This document discusses adversary emulation methodologies used for red team assessments. It describes mapping adversary tactics, techniques, and procedures (TTPs) to three abstraction levels: strategic, tactical, and operational. The strategic level maps adversary objectives to a kill chain model, the tactical level maps adversary phases, and the operational level maps specific techniques. It discusses the differences between emulating known adversaries and simulating new threats. The TIBER-EU methodology, which structures red team assessments for financial institutions, is summarized, and key roles such as the red team, the blue team, and the different authorities are defined. The importance of including the blue team's response is highlighted, since without it the assessment does not fully test an organization's security posture.
The document discusses the MITRE ATT&CK framework, which is a knowledge base of adversary behaviors and tactics collected from real-world observations. It describes how the framework categorizes behaviors using tactics, techniques, and procedures. The framework can be used for threat intelligence, detection and analytics, adversary emulation, and assessment and engineering. The document provides examples of how organizations can map their detection capabilities and data sources to techniques in the framework to improve visibility of attacks. It cautions against misusing the framework as a checklist rather than taking a threat-informed approach.
This presentation introduces the MITRE ATT&CK framework, its main use cases, and the pitfalls to avoid. The talk was delivered to the Null Bangalore and OWASP Bangalore chapters on 15 February 2019.
The document discusses demilitarized zones (DMZs) in computer networks. A DMZ is a small subnetwork located between a company's private network and the outside public network. It contains devices like web, FTP, and email servers that are accessible to internet traffic but isolated from the internal network. DMZs provide enhanced security by separating internal and external networks, and only allowing specific services that need to be accessed from the outside. The document outlines common DMZ architectures, security considerations, and the types of servers and services typically located in a DMZ.
This document discusses adversary emulation and the MITRE Caldera tool. It begins by defining adversary emulation and distinguishing it from penetration testing. Various tools for adversary emulation are presented, including METTA, Atomic Red Team, Infection Monkey, and Covenant. The document then focuses on MITRE Caldera, describing what it is, how to set it up, and how to develop custom abilities and plugins for it. It demonstrates running a quick Caldera operation and concludes by discussing how Caldera can be highly customized and help blue teams test techniques to improve security.
Tidying up your Nest: Validating ATT&CK Technique Coverage using EDR Telemetry (MITRE ATT&CK)
This document discusses validating ATT&CK techniques using endpoint detection and response (EDR) telemetry. It describes how Red Canary analyzes EDR data to validate coverage of ATT&CK techniques. An automated workflow is used that involves deploying test infrastructure, running atomic red team tests, and analyzing results to identify any mismatches between expected and actual telemetry. Challenges with EDR telemetry quality and level of detail are also outlined. The key benefits of the approach are validating at scale and offloading detections from endpoints while providing behavioral context.
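The core of the workflow described above is a comparison: for each atomic test, what telemetry should the EDR have produced, and what did it actually record? The Python below is an added example, not Red Canary's pipeline or Atomic Red Team code. The test inventory, host name, time windows and EDR event records are constructed, and the three-way outcome (validated, partial, missing) separates the two failure modes the summary mentions: a visibility gap (no event at all) versus a telemetry-detail problem (the event is there but a field such as the command line was dropped).

```python
"""Compare the telemetry an atomic test should produce with what the EDR
actually recorded. Added example with constructed data; it is not Red Canary's
pipeline or Atomic Red Team code."""
from dataclasses import dataclass


@dataclass
class TestRun:
    """One atomic test execution plus the telemetry it is expected to generate."""
    test_id: str
    technique: str
    host: str
    start: int          # epoch seconds when the test started
    end: int            # epoch seconds when the test finished
    event_type: str     # EDR event class, e.g. "process_create" or "registry_set"
    must_contain: dict  # field name -> substring that field must contain (case-insensitive)


def field_problems(run: TestRun, event: dict) -> list:
    """Return the expected fields that are absent or do not contain the expected substring."""
    problems = []
    for name, needle in run.must_contain.items():
        value = event.get(name)
        if value is None:
            problems.append(f"{name}: absent from telemetry")
        elif needle.lower() not in str(value).lower():
            problems.append(f"{name}: expected {needle!r}, got {value!r}")
    return problems


def validate(runs: list, events: list) -> dict:
    """Classify each run as validated, partial (right event, detail missing) or missing.

    An event is a candidate when it comes from the same host, falls inside the
    test's time window and has the expected event type. The candidate with the
    fewest field problems decides the outcome.
    """
    results = {}
    for run in runs:
        candidates = [
            e for e in events
            if e["host"] == run.host
            and run.start <= e["ts"] <= run.end
            and e["type"] == run.event_type
        ]
        status, detail = "missing", [f"no {run.event_type} event on {run.host} in window"]
        for event in candidates:
            problems = field_problems(run, event)
            if not problems:
                status, detail = "validated", []
                break
            if status == "missing" or len(problems) < len(detail):
                status, detail = "partial", problems
        results[run.test_id] = {"technique": run.technique, "status": status, "detail": detail}
    return results


# Constructed test inventory: three atomic-style tests run on host ws01.
RUNS = [
    TestRun("T1003.001-1", "T1003.001", "ws01", 1000, 1010, "process_create",
            {"image": "procdump", "command_line": "lsass"}),
    TestRun("T1053.005-1", "T1053.005", "ws01", 1020, 1030, "process_create",
            {"image": "schtasks.exe", "command_line": "/create"}),
    TestRun("T1547.001-1", "T1547.001", "ws01", 1040, 1050, "registry_set",
            {"key": r"CurrentVersion\Run"}),
]

# Constructed EDR events (not real sensor output), as they might be exported from the EDR.
EVENTS = [
    {"ts": 1003, "host": "ws01", "type": "process_create",
     "image": r"C:\tools\procdump64.exe",
     "command_line": "procdump64.exe -ma lsass.exe lsass.dmp"},
    {"ts": 1005, "host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\conhost.exe", "command_line": "conhost.exe 0x4"},
    # The sensor saw schtasks start but did not capture its command line.
    {"ts": 1024, "host": "ws01", "type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe"},
    # No registry event at all for the Run-key test: a visibility gap, not a detail problem.
]


if __name__ == "__main__":
    for test_id, result in validate(RUNS, EVENTS).items():
        print(test_id, result["technique"], result["status"], "; ".join(result["detail"]))
```

Matching by host and time window rather than by a test identifier is deliberate: real EDR events carry no notion of which test produced them, so the window has to be recorded by the test harness when it launches each atomic. A "partial" result is the signal to raise with the EDR vendor or to change sensor configuration; a "missing" result means the technique has no telemetry on that platform and any detection claim for it is unfounded.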
The MITRE ATT&CK framework is used by threat hunters and threat analysts for threat modelling, adversary emulation and defence. Security analysts use it to describe an attack in terms of the tactics and techniques the adversary employed.
Network Scanning Phases and Supporting Tools (Joseph Bugeja)
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us... (MITRE ATT&CK)
The document discusses the challenges faced by civil society organizations from sophisticated spyware and the role of ATT&CK in understanding adversary tactics. It notes that civil society groups operate with limited resources and high expectations, facing both common and advanced threats. The talk emphasizes providing actionable advice to stakeholders and audiences, highlighting relevant findings from different perspectives including researchers, analysts, and lawyers. It argues ATT&CK can help identify how spyware gains initial access and maintains persistence, while acknowledging its limitations for mobile threats. The talk calls on defenders to give practical advice to help protect users.
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour January 2021
By Valentine Mairet, Security Researcher, McAfee
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
Adversary Emulation - Red Team Village - Mayhem 2020 (Jorge Orchilles)
Jorge Orchilles is an experienced red team leader who has led offensive security assessments for large financial institutions. The document discusses adversary emulation, which involves the red team emulating realistic adversary tactics, techniques, and procedures to obtain access to an organization. This helps evaluate an organization's preparedness against sophisticated attacks. It describes measuring how people, processes, and technologies prevent or detect the red team's activities to identify areas for improvement.
From MITRE ATT&CKcon Power Hour January 2021
By Adam Pennington, ATT&CK Lead, MITRE
Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.
The document discusses sniffing and packet capture techniques used for ethical hacking. It defines sniffing as intercepting network traffic to steal passwords, emails, files and other sensitive data. It describes protocols vulnerable to sniffing like HTTP, SMTP, FTP etc. It covers tools for sniffing like Wireshark, tcpdump. It discusses active sniffing techniques like ARP spoofing using tools like Arpspoof, Ettercap and MAC flooding using Macof, Etherflood. It also covers DNS poisoning and tools in the dsniff package for sniffing passwords and files.
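ARP spoofing, the active sniffing technique named above, works because hosts accept unsolicited ARP replies and overwrite their cache. The defensive counterpart is to watch the same ARP traffic for its two tell-tale signs: an IP that suddenly resolves to a different MAC, and one MAC claiming several IPs (typically the gateway plus its victims). The Python below is an added example, not code from the presentation or from the tools it names (Arpspoof, Ettercap, dsniff). The ARP log it runs over is constructed, with 10.0.0.1 as the gateway, 10.0.0.20 as a workstation and 10.0.0.66 as the attacker.

```python
"""Detect ARP spoofing from a log of ARP packets. Added example with a
constructed ARP log; it is not code from the presentation or from dsniff,
Ettercap or Wireshark."""
from collections import defaultdict


def detect_arp_spoofing(packets: list, gateway_ip: str = None) -> list:
    """Flag two signs of ARP cache poisoning in a stream of ARP packets.

    1. rebind: an IP that was first seen bound to one MAC is announced by another MAC.
    2. multi_ip: a single MAC announces itself as the owner of more than one IP.
    Each packet is a dict with keys ts, op ("request"/"reply"), sender_ip, sender_mac.
    The first binding seen for an IP is treated as the baseline, so the log should
    start from a known-good capture or be seeded from a static IP/MAC table.
    """
    ip_to_mac = {}                 # baseline binding for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for pkt in packets:
        if pkt["op"] != "reply":
            continue               # requests are not claims of ownership
        ip, mac = pkt["sender_ip"], pkt["sender_mac"].lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            alerts.append({
                "kind": "rebind", "ts": pkt["ts"], "ip": ip,
                "old_mac": previous, "new_mac": mac,
                "severity": "high" if ip == gateway_ip else "medium",
            })
        ip_to_mac.setdefault(ip, mac)  # keep the baseline binding
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:
                alerts.append({
                    "kind": "multi_ip", "ts": pkt["ts"], "mac": mac,
                    "ips": sorted(mac_to_ips[mac]), "severity": "medium",
                })
    return alerts


# Constructed ARP log (not a real capture): the attacker at 10.0.0.66 starts
# answering for the gateway at ts 5 and for the workstation at ts 6.
ARP_LOG = [
    {"ts": 1, "op": "reply",   "sender_ip": "10.0.0.1",  "sender_mac": "AA:BB:CC:00:00:01"},
    {"ts": 2, "op": "reply",   "sender_ip": "10.0.0.20", "sender_mac": "aa:bb:cc:00:00:20"},
    {"ts": 3, "op": "request", "sender_ip": "10.0.0.20", "sender_mac": "aa:bb:cc:00:00:20"},
    {"ts": 4, "op": "reply",   "sender_ip": "10.0.0.66", "sender_mac": "aa:bb:cc:00:00:66"},
    {"ts": 5, "op": "reply",   "sender_ip": "10.0.0.1",  "sender_mac": "aa:bb:cc:00:00:66"},
    {"ts": 6, "op": "reply",   "sender_ip": "10.0.0.20", "sender_mac": "aa:bb:cc:00:00:66"},
    {"ts": 7, "op": "reply",   "sender_ip": "10.0.0.1",  "sender_mac": "AA:BB:CC:00:00:01"},
]


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_LOG, gateway_ip="10.0.0.1"):
        print(alert)
```

Two caveats a practitioner should keep in mind. First, MAC addresses are normalised to lower case before comparison, since different capture tools print them differently. Second, the baseline-binding design means legitimate re-addressing (a DHCP lease moving to another device, a failover VIP) also produces a rebind alert; on networks where that is common the IP/MAC table for gateways and servers should be static, and the detector should be allowed to learn the rest.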
VAPT (vulnerability assessment and penetration testing) services (Akshay Kurhade)
The VAPT testers from Suma Soft are familiar with ethical hacking techniques such as footprinting and reconnaissance, host enumeration, network scanning, system hacking, evading IDS, firewalls and honeypots, social engineering, SQL injection, session hijacking and network exploitation. https://bit.ly/2HLpbnz
Chapter 11: Information Security Incident Management (Nada G. Youssef)
This document discusses information security incident management. It defines what constitutes an information security incident, such as unauthorized access or denial of service attacks. It also outlines the key aspects of an incident response program, including preparation, detection, response, and documentation. The document explains the roles of incident response coordinators, handlers, and teams. It also covers investigation practices, evidence handling, and federal and state data breach notification requirements.
Caldera is an automated adversary emulation tool developed by MITRE that links to the MITRE ATT&CK framework. It deploys custom backdoors on target systems to emulate adversary techniques. The tool has a graphical interface to define groups, abilities, adversaries, and operations. Abilities are suites of actions that achieve goals, while adversaries are malicious actors equipped with abilities. Multiple abilities can be grouped in phases, and phases describe the progression of an adversary. Caldera actively attacks targets by deploying backdoors linked to ATT&CK techniques.
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the publicly available Command and Control frameworks (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists the features of each Command and Control framework, such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate an adversary's TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Learn how Red Teams and Blue Teams work together in virtual Purple Teams
Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures
Perform adversary emulations in Red or Purple Team Exercises
Choose which command and control to use for the assessment to provide the most value
Measure and improve people, process, and technology
From Theory to Practice: How My ATTACK Perspectives Have Changed (MITRE - ATT&CKcon)
From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica... (Edureka!)
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Certifications" talks about some of the major cybersecurity certifications required to get into the security industry. If you're interested in developing an exciting career in cybersecurity, check out 2018's top ten cybersecurity certifications.
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da... (MITRE - ATT&CKcon)
This document discusses Nationwide's experience using threat intelligence to focus their MITRE ATT&CK activities. Their initial broad approach analyzing 240+ techniques at once was unsuccessful. They then prioritized techniques based on threats to the financial sector. This focused their efforts on the 27 most relevant threat actors and the 100+ techniques associated with them. They mapped techniques to the ATT&CK matrix and conducted intelligence research. This intelligence-led approach improved their security posture understanding and enabled prioritized, actionable recommendations. The process is ongoing to constantly evolve their defenses based on the latest intelligence.
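Both the Nationwide summary above and the earlier "mapping detection capabilities and data sources to techniques" summary describe the same two-step analysis: narrow the technique list to what the relevant threat groups actually use, then check which of those techniques the organisation can see in its telemetry. The Python below is an added example of that analysis, not Nationwide's or MITRE's code. The group-to-technique mapping, the per-technique data-source requirements and the list of collected sources are all constructed for illustration (real values come from the ATT&CK STIX data and the organisation's own CTI), and the data-source names are simplified from the ones ATT&CK publishes.

```python
"""Threat-informed prioritisation of ATT&CK techniques against the data sources
an organisation actually collects. Added example; the group-to-technique
mapping and data-source names below are constructed for illustration and are
not taken from ATT&CK or from Nationwide's analysis."""
from collections import Counter

# Constructed: techniques attributed to the threat groups judged relevant to the sector.
RELEVANT_GROUPS = {
    "GroupA": {"T1566.001", "T1059.001", "T1003.001", "T1021.001"},
    "GroupB": {"T1566.001", "T1059.001", "T1547.001", "T1071.001"},
    "GroupC": {"T1059.001", "T1003.001", "T1071.001", "T1486"},
}

# Constructed: data sources a detection for each technique would need
# (simplified from the data-source names ATT&CK lists per technique).
TECHNIQUE_DATA_SOURCES = {
    "T1566.001": {"Network Traffic", "File"},
    "T1059.001": {"Process", "Command", "Script"},
    "T1003.001": {"Process", "Command"},
    "T1021.001": {"Logon Session", "Network Traffic"},
    "T1547.001": {"Windows Registry", "Process"},
    "T1071.001": {"Network Traffic"},
    "T1486": {"File", "Command"},
}

# Constructed: what the organisation's sensors currently ship to the SIEM.
COLLECTED_SOURCES = {"Process", "Command", "Windows Registry"}


def technique_frequency(groups: dict) -> Counter:
    """Count how many relevant groups use each technique."""
    freq = Counter()
    for techniques in groups.values():
        freq.update(techniques)
    return freq


def prioritize(groups: dict, technique_sources: dict, collected: set) -> list:
    """Rank techniques: used by the most groups first, then least-covered first."""
    rows = []
    for technique, group_count in technique_frequency(groups).items():
        required = technique_sources.get(technique, set())
        present = required & collected
        coverage = len(present) / len(required) if required else 0.0
        rows.append({
            "technique": technique,
            "groups": group_count,
            "coverage": round(coverage, 2),
            "missing": sorted(required - present),
        })
    rows.sort(key=lambda r: (-r["groups"], r["coverage"], r["technique"]))
    return rows


def gaps(rows: list, min_groups: int = 2) -> list:
    """Techniques used by at least min_groups groups whose data sources are not fully collected."""
    return [r["technique"] for r in rows if r["groups"] >= min_groups and r["coverage"] < 1.0]


if __name__ == "__main__":
    ranked = prioritize(RELEVANT_GROUPS, TECHNIQUE_DATA_SOURCES, COLLECTED_SOURCES)
    for row in ranked:
        print(f'{row["technique"]:10} groups={row["groups"]} '
              f'coverage={row["coverage"]:.2f} missing={row["missing"]}')
    print("collect next:", gaps(ranked))
```

The output of gaps() is the "prioritised, actionable recommendation" the summary refers to: a short list of data sources to onboard, ordered by how many relevant adversaries the resulting visibility would apply to. Note that collecting a data source is necessary but not sufficient for coverage; whether a detection actually fires is what the EDR-telemetry validation approach described earlier on this page tests.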
Security architecture - Perform a gap analysis (Carlo Dapino)
This document discusses security architecture and strategies for evaluating security posture. It describes how security strategies have changed from perimeter-based to zero-trust models. It also summarizes differences between securing on-premises versus cloud environments, and recommends evaluating security using a layered analysis approach. Lastly, it provides tips for threat modeling, incident response, and ensuring security architecture is integrated with enterprise architecture.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
William F. Crowe presented on the cybersecurity kill chain, which models the stages of a cyber attack based on military doctrine. The model developed by Lockheed Martin includes stages of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. ISACA and the European Union Agency for Network and Information Security also use similar kill chain models to analyze the process of advanced persistent threats targeting critical systems and data.
The Cyber Kill Chain is a framework that describes cyber attacks in seven phases from an attacker's perspective: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It was developed by Lockheed Martin based on military doctrine to measure the effectiveness of defense strategies. Each phase of the kill chain can be mapped to corresponding defensive tools and actions, and understanding what phase an attack is in helps determine an appropriate response. Tracking similarities in tactics across phases can provide insights into threat actors and campaigns. The goal is to disrupt attacks as early in the kill chain as possible to improve security.
Using IOCs to Design and Control Threat Activities During a Red Team Engagement (Joe Vest)
The term Red Team, or Red Teaming, has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different from other security tests? Isn't current penetration and vulnerability security testing enough?
Red Teaming shares many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture.
Organizations spend a great deal of time and money on the security of their systems. Red Teams have the unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement of an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.
This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend in to a target, and how to design specific scenarios to test a Blue Team's defensive posture.
Professional Services:
We offer bespoke penetration testing services to meet the requirements of our clients. We bring years of global experience and stamina to guide our clients through the ever-evolving cyber security threat landscape.
We are driven to understand your security concerns and are committed to delivering high quality security solutions. What we offer:
- Research Powerhouse
- Client-centric Focus
- Affordable
- Certified Security Experts
- Global Consulting Services
https://redfoxsec.com/
Network Scanning Phases and Supporting ToolsJoseph Bugeja
This presentation focuses on the network penetration scanning phase. It introduces tools and techniques that professional pen-testers and ethical hackers need to master to find target machines, openings on those targets and vulnerabilities.
Civil Society, Pegasus, and Predator: What Sophisticated Spyware Means For Us...MITRE ATT&CK
The document discusses the challenges faced by civil society organizations from sophisticated spyware and the role of ATT&CK in understanding adversary tactics. It notes that civil society groups operate with limited resources and high expectations, facing both common and advanced threats. The talk emphasizes providing actionable advice to stakeholders and audiences, highlighting relevant findings from different perspectives including researchers, analysts, and lawyers. It argues ATT&CK can help identify how spyware gains initial access and maintains persistence, while acknowledging its limitations for mobile threats. The talk calls on defenders to give practical advice to help protect users.
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour January 2021
By Valentine Mairet, Security Researcher, McAfee
The MITRE ATT&CK framework is the industry standard to dissect cyberattacks into used techniques. At McAfee, all attack information is disseminated into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graphical representations. One lesson learned is that it is not just about merely mapping out attacks and techniques used into graphs, but the strength lies in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graph and graph algorithms.
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
Jorge Orchilles is an experienced red team leader who has led offensive security assessments for large financial institutions. The document discusses adversary emulation, which involves the red team emulating realistic adversary tactics, techniques, and procedures to obtain access to an organization. This helps evaluate an organization's preparedness against sophisticated attacks. It describes measuring how people, processes, and technologies prevent or detect the red team's activities to identify areas for improvement.
From MITRE ATT&CKcon Power Hour January 2021
By Adam Pennington, ATT&CK Lead, MITRE
Adam leads ATT&CK at The MITRE Corporation and collected much of the intelligence leveraged in creating ATT&CK’s initial techniques. He has spent much of his 12 years with MITRE studying and preaching the use of deception for intelligence gathering. Prior to joining MITRE, Adam was a researcher at Carnegie Mellon’s Parallel Data Lab and earned his BS and MS degrees in Computer Science and Electrical and Computer Engineering as well as the 2017 Alumni Service Award from Carnegie Mellon University. Adam has presented and published in a number of venues including FIRST CTI, USENIX Security and ACM Transactions on Information and System Security.
The document discusses sniffing and packet capture techniques used for ethical hacking. It defines sniffing as intercepting network traffic to steal passwords, emails, files and other sensitive data. It describes protocols vulnerable to sniffing like HTTP, SMTP, FTP etc. It covers tools for sniffing like Wireshark, tcpdump. It discusses active sniffing techniques like ARP spoofing using tools like Arpspoof, Ettercap and MAC flooding using Macof, Etherflood. It also covers DNS poisoning and tools in the dsniff package for sniffing passwords and files.
Vapt( vulnerabilty and penetration testing ) servicesAkshay Kurhade
The VAPT testers from Suma Soft are familiar with different ethical hacking techniques such as Foot printing and reconnaissance, Host enumeration, Scanning networks, System hacking Evading IDS, Firewalls and honeypots, Social engineering, SQL injection, Session hijacking, Exploiting the network etc. https://bit.ly/2HLpbnz
Chapter 11: Information Security Incident ManagementNada G.Youssef
This document discusses information security incident management. It defines what constitutes an information security incident, such as unauthorized access or denial of service attacks. It also outlines the key aspects of an incident response program, including preparation, detection, response, and documentation. The document explains the roles of incident response coordinators, handlers, and teams. It also covers investigation practices, evidence handling, and federal and state data breach notification requirements.
Caldera is an automated adversary emulation tool developed by MITRE that links to the MITRE ATT&CK framework. It deploys custom backdoors on target systems to emulate adversary techniques. The tool has a graphical interface to define groups, abilities, adversaries, and operations. Abilities are suites of actions that achieve goals, while adversaries are malicious actors equipped with abilities. Multiple abilities can be grouped in phases, and phases describe the progression of an adversary. Caldera actively attacks targets by deploying backdoors linked to ATT&CK techniques.
Command and Control is one of the most important tactics in the MITRE ATT&CK matrix as it allows the attacker to interact with the target system and realize their objectives. Organizations leverage Cyber Threat Intelligence to understand their threat model and adversaries that have the intent, opportunity, and capability to attack. Red Team, Blue Team, and virtual Purple Teams work together to understand the adversary Tactics, Techniques, and Procedures to perform adversary emulations and improve detective and preventive controls.
The C2 Matrix was created to aggregate all the Command and Control frameworks publicly available (open-source and commercial) in a single resource to assist teams in testing their own controls through adversary emulations (Red Team or Purple Team Exercises). Phase 1 lists all the Command and Control features such as the coding language used, channels (HTTP, TCP, DNS, SMB, etc.), agents, key exchange, and other operational security features and capabilities. This allows more efficient decision making when called upon to emulate and adversary TTPs.
It is the golden age of Command and Control (C2) frameworks. Learn how these C2 frameworks work and start testing against your organization to improve detective and preventive controls.
The C2 Matrix currently has 35 command and control frameworks documented in a Google Sheet, web site, and questionnaire format.
https://docs.google.com/spreadsheets/d/1b4mUxa6cDQuTV2BPC6aA-GR4zGZi0ooPYtBe4IgPsSc/edit#gid=0
https://www.thec2matrix.com/matrix
https://ask.thec2matrix.com/
Learn how Red Teams and Blue Teams work together in virtual Purple Teams
Leverage Cyber Threat Intelligence to understand adversary tactics, techniques, and procedures
Perform adversary emulations in Red or Purple Team Exercises
Choose which command and control to use for the assessment to provide the most value
Measure and improve people, process, and technology
From Theory to Practice: How My ATTACK Perspectives Have ChangedMITRE - ATT&CKcon
From MITRE ATT&CKcon Power Hour December 2020
By Katie Nickels, Director of Intelligence, Red Canary
Good analysts (and good human beings) change their minds based on new information. In this presentation, Katie will share how her perspectives on ATT&CK have changed since moving from ATT&CK team member to ATT&CK end-user. She will discuss how her ideas about coverage, procedures, and detection creation have evolved and why those perspectives matter. Katie will also share practical examples from observed threats to help explain the nuances of her perspectives. Attendees should expect to leave this presentation with a better understanding of how to handle challenges they’re likely to face when navigating their own ATT&CK journey.
CyberSecurity Certifications | CyberSecurity Career | CyberSecurity Certifica...Edureka!
** CyberSecurity Certification Training: https://www.edureka.co/cybersecurity-certification-training **
This Edureka tutorial on "Cybersecurity Certifications" talks about some of the major cybersecurity certifications required to get into the security industry. If you're interested in a developing an exciting career in cybersecurity, check out 2018's top ten cybersecurity certifications.
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE - ATT&CKcon
This document discusses Nationwide's experience using threat intelligence to focus their MITRE ATT&CK activities. Their initial broad approach analyzing 240+ techniques at once was unsuccessful. They then prioritized techniques based on threats to the financial sector. This focused their efforts on the 27 most relevant threat actors and the 100+ techniques associated with them. They mapped techniques to the ATT&CK matrix and conducted intelligence research. This intelligence-led approach improved their security posture understanding and enabled prioritized, actionable recommendations. The process is ongoing to constantly evolve their defenses based on the latest intelligence.
Security architecture - Perform a gap analysisCarlo Dapino
This document discusses security architecture and strategies for evaluating security posture. It describes how security strategies have changed from perimeter-based to zero-trust models. It also summarizes differences between securing on-premises versus cloud environments, and recommends evaluating security using a layered analysis approach. Lastly, it provides tips for threat modeling, incident response, and ensuring security architecture is integrated with enterprise architecture.
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...MITRE ATT&CK
From ATT&CKcon 3.0
By Jonny Johnson, Red Canary and Olaf Hartong, FalconForce
As defenders, we often find ourselves wanting "more" data. But why? Will this new data provide a lot of value or is it for a very niche circumstance? How many attacks does it apply to? Are we leveraging previous data sources to their full capability? Within this talk, Olaf and Jonny will walk through different data sources they leverage more than most when analyzing data within environments, why they do, and what these data sources do and can provide in terms of value to a defender.
William F. Crowe presented on the cybersecurity kill chain, which models the stages of a cyber attack based on military doctrine. The model developed by Lockheed Martin includes stages of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. ISACA and the European Union Agency for Network and Information Security also use similar kill chain models to analyze the process of advanced persistent threats targeting critical systems and data.
The Cyber Kill Chain is a framework that describes cyber attacks in seven phases from an attacker's perspective: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. It was developed by Lockheed Martin based on military doctrine to measure the effectiveness of defense strategies. Each phase of the kill chain can be mapped to corresponding defensive tools and actions, and understanding what phase an attack is in helps determine an appropriate response. Tracking similarities in tactics across phases can provide insights into threat actors and campaigns. The goal is to disrupt attacks as early in the kill chain as possible to improve security.
Using IOCs to Design and Control Threat Activities During a Red Team Engagement (Joe Vest)
The term Red Team or Red Teaming has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different from other security tests? Isn't current penetration and vulnerability security testing enough?
Red Teaming shares many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture.
Organizations spend a great deal of time and money on the security of their systems. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement of an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.
This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend in to a target, and how to design specific scenarios to test a Blue Team's defensive posture.
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ... (Jorge Orchilles)
Join Jorge Orchilles and Phil Wainwright as they cover how to show value during Red and Purple Team exercises with a free platform, VECTR. VECTR is included in SANS Slingshot C2 Matrix Edition so you can follow along the presentation and live demos.
VECTR is a free platform for planning and tracking your red and purple team exercises and aligning them to blue team detection and prevention capabilities across different attack scenarios. VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain or ATT&CK tactics, from initial access to privilege escalation and lateral movement and so on, or can be narrow in scope to focus on specific defensive controls, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection, prevention & response capabilities across cloud and on-premises environments.
Common use cases for VECTR are measuring your defenses over time against the MITRE ATT&CK framework, creating custom red team scenarios and adversary emulation plans, and assisting with toolset evaluations. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to help organizations level up and promote a platform that encourages community sharing of CTI that is useful for red teamers, blue teamers, threat intel teams, security engineering, any number of other cyber roles, and helps management show increasing maturity in their programs and justification of what's working, what's not, and where additional investment might be needed in tools and team members to bring it all together.
This document discusses different types of security assessments:
1) Technical security testing assesses security flaws through vulnerability assessments, network penetration testing, web application testing, and source code analysis.
2) Security process assessments evaluate weaknesses in security processes by reviewing frameworks like NIST CSF and COBIT.
3) Security audits involve compliance checks both internally and externally to verify proper security controls are in place.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and consulting services through in-depth research and analysis. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower saw a 206% increase in revenue in 2006 and its security team consists of over 27 consultants worldwide who have been featured in publications and by clients such as Microsoft.
V-Empower is a global security solutions and services company established in 2000 that provides state-of-the-art security solutions and services through in-depth research, analysis, and knowledge sharing. It offers comprehensive penetration testing, application security assessments, security program development, and training services. V-Empower has experienced significant revenue growth and its security team consists of highly talented experts that provide services to some of the world's largest companies.
Seeing Purple: Hybrid Security Teams for the Enterprise - BSides Jackson 2013 (beltface)
1. The document discusses building a purple team program by combining knowledge from blue (security) and red (penetration testing) teams. It provides examples of threat modeling, tabletop exercises, and red team exercises performed for two clients.
2. The results and corrective actions from exercises on Client1 are discussed, such as installing Security Onion and Qualys. Building communication and getting management buy-in is advised to start a purple team program.
3. Resources like the Freenode IRC channels #misec and #ladosanostra are provided for learning attack paths and purple team strategies. Doing regular threat modeling, exercises, and assessments is presented as a proactive approach to security.
Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ... (Core Security)
Vulnerability Assessments, Penetration Tests and Red Teaming – Do you know what these tactics are all about? In this session, we will present our understanding of these practices in terms of when to apply them and what to expect. Nowadays, organizations run on top of hundreds, if not thousands, of Information Technology assets with some of them on premise and others cloud based. Having control over all of this is a challenging task. Based on our extensive experience with securing our customers, I will show what real findings and attack trends look like while hopefully, shedding some light on how to be prepared to resist current attacks.
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation (Scott Sutherland)
This presentation provides an overview of common adversarial emulation approaches along with attack and detection trends. It should be interesting to penetration testers and professionals in security operations roles.
This document provides an agenda for a cyber threat hunting workshop. The agenda includes sections on threat hunting, threat intelligence, and honeypots. The threat hunting section further discusses topics such as the threat hunting framework, types of threat hunting, use cases, and case studies. It aims to help participants understand the concepts, processes, tools, and techniques involved in threat hunting.
An APT29 simulation was conducted using the MITRE ATT&CK framework involving 3 virtual machines - an attacker system, domain controller, and 2 Windows workstations. The simulation began with generating a PowerShell payload using Pupy and delivering it to a workstation by disguising it as a document file. Once executed, the payload established a command and control connection back to the attacker, initiating the first stage of the simulated APT29 intrusion.
FS-ISAC 2019 - Building an Effective Red Team Program 07/08/2019 (Saeid Atabaki)
The document provides an overview of building an effective red team program. It introduces Saeid Atabaki and Abeer Banerjee, the red team lead and operator, respectively. It then discusses what red teaming is, how it differs from penetration testing, and the value of an in-house versus third-party red team. The document outlines the key steps to forming an in-house red team program, including developing strategy, organizational structure, procedures, managing risks, and measuring performance. It also notes some common pitfalls in red team program development, such as resistance to adversarial methodologies.
Reorganizing Federal IT to Address Today's Threats (Lumension)
New reports show U.S. government servers are faced with 1.8 billion cyber attacks every month. View this technical presentation on ‘Reorganizing Federal IT to Address Today’s Threats’ by Richard Stiennon, analyst with IT Harvest and author of Surviving Cyber War, and Paul Zimski, VP of Solution Strategy with Lumension, as they examine:
*Today’s threats targeting government IT systems
*How federal IT departments can be reorganized to improve security and operations
*What key endpoint security capabilities should be implemented
Get expert insight and recommendations on improving your approach to securing IT systems from today’s sophisticated threats.
Tech Throwdown: Secure Containerization vs Whitelisting (Invincea, Inc.)
To address the inadequacy of traditional anti-virus solutions, whitelisting and secure containerization approaches have both gained traction in the enterprise. Both approaches have the overarching goal of preventing a successful breach at the endpoint, but each works differently and focuses on different parts of the cyber kill chain.
Invincea, a secure containerization solution, inoculates high-risk and Internet-facing applications against attack by running them in secure virtual containers, which have restricted access to the underlying host OS. This effectively removes the most common means of delivering the infection (see figure below). Any successful exploits of targeted applications (such as IE, Java, Flash, etc.), including by 0-day exploits, are kept safely in quarantine where additional forensic details may be uncovered.
Whitelisting attempts to prevent infections by allowing only certain known executables to run. This means whitelisting solutions will not see initial exploits; rather, whitelisting focuses on the next step beyond the exploit, where many attacks then attempt to launch 2nd-stage (malicious) executables with additional goals such as privilege escalation, lateral movement, or data exfiltration. In other words, whitelisting solutions have no visibility into exploits of existing programs or into memory-resident malware. In addition, whitelisting solutions that prevent unknown software from running will flag legitimate software (such as patches) that has not yet been added to the whitelist.
Adversary emulation involves leveraging your Red Teams to use real-world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK, to: identify control gaps (and weaknesses); validate your monitoring, detection and response capabilities; and prioritise your security investments towards mitigating any shortcomings observed using this approach.
"Cyberhunting" actively looks for signs of compromise within an organization and seeks to control and minimize the overall damage. This rare, but essential, breed of enterprise cyber defenders gives proactive security a whole new meaning.
Check out the accompanying webinar: http://www.hosting.com/resources/webinars/?commid=228353
Certified in Risk and Information Systems Control™ (CRISC™) is the most current and rigorous assessment presently available to evaluate the risk management proficiency of IT professionals and other employees within an enterprise or financial institution.
CRISC helps enterprises understand business risk and gives them the technical knowledge to implement appropriate IS controls.
This CRISC Certification training course accredited by ISACA is ideal for IT professionals, risk professionals, control professionals, business analysts, project managers, compliance professionals and more.
Slide 2 (Classification: Internal): Contents
The journey is more important than the destination
1. Our Methodology
2. Realistic Attack
3. Penetration Testing & Red Teaming
4. Simulation & Emulation
5. TIBER
6. Purple Teaming
Slide 5: There is more
What a traditional pentest will not cover:
― Exposure to a realistic threat that is targeting your critical systems
― On top of vulnerability identification, assess detection capability
― Testing of the human reaction and user awareness
― Repeatable, structured process that provides key areas for improvement
Slide 6: A Realistic Attack
This is where the red team comes in.
[Diagram labels: Process, People, Technology; Pentest A, Pentest B; TTPs; Assess resilience; Improve resilience]
Slide 7: Penetration Test vs. Red Team
Key differences
Aspect           | Penetration Test                                 | Red Team
Objective        | Gain insight into system/network vulnerabilities | Test resilience against a realistic attack in terms of protection, detection, and response
Scope            | Limited, with focus on technical                 | Broad, including people, processes, technology
Approach         | Vulnerability focused, breadth first             | Objective focused, depth first
User awareness   | No                                               | Yes
Detection tested | No                                               | Yes
Response tested  | No                                               | Yes
Methodology      | Reconnaissance and exploitation                  | Tactics, techniques, procedures (TTPs)
Slide 8: Outputs & Metrics
What results can you expect from each type of test?
Red Team:
― Time to initial foothold, network propagation, objectives
― Time to detection
― Time to remediation
― Successful/prevented TTPs
― Kill Chain and corresponding TTPs
― Reached objectives
Penetration Test:
― Results within a specific context and scope
― #Vulnerabilities and risk ratings (total, stats per system, etc.)
― Ad-hoc remediations
Slide 9: Summarizing the most important differences
In conclusion
Penetration Test:
― Identify and exploit vulnerabilities on a (series of) system(s) to assess security
― Focused on a specific scope, breadth-first (application, system, subnet)
― Assess technology in terms of preventive controls
VS
Red Team:
― Assess how resilient an organization is versus a realistic threat
― Focused on objectives (flags) through the execution of certain scenarios, depth-first
― Assess people, processes, and technology in terms of prevention, detection, and response
Slide 10: Objective-Based Penetration Test
Something in between: the same Penetration Test vs. Red Team comparison as on slide 9, with the objective-based penetration test positioned between the two.
Slide 15: What does a realistic attack look like?
The Cyber Kill Chain™: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
The Cyber Kill Chain™, created by Lockheed Martin in 2011, is a sequence of steps that describes how adversaries operate.
Slide 16: What does a realistic attack look like?
Cyber Kill Chain™ limitations (same seven phases: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives)
Even though it's highly useful and has been widely adopted, there are some limitations.
Slide 19: The Unified Kill Chain
You're only as solid as what you build on
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Access → Action on Objectives (Critical Asset Access)
Slide 20: Abstraction Levels
Emulating the adversary on multiple levels
Strategic ("Why"):
― Definition of flags/objectives
Tactical ("What"):
― Sequence of phases aimed to achieve strategic objectives
― Grouping of related techniques
Operational ("How"):
― Specific techniques & procedures
― Execution and completion of tactical phases
Slide 22: Strategic Level
Mapping the adversary's objectives to the Kill Chain
Initial Foothold (Compromised System): Yellow Tier
― Confidential data online
― External server or website compromise
― Access to internal network
― Credentials obtained via phishing
Network Propagation (Internal Network): Orange Tier
― Local server admin
― Local workstation admin
― Domain Administrator
Action on Objectives (Critical Asset Access): Red Tier
― Crown Jewel
― Sensitive Data
― Critical Asset
Slide 23: Strategic Level (same objective-to-tier mapping as slide 22)
Slide 24: Tactical Level
Mapping the adversary's tactical phases to the Kill Chain
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Access → Action on Objectives (Critical Asset Access)
Tactical phases placed along the chain: Information Gathering, Weakness Identification, Build Capabilities, Execution, Credential Access, Lateral Movement, Data Collection
Slide 25: Operational Level
Mapping the adversary's techniques to the Kill Chain
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Access → Action on Objectives (Critical Asset Access)
Example techniques placed along the chain:
― Tactic: Info Gathering; Technique: Active scanning
― Tactic: Lateral Movement; Technique: Pass the hash
― Tactic: Data Collection; Technique: Input Capture
Slide 26: Kill Chain Comparison
One adversary is not like the other: two adversary kill chains (APT 28 and Turla) side by side, each ending at the Crown Jewel
Chain 1:
― Tactic: Initial Access; Technique: Hardware Add-on
― Tactic: Credential Access; Techniques: LLMNR Poisoning, Credential Dump
― Tactic: Lateral Movement; Techniques: Pass-The-Hash
― Crown Jewel
Chain 2:
― Tactic: Initial Access; Technique: Spear Phishing
― Tactic: Credential Access; Techniques: Kerberoast
― Tactic: Lateral Movement; Techniques: RDP
― Crown Jewel
Slide 27: Detailed Kill Chain
― Tactic: Initial Access; Techniques: Hardware add-on; Underlying weaknesses: Insufficient physical protection, Lack of network access control
― Tactic: Discovery; Techniques: System discovery, Service scanning; Underlying weaknesses: Improper network segregation, SMB signing disabled
― Tactic: Credential Access; Techniques: LLMNR poisoning, Credential dump (SAM); Underlying weaknesses: Local name resolution enabled, Admin privileges assigned to regular accounts
― Tactic: Lateral Movement; Techniques: Pass-the-hash; Orange-Tier objective reached: Local Admin on Server
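The three abstraction levels on slides 20 to 27 (strategic objective tier, tactical phases, operational techniques) can be held in one data structure and checked for consistency with the Unified Kill Chain ordering before a scenario is executed. The block below is an added example written for this page, not code from the NVISO deck: the tactic-to-phase mapping in PHASE_FOR_TACTIC is an assumption modelled on where the slides place each tactic, and the sample scenario is a constructed transcription of the Detailed Kill Chain slide.

```python
"""Added example: a red-team scenario expressed on the three abstraction
levels and checked against the Unified Kill Chain ordering (not code from
the NVISO deck). The tactic-to-phase mapping is an assumption for this
example, modelled on the placement shown on the slides."""
from __future__ import annotations

from dataclasses import dataclass, field

# Unified Kill Chain phases in order, and the objective tier each one reaches.
PHASES = ["Initial Foothold", "Network Propagation", "Action on Objectives"]
TIER_FOR_PHASE = {"Initial Foothold": "Yellow", "Network Propagation": "Orange",
                  "Action on Objectives": "Red"}

# Assumed tactic -> phase mapping (not defined explicitly on the slides).
PHASE_FOR_TACTIC = {
    "Initial Access": "Initial Foothold", "Execution": "Initial Foothold",
    "Discovery": "Network Propagation", "Credential Access": "Network Propagation",
    "Lateral Movement": "Network Propagation", "Data Collection": "Action on Objectives",
}


@dataclass(frozen=True)
class Step:
    tactic: str          # tactical level: "what"
    technique: str       # operational level: "how"
    weakness: str = ""   # condition the technique relied on, if identified


@dataclass
class Scenario:
    name: str
    target_tier: str     # strategic level: "why" (Yellow, Orange or Red)
    steps: list[Step] = field(default_factory=list)


def validate(s: Scenario) -> list[str]:
    """Problems found in the scenario; an empty list means it is consistent."""
    problems: list[str] = []
    furthest = -1
    for i, st in enumerate(s.steps):
        phase = PHASE_FOR_TACTIC.get(st.tactic)
        if phase is None:
            problems.append(f"step {i}: tactic {st.tactic!r} has no kill chain phase")
            continue
        idx = PHASES.index(phase)
        if idx < furthest:   # e.g. Initial Access after Action on Objectives
            problems.append(f"step {i}: {st.tactic} ({phase}) comes after a later phase")
        furthest = max(furthest, idx)
    if s.target_tier not in TIER_FOR_PHASE.values():
        problems.append(f"unknown target tier {s.target_tier!r}")
    elif furthest >= 0 and not problems:
        reached = TIER_FOR_PHASE[PHASES[furthest]]
        if reached != s.target_tier:
            problems.append(f"chain reaches {reached} tier but targets {s.target_tier}")
    return problems


def summarize(s: Scenario) -> dict[str, object]:
    """Why / what / how view of the scenario, plus the weaknesses it depended on."""
    return {
        "strategic": s.target_tier,
        "tactical": [f"{PHASE_FOR_TACTIC.get(st.tactic, '?')}: {st.tactic}" for st in s.steps],
        "operational": [st.technique for st in s.steps],
        "weaknesses": [st.weakness for st in s.steps if st.weakness],
    }


# The chain from the "Detailed Kill Chain" slide, as a constructed scenario.
SLIDE27 = Scenario("Local admin on server", "Orange", [
    Step("Initial Access", "Hardware add-on", "Insufficient physical protection"),
    Step("Discovery", "Service scanning", "SMB signing disabled"),
    Step("Credential Access", "LLMNR poisoning", "Local name resolution enabled"),
    Step("Lateral Movement", "Pass-the-hash", "Admin privileges assigned to regular accounts"),
])

if __name__ == "__main__":
    print(validate(SLIDE27) or "scenario consistent")
    print(summarize(SLIDE27))
```

The "weaknesses" list in the summary is the part the blue team acts on: each entry is a condition (physical access, SMB signing, name resolution, over-privileged accounts) that can be closed without reference to the specific technique used.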
Slide 29: (Si|E)mulation
Does it even matter?
Simulate - verb [T] /ˈsɪm.jə.leɪt/: to produce something that is not real but has the appearance of being real. For analysis and study.
Emulate - verb [T] /ˈem.jə.leɪt/: to behave in the same way as someone or something else. For usage as a substitute.
Slide 30: Adversary (Si|E)mulation
There is a difference
Simulation (simulate an adversary that is not real):
― Based on the Red Team's experience
― Based on environment at hand
― Based on global technique popularity
Emulation (impersonate APT-28):
― Based on threat intelligence
― TTPs of adversaries that will target you
― Based on a previous simulation
Slide 34: TIBER-EU
A European initiative to structure Red Teaming
― Require most important financial institutions to perform TIBER testing
― Guide institutions with procurement
― Follow-up on the testing together with White Team
"TIBER tests mimic potential attacks by real high level threat groups ..."
"... without the foreknowledge of the organisation's defending Blue Team."
Slide 36: Zooming in on the Red Team Test Plan
Key transition point between the Threat Intelligence and the Red Team phases, containing attack scenarios that:
― Align test objectives with the goals of each of the actors
― Map onto one or more Critical Function-supporting systems
― Provide a background to the tradecraft of the actor that is mimicked in the attack
― Adapt the attack methodology to replicate the real-life attack scenarios
― Provide creative elements of TTPs that deviate from the original scenario to respond to changing circumstances, e.g. combining techniques of relevant threat actors
― Scenario X: "The RT provider could deploy creative and innovative TTPs, stretching itself to its absolute limits. The RT provider can leverage its full range of professional knowledge, research, expertise and tools to build forward-looking scenarios based on TTPs that have not yet been seen but are expected in the future."
Slides 37-40: the same test plan slide, built up with annotations that map it onto the abstraction levels:
― Strategic Level: Red Tier, CEF 1, CEF 2, CEF 3
― Tactical / Operational Level (two branches): Adversary Emulation and Adversary Simulation
Slide 41: TIBER Roles & Responsibilities
The main participants in a TIBER-EU test are assigned to one of five different teams:
― Entity (White Team)
― Authority (TIBER Cyber Team)
― Threat Intelligence Provider
― Red Team Provider
― Blue Team
Responsibility matrix (R = Responsible, A = Accountable, C = Consulted, I = Informed):
Activity                                           | Entity | Authority | TI Provider | RT Provider
Ensure TIBER-EU requirements are followed          | R      | A         | R           | R
Preparation (procurement & scoping)                | A      | C         | I           | I
End-to-end test                                    | A      | C         | R           | R
Threat Intelligence Execution                      | A      | C         | R           | C
Targeted Threat Intel Report                       | A      | C         | R           | C
Handover Session TI & RT Providers                 | A      | C         | R           | C
Red Team Test Plan                                 | A      | C         | C           | R
Red Team Execution                                 | A      | C         | C           | R
Red Team Report                                    | A      | I         | /           | R
Closure (replay, remediation plan, summary report) | A      | C         | C           | C
Closure (360° feedback session)                    | C      | A         | C           | C
42. Classification: Internal
Roles & Responsibilities
| 42
Without the blue team, is there even a red team?
― So far, we’ve focused on the offensive side and red team goals: test detection capabilities,
human aspect, process improvements.
― Blue team involvement:
  ― Blue team report, which maps the BT’s actions alongside the RT actions
  ― Replay workshop
Meme caption: Me: *Discuss adversary emulation without including the blue team* / The blue team: (reaction image)
45. Classification: Internal
The Blue Team
Roles & Responsibilities
Improve Security Posture
― Implement preventive controls
― Security monitoring & threat hunting
― Incident response
Red team failure = blue team success
47. Classification: Internal
The Red Team
Roles & Responsibilities
Improve Security Posture
― Vulnerability identification & exploitation
― Social engineering
― Detection evasion
Blue team failure = Red team success
aRe YoU DoMaIn AdMiN yEt?
48. Classification: Internal
How it could be
| 48
What about some of the following actions?
― Share TTPs of new threat actors
― Help with vulnerability management and prioritize the most critical issues
― Test Red Team techniques
― Share monitoring tactics, playbooks, and alerting
50. Classification: Internal
The best of both worlds
| 50
An example approach
Diagram (labels only): Threat-Intelligence Based Ethical Red Team; “Classic” Red Team; Emulation; Replay & align; Red; Blue; Continuous improvement; Periodic assessment
51. Classification: Internal
Tracking improvement
| 51
All about those metrics
MITRE ATT&CK Navigator (legend: Detected, Logs Available, Not Detected, Not Tested)
― Time to:
  ― Initial foothold
  ― Network propagation
  ― Objectives
― Time to detection
― Time to remediation
― Successful/Prevented TTPs
― Kill Chain and corresponding TTPs
― Reached Objectives
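The metrics on this slide, and the blue team report from slide 42 that maps BT actions alongside RT actions, both come down to joining two logs: what the red team executed and when, and what the blue team detected (or merely logged) and when. The script below is an added example, not code from the slides or from TIBER-EU. It classifies each planned technique into the four Navigator legend categories, emits an ATT&CK Navigator layer for them, and computes time-to-phase, time-to-detection and successful/prevented counts. The two logs, the engagement start time, the technique set and the legend colours are constructed sample data; the Navigator layer field names follow the public layer format as understood here, and the version strings are placeholders to be set for your own Navigator instance.

```python
"""
Added example (not from the original slides): join a constructed red-team action
log with a constructed blue-team detection log to derive the per-technique status
shown in the ATT&CK Navigator legend, write a Navigator layer for it, and compute
the metrics listed on the slide. Engagement start, log contents, colours and the
Navigator version strings are assumptions / placeholders.
"""
import json
from datetime import datetime

ENGAGEMENT_START = "2019-02-04T08:00:00"   # constructed: when the RT provider started
PLANNED_TTPS = ["T1566", "T1059.001", "T1003.001", "T1021.002", "T1078", "T1486"]

# Constructed red-team action log: technique, kill-chain phase, outcome, execution time.
RT_ACTIONS = [
    {"technique": "T1566",     "phase": "initial foothold",    "outcome": "success",   "at": "2019-02-04T09:12:00"},
    {"technique": "T1059.001", "phase": "initial foothold",    "outcome": "success",   "at": "2019-02-04T09:40:00"},
    {"technique": "T1003.001", "phase": "network propagation", "outcome": "prevented", "at": "2019-02-04T13:05:00"},
    {"technique": "T1021.002", "phase": "network propagation", "outcome": "success",   "at": "2019-02-05T10:30:00"},
    {"technique": "T1078",     "phase": "objectives",          "outcome": "success",   "at": "2019-02-06T16:00:00"},
]

# Constructed blue-team log: an alert that fired ("detected") or telemetry that
# existed for the action but never alerted ("logs_available").
BT_EVENTS = [
    {"technique": "T1566",     "kind": "detected",       "at": "2019-02-04T11:02:00"},
    {"technique": "T1059.001", "kind": "logs_available", "at": "2019-02-04T09:40:00"},
    {"technique": "T1003.001", "kind": "detected",       "at": "2019-02-04T13:06:00"},
]

# Legend from the slide; the hex colours are our own choice.
COLORS = {"Detected": "#8ec843", "Logs Available": "#ffe766",
          "Not Detected": "#ff6666", "Not Tested": "#cccccc"}


def minutes_between(start, end):
    """Whole minutes from ISO timestamp `start` to ISO timestamp `end`."""
    return int((datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() // 60)


def technique_status(rt_actions=RT_ACTIONS, bt_events=BT_EVENTS, planned=PLANNED_TTPS):
    """Classify every planned technique into one of the four legend categories."""
    best = {}  # technique -> strongest blue-team evidence ("detected" beats "logs_available")
    for ev in bt_events:
        if ev["technique"] not in best or ev["kind"] == "detected":
            best[ev["technique"]] = ev["kind"]
    tested = {a["technique"] for a in rt_actions}
    status = {}
    for tid in planned:
        if tid not in tested:
            status[tid] = "Not Tested"
        elif best.get(tid) == "detected":
            status[tid] = "Detected"
        elif best.get(tid) == "logs_available":
            status[tid] = "Logs Available"
        else:
            status[tid] = "Not Detected"
    return status


def metrics(rt_actions=RT_ACTIONS, bt_events=BT_EVENTS, start=ENGAGEMENT_START):
    """Time to each phase, time to detection and successful/prevented TTP counts (minutes)."""
    first_success = {}
    for a in sorted(rt_actions, key=lambda a: a["at"]):   # ISO strings sort chronologically
        if a["outcome"] == "success" and a["phase"] not in first_success:
            first_success[a["phase"]] = a["at"]
    time_to_phase = {p: minutes_between(start, t) for p, t in first_success.items()}

    action_time = {}
    for a in rt_actions:
        action_time.setdefault(a["technique"], a["at"])   # first execution of each technique
    detections = [(ev["technique"], ev["at"]) for ev in bt_events if ev["kind"] == "detected"]
    time_to_detection = {tid: minutes_between(action_time[tid], at)
                         for tid, at in detections if tid in action_time}
    # Engagement-level figure: first alert relative to the first red-team action.
    first_action = min(a["at"] for a in rt_actions)
    overall = min((minutes_between(first_action, at) for _, at in detections), default=None)

    outcomes = {"success": 0, "prevented": 0}
    for a in rt_actions:
        outcomes[a["outcome"]] += 1
    return {"time_to_phase": time_to_phase, "time_to_detection": time_to_detection,
            "time_to_first_detection": overall, "ttps": outcomes}


def navigator_layer(status, name="TIBER test - RT actions vs BT detections"):
    """Build an ATT&CK Navigator layer; version strings are placeholders to fill in."""
    return {
        "name": name,
        "versions": {"attack": "<attack-version>", "navigator": "<navigator-version>",
                     "layer": "<layer-format-version>"},
        "domain": "enterprise-attack",
        "techniques": [{"techniqueID": tid, "color": COLORS[st], "comment": st, "enabled": True}
                       for tid, st in sorted(status.items())],
        "legendItems": [{"label": label, "color": color} for label, color in COLORS.items()],
    }


if __name__ == "__main__":
    st = technique_status()
    print(json.dumps(navigator_layer(st), indent=2))   # paste into Navigator "Open existing layer"
    print(json.dumps(metrics(), indent=2))
```

Run it, save the first JSON document to a file and load it in Navigator to get the coloured matrix from the slide; rerun after the next test with the new logs and the diff between two layers is the "tracking improvement" view. "Prevented" is kept as a separate outcome from "detected" on purpose: a control that blocks an action without raising an alert still leaves the blue team blind, which is exactly the gap the replay workshop should surface.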
53. Classification: Internal
Parting Words
Adversary emulation might be the final destination, but don’t forget the journey.
A realistic attack should be based on TTPs.
When red & blue work together, great things can be achieved.