We have talked about purple teaming at great length in a previous post, "Purple Teaming, here's what you need to know". Essentially, purple teaming is the execution of the Tactics, Techniques and Procedures (TTPs) of a threat actor on monitored systems, with the objective of identifying and bridging gaps in detection capabilities. We had a few comments on that blog post that such an activity seems daunting and requires an initial investment in both people and hardware resources.
We're writing this post hoping to prove that this is not the case and to identify shortcuts one can take in kick-starting their internal Purple Team program. As this post progresses, we will also identify areas where such shortcuts should not be made, as they would undermine the integrity of the project. Finally, this post's purpose is to get the Purple Team program off the ground, to the point where it starts producing results and its benefits become obvious; it does not present a finished activity. Once your organisation sees the benefits of the early stage of the program, an informed business case can be presented to management; the likelihood of a positive investment decision within this context is a lot higher than if you were to follow the traditional route.
No initial investment in hardware needs to be made. Why not reuse old company workstations and servers to host the systems used for purple teaming? We have successfully tested a very capable purple teaming lab using a 7-year-old laptop that was traded in for an upgrade by one of our analysts. Our old kit had 16GB of RAM available, so it could quite comfortably handle 4 VMs running at all times, which is all you need to mimic an Active Directory domain with a couple of clients connected to it and a couple of supporting services, all on a 7-year-old laptop.
The Purple Team program will consist of a systems lab where attacks will be taking place. Unfortunately, mirroring the infrastructure you have in play at your corporate network is one of the areas where shortcuts cannot be made. You will need to invest some time and mirror the exact configuration of your Active Directory server, the exact configuration of your end-user workstations, and all the software installed on them, everything to the T. This will ensure the integrity and applicability of your findings, and that these remain relevant for the real world, your live environment.
Software for your lab covers a wide area, so:
1. You will need a hypervisor in order to run those systems as guests on top of a host computer. Oracle VirtualBox, VMware ESXi, QEMU and KVM are all cost-free choices on that front. We prefer Oracle VirtualBox for reasons that will become obvious a bit later.
2. We are strong proponents of automation and instrumentation. While optional, this is highly recommended as your adversarial actions may cause the lab to go belly up at some point. As such, you will need a quick and easy way to rebuild the lab from scratch. Packer and Vagrant are freely available, play nice with most hypervisors – but have free plugins for VirtualBox (hence our preference comment above) – and can be used for easy lab creation and instrumentation. If you feel the learning curve will be too much and don’t mind rebuilding from scratch manually the first 2, 3, 4 times then you can skip this and add it in version 2.0 of your framework.
3. In addition to the above, you will need licenses for everything you install on top of the hypervisor whether it is operating systems, corporate software, antivirus, etc. We do not believe this will cause trouble to most corporate environments but if it does, then there may be trial versions one can use provided they are not crippled in any way.
4. With all of that in place, you will need something to kick start your Tactics, Techniques and Procedures (TTP) execution capabilities. A fair amount of effort and research has been put on that front lately and a few excellent freeware tools have been produced and made available to the general public on the back of that. Our post - Purple Teaming What You Need to Know - names a few, and others have been made available since such as the Purple Team Attack Automation framework built on top of Metasploit. Our advice is to Think Big but Start Small. Pick one where you are familiar with its underlying technologies; use it to start getting mileage on purple teaming and getting some results. Then you can move to a more advanced/complex framework.
Yeah, you are going to need a bit of time as well. You will need to invest time to build the lab from the ground up. Host and guest operating systems should not represent a major struggle, as all you will need is to stick a DVD in – even virtually – and click next; but building and configuring it to match your environment will take time. More time will be needed to make the building and configuring process repeatable and seamless, but that will pay dividends afterwards. In addition to that, you will need time to customise the attacks in the chosen framework to mirror your environment as closely as possible. We do not expect much of that, as most are built quite generically, but this is something that will need to be factored in. Finally, you will need time to investigate the outcome of each attack: where everything is being logged, and tuning and validating your actions.
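The last step above, checking where each executed TTP shows up in the logs and recording which ones left no trace, is the part of the exercise that produces the detection-gap list. The following is an added example, not code from the original post or from any of the frameworks it names. It assumes the lab exports process-creation, logon and scheduled-task events as JSON lines with the field names shown (a simplification of Windows event telemetry; your SIEM's field names will differ), runs each TTP's expected-evidence predicate over a few constructed sample events, and reports the techniques for which no evidence was logged.

```python
"""Detection-coverage check for a purple team run (added example).

Assumed input: one JSON object per line with fields such as event_id,
host, parent, image, user, logon_type. Sample events below are constructed
for this example and are not real telemetry.
"""
import json
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed sample events, loosely modelled on Windows Security events:
# 4688 process creation, 4624 logon (type 3 = network), 4698 task created.
SAMPLE_LOG = """
{"event_id": 4688, "host": "WS01", "parent": "WINWORD.EXE", "image": "cmd.exe", "user": "alice"}
{"event_id": 4688, "host": "WS01", "parent": "explorer.exe", "image": "notepad.exe", "user": "alice"}
{"event_id": 4624, "host": "SRV01", "logon_type": 3, "user": "alice", "src_ip": "10.0.0.11"}
{"event_id": 4688, "host": "SRV01", "parent": "services.exe", "image": "backup.exe", "user": "SYSTEM"}
""".strip()


@dataclass
class TTP:
    technique: str                      # ATT&CK technique id, e.g. T1059
    name: str
    expected: Callable[[dict], bool]    # does this event evidence the TTP?


@dataclass
class Result:
    technique: str
    name: str
    detected: bool
    evidence: List[dict] = field(default_factory=list)


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines telemetry; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


# The catalogue of TTPs executed in the lab and the telemetry each should
# leave behind. Predicates are deliberately simple; tune them to your logs.
CATALOGUE = [
    TTP("T1059", "Command interpreter spawned by an Office application",
        lambda e: e.get("event_id") == 4688
        and str(e.get("parent", "")).lower() in {"winword.exe", "excel.exe"}
        and str(e.get("image", "")).lower() in {"cmd.exe", "powershell.exe"}),
    TTP("T1021", "Network logon to a server (lateral movement)",
        lambda e: e.get("event_id") == 4624 and e.get("logon_type") == 3),
    TTP("T1053", "Scheduled task created",
        lambda e: e.get("event_id") == 4698),
]


def coverage(ttps: List[TTP], events: List[dict]) -> List[Result]:
    """For each TTP, collect the events that evidence it."""
    results = []
    for t in ttps:
        hits = [e for e in events if t.expected(e)]
        results.append(Result(t.technique, t.name, bool(hits), hits))
    return results


def gaps(results: List[Result]) -> List[str]:
    """Techniques that were executed but left no expected evidence."""
    return [r.technique for r in results if not r.detected]


if __name__ == "__main__":
    res = coverage(CATALOGUE, parse_log(SAMPLE_LOG))
    for r in res:
        status = "DETECTED" if r.detected else "GAP"
        print(f"{r.technique:6} {status:8} {r.name} ({len(r.evidence)} event(s))")
    print("Gaps to work on:", ", ".join(gaps(res)) or "none")
```

On the constructed sample the first two techniques have evidence and T1053 is reported as a gap, because no 4698 event was exported; that is the kind of finding (the action ran, the log source was not collected) that the exercise is meant to surface. Keep the catalogue under version control alongside the lab definition, so each rebuild of the lab re-runs the same checks.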
Hopefully, by now you will have realised that building a lab like this is not as difficult or as expensive as it was originally perceived to be. A motto we like, and we mentioned already once in this post, is Think Big but Start Small so you don’t need to run every TTP in your arsenal in one go – this will be daunting for every InfoSec professional. Choose those that you think matter most to your environment, pick those that you think your environment is more susceptible to, or pick high profile ones such as those related to Code Execution and Lateral Movement.
Armed with eye-watering results obtained using a relatively small budget, you can then present a much stronger case to decision makers inside your company. The true value of a full-on Purple Team Program should hopefully become quite obvious.