Cybersecurity Post #1

Operationalize Purple Teaming with Red Teams and Blue Teams | Information Security Newsletter

On May 16th, 2023, @CISAgov published a joint cybersecurity advisory with @FBI containing the tactics, techniques, and procedures (TTPs) of the BianLian ransomware and data extortion group, which targets private enterprises and critical infrastructure organizations. You can read the advisory here: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-136a

Reading published threat reports is a great way to learn how real threat actors operate. It's great to see CISA publishing “replay-able” techniques that can be used to practically test detections. This is a key component of these published threat reports, and the industry should expect to see more of it. By having access to these techniques, red teams, blue teams, and most importantly, purple teams can incorporate tests into their environments to validate preventative and detective controls.

Let's start by taking some examples from the detailed report located here: https://www.cisa.gov/sites/default/files/2023-05/aa23-136a_stopransomware_bianlian_ransomware_group_1.pdf

On page 16 of 17 of the PDF, you will find the appendix: WINDOWS POWERSHELL AND COMMAND SHELL ACTIVITY.

This is a great “beginner” or starter way to operationalize purple team activities within organizations. As that appendix shows, various net commands are used for enumeration. Enumeration of domain admins is especially concerning, as it reveals directly which accounts are the most sensitive within an Active Directory environment.

The above tests can be viewed as “beginner” or “basic”. A network penetration test will perform these net commands, but those pentests won't be run from a device with the deployed EDR. An engaged red team will typically consider many of these net commands “noisy” and may never run a net command enumerating domain admins, ultimately leaving an important technique never, or improperly, validated.

We do know from published threat reports (thank you, published “replay-able” techniques 😀) that activity such as net commands and enumerating domain admins is used across different ransomware actors.

Most organizations don't know their ability to detect and respond to this type of activity. Get to it; test it as soon as possible. This is a great way to get started operationalizing purple teaming. Do you get an alert when someone enumerates domain admins within the environment?
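The blue-team half of that purple team exercise is checking whether the process-creation telemetry actually produces a finding when the net command runs. The script below is an added example for this post, not code from the newsletter, CISA, or the advisory: it runs a simple detection over a constructed sample of Sysmon Event ID 1 style records (the `Image`, `CommandLine`, `User` and `Computer` field names follow Sysmon; the events, hosts and user names are made up), flags `net group <name> /domain` lookups, rates lookups of high-privilege groups as high severity, and then reports which of the groups the purple team expected to enumerate actually produced a high finding. The `SENSITIVE_GROUPS` list and the `/do` abbreviation handling are assumptions of this example.

```python
"""Detection check for net.exe domain-group enumeration over process-creation events.

Added example for this newsletter post (not code from the post, CISA, or the advisory).
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Groups whose membership most directly maps out the tier-0 accounts (assumed list).
SENSITIVE_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}

# net.exe hands most sub-commands to net1.exe, so a rule keyed only on net.exe
# misses a large share of the events; match both image names.
NET_IMAGES = {"net.exe", "net1.exe"}

# `net group <name> /domain`; net accepts abbreviated switches, hence /do[a-z]*.
GROUP_QUERY = re.compile(
    r'\bgroup\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s"/]+))\s+/do[a-z]*\b',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    group: str
    severity: str
    command_line: str


def inspect_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a net.exe domain-group membership query."""
    if event.get("EventID") != 1:          # only process-creation events
        return None
    image = event.get("Image", "").replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if image not in NET_IMAGES:
        return None
    m = GROUP_QUERY.search(event.get("CommandLine", ""))
    if not m:
        return None
    group = (m.group("q") or m.group("u")).strip().lower()
    severity = "high" if group in SENSITIVE_GROUPS else "low"
    return Finding(event.get("Computer", "?"), event.get("User", "?"),
                   group, severity, event.get("CommandLine", ""))


def inspect_events(events: Iterable[dict]) -> List[Finding]:
    return [f for f in (inspect_event(e) for e in events) if f]


def coverage(findings: List[Finding], expected_groups: Iterable[str]) -> Dict[str, bool]:
    """Purple-team check: for each group the test enumerated, did a high finding fire?"""
    seen = {f.group for f in findings if f.severity == "high"}
    return {g.lower(): (g.lower() in seen) for g in expected_groups}


# Constructed sample events (Sysmon Event ID 1 style, reduced to the fields used here).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Domain Admins" /domain', "User": "CORP\\jdoe", "Computer": "WS01"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net1.exe",
     "CommandLine": 'C:\\Windows\\system32\\net1 group "Domain Admins" /domain',
     "User": "CORP\\jdoe", "Computer": "WS01"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net use Z: \\\\fileserver\\share", "User": "CORP\\asmith", "Computer": "WS02"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators", "User": "CORP\\asmith", "Computer": "WS02"},
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net group "Sales" /do', "User": "CORP\\asmith", "Computer": "WS02"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "", "User": "NT AUTHORITY\\SYSTEM", "Computer": "WS02"},
]


if __name__ == "__main__":
    found = inspect_events(SAMPLE_EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.computer} {f.user}: {f.command_line}")
    # The purple team ran the Domain Admins lookup but not the Enterprise Admins one.
    print(coverage(found, ["Domain Admins", "Enterprise Admins"]))
```

Run it as-is and the two Domain Admins lookups (one via net.exe, one via net1.exe) come back as high-severity findings, the Sales lookup as low, and the coverage report shows Domain Admins covered and Enterprise Admins not, which is the gap the next exercise would close. In a real exercise the sample list is replaced by events pulled from the SIEM or EDR for the window in which the purple team ran the command; if the command ran and no high finding appears, either the telemetry is not reaching the log pipeline or the rule does not match, and that is exactly what the test is meant to surface.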

If you like the content, please subscribe to receive more information on operationalizing purple team activities.