
Introduction to Purple Teaming - Student Guide
Table of Contents

What Are we Doing Here? 4
What’s In It For You 6
Purple Teaming Key Concepts 7
  Threat Informed Defense 8
  A Framework for Emulation Planning 10
  Definitions 12
Purple Teaming: How it Works 13
  Red? Blue? Purple. 13
  Bottom Line Up Front: 14
  10,000 ft View 15
  Keep It Simple 15
  Before You Do Anything 16
  Phase I: Orientation 17
  Phase II: Planning & Preparation 19
  Phase III: Execution 22
  Phase IV: Reporting and Remediation 23
Purple Teaming: How To Start 25
  To start planning, you need four things: 25
  Stakeholders 26
  Exercise Schedule 27
  Align Threat to Mission 28
  Exercise Map
  The Emulation Plan 32
  Planning Considerations 33
Purple Teaming: Making It Stick 34
  Frame a Purple Teaming Program 35
  Get Started 35
  Questions To Ask… 35
Your Next Steps 36


Know yourself and seek self-improvement

-USMC Leadership Principle #1


What Are we Doing Here?
Specifically, how did we get here?
Well, the security community has been in something of a gilded cage of late. Revenues going
up, paychecks looking healthy, negative unemployment, a vibrant community of independent
researchers and innovative companies pushing capability by the day, but still sitting behind the
bars of configuration management cycles, compliance requirements, and our own lack of an
evolving context for the threats we face. We’re still dealing with vulnerabilities from 2016 in
some sectors.

How did it come this far? Our weapons against all of these problems haven’t aged well.

Red Teams are expensive and highly specialized. They should be innovating, not playing gotcha
or spinning their wheels on defenders who won’t or more often can’t follow through with
mitigations. I know, I’ve been there as Red Teamers describe in exquisite detail how they
maneuvered through an environment to the astonished looks of the defenders, only to return 6
months later and execute the same attacks with the same success as the first time. Really?

Blue Teams are overworked and spread too thinly. They should be hunting advanced threats,
not maintaining a continuous stream of slapdash capabilities and correlations they can never
get ahead of. I know, I’ve been there as Blue teams wrestle with other business units to get
fixes and mitigations in place, to grow their detection architecture into critical areas but fail on
account of not making it real to the decision-makers.

This is how we got here: the demands of running baseline security outstripped our ability to
understand and communicate the real threat picture and adapt to it.

Why are we talking about this?

● Because doing red and blue separately isn’t working, at least not at the same pace as
the threat
● Red, absent ties with Blue, achieves only their own objectives and has little opportunity
to advance their capabilities against strongly prepared defenders.
● Blue, without Red to test them, is flying blind. They’re focused on the wrong threats
and swamped by what should be matters of cyber hygiene popping up every day.
● Because our defense is reactive to the threat and not proactively informed by it
● Because the adversary is scaling and automating faster than the defender
● Because we need a different and better way to test, harden, and respond to that
evolved threat
● Because we lack the organizational constructs to reliably bridge between operations,
testing, and security
● Because testing isn’t a project, it’s a program. It takes specialists and specialized
capabilities. You won’t get the outcome you desire if you make it someone’s collateral
duty and don’t invest in it.

We can’t afford to stay in our silos of excellence anymore. Attack and Defense are
complementary and our community is wasting talent in extravagant fashion by failing to codify
their relationship in service of a threat-informed defense strategy. Look at it this way: In the
Marine Corps, we don’t have Defense Marines and Attack Marines, we have Marines who know
how to do both but specialize in one or more aspects of either. Everyone is in the fight because
they know how to fight and they understand the enemy they face.

Here’s what we’ll do about it today

● This course will introduce concepts and methodology, not advanced emulation
techniques
● We will focus on the role of the Manager-Planner in order to stimulate the growth of
homebrew Purple Teaming in support of Threat-Informed Defense throughout the
community
● We will show that codified and trusting relationships, rather than new reporting chains
between organizations, drive agility and growth
● We will begin to teach you the soft skills to make the case for purple teaming and the
harder planning skills to demonstrate value in a small exercise.
● ...and we will provide a framework for making threats to business the driver of your
security program, because security is about BUSINESS OUTCOMES.

What’s In It For You


A new skill in a rapidly expanding field of security
The need for expertise in both attack and defense is growing, and organizations of all
sizes are searching for ways to keep pace with the evolution of the threat. In this
course we are going to introduce you to the concept of Purple Teaming.

Certification
AttackIQ wants you to be able to show off new skills on your resume or LinkedIn
profile, so we’ve partnered with Acclaim to offer certification badges.

CPE Credits
We’ve partnered with ISC(2) to offer CPE Credits for this course. You will get a PDF
Certificate after passing the Assessment at the end of the course. If you provide us
with your ISC(2) member number in your profile, we can automatically register the
CPE Hours for you.

Purple Teaming Key Concepts

Threat Informed Defense

Before we discuss Purple Teaming in depth, let’s introduce the concept of Threat
Informed Defense. These terms will be used interchangeably throughout the course.

When MITRE first began their ATT&CK project, they had no idea how popular it
would become in the security community. The project has become so important to
information security professionals that they identified a need for a non-commercial,
non-profit focal point that would sustain and accelerate the evolution of publicly
available resources critical to cyber defense.

The Center for Threat Informed Defense engages in collaborative research and
development projects with its members to advance the state of art and practice of
threat-informed defense. Its members are recruited from global critical
infrastructure companies, sophisticated and innovative security companies, leading
technology companies, and cybersecurity-related non-profits.

Research areas of the CTID include:

● Advance global understanding of adversary tradecraft, e.g. expand ATT&CK
into new technology domains like cloud
● Measure evolving adversary behavior, e.g. establish a “most wanted” list of
adversary techniques
● Enable continuous assessment of our defenses, e.g. develop, share and
automate adversary emulation playbooks
● Continuously identify, catalyze development of and/or research new ways to
thwart ATT&CK techniques across Protect, Detect & Respond

All R&D outputs will be made globally available to maximize impact.

In practice, a threat informed defense is a proactive approach to cyber security that
utilizes three elements to provide an evolving feedback loop to your security team.
Those elements are:

● Cyber threat intelligence analysis
● Defensive engagement of the threat
● Focused sharing and collaboration

Being Threat-Informed
A sound defensive strategy is threat-informed by nature. It first considers the mission
of the defender, their ability to accomplish it, and the capabilities which enable it.

It assumes opposition to or an interest in interfering with the mission. It understands
both that interest and the ability of the interested party to be able to do something
about it.

Finally, it is deeply concerned with the terrain on which the question will be
contested.

A sound defensive strategy considers:

✔ Your Mission
✔ Your ability to accomplish the mission and the capabilities which underpin it
✔ The adversary’s interest in stopping you
✔ The adversary’s ability to do so
✔ The terrain on which the question will be contested

Acting Threat-Informed
A threat-informed defensive strategy makes the adversary’s job harder and should
actually frustrate the living hell out of them. This is because:

● The defender controls the shape of the terrain! It may not be so simple in
practice, but cyberspace is unique in the respect that the terrain is mutable.
Though business requirements may narrow the options, the defender, not the
attacker, has the advantage of terrain in every engagement (if they choose to
take an interest in it). Threat-informed strategies maximize this because they
understand what the attacker is likely to try, and where.
● It denies the adversary easy wins by systematically identifying and mitigating
vulnerabilities to known and documented threats. Adversaries are just as lazy
as anyone else and they won’t drop their latest Cyber WMD on someone
unless they really have to. They’d prefer to snag someone’s Proof-Of-Concept
code and repurpose it to their needs. Being Threat-Informed makes this
much more of a frustrating endeavor.
● It requires the adversary to act in one of 3 different ways. Regardless, the
threat-informed defender is not only seizing the initiative from the adversary,
but also throwing some risk in their direction:
○ Be so circumspect that defenders have time to pick out patterns
○ Go in loud and hope to get out with the loot
○ Burn the aforementioned Cyber WMD

A Threat-Informed Defensive Strategy is one that makes the bad guys’ job harder
because it:

✔ Maximizes the advantages of controlling the shape of the terrain
✔ Denies the adversary easy wins with a solid security posture and good cyber
hygiene being default characteristics
✔ Requires the adversary to be circumspect and expend high-value capabilities
to achieve their goals

A Framework for Emulation Planning

13 Tactics: The “why” of attacker behavior

The MITRE ATT&CK Framework: twelve by anywhere from 9 to 69 in dimensions, at
present.

The x axis is made up of tactics (the “Why?” of any attacker’s actions), the action
they’re trying to accomplish by utilizing one of the many Techniques listed below it.

As of this writing, there are 330 individual techniques registered on the matrix.

MITRE maintains detailed descriptions of each, and a listing of which known threat
actors have used them, along with references to available toolsets which implement
them.

This framework describes cyber attacks as logical steps (tactics), whose individual
components (techniques) map easily to security controls.
Definitions
Emulation
Replicating the effects of a given technique by executing the actual process which
produces them.
Simulation
Replicating only the effects of a given technique.
Blue Team
The organization responsible for defending a larger organization’s
assets/business/operations in cyberspace.
Red Team
An organization which tests cyber defenses by emulating adversary attacks against
them.
Purple Teaming
An organizational concept which seeks to maximize defensive capabilities by
coordinating and coupling the activities of red and blue teams.
Security Pipeline
The full set of technologies and processes which define an organization’s defenses
from endpoint to border, inclusive of off-site, cloud, and other distributed assets.
Security Control
A policy, procedure, technology, or combination thereof which comprises protection
against a corresponding threat or set of threats.
Gate
A time on the clock by which the blue team should have detected a red team action
before being provided with hints or debriefing.
Trusted Agent
A senior or supervisory staff member who knows the exact details and timing of all
Red Team emulations and acts to deconflict real-world and exercise events along
with guiding exercise flow.
Hot Wash
An informal and candid discussion of an organization’s performance following
execution of an exercise, training session, or other major event, conducted
immediately upon the event’s completion.
Purple Teaming: How it Works

Red? Blue? Purple.


Blue Teams are specifically charged with defending an organization against cyber
threats. They are well-read in the business processes and outcomes they defend and
(should) work closely with IT Operations to ensure they enact the correct controls in
alignment with mission needs. They should have commensurate familiarity with the
architecture they defend as a matter of necessity. Blue Teams are specialists in
detecting, investigating, and resolving anomalous behavior and out-of-the-ordinary
events in an IT infrastructure. They execute their mission through a variety of
disciplines and continuously work to harden their posture.

Red Teams emulate cyber threats in a carefully targeted fashion to test an
organization’s defenses against truly malicious actors, but without all the
inconvenient data theft, loss of institutional credibility, and/or catastrophic business
disruption. By nature, they are deeply threat-informed, and pair that knowledge with
a “Red” mindset—one that’s inherently devious, tricky, and subversive, always
thinking laterally and trying to figure out how to break things. Red Teams are Threat
Emulation Specialists, able to adapt threat intelligence reports and/or sample code
into safe, workable emulations which realistically test defenders and defenses.

Purple Teaming couples and coordinates red and blue to maximize the capabilities
and impact of both. It aligns the blue team’s mission focus with relevant threats,
allowing them to base defensive architectures on Business Critical needs. It applies
“Red” thinking to carefully balanced and curated enterprises to show (not tell)
stakeholders how their most critical capabilities can be compromised and give clear
guidance on defending them. Fundamentally, Purple Teaming offers operators and
analysts the means to align detection to threat in a structured way.

Bottom Line Up Front:

Purple Teaming is the most straightforward practical expression of threat-informed
defense.

Workflow:

1) Red Team executes iterative attacks against friendly cyberspace, tuned to
replicate adversary capabilities and prevent irrecoverable disruption
   ● Stopped attacks generate reports of detection and mitigation details back to
   the Red Team
   ● Successful attacks generate reports of attack method and exposure details
   back to the Blue Team.
2) Red and Blue Teams jointly debrief all actions in coordination with IT Ops;
mitigations emplaced, attack techniques refined, attack surface reduced
3) Continuous testing and improvement refines detection capabilities and
enables ever-more difficult scenario execution, which refines detection
capabilities…

Threat Intelligence decided the attacks/emulations used.
Defensive engagement was happening the whole time, and was the whole point.
Sharing and Collaboration are built-in.

This isn’t just another team to build, but a capability to generate. Purple Teaming is
an organizational concept by which red and blue functions occur simultaneously,
continuously, tightly coupled, and with full knowledge of each other’s capabilities,
limitations, and intent at any given time. Given reliable access to red capabilities, this
methodology allows security teams to iteratively increase program maturity as a
product of continuously clearing low-effort attacks from the board and closing the
ever-smaller gaps in their coverage.

You don’t create a purple team (noun), you purple team (verb). Purple Teaming is the
optimization of the relationship between adversary emulation and defense teams
and capabilities. Its significance is conceptual in that we’re combining the colors
blue and red into something whole and consistent, and practical in that there are
new disciplines, tools, and procedures to consider. The concept is simple, but there’s
no free lunch when it comes to gaining the full benefits.

10,000 ft View

Look at all these lines of words. They’re important, and we’re going to talk about
most of them, but let’s break it down first.

The Exercise Plan documents are important, too, and extremely helpful. They’re also
outside the scope of this course with a few exceptions we’ll mention and provide
templates for.
Keep It Simple
As we go deep into the details, keep in mind that purple teaming is simple in
concept. You only need to answer a few basic questions and have the wherewithal
to see their answers turned to actions.

Purple Teaming in 4 Questions:

Who wants to hack me?
How might they do it?
Are my controls set up to stop it?
How can I emulate it and test them?

Before You Do Anything

Get management in your corner. How?

Tell them that Purple Teaming can:

Optimize Security Program ROI
Optimize Security Program ROI by aligning controls to relevant threats and making
good mitigations into measurable, dashboard-able effects

Enhance Enterprise Defensibility
Enhance enterprise defensibility by allowing Security teams to spend more time
hunting, less time waiting, and allowing Monitoring to continuously focus more where
needed

Solve Systemic Issues
Solve systemic issues through programmatic implementation, creating more and
more gainful opportunities for collaboration across business units and IT/Security
and driving cross-functional growth
Phase I: Orientation

Understand your Org’s Mission

Develop your understanding of your organization’s mission. What does it do? How
does it create value? What are its success conditions? Who are its competitors?
What is its vertical? Market Impact? Geographic placement? Geopolitical
considerations for all of the above (as applicable)? What we’re doing here is thinking
like an attacker would, and essentially Targeting your organization. There’s
something about Sun Tzu in here, I just know it.

Understand Your Environment

Ask yourself: From a technical perspective, what are we testing against? What will
make this strange? What are the idiosyncrasies of your org’s service, data, transport,
and security architectures? Use this time in the schedule to ensure you have the
most recent and accurate documentation possible on all testable facets of your
enterprise.

Know the threats to the mission

Terrain Analysis

Turn the screws on your IT architecture review to more fully understand how it
supports your organizational mission. Why was it built the way it is? Prioritize assets
based on business outcome and recurse into the business process <- capability <-
asset <- infrastructure chains that support them; this enables threat picture
development and actor assessments by helping you understand probable attack
paths and targets. IT Ops should be able to help here, if not hand you something that
answers most of it.

Threat Selection

From your understanding of the mission, architecture, and the interaction between
them, turn the table around and ask “how would I attack this?” and “who would
attack this?” This answer should be informed by the self-targeting you did 2 steps
back. Consider APTs, consider commodity malware, and consider the tools various
actors are known to use and their capabilities. There will be A LOT. Based on your
prioritization of business critical assets and/or controls, narrow it down to no more
than 2 actors mixed in phasing and tempo to train both Ops and Intelligence
functions.

Know Your Controls

Ask yourself: “What is happening where security intersects with infrastructure at
critical points in the architecture? Do my controls work against baseline threats (i.e.
the dirty dozen)? What is the full list of controls and capabilities operating in the
enterprise? Are they enabled?” The output of this step will later combine with that
from threat selection to produce your emulation plan.
Phase II: Planning & Preparation

Scope The Exercise

Establish Goals

Begin planning in earnest by deciding what you want to achieve: Baseline (or better
yet, up-gun) your tools, procedures, and team? Validate controls in the wake of a
major reorg or infrastructure update? Test new capabilities?

Establish Emulation Control Measures

Control measures fence off areas, assets, identities, and people whose criticality or
sensitivity is such that the risk incurred by testing them directly is unacceptable to
management. Risk is management business and it’s the job of the infosec and IT
ops teams to present them with the data needed to make informed risk decisions.
Speak plainly with the best available analysis and avoid overstating risk; just qualify it
and, where possible, quantify it. Control measures can be as simple as lists of
subnets, hosts, services, identities, or people.

Determine Controls Under Evaluation

Based on the time and resources available, you may need to limit the number of
controls being tested. Remember that every control, regardless of test outcome,
needs validation at some point.
Set Timing, Sequencing, and Flow Control
Timing And Schedule:

Planning factors*: 3-4 Weeks for prep, 1 week for execution. Plan for 4 days’ worth of
work per shift. Plan for 1 more day of execution than you think you’ll need to
complete all of your emulations in order to support remedial emulation of missed,
skipped, or otherwise important emulations.

Shift, Daily, and Final reporting should be specified. (Assuming Approved budget
and personnel)

Establish the Battle Rhythm

This is where you make money. Don’t skip this part. Note: the critical element of
purple teaming is in continuous interaction between red and blue, regardless of
whether or not red is automated. Exercise Control should be leading debriefs of
effects, detects, and protects at least twice daily with all Do-ers in the room.

Effect (test)-based time constraints and debriefs

Set time gates for the blue team to detect and action each effect. If they blow a gate,
advise the red team to move to the next OR provide “threat intel” to point blue in the
right direction. It’s EXCON’s responsibility to understand the relative value of each
scenario and keep the exercise moving. Both a blown gate and immediate alert
have training value and need a debrief.

Empower Trusted Agents

ID and in-brief trusted agents

Senior stakeholders and leadership of red and blue should have full knowledge of
the exercise scenario, specifically red actions and their timing. NDA them as needed,
but be more certain to impress the importance of limiting what the Do-ers know as
a matter of training value. From the perspective of safety, TAs will know that
something is happening and will deconflict confusion on the analyst floors when
reality pokes its nose in.

Establish Deconfliction Procedures

The exercise controller should have quick access and a close relationship with IT Ops
leaders, and at least 2 IT Ops techs (one per shift) should be TAs in order to effect quick
deconfliction of emulation effects which may impact production. Be sure that
everyone who has cease-fire authority can contact the red team on a moment’s
notice and that the red team knows who they are.

Create the Emulation Plan

Align Emulations to Controls

Every emulated adversary technique should align to a control or set of controls to
test—this is the core of the emulation plan. There will be A LOT to choose from, so
narrow it down to about 4 days of work for each shift involved in the exercise. As you
think about what those detections are and how they will look, consider the Sigma
project as a reference point for designing rules: https://github.com/Neo23x0/sigma

Define Success Criteria

Determine your standard of success. This is generally detection, prevention, or both.

Prepare a Hint Bank

There’s going to be more than one time when the blue team is stumped—this is ok
and actually good. A blown gate is worth more in training value than an immediate
detection, just be ready to keep the action moving with specifically crafted “threat
intel” notes and packages that can put them back on the right track or help slide the
last piece into place.
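The gates, the control alignment and the success criterion described in this phase can be kept in a small tracker rather than a spreadsheet. The Python below is an added example written for this guide, not tooling from the course or from AttackIQ: each plan entry pairs an ATT&CK technique with the control under evaluation, a success criterion (detect, prevent, or both) and a gate in minutes; each executed effect is then scored as detected inside the gate, a blown gate, or missed, and the controls that failed are listed for the hot wash. The plan entries, timestamps and control names are constructed sample data; the technique IDs are real ATT&CK identifiers, but their pairing with tactics and controls is illustrative only.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class PlanEntry:
    """One line of the emulation plan: a technique aligned to the control it tests."""
    technique_id: str   # ATT&CK technique ID to emulate
    tactic: str         # the "why" column of the matrix
    control: str        # control under evaluation (constructed names below)
    criterion: str      # success criterion: "detect", "prevent" or "both"
    gate_minutes: int   # time Blue has to detect before EXCON releases a hint


@dataclass(frozen=True)
class Effect:
    """What actually happened when Red executed the emulation."""
    technique_id: str
    executed_at: datetime
    prevented: bool                          # a protective control blocked the effect
    detected_at: Optional[datetime] = None   # first Blue detection, None if missed


def detection_status(entry: PlanEntry, effect: Effect) -> str:
    """Classify Blue's detection as 'detected' (inside the gate), 'blown_gate' or 'missed'."""
    if effect.detected_at is None:
        return "missed"
    deadline = effect.executed_at + timedelta(minutes=entry.gate_minutes)
    return "detected" if effect.detected_at <= deadline else "blown_gate"


def passed(entry: PlanEntry, effect: Effect) -> bool:
    """Apply the entry's success criterion to the observed outcome."""
    detected_in_time = detection_status(entry, effect) == "detected"
    if entry.criterion == "detect":
        return detected_in_time
    if entry.criterion == "prevent":
        return effect.prevented
    if entry.criterion == "both":
        return effect.prevented and detected_in_time
    raise ValueError(f"unknown success criterion {entry.criterion!r}")


def assess_exercise(plan, effects):
    """Return one result row per executed effect, joined to its plan entry."""
    by_id = {entry.technique_id: entry for entry in plan}
    rows = []
    for effect in effects:
        entry = by_id.get(effect.technique_id)
        if entry is None:
            # An emulation with no plan entry falls outside the control measures; flag it.
            raise KeyError(f"no plan entry for {effect.technique_id}; unplanned emulation")
        rows.append({
            "technique": effect.technique_id,
            "tactic": entry.tactic,
            "control": entry.control,
            "criterion": entry.criterion,
            "prevented": effect.prevented,
            "detection": detection_status(entry, effect),
            "passed": passed(entry, effect),
        })
    return rows


def control_gaps(rows):
    """Controls with at least one failed effect: input for the hot wash and mitigation plan."""
    return sorted({row["control"] for row in rows if not row["passed"]})


# Constructed sample exercise: real ATT&CK technique IDs, but the tactic/control
# pairing, gates and timings are illustrative only.
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE_PLAN = [
    PlanEntry("T1566", "Initial Access", "mail gateway filtering", "prevent", 30),
    PlanEntry("T1059", "Execution", "endpoint script-control policy", "both", 20),
    PlanEntry("T1003", "Credential Access", "credential dumping alert rule", "detect", 15),
    PlanEntry("T1021", "Lateral Movement", "authentication anomaly rule", "detect", 30),
]
SAMPLE_EFFECTS = [
    Effect("T1566", T0, prevented=True),
    Effect("T1059", T0 + timedelta(minutes=40), prevented=False,
           detected_at=T0 + timedelta(minutes=50)),
    Effect("T1003", T0 + timedelta(hours=2), prevented=False,
           detected_at=T0 + timedelta(hours=2, minutes=45)),
    Effect("T1021", T0 + timedelta(hours=4), prevented=False),
]

if __name__ == "__main__":
    results = assess_exercise(SAMPLE_PLAN, SAMPLE_EFFECTS)
    for row in results:
        print(f"{row['technique']:<6} {row['tactic']:<18} {row['detection']:<11} "
              f"{'PASS' if row['passed'] else 'FAIL'}  ({row['control']})")
    print("control gaps:", ", ".join(control_gaps(results)))
```

Note that a blown gate and a miss both count as failures against a "detect" criterion, but the tracker keeps them apart, because the debrief for "Blue got there late" differs from the debrief for "nothing fired at all"; an effect with no plan entry is rejected rather than silently scored, since unplanned emulations are exactly what the control measures exist to prevent.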
Phase III: Execution

Execute the Emulation Plan

…and make sure it counts. You’ll have found a way to get your emulations executed
professionally; ensuring the debriefs happen is paramount.

Manage the Ebb and Flow

This is the iterative and on-call portion of the exercise. You’ll quickly see where SOC
teams and red teams alike find their friction points and the art to this Purple stuff is
in nudging the schedule and emulation timing to take advantage of it. EXCON
should be everywhere at once, assessing processes, information flows, and general
competency on both sides.

Exercise Judgement
Safety, Exercise Flow, and PRODUCTION are all subject to a degree of risk when
emulating badness. EXCON should be an experienced practitioner-leader who
knows Red, Blue, and Intel as fluently as IT architecture (very).

…and remember, No Discomfort, No Expansion


Phase IV: Reporting and Remediation

Debrief in Detail and Report

Hot Wash and Deliver the Initial Outbrief

Every day gets a rundown of catches and misses with both red and blue in the room.
Address the how and why of each, be candid, call out individual successes and
failures constructively. Right after the last hot wash should be the initial Outbrief
with your stakeholders—no more than an hour between them. This is a fresh and
rough report that assures everyone you’ve delivered value from their investment.
Deliver a final Outbrief NO LATER THAN 1 week after completing the exercise…I’ve
seen reports languish in approval-chain-purgatory for months and then nobody’s
happy when nothing comes of it because the organization has moved on.

Produce Audience-Appropriate Reports

Every stakeholder has both a boss and a job to handle; produce reports accordingly.
Some technical reports will require extra time and analysis to make useful with
compensating controls and mitigation plans. Some EXSUMs will need savvy VPs to
weigh in and executize© things into the language of risk as opposed to
vulnerabilities in libc. Talk to people about the things they care about.
Mitigate and Revalidate Control Gaps
Assess and Enact Mitigations

Ask yourself and your team: Wherever the pipeline failed, how do we fix it and what
are the best compensating controls to stand between now and that fix? Where do
controls so repeatedly overlap as to lose value in maintaining both rather than
dropping one and compensating somewhere else? Security Architecture analysis
comes back into play as red and blue refine both failed processes and tech. The Risk
Mitigation Plan mentioned earlier is a framework for describing and prioritizing
exercise outputs in terms of risks identified and controls in need of improvement.

Revalidate Updated Controls

Start up whatever Red capability you used to execute the emulation plan and throw
it at your fresh mitigations to see how they took.

Plan for future iterations

Identify Persistent Gaps

There will still be holes, but they shouldn’t be so big or numerous as before, and
you’ve stepped up your team’s capabilities to the point that the ones you filled are
matters of policy and procedure to cover rather than intense effort. The ones left
over are the subject of compensating controls, longer-term investments, and the
starting point for the next round.

Level Up The Next Exercise

A successful Purple Teaming exercise so plainly demonstrates value that every
stakeholder is going to want more. This is a process that finds maximum ROI when
executed in a spiral of increasing scenario complexity. Any Blue team becomes
purple with the proper measure of Red capabilities mixed in.
Purple Teaming: How To Start

To start planning, you need four things:

Stakeholder support
Put your goals on paper and describe the benefits of an exercise to the right
people—this will have to go high enough for someone to make a risk decision on
running emulations in your environment. There’s value for everyone in the chain, be
sure to make it known.

A plan and some way to document execution

It could be as simple as a few .doc and .xls files (I’ve seen people run fantastic
operations that way), or it could be as complex as your own vectr.io instance (check it
out, a great tool for planning and documenting Purple Team Exercises)

Some kind of Blue Team

Whatever your organization calls it, you need dedicated defenders to work their part
of the exercise, and enough of them to dedicate at least a few entirely to the exercise
while the others hold the line in reality-land.

Some kind of Red Capability

Note that I didn’t say “team.” Engaging a Red Team is a good way to go but isn’t
absolutely necessary—you’ve got options. There is open source and commercial
tech out there that can do your emulations with relative safety and control (covered
in exquisite detail in our BAS101 course), but you’ll need someone at the helm with
experience in Red tactics regardless of your choice of manual or automated.
Stakeholders
This is a reasonably complete list of everyone you’d want involved and signed on in
an ideal situation. Leadership at the strategic, operational, and tactical levels in
addition to the operators on the floor. There’s something new in here, the Director of
Threat-Informed Defense. This is a new role we’ve noted as critical in that it
combines deep knowledge and experience in Red, Blue, and Intelligence functions,
which are necessarily centered in the person responsible for marshaling the various
specialties involved in threat-informed defense, but also who can confidently
adjudicate exercise events and call audibles to ensure safety and maximum ROI. We
recommend identifying and empowering such a leader in your own organization.

Title                    Exercise Role    Responsibility
CISO/Head of InfoSec**   Sponsor          Approve exercise, goals, and budget
SOC Director**           Sponsor/Do-er    Define objectives, select TTPs
EXCON**                  Oversight        Coordinate execution and lessons learned
IR Lead**                Sponsor/Do-er    Define objectives, select TTPs
Red Team Lead**          Sponsor          Define objectives, select TTPs
Threat Intel Lead**      Sponsor          Define objectives, recommend TTPs
SOC Analysts             Do-ers
IR Analysts              Do-ers
Threat Hunters           Do-ers           Win the War.
Red Teamers              Do-ers
Threat Intel Analyst     Do-er
Plan To Plan

Create and use a planning tracker to ensure you’ve hit the major milestones and
completed the analysis and coordination needed to execute and show value.

Exercise Schedule
Give yourself at least a month to make an exercise happen, from the start of
planning to Outbrief delivery.

2-4 weeks for planning is generally enough time to:

1) Properly engage stakeholders and gain approval
2) Conduct terrain and threat analysis
3) Generate a solid emulation plan
4) Define exercise administration and sequencing for final approval

1 week is enough time to run a good exercise, but you can go as long as you like if
you have the manpower and cycles to support it. Plan the last day for remedial
emulations that were missed, incompletely addressed, or which present special
training value. Be ready to deliver an immediate Outbrief to your stakeholders after
the final hot wash. Confirm to them that you’re delivering on their investment of
time and money and preview the detailed findings that will come out in a week’s
time. The final Outbrief should happen no less than a week after exercise
completion, but fully detailed reports on mitigation plans and continuous defense
plans can take as long as needed to make them properly actionable.

Model the Threat

If you do nothing else, do this. What you see here is a summarized version of
orienting to the target (you) and threat selection. Once you’ve answered the
questions:

What does this organization do?
How does it do it?
Who might want to disrupt it?
Who might profit from our data/IP?

Run your results through the google machine and you’ll be surprised what comes
up. Simply using your vertical as a search term can yield good information.

“[your vertical] cyber threats”


“Apt targeting [your vertical]”
“Cyber attack trends [your vertical]”

I recommend starting with the MITRE ATT&CK website: https://attack.mitre.org/

Click on “Groups” at the top of the page and read up on each to understand their
targeting tendencies. More importantly, you get a list of all the techniques and tools
they are known to use or have used!

FireEye maintains an excellent collection of free information on all known APTs as
well.

Once you know what your threat looks like, jump into the ATT&CK Navigator and
pick out techniques to emulate! https://mitre-attack.github.io/attack-navigator/enterprise/

Quick and Dirty, but Effective

This is a very basic example of a threat modeling template. I’ll walk you through
filling in techniques for an advanced threat… let’s give it a spin [switch to browser]

1) Ask yourself some questions (i.e. the ones from the last slide) and write down your
answers
2) Go to the oracle and ask; write down some names
3) Go to attack.mitre.org and locate the groups or tools you found
interesting/concerning
4) Click ATT&CK Navigator Layers on the right, then “view” in the dropdown
5) Start filling in the worksheet with what you find

This is basic and not a replacement for hard research and analysis, but it’s a
place to start the process and gives you good techniques to line up in your
emulation plan.

Exercise Map
I’ve found that a quick map of the exercise as a simplified representation of the
emulation plan is handy not only for conceptualizing the thing in my head, but it
briefs well and you can scope it for the stakeholder audience you’re engaging with.

The Emulation Plan

This is an emulation plan, or it will be one when you fill it in (we’re including this
along with some other templates for your use in the LMS). There are entries for 2
techniques within each tactic; this provides for planned Primary and Alternate
techniques in case the first one is either too easy or too hard to catch, or fails
outright. It’s a very handy reference for all of the Trusted Agents and stakeholders to
have on hand. I know I spoke about a bunch of kumbaya and everyone knowing
everything, but your operators will lose training value if they know what’s coming
and when every time. Maybe don’t let them get ahold of this, but instead have
trusted agents on hand to guide them.

Fill this out, and you’re ready to rock and roll.

You can use this format to execute basic Purple Team Ops
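As an added example (not part of the guide or its LMS templates), the script below turns an ATT&CK Navigator layer export, the output of the "Quick and Dirty" steps above, into the Primary/Alternate-per-tactic worksheet the emulation plan template calls for, and flags tactics where research has not yet produced two candidates. The layer field names (`techniques`, `techniqueID`, `tactic`, `score`, `enabled`) and the kebab-case tactic names are my reading of the Navigator layer format and should be checked against your own export; the layer itself is constructed.

```python
import json
from collections import defaultdict

# Enterprise ATT&CK tactics in kill-chain order, spelled the way Navigator layers
# spell the "tactic" field (assumed naming; check it against your own export).
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed sample: a trimmed Navigator layer export with only the fields read
# below. "score" is the analyst's relevance ranking from the threat research step.
LAYER_JSON = """{"name": "Constructed threat profile", "domain": "enterprise-attack",
 "techniques": [
  {"techniqueID": "T1566.001", "tactic": "initial-access", "score": 3},
  {"techniqueID": "T1566.002", "tactic": "initial-access", "score": 2},
  {"techniqueID": "T1190", "tactic": "initial-access", "score": 1},
  {"techniqueID": "T1059.001", "tactic": "execution", "score": 3},
  {"techniqueID": "T1059.003", "tactic": "execution", "score": 2},
  {"techniqueID": "T1547.001", "tactic": "persistence", "score": 1},
  {"techniqueID": "T1021.001", "tactic": "lateral-movement", "score": 2, "enabled": false}
 ]}"""

def load_layer(text):
    """Group enabled, scored techniques by tactic, highest score first."""
    by_tactic = defaultdict(list)
    for t in json.loads(text)["techniques"]:
        if t.get("enabled", True) and t.get("score", 0) > 0:
            by_tactic[t["tactic"]].append(t)
    for techs in by_tactic.values():
        techs.sort(key=lambda t: t["score"], reverse=True)
    return by_tactic

def build_emulation_plan(by_tactic):
    """Fill the template's Primary and Alternate slot for each tactic; a tactic
    with fewer than two candidates is flagged so research resumes there."""
    plan = {}
    for tactic in TACTIC_ORDER:
        ids = [t["techniqueID"] for t in by_tactic.get(tactic, [])]
        plan[tactic] = {"primary": ids[0] if ids else None,
                        "alternate": ids[1] if len(ids) > 1 else None,
                        "needs_research": len(ids) < 2}
    return plan

if __name__ == "__main__":
    # Print the worksheet in briefing order; swap LAYER_JSON for your real export.
    print(json.dumps(build_emulation_plan(load_layer(LAYER_JSON)), indent=1))
```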

Planning Considerations
Most teams don’t automate, and there are a variety of reasons why.

Consider automation: Purple Team engagements specifically, and Threat-Informed
Defense in general, lend themselves to automation because the alternative is a
too-small sample size and restricted test scopes.

Red Teams remain threat experts who can plan and shape emulation plans,
incorporate focused threat intelligence, and validate findings better than just about
anyone.

Purple Teaming: Making It Stick

Frame a Purple Teaming Program
Start by framing a purple teaming/threat-informed defense program through the
amount of time you think you should spend on it on a regular basis.

One-Shot/On-Call/In Policy
● In response to a relevant threat intelligence package
● As part of major infrastructure or application updates

Periodic
● As part of regular Security governance cycles

Continuous
● Enables spiral growth of defenses

Get Started

Start, and start small.

Execute in small, tight OODA loops; be agile/safe/ready to fail

Begin your investment in the testing automation continuum

Find/Name an expert to own the exercise, testing, and threats

• Director of Threat-Informed Defense
• AIQ will be teaching courses on what this means

Be sure to grab the templates on the LMS

Questions To Ask…
Start some conversations within your organization; gauge interest, wants, needs, and
workloads as you map the political playing field you may need to navigate.

Your Next Steps


Assessment Test
Your next immediate step is to take the assessment for this course.

● The assessment can be found in your student portal.
● You must get at least an 80% to pass this course and will be able to attempt
the test twice.
● If you do not pass the first time, you will have to wait 24 hours before taking
the assessment again. If you need assistance with the assessment outside of
this instructor-led training, please email academy@attackiq.com

Digital Credentials
After you pass the assessment, you will receive your digital credentials through the
Credly Acclaim platform.

Digital credentials are the badges you may have seen people sharing on LinkedIn.

Digital credentials go beyond paper certificates. They are portable, verifiable, and
uniquely linked to you. They also ensure that your hard-earned achievements are
owned by you, not us: you can access and use your digital credential whenever and
however you see fit, including adding it to a blockchain. Digital credentials make you
and your achievements more visible to employers and your professional network.

Share Your Achievements with Your Network
Your skills, competencies, and certifications are worth more than a static bullet point
on a resume or a paper certificate hanging on the wall in your office. When
represented as a digital credential, you can share your achievements with your
network in one click from Credly’s Acclaim platform. Peers and employers can verify
and learn more about what it is you can do thanks to earning a digital credential
from AttackIQ. And research shows that professionals who share their digital
credentials on professional networking sites are discovered by employers, on
average, six times more often than those who do not.

Share Your Knowledge With Your Network


If you enjoyed this course, please tell your colleagues about the AttackIQ Academy
and share with them the things we’ve discussed today.

Share Your Opinions


You will be receiving a survey about this course in your email. The survey is optional
and doesn’t affect your course results.

Get After it
Grab the templates off the student portal and see what you can do!
