
MITRE ATT&CKcon 2018: From Red VS Blue to Red ♥ Blue, Olaf Hartong and Vincent Van Mieghem, Deloitte

This session discusses Deloitte’s purple teaming approach, which uses ATT&CK as a guiding principle to help both the red and the blue team improve.

The session shows how this works in a customer scenario: how to scope the scenario, how to plan it and choose the TTPs to be covered, and how we assist the customer’s blue team in understanding those TTPs and designing detective capabilities for them.

When the Blue Team is able to connect the dots between offensive activities in the network and what they see in their logs, firewalls, SIEMs, etc., they gain a full understanding of what adversaries do and what the TTPs of attackers actually look like when they are active in their network.

It’s much easier to find the needle in the haystack if you know there is a needle to find to begin with. Purple teaming provides this pointy needle, which is used to accelerate the Blue Team.

Published in: Technology

  1. FROM RED vs BLUE to RED 💜 BLUE. MITRE ATT&CKcon. Olaf Hartong & Vincent Van Mieghem
  2. WTHAY?
  3. VINCENT VAN MIEGHEM, RED TEAM SPECIALIST. About Vincent: Red team operator; technical guy; focus on AV evasion techniques; software engineering background. Hobbies: computers et al.; lifting when I get bored. @_vivami, github.com/vivami, vvanmieghem@deloitte.nl
  4. OLAF HARTONG, SPECIALIST LEADER BLUE TEAM. About Olaf: Olaf is technically responsible for the Blue Team services within Deloitte NL. Focus on incident response, threat hunting, building SOCs and purple teaming. Hobbies: photography, biking, snowboarding. Background in tele and data communications and arts; former documentary photographer; dad of 2 boys. @olafhartong, github.com/olafhartong, ohartong@deloitte.nl. © 2018 Deloitte LLP. All rights reserved.
  5. OUR DEFINITION OF RED TEAMING: SIMULATING A REALISTIC ADVERSARIAL ATTACK AGAINST YOUR ORGANIZATION. (Image © 2017 North Korea's Korean Central News Agency)
  6. A TI-based Red Teaming (TIBER) approach: 1 Threat Intelligence; 2 Tailor scenario A, B, … X; 3 Execute scenario A, B, … X; 4 Blue team debrief; 5 Remediation plan
  7. RED TEAMING PITFALLS: can be antagonizing; the blue team can be tipped off; the report might not be put to good use; you’re merely there for compliance reasons; the blue team lacks the skill or knowledge to follow up
  8. RED vs BLUE
  9. RED + BLUE = PURPLE, COMBINING STRENGTHS. RED TEAM: Realistic, simulated attack, following the profile of an actual threat actor to the organization. The red team will try to achieve a number of agreed objectives without raising any detection or response. BLUE TEAM: Continuous monitoring of and response to indicators of attacks and compromises. To this end, the blue team establishes and improves on detection measures in the IT infrastructure and defines and implements specific “use cases” to monitor for. PURPLE TEAM: Combining the red and blue team efforts in an interactive setting, by performing an attack while the blue team is actively watching which elements are and are not detected. Afterwards, both blue and red team improve their approach and retry.
  10. WE ALL SPEAK THE SAME LANGUAGE… RED TEAM, THREAT INTELLIGENCE, BLUE TEAM: MITRE ATT&CK
  11. …WE ALL SPEAK ATT&CK… 1 Threat Intelligence; 2 Tailor the scenario; 3 Execute the attack scenario; 4 Monitor within the SIEM/SOAR/? All mapped onto the MITRE ATT&CK matrix.
  12. …SO WE DON’T END UP LIKE THIS. (Image © Disney, All Rights Reserved, Muppets)
  13. TIBER STYLE PURPLE TEAMING: 1 Gain threat intelligence on attacks on similar companies; 2 Identify an attack scenario mapped to ATT&CK; 3 Execute the attack scenario; 4 Monitor within the SIEM/SOAR/?; 5 Evaluate the attack and identify gaps in detection; 6 Develop additional detection methods, request additional logging; 7 Replay the attack scenario. Exercise complete.
  14. OPEN SKIES: What traces do I leave? How does a red team think? Can I adopt my TTPs to fall off the radar? Focus detection based on ATT&CK. Skill/knowledge boost for both teams.
  15. QUESTIONS?
