Adversary Emulation is a type of ethical hacking engagement where the Red Team emulates how an adversary operates, leveraging the same tactics, techniques, and procedures (TTPs), against a target organization. The goal of these engagements is to train and improve people, process, and technology. This is in contrast to a penetration test, which focuses on testing technology and preventive controls. Adversary emulations are performed using a structured approach following industry methodologies and frameworks (such as MITRE ATT&CK) and leverage Cyber Threat Intelligence to emulate a malicious actor that has the opportunity, intent, and capability to attack the target organization. Adversary emulations may be performed blind (Red Team Engagement), where the Blue Team is not told about the engagement, or non-blind (Purple Team Exercise), where the Blue Team has full knowledge of it.
In this talk, we will learn about APT29 “Cozy Bear”, how they operate and what their objectives are. We will create an adversary emulation plan using C2 Matrix to pick the best command and control framework that covers the most TTPs. We will spend at least half the talk live demoing the attack with various tools that emulate the adversary behaviors and TTPs.
2. @JORGEORCHILLES
T1033 - System Owner/User Discovery
● Chief Technology Officer - SCYTHE
● C2 Matrix Co-Creator
● 10 years @ Citi leading offensive security team
● Certified SANS Instructor: SEC560, SEC504
● Author SEC564: Red Team Exercises and Adversary Emulation
● CVSSv3.1 Working Group Voting Member
● GFMA: Threat-Led Pen Test Framework
● ISSA Fellow; NSI Technologist Fellow
3. Agenda
● What is Adversary Emulation
● Bear Pictures
● Cyber Threat Intelligence
● Cozy Bear + Pictures
● Adversary Emulation Plan
● Bear Pictures
● Live Demo - pray to the demo bears
● MOAR Bear Pictures
● Defending against Bears + Pictures
● Cuddling with Bears
4. Red Team
● Definition:
○ “The practice of looking at a problem or
situation from the perspective of an
adversary”
– Red Team Journal
● Goal:
○ Make Blue Team better
○ Test and measure people, process, and
technology
○ Test assumptions
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
● Effort:
○ Manual
○ Many tools (C2 Matrix)
● Frequency:
○ Intelligence-led (new exploit, tool, or TTP)
● Customer:
○ Blue Teams
5. Red Teams
Internal Red Teams
● Repeated engagements
○ Remediation retesting
● Use privileged/insider knowledge
● Sparring partner
External Red Teams
● Offers new perspective
○ May have other industry
experience
● “Snapshot” engagements
6. Adversary Emulation
● Definition:
○ A type of Red Team exercise where the Red Team emulates how an adversary operates,
following the same tactics, techniques, and procedures (TTPs), with a specific objective similar
to those of realistic threats or adversaries.
● Goal:
○ Emulate an adversary attack chain or scenario
○ Understand organization’s preparedness if under a real, sophisticated attack
● Effort:
○ Manual
● Customer:
○ Entire organization
https://medium.com/@jorgeorchilles/ethical-hacking-definitions-9b9a6dad4988
8. Purple Team Exercises
● Virtual, functional team where Red and Blue work together to
measure and improve defensive security posture
○ CTI identifies a threat actor with the capability, intent, and opportunity to
attack the organization
○ Red Team creates the adversary emulation plan
○ Tabletop discussion with defenders about the attacker tactics,
techniques, and procedures (TTPs) and expected defenses
○ Emulation of each adversary behavior (TTP)
○ Blue Team looks for indicators of behavior
○ Red and Blue work together to create a remediation action plan
● Repeat exercises to measure and improve people,
process, and technology
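The exercise loop above yields one record per executed TTP that Red and Blue can score and diff from one run to the next. The Python below is an added example, not code from the talk or from SCYTHE: it assumes a constructed six-step plan keyed by ATT&CK technique ID, records each Blue Team outcome on an ordinal scale (not logged, logged, detected, alerted, prevented), scores a run, lists blind spots, and diffs two runs so the remediation action plan and any regressions fall out of the data rather than from memory.

```python
"""Purple Team exercise scorecard.

Added example; not code from the talk or from SCYTHE. RUN_1 and RUN_2 are
constructed sample results for the same six-step plan before and after a
round of remediation.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Outcome(IntEnum):
    """What the Blue Team saw for one executed TTP, worst to best."""
    NOT_LOGGED = 0   # no telemetry at all: a blind spot
    LOGGED = 1       # data exists but no detection looked at it
    DETECTED = 2     # found afterwards by a hunt query
    ALERTED = 3      # SOC alert fired during the exercise
    PREVENTED = 4    # control blocked the behaviour outright


@dataclass(frozen=True)
class Step:
    technique: str   # ATT&CK technique ID
    tactic: str
    procedure: str   # what the Red Team actually ran
    outcome: Outcome


@dataclass
class Exercise:
    adversary: str
    steps: list[Step] = field(default_factory=list)

    def score(self) -> float:
        """Mean outcome normalised to 0..1; 1.0 means every step was prevented."""
        if not self.steps:
            return 0.0
        return sum(int(s.outcome) for s in self.steps) / (len(self.steps) * int(Outcome.PREVENTED))

    def blind_spots(self) -> list[str]:
        """Techniques that produced no telemetry: first items on the remediation plan."""
        return [s.technique for s in self.steps if s.outcome == Outcome.NOT_LOGGED]

    def by_tactic(self) -> dict[str, float]:
        """Same normalised score, broken out per ATT&CK tactic."""
        buckets: dict[str, list[int]] = {}
        for s in self.steps:
            buckets.setdefault(s.tactic, []).append(int(s.outcome))
        return {t: sum(v) / (len(v) * int(Outcome.PREVENTED)) for t, v in buckets.items()}


def compare(before: Exercise, after: Exercise) -> dict[str, list[str]]:
    """Diff two runs of the same plan by technique: improved, regressed, unchanged.
    A regression usually means a log source or detection rule silently broke."""
    prev = {s.technique: s.outcome for s in before.steps}
    result: dict[str, list[str]] = {"improved": [], "regressed": [], "unchanged": []}
    for s in after.steps:
        old = prev.get(s.technique)
        if old is None:
            continue  # step was not in the earlier run; nothing to compare
        bucket = "improved" if s.outcome > old else "regressed" if s.outcome < old else "unchanged"
        result[bucket].append(s.technique)
    return result


# Constructed sample data: first run of the plan.
RUN_1 = Exercise("APT29 (constructed sample)", [
    Step("T1566.001", "initial-access", "macro-enabled document via phishing", Outcome.ALERTED),
    Step("T1059.001", "execution", "encoded PowerShell stager", Outcome.LOGGED),
    Step("T1003.001", "credential-access", "LSASS minidump via comsvcs.dll", Outcome.DETECTED),
    Step("T1021.002", "lateral-movement", "service binary copied over admin share", Outcome.NOT_LOGGED),
    Step("T1041", "exfiltration", "archive sent over the HTTPS C2 channel", Outcome.NOT_LOGGED),
    Step("T1070.004", "defense-evasion", "staging directory deleted", Outcome.LOGGED),
])

# Constructed sample data: same plan after remediation. Note the regression on
# T1070.004, the kind of thing only a repeat exercise catches.
RUN_2 = Exercise("APT29 (constructed sample)", [
    Step("T1566.001", "initial-access", "macro-enabled document via phishing", Outcome.ALERTED),
    Step("T1059.001", "execution", "encoded PowerShell stager", Outcome.ALERTED),
    Step("T1003.001", "credential-access", "LSASS minidump via comsvcs.dll", Outcome.PREVENTED),
    Step("T1021.002", "lateral-movement", "service binary copied over admin share", Outcome.DETECTED),
    Step("T1041", "exfiltration", "archive sent over the HTTPS C2 channel", Outcome.LOGGED),
    Step("T1070.004", "defense-evasion", "staging directory deleted", Outcome.NOT_LOGGED),
])

if __name__ == "__main__":
    for run in (RUN_1, RUN_2):
        print(f"score {run.score():.2f}  blind spots {run.blind_spots()}")
    print(compare(RUN_1, RUN_2))
```

The ordinal scale is the point: "detected" and "prevented" are not the same result, and averaging a per-TTP ordinal over the whole plan (or per tactic) gives a number that can be tracked across repeat exercises, while the regression list catches the log source that stopped shipping between runs.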
10. Framework & Methodology
● Cyber Kill Chain – Lockheed Martin
● Unified Cyber Kill Chain – Paul Pols
● Financial/Regulatory Frameworks
○ CBEST Intelligence Led Testing (Bank of England)
○ TIBER-EU: Threat Intelligence-Based Ethical Red Teaming (European Central Bank)
○ AASE: Red Team: Adversarial Attack Simulation Exercises (Association of Banks in Singapore)
○ iCAST: Intelligence-led Cyber Attack Simulation Testing (Hong Kong Monetary Authority)
○ GFMA: A Framework for the Regulatory Use of Penetration Testing in the Financial Services Industry
● Testing Framework: MITRE ATT&CK
14. Cozy Bear
● Threat group (APT29, MITRE ATT&CK G0016) that has been attributed to the
Russian government
● Reportedly compromised the Democratic National Committee starting in 2015
● Commitment to stealth and sophisticated implementations of techniques via an
arsenal of custom malware
Source: https://attackevals.mitre.org/APT29/
Thanks MITRE!! https://twitter.com/MITREattack
17. Planning
● Goals and Objectives
● Red Team or Purple Team Exercise?
○ Blue Team has full knowledge or no knowledge?
● Exercise Coordinator/Project Manager
● Assume Breach or Full End-to-End?
○ Initial Access takes time
○ Infinite ways in
○ Moving target
● Rules of Engagement
● Attack Infrastructure
Thanks Alex!! https://twitter.com/_sailfinn
18. Determine Tools to Use - C2 Matrix
● Google Sheet of C2s
● https://www.thec2matrix.com/
● Find ideal C2 for your needs
● SANS Slingshot C2 Matrix VM
● https://howto.thec2matrix.com
● Follow @C2_Matrix
19. Adversary Emulation Plan
Split across 2 days; 20 steps:
● Initial Access via Phishing
○ Broad & Targeted
● Day 1: Smash-and-Grab
○ Pupy & Metasploit/Meterpreter
● Day 2: Stealth (low and slow)
○ PoshC2 and PowerShell
● Resources:
○ https://attackevals.mitre.org/APT29/operational-flow.html
○ https://github.com/mitre-attack/attack-arsenal/tree/master/adversary_emulation/APT29/Emulation_Plan
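Picking C2 frameworks for a plan is a coverage problem, which is why the APT29 plan above spans Pupy/Meterpreter on day 1 and PoshC2 on day 2 rather than a single tool. The Python below is an added example, not code from the talk, the C2 Matrix, or MITRE's emulation plan: it assumes a constructed plan of ATT&CK technique IDs and constructed capability sets for three frameworks (sample data, not the real C2 Matrix rows for those tools), ranks each framework by how much of the plan it covers, then runs a greedy set cover to pick the fewest frameworks that cover the plan and reports the techniques none of them provide, which the operator has to execute by hand.

```python
"""Rank C2 frameworks against an emulation plan and pick a covering set.

Added example; not code from the talk, the C2 Matrix, or MITRE's APT29 plan.
PLAN and C2_CAPABILITIES are constructed sample data. Real capability rows
would be taken from the C2 Matrix sheet at https://www.thec2matrix.com/.
"""
from __future__ import annotations

# Constructed: a small plan keyed by ATT&CK technique ID.
PLAN: dict[str, str] = {
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1059.003": "Command and Scripting Interpreter: Windows Command Shell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
    "T1053.005": "Scheduled Task/Job: Scheduled Task",
    "T1113": "Screen Capture",
    "T1560.001": "Archive Collected Data: Archive via Utility",
    "T1041": "Exfiltration Over C2 Channel",
    "T1070.004": "Indicator Removal: File Deletion",
    "T1036.005": "Masquerading: Match Legitimate Name or Location",
}

# Constructed sample capability sets: which plan techniques each framework can
# execute natively. NOT the real C2 Matrix entries for these tools.
C2_CAPABILITIES: dict[str, set[str]] = {
    "Pupy": {"T1059.001", "T1059.003", "T1003.001", "T1113", "T1560.001", "T1041"},
    "Meterpreter": {"T1059.003", "T1003.001", "T1021.002", "T1053.005", "T1113",
                    "T1041", "T1070.004"},
    "PoshC2": {"T1566.001", "T1059.001", "T1059.003", "T1003.001", "T1021.002",
               "T1053.005", "T1041", "T1070.004"},
}


def coverage(plan: dict[str, str], caps: dict[str, set[str]]) -> dict[str, float]:
    """Fraction of the plan's techniques each framework can run on its own."""
    needed = set(plan)
    return {name: len(needed & techs) / len(needed) for name, techs in caps.items()}


def rank(plan: dict[str, str], caps: dict[str, set[str]]) -> list[tuple[str, float]]:
    """Frameworks ordered by coverage, best first; ties broken by name."""
    return sorted(coverage(plan, caps).items(), key=lambda kv: (-kv[1], kv[0]))


def choose_c2s(plan: dict[str, str], caps: dict[str, set[str]]) -> tuple[list[str], set[str]]:
    """Greedy set cover: keep taking the framework that adds the most still-uncovered
    techniques until nothing helps. Returns (chosen frameworks, uncovered technique IDs)."""
    uncovered = set(plan)
    chosen: list[str] = []
    while uncovered:
        candidates = [(-len(uncovered & techs), name)
                      for name, techs in caps.items() if name not in chosen]
        if not candidates:
            break
        neg_gain, best = min(candidates)   # largest gain first, then alphabetical
        if neg_gain == 0:
            break                          # no remaining framework covers what is left
        chosen.append(best)
        uncovered -= caps[best]
    return chosen, uncovered


def gap_report(plan: dict[str, str], caps: dict[str, set[str]]) -> list[str]:
    """One line per technique no chosen C2 provides: these steps are run by hand with
    built-in OS tooling and still need to be logged and scored like the rest."""
    _, uncovered = choose_c2s(plan, caps)
    return [f"{tid} {plan[tid]}: execute manually, outside the C2" for tid in sorted(uncovered)]


if __name__ == "__main__":
    for name, frac in rank(PLAN, C2_CAPABILITIES):
        print(f"{name:12s} {frac:.0%}")
    chosen, _ = choose_c2s(PLAN, C2_CAPABILITIES)
    print("chosen:", ", ".join(chosen))
    print("\n".join(gap_report(PLAN, C2_CAPABILITIES)))
```

Greedy set cover is not guaranteed optimal, but for a handful of candidate frameworks it is exactly the "which C2 covers the most of what is left" reasoning an operator does by eye against the matrix, and it makes the leftover list explicit instead of discovering it mid-exercise.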
23. Want MOAR! Follow #ThreatThursday
● Weekly blog post with a chosen adversary
○ Introduce Adversary
○ Consume CTI and map to MITRE ATT&CK
○ Present Adversary Emulation Plan
■ Share the plan on SCYTHE Github
■ https://github.com/scythe-io/community-threats/
○ Emulate Adversary
○ How to defend against adversary
● Published Posts
○ APT19: https://www.scythe.io/library/threatthursday-apt19
○ Buhtrap: https://www.scythe.io/library/threatthursday-buhtrap
○ APT33: https://www.scythe.io/library/threatthursday-apt33
○ Cozy Bear: https://www.scythe.io/library/threatthursday-cozy-bear
Thanks Tim! https://twitter.com/malcomvetter
27. SCYTHE
● Enterprise-Grade platform for Adversary Emulation
○ Creating custom, controlled, synthetic malware
○ Can be deployed on-premises or cloud
● Emulate known threat actors against an enterprise network
○ Consistently execute adversary behaviors
○ Continually assess security tool configuration
○ Decreased evaluation time of security technologies
○ Identify blind spots for blue teams
○ Force-multiplier for red team resources
○ Measure and improve response of people and controls
28. Features & Capabilities
● Trivial installation - for real, see the
video
● Automation
○ Build cross-platform synthetic malware
via dashboard
○ Synthetic malware emulates chosen
behaviors consistently
● Delivery medium: web (drive-by)
and email
● Reports
○ HTML Report, CSV Report,
Executive Report and Technical
Report
○ Mapped to MITRE ATT&CK
● Integrations
○ PlexTrac - automated report writing
and handling
○ Integrated with SIEMs (Splunk and
Syslog)
○ Red Canary’s Atomic Red Team test
cases
○ RedELK and VECTR integration in
progress
29. What’s Next?
● SCYTHE v3
○ Virtual File System
○ Threat Automation language
■ Structured Data out of Unstructured Data
■ Use results of one action for the next action
● Module SDK
○ Native and Python SDK
○ In-memory loading techniques
● Marketplace
○ Ecosystem of third party contributors
○ Create custom modules
○ Request custom modules - TTP Bounty