Red + Blue = Purple: How to execute purple team exercises even if you think you can’t presented at BSidesAthens 2018

by Isidoros Monogioudis

Summary: The benefits of Red and Blue Teams working together have become more widely accepted in recent years, popularizing the concept of Purple Teaming. But how can a small organization or enterprise implement a Purple Team? What human and technical resources are needed? Where do you start? What preparation is required? And how long does it take to execute? These questions often lead to the assumption that a specially trained team with highly sophisticated technical skills and resources is needed. While most security teams would ideally have these resources at their disposal, we know this is not the reality for most organizations. However, this presentation will demonstrate how even small IT security teams can benefit from executing Purple Team exercises at a smaller scale, by splitting tasks and following well-known, documented techniques to evaluate their defensive toolset. The presentation will highlight how Purple Team exercises can be carried out in practice without a sophisticated, dedicated Red Team. It will show how these exercises can become part of the internal Information Security Management System (ISMS) program, improving an organization's security posture and evaluating current security measures and gaps. In particular, the presentation will focus on how reference models such as MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) can be used to define metrics and threat models tailored to each individual organization, increasing the value of the exercise's findings. In this context, security controls are continuously evaluated and improved by being tested against a framework that covers both the most basic and the most sophisticated attack methods available to adversaries.
Isidoros will also provide examples (including privilege escalation attempts and command and control communication) of how predefined, well-prepared attacks using open source tools can be tested, and which security metrics and controls should be included for mitigation. For example, by using the ATT&CK matrix, IT security teams can map each tested attack to the associated defensive techniques, controls, tools and commands, clearly demonstrating the feasibility and effectiveness of each attack against the current defences. Finally, Isidoros will explain how the results of Purple Teaming exercises can be most effectively communicated.
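The abstract's core practical idea is to record every red-side test against its ATT&CK technique, note which blue-side control prevented or detected it, and turn the outcomes into metrics. The following script is an added example of that bookkeeping and is not material from the talk: the exercise log is constructed, the procedure and control descriptions are assumptions, and the technique names follow the ATT&CK matrix of the time (several, such as T1003 and T1105, have been renamed in later versions; the IDs themselves are stable).

```python
"""Added example: map purple-team test cases onto ATT&CK techniques and
compute prevention/detection coverage per tactic plus a list of gaps.
Not code from the presentation; all test data below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class TestCase:
    technique_id: str   # ATT&CK technique ID
    technique: str      # technique name as in the 2018-era matrix (assumed)
    tactic: str         # ATT&CK tactic the test is filed under
    procedure: str      # what the red side ran (constructed description)
    control: str        # blue-side control expected to stop or see it (assumed)
    prevented: bool     # the control blocked the action
    detected: bool      # the blue side produced and found an alert or log entry


# Constructed exercise log mirroring the abstract's examples: two privilege
# escalation attempts, one credential access step, two command-and-control checks.
CASES: List[TestCase] = [
    TestCase("T1068", "Exploitation for Privilege Escalation", "Privilege Escalation",
             "public local privilege escalation PoC run as a standard user",
             "EDR exploit mitigation", prevented=False, detected=True),
    TestCase("T1078", "Valid Accounts", "Privilege Escalation",
             "interactive logon with a harvested local administrator account",
             "SIEM rule: local admin interactive logon", prevented=False, detected=False),
    TestCase("T1003", "Credential Dumping", "Credential Access",
             "open-source tool reading LSASS memory",
             "EDR: LSASS access from unsigned process", prevented=True, detected=True),
    TestCase("T1071", "Standard Application Layer Protocol", "Command and Control",
             "HTTP beacon from an open-source C2 framework to a lab server",
             "proxy logs + periodic-beacon detection", prevented=False, detected=True),
    TestCase("T1105", "Remote File Copy", "Command and Control",
             "second-stage download over HTTP",
             "web proxy category block", prevented=True, detected=True),
]


def coverage_by_tactic(cases: Iterable[TestCase]) -> Dict[str, Dict[str, int]]:
    """Per-tactic counts: tests run, prevented, detected, and missed
    (neither prevented nor detected). A prevented test may also be detected."""
    summary: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"total": 0, "prevented": 0, "detected": 0, "missed": 0})
    for case in cases:
        row = summary[case.tactic]
        row["total"] += 1
        row["prevented"] += int(case.prevented)
        row["detected"] += int(case.detected)
        row["missed"] += int(not (case.prevented or case.detected))
    return dict(summary)


def gaps(cases: Iterable[TestCase]) -> List[str]:
    """Technique IDs where no control fired: the findings to prioritize."""
    return [c.technique_id for c in cases if not (c.prevented or c.detected)]


def overall_visibility(cases: Iterable[TestCase]) -> float:
    """Fraction of tested techniques that were prevented or detected."""
    cases = list(cases)
    seen = sum(1 for c in cases if c.prevented or c.detected)
    return seen / len(cases) if cases else 0.0


def report(cases: Iterable[TestCase]) -> str:
    """Plain-text summary that can be filed with the ISMS review record."""
    cases = list(cases)
    lines = ["Tactic | Tests | Prevented | Detected | Missed"]
    for tactic, row in coverage_by_tactic(cases).items():
        lines.append(f"{tactic} | {row['total']} | {row['prevented']} | "
                     f"{row['detected']} | {row['missed']}")
    lines.append(f"Overall visibility: {overall_visibility(cases):.0%}")
    for c in cases:
        if not (c.prevented or c.detected):
            lines.append(f"GAP {c.technique_id} {c.technique}: "
                         f"'{c.procedure}' passed '{c.control}' unnoticed")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CASES))
```

Keeping the three outcomes separate (prevented, detected, missed) matters for communicating results: a prevented test says nothing about whether the SOC would have seen a variant that slipped past the blocking control, so the detected column is the one that measures visibility, while the missed list is the concrete work item for the blue side.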