Practical Purple Team | TryHackMe Atomic Bird Goes Purple #1
We covered practical purple teaming by conducting threat emulation with Atomic Red Team and examining the impact of that emulation by investigating and analyzing the resulting logs. We used the TryHackMe Atomic Bird Goes Purple #1 room, which is part of the SOC Level 2 track.
Purple Teaming & Threat Emulation
The importance of Threat Emulation is invaluable when it comes to enhancing an organisation’s cyber security posture or security team’s capability. Threat Emulation is the process of simulating and replicating the tactics, techniques and procedures (TTPs) of selected threats (according to the organisation/team’s needs and current status) in a controlled environment. This includes recreating attack scenarios as detailed as possible to focus on each step of the attack chain for improving detection abilities, revealing gaps and weaknesses, and testing the effectiveness of the implemented security controls.
This process can be carried out through various methods, including red teaming activities, penetration testing, and purpose-built emulation tools. This room uses the Atomic Red Team project to simulate attacks.
A well-configured endpoint will generate sufficient log files for threat emulation tests. Additional detection tools also increase visibility, and various options exist. This room uses Aurora EDR and Sysmon to increase the visibility of each test and enrich the logs. The purpose of the exercises is to view the results of the tests as they are and to observe the activity details and artefacts, which are crucial for detection.
You are expected to execute the given custom tests and then investigate the logs and system activity for each test. The most important outcome of the exercise is executing a test and following up on its actions right after it: log, directory and registry investigation. You must consider everything from both the Red and Blue perspectives to go Purple!
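The execute-then-investigate loop described above, as an added PowerShell example (not code from the room or from the Atomic Red Team project): it runs one atomic test, then pulls the Sysmon process, file and registry events written during that window before running the test's cleanup. It assumes the Invoke-AtomicRedTeam module and Sysmon are installed on the endpoint, and the technique and test number at the bottom are assumptions, not the room's assigned tests.

```powershell
# Added example, not from the room or the Atomic Red Team project.
# Assumes: Invoke-AtomicRedTeam module installed, Sysmon running and writing to
# the Microsoft-Windows-Sysmon/Operational log.
Import-Module Invoke-AtomicRedTeam

function Get-SysmonArtefacts {
    param([Parameter(Mandatory)] [datetime] $Since)
    # Sysmon IDs 1 (process create), 11 (file create), 12/13 (registry key/value)
    # map onto the exercise's three investigation areas: log, directory, registry.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 11, 12, 13
        StartTime = $Since
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $evt  = $_
        $data = @{}
        foreach ($n in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # Pick the field that best describes what the event touched.
        $detail = switch ($evt.Id) { 1 { $data['CommandLine'] } 11 { $data['TargetFilename'] } default { $data['TargetObject'] } }
        [pscustomobject]@{
            Time    = $evt.TimeCreated
            EventId = $evt.Id
            Image   = $data['Image']
            Detail  = $detail
        }
    }
}

function Invoke-PurpleTest {
    param([Parameter(Mandatory)] [string] $TechniqueId, [int[]] $TestNumbers = 1)
    $start = Get-Date                                  # only events after this mark are reviewed
    Invoke-AtomicTest $TechniqueId -TestNumbers $TestNumbers -GetPrereqs
    Invoke-AtomicTest $TechniqueId -TestNumbers $TestNumbers          # Red: execute the test
    Start-Sleep -Seconds 5                             # let Sysmon flush its events
    $events = Get-SysmonArtefacts -Since $start        # Blue: collect before cleanup removes artefacts
    Invoke-AtomicTest $TechniqueId -TestNumbers $TestNumbers -Cleanup
    $events | Sort-Object Time
}

# Assumed technique/test (not from the room): scheduled task creation, which produces a
# process (schtasks.exe), a file under System32\Tasks and TaskCache registry writes.
Invoke-PurpleTest -TechniqueId 'T1053.005' -TestNumbers 1 | Format-Table -AutoSize
```

Run it from an elevated PowerShell session, since reading the Sysmon log and running most atomic tests require administrator rights.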
Threat Emulation Methodologies
MITRE ATT&CK
The MITRE ATT&CK Framework is an industry-known knowledge base that provides information about adversarial TTPs observed in actual attacks and breaches. Threat emulation teams benefit from integrating ATT&CK into their engagements because it gives a shared vocabulary for reporting on, and writing mitigations for, the behaviours that were emulated.
Atomic Red Team
Atomic Red Team is an open-source project that provides a framework for performing security testing and threat emulation. It consists of tools and techniques that can be used to simulate various types of attacks and security threats, such as malware, phishing attacks, and network compromise. The Atomic Red Team aims to help security professionals assess the effectiveness of their organization’s security controls and incident response processes and identify areas for improvement.
TIBER-EU Framework
The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is the European framework developed to deliver controlled, bespoke, intelligence-led emulation testing on entities and organizations’ critical live production systems. It is meant to provide a guideline for stakeholders to test and improve cyber resilience through controlled adversary actions.
CTID Adversary Emulation Library
The Center for Threat-Informed Defense is a non-profit research and development organization operated by MITRE Engenuity. Its mission is to promote the practice of threat-informed defence. With this mission, they have curated an open-source adversary emulation plan library, allowing organisations to use the plans to evaluate their capabilities against real-world threats.
CALDERA
CALDERA is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences. Additionally, blue teamers can also use CALDERA to perform automated incident response actions through deployed agents. This functionality aids in identifying TTPs that other security tools may not detect or prevent.
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Atomic Bird Goes Purple #1
Room answers can be found here.
Video Walkthrough | TryHackMe Atomic Bird Goes Purple #1