Documenting Adversary Emulation Activities

Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
Hello and welcome to Lesson 5.3 - Documenting adversary emulation activities. During this lesson, we're going to talk about a really important element of adversary emulation, and that is documenting your engagement activities. We'll spend some time explaining why it is important to document your activities. We'll then describe approaches for documenting your activities, basically discussing what are the different things you want to capture in writing as it relates to your engagement. At the end of this lesson, you'll have a strong understanding of how to document your adversary emulation activities.

I would argue that the most important aspect of adversary emulation is documenting your activities, findings, and recommendations. Why do I say this? Well, your documentation provides empirical proof showing what was actually accomplished during an engagement. This data is essentially what drives any reports or presentations you make, and it's this information that network owners use to make cybersecurity decisions. Stated differently, you might have a very successful engagement, but if the resulting documentation is poor, then your efforts will likely be of minimal value.

Now we have a general understanding of why engagement documentation is important. The next question is, what exactly should we be documenting? Well, in most engagements we generally produce three key documents. The first is operational notes, and these are basically notes, screenshots, and logs you take or collect as you execute TTPs from your adversary emulation plan. Second is the engagement report. This is usually a technical report explaining what TTPs were executed as well as findings and recommendations resulting from the engagement. Finally, we often create a presentation, and we usually brief this typically on the last day of engagements. The purpose of this is to summarize key findings and takeaways, often for an executive audience. What I would like to do now is step through these key documents in greater detail, beginning with operational notes.

Very simply, operational notes describe your activities taken during an engagement. They generally describe who, what, when, where, why, and how as it pertains to your hands-on-keyboard activity. In other words, your operational notes should describe things such as who is the operator, what TTP was executed, and when and on which host. Now I find you can collect much of this information using automated command transcripts and logs, but it's perfectly acceptable to also make use of manual notes and screenshots.

Now I want to call out the importance of screenshots in particular. I find that screenshots are really essential when you're writing your engagement report. Why? Because your screenshots provide empirical evidence that you were able to successfully execute a TTP. They also serve as a useful memory aid, in that you can often remember additional details about how you executed a TTP and what you observed while writing a report. Date/time stamps are another important thing to capture. In particular, date/time stamps can be used to help deconflict activity and can also be used by defenders to verify your activity in their respective logs. Finally, you should record your observations throughout the engagement. For example, if you successfully executed a TTP but a network defender detected it immediately, you want to call that out and give them credit for being effective.

For most adversary emulation projects, your primary deliverable will be a detailed engagement report. The engagement report is a formal document that captures the purpose of the project, what was accomplished, and any findings or recommendations you have to offer. Now the general format we use for the engagement report usually includes an executive summary. The executive summary tries to communicate the key findings and recommendations resulting from the engagement, usually at about 1-2 pages. We usually include an introduction which provides necessary context to understand the engagement, basically summarizing the objectives, scope, rules of engagement, and so on. We then include detailed activities and findings. This is basically the body of your report, where you show exactly what TTPs were executed and what the result of each test was. I'll say your operational notes are key to this section, primarily to show logs, screenshots, and time stamps illustrating whether a TTP was successful or not. Lastly, we include recommendations for improvement. In that way, network owners can take the contents of your report and make cybersecurity improvements based on your findings.

Now the last document we'll discuss is the engagement presentation. I typically like to schedule the last day of an engagement to have an out-brief. It's during this out-brief that we deliver a presentation highlighting the key activities, findings, and recommendations resulting from the engagement. This is yet another reason why having good op notes is key: all those commands, screenshots, and timestamps can be featured prominently in this presentation. Now something else I'll add is, when you conduct these presentations, you really want to know your audience. Sometimes we brief these presentations to executive audiences, think like CISOs, CIOs, and so on. These individuals typically care about big-picture findings and recommendations. On the other hand, you might be briefing network defenders, system administrators, and engineers, and they're often interested in getting into great technical detail regarding how you executed your TTPs and how they worked. The bottom line is the presentation can be a great resource to help close out an engagement, but you want to tailor it for your intended audience.

That brings us to the Lesson 5.3 summary. During this lesson, we established that your engagement documentation provides empirical proof demonstrating what was accomplished. We explained that your documentation, in particular reports and presentations, will be the lasting records that network owners use to make decisions regarding cybersecurity improvements. Finally, we walked through the three key documents, including your operational notes, the engagement report, and the engagement presentation. So now you have a good understanding of the documents you will most likely need to produce over the course of an adversary emulation engagement.