Purple Team Strategies

BIRMINGHAM—MUMBAI

Copyright © 2022 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

Group Product Manager: Vijin Boricha

Publishing Product Manager: Vijin Boricha

Senior Editor: Tanya D'cruz

Content Development Editor: Yasir Ali Khan

Technical Editor: Arjun Varma

Copy Editor: Safis Editing

Project Coordinator: Shagun Saini

Proofreader: Safis Editing

Indexer: Tejal Daruwale Soni

Production Designer: Shyam Sundar Korumilli

Senior Marketing Coordinator: Hemangi Lotlikar

Marketing Coordinator: Sourodeep Sinha

First published: May 2022

Production reference: 1190522

Published by Packt Publishing Ltd.

Livery Place

35 Livery Street

Birmingham

B3 2PB, UK.

ISBN 978-1-80107-429-2

www.packt.com

Contributors

About the authors

David Routin became interested in computer security at a young age. He started by learning about old-school attack methods and defense against them in the 1990s with Unix/Linux systems. He now has over two decades of experience and remains passionate about both sides of security (offensive and defensive). He has made multiple contributions to the security industry in different forms, from the MITRE ATT&CK framework, the SIGMA project, and vulnerability disclosures (Microsoft) to public event speaking and multiple publications, including articles in the French MISC magazine.

As a security professional, he has held multiple positions, including security engineer, open source expert, CISO, and now security operations center (SOC) and Purple Team manager at e-Xpert Solutions. Over the last 10 years, he has been in charge of building and operating multiple SOCs for MSSPs and private companies in various sectors (including industry, pharma, insurance, finance, and defense).

His domains of expertise are SOC creation, SIEM technologies, use case development, Blue teaming, incident response for large-scale critical incidents, forensics (SANS GCFA/GCIH certifications), and applied standards (ISO 27001 and PCI-DSS company certifications).

Special thanks to my co-authors and friends for taking up this challenge.

To my bosses, Cédric and Christian @e-Xpert Solutions, thank you for your trust and your support.

This book is dedicated to my family for their love, patience, and flawless support. Thank you, Marie, Elisa, and Alexandre.

Simon Thoores is a cybersecurity analyst who specializes in forensics and incident response. He started his career as a security analyst after obtaining an engineering diploma in information system architecture with a focus on security. He built his forensics and reverse engineering skills during large-scale incident responses, and he finally validated these skills with GCFA. Then, he moved to the threat intelligence field to better understand and emulate attackers in order to improve infrastructure security.

I want to thank my wife, Alix, for her boundless support and trust, and I also want to thank my family for their encouragement and help. Finally, I want to thank my former and current colleagues for their help and our late-night discussions about our common passion.

We would also like to thank Dimitri Cognet for his contribution to the book as a DevOps specialist.

Samuel Rossier is currently SOC lead within a government entity, where he focuses on detection engineering, incident response, automation, and cyber threat intelligence. He is also a teaching assistant at the SANS Institute. He was previously responsible for a private bank group's CIRT, and also worked as a SOC manager within an MSSP. He also spent several years within a consulting cybersecurity practice.

Samuel currently holds a master's degree in information systems and several information security certifications, including GRID, GMON, eCIR, eCTHP, eCRE, eNDP, and eJPT.

He is also a contributor to the MITRE D3FEND and SIGMA frameworks and likes to speak at conferences and analyze malware. He places a strong emphasis on the people dimension of cybersecurity through knowledge sharing.

Thanks to my family, friends, and colleagues for their guidance and support. Thanks to my two sons, who are challenging me every day to be a better father. Thanks to my friends and co-authors for this amazing cybersecurity journey we are sharing together. Finally, I'd like to thank my beloved wife for her love, patience, and encouragement, and for always believing in me.

About the reviewers

Ludovic Paillard is co-founder and CTO at Soluss. He worked for several years as an analyst and engineer in a SOC. Ludovic is also involved in the training of computer science students. He is enthusiastic about data analysis and specializes in the Elastic Stack. His motto is "Make security actionable and accessible to all."

I would like to thank my wife, Yumi, for her indefectible support. I would also like to thank my partners, Sébastien and Sofiane, for the entrepreneurial adventure we share.

Finally, I would like to thank my former colleagues, who have been a source of inspiration and learning: Jérémy, Rémi, Samuel, and Simon.

Philip Pieterse is an information security consultant and manager with more than 20 years of experience in network and information security. Philip has led and supported the creation and deployment of penetration testing programs for global customers operating in multiple industries, including government and banking.

He has in-depth experience in developing comprehensive, customized penetration testing programs, including Red Team emulations. As a leader, he is highly skilled in establishing training and mentoring initiatives to cultivate high-performance teams.

Philip holds a master's degree in network and information security and has extensive training and certifications, including GXPN and GCPN through SANS and CISSP from (ISC)².

I want to thank my lovely wife, Celeste, and our three beautiful children, Connor, Cameron, and Zoey, for their continuous support and tolerance. You are always ready to pursue the next dream and push me to accomplish my goals. Thank you, I love you.
