Book Image

Purple Team Strategies

By : David Routin, Simon Thoores, Samuel Rossier
Book Image

Purple Team Strategies

By: David Routin, Simon Thoores, Samuel Rossier

Overview of this book

With small to large companies focusing on hardening their security systems, the term "purple team" has gained a lot of traction over the last couple of years. Purple teams represent a group of individuals responsible for securing an organization’s environment using both red team and blue team testing and integration – if you’re ready to join or advance their ranks, then this book is for you. Purple Team Strategies will get you up and running with the exact strategies and techniques used by purple teamers to implement and then maintain a robust environment. You’ll start with planning and prioritizing adversary emulation, and explore concepts around building a purple team infrastructure as well as simulating and defending against the most trendy ATT&CK tactics. You’ll also dive into performing assessments and continuous testing with breach and attack simulations. Once you’ve covered the fundamentals, you'll also learn tips and tricks to improve the overall maturity of your purple teaming capabilities along with measuring success with KPIs and reporting. With the help of real-world use cases and examples, by the end of this book, you'll be able to integrate the best of both sides: red team tactics and blue team security measures.

Related Content you might be interested in

Current Title:

Small book image
Purple Team Strategies
David Routin | Simon Thoores | Samuel Rossier
Jun, 2022 | 450 pages
Small book image
Practical Threat Intelligence and Data-Driven Threat Hunting
Valentina CostaGazcoacuten
Feb, 2021 | 398 pages
Small book image
Aligning Security Operations with the MITRE ATT&CK Framework
Rebecca Blair
May, 2023 | 192 pages
Small book image
Incident Response Techniques for Ransomware Attacks
Oleg Skulkin
Apr, 2022 | 228 pages
Table of Contents (20 chapters)
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Download the example code files
Download the color images
Conventions used
Get in touch
Share Your Thoughts
1
Part 1: Concept, Model, and Methodology
Part 1: Concept, Model, and Methodology
Free Chapter
2
Chapter 1: Contextualizing Threats and Today's Challenges
Chapter 1: Contextualizing Threats and Today's Challenges
General introduction to the threat landscape
Types of threat actors
Key definitions for purple teaming
Challenges with today's approach
Regulatory landscape
Summary
Further reading
3
Chapter 2: Purple Teaming – a Generic Approach and a New Model
Chapter 2: Purple Teaming – a Generic Approach and a New Model
A purple teaming definition
Roles and responsibilities
A purple teaming process description
The purple teaming maturity model
PTX – purple teaming extended
Purple teaming exercise types
Purple teaming templates
Summary
4
Chapter 3: Carrying out Adversary Emulation with CTI
Chapter 3: Carrying out Adversary Emulation with CTI
Technical requirements
Introducing CTI
The CTI process
The types of CTI and their use cases
CTI terminology and key models
Integrating CTI with purple teaming
Summary
5
Chapter 4: Threat Management – Detecting, Hunting, and Preventing
Chapter 4: Threat Management – Detecting, Hunting, and Preventing
Defense improvement process
Prevention
Threat hunting
Detection engineering and as code
Connecting the dots
Summary
6
Part 2: Building a Purple Infrastructure
Part 2: Building a Purple Infrastructure
7
Chapter 5: Red Team Infrastructure
Chapter 5: Red Team Infrastructure
Technical requirements
Offensive distributions
Domain names
C2
Redirectors
The power of automation
Summary
Further reading
8
Chapter 6: Blue Team – Collect
Chapter 6: Blue Team – Collect
Technical requirements
High-level architecture
Agent-based collection techniques
Agentless collection – Windows Event Forwarder and Windows Event Collector
Agentless collection – other techniques
Secrets from experience
Summary
9
Chapter 7: Blue Team – Detect
Chapter 7: Blue Team – Detect
Technical requirements
Data sources of interest
Intrusion detection systems
Vulnerability scanners
Attack prediction and threat feeds
Deceptive technology
Summary
10
Chapter 8: Blue Team – Correlate
Chapter 8: Blue Team – Correlate
Technical requirements
Theory of correlation
SIEM and analytics solutions
Query languages
Summary
11
Chapter 9: Purple Team Infrastructure
Chapter 9: Purple Team Infrastructure
Technical requirements
Purple overview
Adversary emulation and simulation
Enabling purple teaming with DevOps
Summary
12
Part 3: The Most Common Tactics, Techniques, and Procedures (TTPs) and Defenses
Part 3: The Most Common Tactics, Techniques, and Procedures (TTPs) and Defenses
13
Chapter 10: Purple Teaming the ATT&CK Tactics
Chapter 10: Purple Teaming the ATT&CK Tactics
Technical requirements
Methodology
Reconnaissance and resource development
Initial access
Execution
Persistence
Privilege escalation
Defense evasion
Credential access
Discovery
Lateral movement
Collection
Command and Control (C2)
Exfiltration
Impact
Summary
14
Part 4: Assessing and Improving
Part 4: Assessing and Improving
15
Chapter 11: Purple Teaming with BAS and Adversary Emulation
Chapter 11: Purple Teaming with BAS and Adversary Emulation
Technical requirements
Breach attack simulation with Atomic Red Team
Adversary emulation with Caldera
Current and future considerations
Summary
16
Chapter 12: PTX – Purple Teaming eXtended
Chapter 12: PTX – Purple Teaming eXtended
Technical requirements
PTX – the concept of the diffing strategy
Summary
17
Chapter 13: PTX – Automation and DevOps Approach
Chapter 13: PTX – Automation and DevOps Approach
Practical workflow
Rundeck initialization
Integration with the environment
Initial execution
Diffing results
Configuring alerting
Automation and monitoring
Summary
18
Chapter 14: Exercise Wrap-Up and KPIs
Chapter 14: Exercise Wrap-Up and KPIs
Technical requirements
Reporting strategy overview
Purple teaming report
Ingesting data for intelligence
Key performance indicators
The future of purple teaming
Summary
Why subscribe?
19
Other Books You May Enjoy
Other Books You May Enjoy
Packt is searching for authors like you
Share Your Thoughts

Lateral movement

To achieve their objectives, a threat actor will need to move within our network, allowing us to detect them. As we mentioned in the previous section, the attacker must map the network to know where to pivot inside our information system.

In this section, we will look at various sub-techniques related to the remote services technique, which is largely used by threat actors.

T1021 – Remote services

Once attackers obtain valid credentials, they will use them on all the assets they discovered in the discovery phase. The CTI taught us that they will mostly rely on the following:

  • T1021.001 – Remote desktop protocol
  • T1021.002 – SMB/Windows admin shares
  • T1021.004 – SSH

The good news is that lateral movement detection is quite similar to discovery detection and even covers other lateral movement techniques (relying on WinRM, DCOM objects, and so on):

Table 10.16 – Purple Teaming T1021

Once lateral...

Previous Section
End of Section 12
Next Section