Purple team is awesome
By Sumedt Jitpukdebodin, I-SECURE Co., Ltd.
$ whoami
• Name: Sumedt Jitpukdebodin
• Job: Senior Incident Response Team @ I-SECURE Co., Ltd.
• Writer: Network Security ฉบับก้าวสู่นักทดสอบและป้องกันการเจาะระบบ (Thai book; the title translates roughly as "Network Security: A Step Toward Becoming a Penetration Tester and Defender")
• Website: www.techsuii.com
• Cert.: CompTIA Security+, LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, IWSS, CPTE, FSE, LFCS, GPEN
• Group: Technical Manager @ OWASP Thailand, Admin @ 2600Thailand
• Hobbies: Hacking, Malware Analysis, CTF, Writing, Gaming, etc.
• Social Media: fb.com/sumedt.jitpukdebodin, @materaj
Who is the “Red Team”?
Red Team
• Penetration testers
• Try to find vulnerabilities on any attack surface using attacker Tactics, Techniques and Procedures (TTPs).
• Test with or without notifying the Blue Team.
• Test the organization's detection and response capabilities in order to improve security.
Red Team
• Vulnerability Scanning
• Social Engineering
• OSINT (Open Source Intelligence)
Reference: http://resources.infosecinstitute.com/penetration-testing-methodologies-and-standards/
Who is the “Blue Team”?
Blue Team
• SOC, Incident Response Team, Security Analysts, etc.
• Detection of attacks and penetration tests
• Response to attacks and penetration tests
• Recovery from data leakage, tampering or compromise
• Collection of the evidence left by the attacker or penetration tester
• Prevention and better detection of future attacks
Blue Team
• Threat Intelligence
• Malware and Exploit - Reverse Engineering
• Digital Forensics
• Security Monitoring
Reference: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Basically, in many companies
• Red Team and Blue Team are kept as separate jobs and keep fighting each other.
• Feedback loops consist of reports being tossed over the wall, if they are shared at all.
• Emphasis is placed on remediating vulnerabilities rather than on growing prevention and detection capability.
Misleading view from the top
• Attack
  • Scary report = Well done.
  • Can bypass = Well done.
• Defend
  • Server works fine = Well done.
  • Detect and respond = Well done.
  • No alerts or fewer alerts = Well done.
So, who is the “Purple Team”?
Purple Team
• Combine the skill sets and fill the gaps.
• Change the mindset of both Red Team and Blue Team.
• No alerts doesn't mean no incident.
• A scary report must come with full disclosure.
• The goal of both teams is “improving the security of the organization”.
Purple Team Conversation
Scenario #1
• Red Team: Can pwn an internal PC and use it to steal data from other servers.
• Blue Team: Alerts when the Red Team does something suspicious in the internal network.
• Purple Team: Alert, then discuss with the Red Team: what did the Blue Team miss, and what should be done next?
• Result: Coverage of the incident response breach scenario.
[Diagram: baseline network: Users, AD 1, AD 2, ..., FW, Server1, Server2, Server3]
[Diagram: same network; the Infected PC brute forces the AD]
[Diagram: same network; the Infected PC gets a successful logon to the AD, a successful SSH brute force against the servers, and sends C&C traffic to the Hacker's C&C server]
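The three diagram stages above map to three detections a Blue Team would want in place before the Scenario #1 conversation starts: a credential spray against the AD that ends in a success, an SSH brute force that ends in a success, and periodic C&C beaconing from the compromised PC. Below is an added example (not from the slides) that runs each detection over constructed sample telemetry: Windows Security events 4625/4624 from the AD, an sshd auth.log excerpt from a server, and a firewall connection log. The thresholds (five failures in a minute, three failures before an SSH success, five or more evenly spaced connections) and all hosts, IPs and account names are assumptions.

```python
"""Detections for the Scenario #1 attack chain over constructed sample telemetry."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed Windows Security events from AD 1: (timestamp, EventID, source IP, account).
# EventID 4625 = failed logon, 4624 = successful logon.
AD_EVENTS = [
    ("2016-10-01T09:00:01", 4625, "10.0.5.23", "alice"),
    ("2016-10-01T09:00:02", 4625, "10.0.5.23", "bob"),
    ("2016-10-01T09:00:02", 4625, "10.0.5.23", "carol"),
    ("2016-10-01T09:00:03", 4625, "10.0.5.23", "dave"),
    ("2016-10-01T09:00:04", 4625, "10.0.5.23", "erin"),
    ("2016-10-01T09:00:05", 4624, "10.0.5.23", "svc_backup"),  # the spray found a password
    ("2016-10-01T09:03:10", 4625, "10.0.7.9", "frank"),        # one mistyped password, benign
    ("2016-10-01T09:03:15", 4624, "10.0.7.9", "frank"),
]

# Constructed /var/log/auth.log excerpt from Server2.
SSH_LOG = """\
Oct  1 09:01:10 server2 sshd[2201]: Failed password for root from 10.0.5.23 port 51020 ssh2
Oct  1 09:01:11 server2 sshd[2203]: Failed password for invalid user admin from 10.0.5.23 port 51021 ssh2
Oct  1 09:01:11 server2 sshd[2205]: Failed password for root from 10.0.5.23 port 51022 ssh2
Oct  1 09:01:12 server2 sshd[2207]: Failed password for deploy from 10.0.5.23 port 51023 ssh2
Oct  1 09:01:12 server2 sshd[2209]: Failed password for deploy from 10.0.5.23 port 51024 ssh2
Oct  1 09:01:13 server2 sshd[2211]: Accepted password for deploy from 10.0.5.23 port 51025 ssh2
Oct  1 09:02:40 server2 sshd[2250]: Accepted publickey for ops from 10.0.7.9 port 40022 ssh2
"""

# Constructed firewall connection log: (timestamp, src IP, dst IP, dst port).
# 10.0.5.23 calls 203.0.113.45 about once a minute (beacon); 10.0.7.9 browses normally.
FW_CONN = [("2016-10-01T09:%02d:%02d" % (m, s), "10.0.5.23", "203.0.113.45", 443)
           for m, s in [(10, 0), (11, 0), (12, 1), (13, 0), (14, 0), (15, 1), (16, 0)]]
FW_CONN += [("2016-10-01T09:10:30", "10.0.7.9", "198.51.100.7", 443),
            ("2016-10-01T09:13:52", "10.0.7.9", "198.51.100.7", 443)]

SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) (?:password|publickey) for "
                    r"(?:invalid user )?(\S+) from (\S+) port")


def detect_ad_bruteforce(events, threshold=5, window_s=60):
    """Flag a source with >= threshold failed logons within window_s seconds and report
    the first successful logon from that source afterwards (a brute force that worked)."""
    by_src = defaultdict(list)
    for ts, eid, src, user in events:
        by_src[src].append((datetime.fromisoformat(ts), eid, user))
    alerts = []
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == 4625]
        for i in range(len(fails)):
            j = i
            while j + 1 < len(fails) and (fails[j + 1][0] - fails[i][0]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                success = next((e for e in evs if e[1] == 4624 and e[0] >= fails[i][0]), None)
                alerts.append({"src": src, "failures": j - i + 1,
                               "targets": sorted({f[2] for f in fails[i:j + 1]}),
                               "success_user": success[2] if success else None})
                break
    return alerts


def detect_ssh_bruteforce(log_text, threshold=3):
    """Count failed sshd logins per source; alert when a success follows >= threshold failures."""
    fails, alerts = defaultdict(int), []
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            fails[src] += 1
        elif fails[src] >= threshold:
            alerts.append({"src": src, "user": user, "failures_before_success": fails[src]})
    return alerts


def detect_beacons(conns, min_count=5, max_jitter=0.1):
    """Group connections by (src, dst, port); flag long, evenly spaced series (low jitter)."""
    groups = defaultdict(list)
    for ts, src, dst, port in conns:
        groups[(src, dst, port)].append(datetime.fromisoformat(ts))
    alerts = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
        if jitter <= max_jitter:
            alerts.append({"src": src, "dst": dst, "port": port,
                           "interval_s": round(mean, 1), "count": len(times)})
    return alerts


if __name__ == "__main__":
    for alert in detect_ad_bruteforce(AD_EVENTS) + detect_ssh_bruteforce(SSH_LOG) + detect_beacons(FW_CONN):
        print(alert)
```

Each function returns its alerts rather than only printing them, so the Purple Team exercise can be scripted: the Red Team runs the spray, the SSH brute force and the beacon; the Blue Team checks that all three rules fire; any rule that stays silent becomes the "what did we miss" discussion from Scenario #1 (for instance, a slower spray than one attempt per second, or a beacon with more jitter than 10%).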
Scenario #2
• Blue Team: Monitors psexec usage (Event ID 7045 in the System log: a service was installed) and gets the Red Team to test it, including whether psexec alternatives are caught as well.
• Red Team: Finds other ways to run psexec-like tools (winexe, msf psexec, impacket, etc.).
• Result: Blue Team reaches its goal. Red Team has sharpened its skills.
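Event ID 7045 records every service installation, which is why it catches Sysinternals PsExec (its service and binary are named PSEXESVC by default) and also service-based alternatives such as msf psexec and impacket's psexec, which install services under generated names and often point the service image at a binary copied into ADMIN$ or at a command interpreter. Below is an added example (not from the slides) that triages constructed 7045 records by their EventData fields. The field names are the real ones (ServiceName, ImagePath, AccountName); the sample records, the random-name heuristic and the %SystemRoot% drop heuristic are assumptions. Caveat for the Purple Team discussion: 7045 also fires for legitimate installs, PsExec's -r switch renames the service, and WMI-based execution (impacket wmiexec, for example) installs no service at all, so this is one signal the Red Team should try to get around, not a complete control.

```python
"""Triage of Windows System-log Event ID 7045 (service installed) for PsExec-style execution."""
import re

# Constructed 7045 records flattened to their EventData fields (not real events).
EVENTS_7045 = [
    {"Computer": "SERVER1", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"Computer": "SERVER2", "ServiceName": "kXhT",
     "ImagePath": r"%systemroot%\nWaLJUzp.exe", "AccountName": "LocalSystem"},
    {"Computer": "SERVER3", "ServiceName": "tGjYqRPsLmKdWNcE",
     "ImagePath": r"%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -e aGVsbG8=",
     "AccountName": "LocalSystem"},
    {"Computer": "WS-042", "ServiceName": "AcmeUpdater",   # benign software install
     "ImagePath": r'"C:\Program Files\Acme\AcmeUpdater.exe" /svc', "AccountName": "LocalSystem"},
]

SHELL_HOSTS = ("%comspec%", "cmd.exe", "powershell", "rundll32", "mshta", "wscript", "cscript")
# Heuristic (assumption): a short-named binary sitting directly under the system root, which is
# where a file written to the ADMIN$ share lands.
SYSROOT_DROP = re.compile(r"^(%systemroot%|%windir%|c:\\windows)\\[a-z0-9_-]{1,16}\.exe\s*$", re.I)


def looks_random(name, max_vowel_ratio=0.2):
    """Heuristic (assumption): alphabetic service names with almost no vowels are usually generated."""
    if len(name) < 4 or not name.isalpha():
        return False
    vowels = sum(ch in "aeiouAEIOU" for ch in name)
    return vowels / len(name) < max_vowel_ratio


def triage_7045(ev):
    """Return the list of reasons a 7045 record looks like remote service execution (empty = benign)."""
    reasons = []
    name, path = ev["ServiceName"], ev["ImagePath"]
    if name.lower() == "psexesvc" or "psexesvc" in path.lower():
        reasons.append("Sysinternals PsExec default service name or binary")
    if SYSROOT_DROP.match(path):
        reasons.append("service binary dropped directly under %SystemRoot%")
    if any(h in path.lower() for h in SHELL_HOSTS):
        reasons.append("service image is a command interpreter or script host")
    if looks_random(name):
        reasons.append("service name looks randomly generated")
    return reasons


def suspicious_service_installs(events):
    """Keep only the records that triggered at least one reason."""
    return [{"Computer": ev["Computer"], "ServiceName": ev["ServiceName"], "reasons": triage_7045(ev)}
            for ev in events if triage_7045(ev)]


if __name__ == "__main__":
    for hit in suspicious_service_installs(EVENTS_7045):
        print(hit)
```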
Scenario #3
• Blue Team: Wants to detect and block ransomware.
• Red Team: Tests it with brand-new ransomware (written by the team, so unknown to signature-based products).
• Result: Blue Team can test the security product against a real sample. Red Team gets a new surface to test.
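For Scenario #3 the Blue Team needs detections that do not depend on knowing the sample, since the Red Team's ransomware is new by design. Below is an added example (not from the slides) of two behavioural rules run over a constructed EDR-style file-activity stream: a burst of high-entropy rewrites combined with double-extension renames by one process, and any write to a canary (honeyfile) document. The entropy threshold, burst size, window, extension list and all paths and process names are assumptions; the ciphertext stand-in is deterministic pseudo-random bytes, not the output of any real encryptor.

```python
"""Behavioural ransomware detection over an EDR-style file-activity stream (Scenario #3)."""
import hashlib
import math
import re
from collections import defaultdict
from datetime import datetime


def shannon_entropy(data):
    """Bits per byte: text sits around 4 to 5, encrypted or compressed data close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


# Constructed payloads: a plain-text document, and deterministic pseudo-random bytes standing in
# for ciphertext (SHA-256 of a counter, so the example is reproducible; not a real encryptor).
PLAIN = b"Quarterly report: revenue grew 4% quarter over quarter and costs held flat. " * 16
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))

CANARY = r"C:\Users\alice\Documents\_canary_do_not_open.docx"   # honeyfile no user should write
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|jpe?g)\.\w+$", re.I)  # e.g. report.docx.locked

# Constructed file events: (timestamp, pid, process, operation, path, bytes written or None).
FILE_EVENTS = [
    ("2016-10-01T10:00:00", 1188, "WINWORD.EXE", "write", r"C:\Users\alice\Documents\budget.docx", PLAIN),
    ("2016-10-01T10:00:01", 1188, "WINWORD.EXE", "write", r"C:\Users\alice\Documents\notes.docx", PLAIN),
]
for i in range(6):   # invoice.exe rewrites six documents and renames each, two seconds apart
    doc = r"C:\Users\alice\Documents\report%d.docx" % i
    FILE_EVENTS.append(("2016-10-01T10:05:%02d" % (2 * i), 4412, "invoice.exe", "write", doc, CIPHERTEXT))
    FILE_EVENTS.append(("2016-10-01T10:05:%02d" % (2 * i + 1), 4412, "invoice.exe", "rename", doc + ".locked", None))
FILE_EVENTS.append(("2016-10-01T10:05:13", 4412, "invoice.exe", "write", CANARY, CIPHERTEXT))


def detect_ransomware(events, entropy_threshold=7.0, min_files=5, window_s=30):
    """Two rules per process: (1) >= min_files high-entropy writes inside window_s seconds together
    with >= min_files renames to a double extension; (2) any write to the canary file."""
    alerts, fired = [], set()
    hot = defaultdict(list)      # pid -> timestamps of high-entropy writes
    renames = defaultdict(int)   # pid -> renames that appended an extension
    for ts, pid, proc, op, path, data in events:
        t = datetime.fromisoformat(ts)
        if op == "write" and path.lower() == CANARY.lower():
            alerts.append({"pid": pid, "process": proc, "rule": "canary file written"})
        if op == "write" and data is not None and shannon_entropy(data) >= entropy_threshold:
            hot[pid].append(t)
        if op == "rename" and DOUBLE_EXT.search(path):
            renames[pid] += 1
        recent = [x for x in hot[pid] if (t - x).total_seconds() <= window_s]
        if pid not in fired and len(recent) >= min_files and renames[pid] >= min_files:
            alerts.append({"pid": pid, "process": proc, "rule": "mass high-entropy rewrite",
                           "files": len(recent), "renames": renames[pid]})
            fired.add(pid)
    return alerts


if __name__ == "__main__":
    for alert in detect_ransomware(FILE_EVENTS):
        print(alert)
```

The mass-rewrite rule fires on the fifth rename, several files into the run, which is the point the Purple Team should argue about: a product that only "detects" after most documents are encrypted has not met the Blue Team's "detect and block" goal, and the canary rule exists precisely to fire earlier and independently of how the Red Team's sample behaves.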
Scenario #4
• Blue Team: Wants to block all PowerShell commands (Group Policy, AppLocker, etc.).
• Red Team: Tests and tries to find a way around it (MSBuildShell, unmanaged PowerShell, etc.).
• Result: Blue Team can block PowerShell and similar things. Red Team has sharpened its skills.
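The Red Team's bypasses in Scenario #4 work because AppLocker and Group Policy rules on powershell.exe constrain one host process, not the PowerShell engine itself: System.Management.Automation.dll can be loaded by any .NET process (unmanaged PowerShell), and MSBuild.exe, a signed Microsoft binary, will compile and run inline C# from a project file (MSBuildShell). A Blue Team that wants the block to hold therefore also needs detections on those behaviours. Below is an added example (not from the slides) that applies two such rules to constructed Sysmon-style records (Event ID 7 image load, Event ID 1 process create). The host allowlist, the expected MSBuild parents, the user-writable path list and all sample paths are assumptions to tune per environment.

```python
"""Detecting PowerShell that runs without powershell.exe, and MSBuild used as a shell (Scenario #4)."""

# Constructed Sysmon records (not real telemetry): EventID 7 = ImageLoad, EventID 1 = ProcessCreate.
SYSMON_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": r"C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation.ni.dll"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\Users\alice\Downloads\shell.csproj",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Visual Studio\2017\Professional\MSBuild\15.0\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2017\Professional\Common7\IDE\devenv.exe"},
]

PS_ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
PS_HOSTS = {"powershell.exe", "powershell_ise.exe", "pwsh.exe"}   # processes expected to host the engine
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}         # parents expected to launch MSBuild
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\downloads\\", "\\appdata\\", "\\programdata\\")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage_sysmon(ev):
    """Return an alert string for the record, or None when it is expected behaviour."""
    if ev["EventID"] == 7 and basename(ev["ImageLoaded"]) in PS_ENGINE_DLLS:
        host = basename(ev["Image"])
        if host not in PS_HOSTS:
            return f"unmanaged PowerShell: engine loaded by {host} ({ev['Image']})"
    if ev["EventID"] == 1 and basename(ev["Image"]) == "msbuild.exe":
        parent = basename(ev["ParentImage"])
        cmd = ev["CommandLine"].lower()
        if parent not in BUILD_PARENTS or any(d in cmd for d in USER_WRITABLE):
            return f"MSBuild outside a build context: parent={parent} cmdline={ev['CommandLine']}"
    return None


def alerts_for(events):
    """All non-None alerts for a batch of records."""
    return [a for a in (triage_sysmon(e) for e in events) if a]


if __name__ == "__main__":
    for alert in alerts_for(SYSMON_EVENTS):
        print(alert)
```

The first rule is the important one for this scenario: a policy that denies powershell.exe produces no event at all when the engine is hosted elsewhere, so the image-load rule is what tells the Blue Team that the "block" was walked around. The MSBuild rule is noisier on developer workstations, which is exactly the kind of tuning the Purple Team conversation should settle.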
Scenario #5
• Blue Team normally takes 10 minutes to detect a “suspicious event”. How can it detect and respond within 1 minute?
• Red Team shows what a “suspicious event” looks like.
• Result: Better monitoring and response plans.
Questions?
References
• https://danielmiessler.com/study/red-blue-purple-teams/#gs.null
• https://www.rsaconference.com/writable/presentations/file_upload/air-w02-the-rise-of-the-purple-team.pdf
• http://carnal0wnage.attackresearch.com/2016/03/more-on-purple-teaming.html
• http://tacticaledge.co/presos/Jorge%20Orchilles%20-%20Purple%20Team%20-%20Evolving%20Red%20vs%20Blue%20-%20Tactical%20Edge.pdf
• http://www.slideshare.net/chrisgates/purple-teaming-the-cyber-kill-chain-practical-exercises-for-everyone-sector-2016