Selecting the Emulated TTPs

Time
8 hours 5 minutes
Difficulty
Intermediate
CEU/CPE
9
Video Transcription
00:00
>> We're now on Lesson 2.4, Selecting Emulated TTPs.
00:00
As we get started with this lesson,
00:00
our first objective will be to list
00:00
factors that influence TTP selection decisions.
00:00
In other words, what are those key things we need to
00:00
think about when selecting TTPs to emulate?
00:00
Next, we're going to share with you our process for
00:00
TTP selection so you can make
00:00
purposeful decisions about which TTPs
00:00
to implement and execute.
00:00
While following this process we'll utilize
00:00
the ATT&CK knowledge base to
00:00
guide our selection decisions.
00:00
Now by this point, we should know two things.
00:00
We should know our engagement objectives,
00:00
and we should know which threat we're emulating and why.
00:00
With that information, we are now ready to
00:00
identify the TTPs we will emulate.
00:00
Now you might recall from our last lesson,
00:00
we used ATT&CK to research and
00:00
inform emulated threat selection.
00:00
We will continue to use ATT&CK in
00:00
this manner this time focusing
00:00
more on gaining a deeper understanding
00:00
of the emulated actors' TTPs.
00:00
Now, this is a very important part
00:00
of adversary emulation because
00:00
the TTPs we select
00:00
drive a lot of the follow-on activities.
00:00
To give you some examples,
00:00
defining rules of engagement.
00:00
What TTPs should be in scope and why?
00:00
Then there's the TTP implementations.
00:00
How should we implement
00:00
a TTP to faithfully emulate the adversary?
00:00
Then there's the operations flow.
00:00
Basically, how should the TTPs be executed?
00:00
Should they be run in a rapid scorched
00:00
earth operation similar to
00:00
NotPetya or maybe low and slow espionage similar to APT 29?
00:00
What are some things we should think about when
00:00
selecting TTPs for adversary emulation?
00:00
I have four key questions to help drive the decision.
00:00
First, does emulating
00:00
the TTP support the engagement objectives?
00:00
A strong answer to this question helps justify
00:00
why a TTP should be in scope for the engagement.
00:00
To give you an example, suppose you're
00:00
assessing a customer's data loss prevention solution,
00:00
does it sound reasonable to emulate
00:00
collection or data exfiltration TTPs?
00:00
In this case, I would argue, yes.
00:00
Because you want to validate that a DLP solution
00:00
can detect things like data exfiltration and collection.
00:00
What about emulating Registry Run key persistence?
00:00
Now it's possible that this could be of value,
00:00
but it's really not aligned with
00:00
the engagement objectives in this case.
00:00
That raises the question,
00:00
why are you emulating TTPs if they
00:00
aren't supporting your engagement objectives?
00:00
The next question I ask is,
00:00
is the CTI credible?
00:00
This helps ensure your emulation
00:00
is representative of real-world threats.
00:00
This is another important thing because we know
00:00
that if it's based on real-world activities,
00:00
it hedges against challenges that maybe
00:00
red team's activities are
00:00
theoretical or would never occur in the wild.
00:00
The third question I ask is,
00:00
how complex is the TTP?
00:00
This specifically has to deal with you as
00:00
the adversary emulation engineer,
00:00
somebody who has to implement these TTPs.
00:00
Because the complexity will directly influence how
00:00
long and how much effort is
00:00
required for you to implement a given TTP.
00:00
The final question I ask is,
00:00
can you understand the TTP with enough detail that
00:00
you can explain its potential impact to customer systems?
00:00
Now it's a bit wordy, but this is
00:00
a very important question.
00:00
You'll find that network owners generally disapprove of
00:00
TTPs that can result in
00:00
unscheduled downtime or data loss.
00:00
Stated differently,
00:00
network owners generally don't want you
00:00
running ransomware emulations in
00:00
their environment without at least some controls
00:00
or mitigations in place to keep things from going crazy.
00:00
All that is to say the onus is on you,
00:00
the adversary emulation engineer,
00:00
to explain to the network owner exactly how
00:00
your TTPs will affect customer systems.
00:00
These are the TTP selection factors.
00:00
Now that we understand these,
00:00
let's shift gears and walk through
00:00
our process for selecting emulated TTPs.
00:00
On this slide, we show you our process
00:00
for selecting emulated TTPs.
00:00
We'll start by giving you an overview of this process,
00:00
and then we will examine each of these steps
00:00
individually in greater detail.
00:00
We start by gaining
00:00
a general understanding of the adversary's TTPs.
00:00
This can be as simple as skimming
00:00
the ATT&CK page for your actor or
00:00
threat and quickly identifying
00:00
TTPs you know are relevant for your project.
00:00
Next, we focus on gaining
00:00
a detailed understanding of
00:00
TTPs that are relevant to the project.
00:00
This is usually where we're tracing
00:00
a TTP to its original CTI sources.
00:00
In that way, we can better understand
00:00
how the behavior occurred in the wild.
00:00
Once we have this information,
00:00
we're usually ready to select emulated TTPs.
00:00
We then capture those TTPs in a scenario outline,
00:00
which will provide the foundation for us to implement
00:00
TTPs and ultimately create an adversary emulation plan.
00:00
That is the general process for selecting emulated TTPs.
00:00
Let's now talk about what it means to gain
00:00
a general TTP understanding in greater detail.
00:00
When we talk about gaining a general TTP understanding,
00:00
really what we're trying to do is quickly become
00:00
familiar with the emulated adversary's TTPs.
00:00
We already know a little bit about
00:00
the adversary because we did
00:00
enough research to select them
00:00
for emulation in the first place,
00:00
but we don't know exactly
00:00
which TTPs we should emulate as part of our engagement.
00:00
To inform these decisions,
00:00
we start by gaining
00:00
a general understanding of the adversary's TTPs.
00:00
How do we do this exactly?
00:00
Well, the first thing I do is simply read through
00:00
the ATT&CK page for my adversary focusing on their TTPs.
00:00
As an example, if I selected APT 29,
00:00
I'm going to go through the APT 29 page.
00:00
As I go through their TTP,
00:00
I'm trying to gain a general understanding
00:00
of how this actor operates.
00:00
I'm also trying to prioritize TTPs based on
00:00
if they seem relevant to the engagement objectives.
00:00
As I go through this process,
00:00
I also commonly pivot back and forth to
00:00
the ATT&CK navigator to
00:00
visualize how many TTPs I have to work with.
00:00
Now after gaining a general understanding,
00:00
we go a layer deeper,
00:00
and we work to develop
00:00
a detailed understanding of relevant adversary TTPs.
00:00
Usually, by this point,
00:00
you'll have identified some TTPs
00:00
that seem particularly relevant to your project.
00:00
A logical next step is to follow
00:00
the ATT&CK descriptions to the original CTI sources.
00:00
In that way, you can gain a deeper understanding about
00:00
the TTP as it was observed and reported in the wild.
00:00
To give you an example, on this slide,
00:00
you can see how we start with an ATT&CK TTP.
00:00
Specifically, this is scheduled
00:00
task persistence from APT 29.
00:00
You could see that they've used the scheduler
00:00
and schtasks to
00:00
create new tasks on
00:00
remote hosts as part of lateral movement.
00:00
We then follow the TTP to its original CTI source.
00:00
In this case, it's an article by Volexity.
00:00
Now, this article describes how
00:00
APT 29's scheduled task TTP works in detail.
00:00
You can see that they provide
00:00
detailed syntax and commands for executing this TTP.
00:00
With this information, you gain
00:00
a detailed understanding for how that TTP works,
00:00
and you can then start deciding if you should
00:00
emulate this TTP as part of your project.
00:00
Now that we have a detailed understanding
00:00
of the adversary's TTPs,
00:00
we are ready to make an informed decision about
00:00
which TTPs we will
00:00
implement and emulate in our engagement.
00:00
As we make this decision,
00:00
we should reflect on our TTP selection factors.
00:00
Does emulating the TTP support engagement objectives?
00:00
Is the CTI credible?
00:00
How complex is the TTP knowing
00:00
that will directly affect our level of effort?
00:00
Can we understand the TTP with enough detail to
00:00
explain its potential impact to the customer systems?
00:00
Provided you've gone through these factors,
00:00
you should be able to come to
00:00
a purposeful and sensible decision
00:00
when you're talking to network owners
00:00
about what TTPs should be in scope and
00:00
also how you should implement the TTPs going forward.
00:00
Once you've selected the TTPs you want to emulate,
00:00
the next step is to document them in a scenario outline.
00:00
We're going to explore the scenario outline
00:00
in detail in our next lesson.
00:00
For now, it's enough to know that
00:00
the scenario outline lists the TTPs you want to emulate.
00:00
It also provides contextual descriptions
00:00
and sources taken from ATT&CK.
00:00
This outline will later be used to help
00:00
define our rules of engagement and
00:00
also to guide your development tasks as you
00:00
start implementing TTPs for your engagement.
00:00
That brings us to the Lesson 2.4 summary.
00:00
During this lesson, we explored
00:00
the TTP selection process.
00:00
We showed how you can use ATT&CK to gain
00:00
a detailed understanding of TTPs,
00:00
and we discussed the TTP selection factors,
00:00
which you can use to inform your TTP selection decisions.
00:00
In the next lesson,
00:00
we'll revisit this scenario outline discussing
00:00
what it is and why we use it in greater detail.