Hello, everyone, and welcome to my presentation. My name is Samuel Kimmons, and my talk is titled "Look at Me, I'm the Adversary Now: An Introduction to Adversary Emulation and Its Place in Security Operations." Before I jump into the overview, I just wanted to give a big shout out to the Adversary Village. I'm very excited to speak to you all, and to all of you attending today.

All right, so a quick overview of what I'm going to cover in my presentation. I'll go through the typical introduction, the "who am I" slide. I'll jump into an introduction to adversary emulation and the types of emulation, and yes, I believe there is more than one type of emulation. And then I'll jump into where adversary emulation fits into security operations. We'll talk about threat intelligence's place in adversary emulation. We'll talk about emulation for detection testing and purple teaming, and then emulation as a training tool. And of course, I'll finish this up by giving you some resources so that you can get started with adversary emulation today. And then we'll cover the conclusion.

All right, so who am I? My name is Samuel Kimmons, as I mentioned earlier. I'm currently a red teamer at an organization called Cognizant. I was formerly at a company called Recon InfoSec, where I focused 100% on adversary emulation: replicating TTPs, malware and C2. I like to consider myself a purple teamer and adversary emulator at heart. And before Recon InfoSec, I was in the United States Air Force. I started out as a sysadmin, help desk type person, moved up to SOC analyst, and then on to pentester and red teaming and adversary emulation. And so where I kind of got tuned in on adversary emulation, and where it could fit into security operations, was my time in between SOC analyst and red teaming.
I started to really dig into the TTPs of how they infected an environment and what kind of behaviors we could look for, and, from the offensive side, how I could replicate these behaviors to help my organization. And so you can find me on Twitter at Valkan_K or on GitHub at Valkan/K. And the quick disclaimer that everyone has to throw out: thoughts and opinions expressed by me in this talk are my own and do not represent those of my employer.

Okay, so let's jump into adversary emulation and what it actually is. So you might be thinking, isn't that just red teaming? Well, hint: it isn't. It may be performed by red teams or pentesting teams, depending on what your organization has, but I feel like adversary emulation falls under that broader umbrella of offensive security, meaning that it has its place, but different teams may conduct those types of operations. And to me, the act of adversary emulation is being as true as possible to the threat intelligence when conducting offensive operations, because without threat intelligence, you don't really have adversary emulation; at that point you're doing kind of threat emulation or your standard adversary simulation. And you're gonna hear me throughout this talk constantly repeat "threat intel, threat intel, threat intel," because it's very important to this topic.

So, the two primary types of emulation that I consider to be important. Of course we have adversary emulation, where we're replicating known threat actors' TTPs or behaviors, and of course this is based on threat intelligence. And an interesting thing I like to bring up is something I saw in a blog post from the former red team lead at Walmart: that we're essentially just copycats, because we can only emulate a threat actor to a certain degree. And that's typically because we only have a certain amount of threat intelligence on a threat actor's behaviors. And this isn't uncommon, right?
Unless you have a view into an adversary's entire kill chain, you're probably not gonna be able to replicate it 100%. And to be honest, that's okay, as long as you're getting a benefit out of the TTPs or the behaviors that you're able to replicate in your specified scenario.

And so the other one, threat emulation. This one is kind of one of my favorites too, because you're not really focused on a particular threat actor. You're more focused on emulating TTPs. So let's say we go to the MITRE ATT&CK matrix and we select one: we wanna select WMIC for lateral movement, and we wanna replicate that TTP in our environment to, you know, determine if our detections are capable of detecting that or preventing that type of activity. And so it's cool because it's not tied to a specific threat actor. Several threat actors may use this technique, and in that case, you know, a cluster of threat actors may use it, but they're not really important to us. When we talk about adversary emulation and threat intelligence, we're usually doing that because this threat actor has been known to target our organization, so we want to be able to replicate what they can do in our own environment.

So where does it fit into security operations? In my mind, you know, it fits into the processes and people side of security ops. And typically you would see SecOps broken down into three pieces, right? Processes, people and technology. But like I mentioned, I'm going to focus on the processes and the people side, because honestly, the technology changes, but the people and the processes, not necessarily remain the same, but those grow and continue to change with time as well. But it should be the methodologies that are solid from one tool to the other. So from a defensive perspective, regardless of what type of log analysis tool you're using, like Splunk or a different SIEM, you should still be able to look for the same types of behavior, just using different syntax.
So the methodologies are there; it's just the tools change. So on the processes side of security ops: processes need development, testing and refining. And you may be thinking, where does adversary emulation fit into this portion of SecOps? In my mind, it fits into purple teaming perfectly, because you're able to test those response procedures and also train your folks against specific adversarial TTPs. And this is great for anyone ranging from a tier one SOC analyst all the way up to your tier three SOC engineer or threat hunter. Everyone needs that exposure to these types of TTPs, and we can do that through purple teaming.

And so I kind of bled into the people side of security ops when I was talking about processes, because you don't have the processes without the people. And so people need ways to improve and test their skills, and I believe that training through these emulation exercises is one of the best ways to do this. Now you may be thinking, what about your traditional red versus blue exercises? Typically those are objective focused, right? Like the red team has an objective that they're trying to accomplish, and it may not necessarily be to train the blue team. Sure, overall it's to make the security posture of the organization better, but that may not be their primary objective. And so when you throw in the adversary emulation exercise, they become even more natural sparring partners, where they're working in tandem to improve each other's skill set while improving the overall security posture of the organization.

So which type of emulation is the right one? To me, you follow the simple formula for success. First we'll need to determine if this will be for the processes or the people side of security ops, and ask yourself the following three questions. Number one: are you trying to detect or defend against a specific threat actor's TTPs or behaviors?
And in my mind, this is leaning more towards adversary emulation, because we're focused on a specific threat actor, their TTPs and their behaviors. On to number two: are you simply wanting to improve your detections against general TTPs? Now we're leaning more towards that threat emulation or adversary simulation side of offensive security, where we're focused on improving the detections of our detection and response team as opposed to trying to stop or detect a specific threat actor. And these kind of go back and forth, right? So we can apply adversary emulation to this one as well, but we're more focused on the TTP rather than who the threat intel says it's tied to. And number three: are you wanting to train your defenders? If so, you can apply a variation of the previous questions to the scenario. So for example, we could say that we want to emulate a specific threat actor because we want our defenders to have exposure to that threat actor, because they're known to target, for example, our organization, a finance organization. But we're also testing our detections against TTPs. Sure, they may not be specific to that threat actor that we're trying to detect, but by combining these two, we can actually have a pretty great exercise where we're benefiting both the processes and the people, because we're testing those response procedures and we're improving the skills of our defenders.

And you may be wondering, I keep mentioning threat intelligence for adversary emulation; where does it fit into these questions? Well, when we look at number one, without threat intelligence, we don't have adversary emulation. And even on number two, sure, we're talking about just detecting general TTPs. But if we look at something like Red Canary's report on the top TTPs, we can see that several threat actors are using these TTPs, and that's based on threat intelligence collected, found in the field or in the organizations that they're defending.
But where does it fit into adversary emulation? I mentioned this several times: you can't accurately replicate a threat actor without threat intelligence. Threat intelligence allows us to get as true as possible to an adversary's actions. And then I said early on, in the first two or three slides, that you may not be able to get to the 100% mark, right? And that's okay, because if we're aiming at replicating a threat actor's C2, we might be able to do that with open source tools or custom developed tools. And if we're talking about endpoint analytics, we can probably replicate those to generate those types of logs or events. We may not be able to replicate the exact programming language that a threat actor uses if we don't have that threat intelligence, and that's okay too. But emulating an adversary who is known to target your organization is much more valuable than standard threat emulation. And that goes for adversary simulation as well, that your typical red team would do, and that's okay, because they're focusing on specific objectives. They may not be tying in threat intelligence to their operations, but they may happen to cover some of those TTPs a threat actor might use. But if it's not tied to one that might target your organization, that could throw off the importance of the findings.

So let's talk about emulation for detection testing and purple teaming. But first I'm gonna cover kind of my view on the purple team methodology, and I'm sure it's a pretty common one out there. So first we'll start out by selecting a TTP or an adversary TTP. See, we can apply both threat emulation and adversary emulation to this purple team engagement. Formulate a plan of action; that means all parties involved will formulate a plan of action. They will execute their plan of action, they will validate their findings, and they'll move on to the final step, but it's not a final step, because it's a continuous process.
So if there's no detection, they will either tune or create one and start again. So let's take a look at a more detailed version of the purple team methodology. We'll start out with the TTP. We're gonna select lateral movement via WMIC, because APT X uses this method and they just so happen to target our organization. So we wanna be able to detect and possibly prevent that type of activity. During the development stage, both the offensive and defensive team will develop their capabilities. So the offensive team will develop a TTP based on threat intelligence. The defensive team will develop a signature based on threat intelligence, if one is available. And then testing; this is key, because all teams need to execute their plans of action, because if the offensive team executes their plan of action and there's no response from the defensive team, we may be in trouble, so we may need to go back to the beginning of our wheel and redevelop our plan. And so the validation stage, this is really important because it goes several ways. So the offensive team will determine if they were successfully able to execute their task, and was the blue team, the defensive team, able to successfully detect it. Those are very important to keep in mind when doing purple teaming with adversary emulation. And so if it was detected, we can move on to the next TTP. But if it wasn't detected, we can start the cycle from the beginning, where the detection team can develop or tune the signature.

And you're probably wondering, this seems like a lot of work, and very resource and process intensive. And it can be, depending on what you're trying to replicate from a specific adversary or a specific tool set or a specific piece of malware. And yes, it can be automated. It will take a little bit of development, or purchasing a specific tool that allows you to automate it. I won't name any, because there are plenty out there.
But using the local resources you have, even the offensive team could add this payload or add this technique to a script, a PowerShell script if we're in a Windows environment, and then the defensive team can execute it whenever they'd like to improve that detection technique or the TTP. And it can go both ways, right? We can automate a lot of the defensive piece using a tool like a SOAR. So once the offensive team develops that TTP, they feed it into the SOAR, so then we have another method of automating it.

So to break down kind of the threat intelligence piece of developing this purple team for our adversary emulation exercise: we're starting out with WMIC for lateral movement, and that is technique T1047 from the MITRE ATT&CK matrix, and you can see the link on screen. What do you know? NotPetya, the malware, happens to use this. So it may not be tied to a specific threat actor, and that's okay. It could be we're covering a pretty broad technique, one of the top methods for lateral movement. And then we see on number three that the new ransomware variant, Nyetya, also compromises systems worldwide and happens to use this technique. If we look into the threat intelligence available in MITRE ATT&CK, a blog from Talos Intelligence shows us the exact command that this malware or threat actor uses to execute commands remotely on another system. And so this is great. This type of intelligence is great for adversary emulation on both the offensive and defensive side. On the offensive side, we already have the command ready to go. We may need to do a little bit of development so it runs in our specific environment. And then the defensive side is also ready to go, because they can build signatures around these specific command line parameters.
And there may be some obfuscation that can take place, but that's why that continuous loop happens for the purple team engagements with adversary emulation, because we can feed that back through and build new signatures or look for those detections. So when you're first starting out with doing adversary emulation for purple teaming, it can be tough to keep track of the signatures or the TTPs you want to signature-ize. And honestly, a simple spreadsheet like this can help you get started: documenting the TTP, do we have a signature for it? Have we tested it? Is this a high or a low priority? Is there any relevant threat intelligence? Key: adversary emulation, relevant threat intelligence. And do we have a date that we would like to test this on? And honestly, this is as basic as it gets, low resource intensive, and it helps you keep track of what you need to test.

So, adversary emulation as a training tool, and this leans more on the people side of security ops. I've mentioned this several times because it's really important: getting your defenders exposure to threat actor TTPs and their behaviors is very important, because when they do it in a training situation, like you can with some of these public and private trainings, and then they happen to see that type of activity in their own networks, that really helps them clue in on what to pivot on, or, okay, I'm familiar with what normally comes after this TTP for a threat actor. So for example, once a threat actor drops a payload, they start enumerating Active Directory; they might be looking to move laterally. So if we catch it at that point from a defensive standpoint, we can say, okay, let's look for lateral movement techniques. Oh, what do you know? We just talked about one using WMIC. So let's look at that for potential movement across the network.
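The defensive half of the WMIC lateral movement example above, written out as an added example; this is not code from the talk or from the speaker's GitHub. It runs two simple signatures over a handful of constructed Sysmon Event ID 1 (process creation) records: the source-side rule flags wmic.exe invoked with /node: and "process call create" (the command-line parameters the talk says you can signature), and the target-side rule flags a shell spawned under WmiPrvSE.exe, which is what the remote end of that command looks like on the host being moved to. A small correlation step then ties a source alert to a target alert by the /node: value. The Sysmon field names are real; the hostnames, users and command lines are invented, and the watch-list of WmiPrvSE.exe children is an assumption, not a complete list. The last WMIC record varies case and spacing to show why the patterns are written loosely, which is the obfuscation caveat from the talk.

```python
import re
from typing import Optional

# Constructed Sysmon Event ID 1 (process creation) records. These are
# invented for the example, not real captures; only the fields the
# detection needs are kept, using Sysmon's own field names.
SAMPLE_EVENTS = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wmic /node:"FS01" /user:"CORP\svc_backup" /password:"x" '
                    r'process call create "cmd.exe /c whoami > C:\out.txt"'},
    {"Computer": "FS01", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "CommandLine": r"cmd.exe /c whoami > C:\out.txt"},
    {"Computer": "WS02", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "wmic os get caption"},                        # local inventory, benign
    {"Computer": "WS03", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "WMIC  /NODE:10.0.0.7  PROCESS  CALL  CREATE  calc.exe"},  # case/spacing varied
    {"Computer": "FS01", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},                     # unrelated noise
]

# Tolerate optional quotes around the /node: target and any run of whitespace
# between the verbs, so trivial case or spacing changes do not evade the rule.
NODE_RE = re.compile(r'/node:\s*"?([^\s"]+)"?', re.IGNORECASE)
CREATE_RE = re.compile(r'\bprocess\s+call\s+create\b', re.IGNORECASE)

# Assumed watch-list of interpreters and LOLBins worth flagging under WmiPrvSE.exe.
SUSPICIOUS_WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                           "regsvr32.exe", "mshta.exe", "wscript.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, so rules compare image names only."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> Optional[dict]:
    """Apply the two T1047 rules to a single process-creation event."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmd = event["CommandLine"]
    if image == "wmic.exe":
        node, create = NODE_RE.search(cmd), CREATE_RE.search(cmd)
        if node and create:          # source side of remote execution
            return {"host": event["Computer"], "severity": "high",
                    "rule": "T1047 wmic remote process call create",
                    "target": node.group(1)}
        if create:                   # local execution through WMI, lower value
            return {"host": event["Computer"], "severity": "low",
                    "rule": "wmic local process call create", "target": None}
        return None
    if parent == "wmiprvse.exe" and image in SUSPICIOUS_WMI_CHILDREN:
        return {"host": event["Computer"], "severity": "medium",
                "rule": "T1047 shell spawned by WMI provider host",
                "target": None}
    return None


def detect(events: list) -> list:
    """Run classify() over every event and keep the hits, in input order."""
    return [hit for e in events if (hit := classify(e)) is not None]


def correlate(alerts: list) -> list:
    """Pair each source-side alert with a target-side alert on the host it named.

    Returns (source_host, target_host) pairs. A source alert whose target never
    shows a WmiPrvSE child (command failed, or that host does not forward logs)
    stays unpaired, which is itself a useful finding for the purple team loop.
    """
    wmi_hosts = {a["host"] for a in alerts if "WMI provider host" in a["rule"]}
    return [(a["host"], a["target"]) for a in alerts
            if a["target"] and a["target"] in wmi_hosts]


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for h in hits:
        print(f'{h["host"]:5} {h["severity"]:6} {h["rule"]}'
              + (f' -> {h["target"]}' if h["target"] else ""))
    for src, dst in correlate(hits):
        print(f"lateral movement chain: {src} -> {dst}")
```

In a lab like the one described later in the talk, the input would be the Sysmon events Winlogbeat ships into ELK rather than this inline list. The command-line rule is the brittle one: a renamed copy of wmic.exe, or the same WMI call issued from PowerShell instead of wmic.exe, never produces the "process call create" string, which is exactly why the target-side rule is there and why the purple team cycle feeds the next variation back into the signature.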
And so I mentioned there are public and private trainings for this; a lot of them are happening at DEF CON and Black Hat and other conferences, or you can talk to those companies individually. But on the free side, free as in free to attend, but you might have to pay for a conference to get in: CTFs like OpenSOC. So I'm a little biased, because I used to work at Recon and do a lot of development on the OpenSOC CTF, which is run at DEF CON every year. That's one of the best ways to get exposure to real adversary emulation, because when I was doing it, I had to actually develop the same exact payloads and malware that the threat actor might use. And then we move over to Boss of the SOC from Splunk. Obviously the Splunk tool isn't free, but there is a free-ish version you can get to use for Boss of the SOC, the dataset that's available, and the threat research team that puts that out is amazing. They put a lot of content out there to give you the exposure to real-world TTPs. And while it may be focused on using their tool sets, like I mentioned before, it's the methodologies that are key and not the tools. So you can take those same concepts and bring them over to Graylog or another tool. And then we have something like NetWars from SANS. It costs a little bit to try it out, but it is great exposure to a general range of TTPs, not really specifically tied to a threat actor, but it's great if you're first starting out and you wanna kind of get exposure to those, or you wanna try out some of those offensive TTPs yourself. And then there are hundreds of CTFs that go on every year. Check out CTFtime.org. There's probably one going on every single weekend this year. And while a lot of them are focused on just hacking specifically into a crazy puzzle, it's a great way to get you familiar with the tool sets and the methodologies of conducting exploitation or moving laterally.
And then you can take those and apply those to your actual offensive engagements where necessary or where possible.

So my favorite slide in the talk, because this is where I give you the resources so you can get started. So let's talk about labs. Labs can be a controversial thing, because either you have a lot of resources to build one or you have very minimal resources. And so I tried to choose a good range of things that could be done on multiple types of systems, with resource limitations in mind. So DetectionLab: that one's more on the higher resources side, because it'll pull down several images, a DC, I believe they even put a SQL server in there recently, within the last year. I think the developers were even trying to work on the PrintNightmare one as well, putting that exploit in there so you can actually exploit and test and see what it looks like. And the cool thing about DetectionLab is it allows you to spin up that environment, look at the logs, do some detection engineering or get familiar with different attacks in that environment. Keep in mind that it downloads several images, ISO files, that take quite a while depending on your internet connection. So keep that in mind, and your hard drive space. And then we move on to Splunk's Attack Range. The Splunk team does an amazing job of developing different TTPs. They have a way of incorporating Atomic Red Team from Red Canary. It's a great way to get exposure to new techniques that are out there, or to help build your own detections if your company happens to use Splunk. But as I mentioned before, using Splunk isn't the end-all be-all, because those same methodologies will move over to a different analysis tool or a different data analysis tool. And then the best place to start, if you're just getting started or you wanna simply test something before you run an operation, is a few virtual machines and a log analysis tool.
So a Windows 10 box, set up a HELK server from Cyb3rWard0g, very minimal; I think there's a four gig configuration you can run to feed those logs into an ELK stack so you can actually analyze what your activity is doing in an environment. And that's like the most basic way. I think you can get away with maybe like eight gigs of memory across those potentially two or three OSes running at the same time. So keep that in mind when you're building out a server or a system so that you can do this type of testing on your own, this type of adversary emulation testing.

So let's talk more about the tools to help you feed into those labs, or that custom lab you happen to build. So we mentioned Atomic Red Team from Red Canary. The developers on that are super active and they're all amazing. I suggest you go check out their Slack channel and of course their GitHub repo. They seem to be always adding new TTPs to their tool set. And I really suggest you take that, throw it in your lab, get familiar with different TTPs, different MITRE ATT&CK techniques. And especially if you're on the defensive or the detection engineering side, this is a great way to get exposure without having to worry about getting your hands on the latest and greatest C2 tool or latest and greatest malware, right? Because when it comes down to it, they're just replicating specific TTPs, and you can do that with Atomic Red Team. If you wanna get a little more adventurous, you can look at something called Caldera from MITRE. Recently they started putting in more development time on it. It's becoming a great tool. It's kind of like a pseudo red team tool. It allows you to build a payload, a binary payload, throw it on a target host, execute commands through that payload, just like you would with C2 tools like Cobalt Strike or PowerShell Empire, those kinds of things, or Mythic is another one. And then the other option is custom development.
So I mentioned that on an earlier slide where I was talking about, can this be automated? Yes, using custom development, we can have our offensive team, even if it's your pentesting team and you don't have a red team, you can have the pentesting team or the offensive team develop custom tools or custom scripts to run these adversary emulation exercises in your lab or in your production environment. Obviously, be smart about what you're doing, but you can run them in your detection environment so that you can build detections or help refine those processes using that purple team methodology we talked about. And so on my GitHub, I actually put a script on there that will help you automate a lot of the stuff if you're going for that simple few-virtual-machines setup, like a Windows 10, an Ubuntu server for logging and maybe a Kali for an attack host. This script will basically download Sysmon and Winlogbeat, it'll help you set up forwarding of all the logs, and then also download Atomic Red Team. So you're good to go. All you have to do is type in the Atomic Red Team command, Invoke-AtomicRedTeam, run the TTP you wanna run, and now you have logs shipping to your HELK or your ELK stack, depending on what you decide to set up. And keep in mind the resources can be intensive depending on what you're trying to do.

And some great references to help you get started with looking at threat intelligence for adversary emulation: first off, MITRE ATT&CK. MITRE ATT&CK, you'll hear it probably all day, every day at every conference you go to or every blog post you see, but it's very important, right? Because it's got a way of breaking down TTPs in a readable manner. And they're also great about including threat intelligence to back up those TTPs. And that's a great point when it comes to threat research; that's your pivot point, right?
So I found my TTP, I found related intelligence, I'm gonna go keep searching for that type of intel or these types of threat actors that might actually use these TTPs or these tools. And so my favorite one is, it's not really a MITRE ATT&CK matrix style website, but it's called Malpedia, right? And it's one of my favorite places for threat intelligence gathering, because you simply search the type of malware or C2 or threat actor that you're interested in, right? So for this one, I looked up Petya, right? And I came up with EternalPetya. It can show you which types of families it's a part of, it'll link different blog posts, different reports from different vendors, the open source ones that you can get access to without paying for a subscription. And it's an amazing place. I don't believe it's easy to get an account on there, but a lot of the stuff is free; you just simply go to their search page and start typing away. I used to use it all the time, and I still use it all the time when I'm interested in finding out how to replicate a specific threat actor. Because a lot of the time, when you go to something like the MITRE ATT&CK matrix, they'll have four or five possible references at the bottom, right? But honestly, that's not enough when you're building out a full campaign, or you wanna build out a full purple team operation using adversary emulation, or simply when you want to train your defenders against a multitude of a threat actor's TTPs. One report from the MITRE ATT&CK matrix might give you one or two TTPs; you come over to Malpedia and you'll probably find 10 to 15 different articles or blog posts about a specific threat actor and information surrounding their objectives. And that's something else I didn't mention: when you're doing adversary emulation, you wanna be objective focused, just like you are with red team engagements, because the adversary has an objective.
It's, you know, it could be to gain access simply to sell access, or they want to gain access to ransomware your data, or collect your data and sell it somewhere else. There's always an objective in mind, and it's most likely financially motivated. So keep that in mind when you're doing your research.

Okay, so my favorite part, in addition to the resources slide, is how you can get started. So I gave you the resources to get started on a lab, to get started with some pseudo adversary activity using Red Canary's Atomic Red Team and MITRE's Caldera, and then of course custom development, because I always encourage that; the best way to learn is to get your hands on the code and start writing these TTPs yourself, even if it's simply WMIC, you know, process call create on the target host. That's enough to get started. So the three steps I like to include when I'm doing adversary emulation, or I'm building out an adversary emulation scenario: first off, threat intelligence is key. I mentioned that several times because it is key. You don't have adversary emulation without threat intelligence. Well, you don't have successful adversary emulation without threat intelligence. So step one, we're going to select our threat actor and our relevant threat intel. So we're gonna pick APT X, we're gonna go to MITRE, we're gonna look at the specific references they have, what TTPs they happen to use, we'll hop over to Malpedia, look for subsequent articles or blog posts about interactions with these types of threat actors in different environments, what they do when they're in the environments, what their objectives are. Then we'll move on to step two. So this is the most resource intensive part, depending on what you're trying to replicate. If you're trying to replicate a threat actor's specific malware or C2, depending on the capabilities of your team, this could be resource intensive. But in this step, we're gonna develop and replicate those TTPs.
If it's a simple command line action, that's easy; that's straight from the threat intel, we just need to modify it a little bit. If it's an actual payload, that may take some time. So keep that in mind when you're doing this type of development, if you're trying to be time sensitive. And then step three, we're going to execute our actions. And depending on how we went, if we went specifically for a purple team operation or simply just giving our defenders exposure to these actions, this is the final step. And so when you add all three of these together, you get successful adversary emulation. And I'm gonna mention it again, because it's very important: threat intelligence is the key to successful adversary emulation.

Okay, so I just wanted to give another big shout out to Adversary Village and all of the people watching today. Thank you so much for attending my talk. And my final parting thoughts on adversary emulation: adversary emulation can help you improve the overall security posture of your organization through testing, validating capabilities, or simply improving the people behind the processes. Because when it comes down to security ops, or the defensive side of security, and even the offensive side, the people are the most important, and they need to be able to refine those processes that help them defend their organizations. So once again, thank you so much.