Guests:

Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]

On Linkedin | https://www.linkedin.com/in/coolestcatiknow/

On Twitter | https://twitter.com/coolestcatiknow

Kate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]

On Linkedin | https://www.linkedin.com/in/kate-e-2b262695/

____________________________

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Island.io | https://itspm.ag/island-io-6b5ffd

____________________________

Episode Notes

In this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency.

The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.

The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do.

The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.

The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.

About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Batman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.

Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.

Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.

To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.

Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

____________________________

Resources

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209

Post: https://medium.com/mitre-engenuity/managed-services-evaluations-round-2-2023-attribution-and-speed-and-efficiency-oh-my-59aa207641fa

Podcast: https://itspmagazine.simplecast.com/episodes/mitre-att-ck-a-conversation-at-the-edge-with-katie-nickels-fred-wilmot-and-ryan-kovar

For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here: 👉 https://itspm.ag/bhusa23tsp

Want to connect you brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here: 👉 https://itspm.ag/bhusa23bndl

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit: https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel? 👉 https://www.itspmagazine.com/podcast-series-sponsorships

Release date

Lydbog: 7. august 2023