Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test that focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement. In this talk, we will learn about APT29 “Cozy Bear”, how they operate and what their objectives are. We will create an adversary emulation plan using C2 Matrix to pick the best command and control framework that covers the most TTPs. We will spend at least half the talk live demoing the attack with various tools that emulate the adversary behaviors and TTPs.

1. @JORGEORCHILLES
Cuddling the Cozy Bear
Emulating APT29
@JorgeOrchilles

2. @JORGEORCHILLES
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pen Test Framework
● ISSA Fellow; NSI Technologist Fellow
2

3. @JORGEORCHILLES
Agenda
● What is Adversary Emulation
● Bear Pictures
● Cyber Threat Intelligence
● Cozy Bear + Pictures
● Adversary Emulation Plan
● Bear Pictures
● Live Demo - pray to the demo bears
● MOAR Bear Pictures
● Defending against Bears + Pictures
● Cuddling with Bears
3

4. @JORGEORCHILLES
Red Team
● Definition:
○ “The practice of looking at a problem or
situation from the perspective of an
adversary”
– Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and
technology
○ Test assumptions
4
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Effort:
○ Manual
○ Many tools (C2 Matrix)
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
● Customer:
○ Blue Teams

5. @JORGEORCHILLES
Red Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry
experience
● “Snapshot” engagements
5

6. @JORGEORCHILLES
Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates,
following the same tactics, techniques, and procedures (TTPs), with a specific objective similar
to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
6
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988

7. @JORGEORCHILLES
TOWARD A PURPLE TEAM

8. @JORGEORCHILLES
Purple Team Exercises
8
● Virtual, functional team where teams work together to
measure and improve defensive security posture
○ CTI provides threat actor with capability, intent, and opportunity to
attack
○ Red Team creates adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics,
techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team look for indicators of behavior
○ Red and Blue work together to create remediation action plan
● Repeat exercises to measure and improve people,
process, and technology

9. @JORGEORCHILLES
Did you say Purple?
9

10. @JORGEORCHILLES
Framework & Methodology
10
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing
○ Threat Intelligence-Based Ethical Red Teaming
○ Red Team: Adversarial Attack Simulation
Exercises
○ Intelligence-led Cyber Attack Simulation Testing
○ A Framework for the Regulatory Use of
Penetration Testing in the Financial Services
Industry
● Testing Framework:

11. @JORGEORCHILLES
MITRE ATT&CK
https://attack.mitre.org/
11

12. @JORGEORCHILLES
ATT&CK Evaluations
12
https://attackevals.mitre.org/

13. @JORGEORCHILLES
Threat Intelligence
13
David Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

14. @JORGEORCHILLES
Cozy Bear
● Threat group that has been attributed to the
Russian government
● Reportedly compromised the Democratic
National Committee in 2015
● Commitment to stealth and sophisticated
implementations of techniques via an arsenal
of custom malware
Source: https://attackevals.mitre.org/APT29/
14Thanks MITRE!! https://twitter.com/MITREattack

15. @JORGEORCHILLES
Types of Bears
15
Thanks Jamie!! https://twitter.com/jamieantisocial

16. @JORGEORCHILLES
ATT&CK Navigator
16

17. @JORGEORCHILLES
Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
○ Blue Team has full knowledge or no knowledge?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
○ Moving target
● Rules of Engagements
● Attack Infrastructure
17Thanks Alex!! https://twitter.com/_sailfinn

18. @JORGEORCHILLES
Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
18

19. @JORGEORCHILLES
Adversary Emulation Plan
Split in 2 days; 20 Steps:
● Initial Access via Phishing
○ Broad & Targeted
● Day 1: Smash-and-Grab
○ Pupy & Metasploit/Meterpreter
● Day 2: Stealth (low and slow)
○ PoshC2 and Powershell
● Resources:
○ https://attackevals.mitre.org/APT29/operational-flow.html
○ https://github.com/mitre-attack/attack-arsenal/tree/master/
adversary_emulation/APT29/Emulation_Plan
19

20. @JORGEORCHILLES
Track your work! Use VECTR
20

21. @JORGEORCHILLES
DEMO
21

22. @JORGEORCHILLES
Defending against Cozy Bear
22
Results: https://attackevals.mitre.org/evaluations.html?round=APT29

23. @JORGEORCHILLES
Want MOAR! Follow #ThreatThursday
● Weekly blog post with a chosen adversary
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK
○ Present Adversary Emulation Plan
■ Share the plan on SCYTHE Github
■ https://github.com/scythe-io/community-threats/
○ Emulate Adversary
○ How to defend against adversary
● Published Posts
○ APT19: https://www.scythe.io/library/threatthursday-apt19
○ Buhtrap: https://www.scythe.io/library/threatthursday-buhtrap
○ APT33: https://www.scythe.io/library/threatthursday-apt33
○ Cozy Bear: https://www.scythe.io/library/threatthursday-cozy-bear
23
Thanks Tim! https://twitter.com/malcomvetter

24. @JORGEORCHILLES
VECTR Webcast
24Register: http://sans.org/u/14IR

25. @JORGEORCHILLES
References
25
● Definitions: https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Purple Team Exercises: https://www.youtube.com/watch?v=Ard7c-79X84
● ATT&CK Evaluations: https://attackevals.mitre.org/ & https://attackevals.mitre.org/APT29/
● C2 Matrix: https://thec2matrix.com/ & https://howto.thec2matrix.com/c2/poshc2
● Emulation Plan: https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
● PoshC2:
○ https://labs.nettitude.com/blog/introducing-poshc2-v6-0/
○ https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/
● VECTR: https://vectr.io/
● #ThreatThursday: https://www.scythe.io/library/
● SANS VECTR Webcast: http://sans.org/u/14IR

26. @JORGEORCHILLES@JORGEORCHILLES
Thank you!
Questions?
26

27. @JORGEORCHILLES
SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Can be deployed on-premises or cloud
● Emulate known threat actors against an enterprise network
○ Consistently execute adversary behaviors
○ Continually assess security tool configuration
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams,
○ Force-multiplier for red team resources
○ Measure and improve response of people and controls
27

28. @JORGEORCHILLES
Features & Capabilities
● Trivial installation - for real, see the
video
● Automation
○ Build cross-platform synthetic malware
via dashboard
○ Synthetic malware emulates chosen
behaviors consistently
● Delivery medium: web (drive-by)
and email
28
● Reports
○ HTML Report, CSV Report,
Executive Report and Technical
Report
○ Mapped to MITRE ATT&CK
● Integrations
○ PlexTrac - automated report writing
and handling
○ Integrated with SIEMs (Splunk and
Syslog)
○ Red Canary’s Atomic Red Team test
cases
○ RedELK and VECTR integration in
progress

29. @JORGEORCHILLES
What’s Next?
● SCYTHE v3
○ Virtual File System
○ Threat Automation language
■ Structured Data out of Unstructured Data
■ Use results of one action for the next action
● Module SDK
○ Native and Python SDK
○ In-memory loading techniques
● Marketplace
○ Ecosystem of third party contributors
○ Create custom modules
○ Request custom modules - TTP Bounty
29

30. @JORGEORCHILLES
Architecture
30