My 5-year-old just tried to bypass Roblox's verification to unlock chat features using this fake picture. It didn't work... this time.
Nice try, kid. Keep practicing. Soon you'll be hacking the planet!


| GitHub | https://github.com/cgoncalves1 |
| LinkedIn | https://www.linkedin.com/in/carlosecg/ |
| Twitter | https://twitter.com/cgoncalves1 |
| Website | https://www.carlosgoncalves.org |
Just a few more days and I’ll be in San Francisco for the RSA Conference for the first time. I’ll be hosting two sessions: a talk titled “Lessons Learned from Implementing an Intel-driven Purple Teaming Process,” and a Birds of a Feather session titled “Is Threat Intel Answering the Right Questions?”
If you’ll be around, ping me. I would love to meet fellow practitioners there.
If you’re 🇧🇷, then hit me up so we can chat!
Is Threat Intel answering the right questions?
Many of us rely on threat intelligence to guide our defenses, but which aspects truly matter most? Are IOCs by themselves enough? Does focusing on who is behind an attack overshadow more pressing concerns? And how might TTPs fit into the big picture?
I’d love to hear your thoughts and experiences. Let’s discuss what threat intel does well, where it falls short, and whether we’re asking the right questions in the first place.
@claushoumann Hey, thanks for bringing this up, it’s definitely not provoking! In my organization, the DE tasks are handled by our SOC teams. When I mention the blue team in my talk, it's just a general term, we actually have six teams focused on defense and incident response.
You make a great point that CTI data might not always be useful for defenders, and this was something I was concerned about when I took over the CTI team. In our early rounds of purple teaming, we noticed that our defense success was getting worse. Collaboration wasn't great, and the defense teams ended up with a pile of reports that weren't helpful.
That's when we decided to switch things up and get all the teams directly involved in the purple teaming exercises. Now, DE is done by defenders within one of our SOC teams, working together with the other teams - CTI, incident response and red team - during these exercises. We only move to the next exercise when all the DE tasks are done, even if it means that the detection team says that they can't do anything with what we have now.
That's how we're trying to make all the data - from CTI insights to red team activities - actually meaningful and actionable for our defense and risk teams.
@thekileen thanks for the questions. Let's break it down.
Vectr is being used right now as a tool for managing the purple team campaigns. We ingest intel data, create the test cases and extract reports from there. The red team decides how to execute their part, whether it's with tools like Caldera, Cymulate, or even launching attacks manually.
Yes, we took an assumed breach approach. It doesn't mean that the organization is ignoring initial access, we have other initiatives focusing on that. But we think that this helps us focus on the real risk once someone gets in, and at the same time we're covering the insider threat. Also, the reason for this links with the third question.
We're using Mitre's Top ATT&CK Techniques (https://top-attack-techniques.mitre-engenuity.org/) to help us prioritize technique simulations. When applying this methodology, initial access and impact rarely rank as top priorities. With limited resources and time, we're heavily relying on the concepts of choke points and actionability from the methodology to select which techniques to simulate.
And, as I mentioned in the talk, it's important to reassess the top techniques regularly to make sure they align with your needs, especially as your defense capacity improves for certain tactics.
Oh, and I haven't even mentioned how the risk team joins the purple team exercise...
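The reply above describes prioritizing which techniques to simulate using the choke point and actionability ideas from MITRE's Top ATT&CK Techniques, and reassessing as detection improves. The following is an added illustration, not the author's process and not MITRE's calculator: the weights, the 0-to-1 scores and the detection-coverage figures are constructed for the example, and the discount by current coverage is an assumed way of modelling the "reassess as defense capacity improves" point.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Technique:
    tid: str
    name: str
    actionability: float       # 0..1, assumed: how much public detection/mitigation guidance exists
    choke_point: float         # 0..1, assumed: how many attack paths have to pass through it
    detection_coverage: float  # 0..1, assumed: our own success rate from earlier purple team rounds

# Assumed weights; MITRE's calculator lets you set your own, these are not its defaults.
WEIGHTS = {"actionability": 0.5, "choke_point": 0.5}

def priority(t: Technique, weights=WEIGHTS) -> float:
    """Score a technique for the next simulation round.

    The base score rewards techniques that are both actionable and choke points.
    It is then discounted by what we already detect, so a technique we handle
    well drops down the list and frees red team time for weaker spots.
    """
    base = weights["actionability"] * t.actionability + weights["choke_point"] * t.choke_point
    return base * (1.0 - t.detection_coverage)

def rank(techniques, weights=WEIGHTS):
    """Return techniques ordered from highest to lowest simulation priority."""
    return sorted(techniques, key=lambda t: priority(t, weights), reverse=True)

def reassess(techniques, tid: str, new_coverage: float):
    """Re-rank after a purple team round changed our coverage of one technique."""
    updated = [replace(t, detection_coverage=new_coverage) if t.tid == tid else t
               for t in techniques]
    return rank(updated)

# Constructed sample: real ATT&CK IDs, made-up scores for illustration only.
SAMPLE = [
    Technique("T1059", "Command and Scripting Interpreter", 0.9, 0.9, 0.2),
    Technique("T1566", "Phishing (initial access)",          0.7, 0.3, 0.5),
    Technique("T1486", "Data Encrypted for Impact",          0.4, 0.1, 0.1),
    Technique("T1003", "OS Credential Dumping",              0.8, 0.8, 0.6),
    Technique("T1078", "Valid Accounts",                     0.6, 0.9, 0.3),
]

if __name__ == "__main__":
    for t in rank(SAMPLE):
        print(f"{t.tid} {priority(t):.3f} {t.name}")
    print("after improving T1059 coverage to 0.9:")
    for t in reassess(SAMPLE, "T1059", 0.9):
        print(f"{t.tid} {priority(t):.3f} {t.name}")
```

With these constructed numbers, initial access and impact techniques land at the bottom of the list, matching the observation in the reply, and once coverage of T1059 improves it falls to the end, which is the reassessment step the reply recommends.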
My talk at @BSidesLV is now available! In this session I shared insights on how we’re using purple teaming and threat intelligence at Banco do Brasil to enhance our security strategy.
Catch the full video here and let me know your thoughts: https://youtu.be/Rx0wWb8zlQE