
Purple Team Strategies: Enhancing global security posture through uniting red and blue teams with adversary emulation

Book details

Purple Team Strategies: Enhancing global security posture through uniting red and blue teams with adversary emulation

Edition:
Authors:
Series:
ISBN: 1801074291, 9781801074292
Publisher: Packt Publishing
Year of publication: 2022
Number of pages: 0
Language: English
File format: RAR (converted to PDF, EPUB or AZW3 on request)
File size: 56 MB

Price (Toman): 45,000





If you need the file for Purple Team Strategies: Enhancing global security posture through uniting red and blue teams with adversary emulation converted to PDF, EPUB, AZW3, MOBI or DJVU, contact support and they will convert it.

Note that this is the original English edition of Purple Team Strategies, not a Persian translation. The International Library website offers original-language books only and does not provide any books translated into or written in Persian.


Table of contents

Cover
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Part 1: Concept, Model, and Methodology
Chapter 1: Contextualizing Threats and Today's Challenges
	General introduction to the threat landscape
		Threat trends and reports
		But really, what is a threat?
		What posture should be adopted regarding the current threat landscape?
	Types of threat actors
		A word on attribution
	Key definitions for purple teaming
		The red team
		The blue team
		Other teams
		Cyber ranges
		Breach attack simulation
		Adversary (attack) emulation
		Threat-informed defense
	Challenges with today's approach
	Regulatory landscape
	Summary
	Further reading
Chapter 2: Purple Teaming: a Generic Approach and a New Model
	A purple teaming definition
	Roles and responsibilities
	A purple teaming process description
		The Prepare, Execute, Identify, and Remediate approach
	The purple teaming maturity model
	PTX – purple teaming extended
	Purple teaming exercise types
		Example one – APT3 emulation
		A breach attack simulation exercise
		Continuous vulnerability detection
		A new TTP or threat analysis
	Purple teaming templates
		Report template
		Collaboration engineering template
	Summary
Chapter 3: Carrying out Adversary Emulation with CTI
	Technical requirements
	Introducing CTI
	The CTI process
	The types of CTI and their use cases
	CTI terminology and key models
	Integrating CTI with purple teaming
		The adversary's TTPs
		The adversary's toolset
		How TIPs can help
	Summary
Chapter 4: Threat Management – Detecting, Hunting, and Preventing
	Defense improvement process
		Defense-oriented frameworks and models
	Prevention
	Threat hunting
		TaHiTI threat hunting methodology
	Detection engineering and as code
		Sigma framework
		YARA rule
		Snort rule
		MaGMa – a use case management framework
	Connecting the dots
	Summary
Part 2: Building a Purple Infrastructure
Chapter 5: Red Team Infrastructure
	Technical requirements
	Offensive distributions
		Kali Linux
		Slingshot
		Commando VM
	Domain names
	C2
		Phishing C2
		Short-term/interactive C2
		Long-term C2
	Redirectors
	The power of automation
	Summary
	Further reading
Chapter 6: Blue Team – Collect
	Technical requirements
	High-level architecture
		A word on log formats
	Agent-based collection techniques
		Beats
		Nxlog
	Agentless collection – Windows Event Forwarder and Windows Event Collector
	Agentless collection – other techniques
		Syslog
		Enrichment
		Filtering
	Secrets from experience
	Summary
Chapter 7: Blue Team – Detect
	Technical requirements
	Data sources of interest
		Windows
		Sysmon – Windows Sysinternals
		Antivirus and EDR technologies
		Linux environments
		Cloud-based logs
		Firewall logs
		Proxy and web logs
		Other data sources of interest
	Intrusion detection systems
		Zeek
		Suricata
	Vulnerability scanners
	Attack prediction and threat feeds
		Prediction
		Threat feeds
	Deceptive technology
		Honeypots
		Honeyfiles
	Summary
Chapter 8: Blue Team – Correlate
	Technical requirements
	Theory of correlation
	SIEM and analytics solutions
		Input-driven versus output-driven
	Query languages
		Splunk process language
		KQL
	Summary
Chapter 9: Purple Team Infrastructure
	Technical requirements
	Purple overview
	Adversary emulation and simulation
		Adversary emulation versus adversary simulation
		Atomic Red Team
		Caldera
		VECTR
		Picus Security
	Enabling purple teaming with DevOps
		Understanding the complete lifecycle of GitLab
		Ansible – a reference in the automation environment
		Rundeck – automate a global security workflow
	Summary
Part 3: The Most Common Tactics, Techniques, and Procedures (TTPs) and Defenses
Chapter 10: Purple Teaming the ATT&CK Tactics
	Technical requirements
	Methodology
	Reconnaissance and resource development
	Initial access
		T1566 – Phishing
		T1190 – Exploit public-facing application
	Execution
		T1059 – Command and scripting interpreter
	Persistence
		T1053 – Scheduled task/job
		T1547 – Boot or logon autostart execution
	Privilege escalation
		T1055 – Process injection
	Defense evasion
		T1218 – Signed binary proxy execution
	Credential access
		T1003 – OS credential dumping
	Discovery
		T1018 – Remote system discovery
		T1046 – Network service scanning
	Lateral movement
		T1021 – Remote services
	Collection
		T1560 – Archive collected data
	Command and Control (C2)
		T1071 – Application layer protocol
	Exfiltration
		T1041 – Exfiltration over C2 channel
		T1567 – Exfiltration over web service
	Impact
		T1490 – Inhibit system recovery
	Summary
Part 4: Assessing and Improving
Chapter 11: Purple Teaming with BAS and Adversary Emulation
	Technical requirements
	Breach attack simulation with Atomic Red Team
	Adversary emulation with Caldera
	Current and future considerations
	Summary
Chapter 12: PTX: Purple Teaming eXtended
	Technical requirements
	PTX – the concept of the diffing strategy
		Purpling the vulnerability management process
		Purpling the outside perimeter
		Purpling the Active Directory security
		Purpling the containers' security
		Purpling cloud security
	Summary
Chapter 13: PTX – Automation and DevOps Approach
	Practical workflow
	Rundeck initialization
	Integration with the environment
		Import the Inventory in Ansible
		Configuring WinRM connections between Rundeck and Windows hosts
	Initial execution
		Using PingCastle on a remote Windows host
		Scheduling an Ansible playbook using Rundeck
		Running PingCastle to conduct a health check on an Active Directory Domain
	Diffing results
	Configuring alerting
	Automation and monitoring
		Rundeck scheduling workflow
		Monitoring and reporting
	Summary
Chapter 14: Exercise Wrap-Up and KPIs
	Technical requirements
	Reporting strategy overview
	Purple teaming report
	Ingesting data for intelligence
	Key performance indicators
		Number of exercises performed during the year
		Proportion of manual tests performed
		Number of changes triggered by purple teaming exercises
		Failed security controls per MITRE ATT&CK tactic
		Purple teaming assessments objectives
		MITRE ATT&CK framework testing coverage
		MITRE ATT&CK framework detection coverage
		Data source integration prioritization
		From Sigma to MITRE ATT&CK Navigator
	The future of purple teaming
	Summary