Presentation slides presented by Cody Thomas and Christopher Korban at x33fcon 2018 about how to jumpstart your purple teaming with the MITRE ATT&CK framework, and accompanying Adversary Emulation Plans
Offensive security and Ethical Hacking is about providing business value. One of the most efficient and effective ways to improve security is through Adversary Emulation Purple Team Exercises. Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will cover how to run a high-value adversary emulation through a Purple Team Exercise.
https://www.scythe.io/library/threatthursday-apt33
Adversary Emulation - Red Team Village - Mayhem 2020 (Jorge Orchilles)
Presentation at DEF CON Red Team Village - Mayhem Virtual Summit 2020
Adversary Emulation - Red Team emulating APT19 with Empire3 and Starkiller
Connect:
https://twitter.com/jorgeorchilles
https://twitter.com/c2_matrix
References:
https://mitre-attack.github.io/attack-navigator/enterprise/
https://attack.mitre.org/groups/G0073/
https://www.thec2matrix.com/
https://howto.thec2matrix.com/slingshot-c2-matrix-edition
https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
https://vectr.io/
https://www.scythe.io/
Purple Team Exercise Framework Workshop #PTEF (Jorge Orchilles)
Purple Team exercises are an efficient and effective method of adversary emulation leading to the training and improvement of people, process, and technology. Red Teams and Blue Teams work together in a live production environment, emulating a selected adversary that has the capability, intent, and opportunity to attack the target organization provided by Cyber Threat Intelligence. Purple Team exercises are ‘hands on keyboard’ exercises where Red and Blue teams work together with an open discussion about each attack procedure and how to detect and alert against it.
Purple Team Exercise Framework #PTEF: https://www.scythe.io/ptef
Ethical Hacking Maturity Model: https://www.scythe.io/library/scythes-ethical-hacking-maturity-model
Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
#ThreatThursday: https://www.scythe.io/threatthursday
#C2Matrix: https://thec2matrix.com/
Atomic Purple Team: https://github.com/DefensiveOrigins/AtomicPurpleTeam
SCYTHE Playbooks: https://github.com/scythe-io/community-threats
#ThreatHunting Playbooks: https://threathunterplaybook.com/introduction.html
VECTR: https://vectr.io/
Unicon: https://www.scythe.io/unicon2020
The MITRE ATT&CK framework is followed by Threat Hunters and Threat Analysts for threat modelling, and can be used for Adversary Emulation and attack defense. Cybersecurity analysts widely use it to frame an attack through the Tactics and Techniques it catalogues.
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ... (Jorge Orchilles)
Join Jorge Orchilles and Phil Wainwright as they cover how to show value during Red and Purple Team exercises with a free platform, VECTR. VECTR is included in SANS Slingshot C2 Matrix Edition so you can follow along the presentation and live demos.
VECTR is a free platform for planning and tracking of your red and purple team exercises and alignment to blue team detection and prevention capabilities across different attack scenarios. VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain or ATT&CK tactics, from initial access to privilege escalation and lateral movement and so on, or can be a narrow in scope to focus on specific defensive controls, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection, prevention & response capabilities across cloud and on-premise environments.
Common use cases for VECTR are measuring your defenses over time against the MITRE ATT&CK framework, creating custom red team scenarios and adversary emulation plans, and assisting with toolset evaluations. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to help organizations level up and promote a platform that encourages community sharing of CTI that is useful for red teamers, blue teamers, threat intel teams, security engineering, and any number of other cyber roles, and helps management show increasing maturity in their programs and justification of what's working, what's not, and where additional investment might be needed in tools and team members to bring it all together.
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo (Katie Nickels)
Katie and John from the MITRE ATT&CK team present "ATT&CKing the Status Quo: Improving Threat Intelligence and Cyber Defense with MITRE ATT&CK" at BSidesLV 2018.
This presentation introduces the MITRE ATT&CK Framework, its different use cases, and pitfalls to watch out for. The talk was delivered at the @Null Bangalore and @OWASP Bangalore chapters on 15th February 2019.
Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans (Christopher Korban)
Talk about the evolution of security posture assessments, solving red team problems with ATT&CK-based Adversary Emulation Plans.
Conference: Art into Science - A Conference on Defense 2018
MITRE’s ATT&CK is a community-driven knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s life cycle and the platforms they are known to target. By scoping the wide breadth of the MITRE ATT&CK matrix to focus initially on the techniques used by threat actors you specifically care about, you can help the defenders create more useful and impactful detections first. Once you start emulating the appropriate threat actors, you can practice your defenses in a scenario that’s more realistic and applicable without the need for an actual intrusion. The speakers are providing a process and a case study of APT3 - a China-based threat group - for how to go from finding threat intelligence, sifting through it for actionable techniques, creating emulation plans, discovering how to emulate different techniques... to actually operating on a network. They are also providing a beginning "cheat sheet" for this actor to give a starting point for red and blue teams to accomplish these techniques in their own environment without the need to build their own tooling.
Talk at Kaspersky Lab's CoLaboratory: Industrial Cybersecurity Meetup #5 with @HeirhabarovT about several practical ATT&CK use cases.
Video (in Russian): https://www.youtube.com/watch?v=ulUF9Sw2T7s&t=3078
Many thanks to Teymur for the great tech dive.
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... (MITRE - ATT&CKcon)
With the development of the MITRE ATT&CK framework and its categorization of adversary activity during the attack cycle, understanding what to hunt for has become easier and more efficient than ever. However, organizations are still struggling to understand how they can prioritize the development of hunt hypotheses, assess their current security posture, and develop the right analytics with the help of ATT&CK. Even though there are several ways to utilize ATT&CK to accomplish those goals, only a few focus primarily on the data that is currently being collected to drive the success of a hunt program.
This presentation shows how organizations can benefit from mapping their current visibility from a data perspective to the ATT&CK framework. It focuses on how to identify, document, standardize and model current available data to enhance a hunt program. It presents an updated ThreatHunter-Playbook, a Kibana ATT&CK dashboard, a new project named Open Source Security Events Metadata known as OSSEM and expands on the “data sources” section already provided by ATT&CK on most of the documented adversarial techniques.
Purple Teaming is the idea of using a Red Team exercise with clear training objectives for the Blue Team.
Great exercises should not just be focused on testing a product, they should also test your active Blue Team members and their skills. But how does one start to think about a Purple Team exercise, how does one go about running one and what does it look like?
In this talk we will explain what, why and how, to plan an effective purple team exercise and give some examples. Most enterprise networks are Windows heavy so examples will heavily lean on this.
Testing assumptions, gaps, and blind spots is what being proactive is all about. This talk is for both the console folks and the non-console folks.
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™ (Katie Nickels)
Katie Nickels and Adam Pennington presented "Turning intelligence into action with MITRE ATT&CK™" at the FIRST CTI Symposium in London on 20 March 2019.
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac... (MITRE ATT&CK)
From ATT&CKcon 3.0
By Jason Wood and Justin Swisher, CrowdStrike
When it comes to understanding and tracking intrusion tradecraft, security teams must have the tools and processes that allow the mapping of hands-on adversary tradecraft. Doing this enables your team to both understand the adversaries and attacks you currently see and observe how these adversaries and attacks evolve over time. This session will explore how a threat hunting team uses MITRE ATT&CK to understand and categorize adversary activity. The team will demonstrate how threat hunters map ATT&CK TTPs by showcasing a recent interactive intrusion against a Linux endpoint and how the framework allowed for granular tracking of tradecraft and enhanced security operations. They will also take a look into the changes in the Linux activity they have observed over time, using the ATT&CK navigator to compare and contrast technique usage. This session will provide insights into how we use MITRE ATT&CK as a powerful resource to track intrusion tradecraft, identify adversary trends, and prepare for attacks of the future.
Using IOCs to Design and Control Threat Activities During a Red Team Engagement (Joe Vest)
The term Red Team or Red Teaming has become more prevalent in the security industry. Both commercial and government organizations conduct "Red Team Exercises". What does this mean? What is a Red Team engagement? How is it different than other security tests? Isn't current penetration and vulnerability security testing enough?
Red Teaming shares many of the fundamentals of other security testing types, yet focuses on specific scenarios and goals that are used to evaluate and measure an organization's overall security defense posture.
Organizations spend a great deal of time and money on the security of their systems. Red Teams have a unique goal of testing an organization's ability to detect, respond to, and recover from an attack. When properly conducted, Red Team activities can significantly contribute to the improvement of an organization's security controls, help hone defensive capabilities, and measure the effectiveness of security operations.
This presentation introduces the Red Teaming concept of IOC management, how a Red Team operator can use specific IOCs to blend into a target, and how to design specific scenarios to test a Blue Team's defensive posture.
Red Teaming is hot right now. Many people want to get into it just because it sounds cool. While I tend to agree, there are many things to consider. There is way more to red teaming than just "getting in" to organizations. Join us for this one hour webcast where we cover what red team is, why you may want to be a red teamer, and how to become a red teamer.
Adversary emulation involves leveraging your Red Teams to use real-world adversary tactics, techniques and procedures (TTPs), alongside attack frameworks such as MITRE ATT&CK, to: identify control gaps (and weaknesses); validate your monitoring, detection and response capabilities; and prioritise your security investments towards mitigating any shortcomings observed using this approach.
Adversary Emulation is a type of Red Team Exercise where the Red Team emulates how an adversary operates, following the same tactics, techniques, and procedures (TTPs), with a specific objective (similar to those of realistic threats or adversaries). Adversary emulations are performed using a structured approach, which can be based on a kill chain or attack flow. Methodologies and Frameworks for Adversary Emulations are covered. Adversary Emulations are end-to-end attacks against a target organization to obtain a holistic view of the organization’s preparedness for a real, sophisticated attack.
Threat Hunting Procedures and Measurement Matrice (Vishal Kumar)
This document provides the basics of Cyber Threat Hunting and answers questions such as: What is Threat Hunting? Why is Threat Hunting important? How can it be started? And more.
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks (Mauricio Velazco)
After obtaining an initial foothold, adversaries will most likely target or abuse Active Directory across the attack lifecycle to achieve operational success. It is essential for Blue Teams to design and deploy proper visibility & detection strategies for AD-based attacks and executing Adversary Simulation/Purple Team exercises can help. This talk will introduce the Active Directory Purple Team Playbook, a library of documented playbooks that describe how to simulate different adversary techniques targeting Active Directory. The playbooks can help blue teams measure detection coverage and identify enhancement opportunities. After this talk, attendees will be able to run purple team exercises against development or production Active Directory environments using open source tools.
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio... (Adam Pennington)
Slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
RH-ISAC Summit 2019 - Adam Pennington - Leveraging MITRE ATT&CK™ for Detectio... (Adam Pennington)
Downloadable slides presented at the 2019 RH-ISAC Retail Cyber Intelligence Summit by Adam Pennington in Denver, CO on "Leveraging MITRE ATT&CK™ for Detection, Analysis & Defense"
Symantec Webinar | How to Detect Targeted Ransomware with MITRE ATT&CK (Symantec)
Experts from Symantec and MITRE explore the latest research and best practices for detecting targeted ransomware in your environment.
Watch on-demand webinar here: https://symc.ly/2L7ESFI.
Beyond S3 Buckets - Effective Countermeasures for Emerging Cloud Threats (SBWebinars)
Research shows that 25% of organizations have cryptojacking activity in their AWS, Azure, and GCP environments. Is yours one of them? While S3 buckets continue to dominate headlines, cryptojacking and other threats lay quietly behind the scenes. Learn about the latest cloud threats and arm yourself with effective countermeasures.
Do you know the internal signs of a compromise? This deck takes you through the process our Mandiant services teams go through to help discover if an organization has been compromised. You can also view the full webinar here: https://www.brighttalk.com/webcast/10703/187133?utm_source=SS
Application Asset Management with ThreadFix (Denim Group)
Too many organizations have an incomplete picture of their application portfolios. Because you cannot protect attack surfaces that you don’t know about, this leaves them vulnerable. In this webinar, we will cover the capabilities ThreadFix has that allow security teams to manage their application asset portfolios. We will also take a deeper dive into several tools, such as nmap and OWASP Amass, that can help security analysts better enumerate all of the applications in their organization’s portfolio.
SignaturesAreDead Long Live RESILIENT Signatures (Daniel Bohannon)
Slides from presentation: $SignaturesAreDead = "Long Live RESILIENT Signatures" wide ascii nocase originally released at SANS DFIR Summit 2018.
For more information: http://www.danielbohannon.com/presentations/
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
Organization using Adversary Emulation plan to develop an attack emulation and/or simulation and execute it against enterprise infrastructure. These activities leverage real-world attacks and TTPs by Threat Actor, so you can identify and finding the gaps in your defense before the real adversary attacking your infrastructure. Adversary Emulation also help security team to get more visibility into their environment. Performing Adversary Emulation continuously to strengthen and improve your defense over the time.
IntroductionThe capstone project is a �structured walkthrough� pen.pdffantasiatheoutofthef
Introduction
The capstone project is a structured walkthrough penetration test of a fictional
company, Artemis, Incorporated (Artemis). A structured walkthrough is an
organized procedure for a group of peers to review and discuss the technical
aspects of various IT, IT Security, and IT Audit work products. The major objectives
of a structured walkthrough are to find errors and to improve the quality of the
product or service to be delivered.
This document provides a comprehensive overview of the project and the expected
deliverables.
Overview
You work for a firm specializing in cybersecurity consulting, namely penetration tests,
vulnerability assessments, and regulatory compliance. Artemis has hired your firm to
perform an external penetration test. In preparation for this engagement, you must lead
your team of new pen-testers in a structured walkthrough of the entire test so that:
a) Everyone on the team knows what to do.
b) The amount of time allotted for the actual test is utilized as efficiently as
possible.
c) The clients expectations are met or exceeded.
To accomplish this task, you must perform the following five phases:
1. Perform simulated reconnaissance of the client.
2. Simulate target identification and scans against the external network.
3. Simulate the identification of vulnerabilities.
4. Based on the above, assess the threats and make recommendations.
5. Create two mock reports for the client: An Executive Summary for the clients
senior management, and a Detailed Technical Report for the clients IT staff.
This project is an excellent addition to your portfolio as it demonstrates your
understanding of critical security issues and your skills in identifying and analyzing
threats and vulnerabilities. The project also allows you to speak knowledgeably about
the entire process of performing a pen test, using your project as a reference point.
Each phase will include its own deliverable(s). A full description of what is required can
be found under each phase.
Directions
When planning penetration tests, consulting firms always sit down with the clients key
stakeholders to confirm scope and approach, identify the clients concerns, and set
expectations regarding the outcome. To this end, you have been provided with an
overview of the client and an overview of the clients IT environment. This information is
critical because all risks must be evaluated within their context. The example below
illustrates this concept:
Technically Accurate Artemis web application does not restrict or filter user uploads
by file type. This is a vulnerability that could allow threat actors to connect remotely,
execute arbitrary code, and then elevate their privileges within the application.
With context Artemis RFQ/RFP web application does not restrict or filter user uploads
by file type. This is a vulnerability that could allow threat actors to connect remotely,
execute arbitrary code, and then elevate their privileges within the application. In this
instan.
IPTC Rights Working Group Toronto October 2018Stuart Myles
Why is rights metadata necessary for modern news and media organizations? How does IPTC's RightsML help solve those requirements? What are the opportunities to work with Google, Europeana, MINDS or other organizations to make progress with addressing the challenge of rights for news and media?
A red team or team red are a group that plays the role of an enemy or competitor to provide security feedback from that perspective.A red-team assessment is similar to a penetration test, but is more targeted.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfPeter Spielvogel
Building better applications for business users with SAP Fiori.
• What is SAP Fiori and why it matters to you
• How a better user experience drives measurable business benefits
• How to get started with SAP Fiori today
• How SAP Fiori elements accelerates application development
• How SAP Build Code includes SAP Fiori tools and other generative artificial intelligence capabilities
• How SAP Fiori paves the way for using AI in SAP apps
So, what can we do to address all of the issues Chris pointed out? We can start doing more purple teaming.
What is purple teaming? Red and blue are working together for the same goal - making a network more secure.
The ‘win/lose’ mentality between red and blue causes a lot of strife without any benefit.
Blue tries to keep red in the dark (security through obscurity), and red reports vague findings so they can make sure they ‘win’ again next year.
You need both sides of the picture (red and blue) to make a really effective defense, so there needs to be benefits for a heightened level of transparency.
So, what does this new cycle look like?
Red and blue need to be working together more often throughout the security process.
For an internal red team, this blending of efforts can happen at every stage of the way.
For an external red team, though, this most likely means an extra week or so at the end of an engagement to sit down with the blue team and run a mini purple team.
We do a similar process for development - unit testing of code. We tend to not do this for operations though. The best time to have red input into defenses is in design!
The main point of purple teaming, though, is that it’s a quick, iterative, and collaborative workflow that benefits most from blending all parts of red and blue, but can be done at any stage.
As red and blue start working more closely together, they need a common way to talk about things that’s one step above Windows Event IDs and command lines.
What is needed for this kind of language to work well for purple teaming?
It means that red and blue need to be able to communicate effectively, to articulate what happened in a test and what the results were.
It means that there needs to be a way to talk about what was done during a test so that it’s repeatable.
And it means that the language needs some way to measure improvement between tests.
We like to use ATT&CK for purple teaming.
ATT&CK is Adversary Tactics, Techniques, and Common Knowledge
We have a small sample of it here. There are currently 11 Tactics across the top - each one refers to a ‘goal’ of the attacker. This equates to the reason why an attacker is doing any given technique.
Down each column are different techniques that achieve that tactic. These techniques equate to what the adversary is doing (creating services, using WMI for persistence, dumping credentials, etc).
If you just glance across the different techniques we have listed, you’ll notice something start to jump out - these are descriptions of adversary behaviors, not indicators of compromise. The same holds true for the information we capture about different threat groups on ATT&CK - we tie everything back to behaviors.
We focus on adversary TTPs and behaviors because that’s the hardest thing for an adversary to change.
If you look at David Bianco’s pyramid of pain, you’ll see that it’s trivial for an adversary to change IoCs (like IP addresses, domain names, file names, hashes, etc), a bit harder for them to change tooling (but still feasible), but becomes a lot harder to change how they operate (their TTPs).
If we dive into the details for a given technique … (next slide)
We get something like this. There’s a few main sections here across this slide and the next one.
There’s a high level description of the technique (what it does normally and how it’s abused by the attacker).
There are examples of how we’ve seen this technique used in the wild. This is an important one because ATT&CK focuses on techniques that are actually seen in use by adversaries in the wild (and cited to their respective threat intel reports). There are a few exceptions to this of course (hence the ‘Common Knowledge’ part of ATT&CK). Some techniques are known to be used by Red Teams but, for some reason or another, we haven’t seen them in threat intel reports. So, in an effort to make sure we’re providing the most useful information, we do include some techniques that are not backed by threat intel yet.
On the right hand side you’ll see some tactic-specific information such as what the permissions are before/after executing the technique or which defenses are being evaded.
On the next slide …
We include mitigation and detection opportunities for each technique. We try to refrain from mentioning specific vendor tools, and instead talk to the broader capabilities that are needed for mitigation and detection.
Ok, so we talked about a common language to use, but ATT&CK is getting pretty big! We’ve scoped the realm of the possible down to the realm of the probable, but can we start to prioritize a bit more from there? We sure can! This is where we start doing Adversary Emulation, sometimes called Threat-based Red Teaming.
In our case, we don’t want to just look like advanced adversaries, we want to look like a very specific adversary. We want to look like the adversary you’re most likely going to face (based on your industry, your company, your past incidents, etc) so that we can prioritize working on defenses for those techniques first.
Remember, this is a prioritization mechanism to help frame where you should start working on defenses and to force your offense and defense to work together to build stronger behavior-based defensive measures.
Ok, this is cool, but how can I do this adversary emulation thing you describe?
We like ATT&CK, so we do this adversary emulation thing with ATT&CK (and we already have one example here for you).
More emulation plans are to come, and we welcome all community additions or edits to the emulation plans (email attack@mitre.org).
As with lots of red teaming work, part of the initial process is the rules of engagement. Adversary emulation is no exception. We are also scoping what we’re able to do by a few different variables:
How much time is allotted for the test. This can of course dictate how many techniques you’re able to use.
Threat intelligence abundance/quality. If you can’t get the threat intel to determine which category of actors are likely to target you or what kinds of techniques they use, it’ll be hard to prioritize defenses in this way.
And lastly, capability. It’s entirely possible that the adversary you’re wanting to emulate is too sophisticated for you to emulate without a lot of development.
You might be thinking: “I’m hamstrung from doing technique X, which would get me Domain Admin. That’s not realistic, right?” Remember why we’re doing this. We want red and blue working together to solve a shared problem. We’re using red to help scope blue. We’re prioritizing which defenses we bolster first based on prior threat intelligence. This does not guarantee that you’ll be protected from everything APTX does in the future. This is looking at a snapshot in time in the past, and even that can be muddied a bit based on the quality of your threat intel. However, the prioritization is still extremely useful. This also helps build a coherent story for what defenders are spending money on, and can help mitigate that ‘shiny object’ syndrome from higher-level management.
You might be wondering though, how do I go about this whole process?
The two big pieces of developing an adversary emulation plan are getting the threat intel and then getting the right data from that intel.
For our emulation plans, since we wanted to make sure we could release them to the public, we stuck exclusively to open source data.
We scoured public threat intel feeds and used some google-fu to get a big list of reports relating to APT3.
Part of this involves pulling threads, so we also looked for campaigns tied to APT3 and reports on APT3’s tooling (even if they don’t call out APT3 by name).
From here, we mapped APT3’s techniques and the capabilities of their tools to ATT&CK. If they had a capability that wasn’t in ATT&CK, we added it.
After reading all of these reports, we were able to come up with a general MO for APT3 and a phased approach to emulating them on a network.
What you see here is the phased approach to our emulation prototype, which tries to keep everything generally at the ATT&CK Tactic level.
After you get this information …
You can take it one step further and start providing a possible ordering to techniques. Unfortunately, due to the kind of threat intel reports that are out there and when IR teams tend to get called in, there is some information that’s just not captured. We do our best to fill in these gaps based on prior red teaming and threat intel reporting knowledge. With this, we come up with a possible technique flow (on the right). Our mapping of tool capabilities to ATT&CK techniques is here on the left. You can also see that, for the sake of helping operators and defenders, we take this one step further and provide examples of doing the same ATT&CK technique with built-in commands, Cobalt Strike commands, and Metasploit. There are of course a lot of different frameworks that can be leveraged and a lot of different implementations of these ATT&CK behaviors, but at this stage we keep it lightweight.
Now that you have an idea for the kinds of things that the adversary is capable of, you need to determine if you can do it as well.
This involves looking through open source and commercial tools to see if they have the capabilities (natively or with some configuration/scripting) to do the same ATT&CK techniques as your adversary.
Sometimes this is easy, but other times the technique you’re trying to emulate is extremely specific. In these cases, you might have to create your own tool.
You need some diversity in this area because you want to make sure that the defense isn’t signaturing your tool or the way your tool works instead of detecting the malicious behavior.
An artifact of going through these phases is the creation of an adversary emulation field manual for the adversary you’re targeting.
This breaks out very specific command lines, scripts, and tooling configurations needed to do the ATT&CK techniques you selected.
This is where you start breaking out many different implementations of ATT&CK techniques to home in on the behavior that’s bad, instead of tailoring a defense to a single implementation.
The goal would be that you can even get more junior red teamers or even defenders able to pick up the field manual and start operating for testing purposes.
At this point, you’re almost ready to actually emulate the adversary on the network.
You need to adjust your generic APTX emulation plan to match any restrictions placed on the engagement, and you need to set up your offensive infrastructure to match your emulation plan. Adjusting the emulation plan is where you take the engagement’s specific “rules of engagement” into account, which will limit target users, machines, groups, etc.
When you start using tools for the evaluation, remember to change the defaults!
Ok, so you emulated an adversary for a customer (or internally). Now what? What was the output of that? Remember, this is a prioritization mechanism. You can get a planning matrix like the one above. Clearly this matrix doesn’t include enough information to really tell a defender what exactly is detected, what the alerts were based on, if IoCs were involved, or anything beyond a very high level planning view. Once we start diving into this, you’ll see that there are actually many other dimensions to this that take into account the specific implementations that were used, how robust the detections/mitigations were, how noisy the collection is, etc.
This planning aid’s application is described in the next slide …
This is where we go from adversary emulation to purple teaming (it’s a blurry line). Now that you have some high-level idea of what your coverage is for the subset of techniques that adversary uses, it’s time to dig into them a bit more. This is something you’ll do for all colors of the matrix, but probably prioritized red, yellow, green, grey (yes, even green). The real purple teaming cycle comes into effect to start throwing many different implementations at the defenses to see what is detected, what isn’t, why, how that can be updated, and then continue trying.
When do you stop? No guaranteed stop point. Are you ever 100% sure you detect all possible implementations of a behavior? You can get to a point where you’re confident you detect it and accept the risk for not doing more testing.
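As an added illustration of the planning matrix and the purple-team loop described above (this is not tooling from the talk or from MITRE's APT3 plan), the script below rolls per-implementation run results up into the red/yellow/green/grey colour per technique, orders the follow-up work red, yellow, green, grey, and lists the implementations that have not yet been thrown at the defenses. The plan, implementation labels and results are constructed sample data; the technique IDs are assumed from the public ATT&CK catalogue.

```python
"""Planning matrix for an ATT&CK-based adversary emulation run (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field

# Column order of the matrix (a constructed subset of the ATT&CK tactics).
TACTIC_ORDER = ["Execution", "Persistence", "Credential Access", "Discovery"]

# Order in which the talk suggests working the colours.
PRIORITY = {"red": 0, "yellow": 1, "green": 2, "grey": 3}


@dataclass
class Technique:
    """One row of the field manual: a technique and the ways red can perform it."""
    tid: str
    name: str
    tactic: str
    # Implementation labels only (built-in command, C2 framework, custom tool);
    # the actual command lines live in the field manual, not in the matrix.
    implementations: list[str] = field(default_factory=list)


@dataclass
class RunResult:
    """What blue observed for one implementation during the emulation."""
    tid: str
    implementation: str
    detected: bool   # an alert or hunt hit was produced
    mitigated: bool  # the attempt was blocked outright


def rate_technique(tech: Technique, results: list[RunResult]) -> str:
    """Roll per-implementation results up into one matrix colour.

    grey   - technique was never exercised
    red    - exercised, and nothing was detected or mitigated
    green  - every planned implementation was detected or mitigated
    yellow - anything in between (partial coverage or partial testing)
    """
    mine = [r for r in results if r.tid == tech.tid]
    if not mine:
        return "grey"
    caught = {r.implementation for r in mine if r.detected or r.mitigated}
    if not caught:
        return "red"
    if caught >= set(tech.implementations):
        return "green"
    return "yellow"


def build_matrix(plan: list[Technique], results: list[RunResult]) -> dict:
    """tactic -> [(technique id, colour)], keeping the column order."""
    matrix = defaultdict(list)
    for tech in plan:
        matrix[tech.tactic].append((tech.tid, rate_technique(tech, results)))
    return {t: matrix[t] for t in TACTIC_ORDER if t in matrix}


def prioritize(plan: list[Technique], results: list[RunResult]) -> list[str]:
    """Technique IDs in the order to work them: red, yellow, green, grey."""
    rated = [(PRIORITY[rate_technique(t, results)], TACTIC_ORDER.index(t.tactic), t.tid)
             for t in plan]
    return [tid for _, _, tid in sorted(rated)]


def untested_implementations(plan: list[Technique], results: list[RunResult]) -> dict:
    """Implementations not yet run: the input for the next purple-team cycle."""
    seen = {(r.tid, r.implementation) for r in results}
    todo = {}
    for t in plan:
        missing = [i for i in t.implementations if (t.tid, i) not in seen]
        if missing:
            todo[t.tid] = missing
    return todo


# Constructed sample plan: behaviours named in the talk, IDs assumed from ATT&CK.
PLAN = [
    Technique("T1047", "Windows Management Instrumentation", "Execution",
              ["builtin", "cobalt_strike"]),
    Technique("T1543.003", "Windows Service", "Persistence",
              ["builtin", "cobalt_strike", "metasploit"]),
    Technique("T1003", "OS Credential Dumping", "Credential Access",
              ["cobalt_strike", "metasploit", "custom_tool"]),
    Technique("T1082", "System Information Discovery", "Discovery", ["builtin"]),
]

# Constructed sample results from one emulation run (T1082 was never exercised).
RESULTS = [
    RunResult("T1047", "builtin", detected=True, mitigated=False),
    RunResult("T1047", "cobalt_strike", detected=True, mitigated=False),
    RunResult("T1543.003", "builtin", detected=True, mitigated=False),
    RunResult("T1543.003", "cobalt_strike", detected=False, mitigated=False),
    RunResult("T1003", "cobalt_strike", detected=False, mitigated=False),
    RunResult("T1003", "metasploit", detected=False, mitigated=False),
]

if __name__ == "__main__":
    for tactic, cells in build_matrix(PLAN, RESULTS).items():
        print(f"{tactic:18} " + "  ".join(f"{tid}={colour}" for tid, colour in cells))
    print("work order:", prioritize(PLAN, RESULTS))
    print("still to run:", untested_implementations(PLAN, RESULTS))
```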