My talk at @BSidesLV is now available! In this session I shared insights on how we’re using purple teaming and threat intelligence at Banco do Brasil to enhance our security strategy.

Catch the full video here and let me know your thoughts: https://youtu.be/Rx0wWb8zlQE

#CyberSecurity #PurpleTeaming #ThreatIntel #BSidesLV


@cgoncalves @BSidesLV thanks for sharing!!! I’m looking forward to watching this and others this next week.
@cgoncalves @BSidesLV Interesting, @cgoncalves. We've implemented a brand new type of tool to enhance purple teaming and make CTI data actionable for detection engineering teams. See #OpenTIDE if interested.

@cgoncalves I appreciated your honesty when it came to developing your Purple Team workflow! To be frank, I’ve seen Vectr mentioned before, but I have not used it. I see that you use Vectr to build an executable that launches the campaign. I’ve previously used Caldera to do something similar, but instead of an executable, the Caldera agent acts as a Remote Access Trojan on an endpoint. I would like to hear about why you selected Vectr instead of something else.

It also sounded like the assumption was the red team exercise started at the point that someone has already gotten inside your network aka “assume breach.” Is that correct? You were more interested in spending time detecting the threat activity after the initial access was established…hence the whole purpose of purple-teaming.

I’d be curious to hear about how your CTI team prioritizes certain Mitre Att&ck techniques to use within the Purple Team exercise.

@thekileen thanks for the questions. Let's break it down.

Vectr is being used right now as a tool for managing the purple team campaigns. We ingest intel data, create the test cases and extract reports from there. The red team decides how to execute their part, whether it's with tools like Caldera, Cymulate, or even launching attacks manually.

Yes, we took an assumed breach approach. It doesn't mean that the organization is ignoring initial access; we have other initiatives focusing on that. But we think that this helps us focus on the real risk once someone gets in, and at the same time we're covering the insider threat. Also, the reason for this links with the third question.

We're using Mitre's Top ATT&CK Techniques (https://top-attack-techniques.mitre-engenuity.org/) to help us prioritize technique simulations. When applying this methodology, initial access and impact rarely rank as top priorities. With limited resources and time, we're heavily relying on the concepts of choke points and actionability from the methodology to select which techniques to simulate.

And, as I mentioned in the talk, it's important to reassess the top techniques regularly to make sure they align with your needs, especially as your defense capacity improves for certain tactics.

Oh, and I haven't even mentioned how the risk team joins the purple team exercise...
