1. InfoconDB
  2. Diana Initiative
  3. Diana Initiative 2023
  4. The Virtuous Cycle of Hunt-Focused Purple Teaming

The Virtuous Cycle of Hunt-Focused Purple Teaming

Presented at Diana Initiative 2023, Aug. 7, 2023, 4 p.m. (60 minutes)

In many organizations, defenders are siloed and operate almost independently from offensive security teams. Why should tasks such as novel attack technique research, custom payload creation, detection capability assessment, and hypothesis-based hunting all be disparately executed? What if we can reduce duplicate effort and achieve all of this through a holistic approach? In this talk, we will take the listener through our journey to simulate, detect, and proactively hunt for malicious OneNote use, which was exploited widely as an infection vector in early 2023 campaigns. This case study will illustrate the effectiveness of the cyclical threat hunting methodology we adopt at WithSecure, powered by insights gathered from cross-team collaboration. For example, we will highlight how pairing blue teamers and red teamers on an exercise enables a positive feedback loop where the blue teamer goes home with a comprehensive set of behavioral detection rules, and the red teamer armed with knowledge of how best to evade them. Attendees will leave with an appreciation of the value of interconnected, purple-minded workflows in the detection engineering process, alongside actionable ideas for identifying outliers and reducing false positives using data-driven techniques.

Presenters:

  • Jojo O'Gorman - WithSecure
    Jojo O'Gorman has been threat hunting for WithSecure's Detection and Response Team for the last 2 years. Her time is split between data-driven threat hunting, incident response, detection engineering and threat emulation. Passionate about encouraging collaboration, she runs successful internal purple team exercises, bringing together blue and red teamers to improve the service through their shared technical knowledge and practical experiences.
  • Poppaea McDermott - WithSecure
    Poppaea has been a Threat Hunter in WithSecure’s Countercept Detection and Response Team since 2021. Prior to her current role, she was a member of the Ethical Hacking team in PwC UK’s Cyber Threat Operations pillar. She is particularly interested in exploring how data science techniques can be leveraged in threat hunting and detection engineering workflows.

Links:

Similar Presentations: