SlideShare a Scribd company logo
www.nviso.eu
MITRE Caldera
Automated Adversary Emulation using Caldera
BruCON
10 October 2019
A few words about myself
www.nviso.eu | 2
Why are assembly developers usually wet?
Agenda for today
1 What is adversary emulation?
2 Tools of the trade
3 MITRE Caldera
4 Demo: Caldera plugins
Agenda for today
1 What is adversary emulation?
2 Tools of the trade
3 MITRE Caldera
4 Demo: Caldera plugins
This is not adversary emulation
www.nviso.eu | 5
Adversary emulation using Nessus?
Vulnerability Scans
Vulnerability Scans +
Metasploit
“Creative” Red Teams
So what is it?
www.nviso.eu | 6
Defining adversary emulation
Adversary emulation is an activity where security experts emulate how an
adversary operates. The ultimate goal, of course, is to improve how resilient the
organization is versus these adversary techniques.
Both red and purple teaming can be considered as adversary
emulation.
Adversary activities are described using TTPs (Tactics, Techniques & Procedures). These are not as
concrete as, for example, IOCs, but they describe how the adversary operates at a higher level. Adversary
emulation should be based on TTPs. As such, a traditional vulnerability scan or internal penetration test that
is not based onTTPs should not be considered adversary emulation.
TTP
Adversary emulation should be performed using a structured approach, which can be based on a kill chain or
attack flow. MITRE ATT&CK is a good example of such a standard approach.
ATT&CK
Penetration Test vs Adversary Emulation
www.nviso.eu | 7
Knowing the difference
PENETRATIONTEST
Identify and exploit vulnerabilities on a (series of)
system(s) to assess security
Focused on a specific scope
(typically an application or network range)
ADVERSARY EMULATION
Assess how resilient an organization is versus a
certain adversary / threat actor
Focused on the execution of a scenario
(typically defined by a number of flags)
VS
Typically tests both prevention & detection
(so is less valuable if there is no blue team)
Primarily tests prevention,
typically less focus on detection
Red Team vs Purple Team
www.nviso.eu | 8
Knowing the difference
RedTeam
A red team involves emulation of
a realistic threat actor (usingTTPs)
In a typical red team, interaction with the
blue team is limited (red vs blue)
PurpleTeam
A purple team involves emulation of
a realistic threat actor (usingTTPs)
In a typical purple team, interaction with the
blue team is maximized (collaboration)
VS
The goal of the purple team is to improve how
well the blue team prevents & detects
The goal of the red team is to assess how well the
blue team prevents & detects
MITRE ATT&CK
www.nviso.eu | 9
Defining a common language
"MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics
and techniques based on real-world observations.The ATT&CK knowledge base is
used as a foundation for the development of specific threat models and methodologies
in the private sector, in government, and in the cybersecurity product and service
community.” – MITRE ATT&CK website
Tactics are used to describe high-levels attack steps used by an adversary. These can be compared to
the “steps” in the Lockheed Martin Cyber Kill Chain ©
Tactics &
Techniques
MITRE ATT&CK assumes breach and thus the “first” tactic is initial intrusion. Any activity
performed before is covered by the PRE-ATT&CK framework.
How a certain tactic is executed is described by a variety of techniques. For every technique, MITRE
ATT&CK includes a description, detection & prevention recommendations and known threat actors
who use the technique.
MITRE ATT&CK
www.nviso.eu | 10
Tactics & Techniques
TACTICS
TECHNIQUES
Zooming in on a specific technique
www.nviso.eu | 11
What level of detail is offered?
Known adversaries
that use the technique
General Info
High-Level
Description
Zooming in on a specific technique
www.nviso.eu | 12
What level of detail is offered?
How to prevent?
How to detect?
ATT&CK is the common language we should all speak
www.nviso.eu | 13
Leveraging MITRE ATT&CK in your organization
Common ATT&CK pitfalls
www.nviso.eu | 14
How to not do MITRE ATT&CK
#1
Consider all ATT&CK techniques equal
Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all
techniques.You only have limited resources and should thus prioritize!
#2
Misjudge your coverage
Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block
certain variations of a technique, but others not. Scoring should thus be fine-grained.
#3
Consider ATT&CK as the “holy trinity”
ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use
cases,ATT&CK is not perfect. Furthermore, not everything is documented!
Common ATT&CK pitfalls
www.nviso.eu | 15
Technique 1003 – Credential Dumping
Technique Prioritization
www.nviso.eu | 16
How to prioritize?
Criteria
#1
Overall popularity of the technique
The overall popularity of an ATT&CK technique is a good indicator of how
important it is to cover it (using either preventive or detective controls). In
January 2019, MITRE & Red Canary released a presentation where they
highlighted 7 key techniques! Furthermore, many vendors provide “ATT&CK
Heat Maps” where they describe what techniques they most frequently observe.
Criteria
#2
Relevance of threat actors for your organization
Next to the overall “popularity” of a technique,there is of course another factor:
Is the technique known to be used by an adversary that is interested in your
organization? ATT&CK has information on what techniques are used by what
actors. In order to figure out what threat actors are relevant for your industry
or organization, it helps to follow up on threat intelligence reports.
ATT&CK for adversary emulation
www.nviso.eu | 17
Operationalizing MITRE ATT&CK
Building an emulation plan
www.nviso.eu | 18
Let’s start building!
What threat actors (and related adversary techniques) are
relevant to the organization?
What techniques does the organization believe are covered by
security controls?
What techniques does the organization believe are detected
by monitoring use cases?
How much time & effort will be spent during the engagement?
Building a good adversary emulation plan is crucial to success.The emulation plan should mimic an actual
adversary and can include distinct phases. In MITRE’s APT3 emulation plan, the following phases are
distinguished:
1. Set up adversary infrastructure (e.g. C2) and obtain initial execution (Initial Access)
2. Internal discovery, privilege escalation and lateral movement (Lateral movement)
3. Collection, staging and exfiltration (Action on Objectives)
So what techniques should you select as part of your plan?There’s a few criteria to take into account;
Example of an emulation plan
www.nviso.eu | 19
Emulating our Russian friends
EMULATION PLAN FOR APT-28
PHASE 1 PHASE 2 PHASE 3
Initial Access
T1192 - Spearphishing Link
Execution
T1086 - PowerShell
Persistence
T1122 - COM Hijacking
Privilege Escalation
T1078 -Valid Accounts
Defense Evasion
T1107 - File Deletion
Lateral Movement
T1075 – PassThe Hash
Not every plan needs to
cover every single tactic!
Improvise!
Exfiltration
T1041 - Exfil over C&C
Agenda for today
1 What is adversary emulation?
2 Tools of the trade
3 MITRE Caldera
4 Demo: Caldera plugins
Adversary Emulation Stack
www.nviso.eu | 21
Tools of the trade
Adversary emulation can typically take two different forms:
• Automated / scripted emulation of a (number of) specific MITRE ATT&CK techniques
• Manual, full-stack emulation according to an adversary emulation plan
Different tools exist that can help emulate the two objectives listed above!
Automated / scripted
emulation
Manual, full-stack, emulation
METTA
Atomic Red Team
www.nviso.eu | 22
Quick and dirty!
When trying to “quickly” test detection of specifics techniques,
we can use Atomic RedTeam to emulate certain ATT&CK
techniques.All Atomic RedTeam tests are portable and light-
weight and allow for easy execution!
Uber METTA
www.nviso.eu | 23
Leveraging VirtualBox and Vagrant
Uber Metta leveragesYML files
andVagrant to spin up virtual
machines and execute commands!
Infection Monkey
www.nviso.eu | 24
Time for some Monkey Business!
Infection Monkey
| 25
Time for some Monkey Business!
www.nviso.eu
Covenant
| 26
Leveraging VirtualBox and Vagrant
www.nviso.eu
Adversary
Sliver
DNS C2
Unique Binary
Each binary is equipped with
plaintext canary DNS tokens.
BlueTeam
$ strings
$ nslookup canary.c2.adversary.org
Covenant
| 27
Following up on Empire
Covenant is a .NET command and
control framework that aims to
highlight the attack surface of .NET,
make the use of offensive .NET
tradecraft easier, and serve as a
collaborative command and control
platform for red teamers.
HTTPS://GITHUB.COM/COBBR/COVENANT
www.nviso.eu
Agenda for today
1 What is adversary emulation?
2 Tools of the trade
3 MITRE Caldera
4 Demo: Caldera plugins
Caldera
| 29
What is Caldera?
www.nviso.eu
Caldera is a tool built by MITRE, with the express purpose of doing adversary
emulation. It requires a bit of setup (as a server and clients need to be installed), it will
actively "attack" target systems by deploying custom backdoors. Caldera’s attack steps
are fully linked to the ATT&CK framework techniques!
Local MITRE
ATT&CK
Caldera Attack
GUI
A quick Caldera walkthrough
| 30
Abilities
www.nviso.eu
A quick Caldera walkthrough
| 31
Groups
www.nviso.eu
A quick Caldera walkthrough
| 32
Adversaries
www.nviso.eu
A quick Caldera walkthrough
| 33
Operations
www.nviso.eu
Getting up and running
| 34
“Infecting” a system
www.nviso.eu
Win
dows
Groups
A newly infected host, by the Sandcat
plugin, joins a predefined group.
But you use PowerShell?
| 35
OMFG
www.nviso.eu
Script Block Logging
Constrained Language Mode
AMSI
Microsoft ”cleaned shop” and
implemented several
PowerShell controls (for
prevention AND detection)
over the past few years!
The point is to detect
ATT&CK techniques, not
the Caldera agent!
Group Structure
| 36
How Caldera is organised
www.nviso.eu
Adversary
P1
Ability I
Ability II
P2 Ability III
P3
Ability IV
AbilityV
Foo Bar
Windo
ws
OS X
Linux
Ability
PowerShell
OS X Shell
Linux Shell
Operation
Groups
Running a quick operation
| 37
Praying to the demo gods…
www.nviso.eu
Agenda for today
1 What is adversary emulation?
2 Tools of the trade
3 MITRE Caldera
4 Developing Caldera Plugins
Caldera development
| 39
Abilities & plugins
www.nviso.eu
Using built-in
adversaries
Building
adversaries with
existing abilities
Developing
custom abilities
Developing
custom plugins
Developing custom abilities
| 40
Abilities
www.nviso.eu
Abilities are easy to create from
examples such as the one here…
Developing custom Caldera plugins
| 41
Step 1 - Creating file & folder structure
www.nviso.eu
Adding a Caldera plugin requires us to interact with the
Caldera folder structure. Inside Caldera's root folder we can
find two interesting folders: conf and plugins.While the
former will be used at a later stage to enable our plugin, the
plugins folder will be our plugin's parent location. Creating
the structure on the left is the first step in building our
Caldera plugin.
caldera
+---conf
| ---local.yml
---plugins
---brucon
---hook.py
Developing custom Caldera plugins
| 42
Step 2 - Enable the plugin in the conf folder
www.nviso.eu
Enabling a plugin requires us to modify the caldera configuration.ThisYAML file is
located under the Caldera conf folder.
# [...]
plugins:
- caltack
- ssl
- stockpile
- sandcat
- gui
- chain
- caldex
- brucon # Add our plugin's directory name to the collection
# [...
Demo – Let’s do some of this stuff!
| 43
Praying to the demo gods…
www.nviso.eu
Conclusions
| 44
Putting it all together
www.nviso.eu
Caldera is an amazing tool than be highly customized
and further extended!
Tools like Caldera do not replace a proper RedTeam…
Tools like Caldera help the BlueTeam test techniques themselves
and continuously improve
www.nviso.eu
Want to get hacked?
Reach us during business hours:
+32 (0)2 318 58 31
info@nviso.eu
Already hacked?
Reach us 24/7:
+32 (0)2 588 43 80
csirt@nviso.eu
NVISO-BE/
caldex
NVISO-BE/
caldera-abilities
Coming soon, give us few more days
to clean our code 

More Related Content

What's hot

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Jorge Orchilles
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
prithaaash
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
Erik Van Buggenhout
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
Jorge Orchilles
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
Jorge Orchilles
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
Katie Nickels
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016
Trupti Shiralkar, CISSP
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
Jorge Orchilles
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
MITRE ATT&CK
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
MITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
MITRE ATT&CK
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
MITRE ATT&CK
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
Bhushan Gurav
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
Michael Gough
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
MITRE ATT&CK
 

What's hot (20)

How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Purple team strategy_lascon_2016
Purple team strategy_lascon_2016Purple team strategy_lascon_2016
Purple team strategy_lascon_2016
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
So you want to be a red teamer
So you want to be a red teamerSo you want to be a red teamer
So you want to be a red teamer
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...Landing on Jupyter: The transformative power of data-driven storytelling for ...
Landing on Jupyter: The transformative power of data-driven storytelling for ...
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0MITRE AttACK framework it is time you took notice_v1.0
MITRE AttACK framework it is time you took notice_v1.0
 
When Insiders ATT&CK!
When Insiders ATT&CK!When Insiders ATT&CK!
When Insiders ATT&CK!
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 

Similar to Adversary Emulation using CALDERA

Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
Aj MaChInE
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks
Priyanka Aash
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Joe Vest
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
idsecconf
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Jennifer Burns
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
NSConclave
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
soheil hashemi
 
Huntpedia
HuntpediaHuntpedia
Huntpedia
Jc Sv
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
CecilSu
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position Paper
Marc St-Pierre
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
Antonio Parata
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
amallblitz0
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
ananthakrishnansblit
 
Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
MITRE ATT&CK
 
Outpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teamingOutpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teaming
Outpost24
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
IBM Security
 
Flag4 CTF
Flag4 CTFFlag4 CTF
Flag4 CTF
ijtsrd
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
Akash Sarode
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
ijtsrd
 

Similar to Adversary Emulation using CALDERA (20)

Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
 
Huntpedia
HuntpediaHuntpedia
Huntpedia
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position Paper
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Outpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teamingOutpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teaming
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Flag4 CTF
Flag4 CTFFlag4 CTF
Flag4 CTF
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud ComputingCloud Intrusion and Autonomic Management in Autonomic Cloud Computing
Cloud Intrusion and Autonomic Management in Autonomic Cloud Computing
 

Recently uploaded

TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
kevinkariuki227
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
projectseasy
 
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAAPAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
lawrenceads01
 
Connected Small Boat Protection Solution | July 2024
Connected Small Boat Protection Solution | July  2024Connected Small Boat Protection Solution | July  2024
Connected Small Boat Protection Solution | July 2024
Hector Del Castillo, CPM, CPMM
 
Gym business MODEL .pdf .
Gym business MODEL .pdf                 .Gym business MODEL .pdf                 .
Gym business MODEL .pdf .
Divyanshu56740
 
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
kevinkariuki227
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 2
TALENT ACQUISITION AND MANAGEMENT LECTURE 2TALENT ACQUISITION AND MANAGEMENT LECTURE 2
TALENT ACQUISITION AND MANAGEMENT LECTURE 2
projectseasy
 
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAAPETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
lawrenceads01
 
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdfUnveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
Xtreame HDTV
 
The Most Innovative Blockchain Company to Follow in 2024 (5).pdf
The Most Innovative Blockchain Company to Follow in 2024 (5).pdfThe Most Innovative Blockchain Company to Follow in 2024 (5).pdf
The Most Innovative Blockchain Company to Follow in 2024 (5).pdf
analyticsinsightmaga
 
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family FoundationPatrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
Patrick Dwyer Merrill Lynch
 
شركات إبراهيم العرجاني: لدعم الاقتصاد المصري
شركات إبراهيم العرجاني: لدعم الاقتصاد المصريشركات إبراهيم العرجاني: لدعم الاقتصاد المصري
شركات إبراهيم العرجاني: لدعم الاقتصاد المصري
إبراهيم العرجاني
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Aggregage
 
BBA Final SML 501 INTERNATIONAL BUSINESS .pdf
BBA Final SML 501 INTERNATIONAL BUSINESS .pdfBBA Final SML 501 INTERNATIONAL BUSINESS .pdf
BBA Final SML 501 INTERNATIONAL BUSINESS .pdf
mcdopex6
 
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
maigasapphire
 
A Complete Guide of Dubai Freelance Visa and Permit in 2024
A Complete Guide of Dubai Freelance Visa and Permit in 2024A Complete Guide of Dubai Freelance Visa and Permit in 2024
A Complete Guide of Dubai Freelance Visa and Permit in 2024
Dubiz
 
MEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final PresentationMEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final Presentation
PhysicsUtu
 
Top Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdfTop Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdf
Top IT Marketing
 
Family/Indoor Entertainment Centers Market: Regulation and Compliance Updates
Family/Indoor Entertainment Centers Market: Regulation and Compliance UpdatesFamily/Indoor Entertainment Centers Market: Regulation and Compliance Updates
Family/Indoor Entertainment Centers Market: Regulation and Compliance Updates
AishwaryaDoiphode3
 
Restaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel HammametRestaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel Hammamet
rihabkorbi24
 

Recently uploaded (20)

TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
TEST BANK For Auditing & Assurance Services A Systematic Approach, 12th Editi...
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5TALENT ACQUISITION AND MANAGEMENT LECTURE 5
TALENT ACQUISITION AND MANAGEMENT LECTURE 5
 
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAAPAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
PAWFESSIONAL ELVA MAX.pdfAAAAAAAAAAAAAAAAAAA
 
Connected Small Boat Protection Solution | July 2024
Connected Small Boat Protection Solution | July  2024Connected Small Boat Protection Solution | July  2024
Connected Small Boat Protection Solution | July 2024
 
Gym business MODEL .pdf .
Gym business MODEL .pdf                 .Gym business MODEL .pdf                 .
Gym business MODEL .pdf .
 
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...Test Bank For Principles Of Cost Accounting, 	  17th Edition Edward J. Vander...
Test Bank For Principles Of Cost Accounting, 17th Edition Edward J. Vander...
 
TALENT ACQUISITION AND MANAGEMENT LECTURE 2
TALENT ACQUISITION AND MANAGEMENT LECTURE 2TALENT ACQUISITION AND MANAGEMENT LECTURE 2
TALENT ACQUISITION AND MANAGEMENT LECTURE 2
 
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAAPETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
PETAVIT MICHAEL TAY.pdfAAAAAAAAAAAAAAAAAAAA
 
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdfUnveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
Unveiling the Latest Eternal IPTV Features for Seamless Streaming in 2024.pdf
 
The Most Innovative Blockchain Company to Follow in 2024 (5).pdf
The Most Innovative Blockchain Company to Follow in 2024 (5).pdfThe Most Innovative Blockchain Company to Follow in 2024 (5).pdf
The Most Innovative Blockchain Company to Follow in 2024 (5).pdf
 
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family FoundationPatrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
Patrick Dwyer Merrill Lynch - Founder of the Dwyer Family Foundation
 
شركات إبراهيم العرجاني: لدعم الاقتصاد المصري
شركات إبراهيم العرجاني: لدعم الاقتصاد المصريشركات إبراهيم العرجاني: لدعم الاقتصاد المصري
شركات إبراهيم العرجاني: لدعم الاقتصاد المصري
 
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
Don’t Get Left Behind: Leveraging Modern Product Management Across the Organi...
 
BBA Final SML 501 INTERNATIONAL BUSINESS .pdf
BBA Final SML 501 INTERNATIONAL BUSINESS .pdfBBA Final SML 501 INTERNATIONAL BUSINESS .pdf
BBA Final SML 501 INTERNATIONAL BUSINESS .pdf
 
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in CityGirls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
Girls Call Kharghar 9910780858 Provide Best And Top Girl Service And No1 in City
 
A Complete Guide of Dubai Freelance Visa and Permit in 2024
A Complete Guide of Dubai Freelance Visa and Permit in 2024A Complete Guide of Dubai Freelance Visa and Permit in 2024
A Complete Guide of Dubai Freelance Visa and Permit in 2024
 
MEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final PresentationMEA Union Budget 2024-25 Final Presentation
MEA Union Budget 2024-25 Final Presentation
 
Top Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdfTop Digital Marketing Strategy in 2024.pdf
Top Digital Marketing Strategy in 2024.pdf
 
Family/Indoor Entertainment Centers Market: Regulation and Compliance Updates
Family/Indoor Entertainment Centers Market: Regulation and Compliance UpdatesFamily/Indoor Entertainment Centers Market: Regulation and Compliance Updates
Family/Indoor Entertainment Centers Market: Regulation and Compliance Updates
 
Restaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel HammametRestaurant Chiraz Sindbad Hotel Hammamet
Restaurant Chiraz Sindbad Hotel Hammamet
 

Adversary Emulation using CALDERA

  • 1. www.nviso.eu MITRE Caldera Automated Adversary Emulation using Caldera BruCON 10 October 2019
  • 2. A few words about myself www.nviso.eu | 2 Why are assembly developers usually wet?
  • 3. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 4. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 5. This is not adversary emulation www.nviso.eu | 5 Adversary emulation using Nessus? Vulnerability Scans Vulnerability Scans + Metasploit “Creative” Red Teams
  • 6. So what is it? www.nviso.eu | 6 Defining adversary emulation Adversary emulation is an activity where security experts emulate how an adversary operates. The ultimate goal, of course, is to improve how resilient the organization is versus these adversary techniques. Both red and purple teaming can be considered as adversary emulation. Adversary activities are described using TTPs (Tactics, Techniques & Procedures). These are not as concrete as, for example, IOCs, but they describe how the adversary operates at a higher level. Adversary emulation should be based on TTPs. As such, a traditional vulnerability scan or internal penetration test that is not based onTTPs should not be considered adversary emulation. TTP Adversary emulation should be performed using a structured approach, which can be based on a kill chain or attack flow. MITRE ATT&CK is a good example of such a standard approach. ATT&CK
  • 7. Penetration Test vs Adversary Emulation www.nviso.eu | 7 Knowing the difference PENETRATIONTEST Identify and exploit vulnerabilities on a (series of) system(s) to assess security Focused on a specific scope (typically an application or network range) ADVERSARY EMULATION Assess how resilient an organization is versus a certain adversary / threat actor Focused on the execution of a scenario (typically defined by a number of flags) VS Typically tests both prevention & detection (so is less valuable if there is no blue team) Primarily tests prevention, typically less focus on detection
  • 8. Red Team vs Purple Team www.nviso.eu | 8 Knowing the difference RedTeam A red team involves emulation of a realistic threat actor (usingTTPs) In a typical red team, interaction with the blue team is limited (red vs blue) PurpleTeam A purple team involves emulation of a realistic threat actor (usingTTPs) In a typical purple team, interaction with the blue team is maximized (collaboration) VS The goal of the purple team is to improve how well the blue team prevents & detects The goal of the red team is to assess how well the blue team prevents & detects
  • 9. MITRE ATT&CK www.nviso.eu | 9 Defining a common language "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” – MITRE ATT&CK website Tactics are used to describe high-levels attack steps used by an adversary. These can be compared to the “steps” in the Lockheed Martin Cyber Kill Chain © Tactics & Techniques MITRE ATT&CK assumes breach and thus the “first” tactic is initial intrusion. Any activity performed before is covered by the PRE-ATT&CK framework. How a certain tactic is executed is described by a variety of techniques. For every technique, MITRE ATT&CK includes a description, detection & prevention recommendations and known threat actors who use the technique.
  • 10. MITRE ATT&CK www.nviso.eu | 10 Tactics & Techniques TACTICS TECHNIQUES
  • 11. Zooming in on a specific technique www.nviso.eu | 11 What level of detail is offered? Known adversaries that use the technique General Info High-Level Description
  • 12. Zooming in on a specific technique www.nviso.eu | 12 What level of detail is offered? How to prevent? How to detect?
  • 13. ATT&CK is the common language we should all speak www.nviso.eu | 13 Leveraging MITRE ATT&CK in your organization
  • 14. Common ATT&CK pitfalls www.nviso.eu | 14 How to not do MITRE ATT&CK #1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques.You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases,ATT&CK is not perfect. Furthermore, not everything is documented!
  • 15. Common ATT&CK pitfalls www.nviso.eu | 15 Technique 1003 – Credential Dumping
  • 16. Technique Prioritization www.nviso.eu | 16 How to prioritize? Criteria #1 Overall popularity of the technique The overall popularity of an ATT&CK technique is a good indicator of how important it is to cover it (using either preventive or detective controls). In January 2019, MITRE & Red Canary released a presentation where they highlighted 7 key techniques! Furthermore, many vendors provide “ATT&CK Heat Maps” where they describe what techniques they most frequently observe. Criteria #2 Relevance of threat actors for your organization Next to the overall “popularity” of a technique,there is of course another factor: Is the technique known to be used by an adversary that is interested in your organization? ATT&CK has information on what techniques are used by what actors. In order to figure out what threat actors are relevant for your industry or organization, it helps to follow up on threat intelligence reports.
  • 17. ATT&CK for adversary emulation www.nviso.eu | 17 Operationalizing MITRE ATT&CK
  • 18. Building an emulation plan www.nviso.eu | 18 Let’s start building! What threat actors (and related adversary techniques) are relevant to the organization? What techniques does the organization believe are covered by security controls? What techniques does the organization believe are detected by monitoring use cases? How much time & effort will be spent during the engagement? Building a good adversary emulation plan is crucial to success.The emulation plan should mimic an actual adversary and can include distinct phases. In MITRE’s APT3 emulation plan, the following phases are distinguished: 1. Set up adversary infrastructure (e.g. C2) and obtain initial execution (Initial Access) 2. Internal discovery, privilege escalation and lateral movement (Lateral movement) 3. Collection, staging and exfiltration (Action on Objectives) So what techniques should you select as part of your plan?There’s a few criteria to take into account;
  • 19. Example of an emulation plan www.nviso.eu | 19 Emulating our Russian friends EMULATION PLAN FOR APT-28 PHASE 1 PHASE 2 PHASE 3 Initial Access T1192 - Spearphishing Link Execution T1086 - PowerShell Persistence T1122 - COM Hijacking Privilege Escalation T1078 -Valid Accounts Defense Evasion T1107 - File Deletion Lateral Movement T1075 – PassThe Hash Not every plan needs to cover every single tactic! Improvise! Exfiltration T1041 - Exfil over C&C
  • 20. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 21. Adversary Emulation Stack www.nviso.eu | 21 Tools of the trade Adversary emulation can typically take two different forms: • Automated / scripted emulation of a (number of) specific MITRE ATT&CK techniques • Manual, full-stack emulation according to an adversary emulation plan Different tools exist that can help emulate the two objectives listed above! Automated / scripted emulation Manual, full-stack, emulation METTA
  • 22. Atomic Red Team www.nviso.eu | 22 Quick and dirty! When trying to “quickly” test detection of specifics techniques, we can use Atomic RedTeam to emulate certain ATT&CK techniques.All Atomic RedTeam tests are portable and light- weight and allow for easy execution!
  • 23. Uber METTA www.nviso.eu | 23 Leveraging VirtualBox and Vagrant Uber Metta leveragesYML files andVagrant to spin up virtual machines and execute commands!
  • 24. Infection Monkey www.nviso.eu | 24 Time for some Monkey Business!
  • 25. Infection Monkey | 25 Time for some Monkey Business! www.nviso.eu
  • 26. Covenant | 26 Leveraging VirtualBox and Vagrant www.nviso.eu Adversary Sliver DNS C2 Unique Binary Each binary is equipped with plaintext canary DNS tokens. BlueTeam $ strings $ nslookup canary.c2.adversary.org
  • 27. Covenant | 27 Following up on Empire Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. HTTPS://GITHUB.COM/COBBR/COVENANT www.nviso.eu
  • 28. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 29. Caldera | 29 What is Caldera? www.nviso.eu Caldera is a tool built by MITRE, with the express purpose of doing adversary emulation. It requires a bit of setup (as a server and clients need to be installed), it will actively "attack" target systems by deploying custom backdoors. Caldera’s attack steps are fully linked to the ATT&CK framework techniques! Local MITRE ATT&CK Caldera Attack GUI
  • 30. A quick Caldera walkthrough | 30 Abilities www.nviso.eu
  • 31. A quick Caldera walkthrough | 31 Groups www.nviso.eu
  • 32. A quick Caldera walkthrough | 32 Adversaries www.nviso.eu
  • 33. A quick Caldera walkthrough | 33 Operations www.nviso.eu
  • 34. Getting up and running | 34 “Infecting” a system www.nviso.eu Win dows Groups A newly infected host, by the Sandcat plugin, joins a predefined group.
  • 35. But you use PowerShell? | 35 OMFG www.nviso.eu Script Block Logging Constrained Language Mode AMSI Microsoft ”cleaned shop” and implemented several PowerShell controls (for prevention AND detection) over the past few years! The point is to detect ATT&CK techniques, not the Caldera agent!
  • 36. Group Structure | 36 How Caldera is organised www.nviso.eu Adversary P1 Ability I Ability II P2 Ability III P3 Ability IV AbilityV Foo Bar Windo ws OS X Linux Ability PowerShell OS X Shell Linux Shell Operation Groups
  • 37. Running a quick operation | 37 Praying to the demo gods… www.nviso.eu
  • 38. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Developing Caldera Plugins
  • 39. Caldera development | 39 Abilities & plugins www.nviso.eu Using built-in adversaries Building adversaries with existing abilities Developing custom abilities Developing custom plugins
  • 40. Developing custom abilities | 40 Abilities www.nviso.eu Abilities are easy to create from examples such as the one here…
  • 41. Developing custom Caldera plugins | 41 Step 1 - Creating file & folder structure www.nviso.eu Adding a Caldera plugin requires us to interact with the Caldera folder structure. Inside Caldera's root folder we can find two interesting folders: conf and plugins.While the former will be used at a later stage to enable our plugin, the plugins folder will be our plugin's parent location. Creating the structure on the left is the first step in building our Caldera plugin. caldera +---conf | ---local.yml ---plugins ---brucon ---hook.py
  • 42. Developing custom Caldera plugins | 42 Step 2 - Enable the plugin in the conf folder www.nviso.eu Enabling a plugin requires us to modify the caldera configuration.ThisYAML file is located under the Caldera conf folder. # [...] plugins: - caltack - ssl - stockpile - sandcat - gui - chain - caldex - brucon # Add our plugin's directory name to the collection # [...
  • 43. Demo – Let’s do some of this stuff! | 43 Praying to the demo gods… www.nviso.eu
  • 44. Conclusions | 44 Putting it all together www.nviso.eu Caldera is an amazing tool than be highly customized and further extended! Tools like Caldera do not replace a proper RedTeam… Tools like Caldera help the BlueTeam test techniques themselves and continuously improve
  • 45. www.nviso.eu Want to get hacked? Reach us during business hours: +32 (0)2 318 58 31 info@nviso.eu Already hacked? Reach us 24/7: +32 (0)2 588 43 80 csirt@nviso.eu NVISO-BE/ caldex NVISO-BE/ caldera-abilities Coming soon, give us few more days to clean our code 