WEBVTT 1 00:00:00.040 --> 00:00:02.200 Okay, so picture this. You're looking at a book cover 2 00:00:03.160 --> 00:00:07.679 and it's got this incredible, uh, really vivid illustration on it. 3 00:00:08.400 --> 00:00:10.519 On one side, you've got a knight in full red 4 00:00:10.640 --> 00:00:13.839 armor wielding a massive sword that is literally on fire. 5 00:00:14.119 --> 00:00:15.960 Yeah, it is a very cool cut, it really is. 6 00:00:16.120 --> 00:00:17.960 And on the other side there's a knight in blue 7 00:00:18.039 --> 00:00:21.800 armor holding a sword made of solid, jagged ice. They 8 00:00:21.800 --> 00:00:25.960 are locked in combat. Sparks flying fire versus ice. It's 9 00:00:26.000 --> 00:00:27.719 like the ultimate battle scene. 10 00:00:27.800 --> 00:00:30.760 It's a striking image for sure, and honestly, for anyone 11 00:00:30.800 --> 00:00:34.000 working in cybersecurity or even just you know, watching movies 12 00:00:34.000 --> 00:00:36.280 about hackers, that image that red versus blue is the 13 00:00:36.320 --> 00:00:38.719 traditional view of how the world works. Right. You have 14 00:00:39.039 --> 00:00:40.719 the red team, the attackers, trying to break in, and 15 00:00:40.719 --> 00:00:42.399 the blue team, the defenders, trying to stop them. 16 00:00:42.479 --> 00:00:45.320 Exactly. It's the classic wargame scenario, right. 17 00:00:45.240 --> 00:00:48.560 Good versus evil, attack versus defense. But today we are 18 00:00:48.560 --> 00:00:51.280 doing a deep dive into a source that asks a 19 00:00:51.320 --> 00:00:55.039 pretty radical question. What happens if those two knights stop 20 00:00:55.079 --> 00:00:57.280 trying to kill each other? What if instead of swinging 21 00:00:57.280 --> 00:00:59.759 those swords, they actually sat down, took off their helmets 22 00:00:59.759 --> 00:01:02.399 and started comparing notes in real time. That is the 23 00:01:02.439 --> 00:01:07.200 core premise of practical purple teaming by Alfie Champion. It 24 00:01:07.359 --> 00:01:10.920 sounds simple, almost counterintuitive, but the answer to your question 25 00:01:11.680 --> 00:01:13.760 is that you get something much more dangerous to the 26 00:01:13.799 --> 00:01:16.359 actual bad guys. Okay, you get resilience. 27 00:01:16.560 --> 00:01:19.280 I love that. So today we are unpacking purple teaming. 28 00:01:20.319 --> 00:01:22.239 And just to be clear right off the bat, because 29 00:01:22.239 --> 00:01:24.480 I know we have listeners from all over the industry, 30 00:01:24.879 --> 00:01:27.359 this isn't about hiring a new purple team to sit 31 00:01:27.400 --> 00:01:29.640 between the red and blue ones, right right, Like we 32 00:01:29.680 --> 00:01:31.560 aren't telling companies to go out and build a whole 33 00:01:31.640 --> 00:01:32.159 new department. 34 00:01:32.239 --> 00:01:35.200 Yeah, absolutely not. And the source is very emphatic about this. 35 00:01:35.640 --> 00:01:40.040 Purple teaming is a methodology. It's not a separate team, 36 00:01:40.319 --> 00:01:43.599 got it. It's a functional shift where the offensive side, 37 00:01:43.640 --> 00:01:45.680 the ethical hackers, and the defensive side of the security 38 00:01:45.719 --> 00:01:49.599 operation center, they collaborate openly. Okay, so the goal shifts 39 00:01:49.599 --> 00:01:53.439 from beating the defender to collaborating with the defender to 40 00:01:53.480 --> 00:01:55.000 maximize cyber resilience. 41 00:01:55.319 --> 00:01:57.239 It sounds so logical, but you know, as we went 42 00:01:57.239 --> 00:01:59.560 through champions Book, it became clear that this is actually 43 00:01:59.560 --> 00:02:01.799 a mass of shift in mindset. It really goes against 44 00:02:01.840 --> 00:02:04.239 the grain of how this industry has operated for decades 45 00:02:04.519 --> 00:02:07.560 oh completely. So to really get why this matters, I 46 00:02:07.560 --> 00:02:09.520 think we have to look at the old way. When 47 00:02:09.560 --> 00:02:12.960 we talk about traditional red teaming. What does that dynamic 48 00:02:13.080 --> 00:02:13.800 usually look like? 49 00:02:14.319 --> 00:02:17.240 What traditional red teaming is designed to be a realistic 50 00:02:17.280 --> 00:02:21.000 simulation of an adversary. The red team acts like the enemy. 51 00:02:21.080 --> 00:02:23.759 They hide their tracks, they operate in secret, and they 52 00:02:23.759 --> 00:02:26.560 try to break in without being caught. And crucially, the 53 00:02:26.599 --> 00:02:29.199 blue team often doesn't even know the test is happening. 54 00:02:29.960 --> 00:02:32.680 So it's a surprise attack like a stress test precisely. 55 00:02:32.919 --> 00:02:36.280 And while that has value, I mean you need to 56 00:02:36.280 --> 00:02:38.759 know if you can be surprised, it often creates a 57 00:02:38.840 --> 00:02:42.879 zero sum game. Yeah, think of the psychology there. If 58 00:02:42.960 --> 00:02:45.439 the red team wins, if they break in and steal 59 00:02:45.439 --> 00:02:49.520 the CEO's password or encrypt the database, the blue team 60 00:02:49.560 --> 00:02:52.879 feels like they failed. It could be incredibly demoralizing. It 61 00:02:52.879 --> 00:02:56.319 creates this ego friction where Red thinks they are geniuses 62 00:02:56.599 --> 00:02:58.560 and Blue feels incompetent. 63 00:02:58.960 --> 00:03:01.840 Right, nobody likes being tricked, especially when it's literally your 64 00:03:01.919 --> 00:03:05.240 job to stop the trick. But beyond the feelings, the 65 00:03:05.280 --> 00:03:08.759 source highlights a major operational inefficiency here, which is the 66 00:03:08.800 --> 00:03:09.599 feedback loop. 67 00:03:09.840 --> 00:03:12.919 Right. This is the critical flaw in the traditional model. 68 00:03:13.439 --> 00:03:15.520 If I'm on the red team and I hack you 69 00:03:15.599 --> 00:03:18.599 on Monday, I usually don't tell you about it immediately. 70 00:03:18.680 --> 00:03:21.439 Oh wow, I finished my operation. I read a report. 71 00:03:22.199 --> 00:03:24.280 You might not find out about the hack until I 72 00:03:24.280 --> 00:03:26.039 present that PDF three weeks. 73 00:03:25.840 --> 00:03:28.639 Later, which is just a massive document sitting on a 74 00:03:28.639 --> 00:03:29.879 desk that nobody wants to. 75 00:03:29.840 --> 00:03:33.520 Read exactly, and by then the digital evidence might be gone, 76 00:03:34.080 --> 00:03:38.680 the logs rotated out. The context is lost. In purple teaming, 77 00:03:38.800 --> 00:03:42.919 transparency is the weapon. Okay, the offensive team shares their plan. 78 00:03:43.360 --> 00:03:46.479 They say, I'm going to run this specific attack at 79 00:03:46.479 --> 00:03:49.680 this specific time, using this specific technique. 80 00:03:50.000 --> 00:03:52.639 I have to play Devil's advocate here. Though, that seems 81 00:03:52.639 --> 00:03:54.199 like cheating, doesn't it. If I tell you I'm going 82 00:03:54.240 --> 00:03:56.599 to punch you, it's easier to block. Are we actually 83 00:03:56.639 --> 00:03:58.479 testing anything? If we give the answers away? 84 00:03:58.680 --> 00:04:00.800 It feels like cheating if your goal is just to 85 00:04:00.840 --> 00:04:04.039 win the exercise. Oh but if your goal is to learn, 86 00:04:04.360 --> 00:04:07.240 it's a shortcut. This leads to the aha moment of 87 00:04:07.599 --> 00:04:11.159 purple teaming, shortening the feedback loop instead of waiting weeks 88 00:04:11.400 --> 00:04:14.960 for a report. The defender watches the attack happen in 89 00:04:15.039 --> 00:04:18.319 real time. If they miss it, they can say, hey, 90 00:04:19.480 --> 00:04:21.199 I didn't see that alert. Can you run it again? 91 00:04:21.360 --> 00:04:24.439 Run it again? That really is the magic phrase, isn't it? 92 00:04:24.439 --> 00:04:26.079 It changes everything it is. 93 00:04:26.759 --> 00:04:29.560 You can tweak your defenses on the fly, maybe ad 94 00:04:29.600 --> 00:04:32.040 just a firewall rule, or change a detection logic and 95 00:04:32.079 --> 00:04:36.079 retest immediately. Wow. That is exponentially faster than waiting for 96 00:04:36.079 --> 00:04:39.000 a yearly audit. You are fixing the hole while the 97 00:04:39.040 --> 00:04:40.879 person who found it is standing right there. 98 00:04:41.040 --> 00:04:43.879 It's the difference between taking a final exam and having 99 00:04:43.959 --> 00:04:46.480 a tutor sitting next to you explaining the answers as 100 00:04:46.519 --> 00:04:46.759 you go. 101 00:04:47.040 --> 00:04:47.800 Great analogy. 102 00:04:47.920 --> 00:04:50.480 Yeah, Now, before we get into the how I want 103 00:04:50.519 --> 00:04:52.720 to distinguish this from other terms or listeners might know. 104 00:04:53.319 --> 00:04:57.839 We hear about vulnerability assessments and penetration tests constantly. Where 105 00:04:57.839 --> 00:05:00.439 does purple teaming fit in that line? Dscape? 106 00:05:00.560 --> 00:05:03.319 Good question, that's important to draw the lines. Think of 107 00:05:03.360 --> 00:05:05.800 a vulnerability assessment like walking around a building checking for 108 00:05:05.879 --> 00:05:10.279 unlocked doors. It's usually automated scanning for unpatched software. It's 109 00:05:10.360 --> 00:05:13.879 broad covering everything, but it's very shallow. It just tells 110 00:05:13.920 --> 00:05:16.720 you the door is unlocked, not what is inside, got it? 111 00:05:16.759 --> 00:05:17.839 And a penetration test. 112 00:05:18.040 --> 00:05:20.639 A pin test is usually focused on finding flaws and 113 00:05:20.720 --> 00:05:23.079 one specific thing, like a new web app or a 114 00:05:23.120 --> 00:05:27.000 specific server. It's deeper, but it's still often about can 115 00:05:27.040 --> 00:05:30.240 we get in. It stops once they prove they can 116 00:05:30.240 --> 00:05:31.079 break the lock. 117 00:05:31.040 --> 00:05:33.680 And the source mentions assumed breach testing. 118 00:05:34.600 --> 00:05:38.480 That sounds ominous, Yes, assumed breach is where you skip 119 00:05:38.519 --> 00:05:41.160 the hard part of getting in. You assume someone clicked 120 00:05:41.279 --> 00:05:43.959 a phishing email or a laptop was stolen. You start 121 00:05:44.000 --> 00:05:47.160 the test from the inside. That is often where purple 122 00:05:47.160 --> 00:05:50.480 teaming shines because you can focus entirely on detecting movement 123 00:05:50.519 --> 00:05:53.560 inside the network, which is where the real damage happens. 124 00:05:53.279 --> 00:05:55.879 Because realistically, eventually someone is going to click the line. 125 00:05:55.920 --> 00:05:59.199 Someone always clicks the line, So purple teaming asks, once 126 00:05:59.240 --> 00:06:01.439 they are inside, can we catch them before they steal 127 00:06:01.439 --> 00:06:02.199 the crown jewels? 128 00:06:02.399 --> 00:06:06.360 Right? So we know how they work together conceptually, but practically, 129 00:06:06.399 --> 00:06:08.920 if you put a hacker and a corporate security officer 130 00:06:08.959 --> 00:06:12.560 in a room, they might be speaking different dialects entirely. 131 00:06:12.879 --> 00:06:13.759 Oh absolutely. 132 00:06:13.800 --> 00:06:17.040 The hacker is talking about exploits and shell code, the 133 00:06:17.079 --> 00:06:20.639 defenders talking about compliance and tickets. The source material spends 134 00:06:20.639 --> 00:06:22.639 a lot of time on frameworks to bridge this. 135 00:06:22.639 --> 00:06:26.360 Gap it does without a common language, this collaboration falls 136 00:06:26.360 --> 00:06:30.000 apart and the absolute standard, the Rosetta stone for this 137 00:06:30.600 --> 00:06:33.040 is itri Att and. 138 00:06:33.079 --> 00:06:35.319 Ck Periodic Table for hackers. 139 00:06:35.399 --> 00:06:39.360 It really is itr Att and Ck catalogs known adversary 140 00:06:39.399 --> 00:06:42.800 behaviors based on real world observations gives us a matrix 141 00:06:43.279 --> 00:06:46.000 across the top. You have tactics. These are the adversaries 142 00:06:46.040 --> 00:06:46.879 high level goals. 143 00:06:47.000 --> 00:06:48.959 So the tactic is the what are they try and do, 144 00:06:49.000 --> 00:06:50.399 like I want to skal data or I want to 145 00:06:50.439 --> 00:06:51.279 shut down the system. 146 00:06:51.399 --> 00:06:55.839 Correct tactic equals goal things like initial access, execution or exfiltration. 147 00:06:56.399 --> 00:06:59.800 And underneath each tactic are the techniques the how okay, 148 00:07:00.079 --> 00:07:03.079 the goal is initial access, the technique might be phishing 149 00:07:03.199 --> 00:07:04.959 or exploiting a public facing application. 150 00:07:05.040 --> 00:07:07.000 And then it drills down even further right. 151 00:07:06.920 --> 00:07:09.959 Yes, down to procedures, which are the specific tools or 152 00:07:09.959 --> 00:07:14.480 steps used. So we have PTPs, tactics, techniques and procedures. 153 00:07:14.639 --> 00:07:18.959 Why is the structure so vital for purple teaming, specifically. 154 00:07:18.439 --> 00:07:22.199 Because it removes ambiguity instead of the red team saying 155 00:07:22.240 --> 00:07:25.040 we did some hacking stuff and got your passwords. They 156 00:07:25.040 --> 00:07:28.319 can say we executed technique T one O five nine 157 00:07:28.360 --> 00:07:31.160 command and scripting interpreter using PowerShell. 158 00:07:31.360 --> 00:07:32.759 That's way more specific. 159 00:07:32.959 --> 00:07:36.120 Exactly. The Blue team can then look up T one 160 00:07:36.160 --> 00:07:38.879 O five to nine in their own database. It aligns 161 00:07:38.879 --> 00:07:41.319 the attack with the defense. It turns magic into a 162 00:07:41.360 --> 00:07:42.519 catalog number. 163 00:07:42.480 --> 00:07:45.000 And connected to This is my absolute favorite concept from 164 00:07:45.040 --> 00:07:47.160 the book. It's a visual that explains why we do 165 00:07:47.199 --> 00:07:49.160 all this work. The Pyramid of pain. 166 00:07:49.319 --> 00:07:51.319 It sounds like a wrestling move, it really does. 167 00:07:51.399 --> 00:07:54.240 Welcome to the Pyramid of Pain, but it's actually about 168 00:07:54.240 --> 00:07:55.839 how much you can annoy a hacker. 169 00:07:56.439 --> 00:07:59.079 Right. It represents the difficulty we inflict on an attacker 170 00:07:59.120 --> 00:08:02.600 when we block them. Visualize a pyramid. At the wide bottom. 171 00:08:02.639 --> 00:08:04.959 You have things that are trivial for an attacker to change, 172 00:08:05.240 --> 00:08:07.560 things like hash values and IP addresses. 173 00:08:07.759 --> 00:08:09.639 Right, So if I block an attacker's IQ address, I 174 00:08:09.720 --> 00:08:12.240 might feel good about myself. I stop them, But what 175 00:08:12.279 --> 00:08:13.600 does that actually do to them? 176 00:08:13.920 --> 00:08:17.319 To them, almost nothing. They just route their traffic through 177 00:08:17.360 --> 00:08:20.639 a different server, takes them seconds. It causes them zero pain. 178 00:08:21.279 --> 00:08:22.560 It's like change in a burner phone. 179 00:08:22.600 --> 00:08:24.759 So we're basically playing whack a mole at the bottom of. 180 00:08:24.759 --> 00:08:28.000 The pyramid, exactly moving up the pyramid, you have domain names, 181 00:08:28.000 --> 00:08:31.680 then network and host artifacts, things like specific file names 182 00:08:31.800 --> 00:08:35.759 or user agent strings. These are a bit harder to change, 183 00:08:35.759 --> 00:08:38.120 but still manageable for a sophisticated attacker. 184 00:08:38.240 --> 00:08:40.080 But then we get to the top, the point to 185 00:08:40.320 --> 00:08:41.919 end the pain zone. 186 00:08:42.080 --> 00:08:45.720 Tools and TTPs. If you can detect and block the 187 00:08:45.759 --> 00:08:48.480 tools they use, they have to go find or build 188 00:08:48.519 --> 00:08:52.519 new software. That is expensive, that takes time. But if 189 00:08:52.559 --> 00:08:55.919 you can detect the TTP, the behavior itself, that is 190 00:08:55.919 --> 00:08:56.440 the pinnacle. 191 00:08:56.639 --> 00:08:58.759 Can you give me an example of a TTP versus 192 00:08:58.799 --> 00:09:00.480 a tool, because I want to make sure I really 193 00:09:00.480 --> 00:09:00.799 get this. 194 00:09:00.879 --> 00:09:04.279 Okay, Let's say the TTP is credential dumping. The attacker 195 00:09:04.320 --> 00:09:07.320 wants to steal login information from the computer's memory. There 196 00:09:07.360 --> 00:09:09.799 are fifty different tools to do this. Mimicats is a 197 00:09:09.799 --> 00:09:13.759 famous one. If you block mimicats, the tool the attacker 198 00:09:13.840 --> 00:09:16.159 just uses a different script. But if you detect the 199 00:09:16.200 --> 00:09:19.200 behavior of a program trying to touch the memory of 200 00:09:19.240 --> 00:09:20.919 the security subsystem. 201 00:09:20.480 --> 00:09:22.559 Then it doesn't matter what tool they use exactly. 202 00:09:22.639 --> 00:09:25.679 You've blocked the technique. To get around that, the attacker 203 00:09:25.879 --> 00:09:28.480 has to invent a completely new way of stealing credentials. 204 00:09:29.080 --> 00:09:33.440 You're forcing them to relearn their tradecraft. You're making their 205 00:09:33.559 --> 00:09:35.240 job incredibly. 206 00:09:34.639 --> 00:09:37.519 Difficult, and that is the goal of purple teaming. We 207 00:09:37.559 --> 00:09:39.399 want to live at the top of the pyramid of pain. 208 00:09:39.519 --> 00:09:41.279 We want to make their lives miserable. 209 00:09:41.360 --> 00:09:43.519 We do. We want to make the cost of hacking 210 00:09:43.639 --> 00:09:46.559 us higher than the value of what they're trying to steal. 211 00:09:46.799 --> 00:09:50.960 So we have the language mitre and the goal the pyramid. 212 00:09:51.440 --> 00:09:54.960 Now let's get into mechanics. The source outlines two main 213 00:09:55.000 --> 00:10:00.200 methodologies for actually running these exercises, scenario based and atomic on. 214 00:10:00.320 --> 00:10:03.360 Very different they are, and they serve different purposes. Think 215 00:10:03.399 --> 00:10:05.919 of scenario based purple teaming like a movie plot. It 216 00:10:05.960 --> 00:10:08.519 follows a narrative arc. We call this an activity thread. 217 00:10:08.639 --> 00:10:11.159 Okay, set the scene for me. What is the plot? 218 00:10:11.480 --> 00:10:16.000 Action? A user clicks a phishing email in hr malware executes, 219 00:10:16.279 --> 00:10:19.320 the attacker performs reconnaissance to see where they are. Then 220 00:10:19.360 --> 00:10:22.759 they move latterly to a finance server. Finally they exfiltrate 221 00:10:22.919 --> 00:10:26.039 sensitive data. It connects the dots across the entire kill 222 00:10:26.120 --> 00:10:27.080 chain from start to finish. 223 00:10:27.120 --> 00:10:28.279 Show It test the whole story. 224 00:10:28.360 --> 00:10:31.039 It tests the people and the processes. This is crucial. 225 00:10:32.039 --> 00:10:36.120 Can the security operation center handle the volume of alerts? 226 00:10:37.120 --> 00:10:39.840 Do they panic when they see the attacker moving laterally? 227 00:10:40.200 --> 00:10:42.639 Do they know who to call? Do they escalate to 228 00:10:42.679 --> 00:10:43.440 the right manager. 229 00:10:43.519 --> 00:10:46.279 It's a fire drill, it is, but as. 230 00:10:46.200 --> 00:10:48.159 You can imagine, it's pretty heavy to set up. You 231 00:10:48.200 --> 00:10:51.159 need a script. You need the red team acting continuously, 232 00:10:51.200 --> 00:10:53.600 you need the Blue team monitoring. It's a production. It 233 00:10:53.600 --> 00:10:56.320 takes time and resources. You can't do that every day. 234 00:10:56.480 --> 00:10:59.000 Which brings us to the second method, which seems much 235 00:10:59.039 --> 00:11:01.639 more agile, Atomic purple teaming. 236 00:11:01.919 --> 00:11:05.600 Atomic is like the science lab. You isolate one specific variable. 237 00:11:05.960 --> 00:11:09.039 Champion calls this de chaining. You take a single link 238 00:11:09.080 --> 00:11:11.399 out of that kill chain, sage just credential dumping, and 239 00:11:11.440 --> 00:11:12.879 you test it in a vacuum. 240 00:11:12.919 --> 00:11:15.440 So no story mode, just the mechanics. 241 00:11:15.799 --> 00:11:18.039 Right. You run the attack, see if you catch it, 242 00:11:18.039 --> 00:11:19.360 fix the rule, and run it again. 243 00:11:19.399 --> 00:11:22.679 This seems perfect for what the book calls performance benchmarking. 244 00:11:22.799 --> 00:11:26.639 Yes, it's fast, repeatable, and very easy to automate. You 245 00:11:26.639 --> 00:11:29.519 can run an atomic test for process injection every Tuesday 246 00:11:29.559 --> 00:11:31.799 morning if you want, just to make sure your sensors 247 00:11:31.799 --> 00:11:32.519 are still working. 248 00:11:32.639 --> 00:11:34.960 Wow, Every Tuesday Yeah. 249 00:11:34.759 --> 00:11:37.159 It answers the question did we get better at spotting 250 00:11:37.200 --> 00:11:40.159 this specific bad thing since last month? 251 00:11:40.360 --> 00:11:42.679 Let's make this real for the listener. The book has 252 00:11:42.679 --> 00:11:46.480 this great example about a very specific problem finding out 253 00:11:46.519 --> 00:11:48.240 who the administrators. 254 00:11:47.519 --> 00:11:49.080 Are the discovery tactic. 255 00:11:49.240 --> 00:11:52.720 Right, So I'm an attacker, I have landed inside the network. 256 00:11:52.919 --> 00:11:55.240 I want to know who holds the keys to the kingdom. 257 00:11:55.600 --> 00:11:57.639 I want to find the domain admin's groups so I 258 00:11:57.679 --> 00:12:00.519 can target them. How many ways can I ask that question? 259 00:12:00.759 --> 00:12:03.879 This is where the atomic methodology really shines because it 260 00:12:03.919 --> 00:12:08.000 exposes the gaps. The book lays out a test suite. First, 261 00:12:08.120 --> 00:12:11.039 there's the classic way. You're on a Windows machine. You 262 00:12:11.080 --> 00:12:14.440 open the command prompt and you type net group, domain admins. 263 00:12:14.600 --> 00:12:16.200 Simple, old school. 264 00:12:16.200 --> 00:12:18.879 Very old school. Most security tools will catch that instantly. 265 00:12:18.919 --> 00:12:21.919 It's loud and obvious. But then method two you use 266 00:12:21.960 --> 00:12:25.480 a PowerShell script to query active directory, same question, different languages, okay. 267 00:12:25.840 --> 00:12:30.039 Method three use a specific hacker tool, something like adfind. 268 00:12:30.840 --> 00:12:33.799 This is tricky because adfind is a legitimate tool often 269 00:12:33.960 --> 00:12:37.879 used by sitzidmins to manage the network, but it's beloved 270 00:12:37.919 --> 00:12:39.879 it by attackers because it blends. 271 00:12:39.519 --> 00:12:41.279 In so it looks like normal traffic. 272 00:12:42.000 --> 00:12:45.480 And method four self using living off land binaries or 273 00:12:45.480 --> 00:12:48.320 executing code directly in memory, so nothing touches the hard drive. 274 00:12:48.440 --> 00:12:50.600 So here is the million dollar question. If I am 275 00:12:50.639 --> 00:12:52.960 the blue team and I write a detection role that 276 00:12:53.000 --> 00:12:56.039 says alert me, if anyone types net group domain admins, 277 00:12:56.080 --> 00:12:56.840 am I safe? 278 00:12:56.919 --> 00:12:59.600 You are saved from the lazy attacker who uses method one. 279 00:13:00.159 --> 00:13:04.799 You're completely blind to methods two, three, and four. And 280 00:13:05.360 --> 00:13:09.039 that is a terrifying realization for many organizations. They think 281 00:13:09.080 --> 00:13:11.360 they are covered because they've blocked the first thing they 282 00:13:11.399 --> 00:13:11.679 thought of. 283 00:13:12.080 --> 00:13:14.720 And this leads to a concept. The expert in the 284 00:13:14.759 --> 00:13:19.279 book and really the industry emphasizes capability abstraction. This is 285 00:13:19.320 --> 00:13:21.360 a bit technical, but I think it's the most important 286 00:13:21.399 --> 00:13:23.519 takeaway of the deep dive. Can you break that down? 287 00:13:23.759 --> 00:13:28.120 Yes, capability abstraction is the antidote to the whack a 288 00:13:28.159 --> 00:13:32.240 mole problem. We just listed four different ways to find 289 00:13:32.279 --> 00:13:36.480 the admin's net dot ex, a PowerShell adfind in memory execution. 290 00:13:37.639 --> 00:13:40.399 To a human, these look like four different tools, right. 291 00:13:40.480 --> 00:13:42.279 One is a command, one is a script, one is 292 00:13:42.279 --> 00:13:42.879 a program. 293 00:13:42.919 --> 00:13:45.440 But to the computer, to the network controller, they are 294 00:13:45.440 --> 00:13:48.639 all doing the same underlying thing. They're asking the domain 295 00:13:48.639 --> 00:13:51.559 controller for a list of users. They're likely using the 296 00:13:51.600 --> 00:13:54.559 same protocol like ld app or a sam. 297 00:13:54.320 --> 00:13:57.360 So capability abstraction means looking at what is happening under 298 00:13:57.360 --> 00:13:59.559 the hood, not just the shiny paint. 299 00:13:59.240 --> 00:14:02.799 On top exactly. If you can detect the ld app 300 00:14:02.919 --> 00:14:06.159 query that requests the domain admin list, you catch all 301 00:14:06.159 --> 00:14:07.519 four methods with one rule. 302 00:14:07.919 --> 00:14:10.480 Wait, really, one rule catches all of them, yes. 303 00:14:10.639 --> 00:14:12.559 Because they all have to ask the question. If you 304 00:14:12.600 --> 00:14:15.159 detect the question being asked, you don't care if they 305 00:14:15.240 --> 00:14:18.200 use a megaphone, a whipper, or a handwritten note. You 306 00:14:18.360 --> 00:14:21.559 caught the intent. That is the power of purple teaming. 307 00:14:21.919 --> 00:14:24.759 It stops you from chasing tools and helps you detect 308 00:14:24.799 --> 00:14:25.919 the underlying behavior. 309 00:14:26.080 --> 00:14:28.840 That is a light bulb moment. Stop chasing a tool, 310 00:14:28.919 --> 00:14:31.720 chase the behavior. It seems so obvious once you say it, 311 00:14:31.799 --> 00:14:36.600 but getting there requires that deep technical collaboration precisely. 312 00:14:36.519 --> 00:14:38.799 And you only get there if the red team, who 313 00:14:38.840 --> 00:14:41.679 knows the tools talks to the blue team, who knows 314 00:14:41.720 --> 00:14:42.279 the logs. 315 00:14:42.639 --> 00:14:45.240 Okay, so we are running these tests, we're firing off 316 00:14:45.360 --> 00:14:49.120 LDPP queries, we're checking logs, but we have to talk 317 00:14:49.159 --> 00:14:52.120 about the humans in the room, the logistics and human 318 00:14:52.159 --> 00:14:55.360 element section of the source material was surprisingly focused on 319 00:14:55.440 --> 00:14:56.360 just sitting together. 320 00:14:56.480 --> 00:14:59.679 Communication is critical. If you are doing your Purple Team 321 00:14:59.679 --> 00:15:03.519 extra you shouldn't be emailing each other. You should be 322 00:15:03.519 --> 00:15:05.600 in the same room or at least on a dedicated 323 00:15:05.679 --> 00:15:06.799 video call or slack channel. 324 00:15:06.840 --> 00:15:08.279 Shoulder surfing is the term they used. 325 00:15:08.399 --> 00:15:12.200 Yes, it's literal. The Blue team members should literally be 326 00:15:12.279 --> 00:15:14.399 looking over the shoulder of the Red team member as 327 00:15:14.399 --> 00:15:18.080 they type the command A enter now, and then the 328 00:15:18.120 --> 00:15:20.000 Red team members should walk over and look at the 329 00:15:20.000 --> 00:15:22.600 Blue team's screen to see what the logs look like. 330 00:15:22.799 --> 00:15:25.919 That transparency level is interesting. Do you tell the Blue 331 00:15:25.919 --> 00:15:28.440 team exactly what is coming, like, Hey, I'm about to 332 00:15:28.480 --> 00:15:31.600 run this specific malware at two point zero five pm? 333 00:15:31.840 --> 00:15:35.200 Usually yes, full transparency is better for learning. If you 334 00:15:35.240 --> 00:15:38.320 want to test surprise, do a Red team engagement. If 335 00:15:38.320 --> 00:15:41.480 you want to test detection logic, tell them exactly what 336 00:15:41.480 --> 00:15:42.039 you are doing. 337 00:15:42.360 --> 00:15:42.799 Makes sense. 338 00:15:42.879 --> 00:15:45.360 You don't want the Blue team wasting three hours wondering 339 00:15:45.360 --> 00:15:48.000 if an alert is a false alarm. You want them 340 00:15:48.000 --> 00:15:51.360 digging into the data immediately to see why it fired 341 00:15:51.480 --> 00:15:52.279 or why it didn't. 342 00:15:52.320 --> 00:15:54.360 And you have to write this down. You can't just say, oh, 343 00:15:54.399 --> 00:15:54.840 it worked. 344 00:15:55.200 --> 00:15:58.600 Data is everything you need to track success. The book 345 00:15:58.639 --> 00:16:02.080 mentions tools like v ectr, which is designed for this 346 00:16:02.519 --> 00:16:05.279 and visualizes the results, but honestly, a simple jar at 347 00:16:05.279 --> 00:16:08.039 ticket or a shared Excel sheet works too. You need 348 00:16:08.080 --> 00:16:09.240 to record the outcome and. 349 00:16:09.200 --> 00:16:10.919 The metrics aren't just pass fail, are they. 350 00:16:11.039 --> 00:16:13.840 No, it's nuanced. Did we block it, that's a win. 351 00:16:14.320 --> 00:16:16.799 Did we detect it but not block it, that's okay. 352 00:16:16.799 --> 00:16:18.799 At least the alarm rang. But maybe we can do better. 353 00:16:19.279 --> 00:16:20.080 Or was it silent? 354 00:16:20.200 --> 00:16:22.320 That silent categories the stuff of nightmares. 355 00:16:22.600 --> 00:16:26.000 It is did the attack happen and we saw absolutely nothing, 356 00:16:26.000 --> 00:16:29.919 no logs, no alerts, silence. That is the danger zone. 357 00:16:29.919 --> 00:16:32.120 That means you are bleeding and you don't know it. 358 00:16:32.240 --> 00:16:34.600 But finding those silent gaps is the whole point of 359 00:16:34.639 --> 00:16:35.279 the exercise. 360 00:16:35.360 --> 00:16:37.600 It is you'd rather find the silence now with your 361 00:16:37.639 --> 00:16:41.240 colleague then later with a real attacker. And this brings 362 00:16:41.320 --> 00:16:43.879 us back to that cultural shift we started with. We 363 00:16:44.000 --> 00:16:46.519 have to move away from the ego battles, right. 364 00:16:46.399 --> 00:16:49.120 The I gotcha moments, the gotcha culture Exactly. 365 00:16:49.399 --> 00:16:51.559 The goal isn't for the red team to win. The 366 00:16:51.600 --> 00:16:54.039 goal is for the blue team to get better. If 367 00:16:54.080 --> 00:16:56.960 the red team breaks in, steals the data, and nobody 368 00:16:57.039 --> 00:16:59.720 learns anything because they're too busy arguing or hiding the 369 00:16:59.720 --> 00:17:02.679 fail The exercise was a total waste of money. 370 00:17:02.720 --> 00:17:04.960 It's about leaving the ego at the door, you know. 371 00:17:05.079 --> 00:17:07.799 Looking at all of this, the frameworks, the atomic tests, 372 00:17:07.839 --> 00:17:11.640 the collaboration, it really feels like the industry growing up. 373 00:17:11.960 --> 00:17:14.839 It's moving from night swinging swords to scientists in the 374 00:17:14.920 --> 00:17:17.279 lab improving the immune system of the company. 375 00:17:17.440 --> 00:17:21.119 That is a perfect analogy. It's moving from combat to engineering. 376 00:17:21.519 --> 00:17:23.799 We are engineering resilience. 377 00:17:23.640 --> 00:17:26.839 So to recap our deep dive Today. Purple teeming isn't 378 00:17:26.839 --> 00:17:30.240 a new department. It's a new way of collaborating. It's 379 00:17:30.400 --> 00:17:34.319 using frameworks like year ATT and c K to speak 380 00:17:34.359 --> 00:17:36.720 the same language. It's aiming for the top of the 381 00:17:36.720 --> 00:17:40.440 pyramid of pain to block behaviors, not just tools. And 382 00:17:40.480 --> 00:17:44.319 it's using atomic tests to validate your defenses continuously. 383 00:17:44.680 --> 00:17:47.880 And doing it continuously is key, not once a year, 384 00:17:48.160 --> 00:17:51.559 but treating it as a constant cycle of improvement, because 385 00:17:51.599 --> 00:17:53.240 the attackers aren't taking days off. 386 00:17:53.519 --> 00:17:55.839 Now. Before we let you go, there was one thought 387 00:17:55.839 --> 00:17:57.599 in the source material that really stuck with me. It 388 00:17:57.640 --> 00:18:01.160 was about the adversaries themselves. We often think of hackers 389 00:18:01.200 --> 00:18:03.799 as these omnipotent wizards who can do anything. 390 00:18:04.119 --> 00:18:07.680 Ah. Yes, the mention of groups like the Lazarus group right. 391 00:18:07.960 --> 00:18:11.200 The point was that even the sophisticated attackers, state sponsored 392 00:18:11.240 --> 00:18:13.720 groups with millions of dollars, they change their tools constantly. 393 00:18:13.759 --> 00:18:16.160 They might compile a new piece of malware every morning. 394 00:18:16.920 --> 00:18:19.400 Their habits often remain the same. They have muscle memory, 395 00:18:19.519 --> 00:18:22.200 just like we do. They prefer certain ways of moving laterally. 396 00:18:22.559 --> 00:18:25.400 They have favorite commands for discovery. They are human. 397 00:18:25.480 --> 00:18:28.160 They like what they know, and that is the challenge 398 00:18:28.200 --> 00:18:30.759 we want to leave you with today. If you looked 399 00:18:30.759 --> 00:18:35.079 at your organization's security right now, are you blocking IP 400 00:18:35.240 --> 00:18:38.039 addresses the stuff that changes every day and causes low 401 00:18:38.079 --> 00:18:41.599