Threat Emulation
Time: 1 hour
Difficulty: Beginner
CEU/CPE: 2
Video Transcription
>> Welcome to Module 3, Lesson 3, Threat Emulation. In this lesson, we will explore my personal favorite application of ATT&CK, emulating threats, and appreciate how threat emulation can use known adversary behaviors, such as those documented within ATT&CK, to assess, measure, and eventually improve our defenses. This lesson will focus on what we call intelligence-driven emulation, or Red Teams mimicking known threats. This process allows us to operationalize the intelligence we discussed in Lesson 1. Specifically, we can use CTI to scope and prioritize which threats and behaviors we, as Red Teams, evaluate. At the end of the day, this allows us to observe and evaluate our defenses from the perspective that matters: that of our adversaries. Let's look back at the detection analytic from Lesson 2.

>> As you recall, this analytic targets detecting adversaries dumping credentials via LSASS memory. But the question arises: after developing and deploying this analytic, what's the next step as a defender? Do we wait for an adversary to trigger, or potentially bypass, this analytic? We can look back at ATT&CK and compare this analytic to documented procedures. We can also triage new CTI, which may pose new questions such as: are we safe against these unknown or previously undocumented procedures? This is where threat-informed assessment comes in. As you can see with the example adversary emulation plan below, we can use intelligence to build real-world adversary TTPs into Red Team scenarios. This process allows us to actually build out Red Team TTPs that provide outputs that are more quantitative and more closely measure how we fare against real adversary behaviors. Here's another example of using CTI to build out Red Team scenarios and behaviors that we can execute for better assessments.

With that, we've reached our knowledge check for Lesson 3. True or false? There's a limit to the number of different ways a single behavior can be emulated. Please pause the video and take a second to think of the correct answer before proceeding. In this case, the correct answer is false. Similar to procedures, there is no limit to the number of ways a single behavior can be emulated or executed by an adversary.

With that, we've reached the end of Lesson 3. In summary, threat emulation is an offensive assessment mimicking particular adversary behaviors, such as those documented within ATT&CK. We can use threat emulation to address the unlimited number of procedures, or variations, of how adversary techniques can be executed by adversaries or by Red Teams. Finally, we can use this threat emulation process to understand how our defenses fare against specific threats and their behaviors.