From the course: Kali Purple Essential Training

Introduction to Kali Purple - Purple Tutorial

Introduction to Kali Purple

What is Kali Purple? Well, put simply, it's a new variant of the Kali operating system designed to be used in the cyber defense role. However, this somewhat undersells the role that Kali Purple is starting to play in cyber defense. Let's take a look at what adopting Kali Purple means for cyber defense. Kali Purple is built on the same underlying Debian-based Linux operating system that has been used by penetration testers for many years. However, the tools it holds are focused not on simulating offensive activities but on enabling defensive activities. This is a key difference: it not only provides workstation tools for the defense analyst to use, but also a range of open-source cyber defense servers and services that can easily be set up as part of an organization's cyber defense infrastructure. Kali Purple is very new and an evolving concept. As it evolves, the cyber defense community will contribute not only to its toolset but also to the direction it takes as a capability for training and for operational use. The main focus for the initial launch of Kali Purple has been the delivery of a set of cyber analyst tools and servers that can be used in the operational environment for activity monitoring and attack detection, threat hunting, forensics, and incident response. Kali Purple's monitoring capability comes from the ability to easily install the ELK stack SIEM on the Kali Purple operating system. The ELK stack is a solution consisting of the Elastic database and the Kibana graphical interface and query language, together with agents that can be installed on the organization's fleet of endpoints, workstations, and servers for log collection. The ELK stack can be configured with alerts that monitor, in real time, for specific events recorded in the logs collected from endpoints. From these alerts, analysts can investigate the logs to determine what activities are occurring and whether they're malicious.
A second monitoring and attack detection tool in the initial Kali Purple release is Wazuh. This provides not only the ability to collect and query logs, but also a good range of analytical tools and dashboards to scan for vulnerabilities, alert on attacks, and check standards and policy compliance. It has its own host agents, which enable remote host investigation. The threat-hunting capability in Kali Purple comes from the Malcolm tool, developed at Idaho Labs for the U.S. Department of Homeland Security. Malcolm integrates five important tools: the Arkime deep packet inspection tool, the Zeek session collection tool, the Suricata intrusion detection system, and the OpenSearch database with the same Kibana interface that's used in the ELK stack. With Malcolm, we have the ability to hunt through a packet capture at the session level and dig deeper into individual packets to get full details of session activity. Having access to threat intelligence is a key part of cyber defense. The OpenCTI server is included in the Kali Purple repository and is a simple deployment allowing the storage, access, and sharing of threat information. The OpenTAXII STIX/TAXII threat exchange server has also been added to the Kali Purple repository. This makes standing up a threat intelligence exchange server simple, and it comes with the Python libraries needed to build STIX client software. For forensics, the Kali Purple workstation contains the many forensics tools that have grown over the years in the Kali platform. These include the OllyDbg debugger, radare2, The Sleuth Kit with its Autopsy GUI, and a range of carving and imaging tools. Kali Purple also contains a number of new forensics tools, and more are being added with each release. Look out for the Hopper disassembler and debugger, which is coming shortly.
The main incident response investigative tool provided in Kali Purple is Velociraptor, an advanced open-source endpoint monitoring, digital forensics, cyber response, and case management server platform. It enables the incident responder to hunt for specific artifacts and monitor suspicious activities across a fleet of endpoints, all using the Velociraptor Query Language. In addition to the investigative incident response tools, Kali Purple provides the OpenEx tool to support the development and running of crisis exercises. This includes standard integration with email and SMS platforms and simulates media interactions. In this course, you'll become familiar with using Kali Purple. We'll explore the tools available in the workstation, and we'll install and run a number of the Kali Purple server tools. We won't be deep-diving into the tools, but this course will prepare you for your own journey of discovery into the world of Kali Purple and its toolset.