Planning Overview

Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
00:00
>> Hello, and welcome to Module 3 of ATT&CK Adversary Emulation. This module is titled Adversary Emulation Planning. We're presently on Lesson 3.1, Planning Overview.

In this module, we're going to talk to you about a critical component of adversary emulation, and that is engagement planning. Now, planning isn't the most exciting topic. Unfortunately, we're not executing any adversary TTPs in this module. However, I cannot emphasize enough how important planning is to a successful adversary emulation engagement. We'll talk about why in detail throughout this module. But for now, it's enough to know that proper planning is really what makes the difference between a professional adversary emulation engagement and one that can get you in significant trouble. We're going to spend this module teaching you how to effectively plan adversary emulation engagements.

Now, this module is fairly short. We have two lessons. We're presently in Lesson 3.1. In Lesson 3.2, we will take a deeper look at defining scope, rules of engagement, and other related topics.

Here are the Lesson 3.1 objectives. We're going to start by explaining the importance of planning adversary emulation activities. We'll then list the adversary emulation planning components. Finally, we'll examine the adversary emulation planning template.

Why does planning matter? If you think about it, adversary emulation fundamentally entails executing malicious cyber behaviors, or, stated differently, conducting cyber attacks. Of course, we're practicing adversary emulation to assess and improve cybersecurity. The problem is that these attacks can cause significant problems for the network owners. To give you some examples: you might be responsible for disclosing private data, think user credentials, PII, and so on. Maybe you destroy sensitive data while emulating a ransomware attack. Or maybe you cause unexpected downtime. What happens if you're throwing exploits and accidentally knock out a critical production server? It's because of these inherent risks that you have to get explicit written permission to conduct adversary emulation activities. If you fail to do so and you cause some of these problems, you can expect to get in some very serious trouble, whether it's professional, legal, or even criminal. As long as we're in the business of emulating adversary attacks, we must effectively plan our engagements to ensure success.

On this slide, we introduce the adversary emulation key planning components. Now, the purpose of these components is to document all the necessary things that you need to discuss with network owners while planning an adversary emulation engagement. Now, these components include engagement objectives, scope, schedule, rules of engagement, getting explicit written permission to execute the engagement, and also defining your communications plan. Now, we'll actually explore each of these components in greater detail in our next lesson. But for now, it's enough to know that these are the components, and in general, discussing these topics with the network owners will support professional and impactful adversary emulation engagements.

Now, one caveat I want to add is that this is not an exhaustive list. You do run into unique challenges in the field. To give you some examples: if you're doing adversary emulation as a commercial service offering, well, obviously you have to be aware of things like cost, contracts, and the like if you want to stay in business. For some other examples, maybe you're performing targeted phishing or social engineering attacks against company employees; you probably want to talk to HR and legal to get their blessing and make sure you stay out of trouble. Also, sometimes you need extra support for procurement. For example, maybe you're trying to obtain restricted or controlled technology for security testing. This is something we sometimes encounter regarding space or nuclear technology, as some examples. Now, these are all special-case situations; you might very well run into others. The bottom line is, if you encounter any of these circumstances, definitely bring in a local expert to help you work through that. As we go forward, we'll focus more on discussing those key planning components we just listed, as those are what you'll likely be directly involved in when you're planning these out with network owners.

On this slide, we provide you an adversary emulation planning template. This document can be used to walk a network owner through the adversary emulation planning components. In practice, I tend to have this document in front of me when I'm engaging a network owner, trying to plan and get an engagement off the ground. If you were to look at this, you'll find that it tries to guide you through the planning components and lists different questions that you'd want to ask the network owner; it gives you tips for different things you want to be aware of. I just want you to be aware that this is a resource available for your use. You can find it on our GitHub repository along with our other course resources. I will offer one disclaimer, however: if you do end up using this operationally, I strongly recommend that you first get this document blessed by your organization's legal counsel. While I have used this document quite successfully, be aware that MITRE is a non-profit organization. We tend to operate differently than your average business, so you definitely want to get this blessed by your organization and legal counsel before you start using it operationally.

That was Lesson 3.1. During this lesson, we established that planning is essential for professionalism and safety while conducting adversary emulation activities. We also introduced the key planning components, such as engagement objectives, scope, schedule, and so on. Finally, we offered an adversary emulation planning template, which is available for your reference and study, and you can find it on our GitHub repository. In the next lesson, we're going to take a deeper look at the adversary emulation key planning components so that you better understand what they are and how to communicate them when working with network owners to plan an engagement.