"SHOW ME THE MONEY!" Budget Optimisation through Purple Teaming

Who doesn't love a good old fashioned cup of tea? what about the nostalgia of a fax machine? or maybe the good OLD FASHIONED pen test?... Most organisations don’t get much, if any, value from a pen test. The reports are often too vague to be useful, the scope doesn’t reflect real-world threats directly applicable to the target environment, and the Blue Team rarely gets anything from the process other than a kicking from management. Find out how purple teaming turns this on it its head by focusing precious Information Security budgets on the things that actually make you safer. See the capability of budget optimisation through the practice of purple teaming.

Stephen Ridgway

After a career in IT and IT Security spanning just short of 25 years, it's safe to say Stephen Ridgway has seen the good, the bad and the dreadfully ugly of Cyber Security. It's these mixed experiences, environments and frustrations which drove Stephen to Co-Found successful Cyber Security startup th4ts3cur1ty.company. His aim is to address failings in the InfoSec market today through common sense practices like PurpleTeaming. He strongly believes that ‘it’s not as hard as they want you to think it is’ and he’s driven to provide affordable solutions to real-world security issues for companies of all sizes and budgets.

The 1-Hour Purple Team Exercise

When teams are spread across continents, it becomes impossible to schedule day-long Purple Team exercises. See how we learned to conduct exercises with only 1-hour of hands-on time together. We will discuss how our Threat Intel team identifies and prioritizes individual ATT&CK techniques beforehand, how our Red Team prepares and executes quickly, and how our Blue Team takes away homework to verify and improve detections. We will share a template for testing T1059.001 – execution of Powershell commands and scripts – which is one of the most commonly-used ATT&CK techniques. You will leave ready to run your own 1-hour Purple Team exercises.

Ben Goerz & Dalit Ben-Izhak

Ben Goerz leads the Counter Threat Unit at Kimberly-Clark, which includes the Threat Intel, Sensor Management, and Red Teams.

Dalit Ben-Izhak is a Red Team Engineer at Kimberly-Clark, where she leads the attacks during Purple Team exercises.

"No, you aren't secure: So stop asking"

"Are we secure?"  How often does this question still get asked? Is this the right question?  (spoiler - NO, It's not!)  This talk identifies the real questions that the CISO needs to be answering and how the purple team provides the right metrics for reporting and analytics.  We will explore the goals of the purple team and how to measure the effectiveness of security controls.  Finally, we'll discuss how to communicate effectively to executives, the board, or key stakeholders and shifting the mindset to stay focused on asking the right questions rather than simply, "Are we secure?"

Dan DeCloss

Dan DeCloss is the Founder and CEO of PlexTrac and has over 15 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies including serving as a Principal Consultant for Veracode on the penetration testing team. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program.  Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that there is a good understanding of how to reduce their overall risk.  Dan can be reached on LinkedIn at https://www.linkedin.com/in/ddecloss/ or on Twitter @wh33lhouse.

Security Through Transparency: Lessons from an S3 Incident

About halfway through 2020, Twilio suffered a security incident due to an improperly configured S3 bucket. I blogged about it here: https://www.twilio.com/blog/incident-report-taskrouter-js-sdk-july-2020.
In this presentation, I’ll take you behind the scenes to look at some of the key decision points and outcomes that could help SOCs and SIRTs better prepare for a publicly facing security incident and may guide vulnerability management and offensive security teams towards countermeasures and attack paths they hadn’t thought about before. Join me for an up close view of just what can happen in a fast-paced, always on, cloud-native environment.

Aaron Stanley

Aaron Stanley leads the Cybersecurity wing of Twilio’s 44th Trust & Security Division. A long time conjurer in the forensic dark arts, despite being a “manager” now he still retains console access to multiple AWS accounts. His life’s work is to make those who come after him succeed beyond him.

VC Panel: Investing in the Future of Purple Teams

Ron Gula will moderate a panel of venture capitalist who invest in purple team technologies and service companies.

Moderated by Ron Gula with Sid Trivedi, Greg Dracon, and Chris Steed

Purple Teaming AWS with CloudGoat and CloudTrail

"Threat hunting on cloud data sources is still in its early days and very less published case studies are present on cloud breaches for defenders to learn from. Adversary simulation tool or vulnerable by design labs are great sources for generating interesting data on which a defender can write new detection or validate existing detections. CloudGoat is one such tool developed by Rhino Security Labs made available to community. It provides capability to simulate various attack scenarios by deploying vulnerable cloud resources via terraform and performing attacks outlined as cheatsheet by CloudGoat team.

In this presentation, we will first select example attack scenarios (cloud_breach_s3, iam_privesc_by_attachment and iam_privesc_by_rollback) available in cloudgoat and emulate it in the non-prod environment. Before emulating the environments, we will also enable relevant logging data sources to capture the activity. In the second part, as a blue team we will look at approaches of exploring the cloud data sources especially AWS CloudTrail and how to hunt for TTPs generated as result of those attack scenarios.  Lastly , we can summarize the findings by mapping TTPs to Techniques from MITRE AWS Cloud Matrix and developed behavioral detections to detect the techniques used in the attacks. The attendees will gain practical understanding of emulating TTPs via cloudgoat and also learn the approaches used by defenders to hunt for TTPs and use results from them to detect such techniques on their data sources. "

Ashwin Patil

Ashwin Patil currently works as Senior Program Manager for Microsoft Threat Intelligence Center (MSTIC) and has over 10 years of experience entirely focused on Security monitoring and Incident Response defending enterprise networks. In his current role, he primarily works on threat hunting , detection research in KQL (Kusto Query Language) for Azure Sentinel and develop Jupyter notebooks written in Python to do threat hunting and investigation across variety of cloud and on-premise security event log data sources. He had certified with various SANS certifications such as GCIA, GCFE, GCIH in the field of Digital Forensics and Incident Response (DFIR).

Assumed Breach With a Side of Phish

Assumed Breach is a penetration testing methodology that helps reduce the cost and complexity of assessment by providing initial access. In a typical Assumed Breach engagement, access to Domain User credentials or a workstation joined to the network are provided to the tester.  This initial access eliminates the time and complexity of externally breaching the network so testing can focus on internal risks. Essentially, Assumed Breach focuses on what is possible after an attacker manages to breach a network or system.

While an Assumed Breach assessment may also evaluate weaknesses to network endpoints and systems visible to the internet at-large, phishing vectors may be overlooked. This shouldn't be the case.

This talk discusses a methodology for incorporating synthetic phishing simulation as part of an Assumed Breach network penetration test or Purple Team assessment. The goal of such simulation is not to train employees to avoid phishing emails; rather, by executing authentic but controlled phishing malware, the efficacy of defensive controls are tested, and the network configuration is evaluated against the possibilities after a payload has been detonated on a workstation.  Phishing simulation helps close the loop in Assumed Breach testing by illustrating a realistic scenario for how an attacker gained initial access.

The talk will provide real-world examples of using a controlled payload that establishes a C2 channel, probes the network for initial reconnaissance, and performs credential theft.

Mike Gualtieri

Mike Gualtieri is a technologist and entrepreneur who is passionate about Linux, digital privacy, and cybersecurity. He is the President of the software development firm Eris Interactive Group, Co-Founder of SAVIO Information Security, and a founding instructor for the Professional Institute at the University of Pittsburgh School of Computing & Information.  Previously, he was the innovator of Kiddix, a Linux-based OS for kids with integrated parental controls. Mike has two decades of experience in software architecture and security, working in both business and technical roles.  For the University of Pittsburgh, he has developed and teaches the two capstone technical courses for the Professional Institute, the Offensive Boot Camps, that teach students vulnerability discovery and penetration testing.

Mike's enthusiasm for security was apparent at a young age, when he decided to write a program to (weakly) password protect some of his 5.25" floppy disks, only to discover that 20 years later he had to hack into his own files and discover that the secret password was 'ninja'.

Targeting Cloud IAM policies never looked so good

"Identity and Access Management (IAM) is the cornerstone for keeping cloud environments secure. However, due to dynamically scalable infrastructure and the need to access ever-growing datasets, IAM policy misconfigurations can and do occur. In this presentation, we will dive into key findings from our Unit 42 Fall 2020 Cloud Threat Report, including: how IAM policies can be misused, what IAM policies are commonly misconfigured, who targets them, and what they can lead to.

Using the findings from a recent Red Team exercise we lead, I will detail how we compromised a massively scaled AWS environment, which maintained 1000s of workloads, 500+ users, and 1000+ unique roles. By solely exploiting misconfigured IAM trust policies, we gained access to internal data storage from an unauthenticated external account by leveraging a misconfigured IAM trust entity and how we gained admin privileges to the entire organizational cloud environment by exploiting a single misconfigured custom IAM role. By illustrating the actions we took, and the tactics used, I will show the audience how cybercriminals can perform any number of attacks against an organization who maintains these same vulnerable IAM policies.

Finally, I will detail how some of the IAM weaknesses addressed in the red team exercise are being targeted in the wild. Known cryptojacking malware families, like TeamTnT and Kinsing, have recently begun adding code to their malware targeting AWS credential and configuration files, as well as performing additional post-exploit operations. The actions taken by these groups allow the actors behind the malware families to expand the attackable surface and potentially compromise additional systems using the same tactics we demonstrate within the red team exercise. I will close the presentation by giving concrete examples of how security teams can view and configure their IAM settings to ensure they can survive cloud identity attacks. "

Nathaniel Quist

Nathaniel "Q" Quist works with Palo Alto Network’s Unit 42 and Prisma Cloud as a Senior Threat Researcher focused on researching the threats facing public cloud platforms, tools, and services. He has worked within Government, Public, and Private sectors, holds a Masters of Science in Information Security Engineering (MSISE) from The SANS Institute, where he focused on Network and System Forensics, Malware Reversal, and Incident Response. He is the author of multiple blogs, reports, and whitepapers published by Unit 42 as well as the SANS InfoSec Reading Room. Q is actively focused on identifying the threats facing cloud environments, specifically the malware targeting those environments and the actor groups behind those attacks.

The Immediate Value of Purple Teams


Ryan Leirvik

Ryan leads the Cybersecurity Management Solutions practice at GRIMM and oversees out commercial focuses. Ryan has spent the better part of two decades enhancing information security programs at the world's largest institutions in national defense, finance, insurance, retail, consumer goods, and energy. Ryan started his career building secure systems and now focuses on operationally-sound cybersecurity management solutions, where he helps clients identify and solve complex security issues facing their unique organization. He has experience in information at risk, the likelihood of compromise, roadmap development, investment prioritization, vulnerability management, incident response, and alignment of all the above within a broader cybersecurity strategy.

Ryan holds a Bachelor of Science from Purdue University, a Master of Information Technology from Virginia Polytechnic and State University (Virginia Tech) and a Master of Business Administration from Case Western Reserve University. He is on the Security and Risk Analysis Advisory Board at Penn State Altoona, and has contributed to the following publications: Originals: How Non-Conformists Move the World (VIKING); and, Beyond Cybersecurity: Protecting Your Digital Business (WILEY).

Projecting TA505 Tradecraft to Cutting Edge Systems

TA505 is a threat actor that is financially motivated, and actively targeting larger organisations in APAC, Europe and USA. Their tradecraft evolves in time as the defence teams improve their detections and security controls. Purple team exercises planning to simulate the treat actors like them should provide safer but realistic alternatives for their tradecraft and predictions. Therefore, I prepared a sample TA505+ adversary simulation project which can be used for Red and Purple team exercises against cutting edge systems such as Windows 10, Office 2019 and Windows Defender. In this project, I projected the TA505 tradecraft with a reasonable stretch such as focusing on .NET assemblies and reusing public tools. I used my Command & Control solution, Petaq C2, to replace the Cobalt Strike. In addition, I developed custom droppers, a ransomware, staged deployment for initial compromise, repurposed AMSI and UAC bypasses, and finally combined them in an attack flow. In this presentation, I'll demonstrate the techniques and tools used, but also share the results in fully updated systems.

Fatih Ozavci

Fatih Ozavci is a multidisciplinary security manager, engineer and researcher with two decades of experience on offensive and defensive security technologies. He has managed several international security assessment and research projects focused on various technologies including service provider networks, unified communications, application security and embedded systems. He shared his researches, tools, advisories and vulnerabilities in major security conferences such as Black Hat USA, DEF CON and HITB. Nowadays, he combines his skillsets to perform realistic adversary simulations and defence exercises for larger organisations. Fatih currently managed Red Team operations of 2 of Tier-1 Australian banks, and studying Master of Cyber Security (Advanced Tradecraft) at University of New South Wales at Australian Defence Force Academy.

How to Use the Purple Team to Point Stakeholders to Defensible Infrastructure

Sounil Yu

Sounil Yu is a security innovator with over 30 years of hands-on experience creating, breaking, and fixing computer and network systems. He is the creator of the Cyber Defense Matrix and the DIE Resiliency Framework, which have shaped the views of the industry, regulators, and the overall security ecosystem. He serves on the Board of Advisors of the FAIR Institute and Strategic Cyber Ventures and is an adjunct professor at George Mason University's School of Business teaching the fundamentals of Cybersecurity Technologies. He chairs the Philosophy Track for Art into Science: A Conference on Defense, where attendees discuss and define meaningful concepts in security, create practical applications of those concepts, and document them for the purposes of broader implementation.

He previously served as the Chief Security Scientist at Bank of America, leading a cross-functional team focused on driving security innovation and a thriving startup culture to meet emerging cybersecurity needs, to serve as a challenge function, and to be a change agent driving unconventional thinking and alternative approaches to hard problems in information security. Before Bank of America, he helped improve information security at several institutions spanning from Fortune 100 companies with three letters on the stock exchange to secretive three letter agencies that are not. He also created and led a nationally recognized intern program with over 300+ students to create new capabilities and tackle tough challenges in cybersecurity.

He has 22 granted patents covering a wide range of topics, including threat modeling, graph databases, intrusion deception, endpoint security monitoring, tracking media leaks, attributing malicious requests, attributing devices to organizations, detecting logic bombs, security portfolio optimization, and neutralizing stolen files. In addition to CISSP and GSEC certifications, Sounil holds a master's degree in Electrical Engineering from Virginia Tech and bachelor's degrees in Electrical Engineering and Economics from Duke University.