Adversary Emulation Overview
Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
>> This is Lesson 1.3: Adversary Emulation Overview. In our previous lesson, we discussed those problems that resulted in the creation of the adversary emulation discipline. We also explained the purpose of adversary emulation at a high level. We're now going to spend this lesson discussing adversary emulation in greater detail to give you a deeper understanding.

Let's talk about our learning objectives. We're first going to explain the purpose of adversary emulation. This will be done in greater detail than you saw in the previous lesson. We're then going to describe adversary emulation's key characteristics, basically those things that make the discipline unique. Lastly, we'll talk about adversary emulation's common use cases. Basically, why would you want to practice the discipline? After going through this lesson, you'll have a deeper understanding of what adversary emulation means and why we practice it.

One of the challenges when discussing adversary emulation is that it really does not have a standard term or definition. For example, in industry, you're likely to hear the term threat emulation instead of adversary emulation. Sometimes you'll hear the term simulation used instead of emulation. Now, Raphael Mudge wrote a blog in 2014 that I think is still applicable in describing this problem. Raphael states, "There's no standard definition for adversary simulation yet. It doesn't even have an agreed upon term. I've heard threat emulation, purple teaming, and attack simulation to discuss roughly the same concept. I feel like several of us are wearing blindfolds, feeling around our immediate vicinity, and we're working to describe an elephant to each other." We have all these different terms and they seem to describe roughly the same concept, and this causes confusion. You'll find that some people use these terms interchangeably; other people impart very specific meaning to these terms. Which is it? What terminology should we use? Over the next few slides, we will try to answer those questions by exploring several different definitions that you'll see in industry.

On this slide, we're going to look at three definitions for adversary emulation. These definitions were published by prominent thought leaders recognized in the adversary emulation community. By going through these definitions, you'll gain a broader understanding of different viewpoints, perspectives and commonality with respect to adversary emulation.

Our first definition is offered by Jorge Orchilles from SCYTHE. He states, "Adversary emulation is a type of red team exercise where the red team emulates how an adversary operates, following the same tactics, techniques and procedures, with a specific objective like those of a realistic adversary." What I like most about this definition is Jorge specifically says we're emulating adversary TTPs, and that will be a common theme throughout this course.

Next, we have a definition from Tim MalcolmVetter. Now Tim's viewpoint is quite different. He argues that adversary emulation means duplicating adversary behavior with precision and exactness. He instead favors using the term simulation, which allows greater freedom to be different from the original adversary behaviors.

Our last definition is from Jonas Bauters from NVISO Labs. Jonas states, "Based on threat intelligence, you determined that APT28 is most likely to target your organization. To emulate this adversary, you mimic the TTPs they use in your environment." Now what I really like about Jonas's definition is he specifically calls out using CTI to emulate threats of salient interest to the organization.

We've looked at these three definitions. It's fair to say that there is general agreement that adversary emulation means executing adversary TTPs. What is usually debated is how precise you have to be to the original adversary implementation. That is a question that we will explore throughout this course.

Let's revisit that original question of what terminology we should use. Is it emulation or simulation? Are we emulating a threat or an adversary? Now, I would argue that in the majority of cases, people tend to use these terms interchangeably to mean the same thing. However, you should be aware that some people impart precise meaning to these terms and they may challenge you if they disagree with your usage. Now, in the interest of simplicity and consistency, we will use the term adversary emulation exclusively throughout this course. With that, let's offer a formal definition so that when we say adversary emulation, it is explicitly clear what we're talking about.

Adversary emulation is an intelligence-driven discipline that entails researching, modeling, and executing cyber adversary tactics, techniques and procedures to assess and improve cybersecurity. Now we feel that definition clearly explains what adversary emulation is and why we do it. However, recognize that adversary emulation means different things to different people. Regardless of what you prefer to call it, use the terminology that works for your organization and do so consistently.

Now we have a definition for adversary emulation. Let's now talk about its key characteristics, basically those things that make it distinct from other disciplines. We'll start with primary characteristics, basically those qualities that are germane to adversary emulation. The first primary characteristic is that adversary emulation is based on real-world threats. You'll see in later lessons that we use ATT&CK and CTI as our primary information sources to ensure that the TTPs we emulate are representative of adversary behaviors commonly seen in the world. This characteristic ensures that we're assessing and tuning our defenses around real-world threats. The next key characteristic is that adversary emulation is behavior-focused. We focus on executing adversary TTPs towards the top of David Bianco's Pyramid of Pain. In that way, we're tuning our defenses around behaviors that are really difficult for adversaries to alter, as opposed to tuning around fragile signatures like hash values, IP addresses, and so on.

On this slide, we present secondary characteristics for adversary emulation. These are characteristics that are not necessarily germane to adversary emulation, but we use them to support professional and impactful engagements. Now, adversary emulation is typically transparent, meaning we fully disclose what the red team did in as much detail as needed for the network defenders to improve their defenses. Adversary emulation is also collaborative, meaning we work with defenders to effect positive improvements. Finally, we use automation to support repeatable testing and make it easier for network defenders to practice continuous assessment.

We talked about adversary emulation's definition and its key characteristics. But what are some common adversary emulation use cases? In general, most adversary emulation activities are practiced to assess and improve cybersecurity. This can have different areas of focus, such as training or exercising personnel, assessing cybersecurity processes, or evaluating new technology, just to name a few. Adversary emulation is also great for capability development. For example, you can use knowledge of adversary TTPs to create new and effective tools, and these can apply to both red teamers and blue teamers. Finally, adversary emulation can be great for professional development. By following the processes we teach in this course, you'll improve your knowledge of ATT&CK and adversary behaviors, and this will have the effect of making you a better cybersecurity practitioner regardless of your role.

This is the end of Lesson 1.3. We defined adversary emulation as an intelligence-driven discipline that entails researching, modeling, and executing cyber adversary TTPs to assess and improve cybersecurity. We then talked about adversary emulation's primary and secondary characteristics, namely that the discipline is based on real-world threats and it is behavior-focused. Finally, we talked about adversary emulation's common use cases, including exercising or training personnel, assessing processes, evaluating technology, and so on. In the next lesson, we're going to talk about the adversary emulation framework, which is our process for high-quality adversary emulation activities.