The Roundup: (Red + Blue != Purple Team)(Fight Me)

Topic: Red, Blue, & Purple Teaming
Moderator: Dan DeCloss
Price: $0 (Free to All Attendees)
Date: September 29, 2022
Time: 1PM to 4PM ET

The adversarial relationship between the offensive and defensive sides of cybersecurity is well-documented. The red team’s goal is often to “break all the things” they can get their hands on, while the blue team’s primary goal is to block those attacks and remediate findings in record time. With so much competition in the air, it seems as though many have lost sight of what the ultimate goal of the security function should be — to protect the organization from real threats. In this webcast, hosted by PlexTrac CEO Dan DeCloss, you’ll hear both the red and blue teaming perspectives, as two representatives from each side of the InfoSec house bring viewers insightful and entertaining talks. Additionally, the roundup will conclude with an expert trio of purple teaming panelists, discussing the benefits of cross-team collaboration and teamwork in the never-ending fight against adversaries.

The (Red + Blue != Purple Team Roundup) includes panelists from SCYTHE, Black Hills Information Security, Echelon Risk + Cyber, Aquia, and PlexTrac.

Don’t miss out on the purple teaming party… Join us live on Zoom on Thursday, September 29th from 1-4pm Eastern Time (10am-1pm PT).

Dahvid Schloss, Managing Lead, Offensive Security at Echelon Risk + Cyber

Dahvid is the Managing Lead, Offensive Security at Echelon. An experienced professional with over 12 years of cyber attack and defense experience, Dahvid previously worked as a Red Team Operator with a Big 4 consulting firm, leading and conducting Adversarial Emulation exercises, and served in the military, leading, conducting, and advising on special operations offensive cyber operations. He has a wide background in cyber security including logical, social, and physical exploitation as well as incident response and system/network device hardening. Dahvid is also a Malware Development Instructor, passing on Adversarial Emulation knowledge to those looking to grow in this highly specialized space.

Dahvid has extensive experience assisting clients in developing strategic risk reduction plans and activities. He has experience leading and managing adversarial emulation engagements and red team activities focusing on attack vectors from the perspective of an insider threat, financially motivated APTs, and nation state backed APTs. In these engagements, Dahvid has developed and leveraged a custom in-memory post-exploitation framework within PowerShell. He also has experience performing and leading physical and social engineering engagements with unique exploitation techniques. Dahvid also has extensive experience building and advising clients on their vulnerability management practices across the enterprise.

Prior to his Big 4 consulting days Dahvid served as an operator and liaison for the Joint Special Operations Command to other DoD agencies and several Intelligence agencies, providing mission-critical planning and coordination of special operation cyber activities. He has performed and conducted real-world offensive cyber activities to assist in the find, fix, locate process of discovering High Value Targets in terrorist organizations.

Twitter: @DahvidSchloss


Nick Popovich, Hacker In-Residence at PlexTrac

Nick Popovich’s passion is learning and exploring technology ecosystems, and trying to find ways to utilize systems in unexpected ways. His career has focused on adversarial threat simulation, offensive and defensive security, and advanced technical security assessments. Nick’s mission is to help individuals and organizations involved with defensive security operations to have an opportunity to observe the mechanics and methods of the attackers they’re defending against, and to assist in realistically testing those defenses. He’s a lifelong learner and loves finding new ways to get under the hood of systems and networks. He is a father of three and a husband to one.

Twitter: @pipefish_


Noah Heckman, SOC Analyst at Black Hills Information Security

Noah Heckman joined the Black Hills Information Security (BHIS) team in April 2021 as a SOC Analyst who monitors alerts in the SOC and performs adversarial simulation on SOC customer networks and devices. Prior to BHIS, Noah was primarily a Windows Systems Administrator for about 1,600 endpoint systems at a manufacturing company. Having attended most of BHIS’s webcasts (and now co-holding the record for most chainsaws on a webcast) and Wild West Hackin’ Fest, and being an amazing supporter of the extensive online community, Noah is excited to be part of their commitment to knowledge-sharing. When not working with some of the best people around, Noah enjoys researching new technology, hiking, kayaking, fishing, and swimming — sometimes all at the same time.

Twitter: @mon0pixel


Kaitlyn Wimberley, SOC Analyst at Black Hills Information Security

Kaitlyn Wimberley became an official part of Black Hills Information Security (BHIS) in March 2022, after being a long-time Community Leader on the BHIS Discord server. As a SOC Analyst, Kaitlyn says she does “whatever anyone will let me do to help the good guys win more and the bad guys win less.” She chose BHIS because of the goodness and generosity in the things she saw from them (and because everyone there is “crazy smart and inspiring”). She loves doing good things with great people, as well as the encouragement she receives in both her professional and personal growth. Outside of work, Kaitlyn enjoys making music, playing video games, learning anything about everything, and going on family adventures.


Jorge Orchilles, Chief Technology Officer at SCYTHE

Jorge Orchilles is the Chief Technology Officer of SCYTHE, co-creator of the C2 Matrix project, and author of the Purple Team Exercise Framework. He is a SANS Certified Instructor and the author of Security 564: Red Team Exercises and Adversary Emulation. He was a founding member of the MITRE Engenuity Center for Threat-Informed Defense. He is a Fellow at the Information Systems Security Association (ISSA) and the National Security Institute. Previously, Jorge led the offensive security team at Citi for over 10 years.

He also co-authored the Common Vulnerability Scoring System (CVSS) and A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry, and authored Microsoft Windows 7 Administrator’s Reference. Jorge holds post-graduate degrees from Stanford (Advanced Computer Security) and Florida International University (Master of Science). Jorge speaks English, Spanish, and Portuguese, in decreasing levels of fluency. When he’s not hacking, teaching, or writing, you’ll find him watching and playing soccer.

Twitter: @jorgeorchilles


Maril Vernon, Purple Team Lead / Senior Security Engineer at Aquia

Maril Vernon (@SheWhoHacks), known as the “One Woman Purple Team,” is an ethical hacker, co-founder and host of The Cyber Queens Podcast, Senior Offensive Security Engineer, proven Program Manager, and pioneer in the Purple Teaming space — a niche in offensive security testing that has recently gained popularity for demonstrating cyber resilience in the cyber threat landscape. Maril has built and tested Purple Teaming operations across multiple industries, from start-ups to FAANG-sized companies, most recently for Zoom Video Communications as a member of the dedicated Red Team. Maril’s expertise on Red Team best practices was recently featured on CSO Online and at the Red Team Roundup hosted by the Wild West Hackin’ Fest. Her knowledge and skill in pioneering Purple Team operations have been featured on numerous webinars with the PlexTrac CEO and SCYTHE CTO and at the subsequent Purple Team Roundup by WWHF. She has also been named one of the ‘Epic Women in Cyber,’ has interviews published with NIST and The Hacker Factory, and is a contributing editor of the latest MITRE ATT&CK v11 Enterprise Matrix for Linux TTPs. Maril’s passion for closing the gender gap in cyber is highlighted in her affiliations with The Cyber Guild, The Diana Initiative, BBWIC, and WiCyS.

Twitter: @SheWhoHacks


Jake Williams, Executive Director of Cyber Threat Intelligence at SCYTHE

Jake Williams is the Executive Director of Cyber Threat Intelligence at SCYTHE. He is an incident responder, a breaker of software, and a former government hacker probably wanted by all the cool countries. Likes: threat modeling, application security, threat hunting, and reverse engineering. Dislikes: self-proclaimed thought leaders and anyone who needlessly adds blockchain to a solution that was operating perfectly well without it.

Twitter: @MalwareJake


Daniel DeCloss, Founder and CEO at PlexTrac

Dan brings over 15 years of experience in cybersecurity. Dan started his career in the Department of Defense, then moved to private sector consulting, where he worked at companies like Veracode as a Principal Consultant in Penetration Testing. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem. Prior to PlexTrac, Dan was the Director of Cybersecurity at Scentsy, where he built the security program from infancy into a best-in-class program.

Dan has a Master’s Degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Dan holds the OSCP and CISSP certifications.

Twitter: @wh33lhouse

Schedule (Time, Speaker, Presentation)
1:00PM to 1:30PM ET Nick Popovich Title: Trust No 1

Abstract: Organizations have steadily transitioned to relying on third-party entities to provide many common services to employees. Examples include human resources services like benefits information and enrollment, or payroll. Other examples include surveys, corporate training, and travel and expenses. Most of the services send legitimate emails to users. This has trained the recipients to expect to receive emails from outside of their organization, and to follow hyperlinks within the emails, as a regular part of their workday.

This talk is meant to highlight how end users have become desensitized to the ominous warning banners atop external emails, and can fall victim to phishing emails that abuse the trust in large, well-known organizations. We’ll also showcase how command and control traffic can be masked by abusing the trust inherent in some third-party providers. The talk will run through examples of how threat actors can anonymously utilize built-in functionality to send phishing emails and establish C2 channels that originate from trusted, big-name companies. These malicious emails genuinely originate from the large service provider’s email servers, and pass SPF, DMARC and DKIM security checks. The end goal of this discussion is that the risk is given more attention, and that user awareness campaigns, technical email monitoring controls, and corporate communication strategies can take these risks into account.

1:30PM to 2:00PM ET Noah Heckman Title: Establishing Trust

Abstract: Knowing what we can and cannot trust these days is a constant challenge. This talk will discuss methodologies to detect and identify which processes, connections, and behaviors are benign and which are evil. Of course, nothing is a replacement for good analyst intuition, but some good tips and tricks to assist in your investigations of potential nastiness on Windows systems never hurt.

2:00PM to 2:30PM ET Dahvid Schloss Title: To be an emulated criminal you must act like a criminal

Abstract: It’s no hidden fact that cybercrime has changed over the past 10 years, even more so in the past year. So why haven’t our testing tactics? Many times, I see new and experienced red teamers employing TTPs and technologies that are not used by actual cyber criminals while ignoring TTPs and technologies that are. This mismatch, along with the lack of basic criminal knowledge, creates an unrealistic red team exercise that only hinders the ability to prepare for the real attack.

So, join me (an emulated mob boss and prior SOF cyber operator) as we explore and discuss the following ways to help you “act like a criminal”:

– How the world of cybercrime has changed and what it means to red teamers
– Skillsets and technologies every red teamer should have basic knowledge in
– Commonly passed up TTPs and quick tips on how to execute upon them

2:30PM to 3:00PM ET Kaitlyn Wimberley Title: Birdwatching with Kaitlyn: Canary Users in the Forest

Abstract: Are there canaries in your AD forest? There should be!

Canary users in Active Directory are an effective way to increase visibility of sketchy activity in your environment, and they are quick and simple to set up. (YES, you can do it. I know you can.) And on top of that, they cost nothing to implement.

Something something active defense blah sentence blah.

We’re going to go through how to create believable canary users, how to monitor them for signs of a few common attacks, and other useful canaries to add to your flock.
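As an added illustration of the canary-user idea described above (example code written for this page, not from the talk or from BHIS), the script below creates one believable, never-used Active Directory account and then pulls any Kerberos or logon events that name it. It assumes the RSAT ActiveDirectory module on a domain-joined host, rights to create users and read the Security log on a domain controller, and placeholder values for the OU path, account name, and SPN; the SPN is an added assumption so that service-ticket requests for the decoy show up as event 4769.

```powershell
# Added example: canary (honeytoken) user in AD plus a check of the Security log for
# anything that touches it. OU, account name and SPN below are constructed placeholders.
Import-Module ActiveDirectory

$CanaryName = 'svc-backup-legacy'                        # constructed; match your own naming scheme
$OU         = 'OU=Service Accounts,DC=example,DC=local'  # placeholder OU

# Long random password: nobody should ever log in as this account, so any use is a signal.
$chars    = (33..126) | Get-Random -Count 32 | ForEach-Object { [char]$_ }
$Password = ConvertTo-SecureString (-join $chars) -AsPlainText -Force

# Old-looking description and never-expiring password make it look like forgotten legacy cruft.
New-ADUser -Name $CanaryName -SamAccountName $CanaryName -Path $OU `
    -Description 'Legacy backup service account - do not delete (ticket 4417)' `
    -AccountPassword $Password -Enabled $true -PasswordNeverExpires $true

# Assumption (not from the page): an SPN makes the decoy appear in service-account
# enumeration, so a service-ticket request for it is logged as event 4769.
Set-ADUser -Identity $CanaryName -ServicePrincipalNames @{Add='MSSQLSvc/backup01.example.local:1433'}

# Detection: Kerberos TGT/TGS requests (4768/4769) and logon success/failure (4624/4625)
# from the last $Hours hours whose target or service name is the canary.
function Get-CanaryActivity {
    param([string]$Name, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4768, 4769, 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # 4769 records TargetUserName as user@REALM, hence the wildcard match.
        if ($data['TargetUserName'] -like "$Name*" -or $data['ServiceName'] -eq $Name) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                EventId = $_.Id
                Target  = $data['TargetUserName']
                Service = $data['ServiceName']
                Source  = $data['IpAddress']
            }
        }
    }
}

# Run on a domain controller (or against forwarded logs); every row returned deserves a look.
Get-CanaryActivity -Name $CanaryName | Format-Table -AutoSize
```

Because the account has no legitimate users, there is no baseline to tune: a single event naming it is the alert.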

3:00PM to 3:45PM ET Jorge Orchilles, Maril Vernon, Jake Williams Title: Purple Team Panel Discussion

Abstract: Join an expert trio of purple teaming panelists for a discussion on the benefits of cross-team collaboration and teamwork in the never-ending fight against adversaries.