Developing An Adversary Emulation Plan
Duration: 29:39

HackerSploit · 13.01.2025 · 5,131 views · 209 likes

Video description
Creating an adversary emulation plan is a critical process for red teamers and cybersecurity professionals aiming to improve their organization's threat detection and response capabilities. In this video, we break down the entire process, starting with how to select a threat actor relevant to your industry or geolocation, finding and leveraging Cyber Threat Intelligence (CTI) to gather insights on the adversary, and mapping the adversary's TTPs using the MITRE ATT&CK framework.

🔗 Video Resources & References
Explore the comprehensive APT Groups and Operations Directory to find details on APT groups by region, their TTPs, and campaigns: https://apt.threattracking.com
APTnotes: https://github.com/kbandla/APTnotes
APT & CyberCriminal Campaign Collection: https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections

// MORE RESOURCES
HACKERSPLOIT BLOG ►► https://bit.ly/3qjvSjK
HACKERSPLOIT FORUM ►► https://bit.ly/39r2kcY
HACKERSPLOIT ACADEMY ►► https://bit.ly/39CuORr
CYBER RANGES (LABS) ►► https://app.cyberranges.com

// SOCIAL NETWORKS
TWITTER ►► https://bit.ly/3sNKXfq
INSTAGRAM ►► https://bit.ly/3sP1Syh
LINKEDIN ►► https://bit.ly/360qwlN
PATREON ►► https://bit.ly/365iDLK
MERCHANDISE ►► https://bit.ly/3c2jDEn

// MY BOOKS
Privilege Escalation Techniques ►► https://amzn.to/3ylCl33
Docker Security Essentials (FREE) ►► https://bit.ly/3pDcFuA

// SUPPORT THE CHANNEL
NordVPN Affiliate Link (73% Off) ►► https://bit.ly/3DEPbu5
Get $100 In Free Linode Credit ►► https://bit.ly/3yagvix

// CYBERTALK PODCAST
Spotify ►► https://spoti.fi/3lP65jv
Apple Podcasts ►► https://apple.co/3GsIPQo

// WE VALUE YOUR FEEDBACK
We hope you enjoyed the video and found value in the content. We value your feedback; if you have any questions or suggestions, feel free to post them in the comments section or contact us directly via our social platforms.

// THANK YOU!
Thanks for watching! Благодарю за просмотр! Kiitos katsomisesta Danke fürs Zuschauen! 感谢您观看 Merci d'avoir regardé Obrigado por assistir دیکھنے کے لیے شکریہ देखने के लिए धन्यवाद Grazie per la visione Gracias por ver شكرا للمشاهدة

#pentesting #cybersecurity #hacker

Contents (6 segments)

Segment 1 (00:00 - 05:00)

Hey guys, HackerSploit here, back again with another video. Welcome back to the adversary emulation series. In this video we're going to be taking a look at how to develop an adversary emulation plan. In the previous two videos we got an introduction to adversary emulation and then we also took a look at APT groups, and the reason as to why that's important I already explained in those videos, so if you are new, definitely check the last two videos out; they're going to be in the red team playlist on the channel. But this video is going to be very important, because in the next video we're going to be getting started with the practical stuff, so we're actually going to be doing stuff in a lab on the Cyber Ranges platform. The reason this is an important video within this series will become apparent, so let's not waste any more time.

What does developing an adversary emulation plan entail? Generally speaking, when I introduced you to adversary emulation I sort of explained what it is and what the objectives were, and with that being said it sort of goes without saying that you need a plan, just like a pentest or red team operation or engagement. So the first step in creating an adversary emulation plan is of course deciding which threat actor you'll be emulating. Now, if the organization that has contracted you to perform a red team operation, more specifically an adversary emulation campaign, has not given you an adversary to emulate or to use as a basis for your emulation, this specific process will apply. However, even if you already know, generally speaking, what types of adversaries or APT groups you probably want to emulate based on the organization's geographic location or the sector or industry they operate in, the bottom line is that regardless of whatever info you have
regarding what APT group you're going to emulate, there are a couple of considerations that you need to keep in mind. Firstly, does the APT group or the actual adversary target a specific industry? Do they target organizations in a specific geographical location? And more importantly, is there sufficient CTI (cyber threat intelligence) available on that specific APT group that can essentially be used to develop your adversary emulation plan, or I should say campaign? So is there enough information on the TTPs that have been attributed to this particular group? And then, I wouldn't say a consideration with added importance, but a further consideration is whether or not you have access to private CTI or commercial CTI, and this could be provided by the organization, stuff like that.

Now, to contextualize everything, let's say I've been hired to perform an adversary emulation campaign, or a red team operation for all intents and purposes, but the company has told me: "Hey, we're not going to give you any APT, or we don't really know what APT is likely to target us. Can you, based on where we're located geographically and based on what industry we operate in, identify actors that are quite active or likely to target organizations like ours within the geographic locations that we operate in?" That's one scenario. The other scenario is that the organization is fairly experienced from a security perspective and they tell you: "Hey, we want you to emulate APT29 based on these factors." So, as I was sort of making the point earlier, it doesn't really matter where you start or what info you have; these are very important questions to be asking yourself.

One important note here is that the organization you're performing the adversary emulation campaign for
may have closed-source CTI from prior attacks. So if the organization is fairly mature from a security perspective and they actually do have a blue team or a CTI department, they may have CTI or IOCs from previous attacks that they've encountered, and if that CTI is available

Segment 2 (05:00 - 10:00)

to you and it is of sufficient detail, then you would essentially use that particular threat actor, or the data from that particular attack from the organization itself, as part of your adversary emulation campaign. But of course this is something that they would ask you to do or to consider.

So let's start off by understanding how to find threat actors that are targeting a specific industry. Let's say the organization that has hired you operates within the financial services or biotechnology industry. What do you do? Well, the easiest starting point, and we'll go through this practically, is the most common or well-known CTI source, and that's MITRE ATT&CK; more specifically, under the CTI section there's going to be a section on groups. Once you're in there you can easily just perform a quick search on the web page and search for specific industries. So for example, as shown in the screenshot, if I look for biotechnology, this will give us adversaries or APT groups that target biotechnology organizations. Now, this is not a fail-safe method, or one that I would recommend; it's just a great starting point. On the MITRE ATT&CK groups page we can see a listing of many threat actors with a brief description related to their behaviors and targets, which is again exactly what we want to begin with, and then you can search for your industry on this page.

Moving on: after you've identified a list of threat actors that target a specific industry, you can check to see which ones have targeted your geographic location. I'm speaking now in the first person, but if you're performing this for an organization then you'd find threat actors that target the organization's specific geographical
location or region that they operate in. In the case of the slides I've just used an example here of BRONZE BUTLER, which targets Japanese organizations. And as I covered in the previous video, I would highly recommend that you also use the additional resources referenced in the APT Groups and Operations spreadsheet, but also the spreadsheet itself; there are also a couple of links, services and resources that are listed within that spreadsheet. If you're not familiar with this spreadsheet, take a look at the previous video, the one just before this one if you're watching this series sequentially.

So you can see in this case I've sort of compiled three key bits of information. I've highlighted the group's origin: BRONZE BUTLER, where is it from? China. That's from the APT Groups and Operations spreadsheet. I then, using the MITRE ATT&CK framework, identified right over here the tool set or malware that they are known to use, and then right over here just an example of the attack kill chain that they typically follow in their operations, or what has been established. So the initial access is obtained from an infected website, where the targeted user visits that website and then a file is downloaded; I wouldn't say a file, it's a payload that then drops another backdoor Trojan, and that initiates a connection to a command and control server. So very basic; this is not actually specific to BRONZE BUTLER, but quite important for you to understand.

We then move on to selecting the threat actor or adversary to emulate. In this case, based on the example in the slides, I've sort of gone with BRONZE BUTLER, but you'd obviously assume that, depending on the geographic location that the company that hired you operates in, or the industry they operate in, you're going to have, I would say not a sizable list, but a list
nonetheless, so more than one. And based on the considerations I outlined in the first slide, you essentially filter through or trim your list to certain actors that may be interested in targeting the organization that you're performing the adversary emulation campaign for, and you can then, based on the data you've collected up to this point, select the one that best serves your requirements or your needs. And that's sort of the most important thing; I would say the most important criterion that you should be concerned with is how much CTI is available. So if you want to emulate an APT group

Segment 3 (10:00 - 15:00)

successfully, or quite thoroughly or rigorously if you will, or I should say realistically, in the sense that the company that you're performing the adversary emulation campaign for actually gets a realistic understanding of what they're likely to face or what issues they currently have within the security of their infrastructure, you should essentially find an APT group or a threat actor that again you have filtered, or you've gone through the process of selecting. But one key determining factor that I've seen is the amount of CTI that you have available. So if you don't know much about the group, but it falls within the list of groups that again meet your initial requirements, and there's not a lot known about that particular group, then you would obviously want to choose one that quite a bit of CTI is available on.

In this case, for the sake of this example, we're going to assume that we do not have access to private CTI, so we'll only look for what is publicly available. Just following along with the example, we can examine the public or freely accessible CTI. To start off, we can kick off by taking a look at what is directly available, and that's on the MITRE ATT&CK groups page. When you click on a particular group, at the bottom you're going to have a set of references; that's again very basic, but this is the initial starting point. In this case the group BRONZE BUTLER has a fair amount of publicly available CTI, and there are many techniques listed for the group along with associated software. In such an instance, selecting a threat actor could be done either based on any of the other criteria relevant to the organization you're performing the campaign for, arbitrarily, or both could be emulated. So it's quite dynamic; the bottom line is it's all going to come down to what the organization has asked you to do, whether
they have any specific requirements, stuff like this. And as I mentioned, you can find references in the references section for a particular group on the MITRE ATT&CK website.

Then obviously you move on to selecting the TTPs to emulate. So we're now assuming that you've selected the group you want to emulate; now you need to select the TTPs. Luckily for us, in most cases all groups cataloged or indexed on the MITRE ATT&CK website under the groups section have an ATT&CK Navigator layer. If you're not familiar with the ATT&CK Navigator, take a look at the video that introduces you to the MITRE ATT&CK framework as well as the Navigator within this playlist, the red team playlist. It covers exactly how you can use the Navigator layer to map APT TTPs and also do a few more interesting or useful things, essentially how to operationalize it. So you'll be able to get the TTPs, but this is still not a plan.

Touching specifically on the process of creating a plan: in general, an emulation plan should include most if not all of the post-compromise tactics. Including initial access techniques can also add value to the emulation plan, but of course if the organization tells you, "Hey, we don't want you to do any initial compromise, just perform or emulate post-compromise TTPs," then you would need to adapt accordingly. So very important to keep in mind. This is an example of the BRONZE BUTLER TTPs on the ATT&CK Navigator, which we'll go through in an example in a few seconds just to refresh your memory.

And then of course we have the attack kill chain. Now, this will require quite extensive analysis of the APT group you're trying to emulate and the campaigns or attacks that it has been involved in, and this is where very good CTI comes into play, because analysis papers
performed on the group can be very insightful in giving you an understanding of when and how the threat group or adversary or APT group implements specific TTPs. The MITRE ATT&CK Navigator page for a specific APT group just gives you a list of the TTPs; however, how do you tell which technique is executed first? Because you may see three or four initial access techniques that are attributed to the group based on different campaigns, and you need to tailor that. But then post-compromise, if you see, like, three privilege escalation techniques, you need to have an understanding of the typical sequence that they follow, and this is where the attack kill chain, this is where

Segment 4 (15:00 - 20:00)

it comes into play. So while adversaries often follow a similar path of attack, there can be significant differences that set them apart from each other, obviously, and to emulate the adversary as closely or as accurately as possible, we should try to determine the path of attack our chosen threat actor has been known to follow. Fortunately for us, there are often sources that report on the attack path, and sometimes these are presented in the form of clean visuals like so. At other times you'll need to dig through the various CTI reports on the group and sort of put together a diagram. I always find that using an attack kill chain diagram is quite useful in understanding the different steps, what happens, so on and so forth.

And then of course the final step is converting the TTPs into an emulation plan. There are a couple of important considerations here. Firstly, some tactics may be repeated within the attack path. For example, an adversary may perform remote discovery immediately following initial compromise to understand the network topology, or to perform local enumeration on the network. They may then move on to performing local discovery to discover files of interest after lateral movement. The result of this is that, from your perspective, this will create some complexity in assigning techniques to the attack path, or in understanding the sequence, as I mentioned in the previous slide, but this can be solved with additional considerations and research. It may also be appropriate to perform the same technique in multiple phases of the emulation, or you may see certain TTPs being used by the same group but in different parts, so there's going to be an overlap. This is very important, because while the attack path is represented in a linear format, adversary behaviors are often cyclical. Adversary
campaigns can be very lengthy, and it is expected behavior for adversaries to attempt to gather information through discovery, credential access and collection for most if not all machines they gain access to throughout their campaign, which may again be followed by further lateral movement.

So what does this mean? Let's say an APT group, let's take BRONZE BUTLER (I'm not saying this is the case, but let's take it as an example): you may see that within discovery they're using quite a few techniques; however, they may be using local enumeration or discovery techniques that are different for one type of system. Let's say they've targeted an Active Directory domain: for standard workstations they may have one set of discovery or local enumeration techniques, but then when they move on to a domain controller it changes up, obviously. So you need to keep this in mind.

Now, not all of the techniques that you found may fit neatly within the attack path that you've generated, and that's perfectly fine. It is not vital to strictly follow the attack path; some deviation is acceptable, and alternatively, if the technique does not fit neatly or logically in any part of the attack path, it may also be appropriate to leave it out entirely. So this now comes into some of the more advanced aspects of adversary emulation: specific APT groups that, let's say, have quite a complex infrastructure, and let's say you don't want to emulate the attack infrastructure with that much complexity, so it's not going to be a one-to-one match. The key thing is that you emulate the known TTPs. And if you're assuming a post-compromise scenario, you can begin your emulation after initial access, so you may not need to factor that in. Once you have the attack path developed, you can start fitting the techniques you've
already gathered into this path. And that's basically the process of developing a plan, or an adversary emulation plan. Of course we'll take a look at a fully fleshed-out plan in the next video, when we get started with the practical stuff and we'll be taking a look at emulating FIN6. We'll go through pretty much everything, emulating FIN6, and then we'll move on to a more advanced adversary like APT29. We'll also emulate it both manually and automatically, or we'll have two emulation plans: one will require us to do stuff like developing payloads manually, and the other will be automated. So this is going to be quite extensive.

I just want to go through a quick demo session here where I go through what I explained in the slides, just to contextualize everything. So I'm going to switch over into my Kali Linux system, and I'll just see you guys there.

All right, so I'm back on my Kali Linux system, and I've just come up with a quick exercise of what you'd typically expect. So an organization could tell you, hey, the organization you're performing

Segment 5 (20:00 - 25:00)

the red team operation or adversary emulation campaign for operates in the financial sector and they currently reside in North America. So we're supposed to use this information to identify threat actors that target organizations within North America but, more importantly, target companies within the financial sector. So we have two criteria.

The starting point, as I mentioned, is the MITRE ATT&CK website here: under CTI you head over into Groups and you can begin your basic search here. Now, as I said, I would not recommend just using the ATT&CK website and just selecting APT groups or adversaries that way, but we start here. So I'm going to say "North America" to find groups, and in this case the first match is APT39, but we can see that their objectives or the target organizations are really not what we want, in that you can see that they've targeted travel, hospitality, academic and telecommunications industries in Iran and also North America, as well as, I would say, pretty much all the continents or most of the continents. So let's go to the next one here. We have FIN10, which, based on the previous video where I introduced you to APT groups, the abbreviation FIN means it is a financially motivated group, and this one looks like a good match. You can see it's a FIN group, so a financially motivated threat group that has targeted organizations in North America since at least 2013 to 2016, so it may not be relevant in this particular case, but we can keep on. We also have Fox Kitten, which is Iranian and doesn't really target organizations within the industry that we specified in the case of this example, so we can proceed to the next one. We have this one right over here: nothing in the financial sector there. We have MuddyWater:
nothing here. Let's go to the next one: we have Play, this is a ransomware group. Okay, so you can see we've been able to find quite a few, but none of them meets both our criteria except FIN10.

But let's try and turn this around: let's try and search for the sector first. So right over here we have quite a few, and there we are, we have the FIN groups here. We can actually take a look at FIN6, given that that's the one we're going to emulate. You can see right over here it says FIN6 is a cybercrime group that has stolen payment card data and sold it for profit on underground marketplaces. So if the organization that you're performing the campaign for does store card data and stuff like this, that could be another way of fine-tuning your list.

When you click on a group, again just as an example, you can see the associated groups, so Magecart Group 6, Skeleton Spider, and then you can take a look at the techniques used. Right over here you would have the ATT&CK Navigator layer for the group that lists out all the TTPs that are known or have been attributed to this particular group; we'll give that a few seconds. You can scroll down, and right over here you have the software that they use and the techniques that it has been used for: AdFind, quite common, and we'll actually be taking a look at how to utilize AdFind when we're emulating FIN6; Cobalt Strike, that seems to be their primary C2; GrimAgent; Mimikatz, obviously. And then right over here you have references, and this is the best starting point for CTI, or for you to understand the attack kill chain, for example. Right over here we have some quite useful reports by vendors like FireEye. I'm not sure that's working; okay, no problem there. We can also try a couple of these others, like
this one, that's a CrowdStrike Global Threat Report, so probably not relevant or specific to that. Let's try and open up this one here, that's FireEye as well. These are essentially the starting points. Right over here in ATT&CK, let me open up the layer controls, sorry, one second; right over here I'm just going

Segment 6 (25:00 - 29:00)

to collapse them all. So these are the known TTPs. You can see initial access: they start off with valid accounts; command and scripting interpreter, they use JavaScript, PowerShell, Windows command shell, WMI; and then valid accounts for persistence; privilege escalation: valid accounts as well, and access token manipulation. So fairly standard. Right over here you can see one example of the references here, which can essentially help you understand more about the group and understand how they actually perform their attacks.

I mentioned in the slides that the APT Groups and Operations spreadsheet, which is linked in the description section of this video, is a great starting point. I would also highly recommend you take a look at the APTnotes GitHub repo, where you can essentially search for groups based on campaigns or attacks. I'm just going to wait. So if I say "FIN6" right over here, let's see: FIN7, we have stuff on FIN7. Let's try some of the other known names. Now we can say "FIN6": okay, nothing there. You can also go through it by year: so here I see quite a few operations having been performed in 2018. This one looks interesting; it may not be related to FIN6, actually it is, there we are, FIN6, and you can see it here. This I know is quite a good report because I've seen it before; this is by FireEye. You can see it sort of outlines how they go about targeting organizations and, more importantly, initial access, stuff like this. So that's the first resource.

I would also recommend taking a look at Cyber Campaigns; I don't think that works, actually I think it works, but the one I would recommend taking a look at is this one here, this GitHub repo here, which is the APT & CyberCriminal Campaign Collection. So we can just navigate there, and then also the search functionality. Let me just show you this here: Malpedia is a great place for
malware; we'll probably take a look at it later, or at a later point, but there should be a search option here. But there we are, this is the APT & CyberCriminal Campaign Collection, where you can now go through it again by year, or you can also just try and search for the stuff you're looking for manually. So in this case you can see we have the FIN6 reference here, and this is essentially publicly available CTI. We have one here by Trend Micro, and there we are, we have an attack path or kill chain as well as an analysis of the attack, and this is where you can start getting into stuff like the IOCs, stuff like this.

One of the resources which I believe is highlighted in this GitHub repo is APT Search, and by the way I'll put a link to all of these. These allow you to perform a quick search for a particular APT group, so I can say "FIN6" here, and I can then start finding out references, or pretty much CTI on the group, to learn more about it. Huh, that's weird, it said there were five pages; search for FIN6 again, go to page two. And yeah, so there's a lot of stuff you can get into. I'd highly recommend you take a look at the APTnotes GitHub repo and this repo right over here; they sort of have links out to some of the other resources that I've already shown you.

But with that being said, that's going to be it for this video, and I'll be seeing you guys in the next video, when we'll be taking a look at the FIN6 emulation plan. So I'll see you guys there.
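As an added example that is not part of the video, the Python script below takes an ATT&CK Navigator layer in the export shape a group page provides, orders the attributed techniques along the kill chain into a plan skeleton, flags techniques that recur under several tactics (the overlap discussed above, such as Valid Accounts appearing under initial access, persistence and privilege escalation), and can drop the pre-compromise tactics when the organization asks for post-compromise TTPs only. The layer data is constructed for illustration; the technique IDs are real ATT&CK identifiers but their attribution here is not any real group's.

```python
"""Emulation-plan skeleton from an ATT&CK Navigator layer (added example).

The layer below is constructed for illustration: it follows the shape of a
Navigator export (name, versions, domain, techniques[] with techniqueID and
tactic) but the technique set is not a real group's attribution.
"""
import json
from collections import defaultdict

# ATT&CK Enterprise tactics in kill-chain order, using the short names the
# Navigator writes into the "tactic" field of each technique entry.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion",
    "credential-access", "discovery", "lateral-movement", "collection",
    "command-and-control", "exfiltration", "impact",
]
# Everything from execution onwards is treated as post-compromise here.
POST_COMPROMISE_START = "execution"

# Constructed sample layer (not a real group's Navigator export).
SAMPLE_LAYER = json.dumps({
    "name": "constructed example group",
    "versions": {"attack": "16", "navigator": "5.1.0", "layer": "4.5"},
    "domain": "enterprise-attack",
    "techniques": [
        {"techniqueID": "T1078", "tactic": "initial-access", "score": 1},
        {"techniqueID": "T1059.001", "tactic": "execution", "score": 1},
        {"techniqueID": "T1059.003", "tactic": "execution", "score": 1},
        {"techniqueID": "T1047", "tactic": "execution", "score": 1},
        {"techniqueID": "T1078", "tactic": "persistence", "score": 1},
        {"techniqueID": "T1078", "tactic": "privilege-escalation", "score": 1},
        {"techniqueID": "T1134", "tactic": "privilege-escalation", "score": 1},
        {"techniqueID": "T1087.002", "tactic": "discovery", "score": 1},
        {"techniqueID": "T1087.002", "tactic": "discovery", "score": 1},
        {"techniqueID": "T1021.001", "tactic": "lateral-movement", "score": 1},
    ],
})


def load_layer(text):
    """Parse a layer and reject anything that is not an Enterprise layer."""
    layer = json.loads(text)
    if layer.get("domain") != "enterprise-attack":
        raise ValueError("expected an enterprise-attack Navigator layer")
    return layer


def techniques_by_tactic(layer):
    """Map each tactic to its unique, sorted technique IDs.

    A technique listed under several tactics stays under each of them; that
    is the overlap an emulation plan has to account for. Duplicate entries
    for the same tactic are collapsed. Unknown tactic names are an error
    rather than being silently dropped from the plan.
    """
    by_tactic = defaultdict(set)
    for entry in layer["techniques"]:
        tactic = entry["tactic"]
        if tactic not in TACTIC_ORDER:
            raise ValueError(f"unknown tactic in layer: {tactic}")
        by_tactic[tactic].add(entry["techniqueID"])
    return {tactic: sorted(ids) for tactic, ids in by_tactic.items()}


def multi_tactic_techniques(by_tactic):
    """Techniques attributed under more than one tactic, with those tactics
    in kill-chain order (e.g. T1078 Valid Accounts used for initial access,
    persistence and privilege escalation)."""
    tactics_for = defaultdict(list)
    for tactic in TACTIC_ORDER:
        for tid in by_tactic.get(tactic, []):
            tactics_for[tid].append(tactic)
    return {tid: t for tid, t in tactics_for.items() if len(t) > 1}


def build_plan(layer, post_compromise_only=False):
    """Return the plan skeleton: (phase, tactic, technique IDs) tuples in
    kill-chain order, skipping tactics with nothing attributed. With
    post_compromise_only the pre-access tactics are dropped, as when the
    organization asks for post-compromise TTPs only."""
    by_tactic = techniques_by_tactic(layer)
    start = TACTIC_ORDER.index(POST_COMPROMISE_START) if post_compromise_only else 0
    plan = []
    for tactic in TACTIC_ORDER[start:]:
        if tactic in by_tactic:
            plan.append((len(plan) + 1, tactic, by_tactic[tactic]))
    return plan


if __name__ == "__main__":
    layer = load_layer(SAMPLE_LAYER)
    for phase, tactic, ids in build_plan(layer):
        print(f"Phase {phase}: {tactic}: {', '.join(ids)}")
    for tid, tactics in multi_tactic_techniques(techniques_by_tactic(layer)).items():
        print(f"{tid} recurs across: {', '.join(tactics)}")
```

Point it at a layer downloaded from a group's ATT&CK page and the recurring techniques are the ones you have to place in more than one phase of the attack path, or consciously leave out.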
