
Intelligence Driven Testing with Atomic Red Team

Time is short, resources are spread thin, and you have the responsibility to ensure your security investments deliver on their promises. Intelligence-driven testing shows how you can prove your controls work against real-world adversary techniques: consume published information about adversaries, then adapt tests from the freely available Atomic Red Team project to exercise those techniques against your own controls.

Tony M Lambert

April 13, 2019

Transcript

  1. Intelligence-Driven Testing With Atomic Red Team

  2. $env:UserName
    Tony Lambert
    Evil Finder
    Red Canary
    @ForensicITGuy
    ▪ Detection & analysis at Red Canary
    ▪ Recovering sysadmin
    ▪ Loves to teach, hates to grade homework

  3. IDEA
    Anyone can test their own
    security controls.

  4. Overview
    ▪ Where are you in control testing?
    ▪ Problems in testing methodology
    ▪ A better way to test
    ▪ Atomic Red Team

  5. Places in Testing
    ▪ Adversary Simulation
    ▪ Red Teams
    ▪ Penetration Testing
    ▪ Blue Team Maintaining Controls

  6. Where Are You?
    ▪ Not everyone can afford simulations
    ▪ Some do compliance only
    ▪ Testing without money to test
    ▪ Do you improve between tests?

  7. Frustrating Tests
    ▪ Malware Zips
    ▪ Random Malicious Binary
    ▪ LOLBINS & GTFOBINS

  8. Behavioral controls need
    context for testing!

  9. A Better Way
    ▪ Baseline current controls
    ○ Simpler is better
    ▪ Construct a chain of adversary behavior
    ○ Start with phishing
    ▪ Inspect your controls
    ▪ Improve coverage and configurations

  10. Start Small
    ▪ Baseline Heatmap
    ▪ MITRE ATT&CK Navigator
    ▪ Excel Spreadsheet
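One way to produce the baseline heatmap the slide mentions, as an added example (not code from the deck, from Red Canary, or from the Navigator project): a PowerShell script that turns a hand-kept list of technique scores into an ATT&CK Navigator layer file you can load straight into the Navigator. The layer field names used (name, version, domain, techniques[].techniqueID/score/comment, gradient) are those of the Navigator 2.x layer format as assumed here; the three techniques are the ones from the phishing chain later in the deck, and their scores are a constructed sample, not a real baseline.

```powershell
# Added example, not code from the deck or the Navigator project. Writes a minimal
# ATT&CK Navigator layer from a small, hand-maintained coverage baseline.
# Assumption: Navigator 2.x layer format (name/version/domain/techniques/gradient).
param(
    [string]$OutFile = (Join-Path (Get-Location) 'baseline-layer.json')
)

# Constructed sample baseline. Scoring scheme used here:
#   0   = no visibility at all
#   50  = logged somewhere, but nobody is alerted
#   100 = alerted on and reviewed
$baseline = @(
    @{ Id = 'T1170'; Score = 50;  Note = 'mshta.exe seen in process logs, no alert' }
    @{ Id = 'T1086'; Score = 100; Note = 'Script block logging on, EDR alerts' }
    @{ Id = 'T1053'; Score = 0;   Note = 'Task creation not audited (no event 4698)' }
)

# [ordered] keeps the key order stable so the JSON diffs cleanly between baselines.
$layer = [ordered]@{
    name        = 'Control baseline'
    version     = '2.2'
    domain      = 'mitre-enterprise'
    description = "Baseline heatmap generated $(Get-Date -Format s)"
    techniques  = @($baseline | ForEach-Object {
        [ordered]@{ techniqueID = $_.Id; score = $_.Score; comment = $_.Note }
    })
    # Red for 0, yellow for 50, green for 100, matching the scheme above.
    gradient    = [ordered]@{ colors = @('#ff6666', '#ffe766', '#8ec843'); minValue = 0; maxValue = 100 }
}

$layer | ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8
"Wrote $OutFile ($($layer.techniques.Count) techniques)"
```

Keep the baseline deliberately small at first, as the slide says: a dozen techniques you honestly know the answer for beats a full matrix of guesses, and the comment field is where you record why you gave each score so the next baseline can be compared against it.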

  11. Chain of Behavior
    Make it real: start simple with phishing
    ▪ HTA Email Attachment (T1170)
    ▪ PowerShell to Download Something (T1086)
    ▪ Scheduled Task for Persistence (T1053)
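The three-link chain on the slide, as an added example that is not code from the deck or from the Atomic Red Team project: a small, self-cleaning PowerShell emulation for a throwaway lab Windows host. Assumptions: it runs as a normal user; the "download" fetches a file:// URL pointing at a benign file the script itself writes (point it at a lab web server instead to also exercise proxy and network controls); the task name and file names are invented for the example.

```powershell
# Added example, not from the deck or Atomic Red Team. Emulates the chain
# HTA attachment (T1170) -> PowerShell download (T1086) -> scheduled task (T1053)
# on a lab host and removes everything it created afterwards.
param(
    [string]$WorkDir  = (Join-Path $env:TEMP 'atomic-chain'),   # assumed working directory
    [string]$TaskName = 'AtomicChainTest'                        # invented task name
)

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$stage2  = Join-Path $WorkDir 'stage2.txt'
$marker  = Join-Path $WorkDir 'downloaded.txt'
$htaPath = Join-Path $WorkDir 'invoice.hta'

try {
    # Benign "second stage": its only job is to prove the download happened.
    Set-Content -Path $stage2 -Value 'stage2 reached'
    $stage2Url = 'file:///' + ($stage2 -replace '\\', '/')

    # Link 2 (T1086): the one-liner the HTA will launch. Net.WebClient.DownloadString
    # is the API many real loaders use; here it just copies the benign file to $marker.
    $psCommand = "(New-Object Net.WebClient).DownloadString('$stage2Url') | Set-Content -Path '$marker'"
    $encoded   = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($psCommand))

    # Link 1 (T1170): the HTA "attachment". Its VBScript shells out to powershell.exe,
    # waits for it, then closes; that is the mshta.exe -> powershell.exe parent/child
    # relationship your endpoint logging should have recorded.
    $hta = @"
<html><head><title>Invoice</title>
<script language="VBScript">
  Set sh = CreateObject("WScript.Shell")
  sh.Run "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded", 0, True
  window.close
</script></head><body></body></html>
"@
    Set-Content -Path $htaPath -Value $hta
    # Open it the way a user double-clicking the attachment would.
    Start-Process -FilePath 'mshta.exe' -ArgumentList "`"$htaPath`"" -Wait

    # Link 3 (T1053): persistence. A daily task that would re-open the HTA. schtasks.exe
    # is used on purpose because it is the binary most detection logic keys on.
    $taskRun = "mshta.exe $htaPath"
    schtasks.exe /Create /SC DAILY /ST 09:00 /TN $TaskName /TR $taskRun /F | Out-Null

    # Record what actually ran, so the "inspect controls" step has ground truth
    # to compare the logs against.
    [pscustomobject]@{
        HtaLaunchedPowerShell = Test-Path $marker
        TaskRegistered        = $null -ne (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue)
        RanAt                 = Get-Date
    }
}
finally {
    # Always remove the persistence and the files, even if a control blocked a link mid-chain.
    schtasks.exe /Delete /TN $TaskName /F 2>$null | Out-Null
    Remove-Item -Path $WorkDir -Recurse -Force -ErrorAction SilentlyContinue
}
```

If a link is blocked (the mail gateway strips the .hta, AV quarantines it, application control denies mshta.exe), the object printed at the end shows which link failed; that is a result, not a broken test, and it is exactly what the next slide asks you to inspect.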

  12. Inspect Controls
    What worked or didn't?
    ▪ HTA Attachment
    ○ Email, AV, Endpoint Monitoring
    ▪ PowerShell Download
    ○ Endpoint Logging
    ▪ Scheduled Task
    ○ Hunts for persistence
    ○ Windows Event Logs
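Checking the endpoint-logging and Windows Event Log controls from the slide against the chain, as an added example (not code from the deck or from Red Canary): a PowerShell script that pulls, from the host that ran the chain, the one event each link should have left behind. Assumptions: Sysmon is installed with process-creation logging, PowerShell script block logging is enabled, "Audit Other Object Access Events" is on so the Security log records task creation (event 4698), and the Microsoft-Windows-TaskScheduler/Operational log is enabled; the task name is the invented one used when the chain was run.

```powershell
# Added example, not from the deck. Counts the log evidence each link of the chain
# should have produced. Assumes Sysmon, PS script block logging, and task-creation
# auditing are configured; a count of 0 for a link means that control has a gap.
param(
    [datetime]$Since    = (Get-Date).AddHours(-1),
    [string]  $TaskName = 'AtomicChainTest'   # invented name, same as the chain script
)

function Get-EventField {
    # Return one named EventData field from an event, read from its XML rendering.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Find-Events {
    # Get-WinEvent errors when a log is missing or has no matches; both mean "no evidence".
    param([hashtable]$Filter)
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue
}

# Link 1: mshta.exe spawning powershell.exe (Sysmon event 1, parent/child relationship).
$htaChildren = Find-Events @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'ParentImage') -like '*\mshta.exe' -and
                   (Get-EventField $_ 'Image')       -like '*\powershell.exe' }

# Link 2: the download one-liner as decoded by script block logging (event 4104), which
# sees through -EncodedCommand because it logs the script text, not the command line.
$downloads = Find-Events @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'ScriptBlockText') -match 'WebClient.*DownloadString' }

# Link 3: task registration, from the Security log (4698) and the Task Scheduler log (106).
$taskCreated = Find-Events @{ LogName = 'Security'; Id = 4698; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'TaskName') -like "*\$TaskName" }
$taskRegistered = Find-Events @{ LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'TaskName') -like "*\$TaskName" }

# One row per link: the evidence you expected, and how much of it you actually have.
[pscustomobject]@{
    'HTA -> PowerShell (Sysmon 1)'        = @($htaChildren).Count
    'Download one-liner (PS 4104)'        = @($downloads).Count
    'Task created (Security 4698)'        = @($taskCreated).Count
    'Task registered (TaskScheduler 106)' = @($taskRegistered).Count
}
```

Run this on the same host right after the chain. A zero in the Security 4698 column with a nonzero TaskScheduler 106 count is the common case: the task log saw it, but the audit policy that would feed your SIEM was never enabled, which is the kind of configuration finding the "Improve" step is about.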

  13. Improve
    ▪ Coverage
    ○ Artifacts or hosts
    ▪ Configuration
    ○ Did you think you’d catch it?
    ○ Opportunity to fix things

  14. Atomic Red Team

  15. Start With Intelligence
    ▪ Articles with adversary techniques
    ○ Cybereason, Unit 42, ESET
    ▪ Visit MITRE ATT&CK
    ▪ Pivot to Atomic Red Team

  16. OPTIONAL TAG

  17. The Fancy Stuff
    ▪ Execution Framework
    ○ There’s a wizard for that!
    ▪ Chain Reactions
    ○ Simulate a specific attack

  18. Other Cool Projects
    ▪ Metta
    ▪ RTA
    ▪ Caldera
    “Security Instrumentation & Validation”

  19. Test and Improve with Atomic Red Team
    https://atomicredteam.io
    https://www.redcanary.com/blog
