Okay, we are live. Great. Thank you. Good evening, Red Team Village. My name is Adam Pennington, and tonight I'm going to be talking about emulating an adversary with imperfect intelligence.

Before I get into content, I wanted to start off with a little bit about who I am. I'm the lead of a project called MITRE ATT&CK. I'm guessing some of you are probably familiar with it; several of the other talks in the Red Team Village have been leveraging it. I've been with MITRE for about 12 years now. If you're not familiar with MITRE, we're a not-for-profit who primarily runs federally funded research and development centers for the federal government, and does work in the public interest on things similar to ATT&CK that we're putting out there for people to use. My principal focuses are on threat intelligence and deception, but I've been working with adversary emulation teams for years, looking at what sorts of intelligence they're pulling together and how well the profiles they're building up look like real adversaries. Most of our time today is spent on MITRE ATT&CK, but I've been an operational defender as well as a cyber threat intelligence analyst; I've spent time in multiple security operations centers. I've been a part of ATT&CK for quite a while, so I've been around since there was a spreadsheet with no ampersand. ATT&CK originally was an Excel spreadsheet, and I helped gather a lot of the intelligence that we used to create ATT&CK in the first place. Before I was at MITRE I was at Carnegie Mellon for 11 years trying to collect all of the degrees. I'm also a scuba diver; I'm certified for technical diving, so decompression and rebreather diving. And I've spent time as a professional live sound engineer, which might explain some of my taste in home audio equipment. I've been around DEF CON for quite a while.

Obviously, first one from home, like all the rest of you. Some of the key points I wanted to get to today: I'm going to be looking at a very intelligence-focused approach to adversary emulation. I want to start off by setting the stage in adversary emulation, getting into the definition I'm using. Now, I'm not expecting that people here haven't heard of adversary emulation; I really just want to make sure that we're on the same page, using the same definition, because adversary emulation is something that I've seen mean different things to different people. I'm going to talk about gathering and extracting the intelligence necessary to do adversary emulation: where do we find it? How do we pull it together? And I'm going to talk about some of the flaws in that intel. What's wrong with it? How do we recognize some of those imperfections? And then how do we deal with it? How do we find the gaps in our intel, fill them in, and leverage those to create a complete plan that we can use to actually emulate an adversary?

I said I was going to start with the definition. This is the definition of adversary emulation that I'm using for the rest of this talk: adversary emulation is a type of red team engagement that mimics a known threat to an organization by leveraging threat intelligence to influence what actions and behaviors the red team does. Pretty straightforward: leveraging threat intel, trying to use that to influence what we're going to do. So what's different? The big one is that it's driven by threat intelligence.
So it's driven by how the adversary actually looks. There's a good chance we're going to use that threat intelligence to scope things more than we might in a normal engagement. We want things to look like an actual threat, and so there are things we might not do, and take out of our playbooks, in order to stick to that. There's a good chance it follows a constructed scenario in order to stick to what a real adversary looks like: we might ahead of time create the set of activities, the set of behaviors that we plan to do, so that we can keep to that. And the hope with all of this is that we're getting some idea of how our defenses might fare against a given adversary. It's still not the real threat. It's still not going to be the same, but we're hoping to get close enough to start to get some ideas.

There's a bunch of new challenges that emulation brings in around intelligence, and I'm going to be covering several of these in my talk tonight. The first, the most basic one, is the need for intelligence in the first place: needing to know what an adversary looks like. We might not have enough intelligence out there on an adversary that's in a form we can use. It might not describe the sorts of activities that we need, as an adversary emulation team, to go out and look like the adversary. The adversary we want to emulate, there may just not be enough intel on; we may not know about them. And so we might need to fill in the picture a little bit more to be able to really emulate them. And finally, we're pulling in all this intel; we need to be able to turn it into a workable scenario.

My team has an adversary emulation process that we've used in several other places and presentations, as well as documents, but it originally comes from a presentation a few years ago by the ATT&CK team members Katie Nickels and Cody Thomas. The process we work from is to first gather threat intelligence: figure out who your adversaries are and start to pull in all the information you can find on the adversary you pick to emulate. Extract techniques from that intelligence: start to look at what the behaviors are in that intelligence, so that we can pull them together into a plan to be able to look like those behaviors. Analyze and organize that intelligence: taking those behaviors, looking at what's there, what isn't there, filling in any gaps, and then pulling that together into a plan we can actually use. Develop tools: we need the malware, utilities and other things to be able to operate with. And then finally, do the emulation.

I'm a threat intel guy; I'm going to cover the most threat intel-focused pieces of this process, and so what I'm going to focus on today is the first three steps in this process. Start with the first step: gather threat intelligence. We're going to need to choose an adversary and then pull in information that we can find about them. Before we can start gathering data, we need to identify the adversary. I'll cover two ways to do this: looking at gaps that we're hoping to assess in our environment, and considering who is targeting us in the first place. I'll then go through a couple of processes for gathering data on that adversary, pulling in information on things that they do after they break into environments; that's likely to be most of the space of our engagement. And beyond behaviors, there are some things to think about beyond just what techniques they do: what tools are adversaries using? What other groups are associated with them, so what other names might we have that are describing some of the same activity? As well as an adversary's campaigns, so a series of intrusions that are happening in a time period that are attributed to the same actor. And on top of all this, we probably want to think about the time frame. Some of the actors we might want to emulate might have been in this business a very long time.
So I'll be using an actor later who is thought to have been around since at least 2004. What they looked like in 2004 is probably a little bit different than what they look like today.

There are a lot of ways that you can find lists of adversaries, information on starting points for who it is you want to emulate. I've got my biases; I'm going to leverage ATT&CK, but you don't have to, and a decent number of red teams we have seen using it for adversary emulation. Some other options instead of ATT&CK: if you have an internal threat intelligence team that is tracking groups that are hitting your own organization, that might be your best source of threat intelligence. They know about the threats that matter most to your organization; they may have the best picture of the techniques that are really relevant to you, so that could be a really good place to start. There are people that might be able to sell this information to you, so commercial threat intelligence providers, where for a fee you can get information on different adversaries you might be interested in. Or you can go to the same well that we do: everything that we're pulling into ATT&CK is coming from open source threat intelligence reporting, and so you can go out and look at some of the same sorts of reports we do ourselves.

Because I'm going to be using ATT&CK for the rest of this talk, I'm just going to quickly get into a few of the specific aspects of it that I'm going to be leveraging here. I'm not going to get into all the defensive use cases, things like that, just the basics of the framework structure and then the groups information that we're going to be pulling from it. I think probably a lot of you have already heard of ATT&CK, but at its core ATT&CK is a knowledge base of adversary behaviors. It's like an encyclopedia of things that real actors have been seen to do in the wild, so not just things a red team has done, not just theoretical, but actual adversary behaviors. It's freely available. Everything I'm going to be talking about today, every resource I'm using, is out there for free, and if it's code, it's open source.

Let's talk about structure here. This is the view most people use of ATT&CK; it's what we call the matrix. It's a layout of different activities that adversaries do. The way it's organized is, across the top here we have what we call tactics. These are the adversary's broad technical goals, so it's something like initial access (the adversary is trying to get into my network), or exfiltration (the adversary is sending stuff that they've stolen out of my environment), or something a little different like impact, where an adversary is trying to cause destruction or disruption to systems or my environment. Under each of these tactics we have what we call techniques. Those are how the technical goals are achieved, and these are sort of the basic unit of ATT&CK.
I've seen a bunch of techniques; Cheerio was just using several technique IDs in her talk. These are getting down to more specific ways, so instead of initial access we now have something like phishing: the adversary is sending a malicious email. This is kind of an exciting talk for me, because this is the first time I've given a talk in years that I've been able to fit the matrix on a single slide. We recently did a fairly big refactoring of ATT&CK, going from just tactics and techniques to tactics, techniques and sub-techniques. So there's now a new layer of abstraction under a lot of the techniques. Sub-techniques are just more specific techniques. So instead of phishing, we have something like spearphishing attachment or spearphishing link; it's again getting more specific. These sub-techniques have all the same properties behind them as techniques. They have all the same mitigations, detections, everything else. It's just a deeper level of specificity, and they have a parent technique. Finally, getting all the way down to detail, we've got procedures. These are specific adversary implementations of techniques and sub-techniques. So instead of spearphishing attachment, we might have that APT12 sent emails with malicious Office documents and PDFs attached.

Okay, our goal was to find out stuff about groups. Something else that ATT&CK has is profiles on a number of different threat actors, over a hundred of them. This is what a group page looks like. We've got a brief text description of the group itself, some metadata associated with it, and what we call associated group descriptions. Different companies, different threat intelligence providers use different names to describe the same or closely related groups, and this is natural: these organizations have their own definitions of these groups. They may not be quite the same. That's one of the reasons we call it associated groups instead of what we used to call it, which is aliases. We keep track of what techniques are used. We've taken open source threat intelligence reporting, gone through, and figured out what those reports say the adversary has been doing. Similar to our group pages, we also have software pages. Those keep track of different pieces of software that adversaries are using, everything from utilities to things that they've custom written, as well as all of the techniques that that particular piece of software is able to do. And finally, there's references for all of it. You can go back, you can check our work, you can see the original references and make sure that you believe what we say about it.

People use ATT&CK for a lot of different things. I'm only touching on adversary emulation tonight. It's kind of a good use case for ATT&CK, though; it turns out that adversary emulation is what ATT&CK was created for in the first place. The reason we originally created ATT&CK was that we had a red team who wanted to look like some specific actors, wanted to create playbooks, create plans, operate, and then wanted to be able to compare notes with the blue team and see if they saw the same things that the adversary had done.

Okay, so if I want to actually start to pick out an actor from all this, you've got a hundred actors. We can start by looking at how specific actors align with some of the gaps that we think we might have in our defenses. This is coming from APT28. Everything in blue here is techniques that we've identified from multiple open source threat intelligence reports. It's not using any commercial or government reporting; it's just things that you also have access to. I'm going to be showing a bunch of diagrams that look like this. This is basically the same matrix layout I showed in the introduction a second ago. I do have a number of the sub-techniques expanded out to show a bit more of the detail, but you're probably not going to be able to read the labels, at least over on Twitch or YouTube. All these diagrams I'm creating using ATT&CK Navigator, which is an open source tool we provide. That's a URL to actually work with it yourself, and I'll release the slides for this right after the talk and work on getting the Navigator layers out that I'm using.

If we're looking at the techniques that APT28 has used, we can then compare that with our own defenses. If we take the same ATT&CK Navigator, we lay out where we think that our defenses can catch or not catch an adversary. What's in red here is notional gaps in the defenses for an organization, so what I think that I can't detect today. Okay, so if I take that adversary, I add the gaps to it, I can then create something that looks like this: I now have APT28 in blue, our gaps in red, and the green here is where the two overlap, where we think we might have gaps. Again, without the slides you're probably not going to be able to see which individual techniques are highlighted, but we can see that maybe APT28 isn't the best match for us. They've only got maybe 10 techniques that overlap with things that we think are gaps. So, okay, what else can we look for?
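The overlay described above, the adversary's mapped techniques laid over the organization's notional detection gaps, as an added example in Python. This is not code from the talk, from MITRE or from the ATT&CK Navigator. Both technique sets are constructed for illustration (real ATT&CK IDs, but not the APT28 mapping or any real organization's coverage), and the output is shaped like the per-technique entries of a Navigator layer file (techniqueID, color, comment); the version metadata a real layer needs before Navigator will load it is left out.

```python
"""Overlay an adversary's mapped techniques on an organisation's detection gaps.

Added example, not code from the talk, MITRE or the ATT&CK Navigator.
Both technique sets are CONSTRUCTED for illustration: real ATT&CK IDs, but
not any real group mapping or any real organisation's coverage.
"""
import json

# Constructed adversary mapping: IDs an emulation team pulled from reporting.
ADVERSARY_TECHNIQUES = {
    "T1189",      # Drive-by Compromise
    "T1566.001",  # Phishing: Spearphishing Attachment
    "T1566.002",  # Phishing: Spearphishing Link
    "T1204.001",  # User Execution: Malicious Link
    "T1059.003",  # Command and Scripting Interpreter: Windows Command Shell
    "T1547.001",  # Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
    "T1021.002",  # Remote Services: SMB/Windows Admin Shares
    "T1570",      # Lateral Tool Transfer
    "T1567.002",  # Exfiltration Over Web Service: Exfiltration to Cloud Storage
}

# Constructed defensive assessment: techniques the notional blue team
# believes it cannot detect today (the "red" cells in the talk's diagram).
DETECTION_GAPS = {
    "T1566.001",
    "T1547.001",
    "T1021.002",
    "T1567.002",
    "T1003.001",  # OS Credential Dumping: LSASS Memory (a gap, but not mapped to this actor)
    "T1055",      # Process Injection
}

COLOR_ADVERSARY = "#4a90e2"  # blue: adversary uses it, we believe we can see it
COLOR_GAP = "#d0021b"        # red: our gap, adversary not mapped to it
COLOR_OVERLAP = "#7ed321"    # green: adversary uses it AND we cannot see it


def parent_of(technique_id: str) -> str:
    """T1566.001 -> T1566; a parent ID is returned unchanged."""
    return technique_id.split(".", 1)[0]


def score_adversary(adversary: set, gaps: set) -> dict:
    """Split techniques into overlap / adversary-only / gap-only.

    A gap recorded at parent level counts against the adversary's
    sub-techniques and vice versa, since coverage is usually assessed at
    whichever level the detection engineer mapped it to.
    """
    adv_parents = {parent_of(t) for t in adversary}
    gap_parents = {parent_of(t) for t in gaps}
    overlap = {t for t in adversary
               if t in gaps or parent_of(t) in gaps or t in gap_parents}
    gap_only = {t for t in gaps
                if t not in adversary and parent_of(t) not in adversary and t not in adv_parents}
    return {
        "overlap": sorted(overlap),
        "adversary_only": sorted(adversary - overlap),
        "gap_only": sorted(gap_only),
        "overlap_ratio": round(len(overlap) / len(adversary), 2) if adversary else 0.0,
    }


def navigator_layer(name: str, adversary: set, gaps: set) -> dict:
    """Per-technique entries shaped like a Navigator layer's "techniques" list."""
    s = score_adversary(adversary, gaps)
    rows = [
        (s["overlap"], COLOR_OVERLAP, "adversary technique we cannot detect"),
        (s["adversary_only"], COLOR_ADVERSARY, "adversary technique we believe we detect"),
        (s["gap_only"], COLOR_GAP, "detection gap not in this adversary's mapping"),
    ]
    techniques = [{"techniqueID": t, "color": color, "comment": note}
                  for ids, color, note in rows for t in ids]
    return {"name": name, "domain": "enterprise-attack", "techniques": techniques}


if __name__ == "__main__":
    result = score_adversary(ADVERSARY_TECHNIQUES, DETECTION_GAPS)
    print(f"{len(result['overlap'])} of {len(ADVERSARY_TECHNIQUES)} mapped techniques "
          f"hit a gap ({result['overlap_ratio']:.0%})")
    print(json.dumps(navigator_layer("constructed actor vs gaps",
                                     ADVERSARY_TECHNIQUES, DETECTION_GAPS), indent=2))
```

The ratio is the number the talk eyeballs from the coloured matrix ("maybe 10 techniques that overlap"); comparing it across several candidate groups against the same gap set is a quick way to rank them before reading any reporting in depth.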
We can also look at adversaries who are targeting us, especially if we've got our own internal threat intelligence team to help us. They may be able to help us prioritize here, because hopefully they know who it is who's been coming after us. And again, there's a couple different ways that we can prioritize based on this. We can start with an adversary who targets us regularly. Maybe we've got some actor who, the first Monday of every month like clockwork, sends us a spearphish. Maybe they're not the best; maybe we think that our defenses are pretty good against them, but they may be of a lot of interest to us just because they're trying so regularly. They're definitely a persistent threat. We can look at adversaries who have targeted others like us. If we've got some actor who's tried to break into every other peer in our industry, and has succeeded in places, well, we're probably somewhere on their priority list. We're in their priority intelligence requirements for who they should be breaking into, so I might want to understand how we might fare against them. Finally, you might want to pick an adversary who doesn't target us very much, or we've never actually seen, but who might, and has a high skill level: the actor who keeps us up at night, because we think that if they came after us, they'd probably succeed. They've got the high skill set.

The actor I'm leveraging today, for a lot of organizations, probably more fits into this last group, the keep-you-up-at-night adversary. The actor I'm going to leverage for the rest of this talk is Turla. Turla has been attributed to Russian state activity. They've been around for quite a while. They've been seen since at least 2004. I kind of like this group in that they're cross-platform, so they don't just stick to Windows systems; they've been known to go after macOS and Linux, and they use some interesting techniques that we don't see a lot of actors use. Everything in ATT&CK has been seen somewhere by some actor, but there are techniques that really only a certain number of high-end adversaries are getting into.

So we've picked our actor. It's time to start gathering data on them. If I'm not using ATT&CK as my data source, I'm going to want to go out there and start gathering intel, and so I can start looking through open source, publicly available threat intelligence reports. There are quite a lot of them out there these days. There really weren't that many when ATT&CK started, but we do have quite a wealth of reporting out there now. Or I can leverage the version of a lot of these techniques that's in ATT&CK. We're going through some of these exact same reports, trying to find what behaviors and techniques are in there, and then we're putting out that same information in ATT&CK. So it's information you already have access to, just in a digested form.

So you've got this intel. If we're going from our own sources, if we're bringing in open source threat intelligence reporting ourselves, we're going to need to go through a process of extracting techniques. Internally we tend to call this mapping. The quick process that you're going to go through in these reports is something along the lines of: first, find the behaviors in the report, so figure out what the activities are that the adversary did, the things that we're going to want to later be doing ourselves. Figure out the tactics. It takes a little bit of experience in understanding what you're reading with adversary behavior, but what is the adversary's goal for each of those behaviors? Move down to more specifics, move down those columns of ATT&CK, so go from the tactic to a technique, or even better, all the way down into a sub-technique. I would recommend doing this as a team. Everyone has their own biases and preconceptions in how they read intel, something I'll talk about a bit more in a minute, but comparing notes can be super effective for canceling out different issues you might have. I'm really only going to be briefly talking about how to do this, but my former ATT&CK teammate Katie Nickels and I released training earlier this year on how to do this mapping in much more detail. The URL for it is available in the slides; again, I'll release the slides later. And it's completely free; the videos for it are up on YouTube.

So this process of mapping ATT&CK techniques: this little snippet of reporting has quite a few of them in it, in the way that we would interpret an open source threat intelligence report. First we're going through, we're identifying each of the behaviors. These are the bits highlighted in yellow, where they're either describing something an adversary did, or they're using a tool where it's relatively clear what the behavior is that they're using it for. We're going through, we're getting down into tactics and getting down into techniques. So instead of "create batch scripts", we're interpreting that into ATT&CK as Windows Command Shell, T1059.003. For the Windows Run key, we now have Registry Run Keys / Startup Folder, T1547.001. And we're just going through the entire document, repeating this process over and over again, and pulling out the full set of techniques that we're able to find.

Once you've pulled out all those techniques, you need to structure the intel, and so I'm again using the ATT&CK Navigator. This is the full set of Turla techniques that I've extracted from ATT&CK, pulled out of their page there.
Everything that's here is only based on open source threat intelligence reporting, so it has the limitations of that. This is the sum total of all of those threat intelligence reports we mapped with Turla.

Okay, so we've got a pile of intel. What do we actually do with it? Is this any good? Do we have a picture of the adversary yet? We're going to need to go through some more work to figure out what we've got, what the adversary is trying to do, and do we even have enough of a picture to be able to make a plan here? The first two steps I'm going to work through are establishing the adversary's goal, so what is it that they're trying to do, to understand their modus operandi a little bit better in terms of what we're later going to want to operate like. An important point to remember is that this goal is probably not technical. The adversary is probably not focused on getting domain administrator or stealing a particular password. They're probably interested in fulfilling an intelligence requirement; they have some piece of information that they want to steal from your environment. So the goal is likely to be something more like data theft, or to stop you from operating, than "hack the Gibson" or brick a particular computer. After you've determined that goal, you need to look at what the gaps are between an adversary getting in and reaching that goal. So what is it I don't know about the middle that would let me look like that adversary?

To go through those first two steps, establishing an adversary goal: you could take a look at which tactics the adversary is using, so we can see that Turla has some stuff in collection and exfiltration. They've got nothing in impact. But instead I'm going to go back to the original reporting. This is a Kaspersky report on Turla, and they talk about how Turla went through, searching for emails; they were specifically looking for emails related to NATO energy dialogue, and shortly afterwards the report talks about them exfilling the information. Okay, they're stealing information around particular topics. Similarly, an ESET report: they're going through, they're getting into the victim's Microsoft SQL database, pulling documents out of it, and again exfilling and taking specific information. So we've got a relatively clear picture, and we can look at other reports and see the same thing over and over and over again: Turla is stealing information. So it looks like they're focused on theft of information and exfiltration.

I said that we need to then examine gaps between access and goal. I'm going to cover for a few minutes first why there are gaps. We've got this intel. It's in ATT&CK. It's all out there. Why isn't that enough for us to be able to work with? Open source intelligence likely doesn't paint a complete picture of an adversary. Frankly, commercial and closed intelligence probably doesn't either. There are biases in the information, in how it's gathered and what information is gathered, as well as nobody having perfect visibility. It's very rare that you have intelligence that tells you everything an adversary does, from the point when a victim clicks to the point when they actually are stealing information. And by putting it into ATT&CK, we add our own problems.
Group intelligence in ATT&CK is subject to our own biases, some of them very similar, and we're adding on to the biases that are coming from this open source intelligence. Some of that is from how we map from these intelligence reports and what it is we actually choose to bring in. Now, bias is usually a negative word in the English language. It sounds bad; it sounds like we may not like certain intelligence. But in threat intelligence we accept that all sources of intelligence have biases and limitations, and so we work to understand those and what they are so that we can account for them.

Some of why we have these biases in our reporting: any reporting source is going to have a visibility bias. There are only certain types of information that a given source is going to have. They might only have certain types of sensors; an incident response firm may only come in and have access to forensics and whatever sensors were in the environment at the time, whereas things that can only be seen in real time, so maybe decoded command and control traffic, or registry monitoring, other things that don't really leave much of a forensic trace, might not be in their visibility.

There's novelty bias. I'm kind of a beer snob. In normal pre-COVID times I walk into a good beer bar, I look at the taps that are there, and I see a bunch of stuff I've had before; it's been on my own tap list for years now, and I see the one tap that was the thing I've wanted to try for a while. Reporting can be a lot like that. I've got my reports: I've got my APT1338 report, where I've got a new actor, we've never seen them before, they're doing something new, and I've got my APT Elite report. I'm going to put out the one that's brand new; it's more likely to make a headline. And so our intel is biased by this, where some reports are more likely to come out than others.

As people are creating the intelligence in the first place, they have availability bias. Availability bias is a classic cognitive bias: I have some things that I am more familiar with, that I'm more used to seeing, that I'm more likely to recognize. So somebody who's done a ton of incident response, they've seen PowerShell over and over again; they might be more likely to notice the PowerShell activity and not notice that, say, the adversary got into the BIOS over here, or something super novel.

Victim bias: there are some victims where it is more likely for reporting to come out than others. There are only certain firms that can afford some of the companies that are putting out a lot of this threat intelligence reporting. Some victims are also in industries where they're a lot more likely to allow reports to come out; there may be issues with regulators if there's any information about them having been hacked. And so who the victim is is going to matter a lot for whether we ever hear about it.

And finally, in terms of open source biases, we have production bias. Some sources write more reports than others. If one company is writing dozens and dozens of reports that all have actor behaviors in them, and another company is just putting out a couple, then we're going to have more information to work with from one than from the other.

And I said we compound this: we add our own biases to these in the types of sources we select. A lot of the stuff I've been talking about is in terms of information from security vendors and threat intelligence firms. So 92% of the reports that we have in ATT&CK, as of the point when I made this slide, are coming from security vendors, 3% are coming from government reports, so things like public indictments and other publicly available government reports, and a few are coming from press reports; sometimes there's an article in Wired or The Register that describes really good, unique adversary activity. We have our own availability bias. In that mapping process of going through reports: we've reduced the number of techniques in ATT&CK a little bit recently, but there's still over 160 of them, and so it's hard for us to keep a working set of all of those techniques. We've got the techniques that we remember, that are at the tip of our tongue, and then we have the techniques in ATT&CK like Hidden File System that we almost never see in reporting. We have our own novelty bias. We've got dozens and dozens of reports on Fuzzy Deck using PowerShell, but we've got this one brand new report on APT Elite using Transmitted Data Manipulation, a fairly new technique. Yeah, we're probably going to go for the shiny new report.

And if you're using intel from ATT&CK, there's a couple other caveats to realize. The reporting that we've got in there on a given group page is from all different time periods combined. There's some reasons why we do this. Reporting frequently doesn't say when the activity happened. We might have a date on the report itself, not always, and a pox on people that put out threat intelligence reports without dates. But we don't even know necessarily when the intrusion happened, and I've seen reporting where I know the intrusion that they were talking about was four or five years old, where it sounded like they were talking about something recent. Some reports might only talk about a small range of activity. Some of why we end up adding the stuff together is so that we can talk enough about a single actor to paint a picture. If I've only got one report with, you know, 10 techniques in it, it's probably not telling me the range of activity that an actor can do. Our group pages only include behaviors that are directly tied to actor activity. Our standard for what we're adding into those pages is that the reporting says that the actor did it, and so that doesn't include behaviors of software that adversaries use. If there is a malware analysis report out there that we're putting into ATT&CK, that's going on the software pages, and we're not including that in the activity of the given adversary. And finally, the reporting we're using doesn't always agree on attribution, and so we're sometimes left trying to figure out what the heck group we should even be putting this into, and hopefully in most cases it's accurate.

So that sounds awful. What do we do about it? I've talked about this as our source of intel, and now I've talked about all these problems with it. The important part is to understand that there are these types of limitations and biases in the intel that we're using to do this emulation. Once we know that these limitations and gaps are there, we can start to determine where the gaps are in our specific intelligence. We don't just throw up our hands and say "I don't know anything, I'm just going back to running red teaming"; we need to account for these gaps and fill them in as we build our adversary emulation plan.

That was a long aside away from Turla, but let's start to look at how we might spot gaps in our specific adversary picture. Taking Turla as an example, how might we see some evidence that our information on Turla isn't perfect?
I can first look for missing dependencies So, um, my colleague Amy Applebaum wrote a blog post a couple years back On on trying to find related attack techniques So both dependencies where in order to do one technique, you might need this other technique first Or techniques that are very often seen together And so that could be a useful source for for doing this But I'm going to zoom in on a couple places in our profile of turla So let's look at initial access. So we've got some, you know, pretty simple techniques here To that drive by compromise We have phishing spear phishing attachment phishing spear phishing link Okay, relatively germane But if they're doing each of these things and these all do come from successful intrusions There are actions that need to follow that for the intrusion to have been successful as it was So I know I take a look at our execution for turla And I look at, you know, I've got user execution malicious link So the center malicious spear phishing link we clicked on it Okay They sent us a spear phishing attachment I don't actually have an execution technique for that So there's there's collie gap here It's something we probably need to fix but it There's I would expect there to be here either user execution malicious file or You know, potentially if they're being really ninja exploitation for client execution So, you know, maybe they're maybe it's a user clicking on the attachment Or maybe they're popping the outlook But you know, something is missing here We can also look for hints of dependencies, you know, and so we're we're trying to create something In the style of an adversary not necessarily exactly what they did But so I can look at something like lateral movement So, okay, we see them doing lateral to transfer tool transfer And samba windows admin shares Windows admin shares if if they're doing this technique It's usually something where they're being driven by operating system crunches to get around the network So, okay, 
there's something that should be in here as a credential access so that they've got the creds to do that. Well, what I've got here is Brute Force, which they could be using to do OS credentials. Credentials from Password Stores is usually other types of credentials rather than operating system. And so I'd really expect there to be something more like OS Credential Dumping or, you know, something with Kerberos tickets, so domain authentication here. So that's a sign that I might have another gap that I need to deal with.

Less dependable, but another way that we might be able to see signs of this is looking for things like unusually sparse tactics. So in the case of Turla, we've got an adversary who's been around since at least 2004, as I said in the beginning of this. Most adversaries over time are definitely developing multiple techniques to do a given tactic that's important to them. In the case of Turla, all we've got here for exfiltration is Exfiltration to Cloud Storage. And another reason why that's a little bit suspicious for Turla is that Turla is older than cloud storage, at least in the sense that we would generally mean by it. And so there are some signs that there might be another gap here in our picture of Turla.

Okay, so if there are gaps, and we don't necessarily have everything we need to get from where they have to start to achieving their goal, let's look at some ways of filling these in in a logical fashion that sticks to the spirit of the adversary as much as possible. I'm going to go over four techniques for filling in gaps. First is adding techniques from the software that the adversary is using. I'm going to fill in some of those dependencies that I just identified and add those in. Going to take a look at peer adversaries. So maybe we're still not able to get enough intelligence on stuff that's directly related to the one we've chosen; let's look at their peers.
Let's look at people who are operating like them, and we can borrow from them as well. And finally, if all of that fails, let's look at what lots of adversaries are doing. You know, it might be something that they're doing as well.

So if I go back to the ATT&CK group page, this is all the software that we've associated with Turla. There's a mix of different types of things in here. For starters, we have what I'm going to call utilities. So these are tools that are in every case but PsExec built into Windows, PsExec obviously being part of Sysinternals, so something that they've probably downloaded over the course of the intrusion, but it's a general-purpose tool that anyone's going to have access to. Next we've got public tools, so our public offensive tools. Turla, like a lot of actors out there, is a user of Mimikatz as well as Empire. And so this is something that's not just specific to Turla; we see tons of different adversaries using it. But Turla has a lot of possibly unique software. So these are pieces of software we have listed for no other adversary but Turla. We think that maybe they were written for them or written by them, but we at least don't have evidence of them being used elsewhere.

And so for filling in software, I'm going to start with just the possibly-unique-to-Turla set, and I've got a couple of reasons I'm going to do that. So the first is that some of the other tools that were there, like Mimikatz, Empire, or if they've been using something like Cobalt Strike, those tools have a ton of functionality. Off the top of my head,
I think Cobalt Strike we've got over 65 techniques mapped to, and so it starts to just color in the entire matrix, not necessarily the pieces that Turla is actually using. Something I've seen is that adversaries have a tendency to use more of the functionality of their own tools than of the general-purpose tools they're using, and that makes a lot of sense: if you are commissioning these or buying these tools, you're probably not going to ask for a lot of functionality that you never use.

So if I take all of the techniques that are associated with each of these tools and add them together, I get something that looks like this. And again, I'll release the slides so that you can zoom in a bit better; right now I'm just more showing sort of the shape of the coloring. You can see that this adds activity across a lot of different tactics, so we've got much more material here. And if I go back and then add my Turla profile back into that, I've now got quite a bit more there. So blue is what we already had with Turla, red is what we just added in with the software that they're using, and green's the overlap, so green is what we already had. And so I pointed out exfiltration was kind of thin in the original profile. Well, adding in the software they're using has helped fill that in a bit. So we've now got not just cloud storage but also Exfiltration Over Command and Control Channel, and so some more options for us to be able to work with too.

So I've still got some of those missing dependencies though, even with the software added in. So the next thing I'm going to go through is filling the missing dependencies. I didn't actually find a lot of those in Turla specifically, but there are definitely actors where there are more of these that you'll find. And so I'm going to take the fairly simple step with the missing dependencies I'd found to simply fill them in. So we're trying to stick to the spirit of the adversary; they
probably did these things in order to accomplish those other techniques, or after those other techniques. So I'm going to bring those into our profile. So that now gives me a relatively well fleshed out adversary profile. This also isn't coloring in quite as much of the ATT&CK matrix as it might appear here. I have only expanded out sub-techniques where there are techniques selected in them. So again, I'm trying to keep the matrix actually fitting on a slide, but there are quite a few sub-techniques that are still tucked in here that are not selected by Turla. So this is still keeping us to a scoping that is in the spirit of Turla.

So I think we're good here. I think for Turla itself, this is probably sufficient for us to work with in any scenario we want to create. But what if I was working on an actor where I couldn't do that? So the next thing I could do is start examining peer adversaries. Turla is attributed to be a Russian state actor that likes to steal information. So who else in ATT&CK do we have that looks like that? The ones that jump out are APT28 and APT29. These are the two groups that were attributed by the U.S. Government to be behind the DNC hacks a couple of years ago. They've been very prolific, and they do a wide range of their own activities. So this is just taking those two actors, combining them together. I could use them like this, where I'm just taking every technique from both, mashing them together, and using it, or maybe I just want to use it as a way of seeing what's popular for them.
So the green techniques are where there's overlap between these two adversaries.

Lastly, if the peers aren't enough, maybe I can just look at what techniques are common out there. So a number of companies over the past couple of years have started publishing annual reports on what ATT&CK techniques they've seen over the past year. And so looking at a couple of companies' reports on what techniques they saw in 2019, we can start to use those to fill in gaps. So the first one I'm going to use is Red Canary. So they put out a report; it's actually got a top 20 in it, but you can actually read the text on this one. So it is going through and it's in order, but it's important to understand, again, what this means. This is the top 10 techniques that they saw in the places that they have sensing in, and compared with their actual detectors. So it's not necessarily the 10 most popular techniques; it's the 10 most popular techniques they saw. And one way you can see it is pulling in Recorded Future, another company who put out top 20 techniques this year. I'm again cutting them down to 10 for the slide. But you'll note that the only overlap between these two lists is Process Injection. So we may want to combine a couple of these together in order to see where the overlaps are and add their data. But these are giving us some ideas of things that we know at least have been out there in the wild a bunch in the past year. So it doesn't tell us that Turla did these, it doesn't tell us that APT28 or 29 did these, but a bunch of people did them somewhere. And so adding them into our profile, you know, maybe still sticking to a realistic APT profile. And again, I wouldn't do this unless I wasn't able to get it directly from the threat intelligence on the actor.

So we've filled in some gaps. We've got a lot of things colored in now; we've got our pretty picture. So what do we do with it?
So how do we actually turn this into more of a profile? So I talked about a couple of gap techniques that I didn't use, and so going back to my Turla profile, that is Turla plus the software that appears to be unique to them plus filling in those dependencies. So I'm going to want to do something like this. So I've got my techniques, I've got my tactics, and I'm going to want to start to carve down to the techniques I want to actually use. And those techniques have a flow to them. So I've talked a teeny bit about dependencies, where one technique is going to require another. There are often cases where one tactic is generally going to require another one too. ATT&CK is not ordered. Obviously, yes, things off to the left in ATT&CK often happen before things to the right in ATT&CK, but there is no strict ordering to it. It is not a kill chain, and so tactics may happen in different orders. They may not appear at all in the intrusion. But we are going to want to force some ordering on them for operation so that we can actually build up a plan.

So here what I've done is I've started with initial access, so I've got the adversary breaking into the environment. Followed by execution, so the code actually getting run. So that's also got the most filled in here that I filled in using dependencies. From execution, they're going to be doing both discovery and privilege escalation. So I'm going to be able to do a lot of my discovery without needing extra privileges. At the same time, I'm going to be building up so that I can do my defense evasion, credential access, and persistence. Some of Turla's defense evasion does require privilege escalation.
So they do things like Hidden File System, which is a fairly unusual technique. And then, from my credential access, I'll then be able to do lateral movement. I've got my OS Credential Dumping, which lets me do my SMB/Windows Admin Shares. And the arrow is supposed to loop around from one side to the other back to execution and start it all over again.

So in order to bring this even closer to something I can operate with, the final organizational step I'm going to do is to organize technique flow into plan phases. So everything I've talked about here has started at initial access, and so that's using what's in Enterprise ATT&CK today. But obviously there are some steps that an adversary, as well as an adversary emulator, is going to need to do before they get into the environment. So that's this phase one. And so you might not be familiar with the tactics reconnaissance and resource development, and that's because they won't be in ATT&CK for another few months, but stay tuned. We actually are extending ATT&CK to match the scope of the cyber coaching and activities that come before you break into an environment. Phase two, I've got the adversary operating, setting down their footprint, expanding out, and getting into all the systems that they want to be in. And then, instead of collecting in parallel, I've got this particular adversary doing their collection and exfiltration at the end. So they've got the footprint and then they steal the information. And so I'm putting these in order so that we can use them for operations. This isn't going to be perfect, but a lot of these techniques and tactics have required ordering to them.

So the pieces I'm not really going to cover today, but just a few thoughts on making sure that we're applying intel as we go through the entire process. So we're going to want to develop tools to be able to do this. You want to be able to think, can we do this with COTS or open source? Are those reasonable for the given actor?
So in some cases we may have an actor who's using Empire or Cobalt Strike, so the answer to that is fairly obvious. If we have an actor that's doing nothing but bespoke tool development and using techniques that aren't really supported by much that's out there in public, we may need to do some custom work. But regardless, try to keep those payloads inspired by the APT, so you're looking at how they're packing and everything else, trying to stick to that intelligence.

And finally, as you actually operate, obviously you're going to have to set up all the infrastructure, test it out, and get it going. But once you're emulating the adversary, try to think about the modus operandi that we thought about earlier. The adversary is trying to steal targeted information. Now the goal is not to get into the domain controller, right? I saw somebody on Discord say, hack the Gibson. Think about your goal throughout this and where it is you're actually trying to get to. And then think about pacing. So how is it that the adversary actually operates? Are they somebody that is slow and methodical in how they're spreading out? Are they doing a smash and grab?
And so think about that as much as possible.

So in closing, some of the things I hope you take away from this: pick your adversary wisely. So there are a lot of things you can actually think about to leverage intel in the selection of an adversary in the first place. The intel on your adversary isn't going to be perfect. It doesn't matter if you're getting it from ATT&CK, from original sources, or wherever, it is not going to be perfect. But you can still emulate an adversary with imperfect intel. So this is something you can pull off even though you're not going to know absolutely everything about an adversary.

So I'll post my slides, but some of the links to resources I used in here: between ATT&CK Navigator and ATT&CK itself, we've put out a couple of emulation plans where we've used this process and shown how we've actually done it. And we've got our own red team automated tool, CALDERA, that we've actually ported at least the APT29 emulation plan over to. And I'm reachable in a couple of different venues, via ATT&CK, via Twitter, whatever. And that's it for me, and so I'm going to be answering questions in Discord after this. But a couple I did catch scroll by that I'll take on now. So I saw somebody asking, am I talking about the PRE-ATT&CK stuff?
Yes, so we're undergoing a merger right now of the information that's in PRE-ATT&CK. We are refactoring it down to just information that is technical, things that some defender somewhere can see. So some of the intelligence planning steps are going to be going away, and we're refactoring that into two new tactics, Reconnaissance and Resource Development. So that's something you can expect to see in the next release of ATT&CK. And with that, I will be answering questions in Discord, and thank you for attending my talk.

Thank you so much, Adam, and thank you for supporting not only the community and DEF CON but the Red Team Village as well. Amazing talk. And for those of you that are watching on Twitch, YouTube, Periscope, there should be a link in the bottom of the screen. That's where you actually can get access to the Discord server Adam was mentioning. And we're going to go on a brief break, and the next presentation will start in just
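The gap-spotting and gap-filling process the talk walks through (missing dependencies, unusually sparse tactics, filling from the actor's possibly-unique software, filling dependencies, borrowing a peer overlap, then forcing an operational ordering into plan phases), as an added Python illustration. This is not part of the talk and is not MITRE, CALDERA or ATT&CK Navigator code. Every group name (GroupX, GroupY, GroupZ), technique set, software-to-group mapping, dependency rule and phase definition below is constructed for the example, loosely following the Turla walkthrough; technique names follow ATT&CK naming, but the data is not ATT&CK data.

```python
"""Spot and fill gaps in an ATT&CK-style adversary profile, then order it into plan phases.
Added illustration of the talk's process, not MITRE/CALDERA/ATT&CK Navigator code. Every group,
technique set, software mapping and dependency rule is constructed for the example, not ATT&CK data."""
from collections import Counter

# Technique -> tactic (ATT&CK technique names; one tactic per technique here for simplicity).
TACTIC_OF = {t: tac for tac, ts in {
    "initial-access": ["Drive-by Compromise", "Spearphishing Attachment", "Spearphishing Link"],
    "execution": ["User Execution: Malicious Link", "User Execution: Malicious File",
                  "Exploitation for Client Execution"],
    "credential-access": ["Brute Force", "Credentials from Password Stores", "OS Credential Dumping",
                          "Steal or Forge Kerberos Tickets"],
    "lateral-movement": ["SMB/Windows Admin Shares"],
    "command-and-control": ["Ingress Tool Transfer"],
    "defense-evasion": ["Hidden File System", "Process Injection"],
    "exfiltration": ["Exfiltration to Cloud Storage", "Exfiltration Over C2 Channel"],
}.items() for t in ts}

# Constructed dependency rules: technique -> alternatives, one of which should also appear in a
# profile that was built from successful intrusions.
DEPENDENCIES = {
    "Spearphishing Attachment": {"User Execution: Malicious File", "Exploitation for Client Execution"},
    "Spearphishing Link": {"User Execution: Malicious Link"},
    "SMB/Windows Admin Shares": {"OS Credential Dumping", "Steal or Forge Kerberos Tickets"},
}
# Constructed software -> (techniques mapped to it, groups reported using it).
SOFTWARE = {
    "UniqueImplantA": ({"Exfiltration Over C2 Channel", "Hidden File System"}, {"GroupX"}),
    "Mimikatz": ({"OS Credential Dumping", "Steal or Forge Kerberos Tickets"}, {"GroupX", "GroupY", "GroupZ"}),
    "PsExec": ({"SMB/Windows Admin Shares"}, {"GroupX", "GroupY"}),
}
# Constructed starting profiles: what reporting says each group did.
GROUP_X_REPORTED = {"Drive-by Compromise", "Spearphishing Attachment", "Spearphishing Link",
                    "User Execution: Malicious Link", "Brute Force", "Credentials from Password Stores",
                    "Ingress Tool Transfer", "SMB/Windows Admin Shares", "Exfiltration to Cloud Storage"}
PEER_Y = {"Spearphishing Link", "User Execution: Malicious Link", "Process Injection", "OS Credential Dumping"}
PEER_Z = {"Spearphishing Attachment", "Process Injection", "OS Credential Dumping", "Exfiltration Over C2 Channel"}
# Operational ordering forced onto the (unordered) tactics.
PHASES = [
    ("phase1-pre-access", ["reconnaissance", "resource-development"]),
    ("phase2-access-and-footprint", ["initial-access", "execution", "privilege-escalation", "defense-evasion",
                                     "credential-access", "discovery", "persistence", "lateral-movement",
                                     "command-and-control"]),
    ("phase3-collect-and-exfil", ["collection", "exfiltration"]),
]

def missing_dependencies(profile, deps=DEPENDENCIES):
    """Techniques in the profile with none of their prerequisite/follow-on alternatives present."""
    return {t: alts for t, alts in deps.items() if t in profile and alts.isdisjoint(profile)}

def sparse_tactics(profile, tactic_of=TACTIC_OF, max_count=1):
    """Tactics covered by at most max_count technique(s): a weaker hint that intel is missing."""
    counts = Counter(tactic_of[t] for t in profile)
    return {tac for tac, n in counts.items() if n <= max_count}

def fill_from_software(profile, group, software=SOFTWARE, unique_only=True):
    """Add techniques of the group's software; by default only software seen with no other group."""
    added = set()
    for name, (techs, users) in software.items():
        if group in users and (users == {group} or not unique_only):
            for t in techs - set(profile):
                profile[t] = f"software:{name}"
                added.add(t)
    return added

def fill_dependencies(profile, preference=(), deps=DEPENDENCIES):
    """Fill each missing dependency with one alternative, the first listed in `preference` if any."""
    added = set()
    for t, alts in missing_dependencies(profile, deps).items():
        choice = next((p for p in preference if p in alts), min(alts))
        profile[choice] = f"dependency-of:{t}"
        added.add(choice)
    return added

def peer_overlap(*peer_profiles):
    """Techniques shared by every peer group (the 'green' overlap on the slide)."""
    return set.intersection(*(set(p) for p in peer_profiles))

def fill_from(profile, techniques, label):
    """Last resort: add techniques borrowed from peers or from annual 'top techniques' reports."""
    added = set(techniques) - set(profile)
    for t in added:
        profile[t] = label
    return added

def order_into_phases(profile, tactic_of=TACTIC_OF, phases=PHASES):
    """Carve the profile into plan phases, ordered by the tactic order given in `phases`."""
    rank = [tac for _, tacs in phases for tac in tacs]
    plan = {name: [] for name, _ in phases}
    for t in sorted(profile, key=lambda t: (rank.index(tactic_of[t]), t)):
        phase = next(name for name, tacs in phases if tactic_of[t] in tacs)
        plan[phase].append(t)
    return plan

def walk_through(group, reported, preference=()):
    """Gap check, then fill from unique software and dependencies; returns (profile, report)."""
    profile = {t: "reporting" for t in reported}  # technique -> provenance (the slide colouring)
    report = {"missing_before": missing_dependencies(profile), "sparse_before": sparse_tactics(profile)}
    report["from_software"] = fill_from_software(profile, group)
    report["from_dependencies"] = fill_dependencies(profile, preference)
    report["missing_after"] = missing_dependencies(profile)
    report["sparse_after"] = sparse_tactics(profile)
    return profile, report

if __name__ == "__main__":
    prof, rep = walk_through("GroupX", GROUP_X_REPORTED, preference=("User Execution: Malicious File",))
    rep["from_peers"] = fill_from(prof, peer_overlap(PEER_Y, PEER_Z), "peer-overlap")
    print({k: sorted(v) for k, v in rep.items()})
    print(order_into_phases(prof))
```

The provenance label kept on every technique is the point: after the walkthrough you can still tell which techniques came from reporting, which came from the actor's own software, which were filled in as dependencies, and which were borrowed from peers, which is what keeps the plan honest about how imperfect the underlying intel is. Swap the constructed data for exported ATT&CK Navigator layers to run the same checks on a real profile.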