Purple team

During an engagement IronSky collaborates with the client's security team to map out the existing technical security controls that are expected to catch actions performed during a simulated attack (see example below). As the engagement progresses, each control is assessed as to whether it detects and/or blocks the actions as expected. In this manner the defensive team can identify gaps in their controls and fine tune rules or configurations as required.

Our Overarching Methodology

Our approach to purple team testing is a collaborative one with the client's blue team. IronSky assists the client blue team in developing a defensive matrix based on the Cyber Kill Chain and MITRE ATT&CK frameworks. We then iterate over attack chains, assisting the blue team in refining their monitoring and detection capability.

Planning

Collaboratively design and agree on the attack chains to be tested, based on the organization's threat model. The planning phase is where we determine which defensive controls are expected to catch/alert on actions performed by a malicious actor (build CKC exercise cards).

Iterative Testing

Work interactively with the blue team to assess whether the planned attacks triggered detections across the CKC.

During the reconnaissance phase the IronSky team gathers as much information as possible from publicly available sources, mostly online (open-source intelligence, OSINT). The IronSky team then analyses this information to identify sensitive information that can assist the team further.

The reports provided for the engagement include:
- Detections across the phases of the engagement
- Statistics per mitigation tool
- Success rate of detection/blocking for each technique
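To make the reporting concrete, the following is an added illustration (not IronSky's tooling) of how the per-phase and per-tool statistics above can be derived from CKC exercise cards; the cards, phases, technique ids and control names are constructed sample data, and the detect/block outcomes are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

# Each record is one CKC exercise card: the kill chain phase, the ATT&CK technique
# exercised, the control expected to catch it, and what the blue team observed.
@dataclass(frozen=True)
class ExerciseCard:
    phase: str          # Cyber Kill Chain phase
    technique: str      # ATT&CK technique id
    control: str        # mitigation tool expected to catch/alert
    detected: bool      # control raised an alert
    blocked: bool       # control prevented the action

# Constructed sample results; hypothetical, not client data.
SAMPLE_CARDS = [
    ExerciseCard("Delivery", "T1566.001", "Email gateway", True, True),
    ExerciseCard("Exploitation", "T1204.002", "EDR", True, False),
    ExerciseCard("Installation", "T1547.001", "EDR", False, False),
    ExerciseCard("Command and Control", "T1071.001", "Proxy", True, False),
    ExerciseCard("Actions on Objectives", "T1048.003", "DLP", False, False),
    ExerciseCard("Actions on Objectives", "T1003.001", "EDR", True, True),
]

def rate(cards, attr):
    """Percentage of cards where the given outcome attribute (detected/blocked) is True."""
    return round(100 * sum(getattr(c, attr) for c in cards) / len(cards), 1)

def stats_by(cards, key):
    """Detect/block success rate grouped by a card attribute ("phase" or "control")."""
    groups = defaultdict(list)
    for c in cards:
        groups[getattr(c, key)].append(c)
    return {k: {"detected": rate(v, "detected"), "blocked": rate(v, "blocked"), "cards": len(v)}
            for k, v in groups.items()}

def gaps(cards):
    """Cards where the expected control neither detected nor blocked: candidates for rule tuning."""
    return [(c.phase, c.technique, c.control) for c in cards if not (c.detected or c.blocked)]

if __name__ == "__main__":
    for title, key in (("Per CKC phase", "phase"), ("Per mitigation tool", "control")):
        print(title)
        for name, s in stats_by(SAMPLE_CARDS, key).items():
            print(f"  {name:<22} detected {s['detected']:5.1f}%  blocked {s['blocked']:5.1f}%  ({s['cards']} cards)")
    print("Gaps:", gaps(SAMPLE_CARDS))
```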

Final Reporting

Observation
The hostname/IP address of the issue identified during the engagement
Risk Impact
Business impact of the vulnerability if exploited by a malicious user
Root Cause Analysis
What was the initial vector that led to this vulnerability being created
Recommendation
Recommendations to address the risk over the short term and the long term