Going Atomic: The Strengths and Weaknesses of a Technique-centric Purple Teaming Approach

Presented at Blue Team Con 2022, Aug. 27, 2022, 11:20 a.m. (30 minutes).

Atomic purple teaming, i.e. testing individual permutations of offensive techniques outside of a scenario-based exercise, offers an approach that can maximise kill chain coverage and provides a means to benchmark a SOC's detective capability.

Initially, the methodology for atomic testing will be presented, alongside example results from a typical engagement. We'll evaluate the significant data set that such testing can produce - e.g. which test cases produce telemetry, which produce alerts, which were prevented - and consider its application in informing SOC strategy, demonstrating Return on Investment, and providing insight into general security posture.
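As an added illustration of the kind of data set the abstract describes (not code from the talk or its presenter), the script below takes the per-test-case outcomes of an atomic engagement and turns them into the benchmarks a SOC would report on: visibility per kill-chain stage, actionable detection rate, and the list of blind spots. The ATT&CK technique ids are real, but every procedure variant and outcome in SAMPLE_RESULTS is constructed for the example and does not describe any real environment.

```python
"""Benchmark a SOC's detective capability from atomic purple-team results.

Added example; not code from the talk. The test cases and their outcomes
below are constructed, not results from any real engagement.
"""
from collections import Counter
from dataclasses import dataclass

# Outcomes of one atomic test case, weakest first. "telemetry" means the
# activity was logged but nothing fired; "alert" means the SOC was notified;
# "prevented" means a control blocked the procedure outright.
OUTCOMES = ("none", "telemetry", "alert", "prevented")


@dataclass(frozen=True)
class AtomicResult:
    technique: str   # MITRE ATT&CK technique id
    tactic: str      # kill-chain stage the technique serves
    procedure: str   # the specific permutation exercised
    outcome: str     # one of OUTCOMES

    def __post_init__(self):
        if self.outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {self.outcome!r} for {self.technique}")


# Constructed sample engagement: two permutations per technique so that
# coverage differences between variants of the same technique are visible.
SAMPLE_RESULTS = [
    AtomicResult("T1059.001", "execution", "encoded command", "alert"),
    AtomicResult("T1059.001", "execution", "download cradle", "telemetry"),
    AtomicResult("T1003.001", "credential-access", "procdump of lsass", "prevented"),
    AtomicResult("T1003.001", "credential-access", "comsvcs minidump", "telemetry"),
    AtomicResult("T1053.005", "persistence", "schtasks create", "alert"),
    AtomicResult("T1547.001", "persistence", "HKCU run key", "none"),
    AtomicResult("T1021.001", "lateral-movement", "interactive mstsc", "telemetry"),
    AtomicResult("T1021.001", "lateral-movement", "rdp via proxy", "none"),
]


def tally(results):
    """Per-tactic count of each outcome, e.g. {'persistence': Counter(alert=1, none=1)}."""
    by_tactic = {}
    for r in results:
        by_tactic.setdefault(r.tactic, Counter())[r.outcome] += 1
    return by_tactic


def rate(results, at_least="telemetry", tactic=None):
    """Fraction of test cases whose outcome is at least `at_least`.

    at_least="telemetry" measures visibility (did we see it at all);
    at_least="alert" measures actionable detection (alerted or prevented).
    """
    floor = OUTCOMES.index(at_least)
    pool = [r for r in results if tactic is None or r.tactic == tactic]
    if not pool:
        return 0.0
    hits = sum(1 for r in pool if OUTCOMES.index(r.outcome) >= floor)
    return hits / len(pool)


def gaps(results):
    """Test cases that produced no telemetry at all, sorted for reporting."""
    return sorted((r.technique, r.procedure) for r in results if r.outcome == "none")


def best_outcome_per_technique(results):
    """Strongest outcome seen for each technique.

    A technique can look covered here while one of its permutations is a
    blind spot, which is why results are kept per procedure, not per technique.
    """
    best = {}
    for r in results:
        current = best.get(r.technique)
        if current is None or OUTCOMES.index(r.outcome) > OUTCOMES.index(current):
            best[r.technique] = r.outcome
    return best


if __name__ == "__main__":
    for tactic, counts in sorted(tally(SAMPLE_RESULTS).items()):
        print(f"{tactic:18} visibility={rate(SAMPLE_RESULTS, tactic=tactic):.0%} "
              f"actionable={rate(SAMPLE_RESULTS, 'alert', tactic):.0%} {dict(counts)}")
    print("blind spots:", gaps(SAMPLE_RESULTS))
```

Keeping the result per procedure rather than per technique is the point of the "atomic" approach: on the constructed data, T1021.001 looks covered at the technique level (one variant produced telemetry) while the proxied variant produced nothing, and that blind spot only appears in the per-permutation gap list. Rerunning the same test set after a detection change and diffing the two rate tables is the benchmark the abstract refers to.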

This empirical, data-driven approach is invaluable in developing a bottom-up view of our defenses, i.e. understanding how our detection stack fares when faced with the tactics, techniques and procedures of real-world threat actors, but it is not a one-stop shop for adversary emulation. As such, this talk will consider the limitations of such an approach, and how other supplementary collaborative testing can offer a more complete view of detective capability.


Presenters:

  • Alfie Champion - Adversary Emulation Manager, TP ICAP
    Alfie specialises in the delivery of attack detection and adversary emulation services, actively contributing education content, tooling and blogs to further the industry. He has previously worked with organisations across multiple industry verticals to uplift and validate their detective capability through red or purple team engagements, and now leads the global adversary emulation function at a FTSE 250 company. He has previously spoken at BlackHat USA, RSA and T2.
