Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Intelligence Driven Testing with Atomic Red Team

Tony M Lambert
April 13, 2019
Technology
2
390

Intelligence Driven Testing with Atomic Red Team

Time is short, resources are spread thin, and you have the responsibility to ensure your security investments deliver on their promises. Intelligence-driven testing shows how you can prove your controls work against real-world adversary techniques by consuming information and about adversaries and adapting tests for use from the freely-available Atomic Red Team project.

Tony M Lambert

April 13, 2019
Tweet

More Decks by Tony M Lambert

See All by Tony M Lambert
The Wild World of macOS Installers
forensicitguy
0
33
Whitelisting LD_PRELOAD For Fun and No Profit
forensicitguy
0
360
Alertable Techniques for Linux using MITRE ATT&CK
forensicitguy
1
2.2k
Spotting Lateral Movement - BSides Augusta 2019
forensicitguy
1
930
Spotting Lateral Movement with Endpoint Data
forensicitguy
2
580

Other Decks in Technology

See All in Technology
小規模に始めるデータメッシュとデータガバナンスの実践
kimujun
3
600
ネット広告に未来はあるか?「3rd Party Cookie廃止とPrivacy Sandboxの効果検証の裏側」 / third-party-cookie-privacy
cyberagentdevelopers
PRO
1
140
【技術書典17】OpenFOAM(自宅で極める流体解析)2次元円柱まわりの流れ
kamakiri1225
0
220
Gradle: The Build System That Loves To Hate You
aurimas
2
150
カメラを用いた店内計測におけるオプトインの仕組みの実現 / ai-optin-camera
cyberagentdevelopers
PRO
1
120
「 SharePoint 難しい」ってよく聞くけど、そんなに言うなら8歳の息子に試してもらった
taichinakamura
1
640
Apple/Google/Amazonの決済システムの違いを踏まえた定期購読課金システムの構築 / abema-billing-system
cyberagentdevelopers
PRO
1
220
Autify Company Deck
autifyhq
1
39k
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
サイバーエージェントにおける生成AIのリスキリング施策の取り組み / cyber-ai-reskilling
cyberagentdevelopers
PRO
2
200
AWS CodePipelineでコンテナアプリをデプロイした際に、古いイメージを自動で削除する
smt7174
1
120

Featured

See All Featured
How To Stay Up To Date on Web Technology
chriscoyier
788
250k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
VelocityConf: Rendering Performance Case Studies
addyosmani
325
24k
How GitHub (no longer) Works
holman
311
140k
Practical Orchestrator
shlominoach
186
10k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
What's in a price? How to price your products and services
michaelherold
243
12k
Why Our Code Smells
bkeepers
PRO
334
57k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
41
2.1k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
32
1.8k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
Teambox: Starting and Learning
jrom
132
8.7k

Transcript

  1. Intelligence-Driven Testing With Atomic Red Team

  2. Detection & analysis at Red Canary Recovering sysadmin Loves to

    teach, hates to grade homework Tony Lambert Evil Finder Red Canary @ForensicITGuy $env:UserName

  3. IDEA Anyone can test their own security controls.

  4. ▪ Where are you in control testing? ▪ Problems in

    testing methodology ▪ A better way to test ▪ Atomic Red Team Overview

  5. ▪ Adversary Simulation ▪ Red Teams ▪ Penetration Testing ▪

    Blue Team Maintaining Controls Places in Testing

  6. ▪ Not everyone can afford simulations ▪ Some do compliance

    only ▪ Testing without money to test ▪ Do you improve between tests? Where Are You?

  7. LOLBINS & GTFOBINS Frustrating Tests Malware Zips Random Malicious Binary

  8. Behavioral controls need context for testing!

  9. ▪ Baseline current controls ◦ Simpler is better ▪ Construct

    a chain of adversary behavior ◦ Start with phishing ▪ Inspect your controls ▪ Improve coverage and configurations A Better Way

  10. Baseline Heatmap MITRE ATT&CK Navigator Excel Spreadsheet Start Small

  11. Make it real Start simple with phishing Chain of Behavior

    HTA Email Attachment (T1170) PowerShell to Download Something (T1086) Scheduled Task for Persistence (T1053)

  12. What worked or didn’t? Inspect Controls ▪ HTA Attachment ◦

    Email, AV, Endpoint Monitoring ▪ PowerShell Download ◦ Endpoint Logging ▪ Scheduled Task ◦ Hunts for persistence ◦ Windows Event Logs

  13. ▪ Coverage ◦ Artifacts or hosts ▪ Configuration ◦ Did

    you think you’d catch it? ◦ Opportunity to fix things Improve

  14. Atomic Red Team

  15. ▪ Articles with adversary techniques ◦ Cybereason, Unit 42, ESET

    ▪ Visit MITRE ATT&CK ▪ Pivot to Atomic Red Team Start With Intelligence

  16. OPTIONAL TAG

  17. ▪ Execution Framework ◦ There’s a wizard for that! ▪

    Chain Reactions ◦ Simulate a specific attack The Fancy Stuff

  18. Other Cool Projects Metta RTA Caldera “Security Instrumentation & Validation”

  19. Test and Improve with Atomic Red Team https:// atomicredteam.io https://www.redcanary.com/blog