I admittedly have not been to a lot of conferences, but ATT&CKcon 2.0 has easily been my favorite so far. The SANS Purple Team Summit, which occurred the week prior, presented interesting ideas and implementations of Purple Teams (both internal and external). In this post, I'll be going over how I draw value from conferences and the lessons learned, as well as related projects Praetorian has going into the end of 2019 and start of 2020.
One of the toughest sells of attending a conference is proving that you're actually there to learn versus simply enjoying the free food and networking with infosec Twitter celebrities. In order to accomplish this, I treat conferences very similarly to how I treat learning from a textbook.
Recently, I made my way through How to Read a Book based on a recommendation from a previous Air Force supervisor. The book helped me establish a framework for thinking when reading to learn that equally applies to conferences. A crucial step lies in ingesting the material multiple times with varying goals in each iteration. In the first pass, identify keywords and themes and then seek to analyze detail in future rereads.
When attending a conference, especially a themed one such as ATT&CKcon, I find it valuable to spend my energy focusing on the speakers during the live presentations as opposed to taking notes. Afterwards, I review the videos to extract details and specific ideas. From there, I'll work to examine how those themes and ideas apply to my current work, and identify what I or my team can be doing to improve.
Before I delve much further, I want to clarify my definition of Purple Teams. Blue Teams work to defend an organization's information security. Red Teams emulate relevant threats and seek to identify previously unknown risks to an organization.
A Purple Team draws in members of the Blue Team, Red Team, and potentially other internal and external experts to solve security problems in a collaborative manner.
At Praetorian, we use Purple Teams to enhance an organization's detective capabilities by emulating specific Tactics, Techniques, and Procedures (TTPs) from the ATT&CK framework. However, I encourage you to figure out what problems face your security team and identify how bringing red and blue together can help solve these problems. Perhaps your users keep clicking on phishing emails. In this case, the Blue Team could work with a Red Team to discuss common themes, strategies, and TTPs across the phishing campaigns. The Blue Team could then incorporate the additional context and focus on tailoring the security awareness training based on the collaborative exercises.
Over the course of the two conferences, a number of consistent themes emerged in terms of how other teams use ATT&CK and Purple Teams to improve their organization's security.
The first was with regards to feedback cycles.
In the days of waterfall and spiral development, new code would take months before it reached the end user. With the introduction of agile and DevOps, new code might hit production servers multiple times a day. Infrastructure security teams thought they were shielded from this change as their operating systems and network devices would only update monthly (if at all).
Nowadays, the ATT&CK framework provides a new focal point for the distribution of knowledge, and new techniques and procedures are being added to the matrix monthly. Infrastructure teams have to adapt to the pace of change that application security teams have long been accustomed to. This was made apparent at ATT&CKcon and the SANS Summit with multiple organizations discussing their approach to protecting and detecting new attacks.
One organization, in addition to conducting large, traditional red teams, now operates multiple red teams daily - each focused on a specific part of a specific threat path that they are concerned with. These exercises are conducted collaboratively, with both red and blue working together with the same goal in mind: identify and fix weaknesses.
The second theme I noticed was prioritization.
It appears that organizations have collectively concluded that the ATT&CK Matrix is too much. Even for an organization with near unlimited resources, it is nigh impossible to have complete "coverage" of the matrix. Even then, the definition of "coverage" for a technique is up for debate with varying procedures for multiple techniques and varying context changing the metrics. Thus, organizations have decided to prioritize the techniques relevant to their organization.
The approach to this varied, with some teams relying solely on Cyber Threat Intelligence (CTI) and others focusing on TTPs from recent Red Team reports. Regardless of their method, most everyone has decided to identify the portion of the matrix that they deem most relevant and has focused their efforts there.
Finally, researchers were discussing what it means to be "green" on a technique.
As discussed earlier, some techniques have a variety of different procedures. As an example, for Credential Dumping, there are numerous methods of dumping credentials including injecting into LSASS, saving registry keys, group policy preferences (GPP), etc. Additionally, context matters. Within a particular environment, a slew of PowerShell commands run by a service account is likely far less concerning on a server than on a user workstation. Finally, the levels of "green" could vary based on that same context and the particular TTP.
To appropriately detect a TTP, one needs the right data collected, the data to be properly formatted, the data to be sent somewhere indexable, and sufficiently tuned alerts that analysts are actually responding to correctly.
In addition to that, an analyst may want that data to be comparable with other data. A standalone system that makes it difficult for an analyst to send the data to a SIEM may leave defenders in a bind if they want to cross-reference that data with another system. A classic example is comparing EDR data with Active Directory user groups.
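As an added illustration (not code from the original post or from Praetorian), the following Python sketch shows the context point above: the same PowerShell execution is triaged differently depending on the host's role and whether the account sits in a service-accounts group pulled from Active Directory. The EDR events, the host-naming convention, and the group names are all constructed assumptions.

```python
"""Context-aware triage of constructed EDR process-creation events, joined
against constructed Active Directory group data.  The same PowerShell
activity rates differently depending on who ran it and where."""

# Constructed sample EDR process-creation events (not real telemetry).
EDR_EVENTS = [
    {"host": "SRV-SQL01", "user": "svc_backup", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\scripts\\backup.ps1"},
    {"host": "WS-ALICE", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA..."},
    {"host": "WS-BOB", "user": "bob", "image": "notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "SRV-FILE02", "user": "alice", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-ChildItem"},
]

# Constructed AD group membership; in practice this comes from an LDAP/AD export.
AD_GROUPS = {
    "svc_backup": {"ServiceAccounts"},
    "alice": {"Domain Users"},
    "bob": {"Domain Users"},
}

def host_role(hostname):
    """Assumed naming convention: SRV-* are servers, everything else a workstation."""
    return "server" if hostname.upper().startswith("SRV-") else "workstation"

def is_service_account(user):
    return "ServiceAccounts" in AD_GROUPS.get(user, set())

def triage(event):
    """Return a severity tier for one event using host and account context."""
    if event["image"].lower() != "powershell.exe":
        return "none"
    role = host_role(event["host"])
    svc = is_service_account(event["user"])
    if " -enc" in event["cmdline"].lower():
        return "high"          # encoded command line is worth a look anywhere
    if role == "server" and svc:
        return "low"           # expected: scheduled service-account scripts on a server
    if role == "workstation" and svc:
        return "high"          # a service account active on a workstation is unexpected
    return "medium"            # interactive user running PowerShell (server or workstation)

def triage_all(events):
    """Map each host to the tier of its event; lets a SIEM search sort by context."""
    return {e["host"]: triage(e) for e in events}
```

Running `triage_all(EDR_EVENTS)` shows the two workstation and two server PowerShell events landing in different tiers purely because of the AD and host context joined in.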
From these themes, Praetorian has decided to pursue a number of improvements to our Purple Team service line moving into 2020. First, we need to increase the usability of our reports. While our Excel report has changed some minds on spreadsheets, it still lacks a lot of important features that we hope to see including comparing improvements over time, integrating with Jira, and increased templatization (including the use of something like Sigma).
Our second area of focus is increasing our use of automation. In a space that is seeing an ever increasing number of products (SafeBreach, AttackIQ, Scythe - just to name a few), Praetorian has to leverage automation so that our engineers can spend more time solving tough problems for our clients. We seek to apply automation in two areas. The first is increasing and improving the number of TTPs we have automated. The second is automating our searching. The entire process of executing a TTP and determining if appropriate telemetry exists should be automated and seamless for our engineers so that they can move onto more interesting challenges.
Our final area of introspection is examining how we treat the onsite portion of our Purple Teams. Finding the balance between testing, improving, and tutoring will be a key area of focus in 2020. A number of our clients have felt that having our engineers onsite is the most valuable portion of the assessment, while others value the testing coverage, and still others want us to focus on tuning various alerts. At the same time, we have to be cognizant of travel burnout. This will require establishing a fine balance and setting clear expectations for the engineers and our clients.
We're committed to being the security experts and that requires critically examining our processes and always striving to improve. Additionally, Praetorian is fully committed to continuing our work with MITRE and ATT&CK, and we’ll strive to be an active contributor to the framework. Finally, if you're looking to conduct a Purple Team, please reach out on our website. If you want to just chat with me about Purple Teams, detection methodologies, or graphs, feel free to contact me directly!