
Transforming Adversary Emulation Into a Data Analysis Question

From MITRE ATT&CKcon Power Hour October 2020

By Matan Hart, Co-Founder & CEO Cymptom @machosec

Adversary emulation is commonly used to validate security controls and is considered one of the most popular use cases for the ATT&CK framework. However, emulating adversary TTPs in production environments is often very limited in testing scope and frequency, and such practice may cause unwanted business disruption. In this talk from the MITRE ATT&CKcon Power Hour session on October 9, 2020, Hart presents a different approach to testing controls against ATT&CK. He demonstrates how data-based methods can evaluate the exploitability of ATT&CK techniques by gathering information from the network, endpoints, and services; this approach does not emulate any malicious action, which keeps the potential for business disruption to a minimum. Hart also outlines a new open-source guideline based on ATT&CK mitigations that security teams can use to assess their security posture non-intrusively and at scale.


Transforming Adversary Emulation Into a Data Analysis Question

  1. Transforming Adversary Emulation Into a Data Analysis Question. Contact: matan@cymptom.com, @machosec, matanhart
  2. Who Am I: Co-Founder, CEO @ Cymptom; Security Researcher; Speaker - Black Hat, BSides, etc. Content inspired by true events... During COVID...
  3. Adversary Emulation: tests how defenses fare against a specific threat. Atomic testing cycle with ATT&CK. Source: https://www.mitre.org/sites/default/files/publications/mitre-getting-started-with-attack-october-2019.pdf
  4. Adversary Emulation Does Not Scale. Nor was it intended to...
  5. Determining Exploitability By Detection / Mitigation Capabilities
  6. The Methodology:
       - Select an ATT&CK technique and list its mitigations
       - Analyze the applicability of each mitigation
       - Validate the effectiveness of each mitigation
       - Conclude the technique's exploitability
  7. Unbiased, Adversary-driven Prioritization: based on the number of attack paths and the number of attack techniques (steps) involved. Test Case: Pass The Hash (T1550.002)
  8. Unbiased, Adversary-driven Prioritization (continued)
  9. Analyzing Exposure By Mitigation:
       Mitigation                    | What                                    | Where                       | Effectiveness
       Privileged Account Management | Credentials overlap                     | SAM, LAPS, PAM solutions    | Mitigates all PtH scenarios
       Update Software               | KB2871997 patch existence               | Endpoint, WSUS, VM solutions | Mitigates local non-administrative accounts PtH
       User Account Control          | Domain user is admin on both computers  | GPO, AD                     | Mitigates domain user PtH
       User Account Management       | PtH UAC restrictions enabled            | Registry, GPO               | Mitigates local PtH except the built-in Administrator (RID 500)
     Great read: https://www.harmj0y.net/blog/redteaming/pass-the-hash-is-dead-long-live-localaccounttokenfilterpolicy/
  10. Defensive Gap Analysis Using ATT&CK Matrix
  11. Pros and Cons:
       Adversary Emulation - pros: the real thing; tests people & processes. Cons: business disruption; resource intensive.
       Data Analytics - pros: coverage; safety. Cons: misses detective controls; misses processes.
  12. Takeaways:
       - Adversary Emulation is essential but should be practiced cautiously
       - Data Analytics is better for assessing defensive coverage
       - Defensive Coverage can be assessed using ATT&CK mitigations
  13. Let's Talk! matanhart, @machosec, matan@cymptom.com
  14. Brandon Levene, Head of Applied Intelligence, Google
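As an added illustration (not part of the talk or of Cymptom's tooling), the following Python models the mitigation table of slide 9 and the path-count prioritization of slide 7: each host is described by a few facts a collector could gather without emulating anything, and the function reports which Pass-the-Hash scenarios none of the listed mitigations closes. The field names, the host inventory, and the rule that either KB2871997 or LocalAccountTokenFilterPolicy=0 closes non-built-in local admin PtH are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HostPosture:
    """Facts gathered non-intrusively from one endpoint (field names assumed)."""
    name: str
    kb2871997_installed: bool       # "Update Software" row
    local_token_filter_policy: int  # LocalAccountTokenFilterPolicy; 0 = UAC remote restrictions on
    laps_enabled: bool              # local Administrator password randomised (no credential overlap)
    domain_admins: frozenset        # domain accounts in this host's local Administrators group

def pth_open_scenarios(src, dst):
    """PtH scenarios from src to dst that none of the slide's mitigations closes."""
    open_paths = []
    # Domain-user PtH needs the same domain account admin on both computers.
    overlap = src.domain_admins & dst.domain_admins
    if overlap:
        open_paths.append("domain-user PtH via " + ", ".join(sorted(overlap)))
    # Local-account PtH needs a shared local admin password, i.e. LAPS
    # missing on either side of the path (Privileged Account Management row).
    if not (src.laps_enabled and dst.laps_enabled):
        # RID 500 is exempt from UAC remote restrictions, so only LAPS stops it.
        open_paths.append("local built-in Administrator (RID 500) PtH")
        # Other local admins are stopped by KB2871997 or by UAC restrictions
        # (LocalAccountTokenFilterPolicy = 0); assumed: either one suffices.
        if not dst.kb2871997_installed and dst.local_token_filter_policy == 1:
            open_paths.append("local non-built-in admin PtH")
    return open_paths

def rank_hosts(hosts):
    """Rank destinations by the number of open PtH paths leading into them."""
    counts = {h.name: 0 for h in hosts}
    for src in hosts:
        for dst in hosts:
            if src is not dst:
                counts[dst.name] += len(pth_open_scenarios(src, dst))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample inventory; WS02 is unpatched, unrestricted and without LAPS.
SAMPLE_HOSTS = [
    HostPosture("WS01", True, 0, True, frozenset({"CORP\\helpdesk"})),
    HostPosture("WS02", False, 1, False, frozenset({"CORP\\helpdesk"})),
    HostPosture("WS03", True, 0, False, frozenset()),
]

if __name__ == "__main__":
    for name, n in rank_hosts(SAMPLE_HOSTS):
        print(f"{name}: {n} open PtH path(s)")
```

The ranking puts the host with the most unmitigated inbound paths first, which is the remediation order the talk's prioritization slide argues for.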
