Purple Teaming the Cyber Kill Chain - SecTor
@haydnjohnson @carnal0wnage
Purple Teaming the Cyber Kill Chain
Practical Exercises for Management Everyone
whoami
Chris Gates - Sr. Incident Response Engineer - Uber Inc.
Twitter: @carnal0wnage
Blog: carnal0wnage.attackresearch.com
Talks: slideshare.net/chrisgates
Haydn Johnson - Security Consultant - Researcher
Twitter: @haydnjohnson
Talks: BsidesTO (2015, 2016), Circle City Con, BsidesLV
Big 4 experience
http://www.slideshare.net/HaydnJohnson
Overview
1. Terminology for our discussion
2. Explain this Cyber Kill Chain (CKC) thing
3. Use CKC to plan possible Purple Team exercises
4. Purple Team Story Time
Terminology
Vulnerability Assessment Person - Run Vuln Scanner….hey client you suck
Penetration Tester - Metasploit /MSF PRO (FTW)...hey client you suck
Red Teaming - Phish, move laterally, find “sensitive stuff”, maybe custom implant...hey client you suck
Purple Teaming - You did all the above, but got to charge for an extra body and to tell the client how they suck in person
No Really...
Red Teaming - “Red Team engagements are the full spectrum warfare of security assessments. In a red team engagement, the consultants attack the client organization using physical means, social engineering, and technological avenues.”
From: http://winterspite.com/security/phrasing/
From: Chris Nickerson, Lares Consulting
You can’t Red Team yourself
But you sure as hell can conduct training...and detection/protection validation
http://redteamjournal.com/red-teaming-laws/
Purple Team Process
No Really...
Purple Teaming - Conducting focused pentesting (up to Red Teaming) with clear training objectives for the Blue Team.
It isn't a "can you get access to X" exercise; it is a "train the Blue Team on X" exercise. The Red Team activities are a means to conduct realistic training.
More here: http://carnal0wnage.attackresearch.com/2016/03/more-on-purple-teaming.html
Purple Teaming Process
Training Exercise!
1. The primary result of the exercise is to create an intrusion event (aka get caught) to test instrumentation (host/network), validate detection processes and procedures, validate protections in place, and force response procedures and post mortems.
This differs from a Red Team, where the primary goal is to NOT get caught.
Purple Teaming Process
Training Exercise + work the IR process
Investigate Logging vs Alert + action
○ Is the event logged at all?
○ Logged event != alert
○ Does alert == action taken?
○ Purple Team it!
But I need ideas for scenarios!
https://github.com/kbandla/APTnotes
https://github.com/aptnotes/
TRANSITION SLIDE
Handy transition slide
Pyramid of Pain
http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Lockheed Martin Cyber Kill Chain
Worst. Name. Ever.
“The seven steps of the Lockheed Martin Cyber Kill Chain® enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques and procedures.”
http://cyber.lockheedmartin.com/solutions/cyber-kill-chain
CKC is a great idea!
This is an integrated, end-to-end process described as a “chain” because any one deficiency will interrupt the entire process.
AKA:
Any deficiency in the attacker's chain will interrupt the entire process
How to use CKC
Using the CKC to drive Exercises
http://csrc.nist.gov/cyberframework/framework_comments/20131213_charles_alsup_insa_part3.pdf
Using the CKC to drive Exercises
● Rather than consolidate all attacker activities into a single chart, we **could** create charts for various attack types or CKC steps.
● This would force us to identify and DOCUMENT an organization’s methods to Detect, Deny, Disrupt, Degrade, Deceive & Contain (Destroy) for any attack type.
● As an added bonus, it creates Purple Team exercises for us when we create a plan to validate the info in the chart.
https://nigesecurityguy.wordpress.com/tag/cyber-kill-chain/
Example Attack Types
https://attack.mitre.org/wiki/Main_Page
Mimikatz Example
● Mimikatz affects almost all organizations
● Outline your defenses against the tool
○ AV
○ Md5
○ Command line usage
○ Code certificate details
○ Windows Hardening
○ Detection (via ATA)
● https://adsecurity.org/?page_id=1821
Mimikatz Example
Purple Team
● Pack, Recompile, Sign with different code sign certificate
● Powershell mimikatz
● Various whitelist bypass techniques
● Validate
○ Protected User Groups
○ LSA Protection
○ Registry changes prevent wdigest clear text
○ Alerting!
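The three "Validate" items above can be checked from the Blue Team side before the Red Team step runs, so the chart records what is actually configured rather than what is believed. The following PowerShell is an added example, not code from the talk or its authors: it reads the LSA Protection and WDigest settings from the registry and, where the RSAT ActiveDirectory module is available, checks Protected Users membership for a list of accounts you supply. The expected values are the widely documented ones (RunAsPPL = 1, UseLogonCredential = 0); the function name, output shape and sample account names are my own.

```powershell
# Added example (not from the talk): pre-exercise validation of the
# credential-hardening controls on the Mimikatz slide. Read-only; run on a
# domain-joined host with local admin rights.

function Test-CredentialHardening {
    [CmdletBinding()]
    param(
        # Accounts you expect to find in Protected Users (your tier-0 admins).
        # Constructed default; replace with your own account list.
        [string[]]$ExpectedProtectedUsers = @()
    )

    $results = @()

    # 1. LSA Protection: lsass.exe runs as a Protected Process Light when
    #    HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL is 1.
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
    $observed = if ($null -eq $runAsPpl) { 'not set' } else { $runAsPpl }
    $results += [pscustomobject]@{
        Control  = 'LSA Protection (RunAsPPL)'
        Observed = $observed
        Expected = '1'
        Pass     = ($runAsPpl -eq 1)
    }

    # 2. WDigest: UseLogonCredential = 0 stops clear-text passwords from being
    #    kept in LSASS memory (the "registry changes prevent wdigest clear
    #    text" item). On Windows 8.1 / Server 2012 R2 and later an absent
    #    value means disabled, so absent also passes here.
    $wdKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $useLogonCred = (Get-ItemProperty -Path $wdKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $observed = if ($null -eq $useLogonCred) { 'not set (default off)' } else { $useLogonCred }
    $results += [pscustomobject]@{
        Control  = 'WDigest clear-text caching (UseLogonCredential)'
        Observed = $observed
        Expected = '0 or not set'
        Pass     = ($null -eq $useLogonCred -or $useLogonCred -eq 0)
    }

    # 3. Protected Users: every expected account should be a member of the
    #    built-in group. Requires the ActiveDirectory module (RSAT).
    $members = $null
    try {
        Import-Module ActiveDirectory -ErrorAction Stop
        $members = Get-ADGroupMember -Identity 'Protected Users' -Recursive |
                   Select-Object -ExpandProperty SamAccountName
    } catch {
        Write-Warning "Could not query Protected Users: $($_.Exception.Message)"
    }
    foreach ($acct in $ExpectedProtectedUsers) {
        $inGroup = ($null -ne $members) -and ($members -contains $acct)
        if ($null -eq $members)  { $observed = 'unknown (AD query failed)' }
        elseif ($inGroup)        { $observed = 'member' }
        else                     { $observed = 'NOT a member' }
        $results += [pscustomobject]@{
            Control  = "Protected Users membership: $acct"
            Observed = $observed
            Expected = 'member'
            Pass     = $inGroup
        }
    }

    return $results
}

# Usage: every row with Pass = False is a cell in your CKC chart to fix, or
# a Purple Team exercise to schedule. Account names below are constructed.
Test-CredentialHardening -ExpectedProtectedUsers 'da-admin', 'svc-backup' |
    Format-Table Control, Observed, Expected, Pass -AutoSize
```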
Lateral Movement Example
● We could attempt to document every Lateral Movement tool / technique
● Instead focus on how you detect/protect/respond to a tool or suite of tools
○ Ex: impacket
Lateral Movement -- impacket-psexec.py
Place holder for lateral movement example
Lateral Movement Example
Purple Team
● Run impacket.py in default config
○ Did you detect it?
○ Tweak detection/deny/etc until you do!
● Let your Red Team modify impacket
○ Repeat the detect/deny process until the tool is unusable in your org
● Do your GPO settings prevent most use cases?
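One concrete way to answer "Did you detect it?" after the impacket step, as an added example that is not from the talk: psexec-style tools install a service on the target host, and the Service Control Manager writes every service installation to the System log as event ID 7045. This PowerShell function pulls those events for a time window and flags installs whose binary sits directly in the Windows directory (what a drop over the ADMIN$ share looks like) or outside the usual install locations. The function name, the trusted-path list and the time window are my assumptions; tune them to your estate.

```powershell
# Added example (not from the talk): a Blue Team check for the "did you
# detect it?" step of the impacket exercise. Lists System event ID 7045
# ("A service was installed in the system") and marks the ones that look
# like a remote admin tool dropping its binary onto the target.

function Get-SuspiciousServiceInstall {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$Since = (Get-Date).AddHours(-24),
        # Where legitimately installed services normally live. Assumption:
        # built from the LOCAL environment; adjust when querying a remote host.
        [string[]]$TrustedPrefixes = @(
            "$env:SystemRoot\System32\",
            "$env:SystemRoot\SysWOW64\",
            "$env:ProgramFiles\",
            "${env:ProgramFiles(x86)}\"
        )
    )

    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData order for 7045: ServiceName, ImagePath, ServiceType,
        # StartType, AccountName.
        $svcName   = $e.Properties[0].Value
        $imagePath = [string]$e.Properties[1].Value
        $account   = $e.Properties[4].Value

        # Reduce the ImagePath to the executable: drop surrounding quotes,
        # arguments and expand %SystemRoot%-style variables.
        $exe = ($imagePath -replace '^"([^"]+)".*$', '$1').Split(' ')[0]
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        $trusted = $false
        $inWindowsRoot = $false
        if (-not [string]::IsNullOrWhiteSpace($exe)) {
            foreach ($p in $TrustedPrefixes) {
                if ($exe.StartsWith($p, [StringComparison]::OrdinalIgnoreCase)) { $trusted = $true; break }
            }
            # A binary directly in C:\Windows (not a subfolder) is typical of a
            # file written through the ADMIN$ share and then started as a service.
            $inWindowsRoot = ((Split-Path $exe -Parent) -ieq $env:SystemRoot)
        }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            ServiceName = $svcName
            ImagePath   = $imagePath
            Account     = $account
            Suspicious  = ((-not $trusted) -or $inWindowsRoot)
        }
    }
}

# Usage: run against the exercise target right after the Red Team step.
# No 7045 rows at all means the event is not even logged there, which is
# the first question on the "Logging vs Alert" slide; rows that are logged
# but never produced an alert are the next gap to close.
Get-SuspiciousServiceInstall -Since (Get-Date).AddHours(-2) |
    Where-Object Suspicious |
    Format-Table Time, ServiceName, ImagePath, Account -AutoSize
```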
Malicious Attachments
● Everyone employs some sort of malicious attachment protection
○ Google mail for business
○ Office 365
○ Proofpoint
○ FireEye
● Do you test it? Or do you just hope for the best?
Malicious Attachments
https://github.com/carnal0wnage/malicious_file_maker
Malicious Attachments
Purple Team
● Send various types of malicious attachments via multiple sources
● Compare to your chart of assumptions
○ How many emails does it take to block a sender?
○ What types of attachments generate alerts?
○ Does suspicious stuff get moved to spam or deleted; do people open spam emails?
○ If sent to employees, do they report?
○ Did any automated actions take place?
CKC Exercise Outcomes
● Mental exercise of how we Detect/Respond/etc to attacks
● Document defense posture
● Answer the “Do the Blinky Boxes work?” question
The Purple Team component
● Validate the spreadsheet is accurate
● Validate the blinky box is doing “something”
● Identify training and coverage gaps for the org
○ Test plan for the above
Story Time #1
Privilege Escalation
Assume Breach
Meterpreter C2
Exfiltration - FTP
“Red Team” @ $canadian Bank
Story Time #1
● Receive call “Check this IP address”
○ $secretpoliceinvestigation
● IP address seen - Investigators go to meeting + lunch
● 2 hours later, identify data exfil
● Sh*t hits fan
● Log into FTP server to delete data
● Execute processes
Alerts triggered purposely
Story Time #1
Debrief
Red Team / Blue Team
What we saw
What was done
The GAP
Improvements ==
Story Time #1
● Process not as effective as it looks
● Road Blocks in communication
Lessons learned
Story Time #1
● Process bypassed
● Hard to collaborate
● Rotating Shifts
Lessons learned
Story Time #1
● IR equipment == slow
● Infrastructure out of date
Lessons learned
Story Time #1
● Big company hard to change quickly
● Issues clearly acknowledged
● Long term plans
Nothing changed in short term
Story Time #1
● Create defined and clear process for hierarchy
● Training on hacking back - DON’T
● Budget for prioritized upgrade of Lab
● Shift style lunches
Solutions
Story Time #1
● Better equipment
● Better processes
● Better security culture
● Better collaboration
2nd time around
Story Time #1
● Faster detection
● Faster containment
● Faster win
2nd time improvements
The Point
● What you think works, probably doesn’t
● Test it
● Humans will be humans, including your Blue Team
Story Time #2
● IR Manager had identified some gaps plus had new incident responders
○ Mobile Forensics
○ Response to Golden Ticket attack
○ Work thru IR process as a team
● Fully internal -- No external Contractors
● Partnered with senior Blue Team member
● Took things I found pentesting…chained together story for the exercise
● “Create internal havoc” attackers
Overview of a Purple Teaming Exercise
Story Time #2
SMS Phish**
Purple Bucket
So the take away!
Please remember:
Document your defenses and protections
Find a way to build your attacks/validation
Pwn all the things...but in a way that helps your organization