DEF CON 30 – Adversary Village: Think Like an Attacker

Written by: Alex Martirosyan, OSCP, GPEN

I had the opportunity to attend as a speaker at Adversary Village – DEF CON 30 and wanted to reflect on my overall experience. For those who don’t know, the Adversary Village is a community-run space with the primary focus of understanding adversarial behaviors. DEF CON itself is a massive security conference with several thousand attendees, held annually in Vegas. Villages are subsections of the conference that provide a specific focus compared to the madness that is attached to a summer hacking-fest. Although the Adversary Village is still in its infancy, I highly encourage anyone interested in adversary tradecraft, MITRE ATT&CK®, purple teaming, TTPs, or anything in between to attend one of their events. You will find some of the brightest people in our field working to share their knowledge, all with the common goal of enhancing defensive postures by thinking like an adversary.

“If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

– Sun Tzu
The Art of War

It’s reasonable to assume that when we buy something, we’ll get what was advertised based on the description. Unfortunately, this is not always the case with cybersecurity solutions, which poses a unique problem in our industry.

What’s worse, malicious actors are actively testing defensive controls in the form of breaches before we do. If you have implemented the latest bleeding-edge tools such as EDRs, SIEMs, MDRs, etc., you should know the importance of continuously tuning them to ensure they are working as described. Performing atomic testing or creating an emulation plan is one way to get started. My talk was focused on how to create these test plans for cheap, planning for success by starting simple, and assessing the results effectively to incorporate them in any business. As an introduction, I want to first explore how our industry has shifted over the years.

Offensive security engagements have been slowly increasing in complexity and aiming to better recreate realistic scenarios. Consider how penetration tests have developed over the past decade – the security industry was initially running automated scans and exploiting all possible vulnerabilities. With the expansion of offensive tooling and focus on Active Directory-based attacks, testing has now shifted to allow businesses to fully understand a worst-case scenario. All offensive security tests aim to demonstrate impact to best identify gaps, and more importantly, help the “blue team.”

Unfortunately, although penetration tests are great point-in-time tests against a control environment, they do not enable security teams to prioritize their controls against realistic threats. However, with the advancement of offensive capabilities, we now have the ability to automate techniques with the primary goal of validating assumptions using a threat-informed approach. This can be facilitated internally or by a third party and, unlike a penetration test, has a specific objective of emulating a known and observed threat.

It is important to be specific – our goal here is to find procedures or adversarial actions known to have been deployed, and then emulate them. We can take this further and use audit principles and frameworks to help build continuous testing plans to effectively test defensive postures.

Security teams are often tasked with building a layered control environment through a defense-in-depth approach. Audit and compliance teams may even require these controls to align to a specific benchmark or framework. With MITRE ATT&CK becoming the latest hot buzzword in our industry, we need an actionable way to use this classification scheme internally.

My main takeaway from the Adversary Village, and the professionals I spoke to, is the idea that we must enable offensive security practitioners to think like an adversary. Providing more realistic tests and challenging both the red and blue team will leave us better prepared against threats in the wild.

DenSecure’s Alex Martirosyan receives the honorary “Knight of ATT&CK” distinction after his talk, Purple Teaming for Auditors and the Business, at DEF CON 30.
