How Purple Teaming Made Me A Better Blue Teamer
The Fun Uncle
So, sit down and have a drink of your choice, because it’s story time with Uncle Bert. The fun uncle, not the weird one from birthdays. Or at least I hope. I’ve been a Blue Teamer for almost 15 years in various government positions; for example SOC analyst, forensics and building highly secure networks. However, the last 1.5 years I’ve been doing Purple Teaming at Chapter8, which has been a blast and during which time I’ve learned a lot!
This week we’re having a little obligated R&R with Chapter8, because it has been crazy busy and we owe it to ourselves, our families and our customers to stay healthy and fit. While I was sitting in my yard the other day, having an iced coffee and a cigar (not super healthy, I know, but one needs his hobbies), I found myself reflecting on the last year and a half. How we believe Purple Teaming is finally catching on, the people who believe in us and helped us move forward, but mainly on all the things that’ve happened and what I’ve learned from them. And that last thing is what I would like to share, because sharing knowledge and experience is one of the core principles of Purple Teaming.
While I know there are people who are equally good at Blue as they are at Red, I am not one of them. Although I need to know what the Red Team is up to, I’ve never been into hacking or pentesting myself that much. I’d rather find a breadcrumb and follow the trail to catch the baddies than be one of the baddies. Of course, I keep up with the latest and greatest in hackerland so I can try and defend against it, but I’m not much of a hacker myself (and that’s ok, folks!). That isn’t really something that changed over the last year and a half, but working closely with our Hacker has certainly changed my perspectives and mindset.
For example, I got a far greater insight into the tools and how they’re used, but most importantly the methodology and procedures behind it, especially regarding Living off the Land techniques. Seeing someone use his wits, while having to improvise, adapt and overcome is just different compared to reading it in a blog. This translates into me knowing how to improve my defenses. This could mean creating new or changing existing Use Cases for SIEM, writing detection rules, or deploying defensive or deception measures. And because every network infrastructure is different, this means new things to learn and defend against every time we go somewhere new. A great takeaway for defenders should be that no one-size-fits-all solution exists nor probably ever will exist, if that already wasn’t clear.
Talking to people
Purple means Blue and Red working together, not just me with our Hacker, but also us with the customer’s Blue Team, IT Administrators and CISO (if they have them). During the time that we spend at our customers, be it several weeks or years, we need to engage them in what we do. Because the purpose of a Purple Team Assignment is not to deliver a hefty 50-page report and say bye, but to leave them thinking that they’ve learned something and immediately reaped the benefits of working together. This can be better defensive measures, higher forensic readiness, a better equipped analyst or all of the above. We want them to feel that they’ve gained some experience, knowledge and concrete advice on the way forward. Because in the end, the greatest assets in cybersecurity aren’t the tools, but the people.
The difference for me, is that my former jobs usually had a different power balance; often as a senior talking to a junior or sometimes even enforcing legislation. Now, often it’s more of a teaching experience as an outsider, while usually also doing the hunting. And this comes in several forms, from the organisations where the IT admin is also the CISO and the log analyst, to the organisations with a full-blown SOC and everything around it. What’s really fun, is that it’s a different culture, workplace, infrastructure, history and people every time.
What this has taught me, is to really listen to the people’s stories. Why they are where they are, their struggles, how the Blue Team came or didn’t come to be, what they expect from us and how we can help each other. It’s the personal touch that makes Purple Teaming different from just sitting somewhere remote and trying to pentest their infrastructure. This often means dealing with some resistance. Some people get scared or defensive when you tell them it’s time to step up their game. That’s ok, during the time we’re there, we hope we can show that we’re there to help and not be the boogieman. Our Healer has helped me a great deal with this.
And of course, this differs for every organisation. The one I mentioned with a single Blue Teamer will require a different, more basic approach, where you sometimes have to bring your own SIEM or other measures. While a mature SOC (full-blown != mature) might only require dotting the i’s and crossing the t’s, with more focus on Incident Response and Forensic Readiness.
Keep having fun!
I know everything until now sounds a bit serious, because it is. This brings me to my next point: don’t stop having fun! For us as a squadron (Hacker/Hunter/Healer) things can get really stressful; Hacker is going after the customer’s crown jewels, Hunter is busy finding him with the Blue Team and training them how they can do this themselves, while Healer is helping both and writing reports and findings before the end of the Assignment. So what I (and we, I think) have learned is to celebrate the little victories to relieve some stress.
Finding that text file with passwords, creating a fileless backdoor while evading detection, the IDS seeing a port scan or the use of a honeytoken our Hacker found, should be cause for some joy! And sharing these with the customer is even more fun, because they get to see in real time what is going on so they can learn, but also what worked and have that as a win.
This is a different blog than I usually write, but I just felt that it was nice to share some more human experiences instead of another tool or guide. For me, it has been somewhat surprising how much more than the sum of its parts the whole is when bringing together the experiences of a Blue, Red and White Teamer, and how much I would learn (and still am learning!). I knew it would be successful, but not like this. Have any comments? You can hit me up on Twitter here. And on that note, I’ll just leave you with one of my favourite Douglas Adams quotes:
“I’d far rather be happy than right any day.”