Duration 40:01
Adversary Simulation: Close the Gaps in Your Security Posture

Don Murdoch
Senior Security Engineer at Blue Cross Blue Shield Association
RSAC 2021
May 20, 2021, Online, USA

About speaker

Don Murdoch
Senior Security Engineer at Blue Cross Blue Shield Association

D, James Murdoch, GSE #99, MSISE, MBA is a seasoned IT/InfoSec leader with over 20 years of multidisciplinary IT, management, security architecture/engineering, and Incident Response experience. Don is currently leveraging that experience at the Regent University Cyber Range to raise up the next generation of blue team defenders and evaluating products for best fit. Don is the author of the Blue Team Handbook: Incident Response edition, #3 of 100 Best Cyber Security Books of All Time on bookauthority.com, and BThB: SOC, SIEM, and Threat Hunting, a 5-star book changing SOCs worldwide. BTHb:SOCTH is adopted by many SOC teams and is reshaping how those teams conduct business. The first half of Don’s career emphasized software development, network and systems management, and database administration. At his career midpoint, he worked as the Information Systems Security Officer for Old Dominion University in Virginia, where he spent most of his days in the Wild, Wild West of academic computing and put most of his SANS education to the test. For the remainder of his career, Don has worked in computer, network, and information security as the lead Security Engineer/Security Architect, and then Director for the Strategy and Planning team for the Infrastructure division within a Fortune 500 Medicaid-focused insurance company, and lastly as the Director of an MSSP organization where his team developed, deployed, and managed a 24/7 SOC for numerous clients.


About the talk

Don Murdoch, Senior Principal Engineer, RSA. Need to validate a security posture and assess network resilience against an adversary? Looking for techniques to develop a measured adversary simulation or Purple Team program? This session will demonstrate how to use proven Purple Teaming techniques, evaluate security and process apparatus, and build a continually evolving program to better protect the enterprise.


Ladies and gentlemen, this is Don Murdoch. And I'm going to be doing a talk this afternoon here at the RSA conference on adversary simulation. We're going to go through this process, and what we want to be able to do throughout this presentation is help you close the gaps in your security posture. So, by way of introduction, I have been in IT for well over 25 years, about 17 years in information security. And I received what I would affectionately call my digital combat training in the wild, wild west of academic computing over that 17 years. I spent several years in there and we had a brief stint

out about your post. I did strategy and planning for a large organization, with a lot of experience in commercial, defense, and nonprofit, and I ran a cyber range for a major university's infrastructure. And also I'm the author of something you may have heard of called The Blue Team Handbook, kind of a well-known information security book out there in the space. I'm currently functioning as a principal security architect for RSA. The first thing I want to go over is: what is your value chain? And this is not the typical IT security

topic. I wanted to begin with this discussion because we need to be business relevant in the IT security space, and the business owners, the people that we work for, senior management, really want to understand how each one of their departments is being business relevant. So by definition, a formal definition, I put this here to kind of focus on it: a value chain is whatever the activities are that your organization does in a specific industry in order to either transform raw materials into a good or service, or have the right staff in the right service offerings in order to offer

this service in your industry, in the market. Michael Porter is the creator of this term. So, why do we care? Why are we starting off with a business-specific term? First and foremost, if you understand your value chain, it's a ready-made catalog of the possible points of exposure in your organization. It also gives you a roadmap for the systems that interact with the value chain, the systems that store the data in the value chain, and perhaps today especially, where the value chain interacts with other organizations through some kind of web service or information

exchange, anything like that. When you understand the value chain, you're proving that you're being relevant to your business. And lastly, it also really tells you, as you look in your environment at the systems that you're going to perform adversary simulation on, what you can absolutely not adversely affect; it helps you to define that. If you are a manufacturing firm that has some automation in your manufacturing space, robotics or something along those lines, you would want to know that that industrial control

equipment is probably not a good, safe target for your adversary simulation activity. So remember that The Blue Team defense it will the red team. Anyways, the tax we tried to do these things every single day. Where can you get some of this information? Your business continuity team is a great partner in understanding the components of your value chain and application and asset priority. Your disaster recovery team probably has a lot of those details to help you. So always start with value chain. Our security architecture, and what we're going to be testing or exercising for an adversary

simulation process, protects that value chain. You have to think like a red team to find threats, and you have to act blue to design and test the defenses. You'll see this a few times in my talk. By the way, as I'm going through this, I forgot to mention, as you have questions, please make sure that you put those questions in the chat, because I'll be able to answer them for you in real time during the talk. And when it's given, why people and processes in your adversary simulation process? You may really want to find out: are you crazy? Are people or process

that you're going to test? Or is there a lot of technology that you're going to test? You could look at this and say, one of the processes that we have is pretty exercised: tickets for application access. Maybe in my adversary simulation, perhaps I'm doing an insider threat adversary simulation activity, maybe I actually want to test the ability to access a control request and possibly gain access to a system that way rather than using a technical exploit. The other half of the security architecture that protects our value chain are all the technologies that we use: proxies,

DNS protection, detection and response agents, application firewalls, application-aware firewalls, how networks are built, what's in our class. So these things protect the value chain and they're all in scope for integrating into an adversary simulation. Historically, a lot of these activities were really performed in isolation; today we tend to integrate when we're performing these activities. You have red team performing an offensive operation; they tend to do that in isolation and in silos, while blue teams are defending. You'll see a lot of these activities every week on

purple teaming today. That's kind of the in-vogue term. So purple teaming, think of it as where you perform a red action and a blue action right after it, with the goal of looking at attack and defense. Can you detect? Can you prove your defenses on a particular attack? And it's a very short cycle definition. You'll also see here two things I put in yellow to call out. We have to understand that today attackers think in graphs and defenders think in lists. We have the defense side think about the list of resources, the list of networks, a list of

elevated accounts, the list of users who we have to protect. Attackers don't think that way. They gain some kind of a toehold, and when they have that toehold, they figure out where they can go from that toehold; if system A can talk to B, and B is supposed to talk to C, D and E, they have to map your network out there. Remember that we think differently and that should be incorporated. Here is a formal definition, and this is from a colleague of mine, Jake Williams of Rendition Infosec: an adversary simulation is where a red team

member or designated attacker, an approved one, is conducting some kind of assessment and making every effort to try to use the tools and techniques used by a specific, named adversary, someone we have some description of out there. This is different than red team emulation; a red team could use anything they want. Adversary emulation and simulation is behaving like a particular attacker, probably some organization that is specifically targeting you. And purple is a different ball of wax. I just wanted to make sure that we had these definitions, because

you'll see them a lot and they sound similar. If you break it down, you know, an adversary is our opponent, and that helps us to focus our attention in a dispute: an antagonist, someone coming against us. If you are a government or military organization and you're listening to this talk, obviously there are governmental organizations and military sets that would be in opposition to your foreign policy. If you're a commercial entity, that may be another organization in your commercial sector. And to emulate is a verb: to strive to be equal. So therefore, you think

red, test blue, act blue if you're simultaneously attacking and defending the network. A brief diversion here for the term breach and attack simulation software. When you read about these things, you may come across BAS software applications out there. It is not true adversary simulation; any of these tools that you see for breach and attack simulation exercise a particular part of your active security apparatus. So if you think about phishing testing and phishing techniques testing, there's a number of vendors that have tools that will test your anti-phishing defenses,

or test your staff, or see if your antivirus picks stuff up; those are mission-specific too. So they're not specific to humans behaving like red teams. Just be aware of that as you're going and doing research and determining how to build your program out. So you have to have a plan. First thing is your plan. When you build an adversary simulation event, think about a learning outcome. You want to test and have a use case where you're testing an insider threat, or an enemy of a company in opposition to you, who may gain access, who wants to steal the secret sauce. If you are Pepsi,

maybe you could pretend to be Coke or vice a versa. Or if you're an architectural company, maybe another architectural company, they plan to invade your network, but you have to have some kind of an outline and a plan. So we want to achieve an outcome when I'm proven knowledge of our environment to improve the skills of our staff and a group that proved the ability of the red team to perform tactical attacks and the blue team to defend technical talks. So we have very specific outcomes. It is really worth it to think about your writing a big picture lab for a big lab come up with

your scenario right? At the objectives. Do the outline figure out what controls our car going to be tested while you're right now. Comes our make sure that you have a scoring vehicle. Did the red team perform all 20 30 40 steps? Do they gain the expected result that The Blue Team detect? All 40 steps. Maybe they only detect 10 which made maybe that meant that the red team was very effective. Unless of course, they have to have been the first 10 and a blue team is actually bothering. You just don't wear blue team, and gauges is also something that you want to achieve an understanding when

you're done. You should include some things ahead of time. You're on Fearless dollar skills and abilities assessment. Do you have enough knowledge to do this? Do you need to go get some more help and you took up an adversary simulation. And it is a third-party to actually conducted who may have more technical skill, then even doing this. Since we're two things more often and fearlessly looked at your people processing technology. Start small to don't think about for our first Aguila adversary simulation product. We're going to try and then come up with something really Grand. Yes. Just start.

small; these are skills and muscles that you're going to develop. Another point here I wanted to point out is that sometimes these things are not as simple as you would think. So if you can kind of compare this to adult education, maybe you're creating a complex security course, you want to have a really great adversary lab. If you will, there's a lot of professional education organizations that tell us that to develop a solid hour of adult content and lab exercise, best estimates for that could be anywhere from 23 to 143 labor hours to make that lab exercise a really useful one.

So that's kind of something that we can kind of use when we're in our planning and thinking about how much time we have to commit. If you are an organization that uses timesheets, it really might be a good idea to actually have a time sheet charge code for this; that way you can know how much one of these things takes. Where do you start? The first thing that you want to understand is the MITRE ATT&CK framework, well known. It provides a really good outline for us and a really good structured process to understand the attacks: exploring a network, finding, attempted privilege

escalation, all those sorts of things. The next thing from that is you have to have an emulation plan, and I'm going to show you the MITRE APT3 plan which they provide on their website. So the plan is an Excel document, and when you look at this particular plan, they give you in the plan the commands that this particular adversary group runs, and a sense of order, and there's different ways to perform these types of things: giving you a commercial tool, Cobalt Strike; they've given you a command to use an open-source tool called Metasploit at this point,

and built-in Windows. There's a description on the right-hand side and there's quite a bit of information in here. It goes on and on and on: privilege escalation, what do they do? Credential theft, what kind of things this particular APT group does. And then we've got this last one here, maintaining, for sew-in understanding what's going on. This is a very, very useful tool for you and it's a great place to start. Once you have some kind of a plan, how are you going to gain support for doing that? First and foremost, as you build an exercise and adversary simulation plan,

you're going to end up maximizing your security spend, and you're going to be able to test lots of things in your security spend. A well-structured adversary simulation exercise should exercise most of the security in a technology stack. All of your stakeholders are brought together: your defensive teams, your internal red team functions, your application security teams for your apps, the AppSec folks, your vulnerability management. They can all be brought together in one of these exercises. You want to ensure that all of your controls, process, technical, SOC monitoring, blue team, all

those operational controls are working, that they're configured well. You want to find errors and weaknesses before anyone else finds those errors and weaknesses, especially if that person who could be finding your weakness or attacking your network is in fact an insider. It's a real thing; it doesn't happen as much as we think, but it's common enough to have an insider threat. Having an insider threat emulation scenario would be very, very useful. I created one of these for a company recently and we ran the exercise and we actually had a willing partner in the organization

who pretended to be the manager of an intern. And we had the scenario that we've hired an intern, we don't know them too well, maybe they're a bad apple and they came into the organization; how do we detect them early? And how would we go about finding the intern? Where is the intern? So we took a person in the organization and we got them to help us out. It's kind of an insider threat by to provide a solid framework. Other thing I want to tell you is that with a little bit of documentation, you can create some really nice new auditor compliance

reporting artifacts. Many of the audit class standards out there and the auditing process are looking to determine: is your organization improving its security posture every year, on a year-over-year basis? Did you do something to test your incident response plan? Going down one of these programs has to be very, very helpful with that. So if you want to run an adversary simulation project, what is it? What's the next thing that you need to know? You have to have the roles: who is playing red, white, blue, green; willing partners are very helpful. Define the use cases. Look at MITRE

ATT&CK as a good example. Figure out what skills you need to develop, whether or not you have the knowledge. Is there something that you're going to retire in your organization? If you want to test it, or you're going to retire something, there's a group of technical controls. So do you want to know that the firewall works? For instance, this is a really good example. You've been sold a next-generation firewall today. Now, do you have the capability to detect DNS exfiltration with a variety of tools that do that? So what you would actually want to say is, as a proof of technical control, we want to

exfiltrate data using a number of different DNS exfiltration tools. Does this actually work, and did our tool detect that? Something on the right-hand side that I wanted to bring out here is SWOT analysis. SWOT analysis is something that we do for business; it's really good for whatever it is we want to work on, whether it's a market or developing a new product. We try to identify the organization's strengths. You want to identify the organization's weaknesses. What are the opportunities that we can exploit? And what is a threat? So a little bit of SWOT analysis in the

adversary simulation could go this way: our team is really, really good with using that EDR tool we put in place last year, so maybe we need to figure out some other way of getting out of the network. Maybe there's an opportunity there. And not all machines are covered with the EDR, so if we get our initial foothold established and we don't do anything really bad, but we gain access to a Linux machine because we don't have any EDR tool there, that might be a great way for us to gain further access to our network. So I'm a little bit of a big fan of

isolated labs for doing these activities. DetectionLab is a great tool. As an example, with just one script you can install a variety of tools; about a day later you get a pretty good environment. Security Onion has a really nice detection tool set for you, doesn't cost hardly anything to install, and it's well supported if you want commercial support for that, too. You have to think of these things as, you know, your scenario and your information flow during your scenario that you write. You want to be as repeatable and reusable as possible so you can use the

simulation next year. And proper record-keeping is really important: using a team-of-two approach to make sure that as things are performed, one person makes note of things, notes the time, that sort of thing. Those are very important for meeting your scenario objectives. Also, if you list it out, say we use that APT3 plan, and we tried to exercise all, I think it's 80 or 90 items in that plan. Did you actually try it later, and how many of the 80 or 90 were detected, and when did you try them? So making notes on your activities is just really, really good. You'll also see a turn of phrase there: beware of the

investigation labyrinth. Each step in the blue team defense process is a natural pivot point for the investigator. A colleague of mine in the field, Chris Sanders, has done a lot of research in this space, and what he's found, after observing a lot of security analysts, is that people that pivot to packet capture data, or what we call data on the wire, took 40% longer to close a case than people that use other data sources when they're investigating a case. So there's a natural tendency

to use the richest contextual data that we can, and that's typically packet capture data. Categorically, that takes longer to solve the case. Instead, people who naturally pivoted to other sources figured out whether a single event of interest is or is not an actual contributing component to the simulation. They proved that out, yes or no; it helped those folks determine if something is or is not an issue more readily and end up there at the time. So your folks that are doing the defensive side of these things need to be really aware of cognitive

bias. And it's one of those things that really hurts the blue team. So you want to make sure that the blue team can control that case and understand the thought processes that they're following. You may implement a change as a result of this to contain a breach or the attack. You may have to make sure that, when you're going through your adversary simulation, if you have a material change to your network for a v, d ate something that may require a change control of that. So in terms of planning ahead of time, be aware that that's something that you want to have planned for. I'm

sorry, make sure at the end that you can perform some root cause analysis, and oftentimes for these events you want to produce a formal CAP, or corrective action plan. Those are usually measurable targets of things that you need to do in your organization. A couple of axioms here that we want to think about when we're measuring the success of a program: what cannot be measured cannot be managed. If you're trying to assess an aspect of your program and you don't have a way to measure it, you really can't manage it. And the other thing is,

not everything. That counts can be counted. You may think that there's a particular aspect of how your organization your operator that you're fooling yourself how they work at that DVD, for a very difficult to measure to just going to be aware that walking into the end of the scenario. I have a variety of metrics and a blue team handbook. I thought I'd give you some of these were going to steal some of these out in a few minutes. One of the things that kind of really important to test every time you do an adversary, simulation activity, is your time to sweep the Enterprise and that really

is testing your network. If you are capable of delivering a binary to an end user system, you want to know how hard, or how quickly, can we search every single computer on the network for that particular binary, that particular file, if that's something that you want to be improving. Every time, say you're in an organization that has 2,000 nodes in your network, maybe 200 servers and 1,800 workstations, or maybe 1,700 workstations and five shared rooms that are used for training or something like that, and the composition of all of

your network changes. How long does it take you to check all those machines? How long does it take you to check machines that went out of the network and came back into the network, for that test, that particular binary that you're searching for? So these are a variety of metrics, and I kind of wanted to highlight time to sweep the enterprise because every time you're performing an adversary simulation event, you want to exercise that. There's a couple of key things you want to measure: the MTTD, that is what other people also call mean time to detection. That's usually very

small because, you know, we have some platforms that tell us things. You can measure that if you wanted to, but the mean time to decision is how long it takes an analyst, or a SOC analyst, or some other person involved in defense, to take any of that, could be an alarm, could be a bigger piece of threat data, and determine if that's true, meaning it's something to pay attention to, or it's a false positive. How long does this decision take? The next thing that you want to be able to measure is how long does it take to actually compromise a box, from the minute that your red team

activity initiates, or starts your attack, to how long they're capable of actually compromising an end target. If they're coming in from the web, it may take them several hours to actually find an entry to the network. That could be a very long time; it could be 2 minutes. So we want to know that these are measures and we want to know how long these things took, because as a result of this we can figure out if we need to improve this measure. The next thing that kind of makes a difference is mean time to privilege escalation. So how long does it actually take someone when they gain

some kind of a toehold to go all the way to full compromise, where they have elevated access to a box? This is not necessarily immediate; when you pop a box you don't necessarily get administrative rights or membership in an elevated group. So you do want to be aware that that's a measure that you want to retain. There's a number of prerequisites you have to have to successfully measure your program. Make sure that you have good centralized logging; you may or may not have that, but if you're going to test a particular control, or a particular technical

system, make sure they actually have that turned on and it works, because you do want to know. We do want to avoid what we call the coffee break SIEM. Justin Henderson talks about this. It's a great phrase for the kind of security platform where you instrument a search and then you push the button to go start the search. So you're looking for something over the last 24 hours, and you do behavioral, you have enough time to walk down to the other end of the building, get a cup of joe, doctored up with the appropriate amount of Splenda, the pink stuff, or sugar and creamer, a couple of stories, say

hi to somebody at the water cooler and come back. If it takes your system that long to give you that answer, that's something that you want to work on and avoid; figure out what you could do to solve that. You may or may not have an EDR platform. Most organizations do, but there's some really great tools from Microsoft that have come out that you can use to better instrument detection on your endpoints, Sysmon being one of them; that tool has a lot of great visibility. And if you don't own an EDR platform, one of the great things you could do is use Windows Event

Collection, or Windows Event Forwarding, and Microsoft respond to go to centrally collect some data on a central system. So you do have to be aware that your endpoint, your individual workstation, your Windows machine, will probably need some extra instrumentation to give you a really good view of what actually happened on a machine. Network device logs: if you don't have a perimeter packet capture system, Zeek is an open source tool; you can put it on a medium-class machine with a mirror port and collect really good data. After you have permitted, it is or not. Those

are two things. You've got to have people power. One of the things that you need to make these programs really successful is a lot of natural curiosity; people have to be kind of inquisitive. You want to have a lot of patience; that person has to be patient. Not every red team tool or tactic works correctly every single time, and if you think that's the case, you probably haven't set up enough; sometimes they work only half the time, sometimes they only work 10% of the time, so you have to have patience. You also have to question yourself: is this technique working or not working?
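The metrics the talk describes in the preceding section (steps attempted versus steps detected, mean time to detection, mean time to decision, time to compromise, and time to privilege escalation) fall straight out of the timestamped notes the speaker asks the team-of-two to keep. The following Python is an added example and is not the speaker's or the conference's material: the scenario record is constructed, the ATT&CK technique IDs are real identifiers but their assignment to steps is illustrative, and the metric definitions follow the descriptions given in the talk.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Step:
    """One red-team action and what the blue team did with it (constructed record)."""
    technique: str                        # ATT&CK technique ID the red team executed
    tactic: str                           # ATT&CK tactic the step belongs to
    executed: datetime                    # when the red team ran the step
    detected: Optional[datetime] = None   # alert time; None means the step was missed
    decided: Optional[datetime] = None    # when an analyst ruled true/false positive
    foothold: bool = False                # step gave the red team a host
    elevated: bool = False                # step gave the red team admin-level access


T0 = datetime(2021, 5, 20, 9, 0)  # constructed exercise start time


def at(minutes: int) -> datetime:
    """Timestamp `minutes` after the exercise start."""
    return T0 + timedelta(minutes=minutes)


# Constructed scenario record, not a real engagement. The two-person note taker
# records each red step, the blue alert (if any) and the analyst's verdict time.
SCENARIO: List[Step] = [
    Step("T1595.002", "reconnaissance", at(0)),                                   # missed
    Step("T1566.001", "initial-access", at(35), at(39), at(65), foothold=True),
    Step("T1059.001", "execution", at(47), at(48), at(75)),
    Step("T1082", "discovery", at(55)),                                           # missed
    Step("T1003.001", "credential-access", at(80), at(82), at(105)),
    Step("T1068", "privilege-escalation", at(95), at(97), at(130), elevated=True),
    Step("T1048.003", "exfiltration", at(155)),                                   # missed: DNS exfil
]


def minutes(later: datetime, earlier: datetime) -> float:
    return (later - earlier).total_seconds() / 60


def detection_rate(steps: List[Step]) -> float:
    """Fraction of red-team steps that produced any blue-team alert."""
    return sum(1 for s in steps if s.detected is not None) / len(steps)


def missed_techniques(steps: List[Step]) -> List[str]:
    """Technique IDs with no detection: the gaps to feed into the corrective action plan."""
    return [s.technique for s in steps if s.detected is None]


def mean_time_to_detect(steps: List[Step]) -> Optional[float]:
    """MTTD in minutes, averaged over detected steps only; None if nothing was detected."""
    deltas = [minutes(s.detected, s.executed) for s in steps if s.detected is not None]
    return mean(deltas) if deltas else None


def mean_time_to_decision(steps: List[Step]) -> Optional[float]:
    """Minutes from alert to analyst verdict (true or false positive), averaged."""
    deltas = [minutes(s.decided, s.detected) for s in steps
              if s.detected is not None and s.decided is not None]
    return mean(deltas) if deltas else None


def time_to_compromise(steps: List[Step]) -> Optional[float]:
    """Minutes from the first red action to the first step that gained a host."""
    start = min(s.executed for s in steps)
    first = min((s.executed for s in steps if s.foothold), default=None)
    return None if first is None else minutes(first, start)


def time_to_privilege_escalation(steps: List[Step]) -> Optional[float]:
    """Minutes from the first foothold to the first step that yielded elevated access."""
    foothold = min((s.executed for s in steps if s.foothold), default=None)
    elevated = min((s.executed for s in steps if s.elevated), default=None)
    if foothold is None or elevated is None:
        return None
    return minutes(elevated, foothold)


def scorecard(steps: List[Step]) -> Dict[str, object]:
    """The scoring vehicle for one exercise: attempted vs. detected plus the timing metrics."""
    return {
        "steps_attempted": len(steps),
        "steps_detected": len(steps) - len(missed_techniques(steps)),
        "detection_rate": round(detection_rate(steps), 3),
        "missed_techniques": missed_techniques(steps),
        "mean_time_to_detect_min": mean_time_to_detect(steps),
        "mean_time_to_decision_min": mean_time_to_decision(steps),
        "time_to_compromise_min": time_to_compromise(steps),
        "time_to_privilege_escalation_min": time_to_privilege_escalation(steps),
    }


if __name__ == "__main__":
    for key, value in scorecard(SCENARIO).items():
        print(f"{key:34} {value}")
```

Run as a script it prints the scorecard for the constructed exercise; the interesting output is the `missed_techniques` list, which names the reconnaissance, discovery and DNS exfiltration steps nobody alerted on, and the gap between MTTD (a couple of minutes, because the platform fires quickly) and mean time to decision (half an hour of analyst effort per alert), which is the measure the talk says is actually worth improving.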

Am I actually detecting what I think I'm detecting? How can I, in the moment, improve? Is it better to detect it? So I think Chloe go really for personal power. Attention to detail makes a lot of difference in the blue team. One of my colleagues, John Hubbard, mentioned that his best blue teamer ever in the SOC that he ran was a librarian, because she had great attention to detail, very structured thinking, and a solid IT background, which is also very, very helpful. The other half of performing the attack is exercising the defense. Be aware that there's a variety of services

that the SOC will hopefully engage in this process. As you look at this list, there's a few of these that cause a financial opportunity for you. If part of your incident response plan is to always capture a machine, or capture a machine if the attack looks like it's going to be particularly successful, and perform a forensic analysis, that could be a significant amount of labor. If you've outsourced forensics, and say your willing partner is the target, and the defense team comes up and grabs his laptop, just because there's something suspicious, we

have to go and they take that laptop, and I'm going to send it off to a forensics company. Geely. You may or may not want to achieve that as part of your adversary simulation cuz I could be an expense as you're looking at the at this list. These are typical Security operation Services. Be aware of what you're actually going to be exercising and know if there's something that they have a cost upon it, cuz you may want to head that off. As your program mature, as many as you've done your first second, third fourth test, and make sure that you use the right, adversary group data, and make sure

that you can map your effectiveness against the MITRE ATT&CK process. And I'm going to show you one of these group structures right now. So MITRE has put together a lot of information on various groups; empirically, they figured a lot of things out, and they've been doing this for quite some time. And for this particular one, this is the APT3 page that goes hand-in-hand with the spreadsheet I showed you. Think about the techniques that they used. This is what's been observed by this particular attack group. You can look at it at an individual tool and say, what does that particular

organization use for software packing? And do I want to build that into my plan? So you can click on software packing and see what are examples of it, who uses it, and what types of tools are out there, and see if there's a mitigation or defense. This is another really useful tool that MITRE has put together. When we're helping to design, we can use this tool to help design our adversary. There's a number of candidates for your toolset, but I'm going to swap to the next slide and show you which are, and I'm going to come back to this. The folks at pentest.it maintain a

pretty good list of some of the major tools out there, and they can tell you which tool actually goes with which part of the MITRE ATT&CK process. I'm going to go back to your side. So what are some candidates? APT Simulator, MITRE Caldera, really good tools; Atomic Red Team; Red Team Automation (RTA); DumpsterFire. There's a lot of these tools out there, and there's a lot more red team tools than there are blue team tools. There's a couple of detection tools, though, that you should be aware of and really should use in your apparatus. If you don't have a packet capture or an

analysis tool, or a network of trees to text baby or a small shop security, onion is a phenomenal package. I'm going to I'll show you what some of the out and about looks like when I show you the example tool that I hope they're going to show you at the end of the presentation care of your building buyer, beware that you do have to have a variety of things, shut up and you don't want to be doing this reduction. So detection, lab is a is a nice tool that you can get Chris Long created it at the strip that runs and it builds an active directory for you. Set up a server at set up a couple of

Windows clients, download the miter, Caldera, tools and implements OS. So, it's basically a all-in-one tool set. So if you want to try to test out a tick on a Windows machine, against an active directory domain or something like that, you have most of the things that you would need and it becomes a disposable rerun the strip light for 5 hours later. You'll have a new Turbo fast and power cell. And I I mentioned this before earlier. Game day. You've got everything you figured out, you got your support. You're going to go ahead and actually unit to your attack, right? Make sure you

have air cover. You're probably going to use adversary simulation in a, in a contained environment, where you're going to be authorized to do it. You've gone to your viqi. You're authorizing party or so, you've given him or her your plan. They've approved it up and you want to make sure that you you're capable of telling that that authorizer approver. We rehearse, this we run the stuff, we could do this under control and we know what we're doing. A picture that you have a willing partner, is a phenomenal useful tool. I think I mentioned earlier, that the intern example, we came for for

Insider threat scenario are willing partner was really good at that because our week, we had our willing partner. I'm just responding to your text message and he was kind of playing dumb on our behalf. So I really sent the blue came through the loop figuring out. What is this kid doing, you know, make sure the record results for the full-time staff, your blue team. Are you going to announce the adversary simulation activity or not be aware of the Hawthorne effect. The Hawthorne effect. Another business is is a study that was done in. Basically the study of found out that even win.

People were not being directly observe. If they thought that they were being observed, they behaved in a better manner, any more productive manner. So that the study goes that they were doing out here trying to determine how to make a particular environment better. And they told staff members. What they were doing was observing the amount of light in the room and it's kind of big manufacture date. They had folks on a catwalk walk and just because people thought they were being observed, they perform differently than they do in regular circumstances. So he'll be aware that

Jimmy Behavior changes if they are knowing that they're making sure. You probably want to do this in an unannounced fashion. Make sure that you're your normal processes are working at your detection event. If you want to make sure that your your eye, our commander is not really aware that you're doing an incident response that there's to be an adversary simulation activity. So they're trying to behave and collect the data. And they don't get laxidasical. Realize that an outcome from your blue team, should be the actual end product report. Did David Green Team, a green team

or some people call? The white team? The green team is actively listening at observing. If you were to do this in conjunction with your internal audit division, may or may not want to do that. They would be the Observer. Their goal is to protect the Integrity of the event. They will gray both teams at producing. How come briefing for you. That's kind of what the green tea. You have an after-action event, information exchange. Make sure that you have objected criteria for your grading and your timeline. Make sure people know what they did. People wrote down their observations and writing. It's

really good to have taken our make some notes. Because if you need to not, not in your memory, they can test them. If they took, I are very much. It's no response. Very much like a tree with anybody different approaches of many different branches. And what what I did Viber Ranch stuffed with wheatgrass. Folks, at the University. I probably had easily, you know, hundred fifty two hundred people go through a variety of scenarios. I rarely had two people saw the scenario in the same way an incident response is a very much, a team sport. This is the other side of the adversary that

this is the blue tube defects. I'd make sure your document as you go template, makes different. You can choose our format. You can follow the Sands format. Which going to pick on a roll. Preparation identification, containment erratic every lesson. Florida, you could use more of an executive, a business, type format of nature, executive executive summary, upfront, describe the case, regular root, cause of the time, I dated. But what's important is that you have a template to follow it. You do want to you to make sure that your, your after-action is blameless and encourage everyone

to contribute and talk. You may have some folks may not be happy with her performance. So you may have to cut a cheese that matter, records sent to talk and share their experience. You wear for my human behavior perspective. You may have to be up a really good facility in the outcome. Another thing that you want to think about her. Is this a really good activity for these adversaries simulations. This was an Article II picked up and doing research this and test magazine. The Story Goes, But they're doing an activity and because the blue team had access to a red team 10 test

person and they were dealing with a case. They brought the red team her in. And they said, this is what's going on. We have this event and the red chamber in the moment. Look at that. Look at the live attack and kind of made a plan and what the team did was in real time that red Timur that pen tester did a scan because they saw over the attacker was first going, they found that weakness. They coordinated a change that The Blue Team been put in place with emergency Change Control. I would an hour there at adversary, was actually attempting the very same thing that the red team red. So, it

may be 8, interesting thing for your adversary, simulation exercise to bring in a pen test person that an injected into stare at me, and they give you an interesting Dynamic. So we have some takeaways here. I want to hit before I show you a tool that may be helpful for you. That's a very low-cost tool. First thing is think, 30 days, identify your value check talk to your business, continuity to your people and performance analysis. That should really help to inform your simulations. I determine what you're going to do that. What you have and what you can't break. I took pork 60

days. You should have enough of an environment to build out stage through some testing. I guess things that look like your environment. Maybe if you use the section lab model, you could then go pull all of your policies from your active directory, domain and use that in the active. Directory, in a detection, lab environment. Today, your Windows PC. They're going to use an instrument exactly the same. As your production. Tell me, you got to think about your cue like that. You really do want to talk plan, your event practice makes perfect. It is a very much of Truth. And then do you want to make

sure that you have your air cover and line that up? I should go as an aspirational goal. Think about performing, one of these activities once a quarter or four times a year. If you could think you could do that. On your game day, you run the simulation, observe your blue team, great folks, to tell me what you're doing. Remember you want to move the needle. So I want to end with a, we noticed early due to a really good idea to give you an example of one of the tools that could be right effect. If it's an inexpensive tool, you can integrate this very easy to implement

register, pulled out the API key. It's got a few tools built into it that generator real packet data for you on the network, as a way to make things look like their malicious by handling, a has traditionally very low-risk. It's very low risk because it's python code. And as of a better sport, like user interface, so you your adversary simulation tried a similar using best plate in a set. Your Alehouse option. Generate the python could get the output and then what you can do is go get that python code, run that particular agent. And if I thought you can run

it out of Windows at the libraries are there you can run it on Linux. You can instrumented a variety of ways on Linux box. Like you could add it to install package. You could put it in a Cron job, get a lot of flexibility cuz if I thought I've mentioned security. I need this is another tool that it would on your network to detect that particular activity. So here we be picking tool tested at Old determine if we can actually detect the tool. So we have a detection mechanism. If you're looking and seeing what this tool produces longitudinally a record of time, I ran a simulation with a couple

of machines. We got a variety of events that happened and if you look at what happens when you run the scoreboard, are you generic 31000 minutes? I want to thank you for your time here with this presentation, and I really hope that I have helped you. Move the needle for your adversary simulation program.
