Purple Team Strategies

Book description

Leverage cyber threat intelligence and the MITRE framework to enhance your prevention mechanisms and detection capabilities, and learn top adversarial simulation and emulation techniques

Key Features

  • Apply real-world strategies to strengthen the capabilities of your organization's security system
  • Learn to not only defend your system but also think from an attacker's perspective
  • Ensure the ultimate effectiveness of an organization's red and blue teams with practical tips

Book Description

With small to large companies focusing on hardening their security systems, the term "purple team" has gained a lot of traction over the last couple of years. Purple teams represent a group of individuals responsible for securing an organization's environment using both red team and blue team testing and integration – if you're ready to join or advance their ranks, then this book is for you.

Purple Team Strategies will get you up and running with the exact strategies and techniques used by purple teamers to implement and then maintain a robust environment. You'll start with planning and prioritizing adversary emulation, and explore concepts around building a purple team infrastructure as well as simulating and defending against the most prevalent ATT&CK tactics. You'll also dive into performing assessments and continuous testing with breach and attack simulations.

Once you've covered the fundamentals, you'll also learn tips and tricks to improve the overall maturity of your purple teaming capabilities along with measuring success with KPIs and reporting.

With the help of real-world use cases and examples, by the end of this book, you'll be able to integrate the best of both sides: red team tactics and blue team security measures.

What you will learn

  • Learn and implement the generic purple teaming process
  • Use cloud environments for assessment and automation
  • Integrate cyber threat intelligence as a process
  • Configure traps inside the network to detect attackers
  • Improve red and blue team collaboration with existing and new tools
  • Perform assessments of your existing security controls

Who this book is for

If you're a cybersecurity analyst, SOC engineer, security leader or strategist, or simply interested in learning about cyber attack and defense strategies, then this book is for you. Purple team members and chief information security officers (CISOs) looking at securing their organizations from adversaries will also benefit from this book. You'll need some basic knowledge of Windows and Linux operating systems along with a fair understanding of networking concepts before you can jump in, while ethical hacking and penetration testing know-how will help you get the most out of this book.

Table of contents

  1. Purple Team Strategies
  2. Contributors
  3. About the authors
  4. About the reviewers
  5. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the example code files
    5. Download the color images
    6. Conventions used
    7. Get in touch
    8. Share Your Thoughts
  6. Part 1: Concept, Model, and Methodology
  7. Chapter 1: Contextualizing Threats and Today's Challenges
    1. General introduction to the threat landscape
      1. Threat trends and reports
      2. But really, what is a threat?
      3. What posture should be adopted regarding the current threat landscape?
    2. Types of threat actors
      1. A word on attribution
    3. Key definitions for purple teaming
      1. The red team
      2. The blue team
      3. Other teams
      4. Cyber ranges
      5. Breach attack simulation
      6. Adversary (attack) emulation
      7. Threat-informed defense
    4. Challenges with today's approach
    5. Regulatory landscape
    6. Summary
    7. Further reading
  8. Chapter 2: Purple Teaming – a Generic Approach and a New Model
    1. A purple teaming definition
    2. Roles and responsibilities
    3. A purple teaming process description
      1. The Prepare, Execute, Identify, and Remediate approach
    4. The purple teaming maturity model
    5. PTX – purple teaming extended
    6. Purple teaming exercise types
      1. Example one – APT3 emulation
      2. A breach attack simulation exercise
      3. Continuous vulnerability detection
      4. A new TTP or threat analysis
    7. Purple teaming templates
      1. Report template
      2. Collaboration engineering template
    8. Summary
  9. Chapter 3: Carrying out Adversary Emulation with CTI
    1. Technical requirements
    2. Introducing CTI
    3. The CTI process
    4. The types of CTI and their use cases
    5. CTI terminology and key models
    6. Integrating CTI with purple teaming
      1. The adversary's TTPs
      2. The adversary's toolset
      3. How TIPs can help
    7. Summary
  10. Chapter 4: Threat Management – Detecting, Hunting, and Preventing
    1. Defense improvement process
      1. Defense-oriented frameworks and models
    2. Prevention
    3. Threat hunting
      1. TaHiTI threat hunting methodology
    4. Detection engineering and as code
      1. Sigma framework
      2. YARA rule
      3. Snort rule
      4. MaGMa – a use case management framework
    5. Connecting the dots
    6. Summary
  11. Part 2: Building a Purple Infrastructure
  12. Chapter 5: Red Team Infrastructure
    1. Technical requirements
    2. Offensive distributions
      1. Kali Linux
      2. Slingshot
      3. Commando VM
    3. Domain names
    4. C2
      1. Phishing C2
      2. Short-term/interactive C2
      3. Long-term C2
    5. Redirectors
    6. The power of automation
    7. Summary
    8. Further reading
  13. Chapter 6: Blue Team – Collect
    1. Technical requirements
    2. High-level architecture
      1. A word on log formats
    3. Agent-based collection techniques
      1. Beats
      2. Nxlog
    4. Agentless collection – Windows Event Forwarder and Windows Event Collector
    5. Agentless collection – other techniques
      1. Syslog
      2. Extract, transform, and load – Logstash
      3. Enrichment
      4. Filtering
    6. Secrets from experience
    7. Summary
  14. Chapter 7: Blue Team – Detect
    1. Technical requirements
    2. Data sources of interest
      1. Windows
      2. Sysmon – Windows Sysinternals
      3. Antivirus and EDR technologies
      4. Linux environments
      5. Cloud-based logs
      6. Firewall logs
      7. Proxy and web logs
      8. Other data sources of interest
    3. Intrusion detection systems
      1. Zeek
      2. Suricata
    4. Vulnerability scanners
    5. Attack prediction and threat feeds
      1. Prediction
      2. Threat feeds
    6. Deceptive technology
      1. Honeypots
      2. Honeyfiles
    7. Summary
  15. Chapter 8: Blue Team – Correlate
    1. Technical requirements
    2. Theory of correlation
    3. SIEM and analytics solutions
      1. Input-driven versus output-driven
    4. Query languages
      1. Splunk process language
      2. KQL
    5. Summary
  16. Chapter 9: Purple Team Infrastructure
    1. Technical requirements
    2. Purple overview
    3. Adversary emulation and simulation
      1. Adversary emulation versus adversary simulation
      2. Atomic Red Team
      3. Caldera
      4. VECTR
      5. Picus Security
    4. Enabling purple teaming with DevOps
      1. Understanding the complete lifecycle of GitLab
      2. Ansible – a reference in the automation environment
      3. Rundeck – automate a global security workflow
    5. Summary
  17. Part 3: The Most Common Tactics, Techniques, and Procedures (TTPs) and Defenses
  18. Chapter 10: Purple Teaming the ATT&CK Tactics
    1. Technical requirements
    2. Methodology
    3. Reconnaissance and resource development
    4. Initial access
      1. T1566 – Phishing
      2. T1190 – Exploit public-facing application
    5. Execution
      1. T1059 – Command and scripting interpreter
    6. Persistence
      1. T1053 – Scheduled task/job
      2. T1547 – Boot or logon autostart execution
    7. Privilege escalation
      1. T1055 – Process injection
    8. Defense evasion
      1. T1218 – Signed binary proxy execution
    9. Credential access
      1. T1003 – OS credential dumping
    10. Discovery
      1. T1018 – Remote system discovery
      2. T1046 – Network service scanning
    11. Lateral movement
      1. T1021 – Remote services
    12. Collection
      1. T1560 – Archive collected data
    13. Command and Control (C2)
      1. T1071 – Application layer protocol
    14. Exfiltration
      1. T1041 – Exfiltration over C2 channel
      2. T1567 – Exfiltration over web service
    15. Impact
      1. T1490 – Inhibit system recovery
    16. Summary
  19. Part 4: Assessing and Improving
  20. Chapter 11: Purple Teaming with BAS and Adversary Emulation
    1. Technical requirements
    2. Breach attack simulation with Atomic Red Team
    3. Adversary emulation with Caldera
    4. Current and future considerations
    5. Summary
  21. Chapter 12: PTX – Purple Teaming eXtended
    1. Technical requirements
    2. PTX – the concept of the diffing strategy
      1. Purpling the vulnerability management process
      2. Purpling the outside perimeter
      3. Purpling the Active Directory security
      4. Purpling the containers' security
      5. Purpling cloud security
    3. Summary
  22. Chapter 13: PTX – Automation and DevOps Approach
    1. Practical workflow
    2. Rundeck initialization
    3. Integration with the environment
      1. Import the Inventory in Ansible
      2. Configuring WinRM connections between Rundeck and Windows hosts
    4. Initial execution
      1. Using PingCastle on a remote Windows host
      2. Scheduling an Ansible playbook using Rundeck
      3. Running PingCastle to conduct a health check on an Active Directory Domain
    5. Diffing results
    6. Configuring alerting
    7. Automation and monitoring
      1. Rundeck scheduling workflow
      2. Monitoring and reporting
    8. Summary
  23. Chapter 14: Exercise Wrap-Up and KPIs
    1. Technical requirements
    2. Reporting strategy overview
    3. Purple teaming report
    4. Ingesting data for intelligence
    5. Key performance indicators
      1. Number of exercises performed during the year
      2. Proportion of manual tests performed
      3. Number of changes triggered by purple teaming exercises
      4. Failed security controls per MITRE ATT&CK tactic
      5. Purple teaming assessments objectives
      6. MITRE ATT&CK framework testing coverage
      7. MITRE ATT&CK framework detection coverage
      8. Data source integration prioritization
      9. From Sigma to MITRE ATT&CK Navigator
    6. The future of purple teaming
    7. Summary
    8. Why subscribe?
  24. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share Your Thoughts

Product information

  • Title: Purple Team Strategies
  • Author(s): David Routin, Simon Thorès, Samuel Rossier
  • Release date: June 2022
  • Publisher(s): Packt Publishing
  • ISBN: 9781801074292