Pinned Tweet
dylan
1.3K posts

dylan retweeted

This year we're bringing our Adversary Simulation and Capability Development training to Asia for the first time with @BlackHatEvents #blackhatasia26 blackhat.com/asia-26/traini…
If you want some hands on red teaming and tool development training from seasoned experts (@_batsec_ ), the early bird pricing is now available!

@_batsec_ Understandable! Queue for Amsterdam immigration was a nightmare a few weeks ago, people started mentioning Brexit and it ended up in two people arguing over migration/flags/boats... Probably best staying home xD

@_batsec_ Not good m8. I'll go in your place, I have so much to offer the red team world

i really do not understand this recent take that “socks is all you need”.
imo nothing highlights the difference in standards of what a ‘red team’ is than this.
WaaWaa @frodosobon
Red teaming will go back ten years ago. Proxy Socks (nothing better than chisel) and no Fork&Run / BOF ... Only proxychains

the point is to use the necessary tradecraft to achieve the objectives, the client then advances their ability to detect this tradecraft and the cycle continues.
this type of exercise is mostly pointless unless the client already has a high level of maturity.
that’s why purple team exercises are more universal and offer the most benefit to organisations looking to start building their maturity level.

@_batsec_ @_EthicalChaos_ @inversecos So the point is to conduct a Red Team, compromise all the IT infra of a customer with completely new tradecraft, and then say, let's see how they respond if i make some noise. Yeah, that's what Blue Teams need.

i need to just start tweeting the CEO the next time i’m doing targeting for an op.
DHH @dhh
@BrandonTahedl We use Tailscale + GitHub for user/access management. LibreOffice, but rarely. Nothing for MDM, but there is Fleet MDM + Sandly Security.

@_EthicalChaos_ @frodosobon @inversecos for sure, there is a lot of value and there are lessons learnt from performing an effective threat hunt. tracking a TA's pathway through the network and identifying alternative c2 channels or persistence is not an easy task.

@_batsec_ @frodosobon @inversecos 💯%. This is where cracks show. How many times have you heard at this stage? - "This is what we would have done". Clients often miss the point of carrying the action through. The ones that do, often get the best out of it as it highlights assumptions in the theory of the playbook

@_EthicalChaos_ @frodosobon @inversecos yeh that's true but a SOC's response to a detection is a whole new topic. this is why I like running a "detect and evict" scenario at the end of an RT and raising the noise level massively. detection means nothing without eviction.

@_batsec_ @frodosobon @inversecos Yes and no. A PT doesn't account for how the SOC would react to such a detection IF they have the capability to detect the TTPs used. So you can still have a red team that mimics a specific TA. On the other hand you might not use all the TTPs in a RT but should in an equiv PT

@_EthicalChaos_ @frodosobon @inversecos agreed, but emulation is not a red team. if a client wants to check whether they would catch a TA employing the same TTPs someone else caught them using, then that's fair. but it's a purple team.

@_batsec_ @frodosobon @inversecos But at the end of the day, if the customer is asking for emulation of a specific type of actor, you'd need to deliver both and not just pick the easier option.

@kyleavery yep, don’t get me started on this. the lack of any meaningful regulation is evident and really concerning.

@_batsec_ For me the reason behind this is that the more EDRs and dynamic analysis improve, the more reasons attackers have to avoid endpoints. @inversecos has a nice article about an NSA op against China University that follows that direction. BTW i did red team for 10 years...