Live Adversary Simulation-Red and Blue Team Tactics

This document discusses adversary emulation and purple teaming tactics for improving security. It defines red and blue teams, with red representing offensive tactics and blue representing defensive strategies. Purple teaming combines these approaches to provide continuous feedback between offense and defense. Several tools are presented that can be used for adversary emulation, including Caldera, Empire, and APTSimulator. The document demonstrates how to model real-world attacks using Caldera and stresses the importance of logging, asset inventory, and communication between red and blue teams to strengthen security posture.

SESSION ID: AIR-R02

Live Adversary Simulation Red and Blue Team Tactics

Stephen Sims
Security Researcher / Fellow / Curriculum Lead
SANS Institute
@Steph3nSims

#RSAC
Agenda

/2/
Intro

What is Adversary Emulation


What is “Red Team” & “Blue Team”?

Red Team (“Offense”)            Blue Team (“Defense”)
• Vulnerability Assessments     • Implementing Controls
• Penetration Tests             • Security Monitoring
• Social Engineering            • Incident Response

COMMON GOAL: Improve organization security posture

What is “Adversary Emulation”?

Adversary Emulation
Emulate the adversary across the full attack lifecycle (the Cyber Kill Chain phases shown on the slide):
Reconnaissance -> Weaponization -> Delivery -> Exploitation -> Installation -> Command & Control -> Action on Objectives

Why do Adversary Emulation?

Understand your current exposure to a realistic, relevant, threat


On top of vulnerability identification, assess detection capability as well
Also test the human reaction (how the defenders actually respond)
Repeatable, structured process that provides key areas for improvement

Consider Purple Teaming
Red and Blue teams typically report within different silos or
hierarchies, hurting communication

Feedback Loop

[Figure: offense and defense exchange a VULNERABILITY REPORT in one direction and a REPORT ON REMEDIATED FLAWS in the other]

Information should flow in both directions:
• Offense informs the defense about the TTPs of bad actors
• Defense informs the offense about their controls and monitoring
• Offense informs the defense about their techniques
• Defense informs the offense as to how they respond to incidents

Prerequisites for Purple Teaming
If you’re not looking, you can’t really purple team…

How to Approach This?
Let's make blue more "red" and make "red" more blue:

Red team
• Understand prevention, detection and response techniques
• Understand complexities and limitations of the target organization and tailor recommendations
• Present known TTPs to the blue team (highlight "quick wins") and innovate the red team approach continuously

Blue team
• Understand and follow up on known adversary TTPs
• Test the organization continuously and improve where possible
• Track and report on coverage of TTPs (e.g. ATT&CK framework)

So how do we practically do this? What about our yearly red team?
Does this mean "Purple" is better than "Red"? The answer is not that simple. Depending on your objectives, either could offer value. Here's an idea for a setup:

RED: Organize a yearly red team to assess the actual state of security in the organization. Feedback only after the exercise ends, as the exercise is typically meant to be stealthy (realistic adversary emulation)…
VALUE: Periodic assessment of organization resilience

PURPLE: Perform continuous purple teaming to improve the state of security in the organization. Blue team members simulate focused attack techniques as part of their operations to immediately test the effectiveness of detection and prevention controls.
VALUE: Continuous improvement of organization resilience

Demonstration
In 2017, a well-known organization fell victim to an attack against a known Apache Struts2 vulnerability.
Patching aside, every adversarial action performed was recorded in the logs…
Let’s see a demo!

What failed?
A lack of asset or software inventory (CIS Critical Security Controls #1 & #2: hardware and software asset inventory)
A lack of proper patch management
A lack of log management
A likely flat network
How does this map back to the various APT lifecycles available?

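The point of the demo is that the attack was visible in logs nobody was reading. As an added example (not part of the talk), here is a small hunt over web-server log lines for the kind of request that exploits that class of Struts2 flaw. It assumes (a) that the slide refers to the OGNL expression injection via the Content-Type header in the Jakarta Multipart parser (CVE-2017-5638), and (b) that the web tier's LogFormat was extended to record the request Content-Type header, which a default access log does not. The log lines, addresses (RFC 5737 documentation ranges) and payload strings are constructed.

```python
"""Hunt for OGNL-injection attempts in logged HTTP Content-Type headers.

Added example, not from the talk. Assumes the web tier logs the request
Content-Type header (a default access log does not), e.g. an Apache
LogFormat ending in "\"%{Content-Type}i\"". All log lines are constructed.
"""
import re
from urllib.parse import unquote

# Markers that never belong in a legitimate Content-Type value.
OGNL_MARKERS = (
    r"%\{",                               # start of an OGNL expression
    r"#_memberAccess",                    # sandbox-bypass idiom
    r"@java\.lang\.Runtime@getRuntime",   # direct command execution
    r"java\.lang\.ProcessBuilder",        # alternative command execution
    r"#cmd\s*=",                          # the payload's command variable
)
OGNL_RX = re.compile("|".join(OGNL_MARKERS), re.IGNORECASE)

# Combined-format line followed by one extra quoted field: the Content-Type header.
LOG_RX = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<ctype>.*)"$'
)

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2017:02:14:07 +0000] "POST /struts2-showcase/index.action HTTP/1.1" 200 512 "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='whoami').(#p=new java.lang.ProcessBuilder(#cmd)).(#p.start())}"
198.51.100.7 - - [10/Mar/2017:02:14:09 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 1024 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
203.0.113.5 - - [10/Mar/2017:02:15:31 +0000] "GET /struts2-showcase/index.action HTTP/1.1" 200 512 "%25%7B(%23cmd%3D'id')%7D"
192.0.2.9 - - [10/Mar/2017:02:16:00 +0000] "GET /index.html HTTP/1.1" 200 2048 "-"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for lines in another format."""
    m = LOG_RX.match(line)
    return m.groupdict() if m else None


def extract_command(ctype):
    """Pull the operator's command out of a '#cmd=...' assignment, if present."""
    m = re.search(r"#cmd\s*=\s*'([^']*)'", ctype)
    return m.group(1) if m else None


def find_ognl_attempts(log_text):
    """Return one record per request whose Content-Type carries OGNL markers."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Decode percent-encoding: attackers encode the payload to slip past naive matching.
        ctype = unquote(rec["ctype"])
        if OGNL_RX.search(ctype):
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "request": rec["req"],
                "command": extract_command(ctype),
            })
    return hits


if __name__ == "__main__":
    for h in find_ognl_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['request']} -> cmd={h['command']!r}")
```

Two of the four constructed lines are flagged (the percent-encoded one only because the header is decoded before matching); the benign multipart upload is not. The same check works as a SIEM rule, but only if the header actually reaches the pipeline, which is the "are we logging the correct events" question from the takeaways.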
…and it continues

Tools

What’s Available to Help?


Typical “Pen Test” and “Red Team” Tools

Metasploit is an exploitation framework used by virtually all penetration testers. It has both a free community edition and a commercial edition available. Its main focus is on “standardization” of exploit development and usage.

Empire is primarily a post-exploitation tool. It has both Windows support (using a pure PowerShell 2.0 agent) and Linux / OS X support (using a pure Python 2.6/2.7 agent). It is the result of the merger of PowerShell Empire and Python EmPyre!

APTSimulator

APTSimulator is a Windows-based tool that makes a system look like it was the victim of a targeted attack. The key focus is thus on the endpoint.

It supports a wide variety of the ATT&CK tactics, as listed in the screenshot on the slide.

FlightSim

Atomic Red Team

MITRE ATT&CK
MITRE ATT&CK “…is a globally-accessible knowledge base of
adversary tactics and techniques based on real-world
observations.”

Caldera

Caldera – Architecture

Adversary Emulation Plans
Applying MITRE ATT&CK

Prototype documents of what can be done with publicly available threat reports and ATT&CK

Allow defenders to more effectively test their networks and defenses by enabling red teams to more actively model adversary behavior.

Adversary Emulation with Caldera
CALDERA is focused on adversary emulation “post compromise”.
As such, CALDERA assumes that an adversary already has an initial foothold on a network.

Compromise Host -> Discovery -> Privilege Escalation -> Credential Access -> Lateral Movement

Compromise Host:       Caldera agent
Discovery:             Tasklist; Localgroup admins
Privilege Escalation:  PowerUp.ps1
Credential Access:     Dump credentials
Lateral Movement:      PSExec; Pass-the-hash

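The blue-team task of tracking and reporting TTP coverage (from the "How to Approach This?" slide) and the post-compromise chain above come together in one purple-team question: after the emulation runs, did our telemetry capture each step? The following is an added example, not code from the talk or from CALDERA. The mapping of the slide's steps to ATT&CK technique IDs, the choice of Sysmon event 1 (process creation), Sysmon event 10 (process access), System event 7045 (service installation) and Security event 4624 (logon) as the expected evidence, and the event records themselves are all assumptions constructed for the example; the LSASS access event is deliberately missing so the report shows a gap.

```python
"""Purple-team coverage check: did telemetry capture each emulated step?

Added example, not from the talk or from CALDERA. The ATT&CK mapping,
expected event IDs and the event records below are assumptions chosen to
mirror the post-compromise chain on the slide. "Sysmon" is shorthand for
the Microsoft-Windows-Sysmon/Operational channel.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    phase: str        # kill-chain phase from the slide
    technique: str    # ATT&CK technique ID the step emulates
    action: str       # what the operator (or the Caldera agent) runs
    log: str          # event log where the evidence should appear
    event_id: int     # event ID that should record it
    pattern: str      # regex over the event message


# Ordered emulation plan (hypothetical mapping of the slide's chain to ATT&CK).
PLAN = [
    Step("Discovery", "T1057", "tasklist", "Sysmon", 1, r"Image: .*\\tasklist\.exe"),
    Step("Discovery", "T1069.001", "net localgroup administrators", "Sysmon", 1, r"CommandLine: .*localgroup administrators"),
    Step("Privilege Escalation", "T1059.001", "PowerUp.ps1 via PowerShell", "Sysmon", 1, r"CommandLine: .*PowerUp\.ps1"),
    Step("Credential Access", "T1003.001", "dump LSASS memory", "Sysmon", 10, r"TargetImage: .*\\lsass\.exe"),
    Step("Lateral Movement", "T1021.002", "PsExec to next host", "System", 7045, r"Service Name: PSEXESVC"),
    Step("Lateral Movement", "T1550.002", "pass-the-hash logon", "Security", 4624, r"Logon Type:\s*3.*Authentication Package:\s*NTLM"),
]

# Constructed telemetry from the victim range; the LSASS access event is deliberately absent.
EVENTS = [
    {"log": "Sysmon", "event_id": 1, "message": "Image: C:\\Windows\\System32\\tasklist.exe\nCommandLine: tasklist /v"},
    {"log": "Sysmon", "event_id": 1, "message": "Image: C:\\Windows\\System32\\net.exe\nCommandLine: net localgroup administrators"},
    {"log": "Sysmon", "event_id": 1, "message": "Image: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nCommandLine: powershell -ep bypass -f PowerUp.ps1"},
    {"log": "System", "event_id": 7045, "message": "Service Name: PSEXESVC\nService File Name: %SystemRoot%\\PSEXESVC.exe"},
    {"log": "Security", "event_id": 4624, "message": "Logon Type: 3\nLogon Process: NtLmSsp\nAuthentication Package: NTLM\nAccount Name: svc-backup"},
]


def observed(step, events):
    """True if any event matches the step's log, event ID and message pattern."""
    rx = re.compile(step.pattern, re.IGNORECASE | re.DOTALL)
    return any(
        e["log"] == step.log and e["event_id"] == step.event_id and rx.search(e["message"])
        for e in events
    )


def coverage(plan, events):
    """Map each technique ID in the plan to whether telemetry captured it."""
    return {s.technique: observed(s, events) for s in plan}


def report(plan, events):
    """Human-readable coverage table plus the gaps to hand to the blue team."""
    cov = coverage(plan, events)
    lines = [
        f"{s.phase:<21} {s.technique:<10} {s.action:<30} {'observed' if cov[s.technique] else 'GAP'}"
        for s in plan
    ]
    lines.append(f"coverage: {sum(cov.values())}/{len(plan)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(PLAN, EVENTS))
```

Running it against the constructed events reports 5/6 with T1003.001 as the gap: the credential dump ran but nothing recorded the LSASS access, which is exactly the finding the feedback loop should carry from offense to defense (enable or forward the relevant telemetry, then re-run the step). Real plans should key on the fields your SIEM actually normalizes rather than on raw message text.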
Commercial Adversary Emulation Tools

Demonstration

Emulating an Attack Using Caldera!


How to Apply Today’s Subject Matter
What to take away from this presentation
• We need to ensure that our “blue” and “red” teams are communicating
• Validate that we are logging the correct events and information
• We must also validate that this information is making its way down our pipeline and onto a SOC dashboard
• Adversary emulation can greatly improve your chances of preventing and detecting a breach

Thanks!

Stephen Sims
@Steph3nSims
