Slide 1

Sans Hackfest: 2024-10-28
Purple > Red + Blue
Presenter: Mark Hillick

Slide 2

Agenda
01 whoami
02 The Industry
03 My Past
04 Integration
05 Wrapping Up

Slide 3

whoami

Slide 4

whoami timeline (purple/red/blue)
XXXX: I was born in Derry, Ireland. First computer was an Amstrad CPC 464, favourite game was Shinobi, but I preferred sports over computers, and still would today.
2000: Graduated from college and started working on an Internet Infrastructure team, learning about firewalls, DNS, anti-virus etc.
2008: Final requirement for GSE - proctored GSEC, and met Steve Sims for the first time :)
2013: Took on my first security leadership role @ Riot Games - building a team and program from scratch, making every mistake in the book.
2016: Moved to the US. Owned all "player security", including "anti-cheat", where we built my first "purple" team.
2021: Joined Brex. Led all of Security, now the CISO. Integrated purple into how we operate.
2024: Sans Hackfest Los Angeles

Slide 5

Why get into Cybersecurity?
01 Constant learning & challenge
02 Lucrative salaries
03 Diverse career paths
04 High demand & job security
05 Stopping bad guys

Slide 6

Well… this is not a technical talk, it's about something more difficult… people, building & serving the business.

Slide 7

Assumption
I'm realistically assuming that you're not working at a 3-letter agency or government with nation state attackers on a daily basis.

Slide 8

Disclaimer
I leveraged ChatGPT/Dalle for all of my diagrams/images. Thank you AI <3

Slide 9

Preparation

Slide 10

The Industry

Slide 11

What?
01 So what is a red team?
02 What about a blue team?
03 A purple team?

Slide 12

What?
01 Red Team: The offensive team that simulates cyberattacks to identify vulnerabilities and test incident response. Red Team members are experts in offensive security, such as ethical hackers and penetration testers.
02 Blue Team: The defensive team that analyzes attacks and develops ways to prevent and mitigate them. Blue Team members monitor systems, detect suspicious activity, and respond to incidents.
03 Purple Team: Facilitates communication and collaboration between Red and Blue teams to improve an organization's security posture.
Huh???

Slide 13

My Past

Slide 14

01 SOC -> Blue team
02 Recruited from the industry - referrals & official job ads
03 Evolution to include a "red" team
04 Created sub-teams :ugh:
05 Not really purple - why?

Slide 15

"Versus" right?

Slide 16

Disconnects
01 Goal of making your colleagues look bad
02 Sending the report to the boss rather than the blue team
03 Simply disconnecting / removing accounts
04 Not sharing TTPs or IOCs
05 Different roadmaps

Slide 17

Rule #1
Don't be an a**hole

Slide 18

Purple Anti-Cheat
01 Everyone together - builders, breakers etc
02 Hired from the community
03 Everyone building
04 Breakers defending
05 Same North Star

Slide 19

Wins
01 Vanguard
02 Packman
03 High game integrity
04 Increased player numbers & enjoyment
05 More revenue

Slide 20

Remember
It's ok to operate as an attacker, but the end goal is to:
● secure your company
● improve the security of the company
not "hack" your employer.

Slide 21

Integration

Slide 22

Why do Security teams exist?
01 Serve the business
02 Ensure products are shipped securely
03 Reduce security risk to the business and the customers
04 Make the secure way the "easy" way, i.e. the default behaviour
05 Enable the company to pass the various security compliance standards, and continue to operate

Slide 23

Integration @ Riot
01 SPL
02 RFCs
03 Transparent, public RCAs
04 Integrate red teaming into security review & launch process
05 Iterate, iterate, iterate

Slide 24


Slide 25

Integration @ Brex
01 Same team, i.e. same reporting structure below CISO
02 Integrate red teaming into security review process
03 Same rituals together (demos, stand-ups)
04 Encourage red and blue teamers to have 1-1s
05 Share - reports, code, alerting configuration, tooling etc

Slide 26

SPL @ Brex
01 We go to where our engineers are
02 Design docs, Slack Channels, Same Tooling
03 Secure code reviews
04 Pen Test
05 Vuln Mgmt Process - Red Team & GRC own

Slide 27

Wrapping Up

Slide 28

What?
01 So what is a blue team?
02 What about a red team?
03 A purple team?

Slide 29

Purple
It's not a team, it's a way of operating.

Slide 30

Wrapping Up
01 Security is here to serve the business
02 Audience focused
03 Build into rituals & default
04 Share & iterate, share & iterate
05 Don't be an a**hole

Slide 31


Slide 32

The End