Preface

In this book, we will be building Purple Team strategies powered by relevant new approaches and practical implementations, leveraging Cyber Threat Intelligence (CTI) and the MITRE ATT&CK framework to enhance our prevention mechanisms and detection capabilities, as well as ensure continuous security improvements.

Who this book is for

This book is for anyone interested in understanding the concept of Purple Teaming and who is willing to test, emulate an adversary, and improve their cybersecurity posture. Whether you are an experienced penetration tester, member of a Security Operations Center (SOC) team, security engineer, security manager, or Chief Information Security Officer (CISO), this book will help you understand the concepts, gain experience through real-life examples, and highlight key takeaways to bring back home.

What this book covers

Chapter 1, Contextualizing Threats and Today's Challenges, defines the overall threat landscape and explains why we must adopt a proactive approach to cybersecurity. It also identifies the current issues with Red and Blue Teaming and defines the requirements for purple teaming.

Chapter 2, Purple Teaming – a Generic Approach and a New Model, defines purple teaming, including the core process and its different types of exercises and objectives. The chapter also introduces a new model for effectively applying purple teaming within your organization.

Chapter 3, Carrying Out Adversary Emulation with CTI, introduces the process of CTI and how it must be leveraged for effective and relevant purple teaming exercises.

Chapter 4, Threat Management – Detecting, Hunting, and Preventing, introduces the processes of managing threats by using threat hunting capability, detection engineering, and prevention mechanisms.

Chapter 5, Red Team Infrastructure, defines the red team infrastructure components used by both attackers and red teams. In particular, we will learn about the most common offensive frameworks and efficient phishing techniques, as well as how to leverage automation and cloud environments.

Chapter 6, Blue Team – Collect, describes the architecture required for efficient event collection. We also introduce the Windows Event Forwarding protocol and provide tips drawn from real-life experience.

Chapter 7, Blue Team – Detect, details data sources and solutions that can be used by a blue team for detection. The chapter also introduces the concept of deception through practical examples.

Chapter 8, Blue Team – Correlate, introduces the theory of correlation and describes how detections should be performed within a centralized place, such as a Security Information and Event Management (SIEM) system. The chapter also introduces common query languages that can be leveraged to ease investigation and incident response.

Chapter 9, Purple Team Infrastructure, describes the technology available to ease and automate the process of purple teaming. It introduces adversary emulation frameworks as well as breach and attack simulation tools. The chapter also introduces the theory behind DevOps and how it can be used to facilitate the process of purple teaming.

Chapter 10, Purple Teaming the ATT&CK Tactics, describes the most commonly used techniques for each tactic of the MITRE ATT&CK framework. For each technique, the chapter defines how to perform the activity from a Red Team point of view, as well as how to defend against such a technique.

Chapter 11, Purple Teaming with BAS and Adversary Emulation, puts into practice the theory learned throughout the book by leveraging different frameworks and solutions, while also highlighting the various maturity levels of purple teaming.

Chapter 12, PTX – Purple Teaming eXtended, puts into practice the new concept of PTX introduced in Chapter 2, Purple Teaming – a Generic Approach and a New Model, with concrete examples, leveraging a diffing technique.

Chapter 13, PTX – Automation and DevOps Approach, puts into practice the theory of DevOps introduced in Chapter 9, Purple Team Infrastructure, with concrete examples of how to implement it, especially the diffing approach.

Chapter 14, Exercise Wrap-Up and KPIs, concludes the book by presenting Key Performance Indicators (KPIs) and reporting ideas. This chapter also presents the authors' view on the future of purple teaming.

To get the most out of this book

You should ideally have some experience in cybersecurity to get the most out of this book. SOC or penetration testing experience in particular will help you build better services and solutions.

Being familiar with a scripting language such as Python or PowerShell and having experience managing Windows and/or Linux is a plus, but not necessary to enjoy the book.

If you are using the digital version of this book, we advise you to type the code yourself or access the code from the book's GitHub repository (a link is available in the next section). Doing so will help you avoid any potential errors related to the copying and pasting of code.

Download the example code files

You can download the example code files for this book from GitHub at https://github.com/PacktPublishing/Purple-Team-Strategies. If there's an update to the code, it will be updated in the GitHub repository.

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Download the color images

We also provide a PDF file that has color images of the screenshots and diagrams used in this book. You can download it here: https://static.packt-cdn.com/downloads/9781801074292_ColorImages.pdf

Conventions used

There are a number of text conventions used throughout this book.

Code in text: Indicates code words in the text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles. Here is an example: "Cobalt Strike implements another technique to perform privilege escalation, which is the elevate svc-exe command."

A block of code is set as follows:

geoip {
  fields => [city_name, continent_code, country_code3, country_name, region_name, location]
  source => "source_ip"
  target => "source_geo"
}

When we wish to draw your attention to a particular part of a code block, the relevant lines or items are set in bold:

<q2:Data>Server=http://wec01.mydomain.com:5985/wsman/SubscriptionManager/WEC,Refresh=3600</q2:Data>
</q2:Element>
</q2:Value>
</q2:ListBox>

Any command-line input or output is written as follows:

# Display a specific subscription in XML format
wecutil gs "Authentication" /format:XML

# Delete subscription
wecutil ds "Authentication"

Bold: Indicates a new term, an important word, or words that you see on screen. For instance, words in menus or dialog boxes appear in bold. Here is an example: "The Knowledge | Tools view allows us to see any relationships."

Tips or Important Notes

Appear like this.

Get in touch

Feedback from our readers is always welcome.

General feedback: If you have questions about any aspect of this book, email us at [email protected] and mention the book title in the subject of your message.

Errata: Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you have found a mistake in this book, we would be grateful if you would report this to us. Please visit www.packtpub.com/support/errata and fill in the form.

Piracy: If you come across any illegal copies of our works in any form on the internet, we would be grateful if you would provide us with the location address or website name. Please contact us at [email protected] with a link to the material.

If you are interested in becoming an author: If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, please visit authors.packtpub.com.

Share Your Thoughts

Once you've read Purple Team Strategies, we'd love to hear your thoughts! Please click here to go straight to the Amazon review page for this book and share your feedback.

Your review is important to us and the tech community and will help us make sure we're delivering excellent quality content.
