Guests:
Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]
On LinkedIn | https://www.linkedin.com/in/coolestcatiknow/
On Twitter | https://twitter.com/coolestcatiknow
Kate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]
On LinkedIn | https://www.linkedin.com/in/kate-e-2b262695/
____________________________
Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin
Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli
____________________________
This Episode’s Sponsors
Island.io | https://itspm.ag/island-io-6b5ffd
____________________________
Episode Notes
In this new Chats on the Road to Black Hat USA 2023 episode on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and its focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK Evaluations, which aim to raise the standard of the industry and provide transparency.
The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.
The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do.
The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.
The hosts and guests also explore the power and responsibility that come with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.
About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations
Batman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.
Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.
First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.
Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.
To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.
Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa
____________________________
Resources
Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209
For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas
To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast