
Threat Actor Simulation: Be the bad you are likely to see in the world

BSides Albuquerque · 27:09 · Published 2024-08
About this talk
Jason Rowland explores threat actor simulation and adversary emulation as a framework for security assessment. Rather than traditional penetration testing disconnected from real-world threat behaviors, this talk advocates mapping actual adversary tactics and techniques (TTPs) to validate defensive controls across the full attack chain—from initial access through post-exploitation and lateral movement. Rowland shares methodology for defining emulation objectives, conducting TTP research using threat intelligence, and aligning defensive priorities to business risk.
Transcript [en]

Jason Rowland is a cyber executive with over 20 years of experience leading the delivery of security programs and defense strategies, operational capabilities and assessments as VP, Penetration Testing at [inaudible]. Jason is focused on providing cyber solutions that support the success of his clients and participating in initiatives to strengthen our community. Please welcome

Jason. Thank you, everybody. Here, okay,

is it on? I mean, I'm super loud, I probably don't need the mic. All right, awesome. Well, as mentioned, my name is Jason Rowland, and man, I'm really glad to be out here. It's probably been 10 years since I was out here. I live in Phoenix, Arizona, and if you're thinking that doesn't sound like a Phoenix, Arizona accent, that's because I am from Arkansas originally, but now... And I want to just talk a little bit about threat-informed defense today. I don't know if this is something that you guys are familiar with, but I will tell you that I stumbled upon it probably about two years

ago, and I was helping someone that wanted to get into cybersecurity, and I said, you know, you're starting in cybersecurity, I think you should start in a SOC. And then their response was, can you help me figure out how to do SOC analyst work? And that sent me down a path of turning up Elastic. I started in a SOC, but I haven't done it in years. Turning up Elastic and looking for, you know, starting to map TTPs and build analytics so that I can kind of give this person a little bit of a leg up in their career, and I stumbled onto threat-informed defense, which is a

project run out of the MITRE Engenuity Center. Some of the biggest security shops in America are associated with this thing; they are the founding members, and that includes folks like [inaudible] America, JPMorgan Chase, HCA, which is the biggest healthcare provider in America. So, you know, these massive companies with these massive security budgets have said the traditional way of running security isn't meeting all of our needs and we need to really look at [inaudible], and this is what they came up with. And my experience, just so you know, comes from a background: I've been a network security engineer, I've done architecture work, started in a SOC,

and then for the last five years I've led pentest teams, red teams and cloud security engineers. And the other aspect that I noticed is there's so much pentesting going on in the marketplace today, and please let me be clear, I'm a fan, you know what I mean? Like, it's good stuff and we should continue to do it. But there is so much penetration testing and red teaming that's going on today that is disconnected from the tactics and techniques that are used by adversaries to compromise an environment, and it's something we need to start paying closer attention to. You know, like I said,

and by the way, I'm going to go through this at a normal clip. I've got a webinar that I will get the link to the organizers; if you're interested in the methodology that we're going to be talking about, you can get the long version. And I'll also provide my contact information. If you ever want to talk about this I'd love to hear from you, and if you think I'm wrong about anything I'd definitely love to hear from you, because you might help, you know, save me from talking to people about information. Because a lot of this that you'll hear is their methodology, some of it is my opinion, and I'll try to be

clear about which is which. Like I said, for the last 5 years I've led organizations from, you know, 50 to 200 pentesters, and I love this community, man, it's great. It's why I'm in Albuquerque this weekend. And if you're not involved in the community out here but you are a security practitioner, if your experience is like mine, I would say that every minute that you spend on this community you will get paid 10 in just opportunities and direct relationships. So, you know, we have what I call the cyber song, and the cyber song is: we don't have enough people, we don't have enough money, our [inaudible] is too noisy,

the adversary is too advanced, we've got too much going on, we can't do it right. And I think that that is backed up by the statistic that if you're an organization that runs a security operations center, that security operations center is the fourth most likely person to tell you that a breach has occurred on your network. Fourth. First is the criminal themselves, because they're asking you for money. The second is normally, you know, card brands and folks that are real good at monitoring fraud. The third would be law enforcement, and then fourth is the investment that you've made in

security operations, and I think that might indicate that there's some adjustments that we need to make. And I think this could be a part of the problem. This is a stat I ran across from a [inaudible] survey. It basically says that, based on a survey of cybersecurity decision makers, the vast majority of their investment decisions are made without understanding of the adversary, and specifically the TTPs that are going to be used by the adversaries closely aligned to their organization. I mean, that seems to me like that's crazy. Like, what are we basing it on, you know what I mean? What are we basing our investment

decisions on, if we're not basing it on stopping bad? I was raised in the SOC, and I know we all do a lot of different kinds of jobs in cyber, but I was taught that our job is to stop bad. That's kind of the metric we should be better at, and if we don't understand how they work, how can we possibly know if we're investing in the right tools and processes and people, etc.? And one more thing I'll say on that is, not only how do we know if we're investing in the right people, process and technology, but when we're in a position, which many of us are in now, where we can't do everything, how do we know what

we should do? How do we know how we should use the resources that we do have? Because maybe our issue isn't that we're so short on people, and this is my opinion, maybe the people that we do have, we just have been focused on not the most important things. And I think that is a problem. And, you know, compliance has been great for security. Compliance has moved security forward in a big way; they've really driven a lot of change in our posture. But maybe not everything that's a part of compliance regulation... maybe we need to be having conversations with regulators and conversations with people and say, listen, I've only got this amount

of people, and I can either go and do these things or I can go and stop bad. I can invest those people resources and stop bad. And I don't think it's an overnight fix, but I do think we are the cyber community and we should be the ones that are having those conversations. Right, so what threat-informed defense says is: we're basically going to take a deep understanding of the adversaries and we are going to use our understanding of their methods as a way of prioritizing where we invest and what cyber activities we undertake. It's kind of that simple. It's funny, I explained this to my wife, she's not in cyber and

couldn't care less about really this whole thing. I said this is what these guys are talking about, and she literally looked at me and she goes, you guys don't already do that? I mean, I think it's pretty on point, because you would have thought this would be what we were wholly focused on, but as all the people in this room know, that's not the case. So there's essentially three pillars to threat-informed defense. There is cyber threat intelligence, and that is: how do we get really good at taking finished and raw threat intelligence and turning that into actionable defense adjustments, defense improvements? How do we take that and turn it into analytics that will tell us

when threat actors are in our environment? And then how do we also take that information and emulate those threat actors to validate that we can defend and detect those TTPs? Right, and that's what we're going to be talking about today, adversary emulation, because that's the part that I have the most experience with. But I can't encourage you strongly enough: go check these guys out. They've published a ton of tools and they're all free, they're all freely available. And I would also encourage anyone, if you're in your shop that is under-resourced and you guys are talking about what you should do, challenge the

status quo, man, challenge it. Because when I first got in this industry, when someone gave me a new piece of technology, all I could think about was, man, I'm going to get smarter and I want to build my resume and I'll be in high demand. And I will say that that is a shortsighted point, because I had forgotten that my job was not to be smarter and not to have all this high technology; my job was to stop bad. So I think inject this into the conversations that you're having about how you spend your money in your organizations. Yeah, and also, all these are just free tools, like Caldera. It's the best tool, it's free, anybody can go

download it, use it. They've got cloud analytics, there's pre-built analytics, if you're not familiar with Sigma. Like, all this stuff is just waiting on you to come and be able to explain to your business how it's applicable and how you need to go about implementing it and maturing it. It's all there waiting for you. A lot of great work. And then I'm sure everybody's familiar with ATT&CK. This is another MITRE project, it's about 10 years old. A lot of the concepts that we'll be talking about are based on ATT&CK. I don't think that ATT&CK has the best threat intel in it, but what it does have is, if you

understand the attack flow of an adversary, from the time they begin doing reconnaissance all the way through taking data, you can map your attack flow and understand exactly what they do along the way, and ATT&CK will give you mitigations, detections that you can implement in your environment to validate, or to make sure, that you're able to defend against those techniques. We talked a lot, I heard a couple talks yesterday, we talked a lot about phishing. I would tell you that the number one thing that you can do to improve your phishing program is to understand the next step that an adversary takes after a successful phish

and stop that. Because I haven't heard of anybody that I believe does 100% on the phishing campaigns, right? So you need to understand what happens next. If that's [inaudible], well then you need to make sure you have a control for that. You have EDR; I haven't seen any recent stories that there are any failures, but those might not always be 100%, and you need to know what the next step is after that. Like this single [inaudible] defense, where we think we can really shore up one part of our environment. And EDR has been revolutionary, don't get me wrong, it's awesome, but the truth of the matter is most of the people that I see

get breached today, you know, they just didn't have it on everything, or they didn't have it configured right, or nobody was watching when they should, right? So understanding this attack path and making sure that you can account for each of the techniques along the way is, I believe, the best time that you can spend. And again, you'll find gaps. And the other thing is that we really have to become business experts too, because it's not just about knowing what techniques, how to defend against techniques; you need to know what adversaries have the means and motivation to come after your organization's assets, and that

means that we need to be up to speed with business operations and what assets we have, and we need to be able to map that to the adversaries. Because what we can't do is look at the newspapers and say, oh, that's how they did this one. You know, like when MGM happened, I can tell you I was taking five calls a day about, hey, can you come see if you can get a password from our help desk? And I'm like, yeah, I can do that, but let's be thoughtful about it. Let's see if that is your most critical initial access vector,

because what I'd really like to do is help you figure out a way to determine that on an ongoing basis and test that, and let's not respond to news. So, you know, having that understanding of where your business meets the adversary is... is this right, already 20 minutes? Okay. How many... okay. So we're going to talk about the assessment leg of threat-informed defense today, and specifically adversary emulation. I'm going to give the framework that we use with our customers when we do these adversary emulation engagements. Some of it is slightly different than what MITRE put out. Make it your own; feel free to go and look at what they've got,

and they've even got adversary emulation plans for folks like FIN6, FIN11, so you can actually go step by step and conduct that. So why do we need adversary emulation? I mean, we've already got so many testing services out in the industry, and they're all designed... since the dawn of networks we've asked ourselves: are our people trained? Like, will they see something bad happen? Are our processes effective? And do we have the right technology and is it configured correctly? And these questions have been so pervasive that they have literally spawned an entire industry that I've been a part of for most of my

career, delivering these services to try to help answer those questions. And all of these services are valuable, and they have a place, but to be clear, none of these necessarily align to the activities that are taken by a threat actor when they are perpetrating a breach on your environment. Vulnerability assessment, I mean, we all know it gives you a very broad view and it's important; there's 20,000 of those, you know, 20,000 that come out each year, and I can go on for an hour about [inaudible]. It's valuable, but like, we've got to get a little bit more focused on what we're fixing and what we're not going to fix. But it again does not

replicate, you know, a threat actor. Pentesting: phenomenal service, you should do it because it validates your primary controls, but it's almost wholly focused on initial access vectors and it does not cover post-exploitation activities at all. And the reason that's a problem is because more and more what we're seeing is that when a threat actor goes to pivot in an environment, that's the first time that they're getting on a box that you even know exists in your environment, because a lot of times they get initial access on shadow IT that you don't know anything about. So being able to understand what happens at lateral movement is of critical importance, and you're probably not going

to get that out of your average pentest. And then red teaming. Red teaming is great; my only issue with red teaming is I think too much of it has to do with the tester's bag of tricks and has little to do with what a customer might actually see. So I would encourage anybody in here that does hire someone to do a red team to ask them how they model the threats and how they determine the TTPs that they're going to use in your environment. And if there's not some sort of threat intelligence baked into that, and some industry-specific threat intelligence, then I say you should probably move on, because they'll probably be able to get

in, but they may execute TTPs that you're likely to never see in real life, which makes it, in my opinion, not 100% valid. So all these reasons are why we needed another service, and that service is adversary simulation. And it basically says we're going to test in line and exactly as known or likely threats would get into your environment. So we're going to test the initial access vectors that are most likely to be seen by your operations team, we're going to test post-exploitation, we're going to go by the book, and I'll show you how we do that. Primary characteristics: based on real-world threats, it's behavior focused. So, you know, we're focusing at the

top of the Pyramid of Pain. If you don't know the Pyramid of Pain, I encourage you to go check it out, but we're operating at the top of the Pyramid of Pain. And secondary characteristics: it's transparent and it's collaborative. There's no secrets. When I come in to do an adversary emulation engagement, you, and if it's collaborative, which I recommend, your blue team, are going to know exactly what we're going to do. And the reason that I want you to know exactly what we're going to do is because that gives you an opportunity to look at the research that we've put together and gives you the why, and it also prepares your blue team to

determine if they have the data sources, the analytics and the controls to defend and detect our activity. Does that make sense? Any questions so far? All right. So this is the framework that I kind of adjusted from the folks over at the Center for Threat-Informed Defense, and I won't spend too much time here, but I'm going to go through each step and kind of tell you how we do it at a very high level. The first part is defining objectives, and again, this can be many things. This can be: we have a large store of financial data

and we know that we're a target for FIN11 based on [inaudible], so we want to do an entire emulation of how FIN11 operates throughout the attack chain. That's one option for conducting this. Another option that is just as good, in my opinion, is: hey, we feel like we're a little weak on lateral movement and we don't know that we can see lateral movement, so we want you to take the critical lateral movement techniques that might be used in our environment and we want you to run those. Right, run those. So either one of those: you can do micro emulations, you can do full threat actor emulations. There's no wrong

way to do it, as long as it's aligned to your business and your [inaudible]. So once you define your objectives, then the next thing that we're going to do is a little bit of TTP research. And I will say that there are some areas here where resource limitations could come into play. A lot of this stuff I think any shop could get good at conducting; in some instances TTPs will be custom development, there might be things that need to be done that are beyond your capabilities and you might need some outside help. But after you've kind of looked at your objectives, going with the TTPs, I mean,

this threat intel is so pervasive these days. You know, if you don't have the DFIR Report, if you're not plugged into CISA, if you're not looking at the, on average, three threat intel platforms that most companies have, like, go figure that out, because it will help you tremendously in your decision-making process. And, you know, understand the threat landscape, understand how it relates to your business, and this exercise should not be arbitrary. This is the value; everything that we're going to do in a threat-informed defense really hinges on your ability to understand what is most likely to come at and impact you. And I think in our industry we do a whole

lot of planning for what could happen, and I think that's good, but I think sometimes we do that at the cost of planning for what's probably going to happen, and I think this threat intel can really provide that. And then do internal research. Like, maybe you had a breach before; well, there's a pretty good chance that they might come back. If you've got a threat intel team, get plugged into them. And then just ask, you know, ask your teams, business, IT, everyone, like, what are we concerned about? These are all good ways to start collecting information so that you can

hone in on the right intel and select the right threats. And then, like I said, external research. Tidal Cyber, they've got a Community Edition. I highly advise everybody go check it out. It's basically the ATT&CK framework but it is in a much more manageable form, at least for me; I'm easily distracted by details and they really simplify things, so go check that out. Look at CTI articles, industry reports; IBM's a good one, IBM Threat Index, great report. Verizon DBIR is a great report. It's information overload. And one of the tools actually that they have on the MITRE Engenuity GitHub is a calculator where you can go and put in... you can

download it, so it's not a SaaS thing. You can go and put in specific attributes about your environment and they'll do some calculations and they'll tell you the most likely TTPs at each phase of the attack. So there's unlimited resources and tools for you to be able to prioritize your evidence. And then when you complete your research you should be down to a short list of threats that you want to emulate, and you should be able to clearly communicate their relevance to the non-technical people in your environment: these are the threats, this is why they're important to us. Like, that's our job, that's our job

to educate the business. Like, you need to be able to have that level of conversation and you need to be confident in your ability to kind of separate the wheat from the chaff. And then selection criteria: like I said, relevance, obviously, number one with a bullet. Available CTI, you'll see in a minute; like, once we determine what those threats are, we're going to have to go collect cyber threat intelligence and understand, piece together, exactly how they operate. TTP complexity: there may be some things that you're not able to do easily, and there's workarounds, or maybe a third party can help with those. And then available resources. Again, we don't have unlimited resources,

so it may not make sense for us to go spend two weeks developing a custom exploit so that we can implement it in our environment. We've got to be pragmatic. The next thing that we do is simulation planning. I'm going to kind of run through this quick. Planning is important. Like, what I'm suggesting that you do is to go and do bad things on your network, right? So it should not be done on a whim, and it should not... I know everybody's boss loves them, I'm sure, but like, you need to make sure that you put the right thought into a plan to do this, because things

can go sideways. Even if it's an internal assessment, in my opinion you need objectives defined, and that's written down on a piece of paper, not in your head. Scope, schedule, you need rules of engagement, you need to get the proper permission, and you need to have a communications plan. And again, all the normal stuff, I won't even go into this. Like, if something's super fragile, maybe... How much time do I have? Five minutes? Okay. So in your rules of engagement, what I recommend that you do is you should be able to talk about the TTPs that you're going to test at

the highest level, starting with probably a threat overview, an overview of the threat that you're going to emulate. Next level down, you should go and put it into the ATT&CK framework so that you can walk someone through the attack chain. Then permission, communication plan. And then once you have it in ATT&CK, the next thing that you should do is you should take those TTPs, you should break them down, you should give a description, and then you should be able to cite the intel that you used to go and determine how to execute those TTPs. Like, this should be a part of your process. If we're doing

this, this is one of the things that we deliver to customers, because again, we want you to know that this stuff is the true simulation and not just us showing a magic trick. And then at the lowest level, and this is a simple example, at the lowest level you should have TTP procedures, and that means you basically will be able to explain step by step how you're actually going to execute your TTPs. I'm out of time. I've got reporting still left on here. I will make sure that they get a link to my webinar if you are interested in learning more, and I'll also make sure to include my contact information. Please reach out, and I love

having these conversations. I'm not going to sell you anything, I just love to hear about how you think this might be applicable in your environment, and answer any questions [inaudible] over the last few years since I've been doing this. So, appreciate your time. [Applause]
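The plan structure the talk describes (threat overview, ATT&CK mapping, per-TTP description with cited intel and step-by-step procedure), the blue-team check for data sources and analytics, and the four selection criteria (relevance, available CTI, TTP complexity, resources), worked as an added example in Python. This is not the speaker's or MITRE's code; the plan, blue-team coverage and candidate scores are constructed, and only the ATT&CK technique IDs are real.

```python
"""Emulation-plan completeness and detection-coverage checks (added example).

All plan content, blue-team coverage and candidate scores below are
constructed for illustration; the technique IDs are ATT&CK IDs.
"""
import re
from dataclasses import dataclass, field

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # e.g. T1566 or T1566.001


@dataclass
class TTP:
    technique_id: str                                   # ATT&CK technique ID
    tactic: str                                         # ATT&CK tactic name
    description: str
    intel_sources: list = field(default_factory=list)   # CTI cited for this TTP
    procedure: list = field(default_factory=list)       # step-by-step actions
    data_sources: list = field(default_factory=list)    # what defenders must log


@dataclass
class EmulationPlan:
    threat_overview: str      # who is emulated and why it matters to the business
    objective: str
    ttps: list


def validate_plan(plan):
    """Return readable issues; an empty list means every TTP is fully specified."""
    issues = []
    if not plan.threat_overview.strip():
        issues.append("plan: missing threat overview")
    for t in plan.ttps:
        if not TECHNIQUE_ID.match(t.technique_id):
            issues.append(f"{t.technique_id}: not an ATT&CK technique ID")
        if not t.intel_sources:
            issues.append(f"{t.technique_id}: no cited intel")
        if not t.procedure:
            issues.append(f"{t.technique_id}: no procedure steps")
    return issues


def coverage_gaps(plan, blue_data_sources, blue_analytics):
    """Per TTP, list data sources the blue team lacks and whether no analytic exists."""
    gaps = {}
    for t in plan.ttps:
        missing = [ds for ds in t.data_sources if ds not in blue_data_sources]
        if not blue_analytics.get(t.technique_id):
            missing.append("analytic")
        if missing:
            gaps[t.technique_id] = missing
    return gaps


def rank_threats(candidates, weights=(0.4, 0.3, 0.15, 0.15)):
    """Score (name, relevance, cti, complexity, resources) tuples, each in 0..1.

    Complexity is inverted: harder-to-emulate TTPs score lower, per the talk's
    'be pragmatic' criterion. Returns (score, name) sorted best first.
    """
    w_rel, w_cti, w_cx, w_res = weights
    scored = [(round(w_rel * rel + w_cti * cti + w_cx * (1 - cx) + w_res * res, 3), name)
              for name, rel, cti, cx, res in candidates]
    return sorted(scored, reverse=True)


# Constructed sample plan: one micro-emulation across four tactics.
SAMPLE_PLAN = EmulationPlan(
    threat_overview="Constructed: financially motivated group targeting payment data",
    objective="Validate detection from initial access through lateral movement",
    ttps=[
        TTP("T1566.001", "Initial Access", "Spearphishing attachment",
            ["constructed CTI report #1"],
            ["deliver agreed benign lure to the in-scope test mailbox"],
            ["Application Log: Application Log Content"]),
        TTP("T1059.001", "Execution", "PowerShell",
            ["constructed CTI report #1"],
            ["run the agreed benign script on the test host"],
            ["Process: Process Creation", "Script: Script Execution"]),
        TTP("T1021.001", "Lateral Movement", "Remote Desktop Protocol",
            [],                                   # no citation: flagged
            ["authenticate from the test host to the in-scope target"],
            ["Logon Session: Logon Session Creation"]),
        TTP("T1078", "Persistence", "Valid Accounts",
            ["constructed CTI report #2"],
            [],                                   # no procedure: flagged
            ["User Account: User Account Authentication"]),
    ],
)
# Constructed blue-team inventory: logged data sources and analytics per technique.
BLUE_DATA_SOURCES = {"Process: Process Creation", "Script: Script Execution",
                     "Logon Session: Logon Session Creation"}
BLUE_ANALYTICS = {"T1059.001": ["constructed Sigma rule: suspicious PowerShell"]}
# Constructed candidates: (name, relevance, available CTI, complexity, resources).
CANDIDATES = [("FIN-style group", 0.9, 0.8, 0.6, 0.7),
              ("Opportunistic ransomware", 0.7, 0.9, 0.3, 0.9),
              ("Nation-state, no industry link", 0.3, 0.5, 0.9, 0.4)]

if __name__ == "__main__":
    print("issues:", validate_plan(SAMPLE_PLAN))
    print("gaps:", coverage_gaps(SAMPLE_PLAN, BLUE_DATA_SOURCES, BLUE_ANALYTICS))
    print("ranking:", rank_threats(CANDIDATES))
```

The gap report is what the collaborative pre-brief in the talk produces: each TTP the blue team cannot log or has no analytic for is known before the emulation runs, so the engagement tests detection rather than surprising the SOC.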