Adversary Emulation Framework

Time: 8 hours 5 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
We are now on lesson 1.4, the adversary emulation framework. Now up to this point, we've talked primarily about what adversary emulation is and why we practice it. We've stated that adversary emulation is about executing adversary TTPs to assess and improve cybersecurity. But how exactly do we apply adversary emulation in our day-to-day work? How do we get started? What are those key things we need to do to be effective? We're going to start answering those questions by exploring the adversary emulation framework, which is the subject of this lesson.

In this lesson, we have one key objective. We're going to explain the adversary emulation framework, talking about what it is, what it entails, and why we use it.

Now here we are, the adversary emulation framework. What is this exactly and why do we use it? Essentially, the adversary emulation framework is an iterative process to guide our adversary emulation activities in a safe and professional manner. Stated more simply, this is the process we typically follow for all of our professional adversary emulation activities.

Now, I share with you that this framework was created after years of practicing adversary emulation for our sponsors. As a result, it has a few notable characteristics that I think are worth calling out. First, we've designed this framework to be aligned with the organization's cybersecurity goals. We're not just doing adversary emulation because it's fun. We're actually trying to improve cybersecurity, and that starts with being aligned with the organization's goals and objectives. Another key characteristic is that this framework is CTI-driven. That helps ensure our activities are representative of real-world threats. You'll see later on that we use ATT&CK extensively for this purpose. Also, be aware that, as we apply this framework, we're methodical. Fundamentally, adversary emulation entails executing the same TTPs as our adversaries. We have to be methodical in how we plan and execute our activities to ensure that we stay out of trouble.

Now, one disclaimer: we present this framework following each step in order. That is not to imply that this is a rigid process where you must always follow all steps in order in all circumstances; that is not what we're saying. In reality, it is very common to iterate, to revisit previous steps during a typical adversary emulation engagement. As a simple example, I tend to research adversary TTPs throughout the majority, if not all, steps of this framework. Key takeaway: don't think of this as a rigid process; rather, think of it as a general guide to structure your adversary emulation activities. As we go forward, we'll take a look at each one of these steps in greater detail.

Our first step in the adversary emulation framework is to define the objective. Now, really the goal with this step is to identify what specific cybersecurity problems your organization has, and where appropriate, how adversary emulation can be applied to address these problems. As a simple example, you might have a client that is particularly worried about cyber financial crime. In that case, you might consider building a project around emulating actors like FIN6 or FIN7 that are known to conduct cyber attacks for financial gain. On the other hand, maybe your client is more worried about espionage and data exfiltration. In that case, it might make sense to build a project around emulating some of our nation-state adversaries, things like APT3 or APT29. The idea is that during this step, you work directly with the network owners or maybe also the network defenders. Really you're trying to figure out, what are their cybersecurity problems and how can adversary emulation help?

Our next step is to research adversary TTPs. During this step, we're trying to answer the question, what adversary TTPs will we emulate? We spend time researching CTI to better understand the motivations and TTPs of the adversaries of salient interest to the network owners. Now, you'll see in our second module that we use ATT&CK extensively for this purpose. That's because ATT&CK gives us that common language for describing adversary TTPs. It offers streamlined descriptions of adversary behaviors, and you can trace them to their original CTI sources.

Our next step is to plan the activity. By this point, you already know your engagement objectives. You also know what adversary TTPs you're emulating. Now it's time to work on the finer details. For example, scope: what IP addresses or host names are in scope for this particular adversary emulation activity? What about the schedule? What are the periods authorized for testing versus those blackout periods where testing should not occur? Then there are other things like rules of engagement: what TTPs are allowed or explicitly disallowed? Then there are other things like approving authorities, basically who authorizes the engagement. Then there's the communications plan: how will you communicate throughout the engagement and how often? Now, if all of these questions seem like a lot, don't worry. We actually have an entire module that teaches you how to plan adversary emulation activities, and we'll show you approaches for answering these questions.

We're now at one of my favorite steps of the adversary emulation framework, implementing TTPs. During this step, we're implementing our TTPs into a format that is actually usable during an engagement. This can entail writing custom programs, perhaps based on adversary malware. It can also be gathering public tools known to be used by the adversary. We then tie all these resources together into an adversary emulation plan, which is our procedure for executing adversary TTPs. Now as we go through this process of implementing our TTPs, we're trying to keep our content realistic so that the TTPs we implement are representative of real-world threats. We're also trying to balance project constraints. For example, you typically have a finite amount of time to implement TTPs before an engagement. We have to decide how we are going to implement a given TTP, recognizing that we want it to be realistic, but we also want to deliver it in a timely manner. These are all topics that we'll explore in much greater detail in Module 4.

Our next step in the adversary emulation framework is to conduct the activity. During this step, you're actually putting hands on keyboard and executing the TTPs you implemented previously. In addition to executing TTPs, you're also collecting data. Specifically, you're trying to determine, was your TTP detected, was it prevented? As you make these observations, you document and communicate them to the network owners. In that way, you're providing actual metrics that can be used to demonstrate the organization's security effectiveness.

Our final step in the adversary emulation framework is concluding the activity. This step typically entails delivering any reports or presentations produced from the engagement. These deliverables typically provide recommendations and mitigations based on the emulated TTPs and your observations of what was prevented, what was detected, and what was missed. Additionally, this step sometimes entails working directly with the network owners to implement improvements. For example, it's common for us to rerun TTPs as network owners make and tune corrective changes. The last thing to consider is that this step is a good opportunity to capture lessons learned, both for the network owners but also for your internal use. As you practice adversary emulation more and more, you can figure out what worked well and what could be improved upon going forward.

We made it to the lesson 1.4 summary. During this lesson, we talked about the adversary emulation framework. We stated that it is our iterative process to guide adversary emulation activities. We also discussed each step at a high level. One key point to remember is that the adversary emulation framework is not a rigid cycle. You can and should feel encouraged to deviate based on your project's unique needs. As we go forward in this course, we're going to zoom into each one of these processes in the adversary emulation framework in greater detail. That brings us to our next lesson, where we'll take a deep dive into defining the adversary emulation objective.