A Journey Through Adversary Emulation
Jonas Bauters
DEFCON Red Team Village May’hem Summit
16/05/2020
Classification: Internal

Contents
The journey is more important than the destination
1. Penetration Testing & Red Teaming
2. Realistic Attack
3. Our Methodology
4. Simulation & Emulation
5. TIBER
6. Purple Teaming

Penetration Testing & Red Teaming

Offensive Testing
Vulnerability scanning & penetration testing
Vulnerability Scans → Penetration Test → “Creative” Pentest

There is more
What a traditional pentest will not cover
―Exposure to a realistic threat that is targeting your critical systems
―On top of vulnerability identification, assess detection capability
―Testing of the human reaction and user awareness
―Repeatable, structured process that provides key areas for improvement

A Realistic Attack
This is where the red team comes in
[Diagram: People, Process, Technology; Pentest A and Pentest B; TTPs used to assess resilience and then improve resilience]

Penetration Test vs. Red Team
Key differences
Objective
  Penetration Test: Gain insight in system/network vulnerabilities
  Red Team: Test resilience against a realistic attack in terms of protection, detection, and response
Scope
  Penetration Test: Limited, with focus on technical
  Red Team: Broad, including people, processes, technology
Approach
  Penetration Test: Vulnerability focused, breadth first
  Red Team: Objective focused, depth first
User awareness
  Penetration Test: No
  Red Team: Yes
Detection tested
  Penetration Test: No
  Red Team: Yes
Response tested
  Penetration Test: No
  Red Team: Yes
Methodology
  Penetration Test: Reconnaissance and exploitation
  Red Team: Tactics, techniques, procedures (TTPs)

Outputs & Metrics
What results can you expect from each type of test?
Red Team
―Time to initial foothold, network propagation, objectives
―Time to detection
―Time to remediation
―Successful/Prevented TTPs
―Kill Chain and corresponding TTPs
―Reached Objectives
Penetration Test
―Results within a specific context and scope
―#Vulnerabilities and risk ratings (total, stats per system, etc.)
―Ad-hoc remediations

Summarizing the most important differences
In conclusion
Penetration Test
―Identify and exploit vulnerabilities on a (series of) system(s) to assess security
―Focused on a specific scope, breadth-first (application, system, subnet)
―Assess technology in terms of preventive controls
Red Team
―Assess how resilient an organization is versus a realistic threat
―Focused on objectives (flags) through the execution of certain scenarios, depth-first
―Assess people, processes, and technology in terms of prevention, detection, and response

Objective-Based Penetration Test
Something in between
Objective-based Penetration Test: positioned between the Penetration Test and the Red Team as summarized above.

Keeping it Real
―Tactics, Techniques & Procedures
―Describe adversary activities

Realistic Attack

A realistic threat
Introducing Tactics, Techniques & Procedures
[Figure: the Pyramid of Pain]
Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html by David Bianco

MITRE ATT&CK
Tactics & Techniques
[Figure: the ATT&CK matrix, with TACTICS and TECHNIQUES labelled]

What does a realistic attack look like?
The Cyber Kill Chain™
Reconnaissance → Weaponization → Delivery → Exploitation → Installation → Command & Control → Action on Objectives
The Cyber Kill Chain™, created by Lockheed Martin in 2011, is a sequence of steps that describes how adversaries operate.

What does a realistic attack look like?
Cyber Kill Chain™ limitations
Even though it’s highly useful and has been widely adopted, there are some limitations.

The Unified Kill Chain (UKC)
Improving the Cyber Kill Chain™
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Action on Objectives (Critical Asset Access)
Source: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf

Our Methodology

The Unified Kill Chain
You’re only as solid as what you build on
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Action on Objectives (Critical Asset Access)

Abstraction Levels
Emulating the adversary on multiple levels
Strategic
―Definition of flags/objectives
―“Why”
Tactical
―Sequence of phases aimed to achieve strategic objectives
―Grouping of related techniques
―“What”
Operational
―Specific techniques & procedures
―Execution and completion of tactical phases
―“How”

Abstraction Levels
A metaphor
[Figure: the Strategic, Tactical and Operational levels illustrated with a metaphor]

Strategic Level
Mapping the adversary’s objectives to the Kill Chain
Yellow Tier (Initial Foothold, Compromised System)
―Confidential data online
―External server or website compromise
―Access to internal network
―Credentials obtained via phishing
Orange Tier (Network Propagation, Internal Network)
―Local server admin
―Local workstation admin
―Domain Administrator
Red Tier (Action on Objectives, Critical Asset Access)
―Crown Jewel
―Sensitive Data
―Critical Asset

Tactical Level
Mapping the adversary’s tactical phases to the Kill Chain
Initial Foothold (Compromised System) → Network Propagation (Internal Network) → Action on Objectives (Critical Asset Access)
Tactical phases, in order: Information Gathering → Weakness Identification → Build Capabilities → Execution → Credential Access → Lateral Movement → Data Collection

Operational Level
Mapping the adversary’s techniques to the Kill Chain
―Initial Foothold: Tactic: Info Gathering; Technique: Active scanning
―Network Propagation: Tactic: Lateral Movement; Technique: Pass the hash
―Action on Objectives: Tactic: Data Collection; Technique: Input Capture

Kill Chain Comparison
One adversary is not like the other
Two example kill chains, labelled APT 28 and Turla on the slide, each ending at the Crown Jewel:
Chain 1
―Tactic: Initial Access; Technique: Hardware Add-on
―Tactic: Credential Access; Techniques: LLMNR Poisoning, Credential Dump
―Tactic: Lateral Movement; Technique: Pass-The-Hash
―Crown Jewel
Chain 2
―Tactic: Initial Access; Technique: Spear Phishing
―Tactic: Credential Access; Technique: Kerberoast
―Tactic: Lateral Movement; Technique: RDP
―Crown Jewel

Detailed Kill Chain
―Tactic: Initial Access; Technique: Hardware add-on. Weaknesses: insufficient physical protection, lack of network access control
―Tactic: Discovery; Techniques: System discovery, Service scanning. Weaknesses: improper network segregation, SMB signing disabled
―Tactic: Credential Access; Techniques: LLMNR poisoning, Credential dump (SAM). Weaknesses: local name resolution enabled, admin privileges assigned to regular accounts
―Tactic: Lateral Movement; Technique: Pass-the-hash
―Orange-Tier objective reached: Local Admin on Server

Emulation or Simulation
Does it even matter?

(Si|E)mulation
Does it even matter?
Simulate - verb [T] /ˈsɪm.jə.leɪt/: to produce something that is not real but has the appearance of being real. For analysis and study.
Emulate - verb [T] /ˈem.jə.leɪt/: to behave in the same way as someone or something else. For usage as a substitute.

Adversary (Si|E)mulation
There is a difference
Simulation (simulate an adversary that is not real)
―Based on the Red Team’s experience
―Based on environment at hand
―Based on global technique popularity
Emulation (impersonate APT-28)
―Based on threat intelligence
―TTPs of adversaries that will target you
―Based on a previous simulation

Adversary Simulation
Simulating a threat by using the TTPs that work for that target/environment

Adversary Emulation
Emulating a specific adversary’s TTPs

TIBER-EU

TIBER-EU
A European initiative to structure Red Teaming
―Require most important financial institutions to perform TIBER testing
―Guide institutions with procurement
―Follow-up on the testing together with White Team
“TIBER tests mimic potential attacks by real high level threat groups …”
“… without the foreknowledge of the organisation’s defending Blue Team.”

TIBER-EU
Process Overview
[Figure: Generic Threat Intelligence (GTI) → Preparation → Testing → Closure; within Testing, the Threat Intelligence phase (Targets & Threats → Targeted Threat Intel Report) feeds the Red Team phase (Red Team Test Plan)]

Zooming in on the Red Team Test Plan
Key transition point between the Threat Intelligence and the Red Team phases, containing attack scenarios that:
Strategic Level (Red-Tier flags on CEF 1, CEF 2, CEF 3)
― Align test objectives with the goals of each of the actors
― Map onto one or more Critical Function-supporting systems
Tactical / Operational Level: Adversary Emulation
― Provide a background to the tradecraft of the actor that is mimicked in the attack
― Adapt the attack methodology to replicate the real-life attack scenarios
Tactical / Operational Level: Adversary Simulation
― Provide creative elements of TTPs that deviate from the original scenario to respond to changing circumstances, e.g. combining techniques of relevant threat actors
― Scenario X: “The RT provider could deploy creative and innovative TTPs, stretching itself to its absolute limits. The RT provider can leverage its full range of professional knowledge, research, expertise and tools to build forward-looking scenarios based on TTPs that have not yet been seen but are expected in the future.”

TIBER Roles & Responsibilities
The main participants in a TIBER-EU test are assigned to one of five different teams:
― Entity (White Team)
― Authority (TIBER Cyber Team)
― Threat Intelligence Provider
― Red Team Provider
― Blue Team

Activity                                            Entity  Authority  TI Provider  RT Provider
Ensure TIBER-EU requirements are followed           R       A          R            R
Preparation (procurement & scoping)                 A       C          I            I
End-to-end test                                     A       C          R            R
Threat Intelligence Execution                       A       C          R            C
Targeted Threat Intel Report                        A       C          R            C
Handover Session TI & RT Providers                  A       C          R            C
Red Team Test Plan                                  A       C          C            R
Red Team Execution                                  A       C          C            R
Red Team Report                                     A       I          /            R
Closure (replay, remediation plan, summary report)  A       C          C            C
Closure (360° feedback session)                     C       A          C            C

Roles & Responsibilities
Without the blue team, is there even a red team?
―So far, we’ve focused on the offensive side and red team goals: test detection capabilities, human aspect, process improvements.
―Blue team involvement:
  ―Blue team report, which maps the BT’s actions alongside the RT actions
  ―Replay workshop
Me: *Discuss adversary emulation without including the blue team*
The blue team: [reaction image]

Purple Team

The Blue Team
Roles & Responsibilities
Improve Security Posture
―Implement preventive controls
―Security monitoring & threat hunting
―Incident response
Red team failure = blue team success

The Red Team
Roles & Responsibilities
Improve Security Posture
―Vulnerability identification & exploitation
―Social engineering
―Detection evasion
Blue team failure = Red team success
aRe YoU DoMaIn AdMiN yEt?

How it could be
What about some of the following actions?
―Share TTPs of new threat actors
―Help with vulnerability management and prioritize most critical issues
―Test Red Team techniques
―Share monitoring tactics, playbooks, and alerting

Purple Prerequisites
Purple teaming is the new red teaming, right?
―Central logging platform
―Endpoint visibility
―Network device logs
―SOC, analysts, people

The best of both worlds
An example approach
[Figure: cycle of Periodic assessment (Threat-Intelligence-Based Ethical Red Team / “Classic” Red Team, Emulation) → Replay & align (Red, Blue) → Continuous improvement]

Tracking improvement
All about those metrics
MITRE ATT&CK Navigator, colouring each technique as one of: Detected, Logs Available, Not Detected, Not Tested
―Time to initial foothold, network propagation, objectives
―Time to detection
―Time to remediation
―Successful/Prevented TTPs
―Kill Chain and corresponding TTPs
―Reached Objectives
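As an added illustration (not the deck's or NVISO's tooling), the metrics listed on this slide and on the Outputs & Metrics slide, plus the four-state Navigator colouring, computed from a constructed red-team and blue-team timeline. The technique IDs are real ATT&CK IDs, the JSON follows the Navigator layer format, and the version strings are assumptions that must match the Navigator instance the layer is loaded into.

```python
"""Red/blue exercise scoring: time-based metrics plus an ATT&CK Navigator layer.

Added illustration, not NVISO's tooling. The two logs below are constructed;
technique IDs are real ATT&CK IDs; the version strings in the layer are an
assumption and should be set to match your Navigator instance.
"""
import json
from datetime import datetime

ENGAGEMENT_START = "2020-05-04T08:00"  # constructed

# Constructed red-team log: (timestamp, Unified Kill Chain phase, technique, outcome)
RED_LOG = [
    ("2020-05-04T09:00", "Initial Foothold",     "T1566.001", "success"),    # spearphishing attachment
    ("2020-05-04T11:30", "Initial Foothold",     "T1059.001", "success"),    # PowerShell stager
    ("2020-05-05T14:00", "Network Propagation",  "T1557.001", "success"),    # LLMNR poisoning
    ("2020-05-05T16:20", "Network Propagation",  "T1003.002", "prevented"),  # SAM dump blocked by EDR
    ("2020-05-06T10:05", "Network Propagation",  "T1550.002", "success"),    # pass the hash
    ("2020-05-07T08:45", "Action on Objectives", "T1056.001", "success"),    # input capture on crown-jewel host
]
# Constructed blue-team log: (timestamp, technique the alert was mapped to)
BLUE_LOG = [
    ("2020-05-05T17:00", "T1003.002"),  # EDR alert on credential dump attempt
    ("2020-05-06T15:30", "T1550.002"),  # hunt finding from logon telemetry
]
# Techniques where the replay workshop showed telemetry existed but no alert fired
LOGS_AVAILABLE = {"T1557.001"}
# Techniques in the agreed scenario, whether exercised or not
IN_SCOPE = {t for _, _, t, _ in RED_LOG} | {"T1558.003", "T1021.001"}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")


def minutes_to_phase(phase, red_log=RED_LOG, start=ENGAGEMENT_START):
    """Minutes from engagement start to the first successful action in a UKC phase."""
    hits = [_ts(ts) for ts, p, _, out in red_log if p == phase and out == "success"]
    return int((min(hits) - _ts(start)).total_seconds() // 60) if hits else None


def minutes_to_detection(red_log=RED_LOG, blue_log=BLUE_LOG):
    """Per technique: minutes between the red action and the first blue alert for it."""
    result = {}
    for ts, _, tech, _ in red_log:
        alerts = [_ts(b) for b, t in blue_log if t == tech and _ts(b) >= _ts(ts)]
        if alerts and tech not in result:
            result[tech] = int((min(alerts) - _ts(ts)).total_seconds() // 60)
    return result


def ttp_outcomes(red_log=RED_LOG):
    """Counts of successful vs prevented TTPs."""
    return {
        "successful": sum(1 for *_, out in red_log if out == "success"),
        "prevented": sum(1 for *_, out in red_log if out == "prevented"),
    }


def coverage(red_log=RED_LOG, blue_log=BLUE_LOG, logs=LOGS_AVAILABLE, scope=IN_SCOPE):
    """Map each in-scope technique to Detected / Logs Available / Not Detected / Not Tested."""
    tested = {t for _, _, t, _ in red_log}
    detected = {t for _, t in blue_log}
    status = {}
    for tech in scope:
        if tech not in tested:
            status[tech] = "Not Tested"
        elif tech in detected:
            status[tech] = "Detected"
        elif tech in logs:
            status[tech] = "Logs Available"
        else:
            status[tech] = "Not Detected"
    return status


COLORS = {"Detected": "#31a354", "Logs Available": "#fd8d3c",
          "Not Detected": "#e31a1c", "Not Tested": "#bdbdbd"}


def navigator_layer(status, name="Red team exercise"):
    """Build an ATT&CK Navigator layer dict (version strings are an assumption)."""
    return {
        "name": name,
        "versions": {"attack": "9", "navigator": "4.3", "layer": "4.2"},
        "domain": "enterprise-attack",
        "description": "Detection coverage per technique exercised by the red team",
        "techniques": [{"techniqueID": t, "color": COLORS[s], "comment": s, "enabled": True}
                       for t, s in sorted(status.items())],
        "legendItems": [{"label": label, "color": c} for label, c in COLORS.items()],
    }


if __name__ == "__main__":
    for phase in ("Initial Foothold", "Network Propagation", "Action on Objectives"):
        print(f"time to {phase}: {minutes_to_phase(phase)} min")
    print("time to detection (min):", minutes_to_detection())
    print("TTP outcomes:", ttp_outcomes())
    print(json.dumps(navigator_layer(coverage()), indent=2))
```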

2 Teams, One Dream

Parting Words
Adversary emulation might be the final destination, but don’t forget the journey.
A realistic attack should be based on TTPs.
When red & blue work together, great things can be achieved.

Security Consulting Services - Which Is The Best Option For Me? - Diego Sor, ...
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
Cyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdfCyber Threat Hunting Workshop.pdf
Cyber Threat Hunting Workshop.pdf
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
FS-ISAC 2019 - Building an Effective Red Team Program 07/08/2019
FS-ISAC 2019 - Building an Effective Red Team Program 07/08/2019FS-ISAC 2019 - Building an Effective Red Team Program 07/08/2019
FS-ISAC 2019 - Building an Effective Red Team Program 07/08/2019
 
Reorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's ThreatsReorganizing Federal IT to Address Today's Threats
Reorganizing Federal IT to Address Today's Threats
 
Tech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs WhitelistingTech Throwdown: Secure Containerization vs Whitelisting
Tech Throwdown: Secure Containerization vs Whitelisting
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshop
 
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
Toward Effective Evaluation of Cyber Defense Threat Based Adversary Emulation...
 
Beyond the Surface: Exploring the Depths of Vulnerability Assessment and Pene...
Beyond the Surface: Exploring the Depths of Vulnerability Assessment and Pene...Beyond the Surface: Exploring the Depths of Vulnerability Assessment and Pene...
Beyond the Surface: Exploring the Depths of Vulnerability Assessment and Pene...
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
CRISC Course Preview
CRISC Course PreviewCRISC Course Preview
CRISC Course Preview
 

Recently uploaded

Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper PresentationKirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip
 
Science Around Us Module 2 Matter Around Us
Science Around Us Module 2 Matter Around UsScience Around Us Module 2 Matter Around Us
Science Around Us Module 2 Matter Around Us
PennapaKeavsiri
 
Prescriptive analytics BA4206 Anna University PPT
Prescriptive analytics BA4206 Anna University PPTPrescriptive analytics BA4206 Anna University PPT
Prescriptive analytics BA4206 Anna University PPT
Freelance
 
High-Quality IPTV Monthly Subscription for $15
High-Quality IPTV Monthly Subscription for $15High-Quality IPTV Monthly Subscription for $15
High-Quality IPTV Monthly Subscription for $15
advik4387
 
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan ChartSatta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results
 
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
valvereliz227
 
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan ChartSatta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results
 
Cover Story - China's Investment Leader - Dr. Alyce SU
Cover Story - China's Investment Leader - Dr. Alyce SUCover Story - China's Investment Leader - Dr. Alyce SU
Cover Story - China's Investment Leader - Dr. Alyce SU
msthrill
 
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
➒➌➎➏➑➐➋➑➐➐Dpboss Matka Guessing Satta Matka Kalyan Chart Indian Matka
 
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
IPLTech Electric
 
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
Cambridge Product Management Network
 
AI Transformation Playbook: Thinking AI-First for Your Business
AI Transformation Playbook: Thinking AI-First for Your BusinessAI Transformation Playbook: Thinking AI-First for Your Business
AI Transformation Playbook: Thinking AI-First for Your Business
Arijit Dutta
 
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
taqyea
 
IMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss  guessingIMG_20240615_091110.pdf dpboss  guessing
8328958814KALYAN MATKA | MATKA RESULT | KALYAN
8328958814KALYAN MATKA | MATKA RESULT | KALYAN8328958814KALYAN MATKA | MATKA RESULT | KALYAN
8328958814KALYAN MATKA | MATKA RESULT | KALYAN
➑➌➋➑➒➎➑➑➊➍
 
The Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac SignThe Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac Sign
my Pandit
 
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
ISONIKELtd
 
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
YourLegal Accounting
 
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
Niswey
 
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
thesiliconleaders
 

Recently uploaded (20)

Kirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper PresentationKirill Klip GEM Royalty TNR Gold Copper Presentation
Kirill Klip GEM Royalty TNR Gold Copper Presentation
 
Science Around Us Module 2 Matter Around Us
Science Around Us Module 2 Matter Around UsScience Around Us Module 2 Matter Around Us
Science Around Us Module 2 Matter Around Us
 
Prescriptive analytics BA4206 Anna University PPT
Prescriptive analytics BA4206 Anna University PPTPrescriptive analytics BA4206 Anna University PPT
Prescriptive analytics BA4206 Anna University PPT
 
High-Quality IPTV Monthly Subscription for $15
High-Quality IPTV Monthly Subscription for $15High-Quality IPTV Monthly Subscription for $15
High-Quality IPTV Monthly Subscription for $15
 
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan ChartSatta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
 
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
欧洲杯赌球-欧洲杯赌球买球官方官网-欧洲杯赌球比赛投注官网|【​网址​🎉ac55.net🎉​】
 
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan ChartSatta Matka Dpboss Kalyan Matka Results Kalyan Chart
Satta Matka Dpboss Kalyan Matka Results Kalyan Chart
 
Cover Story - China's Investment Leader - Dr. Alyce SU
Cover Story - China's Investment Leader - Dr. Alyce SUCover Story - China's Investment Leader - Dr. Alyce SU
Cover Story - China's Investment Leader - Dr. Alyce SU
 
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
Dpboss Matka Guessing Satta Matta Matka Kalyan panel Chart Indian Matka Dpbos...
 
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
Sustainable Logistics for Cost Reduction_ IPLTech Electric's Eco-Friendly Tra...
 
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
2024.06 CPMN Cambridge - Beyond Now-Next-Later.pdf
 
AI Transformation Playbook: Thinking AI-First for Your Business
AI Transformation Playbook: Thinking AI-First for Your BusinessAI Transformation Playbook: Thinking AI-First for Your Business
AI Transformation Playbook: Thinking AI-First for Your Business
 
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
一比一原版(QMUE毕业证书)英国爱丁堡玛格丽特女王大学毕业证文凭如何办理
 
IMG_20240615_091110.pdf dpboss guessing
IMG_20240615_091110.pdf dpboss  guessingIMG_20240615_091110.pdf dpboss  guessing
IMG_20240615_091110.pdf dpboss guessing
 
8328958814KALYAN MATKA | MATKA RESULT | KALYAN
8328958814KALYAN MATKA | MATKA RESULT | KALYAN8328958814KALYAN MATKA | MATKA RESULT | KALYAN
8328958814KALYAN MATKA | MATKA RESULT | KALYAN
 
The Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac SignThe Steadfast and Reliable Bull: Taurus Zodiac Sign
The Steadfast and Reliable Bull: Taurus Zodiac Sign
 
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
1 Circular 003_2023 ISO 27001_2022 Transition Arrangments v3.pdf
 
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
The Role of White Label Bookkeeping Services in Supporting the Growth and Sca...
 
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
Unlocking WhatsApp Marketing with HubSpot: Integrating Messaging into Your Ma...
 
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdfThe Most Inspiring Entrepreneurs to Follow in 2024.pdf
The Most Inspiring Entrepreneurs to Follow in 2024.pdf
 

NVISO - A Journey Through Adversary Emulation - Jonas Bauters

  • 1. Classification: Internal
    A Journey Through Adversary Emulation
    Jonas Bauters, DEFCON Red Team Village May’hem Summit, 16/05/2020
  • 2. Contents: The journey is more important than the destination
    Sections: Our Methodology; Realistic Attack; Penetration Testing & Red Teaming; Simulation & Emulation; TIBER; Purple Teaming
  • 4. Offensive Testing: Vulnerability scanning & penetration testing
    Vulnerability Scans, Penetration Test, “Creative” Pentest
  • 5. There is more: What a traditional pentest will not cover
    ― Exposure to a realistic threat that is targeting your critical systems
    ― On top of vulnerability identification, assess detection capability
    ― Testing of the human reaction and user awareness
    ― Repeatable, structured process that provides key areas for improvement
  • 6. A Realistic Attack: This is where the red team comes in
    Diagram labels: Process, People, Technology; Pentest A, Pentest B; TTPs; Assess resilience; Improve resilience
  • 7. Penetration Test vs. Red Team: Key differences
    |                  | Penetration Test                               | Red Team                                                                              |
    | Objective        | Gain insight in system/network vulnerabilities | Test resilience against a realistic attack in terms of protection, detection, and response |
    | Scope            | Limited, with focus on technical               | Broad, including people, processes, technology                                        |
    | Approach         | Vulnerability focused, breadth first           | Objective focused, depth first                                                        |
    | User awareness   | No                                             | Yes                                                                                   |
    | Detection tested | No                                             | Yes                                                                                   |
    | Response tested  | No                                             | Yes                                                                                   |
    | Methodology      | Reconnaissance and exploitation                | Tactics, techniques, procedures (TTPs)                                                |
  • 8. Outputs & Metrics: What results can you expect from each type of test?
    Red team:
    ― Time to initial foothold, network propagation, objectives
    ― Time to detection
    ― Time to remediation
    ― Successful/Prevented TTPs
    ― Kill Chain and corresponding TTPs
    ― Reached Objectives
    Penetration test:
    ― Results within a specific context and scope
    ― #Vulnerabilities and risk ratings (total, stats per system, etc.)
    ― Ad-hoc remediations
  • 9. Summarizing the most important differences: In conclusion
    Penetration Test: identify and exploit vulnerabilities on a (series of) system(s) to assess security; focused on a specific scope, breadth-first (application, system, subnet); assess technology in terms of preventive controls
    VS
    Red Team: assess how resilient an organization is versus a realistic threat; focused on objectives (flags) through the execution of certain scenarios, depth-first; assess people, processes, and technology in terms of prevention, detection, and response
  • 10. Objective-Based Penetration Test: Something in between
    Same comparison as slide 9, with the Objective-based Penetration Test positioned between the Penetration Test and the Red Team
  • 11. Keeping it Real
    ― Tactics, Techniques & Procedures
    ― Describe adversary activities
  • 13. A realistic threat: Introducing Tactics, Techniques & Procedures
    Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html by David Bianco
  • 14. MITRE ATT&CK: Tactics & Techniques (matrix of TACTICS and TECHNIQUES)
  • 15. What does a realistic attack look like? The Cyber Kill Chain™
    Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Action on Objectives
    The Cyber Kill Chain™, created by Lockheed Martin in 2011, is a sequence of steps that describes how adversaries operate.
  • 16. What does a realistic attack look like? Cyber Kill Chain™ limitations
    Same seven phases. Even though it’s highly useful and has been widely adopted, there are some limitations.
  • 17. The Unified Kill Chain (UKC): Improving the Cyber Kill Chain™
    Initial Foothold (Compromised System), Network Propagation (Internal Network Access), Action on Objectives (Critical Asset Access)
    Source: https://www.csacademy.nl/images/scripties/2018/Paul-Pols---The-Unified-Kill-Chain.pdf
  • 19. The Unified Kill Chain: You’re only as solid as what you build on
    Initial Foothold (Compromised System), Network Propagation (Internal Network Access), Action on Objectives (Critical Asset Access)
  • 20. Abstraction Levels: Emulating the adversary on multiple levels
    Strategic: ― Definition of flags/objectives ― “Why”
    Tactical: ― Sequence of phases aimed to achieve strategic objectives ― Grouping of related techniques ― “What”
    Operational: ― Specific techniques & procedures ― Execution and completion of tactical phases ― “How”
  • 21. Abstraction Levels: A metaphor (Operational, Strategic, Tactical)
  • 22.–23. Strategic Level: Mapping the adversary’s objectives to the Kill Chain
    Initial Foothold (Compromised System), Yellow Tier: Confidential data online; External server or website compromise; Access to internal network; Credentials obtained via phishing
    Network Propagation (Internal Network Access), Orange Tier: Local server admin; Local workstation admin; Domain Administrator
    Action on Objectives (Critical Asset Access), Red Tier: Crown Jewel; Sensitive Data; Critical Asset
  • 24. Tactical Level: Mapping the adversary’s tactical phases to the Kill Chain
    Kill chain phases: Initial Foothold (Compromised System), Network Propagation (Internal Network Access), Action on Objectives (Critical Asset Access)
    Tactical phases: Information Gathering, Weakness Identification, Build Capabilities, Execution, Credential Access, Lateral Movement, Data Collection
  • 25. Operational Level: Mapping the adversary’s techniques to the Kill Chain
    ― Tactic: Info Gathering; Technique: Active scanning
    ― Tactic: Lateral Movement; Technique: Pass the hash
    ― Tactic: Data Collection; Technique: Input Capture
  • 26. Kill Chain Comparison: One adversary is not like the other (two chains, labelled APT 28 and Turla, both ending at the Crown Jewel)
    Chain A: Initial Access (Hardware Add-on) → Credential Access (LLMNR Poisoning, Credential Dump) → Lateral Movement (Pass-The-Hash) → Crown Jewel
    Chain B: Initial Access (Spear Phishing) → Credential Access (Kerberoast) → Lateral Movement (RDP) → Crown Jewel
  • 27. Detailed Kill Chain (tactic: techniques, followed in brackets by the weaknesses the step relies on)
    ― Initial Access: Hardware add-on (Insufficient physical protection; Lack of network access control)
    ― Discovery: System discovery, Service scanning (Improper network segregation; SMB signing disabled)
    ― Credential Access: LLMNR poisoning, Credential dump (SAM) (Local name resolution enabled; Admin privileges assigned to regular accounts)
    ― Lateral Movement: Pass-the-hash
    Orange-Tier objective reached: Local Admin on Server
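The detailed kill chain on slide 27 pairs every step with the weaknesses it relies on, which is exactly the input a replay workshop needs to decide what to fix first. The following is an added example by the editor, not code from the deck or from NVISO: it encodes the slide's four steps as data and walks the chain with chosen weaknesses closed, so the defender can see how far an attacker still gets and which single fix breaks the chain earliest. Two modelling assumptions are the editor's, not the slide's: each listed weakness is necessary for its step (closing any one blocks the step), and each step needs the previous one to have succeeded (pass-the-hash needs the hashes dumped in the step before it).

```python
"""Kill-chain dependency walk for the scenario on slide 27.

Added example by the editor, not code from the deck or from NVISO. It encodes the
slide's four steps, the weaknesses each step relies on and the objective tier the
chain reaches, then answers the replay-workshop question: which single remediation
breaks the chain earliest?

Modelling assumptions (the editor's, not stated on the slide): every weakness
listed for a step is necessary for that step, so closing any one of them blocks
it; and each step depends on the previous one having succeeded, so the walk
stops at the first blocked step.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    tactic: str
    techniques: Tuple[str, ...]
    weaknesses: Tuple[str, ...]       # conditions the step relies on (from the slide)
    objective: Optional[str] = None   # objective tier reached when the step succeeds


# The chain exactly as listed on slide 27.
SCENARIO = (
    Step("Initial Access", ("Hardware add-on",),
         ("Insufficient physical protection", "Lack of network access control")),
    Step("Discovery", ("System discovery", "Service scanning"),
         ("Improper network segregation", "SMB signing disabled")),
    Step("Credential Access", ("LLMNR poisoning", "Credential dump (SAM)"),
         ("Local name resolution enabled", "Admin privileges assigned to regular accounts")),
    Step("Lateral Movement", ("Pass-the-hash",), (),
         objective="Orange Tier: Local Admin on Server"),
)


def walk(scenario: Iterable[Step], fixed: Iterable[str] = ()) -> Tuple[List[str], Optional[str]]:
    """Replay the chain with the given weaknesses closed.

    Returns the tactics that still complete and the last objective reached (or None).
    """
    closed = set(fixed)
    completed, reached = [], None
    for step in scenario:
        if any(w in closed for w in step.weaknesses):
            break                      # step blocked; nothing after it can run
        completed.append(step.tactic)
        if step.objective:
            reached = step.objective
    return completed, reached


def remediation_ranking(scenario: Tuple[Step, ...]) -> List[Tuple[str, int]]:
    """For every weakness on the chain, how many steps still complete once only it is fixed.

    Sorted ascending, so the first entries are the fixes that cut the chain shortest.
    """
    ranking = [(w, len(walk(scenario, [w])[0])) for step in scenario for w in step.weaknesses]
    return sorted(ranking, key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    print("no fixes      :", walk(SCENARIO))
    print("fix SMB signing:", walk(SCENARIO, ["SMB signing disabled"]))
    for weakness, steps_left in remediation_ranking(SCENARIO):
        print(f"{steps_left} step(s) still complete after fixing: {weakness}")
```

The ranking is deliberately simple: it only reflects where on the chain a weakness sits, which is what slide 27 gives you. In practice the same weakness often enables several chains (slide 26 shows two), so a real prioritisation would run the walk over every scenario in the test plan and rank by the number of chains cut.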
  • 28. Emulation or Simulation: Does it even matter?
  • 29. (Si|E)mulation: Does it even matter?
    Simulate, verb [T], /ˈsɪm.jə.leɪt/: to produce something that is not real but has the appearance of being real. For analysis and study.
    Emulate, verb [T], /ˈem.jə.leɪt/: to behave in the same way as someone or something else. For usage as a substitute.
  • 30. Adversary (Si|E)mulation: There is a difference
    Simulation (simulate an adversary that is not real): ― Based on the Red Team’s experience ― Based on environment at hand ― Based on global technique popularity
    Emulation (impersonate APT-28): ― Based on threat intelligence ― TTPs of adversaries that will target you ― Based on a previous simulation
  • 31. Adversary Simulation: Simulating a threat by using the TTPs that work for that target/environment
  • 32. Adversary Emulation: Emulating a specific adversary’s TTPs
  • 34. TIBER-EU: A European initiative to structure Red Teaming
    ― Require most important financial institutions to perform TIBER testing
    ― Guide institutions with procurement
    ― Follow-up on the testing together with White Team
    “TIBER tests mimic potential attacks by real high level threat groups …” “… without the foreknowledge of the organisation’s defending Blue Team.”
  • 35. TIBER-EU Process Overview
    Phases: Preparation → Testing (Threat Intelligence, then Red Team) → Closure
    Artefacts: Generic Threat Intelligence (GTI), Targets & Threats, Targeted Threat Intel Report, Red Team Test Plan
  • 36.–40. Zooming in on the Red Team Test Plan
    Key transition point between the Threat Intelligence and the Red Team phases, containing attack scenarios that:
    ― Align test objectives with the goals of each of the actors
    ― Map onto one or more Critical Function-supporting systems
    ― Provide a background to the tradecraft of the actor that is mimicked in the attack
    ― Adapt the attack methodology to replicate the real-life attack scenarios
    ― Provide creative elements of TTPs that deviate from the original scenario to respond to changing circumstances, e.g. combining techniques of relevant threat actors
    ― Scenario X: “The RT provider could deploy creative and innovative TTPs, stretching itself to its absolute limits. The RT provider can leverage its full range of professional knowledge, research, expertise and tools to build forward-looking scenarios based on TTPs that have not yet been seen but are expected in the future.”
    Overlays added on slides 37 to 40 label the plan by abstraction level: Strategic Level (Red Tier: CEF 1, CEF 2, CEF 3) and two Tactical / Operational Level blocks, one labelled Adversary Emulation and one labelled Adversary Simulation
  • 41. TIBER Roles & Responsibilities (RACI)
    The main participants in a TIBER-EU test are assigned to one of five different teams: ― Entity (White Team) ― Authority (TIBER Cyber Team) ― Threat Intelligence Provider ― Red Team Provider ― Blue Team
    | Activity                                           | Entity | Authority | TI Provider | RT Provider |
    | Ensure TIBER-EU requirements are followed          | R      | A         | R           | R           |
    | Preparation (procurement & scoping)                | A      | C         | I           | I           |
    | End-to-end test                                    | A      | C         | R           | R           |
    | Threat Intelligence Execution                      | A      | C         | R           | C           |
    | Targeted Threat Intel Report                       | A      | C         | R           | C           |
    | Handover Session TI & RT Providers                 | A      | C         | R           | C           |
    | Red Team Test Plan                                 | A      | C         | C           | R           |
    | Red Team Execution                                 | A      | C         | C           | R           |
    | Red Team Report                                    | A      | I         | /           | R           |
    | Closure (replay, remediation plan, summary report) | A      | C         | C           | C           |
    | Closure (360° feedback session)                    | C      | A         | C           | C           |
  • 42. Roles & Responsibilities: Without the blue team, is there even a red team?
    ― So far, we’ve focused on the offensive side and red team goals: test detection capabilities, human aspect, process improvements.
    ― Blue team involvement:
      ― Blue team report, which maps the BT’s actions alongside the RT actions
      ― Replay workshop
    Meme caption: Me: *Discuss adversary emulation without including the blue team* The blue team:
  • 44.–45. The Blue Team: Roles & Responsibilities
    Improve Security Posture: Implement preventive controls; Security monitoring & threat hunting; Incident response
    Red team failure = blue team success
  • 46.–47. The Red Team: Roles & Responsibilities
    Improve Security Posture: Vulnerability identification & exploitation; Social engineering; Detection evasion
    Blue team failure = Red team success (aRe YoU DoMaIn AdMiN yEt?)
  • 48. How it could be: What about some of the following actions?
    ― Share TTPs of new threat actors
    ― Help with vulnerability management and prioritize most critical issues
    ― Test Red Team techniques
    ― Share monitoring tactics, playbooks, and alerting
  • 49. Purple Prerequisites: Purple teaming is the new red teaming, right?
    ― Central logging platform
    ― Endpoint visibility
    ― Network device logs
    ― SOC, analysts, people
  • 50. The best of both worlds: An example approach
    Threat-Intelligence Based Ethical Red Team (Emulation) alongside a “Classic” Red Team; Red and Blue replay & align; continuous improvement; periodic assessment
  • 51. Tracking improvement: All about those metrics
    MITRE ATT&CK Navigator with a four-state legend: Detected, Logs Available, Not Detected, Not Tested
    ― Time to initial foothold, network propagation, objectives
    ― Time to detection
    ― Time to remediation
    ― Successful/Prevented TTPs
    ― Kill Chain and corresponding TTPs
    ― Reached Objectives
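Slides 8 and 51 list the red team metrics (time to initial foothold, network propagation and objectives; time to detection; time to remediation; successful/prevented TTPs) and the four-state ATT&CK Navigator legend used to track them. The following is an added example by the editor, not code from the deck or from NVISO, showing how a replay workshop's annotations turn into those numbers and into a Navigator layer. The exercise log is constructed; the technique IDs are ATT&CK Enterprise IDs chosen by the editor for the techniques named on slides 25 to 27; and the layer structure follows the public Navigator layer-file format as the editor recalls it, so the "versions" values are an assumption to check against the Navigator build you import into.

```python
"""Purple-team metrics and an ATT&CK Navigator layer from an exercise log.

Added example, not code from the deck or from NVISO. Every record in
EXERCISE is constructed for illustration; the technique IDs are ATT&CK
Enterprise IDs supplied by the editor, and the Navigator layer structure
follows the public layer-file format as the editor recalls it (check the
"versions" values against the Navigator build you import into).
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
import json

# Unified Kill Chain phases from slide 17, used for the time-to-phase metrics.
PHASES = ("initial-foothold", "network-propagation", "action-on-objectives")


@dataclass
class TTPResult:
    technique_id: str
    name: str
    tactic: str                       # ATT&CK tactic shortname, as the Navigator expects
    phase: str                        # Unified Kill Chain phase the TTP belongs to
    executed: Optional[str] = None    # ISO-8601 time the red team ran it; None = not tested
    prevented: bool = False           # stopped by a preventive control
    detected: Optional[str] = None    # time the blue team raised an alert
    logs_available: bool = False      # telemetry existed but no alert fired
    remediated: Optional[str] = None  # time the fix agreed in the replay was applied


START = "2020-05-11T08:00:00"         # constructed exercise start
EXERCISE = [                          # constructed replay-workshop annotations
    TTPResult("T1200", "Hardware Additions", "initial-access", "initial-foothold",
              executed="2020-05-11T09:00:00"),
    TTPResult("T1046", "Network Service Scanning", "discovery", "initial-foothold",
              executed="2020-05-11T09:40:00", detected="2020-05-11T09:52:00", logs_available=True),
    TTPResult("T1557.001", "LLMNR/NBT-NS Poisoning", "credential-access", "network-propagation",
              executed="2020-05-11T10:15:00", logs_available=True),
    TTPResult("T1003.002", "OS Credential Dumping: SAM", "credential-access", "network-propagation",
              executed="2020-05-11T10:30:00", prevented=True, detected="2020-05-11T10:31:00"),
    TTPResult("T1550.002", "Pass the Hash", "lateral-movement", "network-propagation",
              executed="2020-05-11T11:05:00", detected="2020-05-11T12:35:00",
              logs_available=True, remediated="2020-05-12T10:00:00"),
    TTPResult("T1056", "Input Capture", "collection", "action-on-objectives"),  # planned, not run
]


def _ts(s: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(s) if s else None


def minutes_between(start: Optional[str], end: Optional[str]) -> Optional[float]:
    a, b = _ts(start), _ts(end)
    return None if a is None or b is None else (b - a).total_seconds() / 60


def outcome(r: TTPResult) -> str:
    """Map one result onto the four legend states of the slide 51 Navigator view."""
    if r.executed is None:
        return "Not Tested"
    if r.detected is not None:
        return "Detected"
    return "Logs Available" if r.logs_available else "Not Detected"


def time_to_detection(r: TTPResult) -> Optional[float]:
    return minutes_between(r.executed, r.detected)


def time_to_remediation(r: TTPResult) -> Optional[float]:
    return minutes_between(r.detected, r.remediated)


def time_to_phase(results, phase: str, start: str) -> Optional[float]:
    """Minutes from exercise start to the first TTP of a kill-chain phase that was not prevented."""
    hits = [_ts(r.executed) for r in results
            if r.phase == phase and r.executed and not r.prevented]
    return None if not hits else (min(hits) - _ts(start)).total_seconds() / 60


def summarise(results, start: str) -> dict:
    """The headline numbers from slide 8: executed, prevented, successful, detected, TTD, time to phase."""
    ran = [r for r in results if r.executed]
    ttds = [time_to_detection(r) for r in ran if r.detected]
    return {
        "executed": len(ran),
        "prevented": sum(r.prevented for r in ran),
        "successful": sum(not r.prevented for r in ran),
        "detected": len(ttds),
        "mean_ttd_minutes": round(sum(ttds) / len(ttds), 1) if ttds else None,
        "time_to_phase_minutes": {p: time_to_phase(results, p, start) for p in PHASES},
    }


COLORS = {"Detected": "#2e7d32", "Logs Available": "#f9a825",
          "Not Detected": "#c62828", "Not Tested": "#9e9e9e"}


def navigator_layer(results, name: str = "Purple exercise") -> dict:
    """Build a Navigator layer colouring each technique by its outcome."""
    techniques = []
    for r in results:
        ttd = time_to_detection(r)
        note = outcome(r) + (f"; detected after {ttd:.0f} min" if ttd is not None else "")
        techniques.append({"techniqueID": r.technique_id, "tactic": r.tactic,
                           "color": COLORS[outcome(r)], "comment": note})
    return {
        "name": name,
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},  # assumption: match your install
        "domain": "enterprise-attack",
        "techniques": techniques,
        "legendItems": [{"label": k, "color": v} for k, v in COLORS.items()],
    }


if __name__ == "__main__":
    print(json.dumps(summarise(EXERCISE, START), indent=2))
    print(json.dumps(navigator_layer(EXERCISE), indent=2))
```

Two choices worth noting. A prevented TTP that also raised an alert (the SAM dump above) counts as prevented and as detected, but not as progress on the kill chain, which is why time-to-phase only looks at TTPs that were not prevented. And "Logs Available" is tracked separately from "Not Detected" because the two call for different blue team work: writing a detection rule versus first closing a telemetry gap.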
  • 53. Parting Words
    Adversary emulation might be the final destination, but don’t forget the journey. A realistic attack should be based on TTPs. When red & blue work together, great things can be achieved.