takes a long time to image a drive, so midway through I unplugged it and just [ __ ] the whole thing up. Thankfully I wasn't in the police, I wasn't working on some paedo case, so no nonce got away with being one. What actually happened was someone potentially might have got away with something else, so it was nothing major and it was a lesson learned. So now, if I have to come across that, which I don't because I'm a CEO and we don't do much, I triple check, quadruple check. So that's my background.

I also went on to work in various different companies and set up purple team functions, or tried to set up purple teams, and came up against massive roadblocks when I tried to do that. So I'm here today to talk to you guys about how you can set up a purple team function to get the most out of pen testing and red teaming on basically a bootstrap budget. It is expensive, but let's talk about this.

Normally I like to walk around and be quite fluid, but I can't because the microphone's here. Yeah, there's one guy here, like, you are on the front row. Okay. I hate it when I go to a talk and I know the title but I don't actually know what we're talking about until 15 minutes in, so this is literally about how you can do this yourself. This is very DIY, it's very sort of manual, but I'm hoping you can get something from it. You could pay my company to come and do a purple team exercise for you; it's gonna cost you a lot, I'll be honest. I'm not gonna go into that, I don't want to spoil the event with a sales pitch, but I am passionate about making cyber security and cyber defence accessible. So that's what this talk is about: making it available for you guys to go away, take the trackers I'm gonna give you and do it yourself, and hopefully do that year on year and really make the most out of the pen testing that you have to do.

So by the time you walk away from this talk you will understand a tried and tested process for purple teaming. This is something that we've come up with in our company; it's a very common-sense way of doing it. I do think simplicity is best when it comes to cyber defence: if something is too complicated people are just not going to follow it. I'm going to break down the different stages of that process as well, so you can take it home with you and manipulate it however you want, and there are some downloads as well that you guys will have. To be honest, it's [ __ ] spreadsheets, you can recreate them if you want, but I will show you them and talk you through them. And there's also a chance to win a book. One second.
So thanks for counting me down. There's this book here, Professional Penetration Testing, it's edition two, I don't know if that's good, I have no idea, but basically it's been sat on my shelf for about three years and I've never read it, so I thought I'd bring it. So at the end, the best question gets this book. I'm wanting to encourage people that are not senior in industry to ask questions, basically, because there's no such thing as stupid questions; stupid people don't question anything, and you need to take that, that is true, take that ethos for your career. So this is an introduction to penetration testing, and it's also got how to build a lab as well, so really, really good. If you do win this at the end and you are senior, don't add it to your collection for the sake of it, give it to someone else in the room that's maybe a student or something like that; they probably can't afford one, even though they get [ __ ] too much booze if you ask me.

Okay, cool. So this is what charlatans commonly say purple teaming is in our industry, so this is not what it is. They commonly say, we've got this automation tool and it's going to do all your purple teaming for you and basically your pen test and rectify everything. It's not [ __ ] possible, I don't care what anyone says; there's two men on their own [ __ ] and they're talking [ __ ], so absolutely ignore it. If you come across a company that says we automate purple teaming, it's not possible, it's not possible. Purple teaming takes your most likely adversaries and your most critical threats and applies them in a remediated concept, which I'll go through in a minute, off the back of penetration testing that's very targeted. Automation cannot do that at this point. Maybe it can in the future, but I don't care, we're not in the future just now. AI: it's not AI. This is not a case of sitting around and watching ChatGPT do your purple team for you, so it's not going to happen.

Open-book pen testing: it should be that anyway if you want it to be, unless you're doing red teaming or closed-book pen testing. You should be able to go to the pen testers at any point and ask for an update and they should give it to you. Red teaming: red teaming is fantastic, loads of fun, really good, but again it's very closed book and it's very targeted, and we'll go through the differences in a second. Vulnerability scanning: that's not purple teaming either. A lot of companies I've come across say they do purple teaming, and what they'll do is a vulnerability scan and then they charge you to fix the vulnerabilities. It's not [ __ ] purple teaming, that's common sense. In terms of all the things that it is: penetration testing but more expensive? Yeah, it's very much more expensive, but you certainly get more for it than pen testing. Red teaming with hands-on remediation: it's just a chance for companies to upsell consultancy. So be very aware, if you go down the purple team route, when you're speaking to companies, of the kind of [ __ ] they're going to try and sell you.

Okay, so this is the one slide that's very basic. I'm going to assume that everyone knows what purple teaming is, but essentially the analogy that I use for people that are not technical, and I don't know who's in the room right now, is this. I used to be really fat, yeah, so my prized possession is the contents of my fridge. If I said to some pen testers, my prized possession in my home is the contents of my fridge, what I want you to do is come in and test from this door to the fridge, and this route to the fridge, that would be pen testing. I'm giving them a very, very narrow scope and a very, very controlled view of what I want. It might be that I need this for an investor, or maybe I need this for an auditor or something like that. So that's pen testing: I'm saying this is the entrance, this is the fridge and this is the route to it.

With red teaming it's more around loosening that scope a little bit, and I might say, okay, I'm gonna go to Starbucks while you guys get into my house somehow, but my main goal is you find the contents of my fridge. So pen testers will go in right, come in the chimney, even though the chimney's only rarely used by Santa Claus if you're good. So, yeah, that's useful or not useful depending on what you need, and you need to understand that.

With purple teaming we would go in and say, okay, yeah, we can look at your fridge, however your most likely adversaries care about your wardrobe, so why are we looking at your [ __ ] fridge? So it's totally different. You might try and define your scope with purple teaming; the purple teamers, the pen testers, will just redefine the scope. They would say, these are the most likely adversaries that you've got, these are the techniques that they use, these are the tools that they use and this is how we're going to do it. We'll have a look at your fridge, we'll have a look at your wardrobe, which you might not have thought of, and also we're going to put CCTV in every single room so you can see what we do, and you can check in at any point and you can be in the house at the same time. So it's a very different approach, it's very open book, it's a lot of fun, it's a good learning experience and it's also always done on assumed compromise as well.

So I just want to talk you guys through our process as a company, so That Security Company. This is the process we came up with.
Again, it's very, very common sense; however, at the time that we came up with this no one else was doing it. So I'm going to talk you through it, and I think that you guys should take this away and have a go, and again I'll talk through how you can do it on a zero budget. You always have to start off with some sort of intelligence, always, and some information gathering, and I'm going to go through that in a bit more detail in a minute. Sorry, I'm really hot, I swear I'm not nervous, it's just the alcohol.

All right, okay. When it comes to threat intelligence you have to know what your most likely adversaries are going to target you for, you have to know who they are and why they would be targeting you. Let's just look at the medical industry. If a company was to target the NHS, and they were also to target a company in the United States that's a medical company, there are going to be vastly different reasons for doing that: here it's going to be disruption, loss of life, blah blah blah; in America it's gonna be very much financial and informational. So you have to really pay attention to what the target is.

We would then go on to build a scenario. Andy Gill said this morning something about building a scenario for red teaming, and it's very much the same thing, but in this case you would document that and you would hand it over to the blue team, if they've got one, or the internal team, so they would be able to turn to page seven and say, this is the section that we're on, we know what commands are going on, we know what they're going to be run against. A lot of fun, and it's a good learning experience for everyone, and you can really test your internal team, so that's really cool.

The third stage is compromise, so this is where your penetration test is. Sorry, the back of this has come off and I don't know if it works, but I hope it does. So this is where your red teamers are going to be attacking, and I've put a little red dot there for the sole purpose of just showing you where in this whole process a red team sits. If you were to go out and get a red team, that's awesome, very, very valuable, but out of these six stages it's one in six. Off the back of that you get a report and you either do something with it or you don't, and a lot of companies don't. But in this case, when it comes to purple teaming, you surpass that, and with the results of that red team exercise, which is open book, you do some remediation, and I'm gonna show you guys some remediation examples in a minute. This might take a few weeks, but you'll do some remediation, then you repeat the test in round two exactly the same as you did in round one, so you know exactly: in round one we had these vulnerabilities, we were able to be compromised in these ways, blah blah blah, and now we've remediated those problems and now we can see that we have fixed them. So rather than defending yourselves from what's in fashion, what's on the news, what you're scared of, you are defending yourselves literally from the techniques and tactics and tools of your most likely adversaries rather than anybody. Okay, then off the back of that there's an executive presentation, but we're not here for that.

Okay, so you'll notice my slides are a bit [ __ ] and it's because I did them myself, I'll be honest; the marketing lady's on holiday. Honestly she is, she's in Italy; if you follow her on Twitter you'll know that she's posting pictures making us all jealous. But essentially what I want to do here is just talk about keeping on track. You can either do this on a conference call or you can do this in a meeting room, but the point is, make it open book. So you have your pen testers work in a particular room and you make it accessible for anyone to walk in and say, like, holy [ __ ], this has just happened, we've seen this on the SIEM, is it just you guys? And they can say, yes it is. If you don't, look to page 30, you don't know.

So this image here is very much: you've got your red team coming in, you've got your blue team trying to defend against them, and you have a purple team person (thanks, guys) watching what they're doing. Rather than having red and blue together and hoping that they work well together, which traditionally we always don't, and that's fine, that's just the nature of the game, you would have someone, like in our case we have a purple team consultant, that would sit in and would record everything that's happened. So they'll say, okay, the red team did this, on this page; it was identified, it wasn't identified; the red team did this, did the blue team find it? Yes, they did. Can they do anything about it? No. So we've got weak spots, and we can identify all those weak spots by having someone dedicated to keep it on track.

The reason this is so much more than a gap analysis: I'm going to go through some examples of reports in a moment, so if you're sat here going, what the [ __ ] is she talking about, hopefully a visual will help, I don't know, hope so. This is way more powerful than a gap analysis. CEOs and CFOs are keen on getting to the point, and those of you that are budget holders will know what I mean. It's getting to the point where they're saying, okay, we haven't been hacked, we've had no data breaches, so I guess it's working, okay, great, why are we paying all this for it? Maybe if we just stop paying it'll still work, because no one's interested in us. And you've constantly got these IT directors, heads of IT and CISOs going, oh no, no, it's working because we're doing [ __ ] that you don't understand. This gives them an opportunity to really understand; it's very tangible, and off the back of it you've spent literally no money trying to do this yourself and you've got something you can evidence to them and say, this is where we were, this is where we are now.

Off the back of a purple team exercise you are looking at people, process and technology. You get information such as fire Bob and keep Alice, so you can find out who's [ __ ]. When it comes to downsizing a team, it's the obvious: you need to get rid of... you can find out things like, do we need to get rid of this tool and keep this tool? You can see duplicate tools, duplicate functionality, all that kind of stuff. You can find out overspend, underspend, bottlenecks, and so on. So it's pretty cool.

I just want to go through some case studies off the back of what I just said. In terms of people: a lot of companies that have come to us with purple teaming have come to us and said, we're going to be downsizing in a year, don't tell anyone, here's an NDA, but we don't know who to fire, so we want to test our intel team and see who we need to get rid of, we want to test our pen testers, we want to test our defenders, we want to test our MSSP, all these kinds of things. So we went into this one company and they were all really nice, and the CISO was like, this one lass, she's amazing, she's so good, she speaks at conferences, she's amazing, like, you just wait, when you come up against her she's gonna [ __ ] nail you. And we were like, walking in with our Converse trainers... anyway, we got there: lazy as [ __ ], absolutely lazy as [ __ ], didn't know [ __ ]. So what we actually identified was she was crap and she was riding off the back of this one guy that was incredibly quiet and had no people skills. He was doing all this stuff in the background and he wasn't advocating for himself within the business, whereas she was, off the back of what he was doing. It's a horrible thing to say, but we identified that, so then when it came to downsizing we put in the report exactly the truth: so this person's [ __ ] and they're not very nice, so if you're gonna get rid of someone it probably should be, I won't say a name. And this guy then, you know, he was genuinely good, he got onto some training for his people skills and he genuinely ended up getting a promotion. When it came to the remediation phase and we were saying, okay, we need these use cases in place, we need these alerts, he was the one doing them, she was the one talking about them to the CSO. So it was incredibly interesting for us to identify that. Excuse me.
In terms of processes, you can identify really weak or dysfunctional processes as well. There was another case we came across where this company was complaining about the MSSP: they're [ __ ], we hate them, they don't identify anything, they don't report anything, it's really quiet. So we were like, great, I love the fact that you've got a [ __ ] MSSP, because we can try and sell you a SOC team later. Anyway, we got into the purple team exercise and we identified that the process that they originally put in place with the original CISO, who then left, was that this particular MSSP was going to alert everything in Slack, great. So they had a dedicated Slack channel; however, the internal team wasn't monitoring it. The MSSP actually wasn't [ __ ], they were pretty good and they found the vast majority of what we were doing, but their internal team would just... well, they actually weren't using Slack, but they were pretty slack, and they weren't identifying anything and they weren't acting on it. So we identified a huge fractured process, which was pretty interesting, and they ended up keeping that MSSP, and that MSSP is still with them today, so that's awesome for them, pieces of [ __ ].

In terms of technology, my favourite story from a purple team that we've done is that there was this one company where they were like, we've got this huge vendor that does EDR and antivirus and all this, and we want to test them but you're not gonna get past them. We were like, okay, our pen testers are pretty [ __ ] solid. So we went in and we wrote custom scripts and we did all this fancy stuff that their adversaries would do, and that's the point: you'd use the tools that the adversaries would use, and if their adversaries are going to use custom scripts we would also use those. Anyway, so they have this fancy tool that they paid a [ __ ] ton of money for; it didn't find [ __ ]. However, they had Windows Defender, they didn't even know they had it, and it found the vast majority of it. They'd duplicated the tools and no one was monitoring it, because they didn't even know they had it.

I've just been told to shut the [ __ ] up and hurry up because I've got five minutes. So what I want to do is... has everyone... I was going to skip, oh [ __ ], I'll just do it.
Okay, I'm gonna have to do this on... please forgive me if I act a little strange, because I'm actually trying to use my mouse over there. So basically, if you've got zero budget and you don't know how to go and faff about with... oh [ __ ] you... now, if you don't know how to go and categorise your most likely adversaries, Google? No, don't Google; have a look in MITRE ATT&CK. I'm just going to select some random ones, right, so all of these that I've just highlighted and coloured in, let's go with red, right, okay. I'm sorry, I'm sorry, I'm gonna go away in a minute, you'll be okay. I've picked the shittiest example and I'm sorry. Normally this would be red in every single section, so basically we can see that if... when it comes to... if they are not using account information... we need to concentrate on what matters to you. So if they're using lots of account manipulation, that's what you need to include in your purple team, not just random [ __ ]. Okay, now I need to get my little mouse back and I need to figure out how to not share this screen. Oh my God, what am I doing? Right, I'll not do that again. Yes, [ __ ] off, please.

Okay, so that's just a really cheap, free way of looking at yourselves and going, like, who uses what against us? You can type in, if you are in gas or oil, you can type in gas or oil and it'll come up with your most likely adversaries, great. Have a look at the techniques they use, have a look at the tools, and make sure you put things in place to test those things.

In terms of a playbook, I was gonna show you guys a playbook; if anyone's interested I'll show you later, but it's basically a solid document of... so it's the rules of the game: the process, who's involved, what's happening, blah blah blah. If you don't have this (I've put a really nice phrase at the bottom that I often use) it's basically football without rules, which is just fat men in a park with chest pains. Okay, everyone knows how to kick a ball in the direction of the net, well, not everyone knows the goal, the rules, I mean, I don't even know what terminology, I'll be honest, I thought everyone else would. So basically it's like a booklet of the rules of chess, but this is the rules of purple teaming. This means that if your blue team are massively overstretched and they're really working hard, they can go, right, it's Wednesday the 22nd, I'm gonna flip to page 15 that says Wednesday the 22nd, I know what's been attacked, how it's been attacked and at what time, because it's very, very rules focused, and they can not smokescreen themselves, they can just see exactly what's happening.

I do definitely want to show you guys this. Oh [ __ ], I've got something else. So this is an example of a tracker. This again is really simple, you guys can make this yourselves; I have included the download to a blank tracker if you guys couldn't be bothered, but basically I'd love to show you all of it. You've got your adversary, so in this case it's an APT; the technique, so the password that's used; has it been compromised? Yeah. So you can see, very granular, what is happening and why that's important for you. Now, can anyone see my mouse? Because I can't. So let's kill some time: who's enjoyed the conference? I'm joking. Okay, round two, I'm gonna have to do it again, I'm really sorry, I have to go into my screen to do it. Okay, I've got like two seconds left.

So this is an example of when you get to the remediation phase, I'm gonna talk a bit louder now. When it gets to the remediation phase, what I thought it would look like: you can see here purple, I mean, it's in progress, so it might be that it's perfectly defined, it helps people prep, kick off the project or manage it themselves, and then blue means it's remediated. So here we can see that this one, it doesn't have to be an APT, it can just be a hacking tool, is purple, which tells me that there's a project in place for identifying things that are being downloaded that shouldn't be downloaded, so it might be that a SIEM's been put in place. In terms of compromise: successful? Yeah. You probably know we are working on that problem. So this is something you can show your CSO or whoever straight away. Right, can anyone see my mouse? Holy [ __ ]. You know what, I've got dyspraxia really bad, so I'm [ __ ] killing this right now. Okay, thank you. Right, okay, we'll smash through it. At the end of this you're able to see, so your senior leaders are able to see, what do we need to do, why do we need to do it, how much is it going to cost and what's the effort involved. So all these things here, I would advise you to take a picture of it because I'm not going to talk about it, sorry. One, two, three, gone.

So after all this, let's recap. A pen test is a snapshot in time, a red team is often closed book, and a purple team is a wider view of internal capabilities with an open-book approach. Lovely. How are you going to bootstrap this? Right, okay, so what I would advise you to do, if you think, I don't even know where to [ __ ] start with this, it sounds too complicated, or I'm not interested in it but I think we can benefit from it, is to go back through your most recent pen test reports and have a look at the times that those things happened, like the dates for example, and have a look at your SIEM or your logs, if you've got Google Workspace, sure, whatever, there's all those logs available, and see if you identified it through logs, and if you did, what can you do with those logs. Ask your pen test provider to work open book; sometimes they will, sometimes they won't, but it'll enable you to go and check internally the logs that you've got. And I would advise as well, for starting the purple team function, so if you want to just get started on it rather than running an entire purple team operation, just have meetings after every pen test and have a look at what you were able to see: were you able to do anything about it? If not, interesting, note it.

Okay, why is our process best? Because anyone can recreate it. This is a very downscaled version of it, but anyone can recreate this, this is super easy, and if you are interested in this take a photo. One, two, three, thank you. So here, I'm not gonna click on it, but basically I've provided a blank tracker for anyone that does want to keep track and doesn't want to make their own tracker, and that's fine, you can download it, it's absolutely free. I'll provide these slides to whoever wants them.

And the last point I wanted to make is just about community. Purple teaming is a community project, so you can't do purple teaming alone. It does take a village to raise a kid, apparently, I have no idea, but it does take a village to raise the majority of your cyber defence, and I really did plan to say that, yes. Similar to communities like BSides, it is often the people that let it down. Thank [ __ ] no one was cancelled, that's fantastic. We're all on the same team here: this isn't red versus blue, this is red plus blue, and I hope that you can sort of make the most out of this. So I know I smashed through it, I'm really sorry, it's totally my fault starting late because I didn't sort myself out, to be honest.

So has anyone got any questions? And if so, please don't ask them, I'm joking. If we've got any questions you could win this book, go ahead. We are actually hiring, news flash, yeah, we are actually hiring and we are expanding and we've just done a really cool reorg so that we can grow bigger, so yeah, please talk to me at the end and I will be more than thrilled to chat to you. Any questions? We have a big, big bro. So am I gonna win this game?
Yes, Manny.

Okay, so in case anyone didn't hear that, and for the camera's sake: Manny asked, with all the various different actors out there, how can you determine which ones are most applicable to you? So you can go out and do the really expensive option and get a provider that does threat intelligence and they tell you that information; you could do your own research and it could take a lot of time; or you could literally, if you want to do a bootstrap version, just go on the MITRE ATT&CK framework and type in your industry. So if you are medical, type in medical and then comma UK, and it'll really narrow it down for you, so you can end up looking at really legitimate information. You can look at who's medical, who's manufacturing, who's medical in a particular area; again, it differs depending on what country you're in. So hopefully that answers your question, but it is really important to make sure that those factors are applicable. In terms of when it comes to not APTs, like you're asking, when it comes to things like hacktivism: say if you're a retailer and you're making your clothes in an unproductive, in an unethical way, I mean, I don't give a [ __ ] as long as it looks nice on me. Yeah, well, thank you, Kyle, I look amazing, oh my God. But so long as, like, what you've got, sorry, I was gonna say, what you've got looks good, it's fine, so long as you understand what your demographic values. So if you're a retailer and you're having your makeup mined in India and you're having children do that, don't expect no one's gonna know, right? So wrap that into what threat actors are looking at, ethical things as well. So hopefully that answers your question, I don't know, did it? Yeah, yeah. Any other questions? Time for one more, make it good. Guy at the back.

Okay, so for anyone that didn't hear that, for the camera's sake: how do you know that you're at the maturity level to accept a purple team? So I think if you've either got an internal security team or security functions, even if it's your IT team that are acting in that capacity, you can benefit from this. But also if you've got an MSSP, you can benefit from knowing what they're missing; it doesn't necessarily mean that they're crap, it might be that you're not providing them with the right information. So I think if you're at that stage, great. If you don't have any monitoring or any visibility you really can't do it, and it does have to be infrastructure based, so you can't purple team a website, for example; you're better off red teaming or doing pen testing. So I think the winner of the book goes to Ronnie. You're not going to read it. We'll go to the lad at the back that just asked the last question. Elliot, come on down, Elliot.

Thank you, I'm off. Yeah, everyone, please...
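The round-one/round-two tracker and the closing advice to check the dates in a pen-test report against your SIEM logs, as an added worked example placed after the talk. It is not the speaker's spreadsheet or her company's tooling; the ATT&CK technique ids are real, but the findings, alert lines, timings, colour for "nothing in place" and remediation statuses are all constructed for this example.

```python
"""Purple-team tracker: did an alert fire for each pen-test step, and what
changed between round one and round two?

Added example written for this transcript, not the speaker's tracker.
ATT&CK ids are real; findings, alert export, timings and statuses are
constructed sample data, and the field names are this example's own."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Status(Enum):
    """Colours as in the talk: purple = project in progress, blue = remediated.
    Red for 'nothing in place yet' is this example's assumption."""
    OPEN = "red"
    IN_PROGRESS = "purple"
    REMEDIATED = "blue"


@dataclass
class Finding:
    technique: str      # ATT&CK technique id, as written in the open-book playbook
    at: datetime        # when the testers ran the step
    compromised: bool   # did the step succeed against the target


@dataclass
class Row:
    technique: str
    compromised: bool
    detected: bool      # did an alert for this technique fire in time
    status: Status


# Constructed SIEM alert export: "<ISO timestamp> <rule name> technique=<id>"
ROUND1_ALERTS = """\
2023-06-22T10:07:12Z ManyFailedLogons technique=T1110.003
2023-06-22T14:31:55Z UnknownScript technique=T1059.001
"""
ROUND2_ALERTS = """\
2023-09-13T10:05:40Z ManyFailedLogons technique=T1110.003
2023-09-13T11:44:02Z PrivilegedGroupChange technique=T1098
"""

# Constructed pen-test steps; dates and outcomes are made up.
ROUND1_FINDINGS = [
    Finding("T1110.003", datetime(2023, 6, 22, 10, 2), True),    # password spraying
    Finding("T1098", datetime(2023, 6, 22, 11, 40), True),       # account manipulation
    Finding("T1105", datetime(2023, 6, 22, 13, 15), True),       # tool download
    Finding("T1059.001", datetime(2023, 6, 22, 14, 30), False),  # PowerShell, blocked
]
ROUND2_FINDINGS = [
    Finding("T1110.003", datetime(2023, 9, 13, 10, 0), False),   # lockout now stops it
    Finding("T1098", datetime(2023, 9, 13, 11, 40), True),       # still works, now alerted
    Finding("T1105", datetime(2023, 9, 13, 13, 15), False),      # download now blocked
    Finding("T1059.001", datetime(2023, 9, 13, 14, 30), False),  # blocked, but alert gone
]
ROUND2_STATUS = {"T1110.003": Status.REMEDIATED, "T1098": Status.IN_PROGRESS,
                 "T1105": Status.REMEDIATED}


def parse_alerts(text):
    """Turn the constructed alert export into (timestamp, technique) pairs."""
    pairs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _rule, tag = line.split()
        pairs.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), tag.split("=", 1)[1]))
    return pairs


def detected(finding, alerts, window=timedelta(minutes=15)):
    """True if an alert tagged with the same technique fired within `window`
    after the step: the 'check the report dates against your logs' step."""
    return any(tech == finding.technique and finding.at <= ts <= finding.at + window
               for ts, tech in alerts)


def build_tracker(findings, alerts, statuses):
    """One tracker row per technique; `statuses` maps technique -> Status."""
    return {f.technique: Row(f.technique, f.compromised, detected(f, alerts),
                             statuses.get(f.technique, Status.OPEN))
            for f in findings}


def weak_spots(tracker):
    """Steps that succeeded and nobody saw: the rows to remediate first."""
    return sorted(t for t, r in tracker.items() if r.compromised and not r.detected)


def compare_rounds(round1, round2):
    """(fixed, regressed): fixed when a step is now blocked or now detected,
    regressed when it now succeeds or an earlier detection has disappeared."""
    fixed, regressed = [], []
    for tech, r1 in round1.items():
        r2 = round2.get(tech)
        if r2 is None:
            continue
        if (r1.compromised and not r2.compromised) or (not r1.detected and r2.detected):
            fixed.append(tech)
        if (not r1.compromised and r2.compromised) or (r1.detected and not r2.detected):
            regressed.append(tech)
    return sorted(fixed), sorted(regressed)
```

Round one here yields two weak spots (T1098 and T1105 succeeded with no alert), and the comparison with round two reports three techniques fixed and one regression, which is the before-and-after evidence the talk says to put in front of the budget holder.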