Course Description
Red and blue Teams often find themselves pitted against each other. This stems from the fact that their goals during an exercise are not always aligned. The red team aims to behave like a realistic threat actor and evade defenses to reach certain objectives in the targeted network. The blue team, often already swamped with ongoing activity, attempts to block, detect and react to all attacks on the organization.
Red teamers are measured in stealth and how many objectives were achieved. Blue teams are measured in Mean Time to Detect (MTD) and Mean Time to Respond (MTR), how quickly they can contain and eliminate the threat. However, both parties individually spend significant time researching the same attacker techniques to improve their toolkits & skillsets instead of working together against the real adversary. Why not work together? Enter Purple Teaming.
This hands-on training connects red and blue in a series of live attack-defense exercises and demos. The group of participants will be split in two teams. On day one, the first team will be guided to attack a simulated corporate active directory environment. The other team will have access to defensive tooling to detect and respond to the attacks. On the second day, the teams change roles, and the exercise is repeated for a different attack path.
Along the way, there will be regular purple team meetings, where the blue team presents detections and actions taken and the red team explains the executed techniques. Both days culminate in a lessons-learned moment, where you will be able to network and interact with your counterparts on the other side.
Course contents
Both teams will be guided separately by an instructor during the exercise and will have access to all PowerPoints from both days at the end of the training. This training aims to present a mix of obvious and less-obvious attack techniques to red teamers and gives insight on detection by using open-source tooling for the blue teamers. The participating teams change roles on the second day.
Day Schedule
- Introduction to the lab environment
- Testing VPN connection & VM access
- Preparation and introduction to the exercise
- Red team & blue team activities
- Frequent Purple Team meetings
- Lessons learned
Red Team Overview
The attacking side will follow the Unified Kill Chain. Topics covered on the red team side include:
- Introduction to red teaming
- Introduction to Cobalt Strike
- Introduction to BloodHound & active directory attacks
- Establishing a foothold
- Credential dumping
- Lateral movement
- Persistence
- Achieving client objectives
All members of the Red Team can access a personal Windows Server VM with several tools, including:
- Cobalt Strike client with connection to Cobalt Strike team server
- Various Beacon Object Files & CNA scripts to extend Cobalt Strike’s functionality
- Various CSharp tools for in-memory execution
Most tools (except Cobalt Strike) are completely free and open source.
Blue Team Overview
- Introduction to detection tooling in the lab (free and/or open source):
- Wazuh (Elastic & OSSEC based SIEM) with custom detection rules and additional log sources:
- Sysmon
- Sysmon4Linux
- Auditd
- Elastic Agent with Security in detection mode (Free EDR)
- Velociraptor for artifact collection and live incident response
- Wazuh (Elastic & OSSEC based SIEM) with custom detection rules and additional log sources:
- Detecting activity and posting IOCs
- Eliminate Red Team footholds (later during the day)
We hope after this training you will be able to:
- Trigger more interaction between red and blue teamers in your organization
- Identify how red and blue can work together to identify and close the gaps in your defense, improving detection and response capability
- Better understand how both sides operate
- Better understand attacker techniques.
Who should take this course?
This course is intended for:
- Blue teamers who want to learn and understand the offensive side
- Pentesters/red teamers who want to learn and understand the defensive side
No prior red team experience is required. Most of the tools used in the lab are free and/or open source.
Hardware Requirements
Any OS with Wireguard support and RDP client should do. You will get access to a Windows Attacker VM in the target network over VPN.
Additionally, Bring your own Linux VM, preferable Kali.
Trainer Biography
Dennis Van Elst is a red team operator, infosec lecturer and purple team advocate. At DXC, he actively promotes collaboration between the Strikeforce red team and Blue Teams, such as Threat Hunting, Digital Forensics, Incident Response and Threat Intel. This resulted in several internal workshops focusing topics like defense evasion, active directory attacks and edge attacks, where the red team prepares various attacks and the Blue Team verifies & improves detection.
At Thomas More Belgium, he teaches second bachelors the basics of Ethical Hacking & Penetration Testing. Third bachelor students are pitted against each other in red team – blue team exercises, where one side of the class attacks a simulated corporate environment and the other side defends, using free and open-source software.
His view on information security is that the practical approach results in a better understanding of both the offensive and defensive perspective, ultimately improving both sides. The best way to completely understand a technical topic is by doing it! Dennis brings this approach to the classroom and organizes the training from the red team’s point of view.
- LinkedIn: https://be.linkedin.com/in/dennis-van-elst
- Twitter: @0xbad53c
- GitHub: https://github.com/0xbad53c
Thomas Eugène is a threat hunter and incident responder. Before DXC, Thomas was part of the CERT.be Team, supporting and coordinating the incident response team, publishing advisories, providing advice to improve security for citizens and Belgian companies.
At DXC, he worked for the DXC TVM EMEA pentest team, before moving to the global Threat Hunting team. Consequently, Thomas developed a good understanding of differences between the offensive and defensive side. This knowledge helped him develop a collaboration between the blue and red team.
He actively promotes this partnership through internal meetings and workshops. During the training, he will bring the blue team point of view.