Defining Engagement Objectives


Time: 8 hours 5 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
>> Welcome to Lesson 1.5, Defining Engagement Objectives. Now, this lesson is unique because it marks a transition point in this course. You now have a general understanding of the adversary emulation framework. As we go forward, we're going to visit each step of the adversary emulation framework in greater detail. That starts with defining engagement objectives, which is the subject of this lesson. We're going to start this lesson by explaining why defining engagement objectives is necessary. We'll then discuss the purpose of engagement objectives in greater detail. Lastly, we'll talk about how you can help network owners define good engagement objectives. You'll see this is done by asking questions to better understand the network owner's needs and priorities.

Why exactly do we start the adversary emulation framework by defining engagement objectives? When you start thinking about planning an adversary emulation engagement, you're likely going to have a lot of questions. For example, what adversary will we emulate? Should we pick APT29, or maybe FIN7? Why? After you've selected your adversary, you might ask, what TTPs will we implement? Are we trying to model collection and exfiltration, or should we emulate impact TTPs? How will we execute these TTPs exactly? Will we use publicly available tools, or maybe write our own? You can see we have a lot of non-trivial questions. If we make arbitrary decisions, we likely won't be aligned with the organization's security goals. That really undermines the effectiveness of adversary emulation. We try to address that issue right at the beginning of the adversary emulation framework. You'll see that by defining good engagement objectives, we can have purposeful answers to these questions. That ensures that we are aligned with the organization's security goals.

Now you understand why engagement objectives are necessary. Let's now talk about what engagement objectives are in greater detail. Now, prior to all adversary emulation activities, we usually have a meeting with the network owners to define our high-level engagement objectives. Specifically, we're trying to answer the question: what are we trying to achieve with adversary emulation, and why? The answer to this question drives all follow-on activities, such as selecting an adversary, researching CTI, implementing TTPs, and so on.

Now, on this slide, I've listed examples of engagement objectives that we commonly receive from network owners. The first example says, we would like to emulate APT29 TTPs to exercise our SOC staff. This is a pretty good objective to start with. We have a task, emulate APT29 TTPs, and the purpose is fairly clear: we're trying to exercise the SOC staff. The next example is a little less specific: we would like to emulate adversary TTPs to evaluate our EDR solution. In this example, we would want to work with the network owners to figure out what threats they are concerned about, and what additional details we can learn about their EDR solution. The last example is a little bit silly, but believe me when I say we see this in the wild. Sometimes network owners want an adversary emulation engagement, but they really struggle to articulate why. In that case, you have to work with the network owners to guide them towards defining good adversary emulation objectives.

How do we help network owners provide good engagement objectives? Well, it starts with asking questions to learn more about their concerns, their problems, and their priorities. On this slide, I've listed several questions that I usually ask as a jumping-off point towards defining good objectives. Usually, I start with, why do you want an adversary emulation engagement? Sometimes I'll ask, what cyber threats are you concerned about? What attack TTPs can you detect? Then we just continue the discussion until we've slowly worked our way towards having good engagement objectives.

Now, as you go through this process, you should be cognizant of the organization's security goals and maturity. Consider that adversary emulation may not be appropriate for all use cases. As an example, you might have a network owner that is trying to get ready for a PCI DSS audit. In that case, adversary emulation probably isn't the best approach. Instead, you would want to focus on preparing for those items that will be audited. Also, consider that some organizations may not be ready for adversary emulation. We sometimes see network owners who don't have an up-to-date asset inventory. They don't know what's on their network. They don't have change control; they don't even have monitoring in place. In those circumstances, I usually explain that while we could proceed with an adversary emulation engagement, if they don't have foundational security in place, the results of the engagement will likely be of minimal value to the organization.

The bottom line is, you want to work with the network owners to shape this project so that you have clear engagement objectives. If adversary emulation isn't a good fit at that particular time, work with them to get them on the right track.

During this lesson, we discussed why defining engagement objectives is necessary. That is because the engagement objectives drive all follow-on activities, and they also ensure that we are aligned with the organization's security goals. We also talked about the purpose of engagement objectives, which is to define what we are trying to achieve with adversary emulation and why. Finally, we discussed approaches for asking the network owner questions to guide them towards articulating clear objectives. In the next lesson, we're going to introduce a key capability in adversary emulation, and that is the adversary emulation plan.