Purple Teaming: The Best of Both Worlds

Presented at BSides Austin 2016, March 31, 2016, 1:30 p.m. (60 minutes)

As Blue Teamers, we're constantly on the lookout for the out-of-place, legit or not. We scan hosts, monitor logs, and build dashboards. But how do we know we're looking for the right thing? In this talk, we're going to pit blue team against red team, and expand our knowledge of common attack events. In a new presentation format, we're going to compromise a host via a red team method and immediately analyze for any DFIR artifacts left behind. Attendees of this talk will gain immediate knowledge of how attackers do what they do, and how defenders do what they do. We can't always be right next to a breach, but the more we know, the closer we are.

Presenters:

  • Matt Bromiley
    Matt has over 4 years' experience in incident response, digital forensics, and network security monitoring. He recently joined the team at Mandiant. His skills include disk, database, and network forensics, incident response/triage, and log analytics. Matt has helped organizations of all sizes with their forensic and IR needs, from local banks to large, multinational conglomerates. Matt's passion for DFIR helps him explore new topics with hopes of addressing previously unanswered questions. When not jamming with the console cowboys in cyberspace, Matt can be found with his family, sometimes hidden in a cloud of sweet, delicious smoke from a Texas BBQ pit.
  • Thomas Arnold
    Thomas is a Principal Consultant with Mandiant and has over 5 years' experience in digital forensics, incident response, and malware analysis/reverse engineering. He has been with Mandiant for almost 2 years, and previously worked as a US Government employee performing IR and malware analysis. Before becoming involved in information security, Thomas worked as a NASA propulsion flight controller, helping to launch Space Shuttles from Mission Control.