The Roundup: Purple Team

MC: Dan DeCloss
Topic: Purple Team
Price: $0 (Free to Attendees)
December 02, 2021
Time: Noon to 5PM ET

“There truly is a collaborative aspect to Purple Teaming, which is in stark contrast to the traditional, adversarial nature of your Red and Blue Teams. All too often, Red and Blue Teams are concerned with outsmarting and outperforming one another. Purple Teaming is a reminder that whether you’re red or blue, you’re on the same team in the fight against external threats.”

Join Dan DeCloss from PlexTrac for this Roundup event.


Evan Peña, Managing Director, Professional Services at Mandiant

Evan Peña is the global Red Team Managing Director for Mandiant. Evan has over a decade of experience in enterprise information technology administration, leading covert red team operations to evaluate incident response procedures and assessing enterprise network defense capabilities from the perspective of an attacker. In addition, Evan participates in diverse security assessments of large government agencies and Fortune 500 companies. These networks comprise an online presence of hundreds of thousands of addresses around the world. Evan developed and was the lead instructor for the “Creative Red Teaming” training course that has been delivered at several leading conferences. Evan has also developed several open-source tools that have been released to the security community to enhance awareness in the community.

Twitter: @evan_pena2003

Adam Mashinchi, Director, Open Source Programs at Red Canary

Adam Mashinchi is the Director of Open Source Programs at Red Canary, where he manages the open source strategy and portfolio, including the teams, resources, and initiatives. Before Red Canary, Adam defined and managed the development of enterprise security and privacy solutions with an emphasis on adversary emulation and usable encryption at a global scale, leading numerous technical integration projects with a variety of partners and services. Adam brings with him a diverse technical background in enterprise systems administration, web and application development, mobile operating systems, and computer security. He holds a Master of Science in Applied Computer Science from Southern Oregon University with a focus on computer security and encryption. Adam is a member of the C2 Matrix team, as well as a regular attendee and participant at cybersecurity conferences such as DEFCON’s Red Team Village, Wild West Hackin’ Fest, and Grayhat, speaking on topics ranging from insider threats in modern enterprises to the basics of Red Teaming.

Twitter: @Adam_Mashinchi

Jorge Orchilles, Chief Technology Officer at SCYTHE

Jorge Orchilles is the Chief Technology Officer of SCYTHE, co-creator of the C2 Matrix project, and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of MITRE Engenuity Center of Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and National Security Institute. Previously, Jorge led the offensive security team at Citi for over 10 years.

Twitter: @jorgeorchilles

Maril Vernon, Offensive Security Engineer at Zoom Video Communications

Maril Vernon, @SheWhoHacks, is a Red Team Operator for Zoom Communications and PluralSight author, specializing in Red Teaming tools, Purple Team methodology, MITRE, and Cloud Security strategies. Maril’s expertise on VPN exploits was featured on the Cyber Security Forum Initiative, and she is a contributing editor of the latest CIS AWS Foundation Benchmark for cloud security. She broke into information security a year and a half ago and is an example of what you can achieve in a short time.

Twitter: @SheWhoHacks

Frank Duff, General Manager of ATT&CK Evaluations at MITRE Engenuity

Frank Duff is the General Manager for MITRE Engenuity’s ATT&CK Evaluations. Frank has spent over 15 years at the MITRE Corporation, starting in radar signal analysis and then transitioning to cyber security. He was on the forefront of early endpoint detection and response research, before leading a team responsible for developing and executing test methodologies. He now leverages this experience to foster public-private partnerships to drive organizational security and product improvement.

Twitter: @FrankDuff

Jamie Williams, Principal Adversary Emulation Engineer at MITRE

Jamie is an engineer for The MITRE Corporation where he works on various exciting efforts involving security operations and research, specializing in adversary emulation and behavior-based detections. He also leads teams that help shape and deliver the “adversary-touch” within MITRE ATT&CK® and MITRE Engenuity ATT&CK® Evaluations.

Twitter: @jamieantisocial

Time | Speaker | Presentation

12:00PM to 12:45PM ET | Jorge Orchilles | Title: Launching the Purple Team Exercise Framework v2

Abstract: The Purple Team Exercise Framework (PTEF) was launched over a year ago and received industry recognition as the standard for running Purple Team Exercises. The PTEF focuses on fostering collaboration in enterprises that have internal Cyber Threat Intelligence, Red, and Blue Teams. In the past year, we have seen an uptick of organizations and leaders understanding the efficiency and value that purple teaming provides but not having the internal resources to run these exercises. As such, and after many consulting engagements running Purple Team Exercises for clients, we have updated the PTEF and are launching version 2. PTEFv2 implements lessons learned and feedback provided by enterprises, partners, consultants, and managed service providers that have begun offering Purple Team Exercises as professional services. With PTEFv2, it does not matter where you work or what your role is, you can now implement Purple Team Exercises to bring the full value purple teaming provides.

1:00PM to 1:45PM ET | Maril Vernon | Title: Pioneering a Purple Team Program: Strategy, Planning, and Roadmap

Abstract: An overview and some lessons learned on starting a purple team program from the ground-up in a large enterprise to complement ongoing red team operations and other offensive testing activity. This will include methodology, tools, roadmap, and more.

2:00PM to 2:45PM ET | Evan Peña | Title: The Industrialization of Red and Blue Teaming

Abstract: The industrial revolution was brought on by purpose-built machinery and automation. A similar revolution has occurred in security, leading to the industrialization of red and blue teaming. In large part, this industrialization has been realized through security instrumentation platforms.

By leveraging security instrumentation platforms, you are bringing together red and blue teaming initiatives with greater symbiotic mutualism across three major areas. First, you can validate the efficacy of security controls such as firewalls, WAFs, DLPs, EDRs, and SIEMs. If those controls aren’t working as needed, you can leverage prescriptive analytics to instrument them. Second, you can apply configuration assurance to verify that a change that has been made actually does what’s desired. You can also determine if that change negatively impacts other facets of security. Third, you can utilize automated, ongoing checks to ensure that what was working continues working in perpetuity. Should something stop functioning, blocking, detecting, correlating, etc., as needed, alerts will be generated in response to the environmental drift.

The money you spend on security plus the level of effort isn’t resulting in security effectiveness. You hire security professionals, deploy security controls, and build processes. You make this investment of time, money, and resources so when an attack occurs, you can fight and be able to prevent the attack–or at least detect and respond. Two groups are critical in this fight. They include: security penetration testers (red teams that are tasked with offensive actions to evaluate defenses) and security operations (blue teams that focus on operating these security defenses).

Yes, red teams can add tremendous value. But the legacy, manual, and expensive process of scanning, penetrating, reporting, and hoping the blue team will act on the findings largely isn’t resulting in value or reduced risk. For the blue team, you invest millions in endpoint, network, email, and cloud security controls, but organizationally you are probably spending painfully few cycles to determine if this complex mix of solutions is actually working.

We need to readjust so that we are focusing on security effectiveness and the efficacy of our security controls. We need to industrialize our approach to red and blue teaming with security instrumentation through automation, environmental drift detection, prescriptive actions, and analytics that enable us to finally and empirically manage, measure, and improve security effectiveness.

• Improving and integrating red teaming and blue teaming activities
• Industrializing security efforts with greater automation
• Leveraging security instrumentation to measure, manage, and improve security effectiveness

3:00PM to 3:45PM ET | Frank Duff and Jamie Williams | Title: A Look at ATT&CK Evaluations through Purple Colored Glasses

Abstract: Since 2018 we have been performing public evaluations of various defensive solutions, ranging from enterprise, ICS, managed services, to our newest adventure into deception technologies. From the beginning we adopted purple teaming to keep the process fair and transparent through collaboration, communication, and mutual trust.

In this talk we will unpack how we built and maintained a purple teaming culture, extending the benefits beyond just the interactions between red and blue teams. We have grown to learn how purple teaming extends to every stakeholder and aspect of the process — ranging from engineers to managers at the beginning of planning all the way to final production of results. We will share our lessons learned, as well as break down how you can adopt your own shade of purple!

4:00PM to 4:45PM ET | Adam Mashinchi | Title: 2-for-1 Talk: ATT&CK Coverage and InfoSec Internships

Abstract: In this Two-Topic Talk™ the audience will get an update on the Atomic Red Team™ project’s efforts to define and increase the test coverage of MITRE ATT&CK® techniques. Throughout the presentation the audience will also be shown a way to create and maintain positive internship opportunities for information security and engineering roles. Due to the dual-topic nature of the presentation, the subject matter will be applicable to both cyber security practitioners as well as those looking to create or manage interns in a modern infosec landscape.