SlideShare une entreprise Scribd logo

Adversary Emulation using CALDERA

Télécharger en tant que PPTX, PDF
Erik Van Buggenhout
Erik Van Buggenhout

Presentation at BrucON 2019

Business
1  sur  45
www.nviso.eu MITRE Caldera Automated Adversary Emulation using Caldera BruCON 10 October 2019
A few words about myself www.nviso.eu | 2 Why are assembly developers usually wet?
Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
This is not adversary emulation www.nviso.eu | 5 Adversary emulation using Nessus? Vulnerability Scans Vulnerability Scans + Metasploit “Creative” Red Teams
So what is it? www.nviso.eu | 6 Defining adversary emulation Adversary emulation is an activity where security experts emulate how an adversary operates. The ultimate goal, of course, is to improve how resilient the organization is versus these adversary techniques. Both red and purple teaming can be considered as adversary emulation. Adversary activities are described using TTPs (Tactics, Techniques & Procedures). These are not as concrete as, for example, IOCs, but they describe how the adversary operates at a higher level. Adversary emulation should be based on TTPs. As such, a traditional vulnerability scan or internal penetration test that is not based onTTPs should not be considered adversary emulation. TTP Adversary emulation should be performed using a structured approach, which can be based on a kill chain or attack flow. MITRE ATT&CK is a good example of such a standard approach. ATT&CK
Penetration Test vs Adversary Emulation www.nviso.eu | 7 Knowing the difference PENETRATIONTEST Identify and exploit vulnerabilities on a (series of) system(s) to assess security Focused on a specific scope (typically an application or network range) ADVERSARY EMULATION Assess how resilient an organization is versus a certain adversary / threat actor Focused on the execution of a scenario (typically defined by a number of flags) VS Typically tests both prevention & detection (so is less valuable if there is no blue team) Primarily tests prevention, typically less focus on detection
Red Team vs Purple Team www.nviso.eu | 8 Knowing the difference RedTeam A red team involves emulation of a realistic threat actor (usingTTPs) In a typical red team, interaction with the blue team is limited (red vs blue) PurpleTeam A purple team involves emulation of a realistic threat actor (usingTTPs) In a typical purple team, interaction with the blue team is maximized (collaboration) VS The goal of the purple team is to improve how well the blue team prevents & detects The goal of the red team is to assess how well the blue team prevents & detects
MITRE ATT&CK www.nviso.eu | 9 Defining a common language "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” – MITRE ATT&CK website Tactics are used to describe high-levels attack steps used by an adversary. These can be compared to the “steps” in the Lockheed Martin Cyber Kill Chain © Tactics & Techniques MITRE ATT&CK assumes breach and thus the “first” tactic is initial intrusion. Any activity performed before is covered by the PRE-ATT&CK framework. How a certain tactic is executed is described by a variety of techniques. For every technique, MITRE ATT&CK includes a description, detection & prevention recommendations and known threat actors who use the technique.
MITRE ATT&CK www.nviso.eu | 10 Tactics & Techniques TACTICS TECHNIQUES
Zooming in on a specific technique www.nviso.eu | 11 What level of detail is offered? Known adversaries that use the technique General Info High-Level Description
Zooming in on a specific technique www.nviso.eu | 12 What level of detail is offered? How to prevent? How to detect?
ATT&CK is the common language we should all speak www.nviso.eu | 13 Leveraging MITRE ATT&CK in your organization
Common ATT&CK pitfalls www.nviso.eu | 14 How to not do MITRE ATT&CK #1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques.You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases,ATT&CK is not perfect. Furthermore, not everything is documented!
Common ATT&CK pitfalls www.nviso.eu | 15 Technique 1003 – Credential Dumping
Technique Prioritization www.nviso.eu | 16 How to prioritize? Criteria #1 Overall popularity of the technique The overall popularity of an ATT&CK technique is a good indicator of how important it is to cover it (using either preventive or detective controls). In January 2019, MITRE & Red Canary released a presentation where they highlighted 7 key techniques! Furthermore, many vendors provide “ATT&CK Heat Maps” where they describe what techniques they most frequently observe. Criteria #2 Relevance of threat actors for your organization Next to the overall “popularity” of a technique,there is of course another factor: Is the technique known to be used by an adversary that is interested in your organization? ATT&CK has information on what techniques are used by what actors. In order to figure out what threat actors are relevant for your industry or organization, it helps to follow up on threat intelligence reports.
ATT&CK for adversary emulation www.nviso.eu | 17 Operationalizing MITRE ATT&CK
Building an emulation plan www.nviso.eu | 18 Let’s start building! What threat actors (and related adversary techniques) are relevant to the organization? What techniques does the organization believe are covered by security controls? What techniques does the organization believe are detected by monitoring use cases? How much time & effort will be spent during the engagement? Building a good adversary emulation plan is crucial to success.The emulation plan should mimic an actual adversary and can include distinct phases. In MITRE’s APT3 emulation plan, the following phases are distinguished: 1. Set up adversary infrastructure (e.g. C2) and obtain initial execution (Initial Access) 2. Internal discovery, privilege escalation and lateral movement (Lateral movement) 3. Collection, staging and exfiltration (Action on Objectives) So what techniques should you select as part of your plan?There’s a few criteria to take into account;
Example of an emulation plan www.nviso.eu | 19 Emulating our Russian friends EMULATION PLAN FOR APT-28 PHASE 1 PHASE 2 PHASE 3 Initial Access T1192 - Spearphishing Link Execution T1086 - PowerShell Persistence T1122 - COM Hijacking Privilege Escalation T1078 -Valid Accounts Defense Evasion T1107 - File Deletion Lateral Movement T1075 – PassThe Hash Not every plan needs to cover every single tactic! Improvise! Exfiltration T1041 - Exfil over C&C
Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
Adversary Emulation Stack www.nviso.eu | 21 Tools of the trade Adversary emulation can typically take two different forms: • Automated / scripted emulation of a (number of) specific MITRE ATT&CK techniques • Manual, full-stack emulation according to an adversary emulation plan Different tools exist that can help emulate the two objectives listed above! Automated / scripted emulation Manual, full-stack, emulation METTA
Atomic Red Team www.nviso.eu | 22 Quick and dirty! When trying to “quickly” test detection of specifics techniques, we can use Atomic RedTeam to emulate certain ATT&CK techniques.All Atomic RedTeam tests are portable and light- weight and allow for easy execution!
Uber METTA www.nviso.eu | 23 Leveraging VirtualBox and Vagrant Uber Metta leveragesYML files andVagrant to spin up virtual machines and execute commands!
Infection Monkey www.nviso.eu | 24 Time for some Monkey Business!
Infection Monkey | 25 Time for some Monkey Business! www.nviso.eu
Covenant | 26 Leveraging VirtualBox and Vagrant www.nviso.eu Adversary Sliver DNS C2 Unique Binary Each binary is equipped with plaintext canary DNS tokens. BlueTeam $ strings $ nslookup canary.c2.adversary.org
Covenant | 27 Following up on Empire Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. HTTPS://GITHUB.COM/COBBR/COVENANT www.nviso.eu
Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
Caldera | 29 What is Caldera? www.nviso.eu Caldera is a tool built by MITRE, with the express purpose of doing adversary emulation. It requires a bit of setup (as a server and clients need to be installed), it will actively "attack" target systems by deploying custom backdoors. Caldera’s attack steps are fully linked to the ATT&CK framework techniques! Local MITRE ATT&CK Caldera Attack GUI
A quick Caldera walkthrough | 30 Abilities www.nviso.eu
A quick Caldera walkthrough | 31 Groups www.nviso.eu
A quick Caldera walkthrough | 32 Adversaries www.nviso.eu
A quick Caldera walkthrough | 33 Operations www.nviso.eu
Getting up and running | 34 “Infecting” a system www.nviso.eu Win dows Groups A newly infected host, by the Sandcat plugin, joins a predefined group.
But you use PowerShell? | 35 OMFG www.nviso.eu Script Block Logging Constrained Language Mode AMSI Microsoft ”cleaned shop” and implemented several PowerShell controls (for prevention AND detection) over the past few years! The point is to detect ATT&CK techniques, not the Caldera agent!
Group Structure | 36 How Caldera is organised www.nviso.eu Adversary P1 Ability I Ability II P2 Ability III P3 Ability IV AbilityV Foo Bar Windo ws OS X Linux Ability PowerShell OS X Shell Linux Shell Operation Groups
Running a quick operation | 37 Praying to the demo gods… www.nviso.eu
Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Developing Caldera Plugins
Caldera development | 39 Abilities & plugins www.nviso.eu Using built-in adversaries Building adversaries with existing abilities Developing custom abilities Developing custom plugins
Developing custom abilities | 40 Abilities www.nviso.eu Abilities are easy to create from examples such as the one here…
Developing custom Caldera plugins | 41 Step 1 - Creating file & folder structure www.nviso.eu Adding a Caldera plugin requires us to interact with the Caldera folder structure. Inside Caldera's root folder we can find two interesting folders: conf and plugins.While the former will be used at a later stage to enable our plugin, the plugins folder will be our plugin's parent location. Creating the structure on the left is the first step in building our Caldera plugin. caldera +---conf | ---local.yml ---plugins ---brucon ---hook.py
Developing custom Caldera plugins | 42 Step 2 - Enable the plugin in the conf folder www.nviso.eu Enabling a plugin requires us to modify the caldera configuration.ThisYAML file is located under the Caldera conf folder. # [...] plugins: - caltack - ssl - stockpile - sandcat - gui - chain - caldex - brucon # Add our plugin's directory name to the collection # [...
Demo – Let’s do some of this stuff! | 43 Praying to the demo gods… www.nviso.eu
Conclusions | 44 Putting it all together www.nviso.eu Caldera is an amazing tool than be highly customized and further extended! Tools like Caldera do not replace a proper RedTeam… Tools like Caldera help the BlueTeam test techniques themselves and continuously improve
www.nviso.eu Want to get hacked? Reach us during business hours: +32 (0)2 318 58 31 info@nviso.eu Already hacked? Reach us 24/7: +32 (0)2 588 43 80 csirt@nviso.eu NVISO-BE/ caldex NVISO-BE/ caldera-abilities Coming soon, give us few more days to clean our code 

Recommandé

Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 

Recommandé

Adversary Emulation using CALDERA
Adversary Emulation using CALDERAAdversary Emulation using CALDERA
Adversary Emulation using CALDERAErik Van Buggenhout
 
Adversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEAdversary Emulation and Red Team Exercises - EDUCAUSE
Adversary Emulation and Red Team Exercises - EDUCAUSEJorge Orchilles
 
Adversary Emulation Workshop
Adversary Emulation WorkshopAdversary Emulation Workshop
Adversary Emulation Workshopprithaaash
 
8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 Matrix8.8 Las Vegas - Adversary Emulation con C2 Matrix
8.8 Las Vegas - Adversary Emulation con C2 MatrixJorge Orchilles
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...MITRE - ATT&CKcon
 
Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Adversary Emulation - Red Team Village - Mayhem 2020
Adversary Emulation - Red Team Village - Mayhem 2020Jorge Orchilles
 
Purple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConPurple Team Exercises - GRIMMCon
Purple Team Exercises - GRIMMConJorge Orchilles
 
Adversary Emulation - DerpCon
Adversary Emulation - DerpConAdversary Emulation - DerpCon
Adversary Emulation - DerpConJorge Orchilles
 
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 
Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 

Contenu connexe

Tendances

Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Jorge Orchilles
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Digit Oktavianto
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchMITRE - ATT&CKcon
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixJorge Orchilles
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMITRE ATT&CK
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...MITRE ATT&CK
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideMITRE ATT&CK
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookMITRE ATT&CK
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKMITRE ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Christopher Korban
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKMITRE ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKKatie Nickels
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionMITRE - ATT&CKcon
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksMauricio Velazco
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE - ATT&CKcon
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFJorge Orchilles
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE - ATT&CKcon
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesJorge Orchilles
 

Tendances (20)

Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
Managing & Showing Value during Red Team Engagements & Purple Team Exercises ...
 
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...Adversary Emulation and Its Importance for Improving Security Posture in Orga...
Adversary Emulation and Its Importance for Improving Security Posture in Orga...
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and ResearchUsing MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
 
Adversary Emulation and the C2 Matrix
Adversary Emulation and the C2 MatrixAdversary Emulation and the C2 Matrix
Adversary Emulation and the C2 Matrix
 
Mapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE ActivitiesMapping ATT&CK Techniques to ENGAGE Activities
Mapping ATT&CK Techniques to ENGAGE Activities
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
 
ATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue DivideATT&CKing the Red/Blue Divide
ATT&CKing the Red/Blue Divide
 
The ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT PlaybookThe ATT&CK Latin American APT Playbook
The ATT&CK Latin American APT Playbook
 
Knowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CKKnowledge for the masses: Storytelling with ATT&CK
Knowledge for the masses: Storytelling with ATT&CK
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
ATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CKATT&CK Updates- Defensive ATT&CK
ATT&CK Updates- Defensive ATT&CK
 
Threat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CKThreat-Based Adversary Emulation with MITRE ATT&CK
Threat-Based Adversary Emulation with MITRE ATT&CK
 
Transforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis QuestionTransforming Adversary Emulation Into a Data Analysis Question
Transforming Adversary Emulation Into a Data Analysis Question
 
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team PlaybooksSANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
SANS Purple Team Summit 2021: Active Directory Purple Team Playbooks
 
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
MITRE ATT&CKcon 2.0: Alertable Techniques for Linux Using ATT&CK; Tony Lamber...
 
Purple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEFPurple Team Exercise Framework Workshop #PTEF
Purple Team Exercise Framework Workshop #PTEF
 
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
MITRE ATT&CKcon 2.0: Prioritizing Data Sources for Minimum Viable Detection; ...
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation ExercisesPurple Team - Work it out: Organizing Effective Adversary Emulation Exercises
Purple Team - Work it out: Organizing Effective Adversary Emulation Exercises
 

Similaire à Adversary Emulation using CALDERA

Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageErik Van Buggenhout
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsAj MaChInE
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacksPriyanka Aash
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementJoe Vest
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Jennifer Burns
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_ConclaveNSConclave
 
Huntpedia
HuntpediaHuntpedia
HuntpediaJc Sv
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdfCecilSu
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMarc St-Pierre
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academyamallblitz0
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academyananthakrishnansblit
 
Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailMITRE ATT&CK
 
Outpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teamingOutpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teamingOutpost24
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationIBM Security
 
Flag4 CTF
Flag4 CTFFlag4 CTF
Flag4 CTFijtsrd
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber worldAkash Sarode
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf
 

Similaire à Adversary Emulation using CALDERA (20)

Leveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common LanguageLeveraging MITRE ATT&CK - Speaking the Common Language
Leveraging MITRE ATT&CK - Speaking the Common Language
 
Introduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation ToolsIntroduction to Adversary Evaluation Tools
Introduction to Adversary Evaluation Tools
 
(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks(SACON) Wayne Tufek - chapter five - attacks
(SACON) Wayne Tufek - chapter five - attacks
 
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team EngagementUsing IOCs to Design and Control Threat Activities During a Red Team Engagement
Using IOCs to Design and Control Threat Activities During a Red Team Engagement
 
Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...Proactive cyber defence through adversary emulation for improving your securi...
Proactive cyber defence through adversary emulation for improving your securi...
 
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
Using ATT&CK® for Containers to Level Up your Cloud Defenses - Jen Burns, fwd...
 
RED-TEAM_Conclave
RED-TEAM_ConclaveRED-TEAM_Conclave
RED-TEAM_Conclave
 
Red Team P1.pdf
Red Team P1.pdfRed Team P1.pdf
Red Team P1.pdf
 
Huntpedia
HuntpediaHuntpedia
Huntpedia
 
huntpedia.pdf
huntpedia.pdfhuntpedia.pdf
huntpedia.pdf
 
MITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position PaperMITRE ATT&CK framework and Managed XDR Position Paper
MITRE ATT&CK framework and Managed XDR Position Paper
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Cyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz AcademyCyber security course in kerala | C|PENT | Blitz Academy
Cyber security course in kerala | C|PENT | Blitz Academy
 
Dealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of DetailDealing With ATT&CK's Different Levels Of Detail
Dealing With ATT&CK's Different Levels Of Detail
 
Outpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teamingOutpost24 webinar - Improve your organizations security with red teaming
Outpost24 webinar - Improve your organizations security with red teaming
 
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent OrchestrationHow to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
How to Build a Faster, Laser-Sharp SOC with Intelligent Orchestration
 
Flag4 CTF
Flag4 CTFFlag4 CTF
Flag4 CTF
 
Threat hunting in cyber world
Threat hunting in cyber worldThreat hunting in cyber world
Threat hunting in cyber world
 
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
idsecconf2023 - Mangatas Tondang, Wahyu Nuryanto - Penerapan Model Detection ...
 

Dernier

Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentationuneakwhite
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptxnandhinijagan9867
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165meghakumariji156
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...meghakumariji156
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Adnet Communications
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Timegargpaaro
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsIndeedSEO
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...NadhimTaha
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSpanmisemningshen123
 
Power point presentation on enterprise performance management
Power point presentation on enterprise performance managementPower point presentation on enterprise performance management
Power point presentation on enterprise performance managementVaishnaviGunji
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingNauman Safdar
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Falcon Invoice Discounting
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateCannaBusinessPlans
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizharallensay1
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon investment
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified Binance Account
 

Dernier (20)

Uneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration PresentationUneak White's Personal Brand Exploration Presentation
Uneak White's Personal Brand Exploration Presentation
 
Phases of Negotiation .pptx
Phases of Negotiation .pptx Phases of Negotiation .pptx
Phases of Negotiation .pptx
 
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabiunwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
unwanted pregnancy Kit [+918133066128] Abortion Pills IN Dubai UAE Abudhabi
 
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
Lucknow Housewife Escorts by Sexy Bhabhi Service 8250092165
 
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
Escorts in Nungambakkam Phone 8250092165 Enjoy 24/7 Escort Service Enjoy Your...
 
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
Lundin Gold - Q1 2024 Conference Call Presentation (Revised)
 
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All TimeCall 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
Call 7737669865 Vadodara Call Girls Service at your Door Step Available All Time
 
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 MonthsSEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
SEO Case Study: How I Increased SEO Traffic & Ranking by 50-60% in 6 Months
 
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
joint cost.pptx COST ACCOUNTING Sixteenth Edition ...
 
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NSCROSS CULTURAL NEGOTIATION BY PANMISEM NS
CROSS CULTURAL NEGOTIATION BY PANMISEM NS
 
Power point presentation on enterprise performance management
Power point presentation on enterprise performance managementPower point presentation on enterprise performance management
Power point presentation on enterprise performance management
 
Mckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for ViewingMckinsey foundation level Handbook for Viewing
Mckinsey foundation level Handbook for Viewing
 
HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024HomeRoots Pitch Deck | Investor Insights | April 2024
HomeRoots Pitch Deck | Investor Insights | April 2024
 
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
!~+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUD...
 
Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024Marel Q1 2024 Investor Presentation from May 8, 2024
Marel Q1 2024 Investor Presentation from May 8, 2024
 
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
Unveiling Falcon Invoice Discounting: Leading the Way as India's Premier Bill...
 
New 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck TemplateNew 2024 Cannabis Edibles Investor Pitch Deck Template
New 2024 Cannabis Edibles Investor Pitch Deck Template
 
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al MizharAl Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
Al Mizhar Dubai Escorts +971561403006 Escorts Service In Al Mizhar
 
Falcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business PotentialFalcon Invoice Discounting: Unlock Your Business Potential
Falcon Invoice Discounting: Unlock Your Business Potential
 
Buy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From SeosmmearthBuy Verified TransferWise Accounts From Seosmmearth
Buy Verified TransferWise Accounts From Seosmmearth
 

Adversary Emulation using CALDERA

  • 1. www.nviso.eu MITRE Caldera Automated Adversary Emulation using Caldera BruCON 10 October 2019
  • 2. A few words about myself www.nviso.eu | 2 Why are assembly developers usually wet?
  • 3. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 4. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 5. This is not adversary emulation www.nviso.eu | 5 Adversary emulation using Nessus? Vulnerability Scans Vulnerability Scans + Metasploit “Creative” Red Teams
  • 6. So what is it? www.nviso.eu | 6 Defining adversary emulation Adversary emulation is an activity where security experts emulate how an adversary operates. The ultimate goal, of course, is to improve how resilient the organization is versus these adversary techniques. Both red and purple teaming can be considered as adversary emulation. Adversary activities are described using TTPs (Tactics, Techniques & Procedures). These are not as concrete as, for example, IOCs, but they describe how the adversary operates at a higher level. Adversary emulation should be based on TTPs. As such, a traditional vulnerability scan or internal penetration test that is not based onTTPs should not be considered adversary emulation. TTP Adversary emulation should be performed using a structured approach, which can be based on a kill chain or attack flow. MITRE ATT&CK is a good example of such a standard approach. ATT&CK
  • 7. Penetration Test vs Adversary Emulation www.nviso.eu | 7 Knowing the difference PENETRATIONTEST Identify and exploit vulnerabilities on a (series of) system(s) to assess security Focused on a specific scope (typically an application or network range) ADVERSARY EMULATION Assess how resilient an organization is versus a certain adversary / threat actor Focused on the execution of a scenario (typically defined by a number of flags) VS Typically tests both prevention & detection (so is less valuable if there is no blue team) Primarily tests prevention, typically less focus on detection
  • 8. Red Team vs Purple Team www.nviso.eu | 8 Knowing the difference RedTeam A red team involves emulation of a realistic threat actor (usingTTPs) In a typical red team, interaction with the blue team is limited (red vs blue) PurpleTeam A purple team involves emulation of a realistic threat actor (usingTTPs) In a typical purple team, interaction with the blue team is maximized (collaboration) VS The goal of the purple team is to improve how well the blue team prevents & detects The goal of the red team is to assess how well the blue team prevents & detects
  • 9. MITRE ATT&CK www.nviso.eu | 9 Defining a common language "MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.” – MITRE ATT&CK website Tactics are used to describe high-levels attack steps used by an adversary. These can be compared to the “steps” in the Lockheed Martin Cyber Kill Chain © Tactics & Techniques MITRE ATT&CK assumes breach and thus the “first” tactic is initial intrusion. Any activity performed before is covered by the PRE-ATT&CK framework. How a certain tactic is executed is described by a variety of techniques. For every technique, MITRE ATT&CK includes a description, detection & prevention recommendations and known threat actors who use the technique.
  • 10. MITRE ATT&CK www.nviso.eu | 10 Tactics & Techniques TACTICS TECHNIQUES
  • 11. Zooming in on a specific technique www.nviso.eu | 11 What level of detail is offered? Known adversaries that use the technique General Info High-Level Description
  • 12. Zooming in on a specific technique www.nviso.eu | 12 What level of detail is offered? How to prevent? How to detect?
  • 13. ATT&CK is the common language we should all speak www.nviso.eu | 13 Leveraging MITRE ATT&CK in your organization
  • 14. Common ATT&CK pitfalls www.nviso.eu | 14 How to not do MITRE ATT&CK #1 Consider all ATT&CK techniques equal Given the size of the ATT&CK matrix, it’s impossible to (a) prevent or (b) detect all techniques.You only have limited resources and should thus prioritize! #2 Misjudge your coverage Most ATT&CK techniques are not “Boolean”. It’s possible that you detect or block certain variations of a technique, but others not. Scoring should thus be fine-grained. #3 Consider ATT&CK as the “holy trinity” ATT&CK is a valuable tool, but it’s not a silver bullet. Recognize that, for some use cases,ATT&CK is not perfect. Furthermore, not everything is documented!
  • 15. Common ATT&CK pitfalls www.nviso.eu | 15 Technique 1003 – Credential Dumping
  • 16. Technique Prioritization www.nviso.eu | 16 How to prioritize? Criteria #1 Overall popularity of the technique The overall popularity of an ATT&CK technique is a good indicator of how important it is to cover it (using either preventive or detective controls). In January 2019, MITRE & Red Canary released a presentation where they highlighted 7 key techniques! Furthermore, many vendors provide “ATT&CK Heat Maps” where they describe what techniques they most frequently observe. Criteria #2 Relevance of threat actors for your organization Next to the overall “popularity” of a technique,there is of course another factor: Is the technique known to be used by an adversary that is interested in your organization? ATT&CK has information on what techniques are used by what actors. In order to figure out what threat actors are relevant for your industry or organization, it helps to follow up on threat intelligence reports.
  • 17. ATT&CK for adversary emulation www.nviso.eu | 17 Operationalizing MITRE ATT&CK
  • 18. Building an emulation plan www.nviso.eu | 18 Let’s start building! What threat actors (and related adversary techniques) are relevant to the organization? What techniques does the organization believe are covered by security controls? What techniques does the organization believe are detected by monitoring use cases? How much time & effort will be spent during the engagement? Building a good adversary emulation plan is crucial to success.The emulation plan should mimic an actual adversary and can include distinct phases. In MITRE’s APT3 emulation plan, the following phases are distinguished: 1. Set up adversary infrastructure (e.g. C2) and obtain initial execution (Initial Access) 2. Internal discovery, privilege escalation and lateral movement (Lateral movement) 3. Collection, staging and exfiltration (Action on Objectives) So what techniques should you select as part of your plan?There’s a few criteria to take into account;
  • 19. Example of an emulation plan www.nviso.eu | 19 Emulating our Russian friends EMULATION PLAN FOR APT-28 PHASE 1 PHASE 2 PHASE 3 Initial Access T1192 - Spearphishing Link Execution T1086 - PowerShell Persistence T1122 - COM Hijacking Privilege Escalation T1078 -Valid Accounts Defense Evasion T1107 - File Deletion Lateral Movement T1075 – PassThe Hash Not every plan needs to cover every single tactic! Improvise! Exfiltration T1041 - Exfil over C&C
  • 20. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 21. Adversary Emulation Stack www.nviso.eu | 21 Tools of the trade Adversary emulation can typically take two different forms: • Automated / scripted emulation of a (number of) specific MITRE ATT&CK techniques • Manual, full-stack emulation according to an adversary emulation plan Different tools exist that can help emulate the two objectives listed above! Automated / scripted emulation Manual, full-stack, emulation METTA
  • 22. Atomic Red Team www.nviso.eu | 22 Quick and dirty! When trying to “quickly” test detection of specifics techniques, we can use Atomic RedTeam to emulate certain ATT&CK techniques.All Atomic RedTeam tests are portable and light- weight and allow for easy execution!
  • 23. Uber METTA www.nviso.eu | 23 Leveraging VirtualBox and Vagrant Uber Metta leveragesYML files andVagrant to spin up virtual machines and execute commands!
  • 24. Infection Monkey www.nviso.eu | 24 Time for some Monkey Business!
  • 25. Infection Monkey | 25 Time for some Monkey Business! www.nviso.eu
  • 26. Covenant | 26 Leveraging VirtualBox and Vagrant www.nviso.eu Adversary Sliver DNS C2 Unique Binary Each binary is equipped with plaintext canary DNS tokens. BlueTeam $ strings $ nslookup canary.c2.adversary.org
  • 27. Covenant | 27 Following up on Empire Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. HTTPS://GITHUB.COM/COBBR/COVENANT www.nviso.eu
  • 28. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Demo: Caldera plugins
  • 29. Caldera | 29 What is Caldera? www.nviso.eu Caldera is a tool built by MITRE, with the express purpose of doing adversary emulation. It requires a bit of setup (as a server and clients need to be installed), it will actively "attack" target systems by deploying custom backdoors. Caldera’s attack steps are fully linked to the ATT&CK framework techniques! Local MITRE ATT&CK Caldera Attack GUI
  • 30. A quick Caldera walkthrough | 30 Abilities www.nviso.eu
  • 31. A quick Caldera walkthrough | 31 Groups www.nviso.eu
  • 32. A quick Caldera walkthrough | 32 Adversaries www.nviso.eu
  • 33. A quick Caldera walkthrough | 33 Operations www.nviso.eu
  • 34. Getting up and running | 34 “Infecting” a system www.nviso.eu Win dows Groups A newly infected host, by the Sandcat plugin, joins a predefined group.
  • 35. But you use PowerShell? | 35 OMFG www.nviso.eu Script Block Logging Constrained Language Mode AMSI Microsoft ”cleaned shop” and implemented several PowerShell controls (for prevention AND detection) over the past few years! The point is to detect ATT&CK techniques, not the Caldera agent!
  • 36. Group Structure | 36 How Caldera is organised www.nviso.eu Adversary P1 Ability I Ability II P2 Ability III P3 Ability IV AbilityV Foo Bar Windo ws OS X Linux Ability PowerShell OS X Shell Linux Shell Operation Groups
  • 37. Running a quick operation | 37 Praying to the demo gods… www.nviso.eu
  • 38. Agenda for today 1 What is adversary emulation? 2 Tools of the trade 3 MITRE Caldera 4 Developing Caldera Plugins
  • 39. Caldera development | 39 Abilities & plugins www.nviso.eu Using built-in adversaries Building adversaries with existing abilities Developing custom abilities Developing custom plugins
  • 40. Developing custom abilities | 40 Abilities www.nviso.eu Abilities are easy to create from examples such as the one here…
  • 41. Developing custom Caldera plugins | 41 Step 1 - Creating file & folder structure www.nviso.eu Adding a Caldera plugin requires us to interact with the Caldera folder structure. Inside Caldera's root folder we can find two interesting folders: conf and plugins.While the former will be used at a later stage to enable our plugin, the plugins folder will be our plugin's parent location. Creating the structure on the left is the first step in building our Caldera plugin. caldera +---conf | ---local.yml ---plugins ---brucon ---hook.py
  • 42. Developing custom Caldera plugins | 42 Step 2 - Enable the plugin in the conf folder www.nviso.eu Enabling a plugin requires us to modify the caldera configuration.ThisYAML file is located under the Caldera conf folder. # [...] plugins: - caltack - ssl - stockpile - sandcat - gui - chain - caldex - brucon # Add our plugin's directory name to the collection # [...
  • 43. Demo – Let’s do some of this stuff! | 43 Praying to the demo gods… www.nviso.eu
  • 44. Conclusions | 44 Putting it all together www.nviso.eu Caldera is an amazing tool than be highly customized and further extended! Tools like Caldera do not replace a proper RedTeam… Tools like Caldera help the BlueTeam test techniques themselves and continuously improve
  • 45. www.nviso.eu Want to get hacked? Reach us during business hours: +32 (0)2 318 58 31 info@nviso.eu Already hacked? Reach us 24/7: +32 (0)2 588 43 80 csirt@nviso.eu NVISO-BE/ caldex NVISO-BE/ caldera-abilities Coming soon, give us few more days to clean our code 