The Rise of the Purple Team

Similar documents
USE CASE IN ACTION Splunk + Komand

All the Cool Kids Are Red Teaming Should You Be Drinking the Kool-aid Too?

Live Adversary Simulation: Red and Blue Team Tactics

RastaLabs Red Team Simulation Lab

K12 Cybersecurity Roadmap

Incident Response Agility: Leverage the Past and Present into the Future

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

Reducing the Cost of Incident Response

Trustwave Managed Security Testing

IMEC Cybersecurity for Manufacturers Penetration Testing and Top 10

Cloud and Cyber Security Expo 2019

RSA IT Security Risk Management

10x Increase Your Team s Effectiveness by Automating the Boring Stuff

n Explain penetration testing concepts n Explain vulnerability scanning concepts n Reconnaissance is the first step of performing a pen test

ICS Security Monitoring

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

RSA INCIDENT RESPONSE SERVICES

Qualys Indication of Compromise

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

SOLUTION BRIEF ASSESSING DECEPTION TECHNOLOGY FOR A PROACTIVE DEFENSE

Security analytics: From data to action Visual and analytical approaches to detecting modern adversaries

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

RiskSense Attack Surface Validation for IoT Systems

State of the. Union. (or: How not to use Krebs as an IDS ) (Information Security) Jeff McJunkin Senior Technical Analyst Counter Hack Challenges

SECURITY AUTOMATION BEST PRACTICES. A Guide on Making Your Security Team Successful with Automation SECURITY AUTOMATION BEST PRACTICES - 1

RSA NetWitness Suite Respond in Minutes, Not Months

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Novetta Cyber Analytics

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Un SOC avanzato per una efficace risposta al cybercrime

Pieter Wigleven Windows Technical Specialist

RSA INCIDENT RESPONSE SERVICES

Bad Intelligence: Or how I learned to stop buying and love the basics

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Building a Threat-Based Cyber Team

Incident Response Services

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

A Risk Management Platform

Introduction to Threat Deception for Modern Cyber Warfare

THREAT INTEL AND CONTENT CURATION: ORGANIZING THE PATH TO SUCCESSFUL DETECTION

Think Like an Attacker

Security Operations 2018: What is Working? What is Not.

THE SIX ESSENTIAL CAPABILITIES OF AN ANALYTICS-DRIVEN SIEM

Building Resilience in a Digital Enterprise

THE EFFECTIVE APPROACH TO CYBER SECURITY VALIDATION BREACH & ATTACK SIMULATION

EFFECTIVELY TARGETING ADVANCED THREATS. Terry Sangha Sales Engineer at Trustwave

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

ICS Penetration Testing

Overview of the. Computer Security Incident Response Plan. Process Resource Center

Transforming Security from Defense in Depth to Comprehensive Security Assurance

How Breaches Really Happen

Incident Play Book: Phishing

CompTIA Cybersecurity Analyst+ (CySA+) Course Outline. CompTIA Cybersecurity Analyst+ (CySA+) 17 Sep 2018

Getting Security Operations Right with TTP0

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

Security Automation Best Practices

SECURITY AUTOMATION BEST PRACTICES. A Guide to Making Your Security Team Successful with Automation

CASE STUDY. How 16 Penetration Tests Missed A Vulnerability Which Could ve Cost One Company Over $103 Million In PCI Fines

IBM Resilient Incident Response Platform On Cloud

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

Application Security Approach

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

Security Operations & Analytics Services

CYBERSECURITY PENETRATION TESTING - INTRODUCTION

ATTIVO NETWORKS THREATDEFEND PLATFORM INTEGRATION WITH CISCO SYSTEMS PROTECTS THE NETWORK

First Look Showcase. Expanding our prevention, detection and response solutions. Marco Rottigni Chief Technical Security Officer, Qualys, Inc.

Nebraska CERT Conference

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

First Look Showcase. Expanding our prevention, detection and response solutions. Sumedh Thakar Chief Product Officer, Qualys, Inc.

Building a Resilient Security Posture for Effective Breach Prevention

Fighting Phishing I: Get phish or die tryin.

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Training for the cyber professionals of tomorrow

4/13/2018. Certified Analyst Program Infosheet

One Hospital s Cybersecurity Journey

Protect Your Organization from Cyber Attacks

LTI Security Services. Intelligent & integrated Approach to Cyber & Digital Security

Behavioral Analytics A Closer Look

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

Reinvent Your 2013 Security Management Strategy

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

ATT&CKing for better Defense: An Introduction to the MITRE ATT&CK Framework

Cisco Cyber Range. Paul Qiu Senior Solutions Architect

Advanced Security Tester Course Outline

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Managed Security Services - Automated Analysis, Threat Analyst Monitoring and Notification

Readiness, Response & Resilence:

Vulnerability Assessments and Penetration Testing

Are we breached? Deloitte's Cyber Threat Hunting

CYBER RESILIENCE & INCIDENT RESPONSE

C T I A CERTIFIED THREAT INTELLIGENCE ANALYST. EC-Council PROGRAM BROCHURE. Certified Threat Intelligence Analyst 1. Certified

WHITEPAPER ATTIVO NETWORKS DECEPTION TECHNOLOGY FOR MERGERS AND ACQUISITIONS

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

From Managed Security Services to the next evolution of CyberSoc Services

Managed Enterprise Phishing Protection. Comprehensive protection delivered 24/7 by anti-phishing experts

How to Prepare a Response to Cyber Attack for a Multinational Company.

Transcription:

SESSION ID: AIR-W02 The Rise of the Purple Team Robert Wood Head of Security Nuna @robertwood50 William Bengtson Senior Security Program Manager Nuna @waggie2009

Typical Team Responsibilities Red Vulnerability scanning Social engineering Physical and digital pentesting (typically done in a vacuum) Open source intelligence gathering Blue Threat intelligence Malware and exploit reverse engineering Digital forensics Active monitoring 2

Overlap 3

Current State and often operate in a vacuum on a day-to-day basis, sometimes even within their own teams Feedback loops consist of reports being tossed over the wall if shared at all Emphasis is given on remediation of vulnerabilities rather than prevention and detection growth Teams are incentivized by their ability to outwit the other side are often composed at least partially of outsourced groups 4

5

Team Structure and Incentives

7

Org Chart Issues Teams typically report to different leads with different agenda, objectives, etc. 8

Misaligned Incentives Red Team Big scary report = job well done Success is dependent on how many controls the team can bypass (Blue team failure points) Blue Team No alerts = preventative controls all worked! A lot of alerts means that detection capabilities are firing on all cylinders 9

Aligned Incentives Purple Team Big scary report = improvements No alerts = badly tuned SIEM No attack success = New TTPs for Success is improvement in both attack and defense 10

Red Teaming What does company? look like at your

Approach Passive reconnaissance OSINT Active reconnaissance Social engineering Emails Physical Port scans Service discovery Vulnerability referencing CVE? 12

What should it look like?

Approach Passive reconnaissance OSINT Active reconnaissance Social engineering Emails Physical Port scans Service discovery Vulnerability referencing CVE? 14

Feedback Loops

How d you do that? Team paring: Allow the to see how things work: Exploits Pivoting Credential harvesting Allow the to see how things work: Active monitoring and alerts Response playbook Policies What are the specific forensic artifacts from all of the above? Do we understand why these attacks are succeeding? 16

Can you see me now? During vulnerability scans and more in depth exploit attempts: Does the have logs of all attack activity? Are alerts set up for successful or continued attempts? Does the know how to query logs for attack activity? What is the response procedure for the various scans and attacks that are attempted? Each of the above represent a potential gap that can be improved upon This can occur for all parts of an organization (corporate network, product, badging systems, employee workstations, etc.) 17

Who told you that? Manage social engineering campaigns together Use experience with real campaigns to drive more realistic campaigns Use alerting to modify your TTPs for Use to monitor results and cross-reference with reporting from employees 18

Outsourced Help Engage during scoping efforts and regular touch points where possible for interactive discussions Push to deliver bug reports (i.e. JIRA tickets) instead of 100 page PDFs for tighter integration into remediation workflows Removes a translation step for Have keep a journal of where, how, and what attacks are conducted for future cross-reference with hunt teams 19

Metrics for Success

What do I measure? Do I measure or? BOTH! 21

Metrics Attack complexity Number of targets Duration of exercises Boxes compromised Users compromised Historical data 22

Email Campaign 23

Vulnerabilities Across Enterprise 24

Metrics Attacks Detected Detection Time Response Time Forensic Information Improvement from Previous Tests 25

Attacks By Protocol 26

True vs. False Positives 27

Login Attempts https://labs.opendns.com/2013/05/24/big-data-driven-security-with-splunk/ 28

Purple Team Metrics Measure improvement scan over scan Measure growth in team knowledge learning playbook learning TTPs 29

Apply It

What should you apply? Proactive protection Tabletop exercises Threat modeling Security assessments 31

Next Week Pairing (tester + responder) Walk through common techniques Walk through protection mechanisms in place Identify gaps Improve on these gaps 32

3 Months Out Pairing (tester + responder) exercises with pairing Execute discovery or payload, determine if it is detectable See what is currently being monitored to determine what tactic to use Communication between teams to allow growth 33

6 Months Out Pairing (tester + responder) understands what is being monitored and alerted on. Starts to think what would happen if another vector was used instead starts to predict attacks and provides preventative measures instead of responsive 34

6+ Months Pairing (tester + responder) Continued security exercises Each iteration continues to advance in techniques used Each cycle improves overall security stature 35

Questions? Robert Wood batman@nuna.com @robertwood50 Will Bengtson punisher@nuna.com @waggie2009 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback