Professional Documents
Culture Documents
Introduction To Purple Teaming - Student Guide
Introduction To Purple Teaming - Student Guide
Student Guide
Table of Contents
What Are we Doing Here? 4
How did it come this far? Our weapons against all of these problems haven’t aged well.
Red Teams are expensive and highly specialized. They should be innovating, not playing gotcha
or spinning their wheels on defenders who won’t or more often can’t follow through with
mitigations. I know, I’ve been there as Red Teamers describe in exquisite detail how they
maneuvered through an environment to the astonished looks of the defenders, only to return 6
months later and execute the same attacks with the same success as the first time. Re ally?
Blue Teams are overworked and spread too thinly. They should be hunting advanced threats,
not maintaining a continuous stream of slapdash capabilities and correlations they can never
get ahead of. I know, I’ve been there as Blue teams wrestle with other business units to get
fixes and mitigations in place, to grow their detection architecture into critical areas but fail on
account of not making it real to the decision-makers.
This is how we got here: the demands of running baseline security outstripped our ability to
understand and communicate the real threat picture and adapt to it.
We can’t afford to stay in our silos of excellence anymore. Attack and Defense are
complementary and our community is wasting talent in extravagant fashion by failing to codify
their relationship in service of a threat-informed defense strategy. Look at it this way: In the
Marine Corps, we don’t have Defense Marines and Attack Marines, we have Marines who know
how to do both but specialize in one or more aspects of either. Everyone is in the fight because
they know how to fight and they understand the enemy they face.
Certification
AttackIQ wants you to be able to show off new skills on your resume or LinkedIn
profile, so we’ve partnered with Acclaim to offer certification badges.
CPE Credits
We’ve partnered with ISC(2) to offer CPE Credits for this course. You will get a PDF
Certificate after passing the Assessment at the end of the course. If you provide us
with your ISC(2) member number in your profile, we can automatically register the
CPE Hours for you.
Before we discuss Purple Teaming in depth, let’s introduce the concept of Threat
Informed Defense. These terms will be used interchangeably throughout the course.
When MITRE first began their ATT&CK project, they had no idea how popular it
would become in the security community. The project has become so important to
information security professionals, that they identified a need for a non -commercial,
non-profit focal point that would sustain and accelerate the evolution of publicly
available resources critical to cyber defense.
The Center for Threat Informed Defense engages in collaborative research and
development projects with its members to advance the state of art and practice of
threat-informed defense. This group of members are recruited from global critical
infrastructure companies, sophisticated and innovative securities, leading
technology companies, and cybersecurity-related non-profits.
Being Threat-Informed
A sound defensive strategy is threat-informed by nature. It first considers the mission
of the defender, their ability to accomplish it, and the capabilities which enable it.
Finally, it is deeply concerned with the terrain on which the question will be
contested.
✔ Your Mission
✔ Your ability to accomplish the mission and the capabilities which underpin it
✔ The adversary’s interest in stopping you
✔ The adversary’s ability to do so
✔ The terrain on which the question will be contested
Acting Threat-Informed
A threat-informed defensive strategy makes the adversary’s job harder and should
actually frustrate the living hell out of them. This is because:
● The defender controls the shape of the terrain! It may not be so simple in
practice, but cyberspace is unique in the respect that the terrain is mutable.
Though business requirements may narrow the options, the defender, not the
attacker, has the advantage of terrain in every engagement (if they choose to
take an interest in it). Threat-informed strategies maximize this because they
understand what the attacker is likely to try, and where.
● It denies the adversary easy wins by systematically identifying and mitigating
vulnerabilities to known and documented threats. Adversaries are just as lazy
as anyone else and they won’t drop their latest Cyber WMD on someone
unless they really have to. They’d prefer to snag someone’s Proof-Of-Concept
code and repurpose it to their needs. Being Threat-Informed makes this
much more of a frustrating endeavor.
● It requires the adversary to act in one of 3 different ways. Regardless, the
threat-informed defender is not only seizing the initiative from the adversary,
but also throwing some risk in their direction:
○ Be so circumspect that defenders have time to pick out patterns
○ Go in loud and hope to get out with the loot
○ Burn the aforementioned Cyber WMD
A Threat-Informed Defensive Strategy is one that makes the bad guys’ job harder
because it:
The x axis is made up of tactics (the “Why?” Of any attacker’s actions), the action
they’re trying to accomplish by utilizing one of the many Techniques listed below i t.
As of this writing, there are 330 individual techniques registered on the matrix.
MITRE maintains detailed descriptions of each, and a listing of which known threat
actors have used them, along with references to available toolsets which implement
them.
This framework describes cyber attacks as logical steps (tactics), whose individual
components (techniques) map easily to security controls.
Definitions
Emulation
Replicating the effects of a given technique by executing the actual process which
produces them.
Simulation
Replicating only the effects of a given technique.
Blue Team
The organization responsible for defending a larger organization’s
assets/business/operations in cyberspace.
Red Team
An organization which tests cyber defenses by emulating adversary attacks against
them.
Purple Teaming
An organizational concept which seeks to maximize defensive capabilities by
coordinating and coupling the activities of red and blue teams.
Security Pipeline
The full set of technologies and processes which define an organization’s defenses
from endpoint to border, inclusive of off-site, cloud, and other distributed assets.
Security Control
A policy, procedure, technology, or combination thereof which comprises protection
against a corresponding threat or set of threats.
Gate
A time on the clock is defined as when the blue team should have detected a red
team action before being provided with hints or debriefing.
Trusted Agent
A senior or supervisory staff member who knows the exact details and timing of all
Red Team emulations and acts to deconflict real-world and exercise events along
with guiding exercise flow.
Hot Wash
An informal and candid discussion of an organization’s performance following
execution of an exercise, training session, or other major event, conducted
immediately upon the event’s completion.
Purple Teaming: How it Works
Workflow:
This isn’t just another team to build, but a capability to generate. Purple Teaming is
an organizational concept by which red and blue functions occur simult aneously,
continuously, tightly coupled, and with full knowledge of each other’s capabilities,
limitations, and intent at any given time. Given reliable access to red capabilities, this
methodology allows security teams to iteratively increase program maturity as a
product of continuously clearing low-effort attacks from the board and closing the
ever-smaller gaps in their coverage.
You don’t create a purple team(noun), you purple team(verb). Purple Teaming is the
optimization of the relationship between adversary emulation and defense teams
and capabilities. Its significance is conceptual in that we’re combining the colors
blue and red into something whole and consistent, and practical in that there are
new disciplines, tools, and procedures to consider. The concept is simple, but there’s
no free lunch when it comes to gaining the full benefits.
10,000 ft View
Look at all these lines of words. They’re important, and we’re going to talk about
most of them, but let’s break it down first.
The Exercise Plan documents are important, too, and extremely helpful. They’re also
outside the scope of this course with a few exceptions we’ll mention and provide
templates for.
Keep It Simple
As we go deep into the details, keep in mind that purple teaming is simple in
concept. You only need to answer a few basic questions and have the wherewithal
to see their answers turned to actions.
Turn the screws on your IT architecture review to more fully understand how it
supports your organizational mission. Why was it built the way it is? Prioritize assets
based on business outcome and recurse into business process<-capability <-asset<-
infrastructure chains that support them; this enables threat picture development
and actor assessments by helping you understand probable attack paths and
targets. IT Ops should be able to help here, if not hand you something that answers
most of it.
Threat Selection
From your understanding of the mission, architecture, and the interaction between
them, turn the table around and ask “how would I attack this?” and “who would
attack this?” This answer should be informed by the self-targeting you did 2 steps
back. Consider APTs, consider commodity malware, and consider the tools various
actors are known to use and their capabilities. There will be A LOT. Based on your
prioritization of business critical assets and/or controls, narrow it down to no more
than 2 actors mixed in phasing and tempo to train both Ops and Intelligence
functions.
Begin planning in earnest by deciding what you want to achieve: Baseline (or better
yet, up-gun) your tools, procedures, and team? Validate controls in the wake of a
major reorg or infrastructure update? Test new capabilities?
Control measures fence off areas, assets, identities, and people whose criticality or
sensitivity is such that the risk incurred by testing them directly is unacceptable to
management. Risk is management business and it’s the job of the infosec and IT
ops teams to present them with the data needed to make informed risk decisions.
Speak plainly with the best available analysis and avoid overstating risk, just qualify it
and, where possible, quantify it. Control measures can be as simple as lists of
subnets, hosts, services, identities, or people
Based on the time and resources available, you may need to limit the number of
controls being tested. Remember that every control, regardless of test outcome,
needs validation at some point.
Set Timing, Sequencing, and Flow Control
Timing And Schedule:
Planning factors*: 3-4 Weeks for prep, 1 week for execution. Plan for 4 days’ worth of
work per shift. Plan for 1 more day of execution than you think you’ll need to
complete all of your emulations in order to support remedial emulation of missed,
skipped, or otherwise important emulations.
Shift, Daily, and Final reporting should be specified. (Assuming Approved budget
and personnel)
This is where you make money. Don’t skip this part. Note: the critical element of
purple teaming is in continuous interaction between red and blue, regardless of
whether or not red is automated. Exercise Control should be lead ing debriefs of
effects, detects, and protects at least twice daily with all Do-ers in the room.
Set time gates for the blue team to detect and action each effect. If they blow a gate,
advise the red team to move to the next OR provide “threat intel” to point blue in the
right direction. It’s EXCON’s responsibility to understand the relative value of each
scenario and keep the exercise moving. Both a blown gate and immediate alert
have training value and need a debrief.
Senior stakeholders and leadership of red and blue should have full knowledge of
the exercise scenario, specifically red actions and their timing. NDA them as needed,
but be more certain to impress the importance of limiting what the Do-ers know as
a matter of training value. From the perspective of safety, TAs will know that
something is happening and will deconflict confusion on the analyst floors when
reality pokes its nose in.
There’s going to be more than one time when the blue team is stumped —this is ok
and actually good. A blown gate is worth more in training value than an immediate
detection, just be ready to keep the action moving with specifically crafted “threat
intel” notes and packages that can put them back on the right track or help slide the
last piece into place.
Phase III: Execution
Exercise Judgement
Safety, Exercise Flow, and PRODUCTION are all subject to a degree of risk when
emulating badness. EXCON should be an experienced practitioner-leader who
knows Red, Blue, and Intel as fluently as IT architecture (very).
Every day gets a rundown of catches and misses with both red and blue in the room.
Address the how and why of each, be candid, call out individual successes and
failures constructively. Right after the last hot wash should be the initial Outbrief
with your stakeholders—no more than an hour between them. This is a fresh and
rough report that assures everyone you’ve delivered value from their investment.
Deliver a final Outbrief NO LATER THAN 1 week after completing the exercise…I’ve
seen reports languish in approval-chain-purgatory for months and then nobody’s
happy when nothing comes of it because the organization has moved on.
Every stakeholder has both a boss and a job to handle; produce reports accordingly.
Some technical reports will require extra time and analysis to make useful with
compensating controls and mitigation plans. Some EXSUMs will need savvy VPs to
weigh in and executize© things into the language of risk as opposed to
vulnerabilities in libc. Talk to people about the things they care about.
Mitigate and Revalidate Control Gaps
Assess and Enact Mitigations
Ask yourself and your team: Wherever the pipeline failed, how do we fix it and what
are the best compensating controls to stand between now and that fix? Where do
controls so repeatedly overlap as to lose value in maintaining both rather than
dropping one and compensating somewhere else? Security Architecture analysis
comes back into play as red and blue refine both failed processes and tech. The Risk
Mitigation Plan mentioned earlier is a framework for describing and prioritizing
exercise outputs in terms of risks identified and controls in need of improvement.
Start up whatever Red capability you used to execute the emulation plan and throw
it at your fresh mitigations to see how they took.
There will still be holes, but they shouldn’t be so big or numerous as before, and
you’ve stepped up your team’s capabilities to the point that the ones you filled are
matters of policy and procedure to cover rather than intense effort. The ones left
over are the subject of compensating controls, longer-term investments, and the
starting point for the next round.
Stakeholder support
Put your goals on paper and describe the benefits of an exercise to the right
people—this will have to go high enough for someone to make a risk decision on
running emulations in your environment. There’s value for everyone in the chain, be
sure to make it known.
IR Analysts Do-ers
Threat Hunters Do-ers Win the War.
Red Teamers Do-ers
Threat Intel Analyst Do-er
Plan To Plan
Create and use a planning tracker to ensure you’ve hit the major milestones and
completed the analysis and coordination needed to execute and show value.
Exercise Schedule
Give yourself at least a month to make an exercise happen, from the start of
planning to Outbrief delivery.
1 week is enough time to run a good exercise, but you can go as long as you like if
you have the manpower and cycles to support it. Plan the last day for remedial
emulations that were missed, incompletely addressed, or which present special
training value. Be ready to deliver an immediate Outbrief to your stakeholders after
the final hot wash. Confirm to them that you’re delivering on their investment of
time and money and preview the detailed findings that will come out in a week’s
time. The final Outbrief should happen no less than a week after exercise
completion, but fully detailed reports on mitigation plans and continuous defense
plans can take as long as needed to make them properly actionable.
Run your results through the google machine and you’ll be surprised what comes
up. Simply using your vertical as a search term can yield good information.
Click on “Groups” at the top of the page and reading up on each to understand their
targeting tendencies. More importantly, you get a list of all the techniques and tools
they are known to use or have used!
This is a very basic example of a threat modeling template. I’ll walk you through
filling in techniques for an advanced threat…let’s give it a spin [switch to browser]
1)Ask yourself some questions—I.E. the ones from the last slide, write down your
answers
This is basic and not a replacement for hard research and analysis, but it’s a
place to start the process and gives you good techniques to line up in your
emulation plan.
Exercise Map
I’ve found that a quick map of the exercise as a simplified representation of the
emulation plan is handy not only for conceptualizing the thing in my head, but it
briefs well and you can scope it for the stakeholder audience you’re engaging with.
You can use this format to execute basic Purple Team Ops
Planning Considerations
Most teams don’t automate and there are a variety of reasons why.
Consider Automation: Purple Team engagements specifically and Threat-Informed
Defense in general lend themselves to automation because the alternative is a too -
small sample size and restricted test scopes
Red Teams remain threat experts who can plan and shape emulation plans,
incorporate focused threat intelligence, and validate findings better than just about
anyone.
One-Shot/On-Call/In Policy
● In response to a relevant threat intelligence package
● As part of major infrastructure or application updates
Periodic
As part of regular Security governance cycles
Continuous
Enables spiral growth of defenses
Get Started
Questions To Ask…
Start some conversations within your organization; gauge interest, wants, needs, and
workloads as you map the political playing field you may need to navigate.
Digital Credentials
After you pass the assessment, you will receive your digital credentials through the
Credly Acclaim platform.
Digital credentials are the badges you may have seen people sharing on LinkedIn.
Digital credentials go beyond paper certificates. They are portable, verifiable, and
uniquely linked to you. They also ensure that your hard-earned achievements are
owned by you, not us - you can access and utilize your digital credential whenever,
however you see fit – including adding it to blockchain. Digital credentials make you
and your achievements - more visible to employers and your professional network.
Share Your Achievements with Your Network
Your skills, competencies, and certifications are worth more than a static bullet point
on a resume or a paper certificate hanging on the wall in your office. When
represented as a digital credential, you can share your achievements with your
network in one click from Credly’s Acclaim platform. Peers and employers can verify
and learn more about what it is you can do thanks to earning a digital credential
from AttackIQ. And research shows that professionals who share their digital
credentials to professional networking sites are discovered by employers, on
average, six times more often than those who do not.
Get After it
Grab the templates off the student portal and see what you can do!
38