ENTERPRISE PURPLE TEAMING: AN EXPLORATORY QUALITATIVE STUDY - Link

ABSTRACT

Data breaches and cybersecurity incidents continue to impact businesses despite the proliferation of cybersecurity solutions and increased cybersecurity spending over the past decade. The continually evolving threat landscape requires proactive cybersecurity strategies to decrease attacker dwell time on organizations’ networks and improve the cybersecurity posture. A strategy gaining popularity is purple teaming, which refers to multiple cybersecurity teams working together to improve an organization’s security posture from a high-level perspective. This study revealed that the high-level enterprise purple teaming definition is cyber threat intelligence-led offensive operations that improve an organization’s security posture, foster collaboration between multiple teams, provide skill building and learning opportunities, and produce detections or additional knowledge about an organization's defensive posture. Many cybersecurity leaders are beginning to implement purple teaming in their security operations centers to prepare their cybersecurity teams, foster collaboration within the organization, test its people, process, and technology (PPT) framework, and progressively track its defenses in attempts to improve its security posture.

🍉DISSERTATION EXTRAS

• Extra Interview📽️
• Purple Team Perspectives with Michael Raggi - Link
• Open Source Contribution🏖️
• Field Classifications Contribution for Attack2Jira by Mauricio Velazco and Olindo Verrillo - Link
• Practitioner Summary🍹
• Enterprise Purple Teaming: An Exploratory Qualitative Study - Pracitioner Summary - Link
• Purple Team Exercise Idea Queue🌴
- Link
• Resource for NIST Cybersecurity Framework💋
• NIST Cybersecurity Framework, MITRE ATT&CK v8.2, & CIS Controls v8 CSV (Mappings Compliments of CIS - Center for Internet Security) - Link
• Spotify Playlist🎶
- Link
• YouTube Purple Team Playlist🍿
- Link

✨PURPLE TEAM FRAMEWORKS

• Atomic Purple Team by Defensive Origins - Link
• TALK: Atomic Purple Team Framework and Life Cycle with Kent Ickler & Jordan Drysdale - Link
• Purple Team Exercise Framework (PTEF) by SCYTHE - Link
• WORKSHOP: Purple Team Exercise Framework (PTEF) Workshop with Jorge Orchilles - Link

🔖PRACTITIONER RESOURCES

• Adversary Emulation Plan Library by SCYTHE - Link
• Adversary Emulation Repo by CyberSecurityUP - Link
• APT & Cybercriminal Campaign Threat Report Collection by CyberMonitor - Link
• ATT&CK Flow by The Center for Threat-Informed Defense - Link
• flow by Verizon DBIR Team (Includes an Attack Flow Schema in JSON and a python class to convert attack flow records between json-schema and json-Id attack flow) - Link
• ATT&CK Procedures by Prelude - Link
• ATT&CK Security Stack Mappings - Azure (AWS in progress) by The Center for Threat-Informed Defense - Link
• ATT&CK Workbench by The Center for Threat-Informed Defense - Link
• BLOG: ATT&CK Workbench: A Tool for Extending ATT&CK by Jon Baker and Isabel Tuson - Link
• DEMO: ATT&CK Workbench - Link
• C2 Matrix by Jorge Orchilles, Bryson Bort & Adam Mashinchi - Link
• Control Validation Compass by @IntelScott - Link
• CTI Resources Repo - Link
• DeTT&CT by Marcus Bakker @bakk3rm and Ruben Bouman @rubinatorz - Link
• MITRE ATT&CK - Link
• MITRE CAR - Cyber Analytics Repository - Link
• MITRE D3FEND - Link
• MITRE ENGENUITY - ATT&CK Evaluations - Link
• MITRE SHIELD - Link
• MITRE ATT&CK Navigator - Link
• NIST 800-53 Mapping to MITRE ATT&CK by The Center for Threat-Informed Defense - Link
• Purple Team Docs by Ben Goerz - Link
• TALK: Purple Team Summit 2020 - The 1-Hour Purple Team Exercise - Ben Goerz - Link
• Purple Teaming on Reddit r/purpleteamsec - Link
• RE&CT - Link
• TWEET: Atomic Threat Coverage @atc_project - Link
• Red Team Resources Repo. Contributors: @bigb0ss, @T145, @threat-punter - Link
• SANS Offensive Operations Poster - Purple Concepts: Bridging the Gap - Link
• Sigma Rules Repository - Link
• SpecterOps Blog - Link
• TIBER-EU Purple Teaming Best Practices - Link
• The DFIR Report - Link
• Threat Thursday Blog by SCYTHE - Link
• YARA Rules Resource - Link

🏋️TRAINING

• Antisyphon InfoSec Training - Some Purple Team related offerings - Cost: "Pay What You Can" 💲 - Link
• Applied Purple Teaming - Infrastructure, Threat Optics, and Continuous Improvement by Defensive Origins - Cost: FREE & 💲 - Link
• TRAINING: Applied Purple Teaming - How to Build a Purple Team Lab with Kent Ickler & Jordan Drysdale by Defensive Origins - Link
• Blue Team Training Toolkit - Cost: FREE & 💲 - Link
• BOSS of the SOC v3 by Splunk - Ryan Kovar, David Herrald, James Brodsky, John Stoner, Jim Apger, David Veuve, Lily Lee, and Matt Valites - Cost: FREE - Link
• DarkSide Ops 1 & 2 Training - Malware Dev & Adversary Simulation by Netspi - Cost: 💲 - Link
• Dark Vortex Training - Cost: 💲 - Link
• Hands-On Purple Team Workshop with Tim Schulz by SCYTHE - Cost: FREE - Link
• MITRE ATT&CK Training on Cybrary - Cost: FREE - Link
• Pink Badge Training Program by Prelude - Cost: FREE - Link
• Purple Academy by Picus Security - Cost: FREE - Link
• Purple Teaming: The Big Picture by Cristian Pascariu on Pluralsight - Cost: 💲 - Link
• Purple Teaming Training by AttackIQ - Cost: FREE - Link
• Red Team Operator Malware Development Courses by Sektor7 Institute- Cost: 💲 - Link
• SEC564: Red Team Exercises and Adversary Emulation by SANS Institute - Cost: 💲 - Link
• SEC599: Defeating Advanced Adversaries - Purple Team Tactics & Kill Chain Defenses by SANS Institute - Cost: 💲 - Link
• SEC699: Purple Team Tactics - Adversary Emulaiton for Breach Prevention & Detection by SANS Institute - Cost: 💲 - Link
• SpecterOps Training - Cost: 💲 - Link
• Weaponising C# - Fundamentals Training by Faith Ozavci @fozavci - Cost: FREE - Link
• Zero Point Security Training - Cost: 💲 - Link

🛠️PURPLE TEAM FREE-ISH TOOLS

• Applied Purple Teaming Threat Optics Lab - Azure TerraForm by Defensive Origins - Link
• APT-Hunter by Ahmed Khlief - Link
• APTSimulator by Nextron Systems GmbH - Link
• Atomic Operator by Josh Rickard @MSAdministrator of Swimlane - Link
• Atomic Red Team by Red Canary - Link
• Atomic Red Team wrapper script by Phage-nz - Link
• ATTACKIFY - Link
• Stratus Red Team by Datadog - Link
• ATTACK Datamap by Olaf Hartong - GitHub Link & Article Link
• Attack Range by Splunk - Link
• TALK: Purple Team Summit 2020 - Adversarial Emulation using Splunk Attack Range Local by Rod Soto and d1vious (Jose Hernandez) - Link
• Attack Simulator - Office 365 by Microsoft - Link
• Attack Surface Analyzer by Microsoft - Link
• Attack2Jira by Mauricio Velazco and Olindo Verrillo - Link
• AutoTTP by Jym Cheong - Link
• BeaconHunter by Andrew Oliveau @AndrewOliveau - Link
• BlueCloud by iknowjason - Link
• Caldera by MITRE - Link
• Detection Lab by Chris Long - Link
• DumpsterFire by TryCatchHCF - Link
• Empire by BC Security - Link
• BLOG: Overview of Empire 4.0 and C# by BC Security - Link
• Emulate.GO by Haydn Johnson - Link
• TALK: DEF CON Red Team Village - Indicators of Emulation: Extra Spicy Adversary Emulation - Ch33r10 (Xena Olsen) and haydnjohnson (Haydn Johnson) - Link
• ezEmu by Jamie Williams - Link
• Infection Monkey by Guardicore - Link
• Invoke-Adversary by CyberMonitor - Link
• Kali-Purple - Community Project - Link
• MAL-CL by 3CORESec, Nasreddine Bencherchali @nas_bench and Tiago Faria @0xtf - Malicious Command-Line collection - Link
• Meerkat by Tony Phipps - Link
• Metasploit by Rapid7 - Link
• Metta Adversarial Simulation by Uber - Link
• Operator by Prelude - Link
• BLOG: Purple is the New Red by David Hunt - Link
• PlumHound - BloodHoundAD Report Engine for Blue and Purple Teams - Link
• Pneuma by Prelude - A cross-platform GoLang agent that connects to Operator and executes attacks - Link
• Purple AD - Active Directory Purple Team Playbook by Mauricio Velazco - Link
• Purple Power by Jean-Francois Maes - An experimental defense evasion tool - Link
• Venkman by Randy Pargman - An experimental .Net Windows application that helps defenders detect when an attacker might be muting or blocking event logs on an endpoint - Link
• TALK: Texas Cyber Summit 2021 - Busting the Ghost in the Logs by Randy Pargman and Jean-Francois Maes - Link
• Purple Sharp by Mauricio Velazco - Link
• BLOG: Sharpen Your Simulation Game by Mauricio Velazco - Link
• TALK: BlackHat USA Arsenal 2020 - PurpleSharp: Adversary Simulation for the Blue Team by Mauricio Velazco - Link
• TALK: DEF CON Blue Team Village - Purple On My Mind with Olaf Hartong & Mauricio Velazco - Link
• Purple Team ATT&CK Automation by Praetorian - Link
• DEMO: Getting Started with Purple Team ATT&CK Automation - Link
• pyattack by Josh Rickard @MSAdministrator of Swimlane - Link
• Racketeer Project - Ransomware Simulation Toolkit by dsnezhkov & gitter-badger - Link
• Red Team Attack Lab by Marshall-Hallenbeck - Link
• Red Team Automation (RTA) by Olaf Hartong and Nihlander - Link
• RE:TERNAL by d3vzer0 (Joey Dreijer), Olaf Hartong, and Yaleesa - Link
• Slingshot C2 Matrix Edition VM with C2s Pre-Installed + VECTR by SANS Institute - Link
• DEMO: C2 Matrix VM Walkthru with Jorge Orchilles - Link
• Unfetter by NSA - Link
• VECTR by Security Risk Advisors - Link
• TALK: Red Team Exercise Closure and Showing Value with VECTR with Jorge Orchilles - Link
• TALK RESOURCES: Adversarial Threat Modeling - A Practical Approach to Purple Teaming in the Enterprise by Sajid Nawaz Khan @snkhan - Link

🍭PURPLE TEAM COMMERCIAL TOOLS

• ATTACKIFY - Link
• ATTACKIQ - Link
• BlindSpot - Link
• Cymulate - Link
• Pentera - Link
• PlexTrac - Link
• RELIAQUEST - Link
• SafeBreach - Link
• SCYTHE - Link
• SNAPATTACK - Link
• Verodin by Mandiant - Link
• XM CYBER - Link

💎THANK YOU

A HUGE THANK YOU to the participants that made this research possible! Special thanks to Dr. Donna Schaeffer, Dr. Andrew Hall, Dr. Alex Mbaziira, Dr. Chelsea Hicks, and Dr. Sean Zadig. Also, THANK YOU to Bassem Helmy, Ben Goerz, Bryson Bort, D. Muran-de Assereto, Joe Schottman, Jorge Orchilles, Michael Kearn, Michael A. Raggi, Micah Brown, Nikolas Loukas, and Stephen Deutsch.
Credit belongs to the original authors and publishers.

FOR THE LAWYERS

_{"The opinions expressed in this Github repo are those of the individual account, in their individual capacity, and not necessarily those of the employers. Mention of any vendors, services, products, or otherwise does not endorse them as a vendor. This content and any related discussions are solely the views, opinions, and experiences of the participants and should not be presumed to reflect the opinion or the official position of any employers of the participants. Examples and views provided herein, including strategies, goals, targets, and indicators are for illustrative purposes only and should not be regarded as representative of the participants' employers or respective portfolios. To the extent that this participation, discussion, and interview outlines a general technology direction, the participants' employers have no obligation to pursue any such approach or to develop or use any functionality mentioned herein. Any suggested technology strategy or possible future developments are subject to change at the employers' sole discretion without notice. Content in this presentation is the intellectual property of the applicable creators and may be protected under the copyright laws of the United States and/or other countries. All trademarks are the property of their respective owners and are used for informational purposes only."}