December 22, 2022
by Hacker Valley Blue
Daniel Borges, Senior Red Team Engineer at CrowdStrike and author of Adversarial Tradecraft in Cybersecurity, brings his unique perspectives on learning, training, and failure to the pod. Collaboration is key in any purple team, and Dan believes collaboration comes from a place of knowledge and understanding— of ourselves, others, and the security tools we use every day. In this episode, Daniel talks about the process of writing a book as a cyber practitioner and where he sees the gaps in purple teaming today.
Timecoded Guide:
[00:00] Pivoting from robotics to computer science to InfoSec
[08:06] Finding a purple team in the Target breach aftermath
[14:19] Understanding the trends of cyber practices & purple teaming
[22:09] Deconflicting & blue team maturity ratings
[30:40] Writing a book that covers blue & red perspectives
[38:43] Failing as an opportunity for upward career mobility
Sponsor Links:
Thank you to our friends at Axonius and Plex Trac for sponsoring this episode!
The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley
PlexTrac, the Proactive Cybersecurity Management Platform, brings red and blue teams together for better collaboration and communication. Check them out at plextrac.com/hackervalley
What is one of your purple teaming pet peeves?
In Dan’s experience, a huge purple team pet peeve is how red and blue teams hinder one another. When there isn’t solid communication between red and blue, bad blood is easily bred and the tension of a high-pressure situation, such as an attack incident, becomes so much worse. Jumping into an engagement or a test without communication and cooperation between both sides doesn’t unify, it only divides and burns out practitioners.
“It's extremely important when bringing people in, they know there's going to be an exercise, so they don't think the world is on fire. If you're doing incident response and detection, it's a marathon, not a sprint. You can't be putting out fires every day, you're gonna burn out.”
What are your key takeaways about collaboration from your experiences in purple team settings?
Collaboration, especially between red and blue teams, requires compromise and conscious thought. Instead of the selfish “us vs them” mentality of the red and blue silo structure, a purple team unites everyone on the same team, under the same end goal. Dan also recommends that practitioners stop and think about their reactions when collaborating together. Reactionary behavior hurts your team— and it wastes your time, too.
“Sometimes, you have to let somebody fail. Sometimes, you have to let them do it and learn the lesson and if the impacts are not big enough, it's just better that way. It's just better that they see for themselves why this was a bad idea.”
For those who might be interested in buying your book, Adversarial Tradecraft in Cybersecurity, what can they expect from it?
When Dan began writing his book, he knew he wanted to look at techniques from both red and blue team perspectives. Part of his book is logistical, including how techniques can be applied in general situations. Another part of Dan’s book is about lessons learned, especially from the failures he’s experienced as a practitioner. The final piece, and perhaps the most important, is theory and ideas to consider to expand your perspective on the situations you may encounter in the field yourself.
“[My book] is a lot of lessons learned from my time doing this. I've been attacking somebody and they found my code this way, or how I stopped a real campaign of attackers doing this technique. I think it's a lot of practical advice.”
What advice would you give to anyone looking to get into InfoSec?
InfoSec, or information security, is a field that requires balance to avoid burnout. Dan advises considering a career in InfoSec as a marathon, not a sprint. While the learning process can be long and difficult, Dan believes that InfoSec, just like purple teaming, isn’t as difficult as someone might think from the outside. If you’re able to think about a problem in a new way and engage your intelligence in your work, you can and will succeed.
“I think a lot of InfoSec people are just smart people that can sit there and think about a problem. And if that sounds like you, then give it a shot because it's probably easier than you think and we need the people.”
---------------
Links:
Keep up with our guest Daniel Borges on LinkedIn and his blog
Check out Daniel’s book Adversarial Tradecraft in Cybersecurity: Offense versus defense in real-time computer conflict
Thank you to our friends at Axonius and PlexTrac for sponsoring this episode!
Connect with Davin Jackson on LinkedIn and Twitter
Watch the live recording of this show on our YouTube
Continue the conversation by joining our Discord
Hear more from Hacker Valley Media and Hacker Valley Blue