08.07 Attack Emulation
I'm good being bad so you can be good, not bad
Attack emulation is a proactive approach to cybersecurity, simulating real-world attacks to identify vulnerabilities and assess defenses. In this lecture, we will explore the methodologies behind attack emulation, its benefits, and how it differs from traditional penetration testing.
Lesson Summary
Attack emulation is a proactive approach to cybersecurity, involving simulating real-world cyber attacks in a controlled environment to identify vulnerabilities and assess defenses. It aims to understand how adversaries might exploit system vulnerabilities and test the effectiveness of security controls.
The primary goal of attack emulation is to validate and identify weaknesses in security controls and incident response procedures. It helps ensure that protection and detection controls are effective and that staff is prepared to respond to security incidents. Attack emulation can involve using tactics, techniques, and procedures known by real-world attackers, and it may mimic a complete attack lifecycle.
Tools like Atomic Red Team can be used for attack emulation, providing predefined tests for different techniques used by threat actors. However, it is crucial to exercise caution when running these tests, as they can potentially cause harm if not done properly.
Red Siege is recommended as a company that offers offensive security services, including red team and penetration testing, to help organizations improve their defenses.
It is important to understand and follow ethical considerations when conducting attack emulation. These techniques should only be used responsibly and with proper authorization.
More advanced solutions, such as continuous threat exposure management platforms, are available for comprehensive testing. These platforms provide visibility and metrics on security posture and resiliency capabilities.
In summary, attack emulation is a crucial aspect of cybersecurity that involves simulating real-world cyber attacks to identify vulnerabilities and assess defenses. It helps validate security controls and incident response procedures, ensuring effective protection and detection. Proper caution and ethical considerations are essential when conducting attack emulation, and companies like Red Siege offer offensive security services to assist organizations in improving their defenses.
Transcription
00:00:03:01 - 00:00:24:12
Hey there, friend. Welcome back. This is the attack emulation lecture, and we're going to be going through what attack emulation is. What is the benefit of attack emulation and what does it look like in practice? And there are different levels of maturity for attack emulation. So that's pretty cool. By the end of this lecture, you'll understand all of that.
00:00:24:12 - 00:00:51:05
So let's define it right. What attack emulation in cybersecurity basically refers to the practice of mimicking in real world cyber attacks in a controlled environment, really to assess the security posture and the resilience of, you know, either a system, a network, an organization against actual threats. Right. So we have a lot of intelligence on what threat actors do, how they behave.
00:00:51:08 - 00:01:23:19
We've talked about minor attack in the course before. All of that information is valuable and we'd be foolish not to learn from our history and past mistakes. So that's what attack emulation is. And it differs from traditional security testing in its approach. And its objectives. Right. See, the primary goal of attack emulation is really to understand how an adversary might exploit vulnerabilities in a system to test the effectiveness of the security controls and the incident response procedure.
00:01:23:19 - 00:01:47:00
Right. It's one thing to go through a organization and say, okay, check it out. We're going to align to missed cybersecurity framework or CIA or whatever. We are going to have, you know, 12 character passwords and everybody has to patch their computer. And we're going to do ETR agents on everyone's computer, right? Like MDM on all the phones, Email security, gateway.
00:01:47:00 - 00:02:10:17
Right. Some of the technologies we've already talked about in this module and we're good to go, right? Like, well, we don't know if all of those controls are good enough because we haven't really tested them, right? You don't want to find out that your fire extinguisher doesn't work when there's a fire, right? No. You want to make sure that fire extinguisher works beforehand.
00:02:10:17 - 00:02:37:17
That way, if there ever is a fire, you know for a fact, you're going to be able to take it out. Right. And active testing will validate your controls and more importantly, identify weaknesses in your controls. Like, for example, let's say you're supposed to stop some type of attack. You've got all the controls in place and the attack, you execute it through attack emulation and it successfully gets through.
00:02:37:17 - 00:02:58:27
You don't even see it. well, that's not good. We've got to fix that. Now, let's look at our tools and say not only did it get through, but we didn't detect it. We didn't know it happened. So now you got to put in protection controls to stop it from happening, but also evaluate your detection controls. And by the way, once you get your detection, controls stood up.
00:02:58:29 - 00:03:24:01
So let you run the test again. You still don't stop it from happening, but you see it happening. Well, now, you would need to respond to that incident. Does the staff that you have know how to respond and handle that issue? For example, a simple one. Let's say your data gets deleted, okay? And you have backups. Does somebody at the business know how to restore backup?
00:03:24:03 - 00:03:48:26
Maybe there's a documented anywhere, maybe. Have you actually tried to restore backup? Do you know that it will work? I don't know. These are the reasons that you do attack emulation. And, you know, basically work through what it would look like if you actually had a real attack. And that's that's really the value. And I hope you take away from this lecture that attack emulation is incredibly valuable.
00:03:48:29 - 00:04:19:26
Now, the methodology of attack emulation is also interesting. It uses tactics, techniques, procedures, which are known as TTPs, that are known by real world attackers, including advanced persistent threats. Right. And it can involve a series of steps that would actually mimic a complete attack lifecycle. So it's not just one atomic, you know, instance thing. You could chain them together like, you're going to get, you know, initial access and then dumb credentials and then laterally move, right?
00:04:20:01 - 00:04:43:03
There's all sorts of things that and this is what you would need to test. But if you don't have attack emulation, you're not going to chain them together. You're almost kind of trans actually testing individual things. And that's really the value. Now, there are a couple different ways to do it. One is a vulnerability scan, right? So you can, you know, kind of test.
00:04:43:03 - 00:05:06:29
I write vulnerability scan, but it's more like, you know, an attack scan using technology. And I'm going to show you a tool here called Atomic Red Team in a second that does this style of attack, you know, kind of point and click and shoot. Then the more advanced scenario are real world attacks by real professionals. And this is called red teaming or penetration testing.
00:05:06:29 - 00:05:34:19
But when you're actually mimicking specific threat actors, that is the activity of red teaming. And I'll show you a company that does that and explain that a little bit more and I'll talk about the pros and cons of like each of these techniques. I do want to point out that the benefit of doing either of these is not just to make sure that your protection controls work and to make sure that you're able to detect certain things and to make sure that you can respond.
00:05:34:26 - 00:06:05:18
But it really is an opportunity to get visibility and have real metrics on how your security posture is and your resiliency capabilities of that. Furthermore, when you get a little bit more advanced as far as a cybersecurity program goes, you can start mimicking specific threat actors. And I'll give you an example to kind of illustrate the point. Let's say you work in finance, right, like your your bank Chase Bank or Capital One or whatever.
00:06:05:21 - 00:06:42:20
Well, you probably invest a lot into security. But at the same time, Lazarus Group, the North Korean financially motivated cybercriminal, advanced persistent threat. They target banks, they target crypto exchanges. So if you are protecting one of those organizations, it would behoove you to run attack communications using the tips of Lazarus Group to see how you would stack up against an attack specifically against them, because chances are more likely somebody like them would attack you than someone else.
00:06:42:20 - 00:07:19:15
Again, that is for more mature, optimized security programs. If you're kind of, you know, ad hoc or just building a program, you don't want to do that specific. You really want to get the fundamentals knocked out. Now, a couple of different ones I mentioned are red canaries, atomic red team. This is a free, open source, viable solution that can be done manually and you don't really need to know how to use it or excuse me, you don't need to be a penetration tester, an atomic or a red team in order to use this.
00:07:19:15 - 00:07:52:19
And let me show you really quickly. I'll drop links in the additional digging section, but this is Atomic Red team right here in their GitHub repo. And you can see it's really, really well defined. It's very mature. And right here you can see that they've built their atomic red team against minor attack. Now, really quick, just to remind everybody, minor attack is this it's provided by miter, but it's basically a public service that provides all of the information that we have currently on different threat actors and their behaviors.
00:07:52:19 - 00:08:14:12
And you can see here, this is called the Enterprise Matrix, and it's mapped to kind of the different phases or techniques, if you will, for cyber kill chain. Right? We got execution, initial access. They're all here and they're all explained. And different threat actors have different one maps to them. I've already talked about minor attack in the course.
00:08:14:12 - 00:08:53:09
I'm not going to go too deep in this, but just to use an example, under the credential access technique, there is a tactic called credential dumping like operating system credential dumping, right, Right here. Okay. So maybe that's something that you're interested in. What's going on here. Okay. So digging into it, you can see it is known as technique 1003.
00:08:53:15 - 00:09:22:29
And then specifically, there is no SAS memory dumping, which is one way to do it. There's security account manager, credential dumping and TD's. Excuse me, there are different ways to achieve OS credential dumping. And so now we've chosen one technique and multiple areas. So getting back to Atomic Red team, you can see atomic Red team has broken it down for all these.
00:09:22:29 - 00:09:48:26
And you can see over here on the side they have them for all the techniques, right? And within this right here are this GitHub repo. You can see it's explaining what it is. And then here are the atomic tests. So you can literally install atomic red team on a workstation and then use it to exploit and attack a typical machine in your environment.
00:09:48:26 - 00:10:11:19
Right. Like you make up, you're in a lab and you have like, this is a common endpoint in our environment. Or maybe you're evaluating between two products and you want to know, is this one more secure than this one? So you can run atomic red team against that and you can see right here, these are five different tests that test that else's dumping.
00:10:11:22 - 00:10:35:01
So basically, when you run this test through atomic red team on a Windows machine, it will attempt to dump the Alsace memory using these different techniques, which is a way to get credentials. This is exactly what threat actors do once they get on a machine and they take it over, one of the first things they're going to do is try to dump credentials.
00:10:35:01 - 00:10:55:26
Commonly, these are the techniques. So by running these tests, you will be able to see whether or not in here I've clicked into it to see what this first one is. Atomic test one. And again, I know this is an entry level class, so I'm not trying to overwhelm you with PowerShell and code and stuff like that. The Atomic Red team handles all of this.
00:10:55:26 - 00:11:13:14
This is basically just telling you what that command is going to do. But Atomic Red team, you're just going to run it and be done. And then the best part is once you've run it and you're done, that's where you can see, was I able to successfully dump Elsa like Elsa's memory was able to do it, yes or no?
00:11:13:17 - 00:11:35:05
If yes, that means that threat actor, that means a criminal, a cyber criminal operator could do it right now. Next step, like I said before, did we see it? Did the ETR agent detect it? Did the simple see it? Like, do we even know that OS credential dumping happened? Yes or no? If the answer was no, that's another big problem.
00:11:35:12 - 00:11:57:11
So now you got to go back to your security tools, like, say, your ETR agent and say, Hey, listen, ETR, why didn't you detect this? Now we need to put in a detection to say when Elsa is dumped, fire off an alert and then tell an analyst to go investigate it. Right. So you put that little change in.
00:11:57:13 - 00:12:24:05
You've now improved the security posture of the environment because of attack emulation. Then you run the same command again. And this time, hopefully your your agent pops in says Alsace memory dump detected. Right. And you're like, okay, we saw it. That's good. Now go one step further and lock down the endpoint, if you can, to prevent it from running at all, then run it again and then it says it doesn't work.
00:12:24:05 - 00:12:58:29
Right. And this is the error of process of hardening your environment, increasing your cybersecurity posture, lowering your cyber risk exposure all through the activity of attack emulation. Okay. And again, I'll put a link to this atomic red team if you'd like to play with it. You can run it as an individual on your own, you know, machines. I would recommend that you don't do it on your dedicated machine in case you dork it up and you have a problem, definitely run it against a test machine or, you know, a test VM or something like that.
00:12:59:02 - 00:13:32:05
But this is what that is. And it's the way that we do. One way that we do individual testing. All right. Now be careful. As I said, when you're doing this, you are actively running code that is, you know, could could result in a compromise or degradation in a system. Remember, threat actors don't care. I mean, they're trying not to get detected or caught, but if they screw up your computer or your business, they don't care.
00:13:32:06 - 00:14:03:06
They're criminals. They're just after straight cash. Right. So if you're running it on your own machines, be very careful. This is more of a disclaimer than anything you could potentially screw up your systems if you run this without, you know, knowing what you're doing. Now, having said that, as I mentioned a moment ago, if you have the capability and you know what you're doing, stand up a virtual machine and run some atomic red team scripts against the VM and see what happens.
00:14:03:09 - 00:14:25:22
There's a lot of videos online on how to use atomic red team and how to set it up. I'll drop those links in the additional digging section of this module, but just for full disclosure, be careful if you're going to run this. Now I mentioned there's more advanced things, right? So just using the atomic red team is fine and it will help your cybersecurity posture.
00:14:25:25 - 00:14:43:27
But if you need to take it to the next level, there are four organizations. And by the way, there's an entire career field in information security or cyber security that you can pursue where you get paid to break into places and pretend to be a criminal. It's kind of cool. Red Siege here. I'm a I'm a big fan of Red Siege.
00:14:43:27 - 00:15:13:22
They're a company and they offer offensive security services, including red team and penetration testing. And basically they do the same things that threat actors do, except when they're done. They tell you exactly how they did it, and then they help your business harden its defenses. Right. So just like atomic red team, if you were to run these commands in as the last dump example I gave earlier in the lecture, when if you weren't able to stop it or detect it, you'd want to fix those things.
00:15:13:26 - 00:15:37:05
But let's say you run all the atomic red teams, right? And you harden all of the things right? You feel pretty good. Chances are your security posture is in a better place. But now you could hire someone like them to come in and they will go through and do more nuanced attacks or maybe you catch them in every way and you have confidence that your know your controls are good to go.
00:15:37:09 - 00:16:01:01
Remember I said it earlier, the whole point of attack emulation is to ensure that you're validating the efficacy of your controls and identifying any weaknesses so you can do something about them. Right. If all you did was run Atomic Red team, yeah, you're in a better spot, but you don't know with any confidence that you've got maybe a gap or an exposure you don't know about.
00:16:01:08 - 00:16:23:03
That's why you use a service like this. Who are humans that do human things just like the criminals do in order to break in and steal, you know, whatever the jewels are. And then but then they'll tell you. And that's the best part. Okay. I do want to tell you about the ethical considerations. Okay. Very important to note this.
00:16:23:05 - 00:16:51:21
You can find weaknesses in systems. You can exploit systems using these attack emulation techniques. The only difference between a criminal and, you know, kind of a righteous person trying to help their organization is intent attack emulation is attacking an organization. It's an emulation because you're you're able to wind it back and, you know, communicate out that you're going to be doing this on what systems you're going to be doing this.
00:16:51:28 - 00:17:13:00
Right. All of these things, not saying how to do it, not telling people you're going to do it, not having permission to do it, not being authorized to do it and doing it, that is criminal. Okay. So it's important to note that the tools in Atomic Red team and the things that you're learning, not just in this class, but like in this lecture specifically you can use to commit crimes.
00:17:13:00 - 00:17:41:02
So it's very important to be ethical and, you know, morally righteous in using the techniques and the tools that we're covering. In this lecture. Again, you could run atomic red team OS credential dumping on, say, your boss's computer and dump your boss's credentials and then log in to the system as your boss, then give yourself a pay raise or whatever.
00:17:41:02 - 00:18:03:25
Right. Like the problem is, you didn't have permission to dump your boss's credentials and then log in as them. That's very, very unethical. So I just I always like to qualify these things because we do dabble with a lot of power in cybersecurity. There are advanced solutions that do kind of like atomic red team. I list one here.
00:18:03:25 - 00:18:30:03
I've done work with them before. There are multiple. So continuous threat exposure management platforms. That's what CTM stands for. I have done work with XM Cyber on that. This is just a more robust solution that basically is better and more comprehensive than atomic red team and more managed than atomic red team, but not quite all the nuances of a red team.
00:18:30:03 - 00:18:54:27
So think of this as like a mid-tier automated solution, but it does cost money, right? Atomic red team is free. Red team services are paid. But you know, I just want to make it obvious. Also, it's worth noting I have done a full course on continuous threat exposure management, which is another discipline within cybersecurity. Again, this is a cyber one on one core, so entity mile wide.
00:18:54:29 - 00:19:15:17
But if you're interested in like vulnerability management, continuous threat exposure management, and you want to take that education for free in the additional digging section of this module, I'll include a link to that. It's a full course. I built the course, if you like, My teaching style, you'll like this course and it cost $0. Okay, so basically this is attack emulation again.
00:19:15:17 - 00:19:42:08
It should always be conducted ethically. It should be absolutely used in any organization as an opportunity to validate the efficacy of your controls. At the end of the day, yes, it's really cool to run these scripts and pop boxes and, you know, learn about attack emulation. But really, there's two reasons to do it. One, if you're learning to be a pen tester, you can see what it looks like and learn those techniques too.
00:19:42:08 - 00:20:02:02
And I would argue more likely is that you can use it at your organizing action to put controls in place that you're paying money for oftentimes and be able to say yes confidently. This control works and I know it's going to work. If a bad guy or bad lady log in and try to breach us on Christmas Eve.
00:20:02:02 - 00:20:24:01
Right. We want that confidence. We want that assurance. We want to be able to report to our management that we are, in fact, at a certain level of cybersecurity posture. Also say you pay up $100,000 a year for an EDR solution. Right? We talked about it in a separate lecture. You pay 100 grand a year, it's installed on everything.
00:20:24:01 - 00:20:46:04
You feel really great and then you do Atomic red team and you're able to dump credentials, right, For example? Well, that's a perfect opportunity to turn around to your EDR provider and be like, Bro, what are we doing here? Like, I can dump credentials. This is not good. How are you going to make this right for me and have the ETR solution, you know, do some detection tuning for you.
00:20:46:04 - 00:20:59:24
So these are all great opportunities. All right. That's going to do it for the attack Emulation lecture again. Go check out Atomic Grad team. I think you'll enjoy it. All the links will be in the additional digging section of this module. Thank you and I'll see you in the next one.