Dear PenTest Readers,
In this issue we would like to take a closer look at the methodology of Purple Teaming. Having Red and Blue teams working separately seems to not be as efficient as it could in some cases, the Purple Teaming approach as a blended cooperation of offensive and defensive seems to be a perfect answer. Our contributors provide you with thorough definitions on how to understand the phenomenon of Purple Teaming properly, as well as interesting articles and case studies on application of this methodology.
The issue starts with an article written by Farzan Karimi that presents a specific aspect of Purple Teaming, “Impact Analysis Operation”, utilised by him and his colleagues at their company - Electronic Arts. Bruno Rodrigues in his article shows you how to set up a proper playground for the Purple Team. Alexandros Pappas provides an overview of how Purple Teaming and Threat Intelligence can benefit the enterprise. Tyler Robinson presents using this methodology as an investment for the company, Siegfried Moyo presents how it impacts the general cybersecurity resilience, and Bruno Schmid clarifies the definitions and indicates the most useful tools for the joint operations of Red and Blue Teams.
As usual, we have a couple of very interesting articles dedicated to other, various techniques and topics from the realm of infosecurity.
Without further ado,
Please check them out by yourselves.
Special thanks to all the contributors, proofreaders, and reviewers who helped in the creation of this issue.
Enjoy the reading!
Table of Contents
Impact Analysis Operations: The Missing Purple Team Component
by Farzan Karimi
There is a traditionally missed opportunity to better emphasize the value of a Purple Team when it comes to a live incident. From personal experience, when an incident starts, the Red Team stops all activities so the Blue Team can conduct their investigation. This makes sure there are no deconfliction issues between Red Team and actual attacker traffic. Rather than stop all Red Team activities during an incident, we propose integrating the Red Team as a core IR contributor. The Red Team can provide a unique service that can help expedite the closure of an ongoing incident. We’ve utilized this service at Electronic Arts with overwhelmingly positive feedback, and now reference it as an “Impact Analysis Operation”.
The Purple Team Playground
by Bruno Rodrigues
Most enterprise environments, due to their complexities, won’t allow Red Teams to actively “hack” into the boxes. This could be because systems are business-critical, and cannot go down because of a security assessment. Even more, when you can perform such attacks, you will be limited to a strict scope. Most of the times Red Teams won’t be engaged, and you’ll still want to to find new vulnerabilities on multiple different systems. That’s where SecGen comes in handy: form a simple VM to more complex scenarios you can deploy in your infrastructure or in any public cloud a couple of machines so your Purple Team can be attacking and defending.
Purple Team Tactics and Threat Intelligence
by Alexandros Pappas
There is increasing recognition that Red Teams and Blue Teams should work together, creating a Purple Team. This Purple Team isn’t necessarily new, but a combination of existing Red and Blue Teams working together to serve an identical goal: improved organizational security posture! It might be regarded as a process (by engaging both Teams), as opposed to a unique entity. The Red Team should be conducting objective assessments mimicking known and quantifiable threats. As part of this process, the threat actor’s TTPs should be known. Based on this modern approach, the Purple Team improves security by removing the “win or lose” mentality between Teams, and enhances cooperation, as transparency benefits everyone.
Purple Teams: A True Return On Investment For Network Security
[FULL ARTICLE AVAILABLE IN THE FREE PREVIEW]
by Tyler Robinson
An ideal Purple Team brings togethers stakeholders in security and information technology to illustrate the challenges on all sides of protecting a complex environment. While black box, Red Team penetration tests still have value depending on strategic objectives, a Purple Team engagement is likely to be more valuable in larger organizations who have more security engineers because they can generally build robust security programs around vulnerability management, identify management, firewall policy, security assessment, governance, and Level 1-4 security operations (even if out-sourced).
SSO Attacks Testing and Mitigation
by Jason Gordon
SSO Pentesting is at its infancy. There are few tools on the market and none are fully automated. Unlike a typical pentest suite, you can’t just point at a server and let the tests run. Expert knowledge of the SSO protocols are typically required for a successful testing. Running tests requires setting up SSO test connections, which requires cooperation from both the Identity Provider and Service Provider organizations.
Understanding Purple Teaming
by Bruno Schmid
Purple Teaming is a more collaborative approach instead of the old-fashioned Red Team vs. Blue Team methodology. It should enhance the relationship between the Red and Blue Teams, improve output from both sides and identify gaps on both sides and maximize their results. And if the Red and Blue Teams work well together, a Purple Team will be redundant.
Purple Teams For Sustainable Cyber Resilience
by Siegfried Moyo
Red and Blue Teams, in most cases, work in silos to meet their goals of either being or an attacker or a defender, respectively. Cyber Resilience forces security teams to think about business processes and criticality, which makes it imperative that silos should not exist. These silos can only be broken by a team that would create an environment that provides a solid complementary and synergistic effect between Red and Blue Teams. The team that breaks the silos is called the Purple Team.
A Practical Approach to OSINT Gathering
by Jerod Brennen
Social engineering is (and will continue to be) an excellent technique to use during your pentests. If social engineering attacks are in-scope, then knowing the names and titles of your targets will help you craft more effective phishing campaigns. If social engineering isn’t in-scope, you can still use this OSINT to collect valid email addresses (for login usernames), to build out possible password lists, and to answer secret questions in password management portals.
Secure Configuration Review of Network Devices
by Dinesh Sharma
In an enterprise network, there are many networking devices such as routers, switches, firewall, repeaters, and endpoints. These devices accomplish different tasks for example; routers are used to connect an intranet to the internet or to connect to another network, which is part of the internet. Switches are used to connect internal host to another. Repeaters, on the other hand, are used to enhance the strength of the signals. This way, they are all connected to establish a complete enterprise network.
by Nithin Chelliya
One of the most common attack vectors when it comes to social engineering attacks is trust. Hackers have always been the types of people who have harnessed any technology out there int he wild in order to gain an edge. Hence, it is not surprising that attackers have managed to find a way to weaponize machine learning to exploit our natural tendency to trust that what we see is real.