Purple Team “War” Story — №4: Blue wins

Chapter8
Feb 1, 2023


The first ever Chapter8 coin!

We hand out our Chapter8 coin only if we are convinced a security posture is mature enough: if the Red Team couldn’t obtain any crown jewels. Simply put, if the Blue Team won the sparring match (and thus the entire team because, you know, Purple).

This is the story of an IT provider we met a few times during some of our missions and how they vastly improved their customers’ security.

Enough with the Red Team success stories. Done with Domain-Admin-before-lunch. Be gone, credentials in cleartext files in world-readable directories. Lack of multi-factor authentication. Legacy systems in the corner of a network. The scales can shift and we have this Story to prove it.

The main ingredients for this Blue Team success are: leftovers from a previous can of whoop-ass, a cup of cooperation, a scoop of learning curve, two ounces of sparring and a large dose of willingness to learn. One does not simply hand out a Chapter8 coin!

Let’s set some context and dive right in.

Disclaimer
At Chapter8, most of our Missions take place at the highest levels of the Dutch public and/or private sector. That is why we are very careful about presenting client-related information. These stories are fictional in context but true in tech; they are our way to get the gist of a train-as-they-fight Purple Team Mission across and to contribute to your security mentality.

Chapter one: humble beginnings.

Early 2021 we set out on a Mission. The high-profile client uses a third party as their IT infrastructure provider. The infrastructure is remotely managed and part of our Mission is — in our true Purple style — the evaluation of detective measures and forensic readiness.

We’ll be outright honest: the Blue Team got its butt kicked. We could plug in our Whisperbox implant without problems, run Responder and capture a few NTLM hashes before lunch. One of them belonged to Administrator@DOMAIN, which was used as a service account and had a password that started with a capital G, consisted of a word in the standard Dutch dictionary, and ended with the well-known !.

From there on, it was a hop and a skip towards the organization’s crown jewels, because domain admin is nice but crown jewels are nicer (and often do not require domain admin privileges) and a completely backdoored IT infrastructure was the icing on the cake.

The IT provider did a great job at keeping stuff running, but had no proper forensic readiness: there was no central logging and monitoring and incident handling procedures were not in place. Good thing we brought our Hunterbox, an open-source SOC-in-a-box to show them what visibility they’d missed. Also, the client was supposed to have a few honeypots hidden in the network. We tried very hard to find and fire them, but to no avail 🤷‍♂.

The lack of password policy enforcement and network access controls did not help this physically nearly inaccessible environment. Do I hear you say “Watermelon!”? Yes, you are right. This was the epitome of a hard shell and a soft inside.

So far, a pretty standard Red Team assignment.

Oftentimes we get this question after a Purple Team Mission: “How do we perform, compared to other clients?”. And our standard answer is “On average.” Does “on average” mean “a sufficient grade”?

No. The sad truth is that the average cybersecurity posture is low.

What stood out from the beginning was the Blue Team’s eagerness to learn. Of course, they went through the stages of denial, anger and grief but they got to the acceptance-phase pretty quickly; we’d like to think that this has a direct correlation with a purple team approach instead of a red team/penetration test approach, but we lack empirical proof for that assumption.

Chapter two: the learning curve 📈.

Fast forward one year and a bit. The client challenges us to re-test their infrastructure. A good number of our recommendations had been followed up and both client and IT provider felt they were ready for a rematch. Gloves on. In the Red corner: Chapter8. In the Blue corner: client, IT provider and … Chapter8!

And the progress was palpable! No more plugging-in-rogue-devices, but port-based network access control (pNAC). No more watermelon-mush, but segmentation. No more playing around on a VDI without getting noticed by the Blue Team (user and entity behavior analytics (UEBA) is a really, really good defensive measure).

Alas, the Red Team got the better of the Blue Team by “living off the land”: using the information that was readily available from the low-privileged account that served as a starting point. While there was unmistakably a lot of progress on the technical level, the amount of readable credentials in files remained tremendous. Not that all that information was available from the get-go. But using one set of credentials led to access to more information, leading to more credentials, leading to… you get the point.

So did the Blue Team, and what started out as a technical learning curve grew into a cultural learning curve. Educating the population, so to speak. A very different ballgame. But one that could be focused on right now, because of all the technical progress the Blue Team had made. Security is a continuous process.

Chapter three: get over here!

Scorpion — Mortal Kombat © Midway

Let’s fast forward a few months again. We get a call from the IT provider.

“Look, we’ve got this other client. They want their security posture tested. We built their network with the lessons from our previous encounters in mind. Are you up for the challenge?”

Wait whut? Are you kidding? Born ready!

And what a sparring session this became. The Red Team started, as usual, with low privileged accounts on standard workstations. These were thin clients and even though the BIOS password was not changed from the default, it proved impossible to escalate privileges or gain more network access due to hard disk encryption and a very, very segmented network.

The low privileged accounts proved to be exactly that. No information to live off the land was available. The VDIs proved to be not only hardened but also tightened with UEBA, so the Blue Team had a blast seeing the Red Team struggle. No open network shares. Man, what a change of pace. Even the internal documentation platforms did not contain information that could be used as a stepping stone.

Was everything perfect? No. Every environment yields recommendations, albeit in this case with low to medium impact on the crown jewels.

And there was more.

The Blue Team trapped the Red Team.

Through the use of a honeytoken…

…which they did not mention in the intake, the sneaky sneaks.

Honeytoken much?

By suggesting the presence of a plain text, temporary password in the description field of one of the Active Directory accounts, they lured the Red Team into testing these credentials. The login attempt alerted the Blue Team to the presence of the Red Team and from that point, the incident handling procedures kicked in. And although there was room for improvement around these procedures and the overall forensic readiness of client and IT provider, they did not panic and focused on situational awareness instead. Good job Blue Team!
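The detection side of that trap is worth spelling out, because the decoy only works if every authentication attempt against the decoy account is alerted on, successful or not. Below is an added example (not Chapter8’s or the IT provider’s code) of the matching logic such a SIEM rule implements, run over a handful of constructed Windows Security events in JSON form. The decoy account names, the source addresses and the event records are all made up for the example.

```python
"""Honeytoken account detection over Windows Security events.

Added example, not from the original post: the post describes an AD account
whose description field suggested a temporary cleartext password, and the first
logon attempt with it alerted the Blue Team. This shows the matching logic a SIEM
rule would implement, run over constructed sample events.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Hypothetical decoy accounts (sAMAccountName, lower case); not from the post.
HONEY_ACCOUNTS = {"svc_backup_tmp", "helpdesk-temp"}

# Security event IDs whose TargetUserName names the account being authenticated.
AUTH_EVENTS = {
    4624: "successful logon",
    4625: "failed logon",
    4768: "Kerberos TGT requested",
    4771: "Kerberos pre-authentication failed",
    4776: "NTLM credential validation",
}


def normalize_account(name: str) -> str:
    """Reduce DOMAIN\\user, user@realm or plain user to a lower-case sAMAccountName."""
    name = name.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


@dataclass
class Alert:
    account: str
    event_id: int
    description: str
    source: str   # IpAddress or WorkstationName, whichever the event carries
    outcome: str  # "success" or "failure"


def check_event(event: dict) -> Optional[Alert]:
    """Return an Alert when an authentication event touches a honey account."""
    eid = int(event.get("EventID", 0))
    if eid not in AUTH_EVENTS:
        return None
    target = normalize_account(str(event.get("TargetUserName", "")))
    if target not in HONEY_ACCOUNTS:
        return None
    source = event.get("IpAddress") or event.get("WorkstationName") or "unknown"
    # 4625/4771 are failures by definition; 4624/4768/4776 carry a status or
    # result code, where anything other than 0x0 is a failure as well.
    status = str(event.get("Status") or event.get("ResultCode") or "0x0")
    outcome = "failure" if eid in (4625, 4771) or status != "0x0" else "success"
    return Alert(target, eid, AUTH_EVENTS[eid], source, outcome)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run check_event over JSON event lines, skipping lines that do not parse."""
    alerts = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = check_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    '{"EventID": 4625, "TargetUserName": "CORP\\\\svc_backup_tmp", "IpAddress": "10.0.20.15", "Status": "0xC000006D"}',
    '{"EventID": 4771, "TargetUserName": "svc_backup_tmp@CORP.LOCAL", "IpAddress": "10.0.20.15"}',
    '{"EventID": 4624, "TargetUserName": "jdoe", "IpAddress": "10.0.30.7"}',
    '{"EventID": 4776, "TargetUserName": "HELPDESK-TEMP", "WorkstationName": "WS-042", "Status": "0xC000006A"}',
    '{"EventID": 4688, "NewProcessName": "C:\\\\Windows\\\\System32\\\\cmd.exe"}',
    'this line is not JSON',
    # A successful logon on a decoy account is the most urgent case of all.
    '{"EventID": 4624, "TargetUserName": "svc_backup_tmp", "IpAddress": "10.0.20.15"}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"HONEYTOKEN {a.account} {a.event_id} ({a.description}) from {a.source}: {a.outcome}")
```

The rule deliberately does not care whether the attempt failed: the decoy password in the description is supposed to be wrong, so a failure from an unexpected host is the signal, and a success means either the decoy was misconfigured or the account was reached another way. Matching on the normalized account name catches the `DOMAIN\user`, `user@realm` and bare-name forms that the different event types use.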

Firing that honeytoken brought much joy, even to the Red Team, because pulling off this feat really showed how far the IT provider had come. In fact, apart from some minor findings, the only real improvements for this client were based around an insider-threat scenario.

Needless to say that coming back like this from the first two encounters is pretty bad-ass.

Chapter four: blue wins! Now what?

Of course, <marketing mode>the real winner of this Purple Team “CTF” was the client</marketing mode>. The Walkthroughs — the final presentations of the results to tactical and c-level — were of a different tone than usual. Both client and IT provider got the first ever Chapter8 Coin.

The coin says on one side: Exercitati exercitum tuum, which roughly translates to “We trained your defenders”. On the other side it says: Hoc probamus, which translates to “we approve of this”. Pretty cool, huh!

When their Active Directory and O365 configuration was audited by Microsoft recently, they scored a 3.5 out of 4, which positively surprised the software giant. That small IT provider is now one of our preferred partners and if you want to get in touch with these beautiful badasses, reach out to us (they’d rather not be named here because, you know, #opsec).

To conclude this “War” Story: we’re happy that our vision on Purple Teaming turned out to be a supporting vector in the learning curve of both client and provider. This is ultimately why we do what we do. To enhance forensic readiness with teamwork, because teamwork...

well…

…despite it being corny as hell…

That.

And on that note, we’d like to conclude this narrative.

Wrapping it up.

Many thanks for keeping with us until the end of this story. If you want to know more about Purple Teaming, please visit https://chapter8.com to meet our team and read about our Mission to make cyber safer from the inside.

