
A Day In The Life Of A Purple Teamer - Hani Momenia and Christopher Taylor

BSides Leeds · 30:44 · 37 views · Published 2024-07
Category: Career
Team: Purple
Style: Talk

Transcript [en]

Great to see everyone here. He stole the first slide, so we don't need to introduce the first slide, but we'll just introduce ourselves very briefly. So I'm Chris Taylor, I'm not Hani obviously, I'm Chris, and I work as an incident response principal at the moment, so very much on the blue spectrum of things. Myself and Hani have worked previously together in a designated purple team role, and we'll explain what that means effectively by the end of these slides. So Hani, if you want to introduce yourself.

Yeah, my name is Hani Momenia. I'm head of red team at SAP UK, joined recently, and in my day-to-day I run simulated attacks and try to duplicate TTPs. We're here to talk about purple teaming. This is a huge concept, people talk about it, so hopefully we can introduce the whole topic briefly. Very briefly. A lot, very briefly.

Yeah, so what we're going to cover today: we'll give you a brief introduction and explain what purple teaming is, so there's no ambiguity there. We'll explain what we think purple teaming is, and everyone can argue about it later. We'll talk about how to plan an engagement, so the most important step: how to actually plan it and get it signed off so people understand what the hell you're doing, because no one really understands what it is until you run it and it all goes wrong. We'll talk about how to execute the purple team itself, so some of the principles and guiding principles you can use to execute your first purple team. The reporting aspect to it, because everyone loves to read a good report, so how you can do a report that is actually appropriate to your organization, to your customer, and how that can have the biggest impact. And then we'll just wrap up: why we think people should be more purple, why, you know, the two teams, the two principles, should meet in the middle, and then we'll have concluding questions.

So what is purple teaming? Purple teaming basically is a concept where red and blue come together. So traditionally people are on one or the other: you're on the red team, we're on the blue team. We believe, and we've seen this in practice, that bringing the red team and the blue team together... If you work for an organization that doesn't have designated red teamers and designated blue teamers, you don't have to just act as the marshal between them; you can become a team that effectively does a piece of both and brings those principles together to make security stacks better, to actually make defense in depth work, rather than just scraping through a penetration test once every three months to please your insurer. We believe that actually, as a principle, purple teaming is a concept where, genuinely speaking, you launch your attack, you use your telemetry to actually build better defenses, and run again. So kind of hope that explains it; we'll explain some of the concepts behind it as we go through.

So yeah, I'd just add something to what it was. Actually, purple teaming back in the days, a few years ago, everyone just did a pentest, did a red team, dropped a report to a blue team, and the blue team is so busy these days, they have thousands and thousands of alerts coming to the system, they don't have time to deal with the report. So what they do, they just completely ignore it, and there's more red team, red team, and red team is expensive because they need to have tools, infrastructure and so on. So now here we are to talk about purple teaming. This is kind of a new thing that most of the companies are moving toward because it's more efficient and brings more value to the company than just doing a red team, doing a pentest: here's a report, there's two reports you haven't fixed from last year, who cares, and then again and again. So purple teaming is about when you bring people together, so when the teams, blue and red, work together through one project, and their goal is to reach one destination: better security, as Chris said. So purple teaming, there's a lot we can talk about, but we don't want to focus just on the theoretical part, so later on we'll tell you what's involved to be a purple teamer.

All right, so purple teaming in general: there's a lot of companies using different frameworks. If you go to any small, medium or large companies, they have these processes, complex processes, that you need to do this A and B and C, and this is how the purple team looks like. But to simplify it, we want to show you what the purple team looks like. So the purple circles, these are the ones where the purple team, red and blue, work together, and the ones that are red, it's just an offensive operation. What we're trying to do in the next few slides, we divide into three sections and we try to explain them and give you more details on what's involved to do, for example, attack planning, attack emulation, or what happens with the reporting section and so on.

So yes, we'll talk briefly about how to plan the engagement and how to build up an actual meaningful purple team for the organization or customer that you work for. So it looks really boring because it's planning, and everyone hates planning and report

writing, but effectively these are some of the most important steps to actually get your stakeholders involved, for people to understand what you're trying to achieve, what those risks are, and how you've reduced those risks, to make sure that you're providing the absolute best possible purple team, you're getting the better telemetry, you're increasing the defense of that organization.

So the first step is obviously brainstorming. What are you trying to achieve? Have you written down your plans so that your stakeholders know what you're going to do? What does success look like for your purple team? What does failure look like? What exactly, and how are you going to do it as well? So get the ideas down on a piece of paper. That could be a workshop, just writing it on a whiteboard. You need to understand where you're going to gain valuable CTI, what kind of tools you're going to use. You know, really plan out your engagement way before you start engaging those stakeholders with a definitive "that's what we're going to go and test." "We'll just get some code off GitHub, we'll run it, and we'll see what the defenses pick up." That really doesn't make sense, and it's not the way to win over your audience to make sure the purple team's successful.

The logistics side of things: obviously selecting your tools, making sure that you have the staffing and the capability to run this. You know, have people used these tools before? Do they need practice before you run it? Another major point here as well is, when you're planning your purple team engagement, do you plan on running against live systems? Are you going to be running against the network, and how comfortable is that organization with you doing that? Because there's absolutely no value in running a purple team campaign against a fresh image of Windows. It just doesn't make sense for the organization. You need to run against the applicable environment and show how you're building better defenses for their security stack.

Adversary profiling, again, we won't cover this too much, but again, how are you going to get that CTI data? Which adversaries are applicable to your environment? CTI is absolutely crucial to run a proper purple team campaign. You need to understand what the attacker would do in that environment at that time, and that profiling could be that you can gain quite a lot of free information out there, but is it relevant? Does a stakeholder care? Is this attack even going to be applicable to your organization? So you really need to understand how to build better adversary profiles.

Tabletop exercise: so this is part of the IR function at the moment, of running through your attack pathway together. So bring your stakeholders together in a room and test their IR plan before you even run a line of code. Talk about who would respond, how would they respond, what does the comms plan look like. It just makes perfect sense that, while you've written all of this documentation and planning down, why wouldn't you verbally hand it over before you run the actual software and attack?

And some of the constant challenges we see is a lack of buy-in. You'll be given the go-ahead and the green light, you'll build these massive plans, you haven't explained it to your stakeholders and how you've done your risk management, so it just collapses. Or poor logistics planning: you assume that that customer is going to provide you with the tools and software to use, and then before you know it they turn around and say, "we're not willing to accept that risk." So planning really is the most important aspect of this.

All right, so we heard how important planning is. Good planning, it gives me less stress and less white hair and less red. And this is really important: when I want to do an engagement, I read the plan, I need to make sure the plan is solid. But the fun part, well, a lot of people say it's the fun part, which I feel is really stressful, is the actual execution. So what you exactly do

in a purple team, like developing capabilities. There's a lot of people, they're trying to buy a piece of software and say this is a whole purple team engagement, they just run it and that's it, this is a purple team. But actually, developing capabilities, we need to understand what type of staff and skills we have in a team. Do we have people who understand networking, API security? Do we have people who actually understand CTI and so on? And do we need infrastructure? If we're doing a purple team engagement, is that just one machine to another machine, or if we do it in a production or testing environment, we need to make sure that our infrastructure is up and running and is ready, and you have a backup. This is something a lot of purple teams don't consider. Do you have a backup plan? If you do testing on production, if something goes wrong, can you bring it back? Is it going to die? Is it going to impact the business? How much is it going to cost the business, and so on.

And building capabilities comes with a price. There's a lot of times you do purple teaming, you use software like open source: we have Caldera, this execution framework, we have a reporting tool like VECTR. They're all open source, you can use them, but how stable and efficient are they? There's paid ones that you can buy, but those paid ones come with a heavy price. I can say we negotiated some stuff in the past and they were asking for a lot of money. It's not really cheap to buy those softwares.

And when it comes to coverage: do we have coverage? When we do purple teaming, we can't just do purple teaming in, like, one area. We need to make sure, what about the legacy systems that are part of the network? What about the machines that can't have an EDR on them, because when you run an EDR agent on them they crash because they don't have enough memory? Maybe they're running on Windows XP for some reason. In the last talk they were talking about some old programming languages or some software for banking that you can't even run a purple team engagement on.

When it comes to attack emulation, as I said, the business impact is really important. You can't ignore it, saying, "well, we're going to run this piece of malware that we found from an APT in Russia, for example, and I hope everything's going to be fine." You need to have a deep understanding of why you're running it on the system. And the emulation, another thing about the emulation side, is that we need to make sure we always talk to each other. It's really hard, they say, to communicate between red and blue, because teams are international, they're working from home, no one wants to jump on a Teams call for some reason because the dogs or the kids are screaming in the background. I understand that privacy, but when it comes to purple teaming, the best purple teaming I've seen so far is the one where they actually were in the office, a whole room for themselves, and they were talking to each other. If you can't do that, I understand. I work at SAP, my team is international, we have a Slack channel, we always talk to each other: screenshot this, and we have live logs that we can just monitor. So those kinds of things are really, really important. It's better to communicate before you just do something, or, like, "well, I didn't know about that." Yes, you can ask.

And give an update at the end of the day to your stakeholders. If you're doing a purple team, don't wait until after six months saying, "well, we've done the purple teaming, it was okay, it was a disaster, part of it." Give them an update every single day: this is what we learned, this is what we executed, and this is what we've seen. So it's good to keep them updated. And it comes with, again, challenges. Challenges when it comes to no formal planning: when is the start date, when is the end date, do we have a solid plan? Chris was talking about how important it is to have a solid plan. Planning is the one that a lot of people are confused about, because there's a lot of people who want to get involved, people are taking other people's duties: "oh, did you run this script before? Oh, let me run it again." Those kinds of things we don't want to happen in a purple team. We want to be controlled and want to make sure that it is kind of a sanitized environment. You don't want people doing the same thing over and over again. And there's a lot of challenges. Again, my list is over, but I want to make sure that we can cover everything in these slides.

Another thing that is a gray area is the black boxes. There are some systems, when you do purple teaming, it comes to you: "I completely support you doing purple teaming, but do not touch that system." Like, what is in that system that they don't want us to touch? Those black areas that they put in the report saying, "well, we don't want to touch that one because we know it's Windows 7 and we are planning to upgrade it," but when you do the purple team engagement that system is out of scope. Those kinds of things are going to damage the whole purple team result.

And how real is real? If you're doing a simulated attack, let's say an APT group in Europe or in China, they're doing fantastic stuff, they're doing these TTPs that we've never seen before, and they also kidnapped the sysadmin. We can't do that. I can't just go knock on the sysadmin's door and say, "yes, as part of our engagement we need to kidnap you for two days, but we provide hotels and stuff." It doesn't work like that. How real is real? You need to understand what's the expectation from the stakeholders, that when they say you've done a purple team engagement, perfect, but how real is that? Is that exactly the way that people like, you know, APTs in Iran

are doing it or not? So we need to make sure we communicate that. There's a lot of expectation when it comes to purple teaming.

Yeah, and I think the thing we're trying to drive out here is to be more scientific, to be really scientific about what you're trying to achieve and how you're trying to achieve it. So capturing the telemetry as you run the attack, not trying to think back: what time did I click that link, what time did this happen? You need to be capturing those notes, like, almost like you're going to present it to court. You need to be really forensic in how you execute your purple team, because we've had it before: we've been blamed for something going wrong. "Oh, you know, you were running the purple team at the time." We weren't. So instantly those business leaders, they might not appreciate or understand what you're doing, and they'll jump to the assumption that the purple team is at fault. You need to keep those notes.

You need to validate your detection strategies, and just because, you know, the fanciest EDR that you've got in your environment caught one of the actions that you did, that's not failure. That isn't failure, that's validating the tool that works, and then your next step is to test the next line of defense. So, you know, whitelist on the EDR and run further down, because your threat actor will constantly be evolving their malware where they will get through the EDR at some point. So why aren't you then testing the next line of defense? You shouldn't just be relying on a line of defense; you should be testing and testing and testing and constantly going through your security stack so you've got as much telemetry and as many alerts as you can possibly get.

But yeah, thanks for that, Hani. Just another point on the "how real is real" as well is the expectation of the business. Do they expect you to be writing zero days? You know, do they expect you to be going up against the best EDR that's been finely tuned for 12 months? Is that the expectation? Because everything's going to take a lot more time. Or do we just whitelist against EDR and test the next line of defense? And that's the thing with the formal plan, that's why you need to plan, you need to engage these stakeholders. My clicker isn't working there.

So the last part then: the reporting stage, the one that everyone loves to do. Everyone loves to write a report and read one. But this is your opportunity to shine, this is your opportunity to prove the value of the purple team and why you need to undertake these, and why a penetration test is no longer good enough. I'm sick to death of receiving penetration test reports that are effectively a vulnerability scan. Absolutely sick to death of it. That's not what a penetration test is. You know, you've now differentiated penetration testing, vulnerability scanning, red teaming, blue teaming. No, a penetration test in the eyes of insurers and all this kind of stuff should be more than that, but as a company we just slide through because we pretend it's something it isn't. Really, a penetration test is a vulnerability scan in this day and age. We need to go further than that if you're going to take security seriously.

So this report really is your opportunity to show what you did, how you did it, the value of doing it, and it should be applicable to your audience. So if you're writing a report together and you want it to go to a technical team, an infrastructure team, so they understand what you've done as a blue teamer and a red teamer, write a technical report. Write it with as much technical detail as you can possibly get. Don't hide things because you're worried about how it will be received or the politics of the organization. You're meant to be agnostic, you're meant to be scientific. It's not your problem if a security feature that they thought they had failed; it's the opportunity there to write it down and get it fixed. And again, if you're talking to business leaders, get to the point quickly, because they're a bit like moths, their attention span is low, so you need to get to the point really quickly: what was the point of the purple team, what did it do, what's the next one? So that's really the focus of the report. It should be easy to do, it should be relatively quick to formulate if you've been capturing your notes and you've had good control of what you've been doing and how you've been doing it, and your scoring is correct. It should be relatively straightforward and simple.

And again, those are the challenges: report's too big, no one reads it, it's boring. How are you engaging your audience? You know, feedback: no one likes to give feedback. I was like, well, how have you tried to get them to give feedback? Again, case in point of the talk from Tim just before this one: is the expectation that the human should change, or should we change our behavior to bring on board the human, effectively?

All right, yeah, so when it comes to logging, make sure you take everything. When we've done purple team engagements, the timing was different. So some companies that have international teams, they have people in Europe, the US and stuff; if they don't agree on a specific time, someone can see the log at a different time in a different part of the planet, and they were like, "well, we found this log exactly at that time." You will mess up your report. So make sure you agree on a time, saying that if you want to find a log, make sure this is the time zone that we use. This is one of the things. And capture everything: logs, operating systems. Do not rely on Microsoft to collect logs for you, because they don't. Maybe they send it for themselves, who knows. But use the tools, every single thing you have. You have Sysmon, you have all these tools that you can collect everything with. Collect everything, even if you don't use it; it's good to have it because later on you might use it.

So why should we go purple? There's a lot of benefits if you actually go purple. This is not all of it,

okay. The silos are removed; there is no barrier between blue or red, okay? Everyone can work together, everyone can learn from each other. There were so many times, I came from a red side, there were so many times in a purple team engagement there were things that I didn't know about, how blue teamers think, and in that case we learned something from them and they learned something from us, and this is the best education you can get. There's a lot of courses out there, expensive, you can go there, but if you learn from examples that's the best way, because when you learn from example you never forget it. So staff with different skills are working together, they're feeding information to each other. This is really good because it helps your organization to grow faster in purple teaming. And yeah, you know, I want to... I'll forget about it.

So purple team is all about testing people and process. So you don't want to do a purple team and say, "well, we found these systems that are actually secure and we are fine with that." Purple team is all about testing the people: how long does it take them to respond to a cyber attack? If there's still a phishing campaign, blue teamers, how long will it take them to react and what do they do after that? So you're not testing the machines. You're not testing, "oh, this is a Windows or Linux machine or a DC." You're testing process. This process is really important, because when it comes to threat actors, they don't really care just about your system. They're looking at people's personal life, the LinkedIn, they do a lot of OSINT, they have a lot of money, resources and knowledge to do whatever they want to do. So when you do purple teaming, we're trying to just add, like, people and process into it.

Measuring security and evolution: so you don't want to do purple teaming at a certain time. Let's say in June you do purple teaming for three months, and then next year there will be new threat actors. Are you going to repeat the same actors that you've done last year again? Yes, you need to do that as well, because people change the system, there's a new upgrade and so on. So you don't want to be fixed in one specific time. If you look at the threat actors' profiles, some of them are reusing techniques, so an APT like 42, they use this technique that APT22 actually used, and it's really interesting. So we want to have the repeat testing and try to generate a report that reflects the next two years or next three years. So you want to make sure that the report is a continuous report and you do the testing over and over again.

Make sure of your defenses. The last talk was talking about, you put a massive firewall. Back in the days I came from a Cisco background, you buy these Cisco firewalls, expensive ones, that you put there, and I thought that this is the defense, this is security. But when it comes to purple teaming, you're not trying to just test EDRs. What about assume compromise? What if the company is already being compromised for months? What after that? How many defense layers do you have? This always reminds me of the whole thing about Shrek. Shrek was saying, like, "oh, ogres are like onions." Security is layers. How deep can you go into that network, and so on.

And also make sure that the CTI that you're using is the latest and cutting edge. Purple team people are people who are always learning. Every time I go to an engagement I learn something new. I just never go as, "oh, master of everything," or "I know everything." I go, it's like, "I don't know anything." So make sure that you use your CTI. Not just, "well, the CTI said this way." Make sure you twist it, try to change it in a way that your company is working around it. So don't try to just take everything from CTI and put it on your system, like, what doesn't work? Try to always change stuff. So a lot of benefits of doing purple teaming; we can talk about it for the whole day, and we're not here to sell you purple teaming, we're here to tell you how important purple teaming is. Cheers.

Thank you. So yeah, we'll wrap up now and then we'll have plenty of time for questions. But effectively, from the talk we hope you've learned that planning should really take most of your time and effort. That should be the hardest part: get the plan correct. Always engage the stakeholders early and communicate. One of the issues we do find is that the red and blue split is almost adversarial, to a point where they don't work together. You actually need to work together and talk, otherwise you're not purple, you're still red and blue. You need to communicate, you can't be hiding things, and you learn from each other. There's so many principles I've learned from working with red teamers as a blue teamer. You can't get the full picture without actually communicating and collaborating.

And again, failure is another type of success. So yes, the EDR caught it, so what? Okay, well, let's test the next line of defense. Or yes, an alert was genuinely inappropriately escalated and you got locked out of the system, so there's still plenty of opportunity there to do something else and extra. And reporting: whilst planning is the hardest part, reporting is the most important part. Like anything in cyber, if you don't seem to write it down then the business leaders don't care, so you need to actually formulate a report that those business leaders are going to care about and continue to support your purple teaming efforts. Hard metrics, set deadlines: so in your plan, this shouldn't be rolling on for months and months and years and years. You need a hard stop, you need to say what success looks like, because otherwise you'd be chasing down rabbit holes trying to get through a system. You need to move on. Cyber is very quick in pace, things are constantly evolving, you need to evolve with it. And develop actionable recommendations. So the issue we always find is, we beat X system, right, and the business leader, all he's thinking is, how much is this going to cost me? You need to actually say what the solution to that is, what that business leader should do, and don't recommend £100,000 worth of purple teaming tools. That's not what he wants to hear, or she wants to hear. They want to hear actionable: this is what we can do with the resources we have. So what's the gold standard, silver standard, bronze standard? What can we achieve from this?

So I'm out of breath. Hani can take all questions. No, that's everything from us really. We hope it's exactly what you're expecting from a purple team presentation. We weren't going to show you a live purple team, because it would take us ages. But yeah, have we got any questions from the audience? That's perfect, no questions, let's go. That's great. Go on

then. So the purple team version would... So again, what we are seeing, like I say, is people are buying a red team from an outsourced company, or they're buying a penetration test, and they're getting it done once every three months because they have to. They don't respect it, they don't want to change it. The purple team, and again, you can develop your own purple team internally using junior staff; they will develop with that company and understand that company. So the whole point of it is that continuous integration of testing. We do it with code, we do it with patching, it's a continual process. I don't really understand why, you know, red teaming or penetration testing is a one-off event that is just slipped under the net to say we've got it covered. And, to be fair, a lot of business leaders, what they'll do is they'll scope it down to the point where they know what success looks like. So you'll have a penetration test against the most rock-solid part of the network. That's not really an accurate representation of that network though, is it? So for us, purple team, it's meant to find those dark places in the network, those failures, and it's meant to strengthen them. It's bringing together all the actual principles of cyber security into an organization's environment. And again, we're not here selling anything. The point is, this is a process, this is what people should be aiming to achieve in their environment, working together. Go on.

My question is, you talk about learning. Yeah. If someone from the blue team or red team, like, joins your team, what should they unlearn?

That's a good question, that's a very good question. Well, I can say there's no such thing as unlearning. Well, there is a couple of things that we don't tell the blue team, because we are testing the process. We say, like, for example, when we do this engagement, you saw the circles there, there's the blue ones, the purple ones, the purple ones are there, they're part of the planning. But when it comes to execution we don't tell them exactly when it is. We say, like, the next six months is a purple team engagement, so otherwise, if you say that, they will stay there with ten coffees on the table: "okay, this is it, this is them, this is 100% them, let's block them." This is not it; we need to blend in, okay? So we need to understand what the business looks like. For example, if you do a purple team for an organization that you've never been to, you try to understand the business: all right, so how do you do stuff? Okay, when is your promotion month? When is, like, the email that comes from HR people for bonuses and stuff? Oh, can we send an Excel macro for bonuses? People are going to click on it, that would be great. So we're trying to just kind of blend into the business process. We're not trying to just tell them, like, "oh, we run..." Sometimes we do, we're like, "okay, we're trying to run this, can you see something? Tell us, okay, and how do you react on it?" But sometimes we're trying to test them, saying that we ran it in the last three months, you didn't see it, it's fine, no one's complaining, but let's learn from it and then we move on. Because we're not here to punish the blue team, and the red is not there to try to show off, saying, "oh, we've done it, you couldn't see us, that's great." It's a healthy environment. We're trying to just build a healthy environment where everyone learns. There's no unlearning, it's more learning, and there's always something to learn.

I would say the only thing that, you know, the real eye opener for me was that the red teamers aren't necessarily bad guys, and they don't know everything, they're not already in your system, you know. And the assumption is that the blue, again, it's adversarial, red against blue, and that's what we try to break down there: you're not adversaries, you're meant to be working together, because the goal is the same. Method of operation is different; the goal is the same: better security. Yes.

Do you have a view of kind of what level of visibility the team has with the organization? Working solely like a red team, the idea is that no one really knows it's happening; a very small defined group within a team is collaborative. But at the same time, some of the things you might want to try, you don't want the whole organization to know you've got something going on. So is there kind of a sweet spot, I guess?

I would say so, yeah. It depends on the maturity of your organization. I think you have to get that on board and success early. So initially you don't want to, you know... Perfect, this will be the last question then. But yeah, you don't want your organization to not know who you are. You don't want to be the guys, like in The IT Crowd, in the basement, not known about. You want to be front and center, so it's becoming part of the organization's maturity model. But eventually, yes, you want to run a little bit more like the red team to keep things a little bit quiet and on a need-to-know basis. So I would say start: you brag about it, everyone knows about it, everyone knows what you're going to do, and gracefully move towards a more mature model of "it's business as usual, you're just doing your job and the report comes out and stakeholders get it."

Just one thing I want to add is that for people who couldn't ask us questions, be around, and we'll be at the after party as well, so ask us thousands of questions. That's the whole reason I came all the way from London here, so come and talk to us and we'll be more than happy to answer more questions. Thank you very much everyone. Thank you. [Applause]