By Erik Goldoff, Ray Van Hoose, and Max Boehner || Guest Authors

This post is comprised of 3 articles that were originally published in the second edition of the InfoSec Survival Guide. Find it free online HERE or order your $1 physical copy on the Spearphish General Store.

Blue Team – Defend, Detect, Protect

by Erik Goldoff || CISSP, @ErikG

“Blue team” is a high-level term covering defensive security, whose goals are to reduce attack surface, as well as detect and respond to threats.

Here are some, but not all, of the sub-topics under the umbrella of blue team operations:

• Defensive Security
• Infrastructure Protection
• End-User Education
• Incident Response (IR)
• Business Continuity/Damage Control
• Security Operations Center (SOC)
• Threat Hunting & Digital Forensics (DF)

Transitioning to blue team positions is easier for existing IT staffers (user support/help desk operations, or network team). You need to be able to understand what is normal for your environment in order to quickly recognize the abnormal (potential security events). Your existing IT jobs are a great place to gain understanding of your environment from various fundamental perspectives.

As part of defensive security and/or infrastructure protection, it is vital that security stack components be configured and deployed properly — so as to not ignore threats, but not so stringent as to prevent productivity. You do not want your security solution to present the denial-of-service you are trying to prevent. Endpoint security, endpoint detection and response (EDR), and security information and event management (SIEM) are tools used in defensive security.

End users are often the weakest link in any organization with regards to security threats. You need to help them understand not only what to do, but also why, in order to help increase cooperation. Publishing periodic phishing test results by department can be more motivational than just individual training.

Should your organization be breached by a cybersecurity attack, how do you proceed to mitigate the threat and damage while keeping your enterprise operating as it should? Your SOC and incident response teams can help identify the threat, the source, and the immediate remediation, while still maintaining “chain of custody” for any evidence found, as your organization may have legal requirements for cooperation with authorities and/or qualifying for insurance reimbursements.

Being reactive is not enough. A proactive approach to threats is imperative for an organization. The threat hunting teams may find evidence of incursion before a major incident evolves. Did they find IOCs and EOCs (indicators/evidence of compromise) that alerted the DF/IR teams? Digital forensics (DF) gathers data on the attack methods, points of entry, incursion path, and potential exfiltration targets, while incident response (IR) helps to lock down the environment as necessary by disabling accounts restricting network access, shutting down exfiltration paths, removing malware, etc. Different parts of cybersecurity work together to detect, identify, and eradicate attacks.

If you are going to defend against cybersecurity attacks, you needs to know about the tools and techniques available to defend with, as well as what tools and techniques your attackers are using. Knowledge is power!

Blue Team Resources

---

Red Team – Adversarial Simulation

by Ray Van Hoose || @_meta.

The question: How can we know how effective our security will be at detecting and mitigating the impact of a successful hack?

The answer: Red teaming.

Red team operations utilize covert and strategic attack techniques in an attempt to infiltrate systems undetected. While job titles may vary (operator, engineer, security specialist, etc.), the overall objectives remain consistent: to emulate adversarial actions, document response times and effectiveness, and proactively improve detection and response capabilities.

What are the minimum tools one would need to survive as a red teamer?

• a clipboard
• a USB stick
• a convincing story

Considerations and Job Requirements

• Strong communication and social skills
• Technical skills that cover a broad variety of domains
• Spy-gadgets and costumes would (likely) come from your personal budget
• Knowledge and understanding of blue team tactics, techniques, and procedures
• Ability to maintain composure while under pressure and in awkward situations
• Knowledge of the potential legal considerations and complications
• Solid understanding of the business side of the organizations

Finally, you should be aware the while executing some of the exercises, particularly in on-premise engagements, it is not uncommon to be arrested, including a chance at being jailed.

Skills and Techniques to Survive

Communication

The most important skill. You’ll be interacting with law enforcement, physical and cyber security teams, as well as debriefing leadership and working with developers and the blue teams to improve detection and mitigation capabilities.

Documentation

Considering the range of legal complications and varied types of attacks, simply documenting the scope can be daunting. Commonly documented items also include attacks, exploits, the security team’s responses to those attacks, artifacts created, steps to reproduce, and suggesting improvements to policies and processes of the blue teams.

Exploitation

Many red team exercises require you to first exploit (social or technical) their systems. Even if you are given an “assumed breach” option to gain initial access, stealthily gaining more shells often requires additional exploitation.

Tools and techniques for gaining initial access:

• gophish – quickly and easily set up phishing engagements
  • github.com/gophish/gophish
• Use a SSO (Single Sign-On) vendor to provide a clean phishing link!
  • jordanpotti.com/2019/08/26/phishing-with-saml-and-sso-providers/

Post-Exploitation

Exploiting a vulnerability to get you a foothold is only the first step. Ideally, this leads you to additional systems that you are able to stealthily exploit to gain persistence and all of the shells.

Red Team Resources

• Responder – monitor and manipulate response in order to gain control of the network
• Mimikatz – extract passwords, hashes, PIN codes, and Kerberos tickets from memory
• Cobalt Strike – commercial (costly) product providing tool(s) for adversarial emulation

---

Purple Team – With Our Powers Combined…

written by Max Boehner

What It Is

Purple teaming is a collaborative activity performed by blue teamers and red teamers with the goal of improving defenses. In other words: red teamers share or demonstrate tools, tactics, and procedures (TTPs) to train the blue team. This can range from a one-off, “Do you get an alert if I run this attack tool?” to complex, repeatable, and defined processed.

What It Isn’t

Purple teaming is not red teaming, despite the involvement of red teamers. Red teaming tests the blue team’s detection and response by performing simulated attacks without informing the blue team, while trying to remain undetected. During purple teaming, you want the blue teamers to be aware and on the lookout.

Why Do It?

Blue teamers need to understand adversary TTPs to defend against them. Red teamers know these TTPs and can execute them. Purple teaming can be an effective way to bring this together.

Here are some potential use-cases:

• Validating that event logging and forwarding are working as expected
• Discovering detection gaps and developing new detections
• Establishing time-to-response metrics and discrepancies between attack activities and alert notifications

Getting Into Purple Teaming

The bad news first: dedicated purple team positions are rare. Most organizations cannot afford dedicated full-time purple teams.

The good news: If you have experience in blue, red, or ideally both, and have a collaborative mindset, you can still do purple teaming. Folks starting in infosec might want to pick red or blue first, gather experience there, and then get involved in purple later on. A good way to train for purple activities is to set up a testing lab that includes machines to run attacks, with centralized logging configured to analyze the telemetry generated during an attack. Of course, you can also attend training courses that focus on purple teaming.

Purple Team Resources

Read more in our “Infosec for Beginners” blog series:

• How to Get a Job in Cybersecurity
• John Strand’s 5 Phase Plan For Starting in Computer Security
• From High School to Cyber Ninja—For Free (Almost)!
• Blue Team, Red Team, and Purple Team: An Overview
• Pentesting, Threat Hunting, and SOC: An Overview
• What Is Penetration Testing?
• How to Perform and Combat Social Engineering
• The Human Element in Cybersecurity: Understanding Trust and Social Engineering 
• Build a Home Lab: Equipment, Tools, and Tips
• Questions From a Beginner Threat Hunter
• Shenetworks Recommends: 9 Must Watch BHIS YouTube Videos
• Mental Health – An Infosec Challenge