Introducing Adversary Emulation


Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
00:00
>> We're now on Lesson 1.2, Introducing Adversary Emulation. During this lesson, we're going to focus on two key objectives. Beginning with Lesson 1, we're going to identify common cybersecurity assessment problems: basically, those issues and conditions that resulted in the creation of adversary emulation in the first place. With Objective 2, we're going to make a gentle introduction to adversary emulation, basically talking about what adversary emulation is at a high level and how it helps us address those common cybersecurity assessment problems. After completing this lesson, you'll have a general understanding of adversary emulation, and you'll be primed for the deeper instruction and discussions that follow in the next lesson.

As we get started, I want to first explore those enduring problems that really resulted in the creation of the adversary emulation discipline. We'll start by talking about common assessment problems. Now, you can talk to nearly any network owner, and you'll find that they are always interested in better understanding their cybersecurity effectiveness. Some common things that network owners usually want to know include: Are our people trained and alert? Are our internal processes effective? Is our technology properly configured? Is it the right technology, and is it delivering appropriate value? Now, these questions are so common that they've supported an entire industry built around cybersecurity assessments. We have Red Team engagements, vulnerability assessments, penetration tests, and more. Now, all of these assessments help network owners better understand their security and make improvements. Yet here we are at MITRE ATT&CK Defender, offering adversary emulation as yet another flavor of assessment. Why do we need another one?

The reality is that while these other assessments are good things to do, they are not always representative of real-world threats. For example, traditional penetration tests and vulnerability assessments often focus overwhelmingly on identifying and mitigating initial access vectors, which is to say very little about the hundreds of post-exploitation TTPs spanning the ATT&CK matrix. So the fact is, the way that real-world adversaries operate is fundamentally different than how we operate during traditional cybersecurity assessments.

Here's another significant problem you commonly see in Red Teams and penetration tests: Red and Blue Teams are often disincentivized from working together. For example, Red Teams may be hesitant to fully disclose their TTPs to the Blue Team, because if they do, the Blue Team will make signatures and mitigations that render the Red Team less effective. Likewise, the Blue Team doesn't want to fully reveal their TTPs either, because the Red Team will figure out how to circumvent their defenses. This problem is made worse because Red Team success is often perceived as Blue Team failure, and the reverse is true: Blue Team success is often perceived as Red Team failure. I have personally been on engagements where the Blue Team's only goal was to keep me, the Red Team, from succeeding. As a result, the Blue Team threw up artificial barriers that really made for an unproductive engagement.

Now, it's because of these enduring problems that the discipline of adversary emulation was created. So let's take a moment to discuss what adversary emulation is and how it helps address these issues. At its absolute simplest, adversary emulation entails executing real-world adversary TTPs to assess and improve cybersecurity. But how does adversary emulation help address some of these problems we discussed? Recall, we talked about how cyber assessments are not always representative of real-world threats, while the entire premise of adversary emulation is to model real-world threats. In that way, we're assessing our defenses against threats we actually care about, enabling impactful improvements. Also recall how we talked about Red Teams and Blue Teams being disincentivized from working together. With adversary emulation, there's no reason for Red Teams to withhold TTPs, because their activities are based on adversary activity that is actually occurring in the world. Because the Red Team activities are based in real-world events, there's a greater sense of urgency to fix issues. You'll also find that we teach adversary emulation using ATT&CK, so in that way, we have a common language to communicate between Red and Blue Teams and network owners, to improve communication and collaboration.

So that brings us to the end of Lesson 1.2. We talked at length about those problems that resulted in the creation of adversary emulation: namely, cyber assessments are not always representative of real-world threats, and Red and Blue Teams are commonly disincentivized from working together. We've given you a general understanding of adversary emulation, which entails executing real-world adversary TTPs to assess and improve cybersecurity. We talked about how basing our activities on real-world events and using ATT&CK helps us foster collaboration, communication, and understanding between Red Teams, Blue Teams, and network owners. In our next lesson, we'll revisit the definition of adversary emulation in greater detail, and we'll discuss its key qualities, characteristics, and use cases.