Selecting the Emulated Threat


Time
8 hours 5 minutes
Difficulty
Intermediate
Video Transcription
>> Hello. We are now on lesson 2.3, Selecting the Emulated Threat. Now we have one objective for this lesson. We are going to describe key factors that influence emulated threat selection. We're going to talk about what those important details are that we should consider when selecting a threat to emulate.
By this point in the adversary emulation framework, we know our engagement objectives. We also have a general understanding of cyber threats that are relevant to the organization. It's now time to put this information to use and select the adversary or threats that we will emulate. When we are selecting an emulated threat, there are a number of factors that influence our decision. We have to think about relevance, available CTI, TTP complexity, available resources, just to name a few. We call these our threat selection key factors. Really the point of these is to be aware of and consider those factors that can significantly impact the success of your adversary emulation project. Now as we go forward, we're going to step through each of these key factors one-by-one and discuss how they can influence your threat selection decisions.
Our first key factor is relevance. When you're selecting an emulated threat, you want to pick the one that best aligns with your engagement objectives and, more broadly, the organization's cybersecurity goals. Here are some questions to consider. What organizations is the threat known to target? Does the threat have the means and motivation to harm your organization? If so, what is the likelihood and severity of compromise? To illustrate, suppose you're supporting a government organization that is concerned about cyber espionage. All things being equal, would it be better to emulate an actor like APT29, who is known to target governments for intelligence gathering, or would it be better to emulate an actor like FIN7, who has historically targeted hospitality sectors for financial theft? In this example, APT29 would probably be more relevant. Summarizing this, you really want to select a threat that is relevant to the organization and aligned with your engagement objectives.
Another threat selection factor is available CTI. You want to ask yourself, is there enough CTI to support a robust adversary emulation plan? Because the simple fact is, we cannot emulate TTPs we don't know about. In other words, we need some level of CTI to base our emulation on. You might find yourself asking, how do we know when there is enough CTI to work with? In general, I use ATT&CK as my baseline. On this slide, you can see the ATT&CK page for a threat actor called Thrip. They've been known to target satellite communications, telecoms and defense contractors. On its surface, this might be a very relevant threat for some organizations. But look at the number of references cited in ATT&CK. In this case, there's just one. Also, there aren't a lot of TTPs referenced. In this example, there's a minimal amount of CTI to work with, so this probably isn't a good actor for a robust adversary emulation plan. The next slide shows APT29 for comparison. Note that in this example, there are 32 unique sources. While I'm only showing a sampling of TTPs, there are a lot. In this case, APT29 has significantly more CTI to work with, and this would lend itself well to a robust adversary emulation plan.
The next threat selection factor is TTP complexity. How complex are the TTPs you would likely emulate? In general, emulation plans tend to take longer to create for complex adversaries. To illustrate, you'll find that many adversaries use common red team tools and frameworks. This could be Metasploit, Cobalt Strike or, as shown on this slide, PowerShell Empire. In those cases, complexity is lowered because you can just use off-the-shelf tools to emulate the same adversary behaviors. But often, for sophisticated adversaries, there are no public tools available to emulate those behaviors. For example, there's a really great CTI article published by Kaspersky. This article talks about how Turla hijacks satellite communication links for covert command and control. Those are some really interesting TTPs, and you might want to emulate them. But in this example, it would clearly exceed the complexity of simply downloading off-the-shelf tools. In this case, you'd likely need specialized expertise and resources in order to emulate those behaviors.
Next, we need to consider our available resources. These include those finite resources like budget, time, and personnel. Now, none of this is unique to adversarial emulation. Typically all projects have to deal with these resources. But the fact is, if there's no funding, no time or personnel, your adversary emulation project is dead in the water. You need to be cognisant of these resources and try to balance them in a way that enables you to achieve your adversary emulation engagement objectives.
Now that we've gone through these threat selection factors, I just want to share some key takeaways. First, we know that many factors drive emulated threat selection. All of these factors yield benefits and trade-offs. This means that it's unlikely you'll find a perfect solution. In reality, you just need to pick the best option with the information that you have. As you go forward, I encourage you to think critically about what adversary you're going to select for emulation. I also encourage you to get feedback. Talk to the network owners, talk to your colleagues, and propose which adversaries or threats you're considering. Usually through this dialogue, you'll talk about the various threat selection factors, benefits, and trade-offs. This often leads to an understanding about what threat you should select for emulation for your particular project.
That was lesson 2.3. We talked about the threat selection key factors in detail. These included relevance, available CTI, TTP complexity, and available resources. In our next lesson, we're going to move on to the next step, which is selecting emulated TTPs.