Jakarta, Indonesia
Adversary Emulation and Its
Importance for Improving Security
Posture in Organization
CDEF Meetup
25th February 2021
Digit Oktavianto
@digitoktav
https://medium.com/@digit.oktavianto
https://blueteam.id/ 1
25/02/2021
T1033 : System Owner/User Discovery
• Infosec Consulting Manager at Mitra Integrasi Informatika
• Co-Founder BlueTeam.ID (https://blueteam.id)
• Born to be DFIR Team
• Community Lead @ Cyber Defense Community Indonesia
• Member of Indonesia Honeynet Project
• Opreker and Researcher
• {GCIH | GMON | GCFE | GICSP | CEH | CSA | ECSA | ECIH | CHFI | CTIA | ECSS} Certifications Holder
Agenda
• What is Adversary Emulation About?
• Adversary Emulation vs Adversary Simulation
• Phase of Security Assessment
• Benefit and Importance of Adversary Emulation
• Developing Adversary Emulation Plan
• Getting Started with Adversary Emulation
What is Adversary Emulation About?
Introduction : Adversary Emulation
Adversary Emulation is a type of red teaming activity that focuses on emulating a specific adversary or threat actor, and leverages threat intelligence to define the behavior and TTPs that will be used in the emulation plan.
Threat Informed Defense
Threat-informed defense applies a deep understanding of
adversary tradecraft and technology to protect against, detect,
and mitigate cyber-attacks. It's a community-based approach
to a worldwide challenge.
More info : https://www.mitre.org/news/focal-points/threat-informed-defense
Threat Informed Defense
MITRE Threat Informed Defense Research Focus :
• Increase the global understanding of cyber adversaries and their tradecraft by
expanding upon the MITRE ATT&CK knowledge base
• Advance threat-informed defense in cyber operations with open-source software,
methodologies, and frameworks
• Publish data sets critical to better understanding adversaries and their
movements
• The goal is to change the game on adversaries by relentlessly improving our
collective ability to prevent, detect, and respond to cyber attacks.
Adversary Emulation vs Adversary Simulation
(Slide image : Merriam-Webster dictionary definitions of emulation and simulation)
Adversary Emulation vs Adversary Simulation
• Adversary Emulation : the process of imitating, mimicking or copying the behavior of an adversary or threat actor.
• Adversary Simulation : the process of simulating or representing how an adversary or threat actor functions when attacking the target.
Tim MalcomVetter wrote in his blog post (https://malcomvetter.medium.com/emulation-simulation-false-flags-b8f660734482) about this :
• Emulation implies an EXACTNESS to the copy, whereas Simulation only implies SIMILARITY with some freedom to be different. I totally agree with his opinion.
Introduction : Adversary Emulation
(Slide image : Phase of Security Assessment)
Introduction : Adversary Emulation
(Slide image : Jorge Orchilles’s slide about Adversary Emulation, https://www.slideshare.net/jorgeorchilles/adversary-emulation-and-red-team-exercises-educause)
Introduction : Adversary Emulation
• Jorge Orchilles and Scythe, in their blog post, differentiate the terms red teaming, adversary emulation / simulation and purple teaming with this statement :
• “Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement.”
• Based on that statement, it can be concluded that Red Teaming and Purple Teaming are both forms of Adversary Emulation; which one applies depends on the engagement. If the engagement is performed without the Blue Team knowing about the activities, it is called red teaming. If the engagement involves the Blue Team, it is called purple teaming.
Benefit and Importance of Adversary Emulation
Benefit and Importance of Adversary Emulation
The Red Team uses an Adversary Emulation plan to develop an attack emulation and/or simulation and executes it against your enterprise infrastructure.
These activities leverage real-world attacks and the TTPs of threat actors, so you can identify the gaps in your defense before the actual adversary attacks your infrastructure.
Adversary Emulation also gives the security team greater visibility into their environment.
Performing Adversary Emulation continuously strengthens and tunes your defense over time.
Benefit and Importance of Adversary Emulation
• Adversary Emulation is similar to an IR or Tabletop Exercise, but from a different perspective. This exercise allows your organization to test its security team against the latest threats used by the real threat actors posing the greatest risk to your organization in your specific industry.
• Adversary emulation gives proof of how a targeted attacker could penetrate your infrastructure and compromise sensitive assets and/or documentation.
• Adversary emulation shows whether defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization’s strengths and weaknesses based on the result of the simulation.
• Adversary emulation can help you not only to prioritize improvements to existing technology capabilities, but also gives you recommendations for future investments and for maturing your cybersecurity posture.
• A focus on objective-based testing demonstrates the effectiveness of your security controls.
• Adversary Emulation can help you measure your organization’s cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK® framework or other relevant frameworks.
Developing Adversary Emulation Plan
Developing Adversary Emulation Plan
(Slide image : Adam Pennington’s slide, Leveraging MITRE ATT&CK for Detection, Analysis & Defense, https://www.slideshare.net/AdamPennington4/rhisac-summit-2019-adam-pennington-leveraging-mitre-attck-for-detection-analysis-defense)
Developing Adversary Emulation Plan
I quote a paragraph from Tim MalcomVetter about emulation plans in practice
(https://malcomvetter.medium.com/emulation-simulation-false-flags-b8f660734482):
“In practice, emulating is very hard. First, not all threat actors have publicly or privately available
intelligence in the format necessary to complete all of the threat actors’ steps with the precision
required to meet the definition. Second, even for those that do, certain key steps may be out of
bounds, legally, for the person “replaying them” (such as compromising third party infrastructure).
Third, the “programmed TTPs” were collected at a single point in time, and techniques that were
used during that string of events may not be reused in the future by that threat actor, so replaying
them with precision may not be that valuable of an exercise.”
Developing Adversary Emulation Plan
Adversary emulation plans are based on known adversary TTPs (Tactics, Techniques, and Procedures) and are designed to empower red teams to emulate a specific threat actor in order to test and evaluate defensive capabilities from a threat-informed perspective.
• Each emulation plan focuses on a specific named threat actor.
• Each adversary emulation plan is gathered from threat intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to that specific named threat actor.
• To develop each plan, the Red Team should research and model each threat actor, focusing not only on what they do (e.g. gather credentials from victims) but also how (using what specific tools/utilities/commands?) and when (during what stage of a breach?).
• The Red Team then develops the emulation content that mimics the underlying behaviors used by the threat actor.
• To describe the detailed flow of the emulation plan, the Red Team should develop the operational flow, which provides a high-level summary of the captured scenario(s).
• The scenario(s) of the emulation plan are broken down into step-by-step procedures provided in both human- and machine-readable formats (like the .yaml files in Caldera, for example). Scenarios can be executed end-to-end or as individual tests.
• The emulation plan scenarios will vary based on the adversary and the available intelligence, but typically follow a sequential progression of how the actor breaches and then works towards achieving their operational objectives within a victim environment.
Developing Adversary Emulation Plan
For example, the MITRE ATT&CK Evaluations APT29 Emulation Plan (https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/APT29_EmuPlan.pdf) signaled a significant evolution of the process and established a close-to-ideal structure of components that make up an emulation plan. Those were:
• Intelligence Summary: An overview of the adversary and references to the cited intelligence
• Operational Flow: Chains techniques together into a logical flow of the major steps that commonly occur across the selected adversary’s operations
• Emulation Plan: The TTP-by-TTP, command-by-command walkthrough to implement the adversary’s operational tradecraft as described in the Intelligence Summary and the Operational Flow
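The two slides above describe a plan as intelligence summary, operational flow and step-by-step procedures kept in a machine-readable form. As an added example (not code from the slides, from MITRE or from Caldera, whose YAML schema is not reproduced here), the Python below holds a small plan in that three-part layout and validates it the way a red team would before execution: every technique id is well-formed, every step cites a source from the intelligence summary, and the operational flow references only steps that exist, each exactly once. The actor name, report ids and procedures are constructed placeholders.

```python
"""Structure and consistency checks for an adversary emulation plan.

Added example: a plan with the three components the slides name
(Intelligence Summary, Operational Flow, Emulation Plan) and a validator.
Everything in SAMPLE_PLAN is constructed for illustration.
"""
import copy
import re
from typing import Any, Dict, List

# ATT&CK technique ids look like T1033 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
REQUIRED_STEP_KEYS = ("id", "tactic", "technique", "procedure", "source")

SAMPLE_PLAN: Dict[str, Any] = {
    "intelligence_summary": {
        "actor": "EXAMPLE-ACTOR (placeholder)",
        "sources": ["REPORT-001 (placeholder)", "REPORT-002 (placeholder)"],
    },
    # High-level order in which the steps are chained together.
    "operational_flow": ["phish", "whoami", "collect", "exfil"],
    # Step-by-step procedures, each tied to a tactic, technique and source.
    "emulation_plan": [
        {"id": "phish", "tactic": "initial-access", "technique": "T1566.001",
         "procedure": "Spearphishing attachment delivered to a lab mailbox",
         "source": "REPORT-001 (placeholder)"},
        {"id": "whoami", "tactic": "discovery", "technique": "T1033",
         "procedure": "System owner/user discovery on the foothold host",
         "source": "REPORT-001 (placeholder)"},
        {"id": "collect", "tactic": "collection", "technique": "T1005",
         "procedure": "Stage documents from the local file system",
         "source": "REPORT-002 (placeholder)"},
        {"id": "exfil", "tactic": "exfiltration", "technique": "T1041",
         "procedure": "Move staged data out over the C2 channel",
         "source": "REPORT-002 (placeholder)"},
    ],
}


def validate_plan(plan: Dict[str, Any]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    sources = set(plan.get("intelligence_summary", {}).get("sources", []))
    seen_ids = set()
    for step in plan.get("emulation_plan", []):
        missing = [k for k in REQUIRED_STEP_KEYS if k not in step]
        if missing:
            problems.append(f"step {step.get('id', '?')}: missing {missing}")
            continue
        if step["id"] in seen_ids:
            problems.append(f"step {step['id']}: duplicate id")
        seen_ids.add(step["id"])
        if not TECHNIQUE_ID.match(step["technique"]):
            problems.append(f"step {step['id']}: malformed technique id {step['technique']!r}")
        if step["source"] not in sources:
            problems.append(f"step {step['id']}: source not in intelligence summary")
    flow = plan.get("operational_flow", [])
    for ref in flow:
        if ref not in seen_ids:
            problems.append(f"flow: unknown step {ref!r}")
    if len(flow) != len(set(flow)):
        problems.append("flow: a step is listed more than once")
    for step_id in sorted(seen_ids - set(flow)):
        problems.append(f"step {step_id}: not reachable from the operational flow")
    return problems


def coverage_by_tactic(plan: Dict[str, Any]) -> Dict[str, List[str]]:
    """Map each tactic to the technique ids the plan exercises, in flow order."""
    by_id = {s["id"]: s for s in plan["emulation_plan"]}
    coverage: Dict[str, List[str]] = {}
    for ref in plan["operational_flow"]:
        step = by_id[ref]
        coverage.setdefault(step["tactic"], []).append(step["technique"])
    return coverage


def broken_plan() -> Dict[str, Any]:
    """Constructed copy of SAMPLE_PLAN with two deliberate defects."""
    plan = copy.deepcopy(SAMPLE_PLAN)
    plan["emulation_plan"][1]["technique"] = "1033"  # missing the T prefix
    plan["operational_flow"].append("persist")      # references a step that does not exist
    return plan


if __name__ == "__main__":
    print("sample plan problems:", validate_plan(SAMPLE_PLAN))
    for problem in validate_plan(broken_plan()):
        print("broken plan:", problem)
    print(coverage_by_tactic(SAMPLE_PLAN))
```

Running the validator on every plan revision before it reaches the operators catches the usual drift: a step copied from another plan without its intelligence reference, or an operational flow that no longer matches the step list.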
Developing Adversary Emulation Plan
(Slide image : APT3 Operational Flow, https://attack.mitre.org/resources/adversary-emulation-plans/)
Getting Started with the Adversary Emulation
Getting Started with the Adversary Emulation
When starting an Adversary Emulation exercise, the Emulation Plan is one of the most critical parts. The Emulation Plan section is a specific, detailed breakdown of the tactics of the adversary group.
1. To develop the Emulation Plan, the red team must first gather the threat intelligence documents related to the threat actor group that they want to emulate.
2. The red team must identify the tactics the adversary group uses for an attack, along with the particular techniques and procedures for each tactic. Mostly the TTPs are defined based on the MITRE ATT&CK Framework as a standard.
3. To detail an emulation plan for the exercise, the red team must break down the tools that they will use to emulate each particular TTP. This information is available as part of the MITRE ATT&CK description of the adversary group, and also from the Threat Intelligence Report.
4. The Red Team also needs to build the infrastructure that is part of the emulation plan, such as C2 infrastructure, or infrastructure for collecting sensitive data in the exfiltration phase (if any).
5. Execute the emulation plan following the procedure and workflow defined for the exercise, and follow up on the result of the exercise.
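Step 5 ends with following up on the result, and the earlier benefit slides describe that follow-up as showing whether defenses prevented or responded to each simulated step and where the strengths and weaknesses lie per kill-chain phase. As an added example (not code from the slides or from any tool they list), the Python below records each executed step with what the defenses did, classifies it as PREVENTED, DETECTED or MISSED, aggregates per ATT&CK tactic and lists the tactics where nothing fired. The step ids, alert names and timings are constructed sample data.

```python
"""Scorecard for the results of an adversary emulation exercise.

Added example: after the scenarios have run, every step is recorded with
whether a control blocked it and which detection (if any) fired. The
scorecard aggregates per tactic so the weakest phases stand out.
SAMPLE_RESULTS is constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class StepResult:
    step_id: str
    tactic: str
    technique: str
    prevented: bool                          # a preventive control blocked the procedure
    alert: Optional[str] = None              # name of the detection that fired, if any
    minutes_to_alert: Optional[float] = None # time from execution to the first alert


def classify(result: StepResult) -> str:
    """Outcome of one step from the defender's point of view."""
    if result.prevented:
        return "PREVENTED"
    if result.alert:
        return "DETECTED"
    return "MISSED"


def scorecard(results: List[StepResult]) -> Dict[str, Dict]:
    """Aggregate outcomes per tactic, in the order the tactics were exercised."""
    card: Dict[str, Dict] = {}
    for r in results:
        row = card.setdefault(
            r.tactic, {"PREVENTED": 0, "DETECTED": 0, "MISSED": 0, "techniques": []}
        )
        row[classify(r)] += 1
        row["techniques"].append(r.technique)
    return card


def weakest_tactics(card: Dict[str, Dict]) -> List[str]:
    """Tactics in which no step was prevented or detected: the gaps to fix first."""
    return [t for t, row in card.items() if row["PREVENTED"] == 0 and row["DETECTED"] == 0]


def mean_minutes_to_alert(results: List[StepResult]) -> Optional[float]:
    """Average time to the first alert over the steps that ran but were detected."""
    times = [r.minutes_to_alert for r in results
             if classify(r) == "DETECTED" and r.minutes_to_alert is not None]
    return sum(times) / len(times) if times else None


def summary_lines(results: List[StepResult]) -> List[str]:
    """Human-readable report: one line per tactic plus a closing gaps line."""
    card = scorecard(results)
    lines = [f"{tactic:15} prevented={row['PREVENTED']} detected={row['DETECTED']} "
             f"missed={row['MISSED']} techniques={','.join(row['techniques'])}"
             for tactic, row in card.items()]
    gaps = weakest_tactics(card)
    lines.append("gaps: " + (", ".join(gaps) if gaps else "none"))
    return lines


# Constructed outcome of a four-step scenario: the phish was quarantined,
# discovery ran unnoticed, collection and exfiltration ran but were alerted on.
SAMPLE_RESULTS = [
    StepResult("phish", "initial-access", "T1566.001", prevented=True,
               alert="mail-gateway-quarantine", minutes_to_alert=0.0),
    StepResult("whoami", "discovery", "T1033", prevented=False),
    StepResult("collect", "collection", "T1005", prevented=False,
               alert="edr-mass-file-read", minutes_to_alert=12.5),
    StepResult("exfil", "exfiltration", "T1041", prevented=False,
               alert="proxy-egress-anomaly", minutes_to_alert=35.0),
]

if __name__ == "__main__":
    for line in summary_lines(SAMPLE_RESULTS):
        print(line)
    print("mean minutes to alert:", mean_minutes_to_alert(SAMPLE_RESULTS))
```

Keeping the results in this shape across repeated exercises is what makes the "continuously tune your defense" point measurable: the same scenario rerun after a detection fix should move a tactic out of the gaps line and shorten the mean time to alert.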
Notable Tools and Resources for Adversary Emulation
Some notable tools for adversary emulation :
• Caldera (MITRE)
• Atomic Red Team (Red Canary)
• APT Simulator
• Red Team Automation (Endgame)
• Infection Monkey (Guardicore)
• Blue Team Toolkit (BT3) (Encripto)
• AutoTTP (https://github.com/jymcheong/AutoTTP)
• Purple Team ATT&CK Automation (https://github.com/praetorian-inc/purple-team-attack-automation)
• ATTPwn (https://github.com/ElevenPaths/ATTPwn)
• PurpleSharp (https://github.com/mvelazc0/PurpleSharp)
• Prelude Operator (https://www.prelude.org/)
Notable Tools and Resources for Adversary Emulation
Some notable tools and resources for developing adversary emulation :
• MITRE ATT&CK Navigator
• NSA Unfetter (https://nsacyber.github.io/unfetter/)
• MITRE Cyber Analytics Repository (https://car.mitre.org/)
• VECTR (more suited to your Purple Teaming)
• _YOUR THREAT INTEL REPORT_ Provider
TLDR ; Summary and Key Takeaway
• Adversary emulation is needed by organizations to fill the gaps in their current security assessment activities.
• Adversary emulation is HARD. Combining threat intelligence and adversary TTPs is not a simple task.
• A threat-informed defense approach is needed by every organization to get a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyber-attacks.
• Developing the Adversary Emulation Plan is a critical part of an Adversary Emulation exercise, before the execution of the defined scenarios.
• Adversary Emulation shows whether defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization’s strengths and weaknesses based on the result of the simulation.
• Adversary Emulation can help you measure your organization’s cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK framework or other relevant frameworks.
THANK YOU
Q & A
Leverage Endpooint Visibilit with MITRE ATT&CK FrameworkLeverage Endpooint Visibilit with MITRE ATT&CK Framework
Leverage Endpooint Visibilit with MITRE ATT&CK Framework
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security Awareness
 
Career Opportunities in Information Security Industry
Career Opportunities in Information Security IndustryCareer Opportunities in Information Security Industry
Career Opportunities in Information Security Industry
 
Cyber Security Attack and Trend
Cyber Security Attack and TrendCyber Security Attack and Trend
Cyber Security Attack and Trend
 
Malware Analysis
Malware AnalysisMalware Analysis
Malware Analysis
 
Kelas Belajar Ubuntu Indonesia - Setup Your Blog Under Ubuntu Server
Kelas Belajar Ubuntu Indonesia - Setup Your Blog Under Ubuntu ServerKelas Belajar Ubuntu Indonesia - Setup Your Blog Under Ubuntu Server
Kelas Belajar Ubuntu Indonesia - Setup Your Blog Under Ubuntu Server
 
Seminar and Workshop Computer Security, BPPTIK Kominfo
Seminar and Workshop Computer Security, BPPTIK KominfoSeminar and Workshop Computer Security, BPPTIK Kominfo
Seminar and Workshop Computer Security, BPPTIK Kominfo
 
Setup Your Personal Malware Lab
Setup Your Personal Malware LabSetup Your Personal Malware Lab
Setup Your Personal Malware Lab
 

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
DianaGray10
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Jeffrey Haguewood
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
RTTS
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
Alan Dix
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...
 
JMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and GrafanaJMeter webinar - integration with InfluxDB and Grafana
JMeter webinar - integration with InfluxDB and Grafana
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 

Adversary Emulation and Its Importance for Improving Security Posture in Organization

  • 1. Adversary Emulation and Its Importance for Improving Security Posture in Organization. CDEF Meetup, Jakarta, Indonesia, 25th February 2021. Digit Oktavianto (@digitoktav), https://medium.com/@digit.oktavianto, https://blueteam.id/
  • 2. T1033 : System Owner/User Discovery
    • Infosec Consulting Manager at Mitra Integrasi Informatika
    • Co-Founder BlueTeam.ID (https://blueteam.id)
    • Born to be DFIR Team
    • Community Lead @ Cyber Defense Community Indonesia
    • Member of Indonesia Honeynet Project
    • Opreker and Researcher
    • {GCIH | GMON | GCFE | GICSP | CEH | CSA | ECSA | ECIH | CHFI | CTIA | ECSS} Certifications Holder
  • 3. Agenda
    • What is Adversary Emulation About?
    • Adversary Emulation vs Adversary Simulation
    • Phase of Security Assessment
    • Benefit and Importance of Adversary Emulation
    • Developing Adversary Emulation Plan
    • Getting Started with Adversary Emulation
  • 4. What is Adversary Emulation About?
  • 5. Introduction : Adversary Emulation. Adversary emulation is a type of red teaming activity that focuses on emulating a specific adversary or threat actor and leverages threat intelligence to define the behavior and TTPs that will be used in the emulation plan.
  • 6. Threat Informed Defense. Threat-informed defense applies a deep understanding of adversary tradecraft and technology to protect against, detect, and mitigate cyber-attacks. It's a community-based approach to a worldwide challenge. More info : https://www.mitre.org/news/focal-points/threat-informed-defense
  • 7. Threat Informed Defense. MITRE Threat Informed Defense research focus :
    • Increase the global understanding of cyber adversaries and their tradecraft by expanding upon the MITRE ATT&CK knowledge base
    • Advance threat-informed defense in cyber operations with open-source software, methodologies, and frameworks
    • Publish data sets critical to better understanding adversaries and their movements
    • The goal is to change the game on adversaries by relentlessly improving our collective ability to prevent, detect, and respond to cyber attacks.
  • 8. Adversary Emulation vs Adversary Simulation. Merriam-Webster dictionary definitions of emulation and simulation.
  • 9. Adversary Emulation vs Adversary Simulation
    • Adversary Emulation : a process of imitating, mimicking or copying the behavior of an adversary or threat actor.
    • Adversary Simulation : a process of simulating or representing how an adversary or threat actor functions when attacking the target.
    • Tim MalcomVetter wrote about this in his blog post (https://malcomvetter.medium.com/emulation-simulation-false-flags-b8f660734482) :
    • "Emulation implies an EXACTNESS to the copy, whereas Simulation only implies SIMILARITY with some freedom to be different."
    • I totally agree with his opinion.
  • 10. Introduction : Adversary Emulation. Phase of Security Assessment (figure).
  • 11. Introduction : Adversary Emulation. Jorge Orchilles's slide about adversary emulation (https://www.slideshare.net/jorgeorchilles/adversary-emulation-and-red-team-exercises-educause)
  • 12. Introduction : Adversary Emulation
    • Jorge Orchilles and Scythe, in their blog post, differentiate the terms red teaming, adversary emulation / simulation and purple teaming with this statement :
    • "Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement."
    • Based on that statement, it can be concluded that red teaming and purple teaming are both part of adversary emulation. Which one applies depends on the engagement: if the engagement is performed without the blue team knowing about the activities, it is called red teaming; if the blue team is involved, it is called purple teaming.
  • 13. Benefit and Importance of Adversary Emulation
  • 14. Benefit and Importance of Adversary Emulation. The red team uses an adversary emulation plan to develop an attack emulation and/or simulation and execute it against your enterprise infrastructure. These activities leverage real-world attacks and threat actor TTPs, so you can identify the gaps in your defense before an actual adversary attacks your infrastructure. Adversary emulation also gives the security team greater visibility into their environment. Performing adversary emulation continuously strengthens and tunes your defense over time.
  • 15. Benefit and Importance of Adversary Emulation
    • Adversary emulation is just like an IR tabletop exercise, but from a different perspective. This exercise allows your organization to test its security team against the latest threats used by the real threat actors posing the greatest risk to organizations in your specific industry.
    • Adversary emulation gives proof of how a targeted attacker could penetrate your infrastructure and compromise sensitive assets and/or documentation.
    • Adversary emulation shows whether your defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization's strengths and weaknesses based on the result of the simulation.
    • Adversary emulation helps you not only to prioritize improvements to existing technology capabilities, but also gives you recommendations for future investments and for maturing your cybersecurity posture.
    • A focus on objective-based testing demonstrates the effectiveness of your security controls.
    • Adversary emulation can help you measure your organization's cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK® framework or other relevant frameworks.
  • 16. Developing Adversary Emulation Plan
  • 17. Developing Adversary Emulation Plan. Adam Pennington's slide : Leveraging MITRE ATT&CK for Detection, Analysis & Defense (https://www.slideshare.net/AdamPennington4/rhisac-summit-2019-adam-pennington-leveraging-mitre-attck-for-detection-analysis-defense)
  • 18. Developing Adversary Emulation Plan. I quote a paragraph from Tim MalcomVetter about emulation plans in practice (https://malcomvetter.medium.com/emulation-simulation-false-flags-b8f660734482): "In practice, emulating is very hard. First, not all threat actors have publicly or privately available intelligence in the format necessary to complete all of the threat actors' steps with the precision required to meet the definition. Second, even for those that do, certain key steps may be out of bounds, legally, for the person "replaying them" (such as compromising third party infrastructure). Third, the "programmed TTPs" were collected at a single point in time, and techniques that were used during that string of events may not be reused in the future by that threat actor, so replaying them with precision may not be that valuable of an exercise."
  • 19. Developing Adversary Emulation Plan. Adversary emulation plans are based on known adversary TTPs (Tactics, Techniques, and Procedures) and are designed to empower red teams to emulate a specific threat actor in order to test and evaluate defensive capabilities from a threat-informed perspective.
    • Each emulation plan focuses on a specific named threat actor.
    • Each adversary emulation plan is gathered from threat intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to that specific named threat actor.
    • To develop each plan, the red team should research and model each threat actor, focusing not only on what they do (e.g. gather credentials from victims) but also how (using what specific tools/utilities/commands?) and when (during what stage of a breach?).
    • The red team then develops the emulation content that mimics the underlying behaviors used by the threat actor.
    • To describe the detailed flow of the emulation plan, the red team should develop the operational flow, which provides a high-level summary of the captured scenario(s).
    • The scenario(s) of the emulation plan are broken down into step-by-step procedures provided in both human- and machine-readable formats (like .yaml in Caldera, for example). Scenarios can be executed end-to-end or as individual tests.
    • The emulation plan scenarios will vary based on the adversary and the available intelligence, but typically follow a sequential progression of how the actor breaches and then works towards achieving their operational objectives within a victim environment.
  • 20. Developing Adversary Emulation Plan. For example, the MITRE ATT&CK Evaluations APT29 Emulation Plan (https://github.com/mitre-attack/attack-arsenal/blob/master/adversary_emulation/APT29/Emulation_Plan/APT29_EmuPlan.pdf) signaled a significant evolution of the process and established a close-to-ideal structure for the components that make up an emulation plan. Those were:
    • Intelligence Summary: an overview of the adversary and references to the cited intelligence
    • Operational Flow: chains techniques together into a logical flow of the major steps that commonly occur across the selected adversary's operations
    • Emulation Plan: the TTP-by-TTP, command-by-command walkthrough to implement the adversary's operational tradecraft as described in the Intelligence Summary and the Operational Flow
  • 21. Developing Adversary Emulation Plan. APT3 Operational Flow (https://attack.mitre.org/resources/adversary-emulation-plans/)
  • 22. Getting Started with the Adversary Emulation
  • 23. Getting Started with the Adversary Emulation. When starting an adversary emulation exercise, the emulation plan is one of the most critical parts. The emulation plan section is a specific, detailed breakdown of the tactics of the adversary group.
    1. To develop the emulation plan, the red team must first gather the threat intelligence documents related to the threat actor group they want to emulate.
    2. The red team must identify the tactics the adversary group uses for an attack, along with the particular techniques and procedures for each tactic. The TTPs are mostly defined based on the MITRE ATT&CK framework as a standard.
    3. To detail an emulation plan for the exercise, the red team must break down the tools they will use to emulate each particular TTP. This information is available as part of the MITRE ATT&CK description of the adversary group, and also from threat intelligence reports.
    4. The red team also needs to build the infrastructure that is part of the emulation plan, such as C2 infrastructure, or infrastructure for collecting sensitive data after the exfiltration phase (if any).
    5. Execute the emulation plan according to the procedure and workflow defined in the exercise. Follow up on the results of the exercise.
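The steps above and the three plan components on slide 20 (Intelligence Summary, Operational Flow, Emulation Plan) describe a structure but the talk does not show one. The following is an added example, not code from the talk, from MITRE's plans or from any tool on the later slides: a small Python model of that structure, a pre-execution consistency check, and the per-tactic scoreboard the blue team needs to "follow up the result of the exercise" (step 5) and to measure maturity across ATT&CK phases as slide 15 describes. The ATT&CK tactic and technique IDs are real identifiers used as labels; the actor name, the intel reference and every exercise outcome are constructed placeholders, and no per-step commands are included since those belong in the plan document itself.

```python
"""Score an adversary emulation exercise per ATT&CK tactic.

Constructed example added to this page; not code from the talk, from
MITRE's emulation plans or from any of the tools it lists. The plan layout
mirrors the three components named on slide 20 (Intelligence Summary,
Operational Flow, Emulation Plan). ATT&CK tactic/technique IDs are real
identifiers used as labels; actor name, intel reference and exercise
outcomes are placeholders.
"""
from collections import OrderedDict

# Hypothetical emulation plan. "phase" ties a step back to the operational
# flow; "tactic"/"technique" are the ATT&CK IDs the step exercises.
EMULATION_PLAN = {
    "intelligence_summary": {
        "actor": "EXAMPLE-ACTOR (placeholder name)",
        "sources": ["<threat intelligence report reference (placeholder)>"],
    },
    "operational_flow": ["initial-access", "discovery",
                         "credential-access", "exfiltration"],
    "emulation_plan": [
        {"step": 1, "phase": "initial-access", "tactic": "TA0001",
         "technique": "T1566", "name": "Phishing"},
        {"step": 2, "phase": "discovery", "tactic": "TA0007",
         "technique": "T1033", "name": "System Owner/User Discovery"},
        {"step": 3, "phase": "discovery", "tactic": "TA0007",
         "technique": "T1082", "name": "System Information Discovery"},
        {"step": 4, "phase": "credential-access", "tactic": "TA0006",
         "technique": "T1003", "name": "OS Credential Dumping"},
        {"step": 5, "phase": "exfiltration", "tactic": "TA0010",
         "technique": "T1041", "name": "Exfiltration Over C2 Channel"},
    ],
}

# Constructed outcomes the blue team recorded for each executed step.
EXERCISE_RESULTS = [
    {"step": 1, "prevented": False, "detected": True},
    {"step": 2, "prevented": False, "detected": False},
    {"step": 3, "prevented": False, "detected": True},
    {"step": 4, "prevented": True, "detected": True},
    {"step": 5, "prevented": False, "detected": False},
]


def validate_plan(plan):
    """Check a plan before execution; returns a list of problems (empty = OK)."""
    problems = []
    flow = plan["operational_flow"]
    steps = plan["emulation_plan"]
    if [s["step"] for s in steps] != list(range(1, len(steps) + 1)):
        problems.append("steps must be numbered 1..n without gaps")
    furthest = -1  # index in the operational flow reached so far
    for s in steps:
        if s["phase"] not in flow:
            problems.append(f"step {s['step']}: phase {s['phase']!r} not in operational flow")
            continue
        idx = flow.index(s["phase"])
        if idx < furthest:
            # Scenarios follow the actor's sequential progression (slide 19).
            problems.append(f"step {s['step']}: phase {s['phase']!r} is out of flow order")
        furthest = max(furthest, idx)
        if not (s["tactic"].startswith("TA") and s["technique"].startswith("T")
                and not s["technique"].startswith("TA")):
            problems.append(f"step {s['step']}: malformed ATT&CK IDs")
    return problems


def score_exercise(plan, results):
    """Aggregate prevented/detected/missed counts per tactic and list the gaps."""
    by_step = {r["step"]: r for r in results}
    per_tactic = OrderedDict()
    gaps, not_executed = [], []
    for s in plan["emulation_plan"]:
        r = by_step.get(s["step"])
        if r is None:
            not_executed.append(s["step"])
            continue
        t = per_tactic.setdefault(
            s["tactic"], {"steps": 0, "prevented": 0, "detected": 0, "missed": 0})
        t["steps"] += 1
        t["prevented"] += int(r["prevented"])
        t["detected"] += int(r["detected"])
        if not (r["prevented"] or r["detected"]):
            # Neither blocked nor seen: the finding the exercise exists to surface.
            t["missed"] += 1
            gaps.append((s["step"], s["technique"], s["name"]))
    return {"per_tactic": per_tactic, "gaps": gaps, "not_executed": not_executed}


def print_report(plan, results):
    """Render the scoreboard red and blue teams walk through after the exercise."""
    for problem in validate_plan(plan):
        print("PLAN PROBLEM:", problem)
    score = score_exercise(plan, results)
    print(f"Actor: {plan['intelligence_summary']['actor']}")
    for tactic, t in score["per_tactic"].items():
        print(f"{tactic}: {t['detected']}/{t['steps']} detected, "
              f"{t['prevented']}/{t['steps']} prevented, {t['missed']} missed")
    for step, tech, name in score["gaps"]:
        print(f"GAP step {step}: {tech} {name} was neither prevented nor detected")
    if score["not_executed"]:
        print("not executed:", score["not_executed"])


if __name__ == "__main__":
    print_report(EMULATION_PLAN, EXERCISE_RESULTS)
```

The "missed" column is the one that feeds the strengths-and-weaknesses analysis on slide 15: a step that was neither prevented nor detected is a detection-engineering backlog item, while a tactic whose steps were all detected but none prevented points at a control that alerts without blocking. Steps with no recorded outcome are reported separately so an incomplete exercise is not mistaken for a clean one.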
  • 24. Notable Tools and Resources for Adversary Emulation. Some notable tools for adversary emulation :
    • Caldera (MITRE)
    • Atomic Red Team (Red Canary)
    • APT Simulator
    • Red Team Automation (Endgame)
    • Infection Monkey (Guardicore)
    • Blue Team Toolkit (BT3) (Encripto)
    • AutoTTP (https://github.com/jymcheong/AutoTTP)
    • Purple Team ATT&CK Automation (https://github.com/praetorian-inc/purple-team-attack-automation)
    • ATTPwn (https://github.com/ElevenPaths/ATTPwn)
    • PurpleSharp (https://github.com/mvelazc0/PurpleSharp)
    • Prelude Operator (https://www.prelude.org/)
  • 25. Notable Tools and Resources for Adversary Emulation. Some notable tools for developing adversary emulation :
    • MITRE ATT&CK Navigator
    • NSA Unfetter (https://nsacyber.github.io/unfetter/)
    • MITRE Cyber Analytics Repository (https://car.mitre.org/)
    • VECTR (more for your purple teaming)
    • _YOUR THREAT INTEL REPORT_ Provider
  • 26. TLDR ; Summary and Key Takeaway
    • Adversary emulation is needed by organizations to fill the gaps in their current security assessment activities.
    • Adversary emulation is HARD. Combining threat intelligence and adversary TTPs is not a simple task.
    • A threat-informed defense approach is needed by every organization to get a deep understanding of adversary tradecraft and technology in order to protect against, detect, and mitigate cyber-attacks.
    • Developing the adversary emulation plan is a critical part of an adversary emulation exercise, before the execution of the defined scenarios.
    • Adversary emulation shows whether your defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization's strengths and weaknesses based on the result of the simulation.
    • Adversary emulation can help you measure your organization's cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK framework or other relevant frameworks.
  • 27. THANK YOU. Q & A