Empowering Tomorrow's Automotive Software
The automotive industry is experiencing change at a tremendous rate. The software-defined vehicle is leading the future of mobility - the car is rapidly becoming an electronic device on wheels. Empowering Tomorrow's Automotive Software will look at how electrification, automation and connectivity are impacting the industry, from changing the development process and software architecture to how data is generated and processed.
The podcast is brought to you by the experts at ETAS, leaders in automotive software.
To learn more, visit etas.com
Produced by ETAS Inc.; Madelyn Downs, madelyn.downs@bosch.com
Imprint and contact information:
ETAS Inc.
15800 N. Haggerty Road
Plymouth, Michigan 48170 USA
contact.us@etas.com
Introduction to Enterprise Purple Teaming
In the final episode of our Enterprise series, host Vasili Kutscherjavenko sits down with ETAS experts Wolfgang Neufeld and Rene Reuter to demystify the collaborative world of Purple Teaming.
Following up on previous discussions of independent red and blue team dynamics, the group explores how bringing attackers and defenders together in active workshops eliminates the traditional "blaming approach" and accelerates an organization's actual threat detection capabilities. The trio also takes a deep dive into the modern cyber threat landscape, discussing how rapidly evolving generative AI models are altering the game, enabling even less-skilled attackers to rapidly develop and exploit zero-day vulnerabilities and accelerating the speed of enterprise breaches.
Whether you are an enterprise security leader, a plant operations manager, or a cybersecurity professional looking to optimize your incident response times, this episode offers a highly practical blueprint for building mature, resilient defense systems.
Check out our other Enterprise episodes:
Introduction to Enterprise Red Teaming
Introduction to Enterprise Blue Teaming
Thanks for listening!
- Email us at: contact.us@etas.com
- Learn more about ETAS on our website
- Follow us on LinkedIn: @ETAS
00:00:02 Voiceover
Welcome to the Empowering Tomorrow's Automotive Software podcast, brought to you by ETAS, a single source of cutting-edge software and hardware solutions that make automotive embedded systems safe, smart, secure, and sustainable.
00:00:15 Voiceover
Each episode, we'll be joined by ETAS and industry experts to discuss how electrification, automation, and connectivity are impacting the automotive industry.
00:00:25 Voiceover
Now, sit back and enjoy the discussion.
00:00:32 Vasili Kutscherjavenko
Hi, everyone, and welcome to our ETAS Empowering Tomorrow's Automotive Software podcast.
00:00:37 Vasili Kutscherjavenko
Today, we will talk about purple teaming, and within this episode, we will try to describe it.
00:00:43 Vasili Kutscherjavenko
First things first, I would like to introduce myself.
00:00:46 Vasili Kutscherjavenko
My name is Vasili Kutscherjavenko.
00:00:48 Vasili Kutscherjavenko
I'm very excited to be today the host of this episode.
00:00:52 Vasili Kutscherjavenko
I work at ETAS.
00:00:53 Vasili Kutscherjavenko
My main roles are focused on security consulting, testing and strategy.
00:00:58 Vasili Kutscherjavenko
I'm the so-called engagement manager.
00:01:01 Vasili Kutscherjavenko
This means I'm responsible for leading our enterprise and plant security team.
00:01:06 Vasili Kutscherjavenko
And before we move into attack details, let's welcome Wolfgang and Rene to the conversation.
00:01:13 Wolfgang Neufeld
So my name is Wolfgang Neufeld.
00:01:16 Wolfgang Neufeld
I'm one of the security experts here.
00:01:19 Wolfgang Neufeld
Doing penetration testing, red teaming, purple teaming, and threat and risk analysis, and yeah, I'm happy to be here and having a nice conversation about purple teaming in ways it's needed.
00:01:32 Rene Reuter
Yeah, and also, hi from my side, my name is Rene Reuter.
00:01:35 Rene Reuter
I'm the Responsible Principal Manager for the Enterprise and Plant Security Services here at ETAS.
00:01:41 Rene Reuter
And today in the podcast, I will act as one of the red, blue, purple team experts.
00:01:46 Rene Reuter
And we will try to shed some light on what purple teaming actually is.
00:01:51 Vasili Kutscherjavenko
Thank you very much, guys.
00:01:53 Vasili Kutscherjavenko
In the previous episodes, you discussed both the red teaming and the blue teaming.
00:01:58 Vasili Kutscherjavenko
Here you explained what they are, what the benefits are, what roles are represented, and other personas inside blue teams and red teams.
00:02:11 Vasili Kutscherjavenko
Also you explained the topics from both sides, the technical and the non-technical side, which I really liked.
00:02:18 Vasili Kutscherjavenko
I really appreciate it and I hope we can keep it that way.
00:02:24 Vasili Kutscherjavenko
Let's see how these teams fit together and what are the benefits of purple teaming.
00:02:31 Vasili Kutscherjavenko
We can jump into why purple teaming or what is purple teaming with a brief explanation.
00:02:38 Rene Reuter
So basically the idea behind purple teaming is if you mix the red part, so the attack part, what we explained in the first podcast, and the blue team, so the defenders from our second episode, if you mix those two colors together, what comes out, that will be basically purple.
00:02:56 Rene Reuter
And what is meant by that is, instead of having this more or less blaming approach, meaning if you have just a red teaming exercise, the red team is going to prepare an attack, execute the attack towards your organization, write a report in the end, and basically give you this report, which highlights what kind of exploits they have used
00:03:20 Rene Reuter
and how they were able to achieve the target, whatever target was defined, maybe gaining access to the active directory or gaining access to a valuable database.
00:03:29 Rene Reuter
And this will then be basically put towards the blue team and the blue team gets a little bit of the blaming saying, look, the red team won again.
00:03:39 Rene Reuter
Why didn't our defense mechanism work?
00:03:42 Rene Reuter
Did you do anything wrong?
00:03:44 Rene Reuter
And so this is more or less what we refer to as a blaming approach.
00:03:48 Rene Reuter
And the purple team
00:03:50 Rene Reuter
approach will try to eliminate this blaming.
00:03:53 Rene Reuter
So instead of the red team doing the assessment by itself and then writing the report, the red team and the blue team, they will sit together in a workshop and the red team will execute their prepared attacks.
00:04:08 Rene Reuter
And the blue team will get immediate feedback whether they were able to detect a certain attack vector or not.
00:04:16 Rene Reuter
And this will of course be documented in a report or in just some notes with a timestamp.
00:04:21 Rene Reuter
And so this is a much more collaborative approach than the blaming approach before.
00:04:27 Rene Reuter
So red, blue, purple teaming is more or less a flavor of attack simulation.
00:04:32 Rene Reuter
So this is basically if you mix this together.
00:04:35 Vasili Kutscherjavenko
So
00:04:35 Vasili Kutscherjavenko
In this case, the combination of red and blue is a kind of flavor of attack simulation.
00:04:42 Vasili Kutscherjavenko
Why is it more important today than ever?
00:04:45 Vasili Kutscherjavenko
And the other fact is, Rene, you asked Sven a pretty good question last time in the blue teaming episode: how does AI influence engagements?
00:04:59 Rene Reuter
Yes, so when we recorded the last time, the blue team episode, I would say,
00:05:05 Rene Reuter
AI models were capable of doing some basic vulnerability research, some basic exploitation.
00:05:12 Rene Reuter
If you look at the, I would compare it a little bit of the level of expertise for like, for example, a penetration tester or a vulnerability researcher, it was around on a junior level, I would say.
00:05:26 Rene Reuter
This is what we saw in using the AI models for this kind of testing approaches, but AIs are evolving faster than ever.
00:05:34 Rene Reuter
And a couple of months ago, in February, there were new models released by Anthropic, especially the Opus model, or OpenAI's GPT models, which were specially trained on cybersecurity capabilities and have much better capabilities at basically doing exploitation and vulnerability research.
00:05:54 Rene Reuter
So this, of course, can be leveraged by attackers now because it will basically ramp down the time for vulnerability research;
00:06:04 Rene Reuter
the AI will take care of the vulnerability research and also on the exploit development.
00:06:09 Rene Reuter
That means the AI will be capable of developing exploits for known and also unknown vulnerabilities, which means the risk for businesses of getting hacked will increase much more in the future, as I would also assume that the models will improve more and more over the next couple of months.
00:06:27 Rene Reuter
And to survive this kind of game, the maturity of the incident response teams of the organizations, they must become much better or increase their maturity, especially for detection and reaction for real incidents.
00:06:41 Wolfgang Neufeld
Okay, what I think is AI is really good at finding bugs.
00:06:45 Wolfgang Neufeld
And for me as a penetration tester, doing a lot of stuff, asking AI to do the right stuff, it really helps in efficiency and everything.
00:06:54 Wolfgang Neufeld
But from my standpoint,
00:06:57 Wolfgang Neufeld
I would say organizations that were very mature in the past and had a plan on how to act on zero days because nothing else is more or less now happening.
00:07:10 Wolfgang Neufeld
Attackers are getting easier access to zero days or can create zero days in a very rapid time.
00:07:18 Wolfgang Neufeld
So this is what changes in my opinion.
00:07:22 Wolfgang Neufeld
companies who had a solid plan and are mature on how to tackle in the time window, let's say there's a vulnerability for an internet facing application and you somehow have to manage that in either patching or other preventive measures, then those companies, for those companies, not much changes in my opinion in the end.
00:07:45 Wolfgang Neufeld
The problem is not many organizations have that kind of level of maturity and for those
00:07:51 Wolfgang Neufeld
I think attack simulations and testing their processes and stuff is getting more and more important.
00:07:59 Vasili Kutscherjavenko
So in this case, the change of models bring up a new player in the game, but the security maturity model of a customer is a really huge point in the game of AI.
00:08:14 Rene Reuter
It just will increase the speed of getting hacked.
00:08:17 Rene Reuter
This will be the change for AI, I would say.
00:08:20 Rene Reuter
Depending on the maturity, of course, but what has changed is the speed for the attackers.
00:08:26 Wolfgang Neufeld
The speed and maybe also the pools of people that can attack you now.
00:08:30 Rene Reuter
Yeah, so with less expertise.
00:08:32 Wolfgang Neufeld
Yeah, with less expertise.
00:08:34 Wolfgang Neufeld
But if it comes to ransomware groups, for example, they had the money to buy expensive stuff, so it was already a business decision for them to, okay, what does it cost me to buy a zero-day and then what do I get in revenue?
00:08:48 Wolfgang Neufeld
So the
00:08:50 Wolfgang Neufeld
for the ransomware groups in my opinion was always there to do that and now maybe less skilled attackers might enter the game and try to access the market and try to attack you.
00:09:04 Wolfgang Neufeld
But in the end, from my perspective, not much is changing for companies that really had a defense system in place against zero days and a mature detection and response plan.
00:09:19 Rene Reuter
Do you think that also script kiddies are now able to attack organizations using AI?
00:09:28 Wolfgang Neufeld
To be honest, they were in the past already, but I don't think that if you have some decent security in place, the security EDR vendors and stuff.
00:09:39 Wolfgang Neufeld
I think even with AI, script kiddies will not be able to ask the right questions and to create the right programs even with AI.
00:09:47 Wolfgang Neufeld
It's luckily not that easy to do that.
00:09:52 Wolfgang Neufeld
But if you are a skilled malware engineer and you somehow can jailbreak your AI software or use jailbroken AI already,
00:10:03 Wolfgang Neufeld
If you ask the right question, AI is very impressive on doing and helping to do that.
00:10:09 Vasili Kutscherjavenko
So the fool with the tool is still a fool.
00:10:12 Wolfgang Neufeld
Yeah, this is, I think, what saves us a little bit.
00:10:16 Wolfgang Neufeld
But AI is getting better and better.
00:10:18 Wolfgang Neufeld
And if they step up in that game, when you always have to say, look, this is the program, find me all vulnerabilities,
00:10:26 Wolfgang Neufeld
If you do that now, you really have to babysit it a lot of times so it doesn't run in the wrong direction.
00:10:33 Wolfgang Neufeld
Even with some output, it can work, but not for complex tasks.
00:10:38 Wolfgang Neufeld
But if you know what you are asking and you have some feeling that, oh, there is some special bug, and even if it's complicated, even with reversing tasks or exploits that you have to write where you had to have some skills in the past,
00:10:53 Wolfgang Neufeld
that weren't easy to adapt, where you had like three or five years to adapt to a certain exploitation challenge, now you can do that.
00:11:03 Wolfgang Neufeld
And the skilled exploit developer that uses AI, he will be very efficient and this is something that changed.
00:11:13 Vasili Kutscherjavenko
So it is a bit scary and also good news to hear that not much
00:11:20 Vasili Kutscherjavenko
has changed, and that before we also had those script kiddies which were involved in the game.
00:11:26 Vasili Kutscherjavenko
But you're digging me into my next question about security maturity model of a company.
00:11:33 Vasili Kutscherjavenko
My question is how, when and why can I conduct a purple teaming and what kind of information is needed?
00:11:44 Rene Reuter
So I would say that depends clearly on what you want.
00:11:48 Rene Reuter
So there are typical scenarios which make sense at the moment to do a purple teaming, and there are three main scenarios, I would say, which are at the moment the ones most often simulated using purple teaming.
00:12:03 Rene Reuter
The first one is a very classic phishing and lateral movement scenario.
00:12:08 Rene Reuter
Phishing is basically where you send a crafted spear phishing e-mail to employees telling them, okay, look, here is a salary sheet, where you attach basically a compromised or malicious file, like an Excel file, call it the employee's salary Excel sheet, so the likelihood that someone will open it is very, very high, and then it will basically execute your malicious
00:12:32 Rene Reuter
code and you gain access to this employee's endpoint, and from there usually the attacker tries to move further within the network and is doing lateral movement.
00:12:44 Rene Reuter
Then there's also a second scenario, which is classical web application exploitation and data exfiltration, meaning an attacker is constantly scanning for vulnerabilities in internet-facing web applications of that organization or company and is trying to find vulnerabilities like, for example, a SQL injection where he can exfiltrate data from the database.
00:13:07 Rene Reuter
Or he's finding something called IDOR, insecure direct object references, which is a web application attack where you basically just alter an ID you see, for example, in a URL path, and then gain access to a different customer.
00:13:23 Rene Reuter
So this is one of the scenarios where you can then basically exfiltrate data or access sensitive data.
00:13:30 Rene Reuter
And the last one is also a very classic one, it's basically a ransomware simulation.
00:13:36 Vasili Kutscherjavenko
Ransomware sounds crucial.
00:13:38 Vasili Kutscherjavenko
How does this work?
00:13:41 Wolfgang Neufeld
Yeah, even ransomware has some classic ways that they follow.
00:13:46 Wolfgang Neufeld
Ransomware is currently a business, as already said.
00:13:50 Wolfgang Neufeld
They are highly organized groups that do different things.
00:13:54 Wolfgang Neufeld
There are different steps that are more or less always the same.
00:13:59 Wolfgang Neufeld
This is why there are currently standards also established for a while.
00:14:05 Wolfgang Neufeld
that you can look up.
00:14:07 Wolfgang Neufeld
One of the frameworks or standards you might have heard of already is MITRE ATT&CK, which is an attack framework which helps you to also plan red team or purple team engagements.
00:14:25 Wolfgang Neufeld
What's in there?
00:14:26 Wolfgang Neufeld
There are techniques, tactics, and procedures.
00:14:29 Wolfgang Neufeld
That is what it's called, the so-called TTPs.
00:14:32 Wolfgang Neufeld
And in the end, in these TTPs, you can more or less then define on how the engagement should look like.
00:14:41 Wolfgang Neufeld
And these are different phases that you then design more or less with that in place.
00:14:49 Wolfgang Neufeld
And depending on the skill set of the company that you hire to do this assessment, then they are able to also customize any of the three things.
00:15:02 Wolfgang Neufeld
even the tactics, the techniques, or the procedures in the end, so that you are not only testing against just one of the templates that's in there, because this is the easiest thing: if you have a script, then there will be some kind of checksum or some implementation at the security vendors,
00:15:21 Wolfgang Neufeld
if it's available and say, okay, if that script is run exactly with the same hash value, then it's easy to detect.
00:15:28 Wolfgang Neufeld
But what if you change something in there, then some vendors even fail already at that point.
00:15:34 Wolfgang Neufeld
These are the classic ones.
00:15:35 Wolfgang Neufeld
And this is what better purple teams or red teams can already do.
00:15:40 Vasili Kutscherjavenko
Awesome.
00:15:40 Vasili Kutscherjavenko
Sounds great.
00:15:41 Vasili Kutscherjavenko
So in this case, techniques are the how, the techniques are the why, and the procedures
00:15:51 Vasili Kutscherjavenko
is a specific implementation of a script or whatever.
00:15:58 Vasili Kutscherjavenko
Is it right?
00:15:59 Wolfgang Neufeld
Yeah, exactly.
00:16:01 Wolfgang Neufeld
And most of the time the procedures is that what the technical person, the red team, will adjust at that point.
00:16:09 Wolfgang Neufeld
The other tools are the high level parts where you can say, okay, you are in a certain phase.
00:16:13 Wolfgang Neufeld
For example, let's say I want to break into the company, so-called initial access phase.
00:16:21 Wolfgang Neufeld
And this is always the same.
00:16:22 Wolfgang Neufeld
So an attacker needs to find a way how to break in.
00:16:26 Wolfgang Neufeld
And this is something that normally doesn't change.
00:16:29 Wolfgang Neufeld
But this is something where you can say, OK, how to ease the setup in the end.
00:16:33 Wolfgang Neufeld
Let's say, for example, for the initial access, you can say either we have to do the full program, like going for the phishing mail, setting up domains, phishing the user, and all that stuff.
00:16:46 Wolfgang Neufeld
Or we can say, okay, we skip this because we know our employees will always find someone who clicks on the mail or it's always reasonable that some kind of credentials are out there that you can buy.
00:16:59 Wolfgang Neufeld
And then you start with a so-called assumed breach, where you say, okay, we give you an infected laptop that simulates the attacker.
00:17:12 Wolfgang Neufeld
Somehow the attacker has made it to the client.
00:17:16 Wolfgang Neufeld
And from there you start your investigation.
00:17:19 Wolfgang Neufeld
That saves a lot of money and it's also a very realistic part to go from there.
00:17:25 Wolfgang Neufeld
Because the old way of thinking, it's long over that you say, okay, we want to prevent that the attacker is even able to come to the point that he has a compromised endpoint or an internal standpoint from where he can act.
00:17:39 Wolfgang Neufeld
If you still think like that, then your company is really in high risk because that is gone the times that you can prevent stop.
00:17:46 Wolfgang Neufeld
You have to prevent, yeah, as much as possible, but in the end you have to take into account that the attacker is one step further in your network and act as an internal.
00:17:58 Rene Reuter
I would also highlight that the old thinking of trusting your internal networks is also gone with that approach, because basically, as Wolfgang already mentioned, the chance that an attacker will compromise one of your employees via an endpoint, or even a server which is internet-facing, is very, very likely nowadays.
00:18:20 Rene Reuter
So you have to adapt your defense-in-depth mechanisms much more.
00:18:28 Rene Reuter
and assume also that the internal network might be compromised.
00:18:32 Rene Reuter
So you have to set up proper monitoring protections there as well.
00:18:37 Wolfgang Neufeld
Exactly.
00:18:38 Wolfgang Neufeld
And when we come to the purple teaming approach, this is where you then do so-called atomic steps.
00:18:44 Wolfgang Neufeld
Like, for example, you have the possibility that you are now on the endpoint, and now what has an attacker to do?
00:18:51 Wolfgang Neufeld
An attacker now normally tries to elevate the privileges on the host system that he is.
00:18:56 Wolfgang Neufeld
And this is where the security solutions shine, where they can detect, okay, some.
00:19:02 Wolfgang Neufeld
somebody is trying, with a very simple whoami call in a CMD executable, to find out what rights do I currently have, what programs might already have known security vulnerabilities.
00:19:17 Wolfgang Neufeld
So it starts enumeration.
00:19:19 Wolfgang Neufeld
And in this enumeration phase for a privilege escalation, there are a lot of indicators that a security solution can flag.
00:19:28 Wolfgang Neufeld
And now the interesting part starts with
00:19:32 Wolfgang Neufeld
OK, what is the blue team doing with that information?
00:19:34 Wolfgang Neufeld
At this point the attacker is already in my network, but he's not literally moving in the network right now.
00:19:42 Wolfgang Neufeld
He's still in the phase of trying to get a better foothold to get admin rights on the system or system rights on a Windows system or root rights on a Linux system.
00:19:54 Wolfgang Neufeld
and go from there.
00:19:56 Wolfgang Neufeld
So there are a lot of possibilities to catch him.
00:19:58 Wolfgang Neufeld
And this is where now purple teaming tries to find out how good are your procedures, how good are your reaction times at that point.
00:20:06 Vasili Kutscherjavenko
Did I understand it right?
00:20:10 Vasili Kutscherjavenko
There are different flavors of purple team engagements, like with an assumed breach scenario.
00:20:19 Vasili Kutscherjavenko
Is it the normal way to do assume breach or is it
00:20:25 Vasili Kutscherjavenko
more like a black box test or what is your advice to do purple teaming?
00:20:32 Rene Reuter
I would say that highly depends on what the customer wants to see or what wants to be tested by the customer.
00:20:40 Rene Reuter
Frankly speaking, I would always advise to go for the assumed breach scenario because Wolfgang already mentioned it, you're going to save a lot of money.
00:20:48 Rene Reuter
if you just assume that someone already compromised one of your clients in the network instead of spending a lot of money on the phishing attempts from the red team, because the chances that one of your employees, and this is of course not any blaming towards your employees, but the chances that someone will click on a malicious file or will browse to a malicious website is very likely.
00:21:12 Rene Reuter
So the question that must be asked from a customer perspective is: am I willing to
00:21:18 Rene Reuter
spend this money to find out that basically breaching or hacking an endpoint is very easy to achieve?
00:21:28 Rene Reuter
Or should we more concentrate on, okay, this is already achieved and the chances are very high that an attacker is achieving that, but what happens after that?
00:21:36 Rene Reuter
Because yes, a client can be hacked and this is obviously not good for the company, but the question is more or less afterwards,
00:21:43 Rene Reuter
What is the attacker able to do with it?
00:21:45 Rene Reuter
So, what kind of systems is he able to access?
00:21:49 Rene Reuter
Is he even able to elevate his privileges, what Wolfgang just mentioned?
00:21:54 Rene Reuter
Is he then able to move into your network?
00:21:57 Rene Reuter
targeting valuable systems like your active directory, issuing golden tickets, those are all potential attacks attackers are doing.
00:22:06 Rene Reuter
So this is more or less the question I think personally purple teaming should answer, not about can we compromise a single client.
00:22:15 Wolfgang Neufeld
Yeah, and there are much cheaper ways to achieve it.
00:22:19 Wolfgang Neufeld
Everyone knows the phishing e-mail that is sent out in every company for awareness sessions and stuff like that.
00:22:27 Wolfgang Neufeld
There you already have the percentage of how many people click on something, and this is very much cheaper than a purple teaming engagement.
00:22:36 Wolfgang Neufeld
Purple teaming engagement is something from the business side that you really want to check also the processes and the technical improvements that you have in the end, because...
00:22:48 Wolfgang Neufeld
After we, for example, let's say we mimic something that a real attacker would do.
00:22:54 Wolfgang Neufeld
So we have the possibility to run code on an endpoint as a normal user.
00:22:59 Wolfgang Neufeld
And let's say some of the ransomware groups, for example, use so-called bring your own vulnerable driver, so drivers that a user is able to install;
00:23:12 Wolfgang Neufeld
you normally need admin rights for that, but let's assume somehow we already achieved that step because of bad third-party software on the client.
00:23:21 Wolfgang Neufeld
And then we are now doing the installation of the driver with the admin rights.
00:23:27 Wolfgang Neufeld
And this is a crucial step where we say, okay, how can you now determine that the installation of a vulnerable driver is happening in your organization currently?
00:23:39 Wolfgang Neufeld
Do you have alerting on that?
00:23:41 Wolfgang Neufeld
And this is something where purple teaming then shines, because you see the red team is now telling you, we are now installing this driver, and this is a crucial point where, if that succeeds and the attacker is then able to drive with that driver, more or less, and he can talk to the driver, then on that level he can really disable everything that is on the host system in terms of security.
00:24:11 Wolfgang Neufeld
So you have achieved the same level that the security guard, the security software has if you have driver level access.
00:24:19 Wolfgang Neufeld
So after that point, you can be sure if you have a skilled attacker, you will see nothing anymore, at least from that host.
00:24:29 Wolfgang Neufeld
So this is something where you then start in the discussion with the blue team and say, okay, look, you have this option, for example, that you monitor what drivers are being loaded.
00:24:40 Wolfgang Neufeld
Maybe you have a checklist, maybe you have a good and known bad list.
00:24:44 Wolfgang Neufeld
Microsoft already has something that prevents known vulnerable drivers, for example, but yeah, what about the zero angel again or the AI that will assist you to find that stuff?
00:24:56 Wolfgang Neufeld
So this is why it's so important to have purple teaming and this is where it really shines.
00:25:01 Vasili Kutscherjavenko
Will there be such kind of evidence for an engagement or is it everything on the fly?
00:25:08 Vasili Kutscherjavenko
When the team's sitting together, how do you ensure evidence of attacks, of detects, of...
00:25:18 Wolfgang Neufeld
It depends.
00:25:19 Wolfgang Neufeld
So there are low-hanging fruits where you can, for example, from experience, exactly tell the blue team, okay, do this step, and you already, for example, for the driver point, you could say, look,
00:25:32 Wolfgang Neufeld
this is the web page, this is the implementation, we have the perfect rule for you, just implement it.
00:25:37 Wolfgang Neufeld
There are sometimes these cases, but in the end there are also a lot of cases where you say, okay, this is a lot more than just tuning one or two rules in your SIEM because sometimes the process is bad.
00:25:50 Wolfgang Neufeld
So what we often see is that they have endpoint detections and then you have, for example, the detection on the loading of the driver.
00:26:00 Wolfgang Neufeld
But then your reaction time for this event is like, okay, in the next 48 hours, your SOC team will call you with an e-mail or send you an e-mail and say, okay, there was something suspicious.
00:26:13 Wolfgang Neufeld
Yeah, great.
00:26:14 Wolfgang Neufeld
So you have a host system that was completely compromised.
00:26:17 Wolfgang Neufeld
48 hours is much too late.
00:26:19 Wolfgang Neufeld
You have lost it.
00:26:21 Wolfgang Neufeld
And depending on the system and the speed of the attackers that automate more or less everything, 48 hours might be too late.
00:26:28 Wolfgang Neufeld
And this is also a type of discussion that you then have to take out of the purple teaming session and say, okay, look, this is the lessons learned.
00:26:36 Wolfgang Neufeld
Try to improve that.
00:26:38 Wolfgang Neufeld
Try to find out how to get budget or
00:26:42 Wolfgang Neufeld
whatever to improve that process in the end.
00:26:44 Vasili Kutscherjavenko
Understood.
00:26:45 Vasili Kutscherjavenko
So in this case there will be a kind of transcribed way of working together, right?
00:26:54 Vasili Kutscherjavenko
And the kind of guidance for the whole team.
00:26:58 Vasili Kutscherjavenko
So for the red team is, for the blue team is, so the purple team will guide through an engagement.
00:27:05 Rene Reuter
Yes.
00:27:06 Rene Reuter
So there will be one or even more dedicated purple teamer sitting in the workshop and the task for them is basically leading the workshop and getting everybody on board and organizing everything and telling the red team, okay, now it is your duty to execute the following attack.
00:27:26 Rene Reuter
Please share what you're doing and then also immediately asking the blue team, did you see anything in your
00:27:33 Rene Reuter
Security solutions, so the purple team part is basically the one doing a little bit of the orchestration of both teams and supervising them and just organizing the workshop all around it.
00:27:46 Rene Reuter
But I also want to circle back a little bit more to our ransomware example because I think we got lost a little bit in the technical details.
00:27:54 Rene Reuter
So just to summarize it again, because we started with this ransomware example.
00:27:58 Rene Reuter
So what we learned is, okay, the attacker is starting with the initial access compromising an endpoint, either using phishing techniques or we start with the assumed breach.
00:28:07 Rene Reuter
Then next step would be to escalate privileges on this compromised endpoint.
00:28:14 Rene Reuter
So let's assume he was able to, like Wolfgang said, use, for example, vulnerable driver vulnerabilities, and he now has system or root rights on this endpoint.
00:28:27 Rene Reuter
What are now the next steps?
00:28:29 Wolfgang Neufeld
I think now this is something where the EDRs got better and better.
00:28:35 Wolfgang Neufeld
So the first thing that I would say in the past, it was really hard to get initial access.
00:28:41 Wolfgang Neufeld
And this is still one point that is hard today, but if the user somehow executes an executable or a package, if you get the social engineering to the user, then getting the initial foothold is still something that is possible if you can download executables or stuff like that.
00:29:01 Wolfgang Neufeld
The problem now is EDRs did become really good at catching
00:29:06 Wolfgang Neufeld
when a user tries to move laterally.
00:29:08 Wolfgang Neufeld
So going from one computer to another one or does enumeration in the network.
00:29:14 Wolfgang Neufeld
This is where EDRs in my opinion got really good for various reasons.
00:29:21 Wolfgang Neufeld
And this is something where you then have to find out, okay, are my processes in place?
00:29:26 Wolfgang Neufeld
Because you will highly likely often get some kind of alerting there.
00:29:32 Wolfgang Neufeld
But then what do you do with that kind of alerting?
00:29:35 Wolfgang Neufeld
Is it high enough?
00:29:36 Wolfgang Neufeld
Do you do something with it?
00:29:38 Wolfgang Neufeld
If the attacker is able to move laterally in the end, then you at least need to have some kind of overview on where did he successfully move everything.
00:29:50 Wolfgang Neufeld
This is what we covered also in the blue team.
00:29:54 Rene Reuter
You need to have logs.
00:29:55 Wolfgang Neufeld
Yeah, exactly.
00:29:57 Wolfgang Neufeld
And before you call the incident response team, it helps you with recovering your data.
00:30:05 Rene Reuter
Okay, so now the attacker successfully moved in the internal network and of course what they are seeking the attackers is they will not move to another endpoint.
00:30:13 Rene Reuter
What they are doing is they of course try to scan a little bit in the internal network and try to find for obvious reasons valuable targets.
00:30:22 Rene Reuter
This could be a myriad of systems, those could be database systems, SharePoint systems, file servers, or of course the Active Directory, depending a little bit on the goal of the attacker.
00:30:34 Rene Reuter
But if you look back to our ransomware example, usually what they do is they look for file storage systems, so file servers and SharePoints.
00:30:42 Rene Reuter
So first of all, they will, in this next phase, they will laterally move towards those systems using credentials they somehow gained
00:30:50 Rene Reuter
either from the compromised endpoint, using the credentials there, or using different techniques, and the next thing is he will try to exfiltrate this data.
00:31:01 Rene Reuter
So using C2 channels is usually very common.
00:31:06 Rene Reuter
What else is there?
00:31:07 Wolfgang Neufeld
Yeah, I think it depends on the amount of data that you want to exfiltrate.
00:31:12 Wolfgang Neufeld
So if you just go for example for the credentials somehow, some small megabyte packages, then you can go over the standard C2 channels.
00:31:23 Wolfgang Neufeld
But some ransomware groups sometimes simply exfiltrate everything they find.
00:31:27 Wolfgang Neufeld
So it's more terabytes
00:31:31 Wolfgang Neufeld
of data, then you go for the cloud, for example, and move that to S3 buckets in Amazon or whatever.
00:31:39 Wolfgang Neufeld
This is usually the thing then.
00:31:42 Rene Reuter
Okay, and then so now he has exfiltrated the data and I guess in our ransomware example, last step would be to basically encrypt your data.
00:31:50 Wolfgang Neufeld
Yeah.
00:31:51 Rene Reuter
And of course, not sharing the private key with you because what they will do, they will try to blackmail you and will exfiltrate money.
00:31:59 Rene Reuter
And this is one of the core reasons to do ransomware.
00:32:05 Wolfgang Neufeld
And there are also many steps that you can simulate where an EDR should then alert.
00:32:11 Wolfgang Neufeld
But this is somehow shockingly working quite well.
00:32:14 Wolfgang Neufeld
If you do it on your own, if you have your own crypto written in Python, for example, or stuff like that, it seems to be very hard to detect this encryption, actually.
00:32:24 Wolfgang Neufeld
So this unfortunately seems to work also pretty fine in our engagements that we try still.
00:32:32 Wolfgang Neufeld
But yeah, so this is something that would be the last line of defense where you really want to find out, okay, someone is scripting stuff.
00:32:40 Wolfgang Neufeld
Because maybe you are lucky that some systems, that you can at least, for example, save the backup servers or whatever, depending on the skill set of the attacker.
00:32:50 Wolfgang Neufeld
If the attacker is good, then he will first encrypt your backups or delete your backups and start then the encryption.
00:32:57 Rene Reuter
If you have a backup server.
00:32:58 Wolfgang Neufeld
If you have a backup server.
00:32:59 Rene Reuter
There's an if involved.
00:33:00 Rene Reuter
And also, even if you have a backup server, reality shows that a lot of companies have never tried to
00:33:07 Rene Reuter
basically play back the backup.
00:33:09 Rene Reuter
This is also one of the scenarios a lot of people are not testing.
00:33:13 Rene Reuter
Just by doing a backup doesn't mean you can roll it back.
00:33:16 Rene Reuter
So this has also been tested.
00:33:19 Wolfgang Neufeld
Yeah, what time do you need to fully restore?
00:33:21 Wolfgang Neufeld
So sometimes you have the backup and the backup would run, but it would take too much time, like really weeks,
00:33:30 Wolfgang Neufeld
to deploy all the computers that are encrypted with the backups.
00:33:35 Wolfgang Neufeld
And then you don't know in that step, okay, maybe the attacker still has access to your systems, where are the backdoors?
00:33:42 Wolfgang Neufeld
And then he would simply visit you back and then re-encrypt everything.
00:33:47 Wolfgang Neufeld
So yeah, it's not that easy.
00:33:50 Vasili Kutscherjavenko
Sounds great.
00:33:51 Vasili Kutscherjavenko
So the ransomware example was a nice one.
00:33:57 Vasili Kutscherjavenko
So you started out with compromising endpoints, then escalating privileges, disabling security solutions, scanning, lateral movement, exfiltration, and at the end you had the encryption example.
00:34:11 Vasili Kutscherjavenko
So those kind of things are available inside MITRE framework, right?
00:34:18 Vasili Kutscherjavenko
With TTPs, so with the techniques, techniques and procedures, also known IOCs, indicators of compromise.
00:34:27 Vasili Kutscherjavenko
So another question came up in my head.
00:34:30 Vasili Kutscherjavenko
Does this approach with MITRE cover all?
00:34:36 Vasili Kutscherjavenko
So in this case, all attacks, all IOCs, or is there something more?
00:34:43 Vasili Kutscherjavenko
How to ensure so?
00:34:46 Wolfgang Neufeld
I think that's a good question.
00:34:47 Wolfgang Neufeld
In the end, MITRE has
00:34:50 Wolfgang Neufeld
made a design decision.
00:34:52 Wolfgang Neufeld
And MITRE is there that they say, okay, we will cover what has been done in reality and then we will try to structure it.
00:35:02 Wolfgang Neufeld
So every attack that you see in the MITRE framework has somehow been seen in reality.
00:35:10 Wolfgang Neufeld
Some attacker used that type of procedure, technique, whatever, to compromise something.
00:35:19 Wolfgang Neufeld
So
00:35:20 Wolfgang Neufeld
this is more or less fact-based.
00:35:22 Wolfgang Neufeld
What the MITRE framework is not covering is what if an attacker uses software, for example, that was not compromised before.
00:35:33 Wolfgang Neufeld
So it's like some kind of basic checks.
00:35:37 Wolfgang Neufeld
But what if your environment differs a lot from what MITRE is covering?
00:35:42 Wolfgang Neufeld
Then you might have problems.
00:35:44 Wolfgang Neufeld
And this is what we see, not much, but it's a development,
00:35:49 Wolfgang Neufeld
what we think will be the future because security solutions are getting better and better and attackers are trying to fly under the radar.
00:35:59 Wolfgang Neufeld
And what they are doing is they try to find security problems in software that has high capabilities in your environment.
00:36:10 Wolfgang Neufeld
Where they, for example, a software, something like an installation, what is it called,
00:36:18 Wolfgang Neufeld
software distribution management system, where you can say, okay, on all laptops now distribute this new application.
00:36:26 Wolfgang Neufeld
And if you have the rights to this application, this is much more likely to not trigger an alarm in an EDR system if you say, hey, this is the new crypto software that everyone needs, which then in the end encrypts all your workstations and stuff like that.
00:36:45 Wolfgang Neufeld
This is something that can evade
00:36:47 Wolfgang Neufeld
your EDR system and security system.
00:36:50 Wolfgang Neufeld
And this is something where we invented some kind of flavor to check for this kind of stuff and do a purple teaming assessment with another flavor.
00:37:00 Wolfgang Neufeld
But this would be too much for this episode.
00:37:02 Wolfgang Neufeld
And I think we will cover this in the upcoming episode then.
00:37:07 Vasili Kutscherjavenko
Sounds great.
00:37:09 Vasili Kutscherjavenko
So guys, thank you very much for the explanation, for your time, for such a good conversation here.
00:37:16 Vasili Kutscherjavenko
And sorry for
00:37:18 Vasili Kutscherjavenko
how to say, drifting you up with my questions sometimes.
00:37:21 Vasili Kutscherjavenko
It's fine.
00:37:23 Vasili Kutscherjavenko
And yeah, for all of us, if you need help or need more information, feel free to reach out to us.
00:37:31 Vasili Kutscherjavenko
And thanks for listening, and we hope you join another session.
00:37:35 Vasili Kutscherjavenko
Thank you.
00:37:36 Wolfgang Neufeld
Thank you.
00:37:37 Wolfgang Neufeld
Bye.
00:37:40 Voiceover
Thank you for joining this episode of the Empowering Tomorrow's Automotive Software podcast.
00:37:45 Voiceover
Please leave a comment or review with your feedback or what you'd like to hear in future episodes.
00:37:50 Voiceover
To learn more about automotive embedded systems and ETAS's capabilities, visit our website at ETAS.
00:37:56 Voiceover
That's ETAS.com.