Security Risk Advisors Threat Simulation

Purple Team Simulations build on red teaming and penetration testing and facilitate collaboration with your security analysts to validate the effectiveness of current detection capabilities, and to identify, close and tune detection gaps in existing defensive toolsets.

It is not just a reproduction of a red team exercise, but rather opening the entire red team playbook to understand the indicators of attack and steps taken that allowed successful exploitation, escalation, and lateral movement on the internal network. We will execute various testing scenarios across the cybersecurity “kill chain”:

  • Recon
  • Exploitation
  • Privilege Escalation
  • Lateral Movement
  • Data Exfiltration

Enhanced Detection

Prior to executing the Purple Team Simulation and Analysis, we will first work with stakeholders to understand and document current detection toolsets and processes. We use our proprietary VECTR™ reporting and analysis tool to provide structure for the engagement. VECTR™ documents Purple Team test cases and objectives, Red Team attacker tools, Blue Team primary and secondary detection layers, successful detection criteria, and testing outcome. Based on the results observed we will provide guidance on general measures and specific toolset configurations that can be used to further enhance detection and response capabilities.

Common Campaigns and Use Cases

We expect to focus on the following categories:

Early indicators of compromise

These simulate the most common techniques an attacker uses to identify vulnerable systems and avenues of attack. These include both internal and external network and systems reconnaissance and targeted brute force attacks against authentication prompts.

Account Abuse

Account abuse simulates an attacker who has obtained valid credentials, including Windows domain credentials. Misuse scenarios include attempting to gain remote access to the internal network from the Internet and authenticating to customer portals from unknown machines and locations.

Spear phishing technical defenses

Working directly with you, we simulate email attacks designed to sequentially bypass each layer of defenses (inbound, desktop, outbound). We use progressively more sophisticated methods to measure the effectiveness of detection controls and to show how increasingly stealthy methods can be detected.

Malware detection and response

Simulates malware on workstations by placing benign commodity and custom malware samples on a workstation to measure the effectiveness of the detection and response procedures currently in place.

Lateral movement and protected resources breach

Performing tests to simulate user-to-admin privilege escalation on the network, network segmentation testing, misuse of service and privileged accounts, movement across the network, and access to sensitive data. This testing improves systems and network hardening but, more importantly, identifies opportunities to improve security event detection and correlation.

C2 and data exfiltration

Demonstrating, as appropriate, the end goal of the attacker. We use advanced methods to identify and describe how dedicated external or internal threats could send confidential information outside of the network from in-scope workstations, virtual desktops, and internal systems. This testing uses a variety of C2 channels, including covert channels over a combination of encrypted and unencrypted protocols.