On This Page

ATT&CKing the Enterprise - A Purple Team's approach to protecting your environment

Ryan Linn
August 4-7


Even organizations who are not ready for Red Teaming, or who can't afford it can benefit from a greater understanding of the adversarial mindset, but how to get it? Threat and Malware analysis provide some insight, but may be limited to traditional atomic IOCs. So, how do we move beyond that?

This course will introduce actual advanced attacks using MITRE's ATT&CK framework and walk students through cutting edge attack TTPs, including evasion techniques, novel means of persistence, and how living on the land ain't what it used to be. Throughout these hands-on exercises, we will discuss how best to detect the trails and identify true malfeasance. We will even discuss defensive tactics for organizations who don't have in-house EDR products at their disposal.

Day by Day overview:

Day 1 - ATT&CK Overview and Initial Exploitation
  • Overview of ATT&CK framework
  • How to use ATT&CK and Pre-ATT&CK to map real attacks
  • Real attacks mapped with ATT&CK
  • Operational assumptions (How to Purple)
  • Setting expectations, communication, and documentation (how ATT&CK can establish a common language to unify Purple teams)
  • In the weeds: Preparing your Red Team Op
  • In the weeds: Preparing your Blue Team, critical questions
  • Post-Exploitation: The art of C2, detections, evasions
  • Cutting edge persistence, rethinking detection

Day 2/3 - Inside the Perimeter: Moving "without a trace"
  • The Latest in Escalation and Lateral Movement (and what you need to have if you want to detect it)
  • Fileless Malware
  • Diskless exploitation
  • Abusing Kerberos
  • Evasive maneuvers and execution: more than just living off the land and why more security controls probably won't help you
  • How do Attackers know what you don't know about your environment? Discovery, Credential Access, and Collection for everyone

Day 3/4 - Thinking beyond traditional IR and Hunting
  • What if you don't have an EDR product?
    • Detecting Escalation and Lateral movement with Honeynets and Honey Tokens
    • Defensive WMI Subscriptions
  • Getting better IOCs: Using Threat Intelligence with ATT&CK
  • Analysis of ATT&CK trends to prioritize how limited resources are spent
  • Clever exfiltration, pull out your packet sniffers
  • Quick wins for Blue Teamer

Who Should Take this Course

This course is designed for red team members, pen testers, and defenders who want to better understand the technical aspects of some of the latest trending attacks and their defense.

Student Requirements

The ideal student would have experience as a penetration tester, red team member, defender, or incident responder. This is a technical class, so knowledge of Windows is required. A basic knowledge of Linux will be helpful, but is not required.

What Students Should Bring

Students should bring a laptop with a wired network adapter that has the ability to install software. The laptop should have enough free disk space and memory to install a virtualization platform such as VMWare Player or VirtualBox and at least 10G of free disk space.

What Students Will Be Provided With

Students will be provided with a virtual machine with tools installed as well as a workbook to follow along with in-class exercises.


Ryan is the leader of a red team, a penetration tester, an author, a developer, and an educator. He comes from a systems administration and Web application development background, with many years of IT security experience. Ryan currently works as the team lead for a red team at a large organization, and is a contributor to open source projects including Metasploit and BeEF, the Browser Exploitation Framework.

Thomas McCarthy is the Director of Nuix's Cyber Threat Analysis team. He has more than a decade's experience as an organizational hardening and infrastructure security expert, conducting hundreds of penetration tests and advanced attack simulations for some of the world's largest companies across all industry verticals. Tom applies this real-world intelligence to Nuix's solutions and security programs. He is lead instructor for Nuix's Hack It and Track It class and a certified security and forensics trainer for the United States Secret Service, National Cyber Forensics Institute, Australian Federal Police, Majura Forensic Facility, National Israeli Police Academy, and other governments and institutions around the world. Tom is an established security researcher who frequently presents his findings to organizations and at global industry conferences. He contributes to multiple open source security projects.

Heather Linn has worked in incident and problem management, vulnerability management, software test, access controls, TVM, penetration test, DFIR and purple team consulting, red teaming, and now hunt. She has worked for startups and Fortune 50 companies. Purple team has been her favorite thing to do, followed by pentest and red team. Her current passion is trying to revolutionize how people think about what we do through evolution of the MITRE ATT&CK framework. She holds a Bachelor of Science in CIS, an OSCP, CISSP, GCFA, and is formerly a GSEC, GCIH, and future GREM and GNFA. She is also a published fiction writer and a professional technical editor.