Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intelligence Driven Testing with Atomic Red Team

Tony M Lambert
April 13, 2019
Technology
2
390

Intelligence Driven Testing with Atomic Red Team

Time is short, resources are spread thin, and you have the responsibility to ensure your security investments deliver on their promises. Intelligence-driven testing shows how you can prove your controls work against real-world adversary techniques by consuming information and about adversaries and adapting tests for use from the freely-available Atomic Red Team project.

Tony M Lambert

April 13, 2019
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
33
Whitelisting LD_PRELOAD For Fun and No Profit
forensicitguy
0
370
Alertable Techniques for Linux using MITRE ATT&CK
forensicitguy
1
2.2k
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
930
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
580

Other Decks in Technology

See All in Technology
Shopifyアプリ開発における Shopifyの機能活用
sonatard
4
250
アプリエンジニアのためのGraphQL入門.pdf
spycwolf
0
100
Exadata Database Service on Dedicated Infrastructure(ExaDB-D) UI スクリーン・キャプチャ集
oracle4engineer
PRO
2
3.2k
OCI 運用監視サービス 概要
oracle4engineer
PRO
0
4.8k
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
6
660
100 名超が参加した日経グループ横断の競技型 AWS 学習イベント「Nikkei Group AWS GameDay」の紹介/mediajaws202411
nikkei_engineer_recruiting
1
170
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
230
なぜ今 AI Agent なのか _近藤憲児
kenjikondobai
4
1.4k
Platform Engineering for Software Developers and Architects
syntasso
1
520
【令和最新版】AWS Direct Connectと愉快なGWたちのおさらい
minorun365
PRO
5
760
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.2k

Featured

See All Featured
Code Review Best Practice
trishagee
64
17k
What's in a price? How to price your products and services
michaelherold
243
12k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
Six Lessons from altMBA
skipperchong
27
3.5k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
250
21k
Building Better People: How to give real-time feedback that sticks.
wjessup
364
19k
Building Applications with DynamoDB
mza
90
6.1k
4 Signs Your Business is Dying
shpigford
180
21k
Measuring & Analyzing Core Web Vitals
bluesmoon
4
130
The World Runs on Bad Software
bkeepers
PRO
65
11k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k

Transcript

  1. Intelligence-Driven Testing With Atomic Red Team

  2. Detection & analysis at Red Canary Recovering sysadmin Loves to

    teach, hates to grade homework Tony Lambert Evil Finder Red Canary @ForensicITGuy $env:UserName

  3. IDEA Anyone can test their own security controls.

  4. ▪ Where are you in control testing? ▪ Problems in

    testing methodology ▪ A better way to test ▪ Atomic Red Team Overview

  5. ▪ Adversary Simulation ▪ Red Teams ▪ Penetration Testing ▪

    Blue Team Maintaining Controls Places in Testing

  6. ▪ Not everyone can afford simulations ▪ Some do compliance

    only ▪ Testing without money to test ▪ Do you improve between tests? Where Are You?

  7. LOLBINS & GTFOBINS Frustrating Tests Malware Zips Random Malicious Binary

  8. Behavioral controls need context for testing!

  9. ▪ Baseline current controls ◦ Simpler is better ▪ Construct

    a chain of adversary behavior ◦ Start with phishing ▪ Inspect your controls ▪ Improve coverage and configurations A Better Way

  10. Baseline Heatmap MITRE ATT&CK Navigator Excel Spreadsheet Start Small

  11. Make it real Start simple with phishing Chain of Behavior

    HTA Email Attachment (T1170) PowerShell to Download Something (T1086) Scheduled Task for Persistence (T1053)

  12. What worked or didn’t? Inspect Controls ▪ HTA Attachment ◦

    Email, AV, Endpoint Monitoring ▪ PowerShell Download ◦ Endpoint Logging ▪ Scheduled Task ◦ Hunts for persistence ◦ Windows Event Logs

  13. ▪ Coverage ◦ Artifacts or hosts ▪ Configuration ◦ Did

    you think you’d catch it? ◦ Opportunity to fix things Improve

  14. Atomic Red Team

  15. ▪ Articles with adversary techniques ◦ Cybereason, Unit 42, ESET

    ▪ Visit MITRE ATT&CK ▪ Pivot to Atomic Red Team Start With Intelligence

  16. OPTIONAL TAG

  17. ▪ Execution Framework ◦ There’s a wizard for that! ▪

    Chain Reactions ◦ Simulate a specific attack The Fancy Stuff

  18. Other Cool Projects Metta RTA Caldera “Security Instrumentation & Validation”

  19. Test and Improve with Atomic Red Team https:// atomicredteam.io https://www.redcanary.com/blog