Cloud Security Today

The world of purple teaming

Matthew Chiodi Season 4 Episode 9

This month, we welcome Eric Gagnon, Team Lead of Adversary Simulation, Purple Teaming, and Tradecraft Development at Desjardins. The conversation covers a wide range of topics related to cybersecurity, including purple teaming, red teaming, blue teaming, and Eric's journey in cybersecurity. Eric shares insights on certifications, threat hunting, cloud security, and the importance of knowledge exchange between red and blue teams. He also discusses the use of AI in cybersecurity and the need to stay sharp in the field.

Takeaways

  • Purple teaming involves collaborative operations to exchange ideas, evaluate security controls, and test out tactics, techniques, and procedures (TTPs) real threat actors use.
  • Certifications in cybersecurity, such as Offensive Security Certified Professional (OSCP) and Offensive Security Certified Expert (OSCE), provide valuable knowledge and an edge in the field.
  • Threat hunting involves looking for a granular activity that may indicate a compromise, filtering out the noise, and focusing on the suspicious behavior of threat actors.
  • Cloud security requires automation, cyber hygiene, and visibility, focusing on prioritizing techniques and testing them against the enterprise's environment.
  • Knowledge exchange between red and blue teams during a purple team engagement is essential and should include a common language, centralized documentation, and reporting against the MITRE ATT&CK framework.
  • Staying sharp in cybersecurity involves continuous learning, participation in CTFs, engaging with passionate individuals, and challenging oneself through talks, podcasts, and specialized training.
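As an added example (not code from the episode, from Desjardins, or from VECTR), here is a small Python ledger in the spirit of the expected-versus-observed test-case tracking the episode describes: each purple-team test case records what the security controls were expected to do and what the blue team actually observed, a gap is flagged when the observation is weaker than expected, and results roll up per ATT&CK technique the way a coverage heat map would. The technique ids are real ATT&CK ids; the sprint contents and the remediation mapping are constructed assumptions.

```python
"""Purple-team test-case ledger: expected vs observed outcomes, gap finding,
and a per-technique coverage summary (added example, not from the podcast)."""
from dataclasses import dataclass
from enum import IntEnum


class Outcome(IntEnum):
    # Ordered from weakest to strongest control behaviour so we can compare.
    NONE = 0       # no telemetry at all
    LOGGED = 1     # event recorded, but no alert raised
    DETECTED = 2   # alert raised for the blue team
    BLOCKED = 3    # prevented outright by a control


@dataclass(frozen=True)
class TestCase:
    technique_id: str  # ATT&CK (sub-)technique id the procedure maps to
    name: str          # short description of the procedure that was run
    expected: Outcome  # what red and blue agreed the controls should do
    observed: Outcome  # what the blue team actually saw after the run


def is_gap(tc: TestCase) -> bool:
    """A gap exists when the observed behaviour is weaker than expected,
    e.g. a procedure expected to be detected that was only logged."""
    return tc.observed < tc.expected


def recommendation(tc: TestCase) -> str:
    """Remediation category for a gap. Assumption (not from the episode):
    no telemetry is a visibility problem, an expected block that did not
    happen needs a preventive capability, otherwise new detection logic."""
    if not is_gap(tc):
        return "none"
    if tc.observed == Outcome.NONE:
        return "visibility / telemetry"
    if tc.expected == Outcome.BLOCKED:
        return "new preventive capability"
    return "new detection logic"


def gap_report(cases):
    """One row per gap: technique, procedure, expected, observed, action."""
    return [
        (tc.technique_id, tc.name, tc.expected.name, tc.observed.name,
         recommendation(tc))
        for tc in cases if is_gap(tc)
    ]


def coverage_by_technique(cases):
    """Best observed outcome per technique id: one cell of a heat map."""
    best = {}
    for tc in cases:
        best[tc.technique_id] = max(best.get(tc.technique_id, Outcome.NONE),
                                    tc.observed)
    return best


def sprint_summary(cases):
    """Count of test cases per observed outcome for the sprint report."""
    counts = {o.name: 0 for o in Outcome}
    for tc in cases:
        counts[tc.observed.name] += 1
    return counts


# Constructed sample sprint (assumption): five procedures run in one sprint.
SPRINT = [
    TestCase("T1003.001", "LSASS memory dump with Mimikatz",
             Outcome.BLOCKED, Outcome.BLOCKED),
    TestCase("T1558.003", "Kerberoasting service ticket request",
             Outcome.DETECTED, Outcome.LOGGED),
    TestCase("T1087.002", "Domain account discovery",
             Outcome.LOGGED, Outcome.LOGGED),
    TestCase("T1021.002", "Lateral movement over SMB admin share",
             Outcome.DETECTED, Outcome.NONE),
    TestCase("T1547.001", "Registry run key persistence",
             Outcome.DETECTED, Outcome.DETECTED),
]


if __name__ == "__main__":
    for row in gap_report(SPRINT):
        print("GAP", *row)
    for tid, best in sorted(coverage_by_technique(SPRINT).items()):
        print(tid, best.name)
    print(sprint_summary(SPRINT))
```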

Chapters

00:00
Introduction to Purple Teaming and Cybersecurity Journey

08:09
Certifications and Insights in Cybersecurity

15:08
Threat Hunting and Granular Activity Detection

35:02
Knowledge Exchange in Purple Teaming: Red and Blue Collaboration

39:57
Staying Sharp in Cybersecurity: Continuous Learning and Engagement


Matt (00:01.102)
Eric, thank you for coming on the show.

Eric M. Gagnon (00:03.302)
Thank you for having me, Matt.

Matt (00:05.454)
This is going to be fun. I was looking through the show from the last three plus years and I've never had anyone on to cover purple teaming, red teaming, blue teaming, none of that. So this is, this is going to really be really good. So you get to be the first one to talk about it.

Eric M. Gagnon (00:18.63)
Awesome. Yeah.

That's awesome. So I'm the right guy. So I touch pretty much all those colors.

Matt (00:27.342)
That's great. All right, so let's jump right in. Tell me a little bit about your background and your journey in cybersecurity. How did you get started? What led you to your current role at Desjardins?

Eric M. Gagnon (00:40.966)
Yeah, so basically right now I'm the manager of the red team, the purple teaming and also an offensive proactive research team at Desjardins. First of all, Desjardins is one of the largest federations of credit unions in North America. It's like a big financial institution and we have a really mature security team. We have 30 offensive security experts doing like pen testing, threat modeling, application security, offensive proactive research, red teaming and purple teaming. And we also have a really good defensive team. They have like more than 200 experts in their team doing like SOC analysis, detection engineering, threat intelligence, threat hunting, forensics, incident response, and all those other blue teaming jobs that exist out there. So how did I get started? I think pretty much like every hacker my age, we got a family computer at a pretty young age. And my dad taught me how to use basic commands, pretty much to start games and menus, stuff like that, and I really liked it. And basically I always wanted to learn new stuff to show my friends, show my family, and started repairing computers at a really young age. I didn't do like zero day stuff and hack NASA at eight years old. That wasn't me, but I actually worked at Staples selling computers as my first job. So I always liked computers. So when it was time for me to select a career, basically I chose computing. I went to University of Moncton in New Brunswick for a computer science degree. I quit the program after three years because I was looking into the future that that degree was getting me into and I wasn't really liking the...

Eric M. Gagnon (03:03.718)
programming and developing aspect of it. So I quit and I didn't regret it. I did a one-year college degree in technical computing and cybersecurity and networking. And that was one of the most memorable times that I had in cybersecurity at school, because the professor back then was giving us like a white card to hack any computer that they had in the lab system. And he told us to take that opportunity because that's going to be the only time in our life that we're going to be able to hack stuff legally. So he did regret those words, because after a few weeks I was able to control every student's laptop and also had access to their monitoring system. But that was a really fun time. After college, I went to work for a computer firm doing like sysadmin stuff, providing network and security advice for small and medium businesses. Again, always in Moncton, New Brunswick. I helped the firm to build a new kind of antivirus system, I would say, that was working like an alarm system in a house. So basically each time a computer of one of our clients got infected, we just got a notice that they needed help. So we'd call them: do you need help to fix your computer, clean it up, and everything. So that was a really good project that I worked on at Hurley Carrier. And also at that time, it was like 2006, I did my first cybersecurity certification, called CompTIA Security+. So it's basically the entry level of cybersecurity. You cover pretty much all the subjects, but you don't go too deep into them. Basically the introduction to the CISSP certification that is well known.

Eric M. Gagnon (05:21.406)
After that, I moved to Quebec City in 2009. I was looking forward to new opportunities. I wanted to work in a big firm, a big institution. So I applied at Desjardins. It was actually my bank at the time. I was a customer and they were looking for a cybersecurity technician. So I applied; I was pretty much the only one with a certification at the time that applied. My first role was working on the role-based access control system that we put in place. It was a big system at the time. And I was also introduced in 2009, working at Desjardins with a colleague, to the concept of conferences and the cybersecurity community. There was an event called Hackfest in Quebec City that introduced me to that new world, that I wasn't alone in it. So I also got into CTF, capture the flag, if some of your audience don't know the term. It's like a little challenge that you have to solve to get a little string called a flag, and you make points. So at Desjardins, I pretty much moved up the ladder somewhat quickly. After the first years, they built up the security operations center, so basically the blue team that they built up. So they needed a guy to work on the vulnerability management aspect, so put in place a scanner that's going to find out if your system is being patched and stuff like that. And at the time I was really interested in determining which vulnerability was critical for the enterprise, which one was more dangerous than the other.

Eric M. Gagnon (07:41.03)
So I started studying how to exploit those vulnerabilities. I did a certification in offensive security called OSCP, Offensive Security Certified Professional, where you learn all the basic stuff about pen testing, exploiting known vulnerabilities, and you have a big, hard 24-hour exam at the end. That's really crazy: you have to hack five computers in 24 hours. And basically hacking is not like you see in the films, where you type really quickly and you get "access granted". It's not that; it's more complex. So yeah, I did that one, and the year after I did the OSCE, so it's pretty much the next level of the OSCP. So it's...

Matt (08:19.502)
No, that's not hacking.

Eric M. Gagnon (08:37.766)
Offensive Security Certified Expert, and instead of exploiting known vulnerabilities, you exploit new vulnerabilities. So basically you have to find zero days in applications, either web or executables or a server or something like that. And then you develop your exploit and you're trying to get access to the system through that exploit. And the exam is 48 hours without sleep. So it's a really crazy exam also.

Matt (09:14.062)
You mentioned a couple of certifications there, and you know, in our industry certifications are a big topic, right? People love to debate, you know, are they worth it? Is there value in it? Is it just a piece of paper? Now you've mentioned a couple of certifications. So for you, it sounds like you've got a lot of value out of those certifications. Is that true? Would you generally recommend them for...

Eric M. Gagnon (09:17.606)
Yeah.

Eric M. Gagnon (09:40.998)
Absolutely.

Yeah, absolutely.

Matt (09:44.014)
Everybody, some people new to the industry, how do you look at it?

Eric M. Gagnon (09:47.014)
Yeah, absolutely. I would recommend some certifications. Some are more practical than others. Some have a more realistic aspect to them. And some might not be as good. I won't name the bad ones, but I think the ones from Offensive Security are really good. The ones from SANS are also really good. CompTIA Security+ is a really good entry point, and also the CISSP if you want to cover a large level of cybersecurity and discover every aspect of it.

Matt (10:31.726)
I think that's great. I think that's good advice. I've been in security now for a long time, say 24 years. This next month, that'll be 24 years. And I started out right out of college by focusing on certifications. And I thought at the time that it was a great way to help differentiate myself from my peers, right? People coming out of university who maybe had a four-year degree, but didn't have any certifications. They didn't have anything beyond that. So in my experience, I thought they were really helpful. And then I did the CISSP a couple of years out of university. And like you said, that's very broad, but it really opened my eyes to a lot of different areas in security that I hadn't been in. And so I thought it was helpful.

Eric M. Gagnon (11:18.598)
Absolutely, yeah, I really find those really helpful. And especially since I was working in the SOC, the Security Operations Center, and basically doing defensive stuff. So doing offensive security certifications gave me an absolute edge over my colleagues that didn't have that offensive perspective of analyzing vulnerabilities or analyzing threats. Doing incident response, it always added that kind of edge, to be able to have an idea where the threat actor would go. Because if I could hack that vulnerability, if I could go to that system, a real threat actor could literally do the same thing. So after...

Matt (12:13.582)
Yeah, I like that.

Eric M. Gagnon (12:14.982)
Yeah, so after getting that knowledge, I went to work on the cyber threat intelligence team at Desjardins. So it's basically to gather information about the threat actors that are targeting the industry and what tooling they were using, what kind of tradecraft, the tactics, techniques and procedures that they are using. I was exploring a little bit those toolsets on our production environment, whether they were working. And I started to poke around malware analysis a little bit. So I worked with the government of Canada, with the CCCS, on some malware analysis projects with them. And it was really insightful to work with all those professionals and get new tools and analyze malware and stuff. And after a few years, I was always looking into new ways to detect malicious activity in our systems. Basically, the typical way that an incident response is started is that a security system triggers an alert, and then you get a SOC analyst that looks if it's a true positive alert and sends it to incident response. It's either that or somebody just discloses an incident and they investigate it. But I always had the mindset that if the company is already breached and the threat actor didn't trigger any alerts, how can you find those threat actors inside the enterprise? And in 2016, somebody came up with the term threat hunting and that really piqued my interest. And so, like I like to explain to my colleagues, it's a really hard job because you have to find really granular activity that might be suspicious, might not be. You have to filter out...

Eric M. Gagnon (14:39.75)
all the noise and you're trying to focus on the activity that is mainly done by threat actor behavior. When they hack into a system, they're typically doing some typical stuff like discovery, and then they try to install persistence, move laterally and stuff like that. And that behavior is not always picked up by a security control or security system. But if you look closely and you baseline your enterprise, you might pick up some noise that indicates that you're being compromised. So I tell my friends, it's basically looking for a needle in a haystack full of needles, and you need to find the sharpest one. So it's a really hard job. It's really painful. But in the end it always pays off, because you develop new detection capabilities, new detection logic. You have new toolsets that you develop during your threat hunting engagement. And so that could be a whole conference, a whole interview altogether just about threat hunting. So after a while, I did... yeah, yeah, sure.

Matt (15:56.494)
Let me ask you this. Let me ask you this. So when you think about the concept of purple teaming, right? So I think a lot of people are familiar with traditional red teams or even blue teaming. But talk to us a little bit about the concept of a purple team and how it differs from traditional red team or blue team approaches.

Eric M. Gagnon (16:11.846)
Yes.

Eric M. Gagnon (16:22.342)
Yeah, so a typical red team is a full adversary simulation engagement that will try to stay under the radar and simulate real threat activities. And basically they're going to trigger an incident response and it's going to train the blue team to respond to that kind of scenario. So that's a typical red team. But what you want to do with purple teaming is to have collaborative operations to exchange ideas, exchange knowledge, and test out, evaluate your security controls. So there's a lot of purple teaming definitions out there. There's a lot that is like doing pen testing or a red team, and they consider it a purple team because they work with the blue team afterwards. My definition is it's really focused on the evaluation of security controls. So you set your red teamers with your blue teamers and you test out tradecraft or TTPs, which stands for tactics, techniques and procedures, that are being used by real threat actors or red teamers and stuff. And you want to evaluate how your security controls would behave. And you also exchange that knowledge with the blue team. So if they are in incident response and they are aware of new techniques of attacks,

Eric M. Gagnon (18:15.59)
they might look for it in their incident response.

Matt (18:21.71)
So if I'm hearing you correctly, it's really about collaboration. So do you see, in your experience... I know that you've done a couple of different talks on this at some conferences. In fact, I met you, I think it was last year at the FS-ISAC conference down in Florida. That's where we met, and that's where the beginning of this was; that's how long it took to do this. That was almost a year ago, in order to get to the recording today. So, but when I think about it,

Eric M. Gagnon (18:37.414)
Yeah, exactly.

Eric M. Gagnon (18:45.606)
Yeah.

Matt (18:51.182)
Again, you have the red team. These are usually the offensive ones, the ones that are going after attacking a system. You have the blue team. You tend to think of them as being on the defensive side. You're bringing red and blue together, right? You get purple. Have you seen that this is more effective than having those separate teams? Or are the teams still separate, but they're just coming together for various different activities? What does that look like in the real world?

Eric M. Gagnon (19:18.598)
They're still separate, because there's some activity on the offensive security side that needs to stay secret from the blue team, especially the adversary simulation stuff. But the rest of the offensive security knowledge, that knowledge specifically, should be shared with the blue team to make sure that you all play on the same field. So basically, since I'm Canadian, I could do a hockey analogy. I'm going to try. So basically, when you have a hockey team, you have your offensive guys, you have your defense and your goaler. And basically, before a match, they're going to train themselves. But to train their defense and their goaler, they're going to pick up their best offense line. And they're going to pick up their best defense line.

Matt (19:53.55)
Please do.

Eric M. Gagnon (20:15.718)
play them against their defense, against their goaler, to find out where their weakness is, and to see if they could always do the same top corner trick on the goaler and it's always getting in. They have to make sure that that gap is known by the whole team. So that's the analogy I have about hockey and cybersecurity.

Matt (20:42.926)
I love it. I think it works well. I mean, hey, I'm an American. This might be offensive, but I don't watch hockey that often. But I understand the analogy, and so that was helpful. Let me ask you this. What advice would you give to somebody who's just getting started in their career? And maybe they're listening to this and they're like, wow, that sounds exciting, right? I want to be a red teamer or a blue teamer. I mean, you kind of made this mention before, but it's just like the 1995 movie Hackers, right? It's the exact same thing, right?

Eric M. Gagnon (21:13.926)
Yeah, yeah, yeah. With the exception that, yeah, it's not like the movies, but if you're listening to the Prodigy soundtrack in your headphones while you're hacking, you might feel like you're in a movie. But typically, purple teaming is not a one-guy role, it's not a team-specific role. So you can't really try to be a purple teamer. But I think the idea behind it is to get knowledge about each side of cybersecurity. So if you're a blue teamer, try to get knowledge from the red team. If you're a red teamer, try to gather information about how to do detection engineering and stuff like that. There's a lot of conferences talking about purple teaming, and most of them right now are actually trying to merge both red teaming and blue teaming at the same time. So if you go to Black Hat now, you have a lot of blue teaming content that is being taught there. Learn from experts. So if you have the chance to get into a community, exchange with the experts that are doing purple teaming in their enterprise, to see about their background and stuff. Try to do CTFs, so capture the flag. So basically if you're a blue teamer, try to do like web application hacking and try to do basic stuff first. You're gonna learn some really cool stuff and that's gonna help you on your blue teaming side at work. And there are also a lot of blue teaming CTFs that are appearing on the market. So if you're going to those CTFs, try the blue teaming track, try the Boss of the SOC CTF from Splunk. So those kinds of approaches and learning perspectives will help you in your career. And I also have two specialized trainings for purple teaming.

Eric M. Gagnon (23:37.286)
There's one from SpecterOps that is doing tradecraft analysis. So it's basically dissecting tradecraft from the red team, from threat actors, and trying to build a detection logic based on that tradecraft, especially on the behavior. You don't want to detect the tool itself, but how it behaves. So even if the threat actor changed the toolset, it would behave the same. And the other one is from SANS, it's SEC599, Defending Advanced Adversary. And it's specific for purple teaming, but mainly how to scope your engagement, scope your operation around purple teaming. You're gonna learn a lot about the MITRE ATT&CK framework. It's a really good framework to document the tactics, the techniques and the procedures that are being used out there, and about the attack kill chain. So the way an attacker would typically use those TTPs to get into a network and get to his goal.

Matt (24:58.094)
So let me ask you this. When you look at your team at Desjardins, to the extent that you can share, obviously there are some sensitive details you won't be able to cover, but how do you integrate purple teaming into your regular operations? And then the follow-on question would be, what benefits have you observed? I don't know how long you've done purple teaming at your company, but what does that look like?

Eric M. Gagnon (25:25.03)
Yeah, we have done purple teaming for five years and we've had a lot of variation on how we would do those engagements. At the beginning it was just like a full month where we would get some red teamers and blue teamers on that specific project, and they would run through specific TTPs that are well known, like running Mimikatz, running Kerberoasting attacks, and stuff like that, against the production environment, against our security controls. And the blue team would observe the result and document it in a platform. And that evolved a lot, since there's so much new tradecraft, so many new techniques that are getting disclosed or there's an article about it and stuff, that we run a full daily operation of purple teaming. So basically, at Desjardins, we work on three-week sprints, and each sprint we're trying to focus on one or more techniques and we cover a lot of different procedures in that technique. And we have, each week, two afternoons where we run those test cases that we develop against our production environment. So in a sprint, we could do around 15 test cases. So it's 15 procedures that we would test against our real environment. And then we're gonna find out if there's a gap in the results. So if we were expecting that a test case would be detected or blocked, and we find out after running it that it was only logged, we have a gap in our results. So we would suggest a recommendation on how to improve that security gap. Is it either like a new technology, new capability, new detection logic that could...

Matt (27:33.486)
Hmm.

Eric M. Gagnon (27:48.87)
be put in place.

Matt (27:51.214)
So you mentioned, you know, the different techniques, the TTPs. How do you prioritize them for testing? How do you typically recommend people think about prioritizing techniques, and are there certain criteria that you use to determine, you mentioned your sprints, whether it's relevant or important for the sprint? How would you recommend our listeners think about that?

Eric M. Gagnon (28:16.038)
Yeah, so at first I would look into the MITRE ATT&CK framework, because you have all the known and past attack techniques that happened. So everything that is well known from the threat actors, and I would prioritize those that have the higher frequency of attack, the ones that are attached to more different threat actors. Like Mimikatz is one of the obvious ones that you want to try. Everyone's talking about that tool, that technique. So I would address that first. I would do a baseline of all those procedures that are really popular, tested against your environment. After you've done all that, you want to try to focus more on tradecraft or procedures that will offer a unique perspective or a unique advantage for an attacker: it's either offering obfuscation, so it's going to stay under the radar, or it's going to be a security bypass. So obviously a long time ago, the enterprise was only protected by a firewall and an antivirus system, and it was getting really trivial to bypass those. So right now you have EDRs, you have anti-spam, you have a lot of security controls. So if there's a new bypass that exists, you want to try it against your enterprise right away, because you know the attacker will use that kind of tradecraft against you. There's also the threat intel team that could help you focus on threats and procedures that are targeting your industry, that have more chance of targeting your enterprise. So you want to focus on those TTPs, and you also want to get your red team to innovate on those TTPs. So you want the tradecraft that has potential risk against your enterprise, and try to build up your own tradecraft as a red teamer to have a different sophistication level,

Eric M. Gagnon (30:42.598)
to see into the future. So if the toolset that is being used right now is not working against your enterprise, is being blocked, but your red team could just tweak it a little bit or approach it a different way and then you don't see anything, that is a potential risk for your enterprise. You want to test that, you want to exchange that information with your blue team. So again, you all play on the same

Matt (31:01.198)
Hmm.

Eric M. Gagnon (31:12.454)
playing field. And the last one I would focus on is if your blue team has a new capability, new technology like XDR detection, AI implementation, stuff like that, you also want all the tradecraft that you gather around that new security control, you want to test it out against your blue team, your enterprise.

Matt (31:43.886)
So probably one of the big questions that's in my mind, and I'm sure it's in my listeners' minds right now too, is how do you approach the differences between securing cloud environments versus traditional on-premise setups? Like, are there specific challenges that you face with each? How do you approach cloud versus on-prem differently?

Eric M. Gagnon (32:05.382)
Yeah, I'm not a cloud security expert. I did one CTF oriented around Azure. It was really fun. Since we are a large enterprise, we have dedicated cloud security teams that are really useful. But I would say that in the cloud environment, for cybersecurity, you have to automate a lot of stuff, whereas on-prem, basically, you just have to connect it to your SIEM to get your monitoring. You run your script to get your hardening tools, and you get your sysadmin that runs through a checklist on your new system, and you get all your security stack on it. But in the cloud environment, since it's more dynamic and scalable, you have to make sure that if somebody just pops up a machine in there, you automatically get the monitoring aspect of it, you get hardening, patch management and all that segmentation stuff done automatically. You can't depend on a sysadmin to go through it each time somebody starts up a VM in the cloud environment. So I would say automation is a really good aspect from the red team perspective. I would also look at the cyber hygiene, because if you get a misconfiguration or a credentials leak from an internal system or something on-prem, it's less likely for an attacker to leverage that information, because they have to get into your enterprise network and stuff like that. But if you get a leak from a SaaS platform, you find credentials on GitHub or anywhere, you could externally exploit that cyber hygiene or misconfiguration or leak right away without being noticed. So on the red team, I think the cloud...

Eric M. Gagnon (34:28.326)
is a really good attack vector. It's a new attack vector.

Matt (34:33.966)
So a follow-on to that would be, in your opinion, what would you say are some of the most critical considerations for organizations when they're thinking about either... you know, most organizations, I shouldn't say most, but a good number of organizations, they have red teams. They may not have a blue team, but let's say they're thinking about this. What are some of the strategies where you might say, hey, it doesn't matter whether you're doing this on-prem or in the cloud? How would you encourage them to think about implementing these strategies for the cloud?

Eric M. Gagnon (35:10.534)
Yeah, I would start first with the MITRE ATT&CK framework. They have a specific matrix for cloud environments. So you have, again, all the tactics and the procedures and the techniques used by the attackers, but really focused on cloud environments and SaaS and IaaS. So this would be the entry point I would look into to start doing purple teaming, blue teaming, and after you're ready, a red team engagement. You also have to take care of your visibility, because in a cloud environment, your blue team might not have the same visibility as they have on-prem. Also, the language might not be the same, the tooling might not be the same. They might have to connect to a different security platform to even see the alerts. They might not get the alerts through their regular platform that they have on-prem. So, if you have an approach of purple teaming, you have to take all that into consideration.

Matt (36:30.894)
So in your experience, what are some of the key elements of a successful knowledge exchange between a red team and a blue team during a purple team engagement, right? So obviously I think it's a good idea, but are there certain elements that you're looking for?

Eric M. Gagnon (36:46.694)
Absolutely. So one of the most important ones is to have a common language. Red teamers have the reflex to over-complexify simple explanations. They could literally just take the definitions from the MITRE ATT&CK framework, and you have a really good knowledge base that everyone understands. It's linked to most of the cybersecurity tools, most of the blogs now. So it's a really good framework to surround your documentation around to have like the same common knowledge. There's also the STIX framework, which is a framework for exchanging intel that is really well known in the cyber threat intel field. We use it basically to establish the sophistication of attacks; they have like seven levels. So again, if you take the MITRE ATT&CK framework with the STIX sophistication level, you have a really good understanding and way to explain your attack to the blue team and red team. Also an important aspect when you're doing documentation: it has to be centralized, it has to be accessible from both teams, from the red and blue team. So basically what we do, we use a platform called VECTR, V-E-C-T-R, developed by SRA. It's a free platform, it's not open source, but it's a really well done platform for documenting purple team activity. So you basically have your red side of the documentation, where the red team inputs their description of the attack, the operation guide, how to execute the attack, if they have a toolset or specific executable that is being used, they all put it into that framework. And the blue team would document the observation side of it. So again, they're going to say,

Eric M. Gagnon (39:09.51)
my EDR was able to block that attack, and all the evidence that was being captured, the log files and stuff like that. So it's a really good platform that helps us centralize all the information and also helps us parse that data. So afterwards, if we want to use that data for further analysis, it's all in the same platform.

There's also reporting against the ATT&CK framework, the MITRE ATT&CK framework. So you see like a heat map, I would say, of the attacks that you have done, which ones have been detected or logged or blocked in your environment.

Matt (39:57.582)
So how do you stay sharp? What's your routine? Because there's constantly new threats that are evolving. What does your routine look like? How do you stay sharp?

Eric M. Gagnon (40:07.558)
Yes, yeah, so I have a really old system based on RSS feeds. I used to be a huge user of Google Reader. I don't know if you remember that platform. After a while, I changed this to Feedly. I imported all my feeds in there. So I keep it pretty much up to date, well-divided. I keep up with the...

Matt (40:23.63)
yeah.

Eric M. Gagnon (40:36.166)
Twitter a lot, have really good people that I follow in there. And I surround myself with passionate people. I have a lot of people on my teams that are really passionate about different stuff in cybersecurity. We exchange a lot on that. I get myself into communities like we have the Hackfest in Quebec, we have NorthSec, that was actually just last week in Montreal. They both have big CTFs, so I really like that to stay sharp, because as a manager you don't have the chance to touch your keyboard that much other than for emails. So CTFs are basically my main way to still develop code and stuff like that. And speaking of CTFs also,

I'm also doing online stuff like Hack The Box and TryHackMe, ProLabs and that kind of stuff I really like. And also I challenge myself once in a while to do conferences, to do talks, to do podcasts, and yeah, that kept me on edge.

Matt (41:55.694)
I love it. It's a great routine. You're challenging yourself. You're not letting yourself become comfortable. As you mentioned, when you become a manager and you start to move up the chain, it's easy to get comfortable, right? So continuing to put yourself in a spot where you're uncomfortable will lead to growth. That's great. So is there anything else I should have asked you? We covered a lot of different things. Is there anything else that I should have asked you?

Eric M. Gagnon (42:06.502)
Yeah.

Eric M. Gagnon (42:21.558)
Man, I would say probably something about AI. I think it's the topic of the year. Everybody's talking about AI. So I don't have like, I think that's going to be a really good tool from a blue teaming perspective. I did, like I mentioned, I did a CTF last week at NorthSec. There was a blue team challenge that I was really, really working hard on.

Matt (42:26.67)
That's it. I didn't ask you that.

Eric M. Gagnon (42:50.95)
and they had that new Elasticsearch platform. It's like the new SIEM that I wasn't accustomed to. And you have to generate a custom query based on the KQL language that I didn't know anything about. So I knew what I was looking for, I just didn't know how to write the query itself, but ChatGPT was just on the...

Matt (42:57.87)
Hmm.

Eric M. Gagnon (43:16.774)
on the side and just, okay, get me all the users that were logged on on each computer in the logs for the last seven days and generate me a query; put it into the SIEM, got me the result that I was expecting. So that helped a lot. And also on the red team, I would say that's a really good attack surface that we'll be testing out, like

all those chat bots and LLM features that are getting into the enterprise. It represents some kind of risk, and as a red team, we're going to leverage that for sure.

Matt (43:57.07)
It's awesome. Well, Eric, thank you for coming on the show. This has been super interesting.

Eric M. Gagnon (44:01.126)
Thank you very much for inviting me on your show.