Jorge Orchilles is an experienced red team leader who has led offensive security assessments for large financial institutions. The document discusses adversary emulation, which involves the red team emulating realistic adversary tactics, techniques, and procedures to obtain access to an organization. This helps evaluate an organization's preparedness against sophisticated attacks. It describes measuring how people, processes, and technologies prevent or detect the red team's activities to identify areas for improvement.

1. Adversary
Emulation JORGE ORCHILLES

2. #WHOAMILed offensive security team at large financial for past 10 years
Published industry contributions include:
⑊ Founding member MITRE Engenuity Center
⑊ Co-Author GFMA Threat-led Penetration Testing & Red Team Framework
⑊ SANS Instructor and author of Red Team course: SEC564
⑊ NSI Technologist Fellow; ISSA Fellow
⑊ Common Vulnerability Scoring System (CVSSv3.1)
⑊ Author of Windows 7 Administrators reference (Syngress)
@JORGEORCHILLES

3. 3
VULNERABILITY
SCANNING
VULNERABILITY
ASSESSMENT
PENETRATION
TESTING
RED
TEAM
IN PERSON
PURPLE TEAM
CONTINOUS PURPLE
TEAM
ADVERSARY EMULATION
Definition: A type of Red Team exercise where the Red Team emulates how
an adversary operates, following the same tactics, techniques, and
procedures (TTPs), with a specific objective like those of realistic adversary.
Goal: Emulate an end-to-end attack against a target organization. Obtain a
holistic view of the organization’s preparedness for a real, sophisticated
attack.
@JORGEORCHILLES

4. 4
An end to end assessment of
the entire organization
⑊ Main differentiator from penetration testing
- Tests the defenders not the defenses (detection vs. prevention)
- People, Process, and Technology
- Not a limited scope test targeting just a particular product,
infrastructure, network, application, URL, or domain
⑊ Full Cyber Kill Chain from Recon to Objective
⑊ Often blind, unannounced exercise
⑊ Determine what TTPs would work, undetected if a true attack
occurred and action plan to remediate
@JORGEORCHILLES

5. 5
Measuring the effectiveness of
People, Process, and
Technology
Documented metrics and timeline of entire exercise
⑊ Time and TTPs to obtain initial access
⑊ TTPs that allowed moving laterally
⑊ Identify TTPs not prevented or detected
⑊ Process and time to escalate events into an incident
⑊ Time to contain
⑊ Time to eradicate
⑊ Process to engage hunt team, coordinate communications, alert
leadership and correlate all events and realize sophisticated,
targeted attack
@JORGEORCHILLES

6. 6
ASSUMPTIONS
That attack won’t work here because…
“We applied all patches”
“We have outbound DLP”
“Our users would never open a macro”
“Our applications have MFA”
“Our network is segmented and only way out
is through proxy”
“We have firewalls, AV, and IDS”
Trust but verify
Can the Iranians breach us?
@JORGEORCHILLES

7. 7
Training and improving the Blue Team
⑊ Every Red Team Exercise will result in Blue Team getting better
⑊ As you measure the people, process, and technology you will see
improvements
⑊ Lessons will be learned, and processes improved
⑊ The more you train, the more you improve
@JORGEORCHILLES

8. 8
FRAMEWORK
&
METHODOLOGIES
⑊ Cyber Kill Chain – Lockheed Martin
⑊ Unified Cyber Kill Chain – Paul Pols
⑊ ATT&CK – MITRE
Regulatory
⑊ CBEST Intelligence Led Testing – Bank of England
⑊ Threat Intelligence-Based Ethical Red Teaming – TIBER-EU
⑊ Red Team: Adversarial Attack Simulation Exercises – ABS (Association
of Banks of Singapore)
⑊ intelligence-led Cyber Attack Simulation Testing (iCAST) – HKMA
(Hong Kong Monetary Authority)
⑊ G-7 Fundamental Elements for Threat-Led Penetration Testing
(G7FE-TLPT)
⑊ A Framework for the Regulatory Use of Penetration
Testing and Red Teaming in the Financial Services
Industry – GFMA (Global Financial Markets Association)
@JORGEORCHILLES

9. INITIAL ACCESS EXECUTION PERSISTENCE PRIVILEGE
ESCALATION
DEFENSIVE EVASION CREDENTIAL ACCESS DISCOVERY LATERAL
MOVEMENT
COLLECTION COMMAND AND
CONTROL
EXFILTRATION IMPACT
DRIVE- BY
COMPROMISE
APPLESCRIPT .BASH_PROFULE
AND .BASHRC
ACCESS TOKEN
MANIPULATION
ACCESS TOKEN
MANIPULATION
ACCOUNT
MANIPULATION
ACCOUNT
DISCOVERY
APPLESCRIPT AUDIO CAPTURE COMMONLY USED
PORT
AUTOMATED
EXFILTRATION
DATA DESTRUCTION
EXPLOIT PUBLIC-
FACING
APPLICATION
CMSTP ACCESIBILITY
FEATURES
ACCESIBILITY
FEATURES
BITS JOBS BASH HISTORY APPLICATION
WINDOW
DISCOVERY
APPLICATION
DEPLOYMENT
SOFTWARE
AUTOMATED
COLLECTION
COMMUINICTION
THROUGH
REMOVABLE DATA
DATA COMPRESSED DATA ENCRYPTED
FOR IMPACT
EXTERNAL REMOTE
SERVICES
COMMAND-LINE
INTERFACE
ACCOUNT
MANIPULATION
APPCERT DLLS DINARY PADDING BRUTE FORCE BROWSER
BOOKMARK
DISCOVERY
DISTRUBETED
COMPONENT
OBJECT MODEL
CLIPBOARD DATA CONNECTION PROXY DATA ENCRYPTED DEFACEMENT
HARDWARE
ADDITIONS
COMPILED HTML
FILE
APPCERT DLLS APPINIT DLLS ACCOUNT CONTROL
BYPASS USER
CREDENTIAL
DUMPING
DOMAIN TRUST
DISCOVERY
EXPLOITATION OF
REMOTE SERVICES
DATA STAGE CUSTOM COMMAND
AND CONTROL
PROTOCOL
DATA TRANSFER SIZE
LIMIT
DISK CONTENT WIPE
REPLICATION
THROUGH
REMOVABLE MEDIA
CONTORL PANEL
ITEMS
APPINIT DLLS APPLICATION
SHIMMIMG
CMSTP CREDENTIALS IN
FILES
FILE AND DIRECTORY
DISCOVERY
LOGON SCRIPT DATA FROM
INFORMATION
REPOSITORIES
CUSTOM
CRYPTOGRAPHIC
PROTOCOL
EXFILTRATION OVER
ALTERNATIVE
PROTOCOL
DISK STRUCTURE
WIPE
SPEARPHISHING
ATTACHMENT
DYNAMIC DATA
EXCHANGE
APPLICATION
SHIMMING
BYPASS USER
ACCOUNT CONTROL
CLEAR COMMAND
HISTORY
CREDENTIALS IN
REGISTRY
NETWORK SERVICE
SCANNING
PASS THE HASH DATA FROM LOCAL
SYSTEM
DATA ENCODING EXFILTRATION OVER
COMMAND AND
CONTROL CHANNEL
ENDPOINT DENIAL
OF SERVICE
SPEARPHISHING
LINK
EXECUTION
THROUGH API
AUTHENTICATION
PACKAGE
DLL SEARCH ORDER
HIJACKING
CODE SIGNING EXPLOITATION FOR
CREDENTIAL ACCESS
NETWORK SHARE
DISCOVERY
PASS THE TICKET DATA FROM
NETWORK SHARE
DRIVE
DATA OBFUSCATION EXFILTRATION OVER
OTHER NETWORK
MEDIUM
FIRMWARE
CORRUPTION
MITRE has developed the ATT&CK Matrix as a central repository for adversary TTPs. It
is used by both red and blue teams. It is rapidly gaining traction as a de facto standard!
@JORGEORCHILLES

10. FRAMEWORK
Most organizations will take a hybrid approach
based on the frameworks and methodologies just
introduced
⑊ Threat Intelligence
⑊ Planning
⑊ Testing
⑊ Closure
@JORGEORCHILLES

11. T1086 –
PowerShell
T1068 – Exploitation for
Privilege Escalation
T1003 – Credential
Dumping
S0194 –
PowerSploit
S0192 –
Pupy
S0002 –
Mimikatz
S0129 –
AutoIT
Hash
Value
IP Address
TACTICS | TECHNIQUES | PROCEDURES
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
@JORGEORCHILLES

12. ATT&CK Navigator

13. @JORGEORCHILLES
Category Description
Description
APT19 is a Chinese-based threat group that has targeted a variety of industries, including defense,
finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal
services.
Goal and Intent
Exist in the network to enumerate systems and information in order to maintain Command and Control
to support future attacks.
Command and Control
Commonly Used Port (T1043) - TCP port 80; Standard Application Layer Protocol (T1071) - HTTP;
Deobfuscate/Decode Files or Information (T1140); Data Encoding (T1132) - used Base64 to encode
communications to the C2 server
Initial Access Spearphishing attachment (T1193); Spearphishing link (T1192)
Execution
PowerShell (T1086); User Execution; Hidden Windows (T1143) - used -W Hidden to conceal PowerShell
windows by setting the WindowStyle parameter to hidden; Obfuscated Files or Information (T1027) -
used Base64 to obfuscate commands and the payload; DLL Side-Loading (T1073)
Discovery
System Owner/User Discovery (T1033); System Information Discovery (T1082) System Network
Configuration Discovery (T1016)
Persistence
Registry Run Keys/ Start up Folder (T1060) - establishes persistence by setting the Registry key
HKCUSoftwareMicrosoftWindowsCurrentVersionRun
Defense Evasion
Regsvr32 (T1117); Scripting (T1064) - downloaded and launched code within a SCT file to bypass
application whitelisting techniques

14. 14
TRUSTED AGENTS RULES OF
ENGAGEMENT
ATTACK
INFRASTRUCTURE
o Limited number of people with knowledge of
the exercise
o When players find out about exercise their
behavior changes
o Individuals whose daily roles and
responsibilities put them in a position to
contribute to reducing the risk of causing
unintended impact to production systems
and/or inaccurate senior or external escalation
Establish the responsibility, relationship, and
guidelines between Trusted Agents and Players
o Rules for Blue Team
o Carry out all activity as any other incident
o Trusted Agents will report what incidents
are being investigated
o Do not report exercise related items to
regulators
o Rules for Red Team
o Do not bring down any business process
or operation
o Communicate all actions during daily
brief
Red Team is responsible for setting up
infrastructure to emulate TTPs
o Choose and procure
external hosting
service providers
o Purchase domain
names
o Generate domain
certificates
o Setup mail servers
o Setup phishing and
credential theft sites
o Confirm reputation
and categorization
of all domain and
IPs
o Setup Short and
Long Haul C2
infrastructure
o Configure custom
C2 tooling
o Test external C2
communication
PLANNING @JORGEORCHILLES
White Team or White Cell

15. 15
Matrix of command and control
frameworks for Red Teamers
⑊ Google doc of most C2 frameworks: www.thec2matrix.com
⑊ Documents various capabilities of each framework
⑊ There is no right or wrong, better or worse framework
⑊ Find ideal C2 for your current objective
⑊ Wizard like UI to select which one: ask.thec2matrix.com
⑊ How-To Site for using C2s: howto.thec2matrix.com
⑊ SANS Slingshot C2 Matrix Edition
@JORGEORCHILLES

16. Let’s do it Live!
@JORGEORCHILLES

20. 20

21. 21
VULNERABILITY
SCANNING
VULNERABILITY
ASSESSMENT
PENETRATION
TESTING
RED
TEAM
Emulate APT19 with
Empire3 & Starkiller
https://howto.thec2matrix.com/c2/empire#red-team-village-mayhem-demo-of-apt19
@JORGEORCHILLES

22. 22
⑊ What TTPs were prevented? Why? Document these too!
⑊ What was detected? How long did it take?
- Time to contain
- Time to eradicate
⑊ Where processes followed?
- Process and time to escalate events into an incident
- Process to engage hunt team
- Process to coordinate communications & alert leadership
- Process to corelate all events and realize sophisticated, targeted attack
CLOSURE
@JORGEORCHILLES

24. 24

25. 25

26. Threat
Catalog
Cyber
Threat
Intelligence
Emulation
Plan
C2 Server &
Reports for
the Business
MITRE ATT&CK
Production
Automated Emulation
Initial Access
https://medium.com/@jorgeorchilles/purple-team-exercise-tools-a85187ce341
⑊ Red Team will be
asked to repeat TTPs
⑊ Don’t waste Red Team
Operator time re-
doing the same TTP
while engineers,
operations, and SOC
get detection working

27. Thank you!
Q & A?@JorgeOrchilles
@C2_Matrix
https://www.thec2matrix.com/
https://www.sans.org/sec564