We then add the Docker repo GPG keys: sudo install -m 0755 -d /etc/apt/keyringsĬurl -fsSL https: ///linux/ubuntu/gpg | sudo gpg -dearmor -o /etc/apt/keyrings/docker.gpg We first install the necessary dependencies: sudo apt-get update In order to install Docker, we will be following the official instructions. If you wish to run all the tooling outlined in this blog on one virtual machine, then we recommend a 圆4/amd64 architecture. At time of writing, Vectr does not support ARM architectures. Please note that throughout these instructions, a virtual machine with an ARM architecture is used, if the virtual machine you are running is not ARM, then please adjust the relevant installation instructions to match your particular architecture. Now that you have all the tools to follow along, let’s dive in and get it all set up. Vectr will be used to track our purple teaming activities on our local Kubernetes cluster. Laurel will be used to transform these auditd logs into JSON format so that they are easier to work with and query. We will be using an auditd configuration file on our virtual machine in order to get host-level telemetry from our Kubernetes cluster. Minikube will make it possible for us to run a Kubernetes instance on our virtual machine.Ī free Sumo Logic account will be used in order to monitor our Kubernetes installation. This virtual machine will be running our Kubernetes cluster as well as various other logging tools in addition to Vectr itself.ĭocker will act as our Kubernetes driver and will host our Vectr instance, all on the same virtual machine. Tooling overviewīefore getting into the various techniques, tactics and procedures (TTPs) as well as technical details, let us step back for a moment and do a quick overview of all the tooling involved and highlight the function that each piece performs. Some additional resources on purple teaming can be found here and here – you can also check out this case study to learn how Sumo customers leverage the platform to perform their own purple teaming exercises. Overall, however, purple teaming generally encompasses the dynamic of collaboratively attacking a system, checking the results of the attack, tracking the related metrics and then iterating all with the goal of improving system security, response and resiliency. Purple teaming engagements and exercises can come in many flavors and may lean more to one side of the red-blue spectrum than the other, depending on how the exercise is laid out and who the recipient of the engagement is. It should come as no surprise then, that purple teaming is a mix of both blue and red aspects of the cyber security spectrum. This dichotomy between red and blue is often blurry, as some red teamers may want to perform threat hunting to hone their evasion skills and some SOC analysts may want to understand how an attack tool works in order to craft more comprehensive detection logic. With those on the attacking end (penetration testers, red teamers) being associated with the red color and those on the defending end (SOC analysts, threat hunters) being associated with the blue color. Within the information security community, colors have been ascribed to the attack/defense spectrum. What is purple teaming?īefore diving head first into the tooling, attacks & defenses, we should pause for a moment and outline what purple teaming is and why it's a powerful tool for developing defenses for complex applications and networks. We will provision and configure this lab, send the relevant telemetry to a free Sumo Logic instance and track our testing activities using the awesome Vectr tool. Now, let’s extend this work and outline how to set up a Kubernetes home lab. The Sumo Logic team has previously authored articles on Kubernetes DevSecOps vulnerabilities and best practices as well as Kubernetes logging and monitoring. From a threat detection standpoint, however, it is often difficult for newcomers to this space to gain the relevant hands-on experience without trampling over production environments. Kubernetes, and containerization in general, has a wealth of benefits for many teams operating cloud-native applications.
0 Comments
Leave a Reply. |