Let’s Get Offensive: Building a Purple Culture

Ch33r10
6 min read · May 31, 2022


TL;DR: Determine what purple culture means to you then develop a plan.

Introduction

A friend asked if I would give a talk, but the caveat was that it must be recorded in about a week. I’ve spent the majority of my time the past year doing things related to my doctoral dissertation 🎓 on Enterprise Purple Teaming (GitHub + Dissertation), so I thought, why not share some thoughts for people interested in purple. I usually capture talk-related information in GitHub, but decided to give Medium a try. 😅

Context

While it seems the overall organizational culture generally stems from executives and upper management, I believe that managers and individual contributors can influence the cultural dynamics in their respective teams and departments.

What I’ll be sharing

I’ll start with a brief discussion of offensive skill sets and what that actually means. Next, I’ll provide a Team Workshop Idea for Managers, then I’ll share some talking points for managers during the workshop (that can be repurposed to build a template for purple culture in your organization, or for individual contributors to take the initiative with their managers), then I will finish with additional ideas for managers. So with that…let’s begin!

Offensive Operations

Internal red teams, let alone mature internal red teams, are rare and a commodity that many organizations might not be able to afford. If your organization doesn’t have a red team, think outside the box. Also, when I discuss red, red teams, offensive operations, or offensive skills, please adapt that to your respective organization, as each organization is unique with its own set of circumstances. For example, more and more, I am finding defensive professionals learning offensive skills. So, even if you do not have an official internal red team, you can reach out to the blue members on your team that have offensive skills.

Let’s say you don’t have any blue teamers with offensive skills; then I would suggest finding willing participants to expand their offensive skill set. Luckily ☘️, I haven’t met a security team (yet) that is unwilling to learn new skills when encouraged. On the off chance your team doesn’t want to learn any offensive skills, I’d suggest going “back to basics.” Learn as a team about the kill chain and how attacks generally proceed, such as attackers needing to establish a foothold (persistence), etc.

💡Team Workshop Idea for Managers

What You’ll Need:

  • Google Jamboard or another resource to write brainstorming ideas from your team.
  • Possibly a meeting scribe to help with organizing the notes and feedback.
  • Team Meeting with an Agenda.

Discussion Topics

  1. Ask what Purple Culture means to them.
  2. Ask where they see offensive skill sets bringing value to existing operations.
  3. Ask where they see offensive skill sets bringing value outside the immediate security organization.
  4. If you have a red team, ask how they think defensive skill sets or interaction with the defensive teams could benefit the red team.

Ensure you capture all the feedback from your team. Below, I will provide some thoughts about the discussion topics above. These Discussion Topics can be repurposed to build out a purple culture roadmap for your organization or for individual contributors to show initiative and discuss potential projects with their managers.

Discussion Topic 1: Purple Culture

What Purple Culture means to me:

  • Collaboration
  • Cooperation
  • Offensive skills across the team
  • Communication
  • Skill Building
  • Problem-solving mentality
  • Curiosity
  • Continuous Improvement
  • Practice for real incidents
  • Focus on improving security posture over politics or self-interest
  • Red learns blue tradecraft and vice versa
  • Treat security personnel as humans and not just resources (a cog in the corporate machine)
  • High-performing teams
  • People empowered to defend the organization
  • “Offense informs defense”
  • & More

Discussion Topic 2: Offensive Skills in Security Operations

CONTEXT: I believe the core Security Operations Department includes the following: SOC, DFIR, CTI, Hunt, Detection Engineering, Red, and Purple.

  • SOC: Red could host workshops for the SOC, Red could review logs including False Positives and Closed Tickets for things that could’ve been overlooked.
  • DFIR: Red can consult during incidents.
  • CTI: Red could train CTI on obtaining procedures, Red could train CTI on using their BAS solution to test the procedures, Red could consult on potential alternative procedures, Red could provide insight on threat actor activity.
  • Detection Engineering: Red consultation for detections and potential atomic detections, high-fidelity detections based on red activity.
  • Hunt: Red consultation for hunts, high-fidelity hunts based on red activity.
  • Security Operations Overall: Red could create custom challenges for blue, including malicious JavaScript for blue to deobfuscate, payloads to analyze, maldocs to analyze, etc. Red could create a CTF for the security team, Red could do HTB/THM/other with Blue, Red could do a technique review with Blue and train them on what to look for (example: process hollowing).

Discussion Topic 3: Offensive Skills in the Organization

  • AppSec: Consider creating a Bug Bounty Program (research Private vs. Public Bug Bounty programs). Ensure people, process, and technology are addressed appropriately before onboarding a Bug Bounty Program.
    — Resource: Bug Bounty Programs: Enterprise Implementation by Jason Pubal
    — Resource: Luta Security
  • Exploit Dev: Consider security research on your or vendor’s software/hardware.
    — SANS PenTest HackFest by Ryan Adamson — A Seriously Righteous Hack
  • Vulnerability Management: Red consultation for exploits, ease of exploitation for vulnerabilities, chaining CVEs, and prioritization of unpatched vulnerabilities.
  • Risk Management: Red consultation, Third Party Review, Vendor Onboarding, Mergers and Acquisitions, etc.
  • DevSecOps: Red integration into software development.
  • Organization-Wide: Red could create an organization-wide CTF for everyone to learn about cybersecurity and offensive skills, Security Chaos Engineering.
    — SANS Purple Team Summit by Cari Cistola and David Lavezzo — Order Through Chaos: Data-Driven Hypothesis Creation Using Security Chaos Engineering

Discussion Topic 4: Red Team Defensive Skill Building OR Defensive Team Interaction

  • SOC SIT IN: Red could sit in with the SOC and learn how they get detected.
  • BOTS: Red could do Splunk’s Boss of The SOC with the Blue Team.
  • CTI Interaction: Red could get a heads up from CTI about emerging techniques, the evolving threat landscape, or even TTPs of attackers targeting the organization. The Red-CTI relationship could help build intelligence-driven red team operations or purple team exercises.
  • Tradecraft: Red could learn blue tradecraft with the purpose of improving their operations, which in turn makes blue better. Red could learn how they are detecting a payload, red can improve their payload, which would give blue a chance to build better detections or gain visibility.

Finally, I’ll finish with a brief review of some manager-oriented ideas to encourage purple culture.

Manager Discussion

  • Encourage your team to enter into CTFs and hack together (HTB/THM/etc.).
  • TTP Friday (or day of your preference) — 30-minute to 1-hour brainstorming session on detection, a focused purple session, or learning more about various attacker techniques
  • Alternate Analysis Training — U.S. Army — The Red Team Handbook
  • Re-Org: Bring Red under Security Operations
  • Virtual gathering for red and blue, except it isn’t work-related, where the red and blue members focus on building relationships without manager oversight.
  • Consider getting approval for a testing lab with a gold image and your organization’s security stack. If that’s not possible, consider a detection lab, such as Splunk’s Attack Range, or Chris Long’s Detection Lab.

Conclusion

One main takeaway: Define what purple culture means to you and take steps towards building that in your organization.

Thank you for reading! Happy purple-ing! 💜

For The Lawyers

“The opinions expressed in this blog are those of the individual account, in their individual capacity, and not necessarily those of the employers. Mention of any vendors, services, products, or otherwise does not endorse them as a vendor. This content and any related discussions are solely the views, opinions, and experiences of the participants and should not be presumed to reflect the opinion or the official position of any employers of the participants. Examples and views provided herein, including strategies, goals, targets, and indicators are for illustrative purposes only and should not be regarded as representative of the participants’ employers or respective portfolios. To the extent that this participation, discussion, and interview outlines a general technology direction, the participants’ employers have no obligation to pursue any such approach or to develop or use any functionality mentioned herein. Any suggested technology strategy or possible future developments are subject to change at the employers’ sole discretion without notice. Content in this presentation is the intellectual property of the applicable creators and may be protected under the copyright laws of the United States and/or other countries. All trademarks are the property of their respective owners and are used for informational purposes only.”


Ch33r10 (Xena Olsen). Fortune 500 Senior Cybersecurity Analyst, Cybersecurity Doctor of Science, MBA IT Management, 8 x GIAC, SANS Women’s Academy graduate.