Getting Started: How to Purple Team
- Grab a room! Clear Red and Blue Team calendars and work as a team in 3-4 hour segments.
- Let bygones be bygones. Bury the hatchet if you’ve burned each other in the past. You are protecting the same organization. No blame, no shame.
- Inspect what you expect. Assume nothing. Controls will fail that you expected to succeed. Others will surprise you.
- Be patient and give grace. Red is good at red. Blue is good at blue. Learn from each other, give kudos and take mutual credit for defense’s success.
Common Use Cases
Early indicators of compromise
Simulate the most common techniques an attacker uses to identify vulnerable systems and avenues of attack. These include both internal and external network and systems reconnaissance and targeted brute force attacks against authentication prompts.
Account abuse which simulates an attacker that has obtained valid credentials and Windows domain credentials. Misuse scenarios include attempting to gain remote access to the internal network from the Internet, authenticating to customer portals from unknown machines and locations.
Spear phishing technical defenses
Simulate email attacks designed to sequentially bypass each layer of defenses (inbound, desktop, outbound). Use progressively sophisticated methods to identify the effectiveness of detection controls and how to detect increasingly stealthy methods.
Malware detection and response
Simulate benign commodity and custom malware on a sample workstation.
Lateral movement and protected resources breach
Simulate user-to-admin privilege escalation on the network, network segmentation testing, misuse of service and privileged accounts and movement across the network and access to sensitive data. This testing improves systems and network hardening, but more importantly, identifies opportunities to improve security event detection and correlation.
C2 and data exfiltration
Demonstrate the end goal of the attacker. Identify and describe how dedicated external or internal threats could send confidential information outside of the network from in-scope workstations, virtual desktops, and internal systems. Use a variety of different C2 channels.