Frank Duff
Christopher Korban
1/31/2018
Evolution of Security Posture Assessments
Approved for Public Release; Distribution Unlimited. Case Number 18-0179 ©2018 The MITRE Corporation. All Rights Reserved
Endpoint Detect and Respond Case Study
• Convergence of cyber endpoint technologies offering varying combinations of protect / detect / respond / contain / alert
  – Malware Detection, Behavioral Detection, Incident Response, DLP Technology, App Isolation Technologies, Deception for Detection
• Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors
  – To evaluate cyber defense, emulate cyber offense.
[Diagram: three building blocks]
Adversary Behavior: cyber threat analysis, research, industry reports
ATT&CK: adversary model (APT3, APT29, etc.), post-compromise techniques
FMX: data sources, analytics, prioritization
Traditional Offensive Testing Workflow
Red team: Intel Gathering → Vulnerability Assessment → Target Acquisition → Exploitation → Privilege Escalation → Lateral Movement → Persistence → Exfiltration → Report Findings
Blue team: Collect → Protect → Detect → Triage → Investigate → Coordinate → Remediate
• Typical Red vs Blue event flow
Improved Offensive Testing Workflow
Intel Gathering → Protect/Defend → Vulnerability Assessment → Protect/Defend → Target Acquisition → Protect/Defend → Exploitation → Protect/Defend → Privilege Escalation → Protect/Defend → Lateral Movement → Protect/Defend → Persistence → Protect/Defend → Exfiltration → Protect/Defend
(The attack phases are the traditional Red Team’s; each Protect/Defend step is the traditional Blue Team’s.)
• After a traditional Red vs Blue event, start blended retesting:
Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm
Need Common Criteria
• Articulate
  – To vendors and US government customers
• Repeat
  – To verify results and retest
• Measure
  – Gauge improvement
attack.mitre.org
Bianco’s Pyramid of Pain
Source: David Bianco
https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
Adversary Emulation Using ATT&CK
• Create emulation plans using ATT&CK
• Helps focus testing on individual patterns of behavior
  – Identify whether existing detection mechanisms, analytics and mitigations work
  – Discover gaps in visibility, data, tools, process and hardening
  – Address gaps within defenses by improving the system
  – Re-test regularly using varied behavior and objectives
ATT&CK Enterprise matrix as shown on the slide (one line per tactic column):
Persistence: Accessibility Features, AppInit DLLs, Basic Input/Output System, Bootkit, Change Default File Handlers, Component Firmware, DLL Search Order Hijacking, Hypervisor, Legitimate Credentials, Local Port Monitor, Logon Scripts, Modify Existing Service, New Service, Path Interception, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Security Support Provider, Service File Permissions Weakness, Service Registry Permissions Weakness, Shortcut Modification, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
Privilege Escalation: Accessibility Features, AppInit DLLs, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, Legitimate Credentials, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service File Permissions Weakness, Service Registry Permissions Weakness, Web Shell
Defense Evasion: Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, DLL Injection, DLL Search Order Hijacking, DLL Side-Loading, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Indicator Blocking on Host, Indicator Removal from Tools, Indicator Removal on Host, Legitimate Credentials, Masquerading, Modify Registry, NTFS Extended Attributes, Obfuscated Files or Information, Process Hollowing, Redundant Access, Rootkit, Rundll32, Scripting, Software Packing, Timestomp
Credential Access: Brute Force, Credential Dumping, Credential Manipulation, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Two-Factor Authentication Interception
Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Local Network Configuration Discovery, Local Network Connections Discovery, Network Service Scanning, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery
Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Windows Admin Shares, Windows Remote Management
Execution: Command-Line, Execution through API, Graphical User Interface, PowerShell, Process Hollowing, Rundll32, Scheduled Task, Service Execution, Third-party Software, Windows Management Instrumentation, Windows Remote Management
Collection: Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture
Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
Command and Control: Commonly Used Port, Communication Through Removable Media, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Peer Connections, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
Successful Adversary Emulation
• Make it real: use the same techniques, tools, methods and goals as an attacker
• End-to-end: don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished
• Repeatable: be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time
• Adversary Emulation Process:
  – Threat Intelligence Acquisition
  – Extract Actionable Techniques
  – Develop Tools and Analyze Adversary Modus Operandi
  – Setup Infrastructure and Emulate Adversary
Constraining the Test: Intel, Technical Capability, Time
ATT&CK Techniques in Scope (Partial Matrix – APT3)
APT Emulation Plan – Plan Phases
Actionable Emulation Plan
A Common Scorecard
• Grey: APT3 techniques not tested
• Green: tested and detected
• Yellow: tested and not detected, but could have been
• Red: sensor gaps
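As an added example (not code from the MITRE deck), the scorecard legend above combined with the “repeatable, so improvement or degradation can be measured over time” principle: each plan step is coloured per the legend, collapsed to one colour per technique, and two runs of the same plan are compared. The technique IDs are legacy ATT&CK IDs for techniques on the slide’s matrix; the run results are constructed data.

```python
"""Scorecard for an ATT&CK-based emulation plan run, plus run-to-run comparison.
Added example (not from the MITRE deck): applies the slide's grey/green/yellow/red
legend per technique, then compares two runs so detection improvement or
degradation can be measured over time. Results below are constructed data."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

GREY, GREEN, YELLOW, RED = "grey", "green", "yellow", "red"
# When several plan steps exercise one technique, the worst outcome is kept so a
# single detection does not mask a miss elsewhere in the plan.
_SEVERITY = {GREEN: 0, YELLOW: 1, RED: 2}
# Detection posture used for run-to-run comparison (higher is better).
_POSTURE = {RED: 0, YELLOW: 1, GREEN: 2}


@dataclass(frozen=True)
class StepResult:
    technique: str        # ATT&CK technique ID (legacy numbering), e.g. "T1003"
    tactic: str           # tactic column the step exercised
    tested: bool          # was the step actually executed in this run?
    detected: bool        # did an analytic or alert fire on it?
    data_available: bool  # did any sensor record the activity at all?


def colour(r: StepResult) -> str:
    """Slide legend: grey = not tested; green = tested and detected;
    yellow = tested, missed, but the data to detect it was collected;
    red = tested, missed, and no sensor saw it (sensor gap)."""
    if not r.tested:
        return GREY
    if r.detected:
        return GREEN
    return YELLOW if r.data_available else RED


def scorecard(results: Iterable[StepResult]) -> Dict[str, str]:
    """Collapse step results to one colour per technique (worst outcome wins)."""
    card: Dict[str, str] = {}
    for r in results:
        c, prev = colour(r), card.get(r.technique)
        if prev is None or prev == GREY:
            card[r.technique] = c      # first result, or replacing "not tested"
        elif c != GREY and _SEVERITY[c] > _SEVERITY[prev]:
            card[r.technique] = c      # a worse tested outcome overrides
    return card


def tactic_summary(results: Iterable[StepResult]) -> Dict[str, Counter]:
    """Count scorecard colours per tactic column, one count per technique."""
    results = list(results)
    tactic_of = {r.technique: r.tactic for r in results}
    summary: Dict[str, Counter] = {}
    for tech, c in scorecard(results).items():
        summary.setdefault(tactic_of[tech], Counter())[c] += 1
    return summary


def compare_runs(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Techniques that moved toward green (improved) or toward red (degraded)
    between two runs of the same plan. Grey in either run means nothing was
    measured, so those techniques are skipped rather than scored."""
    improved: List[str] = []
    degraded: List[str] = []
    for tech in sorted(set(before) | set(after)):
        b, a = before.get(tech, GREY), after.get(tech, GREY)
        if GREY in (b, a):
            continue
        if _POSTURE[a] > _POSTURE[b]:
            improved.append(tech)
        elif _POSTURE[a] < _POSTURE[b]:
            degraded.append(tech)
    return {"improved": improved, "degraded": degraded}


# Constructed results for two runs of the same partial APT3-style plan.
RUN_1 = [
    StepResult("T1003", "Credential Access", True, True, True),   # Credential Dumping: detected
    StepResult("T1086", "Execution", True, False, True),          # PowerShell, step 1: logged only
    StepResult("T1086", "Execution", True, True, True),           # PowerShell, step 2: detected
    StepResult("T1075", "Lateral Movement", True, False, False),  # Pass the Hash: no sensor
    StepResult("T1053", "Persistence", False, False, False),      # Scheduled Task: not run
    StepResult("T1087", "Discovery", True, False, True),          # Account Discovery: logged only
]
RUN_2 = [
    StepResult("T1003", "Credential Access", True, True, True),
    StepResult("T1086", "Execution", True, True, True),           # analytic now covers both steps
    StepResult("T1086", "Execution", True, True, True),
    StepResult("T1075", "Lateral Movement", True, False, True),   # sensor added, analytic still missing
    StepResult("T1053", "Persistence", True, False, True),        # first time tested: not comparable
    StepResult("T1087", "Discovery", True, False, False),         # sensor coverage lost: yellow -> red
]

if __name__ == "__main__":
    for name, run in (("run 1", RUN_1), ("run 2", RUN_2)):
        print(name, scorecard(run))
        for tactic, counts in tactic_summary(run).items():
            print(f"  {tactic}: {dict(counts)}")
    print("change:", compare_runs(scorecard(RUN_1), scorecard(RUN_2)))
```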
Frequency of Offensive Testing
[Diagram over a time axis: Atomic Testing, Adversary Emulation, Red Teaming, Knowledge Base]
Automating where possible
• Takes care of the simple to allow you to focus on the difficult.
• Several options to actuate your plans:
  – Custom, roll-your-own methods
  – Automated breach simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
  – MITRE CALDERA
MITRE Adversary Emulation Resources
• ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge: a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
• Adversary Emulation Playbooks – open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
• CALDERA – an automated adversary emulation system built on ATT&CK that is useful for emulating pre-programmed sets of behavior
  – Open source: https://github.com/mitre/caldera
  – Closed source research version available to sponsors
LETS@MITRE.ORG – ATTACK@MITRE.ORG
Reasons to Release and Focus on Adversary Emulation Plans
• Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
• Highlights the type of intel we can use, e.g., moves IR reports away from Indicators of Compromise and toward behaviors.
  – The intel would be immediately useful
• Provides a good “sellable” back-story, especially if in an affected industry
• Enables apples-to-apples comparisons
• Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
• Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is avoidable.
  – For what is avoidable, run the gamut of the different permutations and actuations of a TTP
  – For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right of it, sometimes hamstringing the TTP category as a whole.

Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
Locating and isolating a gene, FISH, GISH, Chromosome walking and jumping, te...
 
Digital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptxDigital Dentistry.Digital Dentistryvv.pptx
Digital Dentistry.Digital Dentistryvv.pptx
 
Use of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptxUse of mutants in understanding seedling development.pptx
Use of mutants in understanding seedling development.pptx
 
Exploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdfExploring Criminology and Criminal Behaviour.pdf
Exploring Criminology and Criminal Behaviour.pdf
 
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptxClimate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
Climate Change Impacts on Terrestrial and Aquatic Ecosystems.pptx
 
Grade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its FunctionsGrade 7 - Lesson 1 - Microscope and Its Functions
Grade 7 - Lesson 1 - Microscope and Its Functions
 
Human genetics..........................pptx
Human genetics..........................pptxHuman genetics..........................pptx
Human genetics..........................pptx
 
Molecular markers- RFLP, RAPD, AFLP, SNP etc.
Molecular markers- RFLP, RAPD, AFLP, SNP etc.Molecular markers- RFLP, RAPD, AFLP, SNP etc.
Molecular markers- RFLP, RAPD, AFLP, SNP etc.
 
Velocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.pptVelocity and Acceleration PowerPoint.ppt
Velocity and Acceleration PowerPoint.ppt
 
POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.POGONATUM : morphology, anatomy, reproduction etc.
POGONATUM : morphology, anatomy, reproduction etc.
 
Module for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learningModule for Grade 9 for Asynchronous/Distance learning
Module for Grade 9 for Asynchronous/Distance learning
 
development of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virusdevelopment of diagnostic enzyme assay to detect leuser virus
development of diagnostic enzyme assay to detect leuser virus
 

Evolution of Offensive Testing - ATT&CK-based Adversary Emulation Plans

  • 1. Evolution of Security Posture Assessments. Frank Duff, Christopher Korban, 1/31/2018. Approved for Public Release; Distribution Unlimited. Case Number 18-0179 ©2018 The MITRE Corporation. All Rights Reserved
  • 2. Endpoint Detect and Respond Case Study
     Convergence of cyber endpoint technologies offering varying combos of protect / detect / respond / contain / alert
      – Malware Detection, Behavioral Detection, Incident Response, DLP Technology, App Isolation Technologies, Deception for Detection
     Capitalize on ATT&CK and post-exploit detection expertise to declutter the space for MITRE’s sponsors
      – To evaluate cyber defense, emulate cyber offense.
    Figure (three boxes): Adversary Behavior (cyber threat analysis, research, industry reports); ATT&CK (adversary model such as APT3 or APT29, post-compromise techniques); FMX (data sources, analytics, prioritization)
  • 3. Traditional Offensive Testing Workflow
     Typical Red vs Blue event flow
    Red team flow: Intel Gathering, Vulnerability Assessment, Target Acquisition, Exploitation, Privilege Escalation, Lateral Movement, Persistence, Exfiltration, Report Findings
    Blue team flow: Collect, Protect, Detect, Triage, Investigate, Coordinate, Remediate
  • 4. Improved Offensive Testing Workflow
     After a traditional Red vs Blue event start blended retesting:
    Figure: each red step (Intel Gathering, Vulnerability Assessment, Target Acquisition, Exploitation, Privilege Escalation, Lateral Movement, Persistence, Exfiltration) is paired with a Protect/Defend step; the figure is labelled Traditional Red Team and Traditional Blue Team.
    Slide inspired by Chris Gates’ and Chris Nickerson’s presentation “Building a Successful Internal Adversarial Simulation Team”: https://goo.gl/R3yglm
  • 5. Need Common Criteria
     Articulate – To vendors and US government customers
     Repeat – To verify results and retest
     Measure – Gauge improvement
    attack.mitre.org
  • 6. Bianco’s Pyramid of Pain. Source: David Bianco https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  • 7. Adversary Emulation Using ATT&CK
     Create emulation plans using ATT&CK
     Helps focus testing on individual patterns of behavior
      – Identify if existing detection mechanisms, analytics, mitigations work
      – Gaps in visibility, data, tools, process, hardening discovered
      – Address gaps within defenses by improving system
      – Re-test regularly using varied behavior and objectives
    ATT&CK matrix shown on the slide, listed by tactic column:
      Persistence: Accessibility Features, AppInit DLLs, Basic Input/Output System, Bootkit, Change Default File Handlers, Component Firmware, DLL Search Order Hijacking, Hypervisor, Legitimate Credentials, Local Port Monitor, Logon Scripts, Modify Existing Service, New Service, Path Interception, Redundant Access, Registry Run Keys / Start Folder, Scheduled Task, Security Support Provider, Service File Permissions Weakness, Service Registry Permissions Weakness, Shortcut Modification, Web Shell, Windows Management Instrumentation Event Subscription, Winlogon Helper DLL
      Privilege Escalation: Accessibility Features, AppInit DLLs, Bypass User Account Control, DLL Injection, DLL Search Order Hijacking, Exploitation of Vulnerability, Legitimate Credentials, Local Port Monitor, New Service, Path Interception, Scheduled Task, Service File Permissions Weakness, Service Registry Permissions Weakness, Web Shell
      Defense Evasion: Binary Padding, Bypass User Account Control, Code Signing, Component Firmware, DLL Injection, DLL Search Order Hijacking, DLL Side-Loading, Disabling Security Tools, Exploitation of Vulnerability, File Deletion, File System Logical Offsets, Indicator Blocking on Host, Indicator Removal from Tools, Indicator Removal on Host, Legitimate Credentials, Masquerading, Modify Registry, NTFS Extended Attributes, Obfuscated Files or Information, Process Hollowing, Redundant Access, Rootkit, Rundll32, Scripting, Software Packing, Timestomp
      Credential Access: Brute Force, Credential Dumping, Credential Manipulation, Credentials in Files, Exploitation of Vulnerability, Input Capture, Network Sniffing, Two-Factor Authentication Interception
      Discovery: Account Discovery, Application Window Discovery, File and Directory Discovery, Local Network Configuration Discovery, Local Network Connections Discovery, Network Service Scanning, Peripheral Device Discovery, Permission Groups Discovery, Process Discovery, Query Registry, Remote System Discovery, Security Software Discovery, System Information Discovery, System Owner/User Discovery, System Service Discovery
      Lateral Movement: Application Deployment Software, Exploitation of Vulnerability, Logon Scripts, Pass the Hash, Pass the Ticket, Remote Desktop Protocol, Remote File Copy, Remote Services, Replication Through Removable Media, Shared Webroot, Taint Shared Content, Windows Admin Shares, Windows Remote Management
      Execution: Command-Line, Execution through API, Graphical User Interface, PowerShell, Process Hollowing, Rundll32, Scheduled Task, Service Execution, Third-party Software, Windows Management Instrumentation, Windows Remote Management
      Collection: Automated Collection, Clipboard Data, Data Staged, Data from Local System, Data from Network Shared Drive, Data from Removable Media, Email Collection, Input Capture, Screen Capture
      Exfiltration: Automated Exfiltration, Data Compressed, Data Encrypted, Data Transfer Size Limits, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exfiltration Over Other Network Medium, Exfiltration Over Physical Medium, Scheduled Transfer
      Command and Control: Commonly Used Port, Communication Through Removable Media, Custom Command and Control Protocol, Custom Cryptographic Protocol, Data Obfuscation, Fallback Channels, Multi-Stage Channels, Multiband Communication, Multilayer Encryption, Peer Connections, Remote File Copy, Standard Application Layer Protocol, Standard Cryptographic Protocol, Standard Non-Application Layer Protocol, Uncommonly Used Port, Web Service
  • 8. Successful Adversary Emulation
    Make it real: Use the same techniques, tools, methods and goals of an attacker
    End-to-End: Don’t just look for holes or perform small attacks. Start from the initial compromise and go until objectives are accomplished
    Repeatable: Be repeatable, so that your detection and prevention improvement (or degradation) can be measured over time
  • 9.  Adversary Emulation Process:
      – Threat Intelligence Acquisition
      – Extract Actionable Techniques
      – Develop Tools and Analyze Adversary Modus Operandi
      – Setup Infrastructure and Emulate Adversary
    Constraining the Test: Intel, Technical Capability, Time
    Figure: ATT&CK Techniques in Scope (Partial Matrix – APT3)
  • 10. APT Emulation Plan – Plan Phases
  • 11. Actionable Emulation Plan
  • 12. A Common Scorecard: Grey – APT3 techniques not tested; Green – tested and detected; Yellow – tested and weren't detected but could have been; Red – sensor gaps
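The scorecard on slide 12 can be produced mechanically from an emulation plan and a run log, which is what makes the retest on slide 7 comparable run to run. The block below is an added example, not MITRE's code or any part of the released APT3 plan: the technique names are taken from the ATT&CK matrix on slide 7, while the plan phases, the technique-to-data-source mapping, the set of collected data sources and the run results are constructed sample data, and reading Yellow versus Red as "required data sources were collected versus not collected" is this example's interpretation of the slide's colour key.

```python
"""Colour one run of an ATT&CK-based emulation plan the way slide 12 does.

Added example, not MITRE's code. Technique names come from the matrix on
slide 7; every mapping and result below is constructed sample data.
"""
from enum import Enum


class Score(Enum):
    GREY = "not tested"
    GREEN = "tested and detected"
    YELLOW = "tested, not detected, but the data to detect it was collected"
    RED = "tested, not detected, required data source missing (sensor gap)"


# Constructed plan: ordered phases, each listing ATT&CK technique names.
PLAN = {
    "Phase 1: execution and discovery": [
        "Command-Line", "PowerShell", "System Information Discovery", "Account Discovery"],
    "Phase 2: privilege escalation and credential access": [
        "Bypass User Account Control", "Credential Dumping"],
    "Phase 3: lateral movement and exfiltration": [
        "Pass the Hash", "Windows Admin Shares", "Data Compressed",
        "Exfiltration Over Command and Control Channel"],
}

# Assumed mapping of each technique to the data sources an analytic needs.
# The authoritative mapping lives on the ATT&CK technique pages, not here.
REQUIRED_DATA_SOURCES = {
    "Command-Line": {"Process monitoring", "Process command-line parameters"},
    "PowerShell": {"Process monitoring", "Process command-line parameters"},
    "System Information Discovery": {"Process monitoring", "Process command-line parameters"},
    "Account Discovery": {"Process monitoring", "Process command-line parameters"},
    "Bypass User Account Control": {"Process monitoring", "Windows Registry"},
    "Credential Dumping": {"Process monitoring", "API monitoring"},
    "Pass the Hash": {"Authentication logs"},
    "Windows Admin Shares": {"Authentication logs", "Netflow/Enclave netflow"},
    "Data Compressed": {"Process monitoring", "File monitoring"},
    "Exfiltration Over Command and Control Channel": {"Packet capture", "Netflow/Enclave netflow"},
}

# Constructed: what this environment's sensors actually collect.
COLLECTED_DATA_SOURCES = {"Process monitoring", "Process command-line parameters",
                          "API monitoring", "Authentication logs", "File monitoring"}

# Constructed run log: technique -> (was it executed?, did an analytic fire?)
RESULTS = {
    "Command-Line": (True, True),
    "PowerShell": (True, True),
    "System Information Discovery": (True, False),
    "Account Discovery": (False, False),
    "Bypass User Account Control": (True, False),
    "Credential Dumping": (True, True),
    "Pass the Hash": (True, False),
    "Windows Admin Shares": (True, False),
    "Data Compressed": (False, False),
    "Exfiltration Over Command and Control Channel": (True, False),
}


def score_technique(technique, executed, detected, collected=COLLECTED_DATA_SOURCES):
    """Apply the slide-12 colour key to one technique.

    A miss is Yellow when every required data source was collected (an
    analytic gap, fixable with a rule) and Red otherwise (a sensor gap,
    which needs new collection before any rule can help).
    """
    if not executed:
        return Score.GREY
    if detected:
        return Score.GREEN
    needed = REQUIRED_DATA_SOURCES.get(technique, set())
    if needed and needed <= collected:
        return Score.YELLOW
    return Score.RED


def build_scorecard(plan, results, collected=COLLECTED_DATA_SOURCES):
    """Return {technique: Score} for every technique in the plan."""
    card = {}
    for techniques in plan.values():
        for technique in techniques:
            executed, detected = results.get(technique, (False, False))
            card[technique] = score_technique(technique, executed, detected, collected)
    return card


def summarize(card):
    """Count techniques per colour; zeros are kept so retests compare cleanly."""
    return {score.name: sum(1 for v in card.values() if v is score) for score in Score}


def render(plan, card):
    """Plain-text scorecard, phase by phase, in plan order."""
    lines = []
    for phase, techniques in plan.items():
        lines.append(phase)
        for technique in techniques:
            lines.append(f"  [{card[technique].name:<6}] {technique}")
    return "\n".join(lines)


if __name__ == "__main__":
    card = build_scorecard(PLAN, RESULTS)
    print(render(PLAN, card))
    print(summarize(card))
    # Retest after adding registry collection: the UAC-bypass miss moves
    # from a sensor gap (Red) to an analytic gap (Yellow).
    print(score_technique("Bypass User Account Control", True, False,
                          COLLECTED_DATA_SOURCES | {"Windows Registry"}))
```

Keeping the plan, the data-source mapping and the run log as three separate inputs is what makes the card repeatable in the slide-8 sense: rerunning the same plan after a sensor or analytic change produces a card whose per-colour counts can be diffed against the last one, and the Yellow/Red split tells the defender whether the next fix is a detection rule or new collection.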
  • 13. Frequency of Offensive Testing. Figure (x-axis: Time): Atomic Testing, Adversary Emulation, Red Teaming, Knowledge Base
  • 14. Automating where possible
     Takes care of the simple to allow you to focus on the difficult.
     Several options to actuate your plans:
      – Custom, roll-your-own methods
      – Automated Breach Simulation vendors: AttackIQ, SafeBreach, Verodin, etc.
      – MITRE CALDERA
  • 15. MITRE Adversary Emulation Resources
     ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge, a knowledge base and adversary behavioral model for describing how adversaries operate across their lifecycle
     Adversary Emulation Playbooks – Open source threat intel and ATT&CK-based adversary group profiles that describe how to emulate a specific group
     CALDERA – An automated adversary emulation system built off of ATT&CK that is useful for emulating pre-programmed sets of behavior
      – Open source: https://github.com/mitre/caldera
      – Closed source research version available to sponsors
    LETS@MITRE.ORG – ATTACK@MITRE.ORG
  • 16. Reasons to Release and Focus on Adversary Emulation Plans
     Helps smaller shops run APT-style red teams but, more importantly, paves the way for real-world, data-driven red teams
     Highlight the type of intel we can use, e.g., move IR reports away from Indicators of Compromise and toward behaviors.
      – The intel would be immediately useful
     Provides a good “sellable” back-story, especially if in an affected industry
     Enables apples-to-apples comparisons
     Lowers the bar to “offensive testing,” empowering blue teams with the ability to run checks themselves
     Creating emulation plans identifies what is unavoidable when performing a certain TTP and what is avoidable.
      – For what is avoidable, run the gamut for the different permutations and actuations of a TTP
      – For what is not avoidable, defenders should focus on the “pinch point” to quell all possibilities to the right, sometimes hamstringing the TTP category as a whole.

Editor's notes

  1. Excerpt of flow chart and tools table from the APT Emulation Plan recently released from this project on attack.mitre.org