Introducing the Adversary Emulation Plan


Time: 8 hours 5 minutes
Difficulty: Intermediate
CEU/CPE: 9
Video Transcription
>> We're now on our final lesson in Module 1, Introducing the Adversary Emulation Plan. Now I'm excited to share this lesson with you because we're going to introduce you to a key resource, the adversary emulation plan. As we go forward, we'll discuss what it is, why we use it, and that will bring us to two hands-on labs immediately after this lesson.

Let's go ahead and kick things off, beginning with our lesson objectives. We're first going to explain the purpose of the adversary emulation plan. We're then going to list the components commonly found in emulation plans, and lastly, we'll gain familiarity with the Center for Threat Informed Defense adversary emulation library. You'll see that this library contains example emulation plans for you to explore and practice with.

What is an adversary emulation plan exactly? At its simplest, it's a collection of resources that enables operators to emulate adversary TTPs. It often contains step-by-step instructions and commands; in that way, you can just follow the instructions in the plan and that will help you emulate adversary TTPs. Now, emulation plans also include supporting resources, everything from compiled programs and scripts to diagrams and ATT&CK Navigator layers. Summarizing this, adversary emulation plans contain the resources needed for us to emulate adversary TTPs in a realistic and repeatable manner.

We understand that an adversary emulation plan is a collection of resources to emulate adversary TTPs, but what specific components go into an emulation plan exactly? On this slide, we provide a list; these are the components we at MITRE commonly include in our emulation plans. Now, this is not to say that these components are all required. Really, this is just a guideline for you to follow and adapt to your particular use case. With that out of the way, let's step through these components one at a time and explain them in greater detail.

Often, we include an adversary overview in our emulation plans. The adversary overview describes the adversary's objectives, targets, and tools at a high level. I find this can be helpful in quickly getting up to speed with how a particular adversary operates.

Next, we have CTI. We tend to cite the specific CTI sources that we use to generate our emulation plan content. In that way, we can demonstrate exactly how our TTPs are representative of real-world threats.

We then have diagrams, everything from ATT&CK Navigator layers to operations flow diagrams, and I find that these can provide helpful visualizations, either to get you oriented to a particular adversary or to include in presentations and reports.

We also have written procedures. These enable you to execute emulation plans in a step-by-step manner; you'll find that they include setup instructions and the actual scenarios, with written procedures for each TTP.

We then have our supporting resources: basically all the tools, binaries, and scripts we need to execute the emulation plan end-to-end.

Finally, we often like to include mitigations: basically those artifacts, observables, signatures, and rules that you can give to network owners so that they can better prevent, detect, and respond to the different adversary TTPs under test.

You may have noticed in the last few slides, we showed you examples of different adversary emulation plan components. All those components actually came from the Center for Threat Informed Defense adversary emulation library. Now, this is a freely available project and it contains a library of pre-made adversary emulation plans. In that way, you're free to study the content and structure of these plans, and of course use them in your own day-to-day adversary emulation activities. Now, as we get into our next two labs, we'll actually spend some time touring the adversary emulation library in detail, and this will enable you to better understand its contents, and will also develop your hands-on skills by actually executing one of the adversary emulation plans featured in the library.

That was Lesson 1.6. During this lesson, we talked about the adversary emulation plan in detail. We established that it's a collection of resources that enables operators to emulate adversary TTPs. We talked about the different components that make up an adversary emulation plan, such as adversary descriptions, CTI, written procedures, and other resources. Finally, we introduced you to the CTID adversary emulation library, which is a freely available resource that you can use in your own adversary emulation activities.