Redefining CyberSecurity

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations | A Conversation with Kate Esprit and Cat Self from MITRE | Las Vegas Black Hat 2023 Event Coverage | Redefining CyberSecurity Podcast With Sean Martin and Marco Ciappelli

Episode Summary

In the lead-up to Black Hat Las Vegas 2023, hosts Marco and Sean converse with experts Cat and Kate from MITRE to discuss the world of adversary emulation, its importance in cybersecurity, and MITRE's role as an industry thought leader and advisor.

Episode Notes

Guests: 

Cat Self, Principal Adversary Emulation Engineer, MITRE [@MITREcorp]

On Linkedin | https://www.linkedin.com/in/coolestcatiknow/

On Twitter | https://twitter.com/coolestcatiknow

Kate Esprit, Senior Cyber Threat Intelligence Analyst at MITRE [@MITREcorp]

On Linkedin | https://www.linkedin.com/in/kate-e-2b262695/

____________________________

Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin

Marco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society Podcast and Audio Signals Podcast

On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli

____________________________

This Episode’s Sponsors

Island.io | https://itspm.ag/island-io-6b5ffd

____________________________

Episode Notes

In this new Chats on the Road to Black Hat USA 2023 on the ITSPmagazine Podcast Network, hosts Sean and Marco are joined by Cat and Kate from MITRE to discuss the world of adversary emulation and its importance in improving cybersecurity. The conversation covers MITRE's role as an industry thought leader and their focus on making the cyber world a safer place. They explain how MITRE ATT&CK, a framework based on observations from blue and red engagements, led to the development of ATT&CK evaluations, which aim to raise the standard of the industry and provide transparency.

The hosts and guests emphasize the need for transparency in adversary emulation and how MITRE releases their methodology, results, and code to make the practice more accessible.

The group also discusses the challenges faced in aligning emulation plans with the diverse and unique solutions deployed by different vendors and the importance of maintaining the integrity of what the adversaries would actually do.

The conversation also touches on the differences between adversary emulation and simulation. While emulation replicates the actions and techniques of specific adversaries, simulation allows for more flexibility and blends different components of multiple adversaries.

The hosts and guests also explore the power and responsibility that comes with conducting adversary emulation, drawing parallels to superheroes like Batman and Spider-Man.

About the session — Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Batman once said, "you either die a hero or live long enough to see yourself become the villain." What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by "becoming the villain." We study some of the world's most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.

Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary's usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.

Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.

To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our "become the villain" methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.

Subscribe to our podcast, share it with your network, and join us in pondering the questions this conversation raises. Be part of the ongoing dialogue around this pressing issue, and we invite you to stay tuned for further discussions in the future.

Stay tuned for all of our Black Hat USA 2023 coverage: https://www.itspmagazine.com/bhusa

____________________________

Resources

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations: https://www.blackhat.com/us-23/briefings/schedule/index.html#becoming-a-dark-knight-adversary-emulation-demonstration-for-attck-evaluations-33209

Post: https://medium.com/mitre-engenuity/managed-services-evaluations-round-2-2023-attribution-and-speed-and-efficiency-oh-my-59aa207641fa

Podcast: https://itspmagazine.simplecast.com/episodes/mitre-att-ck-a-conversation-at-the-edge-with-katie-nickels-fred-wilmot-and-ryan-kovar

For more Black Hat USA 2023 Event information, coverage, and podcast and video episodes, visit: https://www.itspmagazine.com/black-hat-usa-2023-cybersecurity-event-coverage-in-las-vegas

Are you interested in telling your story in connection with our Black Hat coverage? Book a briefing here:
👉 https://itspm.ag/bhusa23tsp

Want to connect your brand to our Black Hat coverage and also tell your company story? Explore the sponsorship bundle here:
👉 https://itspm.ag/bhusa23bndl

To see and hear more Redefining CyberSecurity content on ITSPmagazine, visit:
https://www.itspmagazine.com/redefining-cybersecurity-podcast

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/podcast-series-sponsorships

Episode Transcription

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording as errors may exist. At this time we provide it “as it is” and we hope it can be useful for our audience.

_________________________________________

Sean Martin: Marco. You know,  
 

Marco Ciappelli: Sean,  
 

Sean Martin: I I have a story for you.  
 

Marco Ciappelli: I love stories. Go.  
 

Sean Martin: You, you have to know, you have to know what the title of the story, given the topic of today's comment. You, I've said,  
 

Marco Ciappelli: usually you start with, it was a, it was a, dark and stormy night.  
 

Sean Martin: A dark and stormy night. Exactly. Exactly. And, uh, we're going to, we're going to not make it about a weather event in any specific location. 
 

We're going to switch it and talk about a, uh, an entity of a person, perhaps, uh, somebody within an organization, good or evil. I don't know. We're going to see where this goes. Uh, but this is part of our Chats on the Road series and I'm in the Batmobile. What are you, uh, what are you driving to Vegas, Marco? 
 

Marco Ciappelli: I'm in with you. I'm wearing yellow, green, and red. I'm Robin right now.  
 

Sean Martin: You're my co pilot, all right.  
 

Marco Ciappelli: I'm your co pilot.  
 

Sean Martin: So now, I'm afraid I have to ask what, uh, Kate and Cat, who have joined us for this, uh, what appears to be a silly conversation already. Uh, what, what you'll be, uh, taking for your journey. 
 

What, what, uh, what transportation mode are you, uh, are you going to be hailing for, uh, your trip to Vegas at Black Hat USA 2023?  
 

Kate Esprit: Cat, you want to go first? I already know my answer. My answer is not practical though. My answer is the... The intense motorcycle that Batman ran, or that he rode in, I think it was the Dark Knight, the Christopher Nolan series, and it could switch directions. 
 

So I'll be riding that from D. C. all the way to Vegas.  
 

Sean Martin: So you can escape quickly if you need to.  
 

Marco Ciappelli: You can change your mind.  
 

Sean Martin: Or if you win lots of money you can. Quickly reverse and take it away.  
 

Cat Self: So I'm going to shamelessly leverage my network of DC Universe heroes and then jump in Wonder Woman's invisible jet and then just roll that way because the airport's right there by the strip. 
 

Sean Martin: Oh, that's true. That's true. Love it. Very smart. Love it. All right. So people who are listening have heard, and if you're watching, you've seen, you see names, um, but I think we need to do a formal introduction for our two guests, Marco. So, uh, Cat and Kate, uh, have put together a session at BlackHat and they've, they've politely agreed to join us to, to understand what it is they're going to be presenting during that session. 
 

And, uh, Cat and Kate, if you don't mind, Maybe sharing a few words about your roles and what you're up to, and then, uh, whomever wants to take it, kind of the catalyst behind. Putting this session together.  
 

Cat Self: I can definitely go with the intros first, but I will have to admit the Catalyst is definitely a combination of two to one, so I don't think either one of us can take credit, but my name is Cat Self. 
 

I started my InfoSec journey actually at Target, where I was a software developer, red teamer, specializing in Mac, and then eventually jumped over into the threat hunting, which is super fun because it's that full purple team experience. Then MITRE stole me away. And I was hired on as an adversary emulation engineer, where I was exposed to attack evaluations. 
 

And, um, on attack evaluations, I was able to develop, I was actually the CTI team lead for a while where we chose adversaries. Um, we developed them into emulation plans, and then we executed those emulation plans for the industry. Um, and then I eventually just moved into, uh, malware development. It's a fancy term for adversary engi Adversary emulation engineer. 
 

Um, and then now I kind of head up, uh, multiple projects underneath that same vein. But I'm also the Mac OS and Linux lead for ATT&CK. So, or MITRE ATT&CK, which hopefully some of you have heard of. Um, I'm one of the maintainers. I'm the one that you get to blame if Linux and Mac OS is missing certain techniques. 
 

So feel free to shoot emails. I really don't like email. So shoot slack messages my way and I'll probably respond to you via slack quicker than email. It's a thing.  
 

So that's all about me. So let me transfer you to Kate, who I just have a special place in my heart for.  
 

Kate Esprit: The feeling is mutual. 
 

Um, I'm Kate. It's nice to be here. Thank you so much for having us. Um, so I've been working at MITRE for a year and a half now. Um, I work as a senior CTI analyst. I actually came to MITRE initially with the blessing of working directly under Cat. Um, on the attack evaluations project. So I really got thrown into the world of adversary emulation and I've kind of never looked back since. 
 

Um, my background is not actually in adversary emulation at all. I came from an embedded intel role at Meta, formerly known as Facebook. Um, and before that I was working about five years in Latin America security and affairs. So kind of, kind of hit a bunch of different points in my career, but, um, it's great to be here. 
 

Sean Martin: So nice one. And I want to do this because I mean, I'm a huge fan of MITRE and the ATT&CK framework and a lot of the other stuff that your, your team, your broader team is doing. Um, but maybe just a quick word on MITRE and MITRE ATT&CK and then maybe transition to a definition of what adversarial simulation is as part of that. 
 

Cat Self: Definitely. So MITRE is a non profit. They've been in the cyber security space for about 50 years where they're kind of like a thought leader and advisor. That's really the position that MITRE takes. We don't have any real stake. There's not like, it's not like every quarter we get our stocks back. 
 

There's, there is none of that I can assure you, painfully so. And so it's, it's a nonprofit and whole moral of the story, right, is we try to make the world a safer place. It's not just our area, it's actually the entire world. So, which is actually one reason why we really wanted to focus on Latin American adversaries, right, which Kate will definitely speak to during the talk and you'll be able to understand that entire landscape with her commentary. 
 

But MITRE, um, launched MITRE ATT&CK. Fun fact, that came from a CSV file. Um, and then it is what it is today, which is amazing because it was observations based off of blue and red engagements, right? How do we talk to each other? And what's really neat is that's actually led into ATT&CK evaluations, which is how do we provide an evaluation to help raise the standard of the industry? 
 

To provide transparency, right? Between I said, I can do this, but can I actually do this, right? How do we create this environment and space to be able to have transparency while also making sure it's this like equal playing field, right? Where everyone's got the same information or operating from the same knowledge base. 
 

Which is what Attack Evaluations does, right? It takes MITRE ATT&CK and using MITRE ATT&CK we build out evaluations. And then I will, even though I'm the adversary, I'm an engineer, I'm going to let Kate take the discernment between of what adversary emulation actually is.  
 

Kate Esprit: Yes, which we will cover in full detail in our talk with some references to Batman and Batgirl. 
 

Just a little bit of a surprise there. Um, so I'm really glad you asked this because I think the industry still maybe conflates the two. Adversary emulation is essentially taking, is looking at a whole picture of what an adversary does at every single phase of an attack. What techniques are they doing? 
 

Not only what makes them unique, but what are some kind of tried and true methods they also use? Um, what are they doing for initial access? So it's taking kind of a holistic picture and really getting in the details of this particular actor. You know, what types of victims do they go after? What is their action on objectives? 
 

You know, what do they ultimately want to do? So it's taking all that information and basically replicating it in a scenario. Um, so for us, it's kind of, we always talk about adversary emulation as there's not a lot of room for flexibility. Um, which we will definitely cover in our talk. I think sometimes it's hard as, you know, analysts and developers in doing an emulation because there's not a lot of room for, oh, what, it would be so much easier just to do this. 
 

It would be so much easier to just RDP into the environment. Can't we do this? Nope. Because that is not maintaining the integrity of what the actor would actually do. Now... Simulation is taking some of those components of a particular adversary, but having more room for flexibility, right? So simulation might be, might look something like, okay, we have our adversary, We're going to take a couple of components of their privilege escalation, but then also add in a couple of other components that other adversaries do. 
 

So it's kind of more of a blend, um, and it's a little, again, there's more room for that flexibility and interpretation. Um, so our presentation is going to focus specifically on emulation and why that helps network defenders.  
 

Marco Ciappelli: Well, I'm going to let Sean dive into the technicality of it, but I want to touch on the fact that we started with all this. 
 

Weird vehicles, kind of like superhero ish. And before starting the recording, we even ask each other, or at least you ask me, which is my favorite superhero, and I say Spider Man. And there is a very famous quote about that with great power comes great responsibility, which is very well connected to the quote you have here about Batman, which I'm going to let you guys hear. 
 

You said that because it's been part of your presentation, which is like, you have a thin line between being the hero and being the bad guy. But I think the real good guy, the real hero, needs to, as we learned from, you know, even the art of war or Machiavelli, the prince, that you need to know your enemy. 
 

And that's why I would like to make a point here that it's not that you, you go that much outside of the scope when you try to simulate the villain, you, you have to, you can't just build a wall and say, Hey, it looks good from the inside. Um, but how, how is it going to work with the attacker? So I think, isn't this supposed to be a. 
 

A very common approach in the industry or or MITRE kind of brought something completely new to the table of cyber security. 
 

Cat Self: I'm really excited about this. Who's going to talk on this one?  
 

Kate Esprit: Go ahead, go ahead.  
 

Marco Ciappelli: Both. 
 

But not at the same time.  
 

Cat Self: Yes, that with great power comes great responsibility. Absolutely. Um, and that is actually something we actually had to take into account as we release this software. Right. One of the things that we do is we not only release all the screenshots into these billion dollar companies. 
 

So you can see what you're paying for essentially. Right. We also release all at least majority of the code. That we used during the evaluation. So that way you can run it in your own environments. You can see how this does against tools that you already have. Right. So with that said, one of the things that MITRE, the thing that MITRE actually brings to the table, if we can just break this up, adversary emulation is not new. 
 

Nor are we like rock stars and look at us like we're the shiny new objects. No, no. But most people don't have the problem set of let's, can your emulation run against every single defender, right? That has a product for detection and protections and their unique snowflake solutions. Because I can tell you right now, that is a really complicated problem to be able to emulate for. 
 

There's a We actually go over. Kind of some pivot points that we have to have with these considerations, because we can emulate something exactly, but then does it run in the environment against this vendor who has an entirely different kernel? Cause that's how they're, like, that's how their end point, like their protections and detections are deployed. 
 

Right. Or does it work against this one, which doesn't even ever enter into user land or just solidly into kernel. Right. So all of these different protections and detection companies have to come to the table in the same environment. And we have to be able to have an emulation plan that is as non bias and objective as possible, um, done in a two month period of time, two to three month period of development time. 
 

where nation states get four, five, six, ten years to develop these things over time. And we're also deploying these things in environments that they're not necessarily initially deployed to, right? Some of these tools that we've done in air gapped environments. That means their C2 communication is going to be very different. 
 

It's going to be a very linear communication channel, right? There's going to be different dependencies that they're doing. Um, we don't necessarily know the environment variables are pulling from because some absolutely pull from those. We don't necessarily know the shared objects that they're using because those were never released in a public reporting. 
 

So there's certain considerations that just put us in a different, a different category that absolutely does make us bleeding edge in this regard. Because not many people have to operate with the amount of limitations and trying to align as hard as we do to the line of CTI, which Kate can speak more to. 
 

Kate Esprit: Yeah, and just add on because I think that transparency component that Cat talked about is really important and integral to kind of our why we do what we do. I would agree like adversary emulation as a practice is not necessarily new in the industry, but I think a key differentiating factor, um, in what we do with regards to emulation is the fact that we are transparently releasing our methodology. 
 

We release the results of every single emulation round. We release all of our plan, all of our code, and a key kind of takeaway that we're hoping the audience gets from our presentation is, hey, adversarial emulation is a lot more accessible as a practice than you think. I think sometimes in the industry. 
 

Smaller organizations who might not have a whole department or whole team dedicated to adversary emulation. I think those smaller industry folks sometimes feel like, you know, they may lack the resources or, um, personnel to carry out something like this. Um, and we're kind of trying to change that notion and make, um, adversary emulation more accessible by just lowering the bar of entry. 
 

Sean Martin: Well, it's because they're spending nine of their 12 hours that day patching. Crap. Right? And so maybe if they had a better view of what, what's really going on and what matters, uh, they can get out of patch land and, and in more of a control land and mitigation land. Um, I want to, I want to look at the, the role. 
 

Cause you mentioned, I think you said simulation, now we're all, we're talking all about emulation here. And I think you described the difference between those two. Simulation seems safer, but then maybe a little more generic, uh, in my perspective. And then emulation is where you actually get in there and in your, in your session description, you talk about the red team are coming in and working with CTI and I immediately turned to tools that go in and, and they. 
 

Act and execute and emulate what you're trying to pretend to be or replicate being, which has some danger that a simulation doesn't bring to the table. So how, how do you, and this isn't the tool being used for nefarious purposes. This is somebody using it for good reason, for a good cause. But it takes, perhaps takes a step too far and knocks the system over or, or, uh, exposes something that, uh, we didn't want it to say, did you have to take that into account as you're working on this? 
 

And how do you, how do you help the teams that actually end up using this, uh, walk that fine line if, if they have to.  
 

Cat Self: Are you talking about like deploying this in production environments?  
 

Sean Martin: Yes.  
 

Cat Self: I'm assuming, like, you're referring to, like...  
 

Sean Martin: I'm thinking, like, pen tests and things like that, where, yeah, Red Teamer would be called in unknowingly to, to explore, and I don't know if this is, the purpose of this is... 
 

To do something like that or not. But 
 

Cat Self: I mean, there's a lot of tools out there that already conduct this, like specifically atomic red team, right. But the isolated tests, um, you're looking at like different vendors have their own formalities of these, right. Where they're running these small, like isolated scenarios. 
 

Is that what you're referring to?  
 

Sean Martin: Yes. And I'm wondering what, what you've built, how does it relate to that and fit in with that and what are the, some of the considerations you had to make and the teams have to make based on what you built.  
 

Cat Self: So the power behind ATT&CK Evaluations, and at least, honestly, this is more from feedback from the community that I've had. 
 

Um, because when you're doing it, you're kind of like, I'm just doing the thing. You know, you're like, I do it, I build it, I deploy it, and we're done. Next. Um, so fortunately, I've been on the ATT&CK Evaluations team long enough to actually get some feedback from different industry professionals that use this. 
 

Here's the main three use cases that I've seen ATT&CK Evaluations use. Outside of the people that request the binaries for the hash to put in their AVs. Outside of that, really specific, do not endorse that, but understand it, scenario. One of them is being able to deploy it and collect all the data and artifacts so they can threat hunt it. 
 

Like, specifically, uh, Threat Hunters Forge, right? Roberto Rodriguez did that for APT29, where he pulled in the emulation plan, ran it in an environment, and collected all the artifacts, and then was able to use that as a hunting use case. Um, and then other ones have been translating it into, like, micro what we have just come out with as, like, micro emulation plans, or smaller emulation plans, or atomic red team tests. 
 

Um, and then another one has been, Primarily the fact that this simulation plan builds on each step. So a lot of times, one of the things that's missing in a lot of these automated environments, right, is you go in, you launch, you do it and you're done, but there's a lot of like discovery information that you kind of have to have prior to, and it doesn't necessarily have the same exact timestamps every time, right? 
 

It's not this automated, not everything is automated. Um, and so, but. This discovery creates this. They exfil this file that then builds up this database of knowledge. Now I can know, like, okay, I've collected this known host file, and I've also collected these keys and I collected these keys from these other people. 
 

So now I have, like, a collection of all of this information. Now, how do I take all of this and then scan the environment using this very targeted information? Move laterally using A, B, and C technique, then once I move laterally, I do additional internal reconnaissance, right? Like, those really meaty, very, like, not clean and clear repeatable instructions are really what attack evaluations, I think, gives you. 
 

And also along with the diversity and the complexity of what a scenario actually provides.  
 

Kate Esprit: Yeah, and I would add also, I think, I think sometimes when we, I have conversations with people in the industry, they're like, well, why do you need CTI for this? Like, what do you bring to the table? Which is a fair question, but I think that is something, it's an additional value add, it's additional context that we provide around the adversary, but also With attack evaluations, we're always thinking about the impact we're trying to have on the industry. 
 

So it's not even necessarily, we're only thinking about the vendors. We're thinking about it from the perspective of like, before we even select an adversary, what are our goals and objectives? Like what are we seeing in industry right now? Maybe it's cloud exploitation. Maybe it's, um, you know, like super stealthy techniques. 
 

And I think That kind of component is the, it forms a foundation of threat informed defense because we continuously go back to those goals and objectives throughout the creation of the emulation scenario. Um, and that's not necessarily a impact that you could have with automated tools. If that makes sense. 
 

Marco Ciappelli: Actually, make me wonder, how do you decide what is your next challenge, right? I mean, in this case, you say you're going to use as a, as a real world villain case, Latin America. And I'm wondering why. So that's one question. And then the second follow up question is, how do you decide what is the next one that you need to focus on? 
 

Did you have some magic formula to get to that? You look around, what's going on? What's, uh, what's the story there? And, uh, I don't know, Kate, maybe you want to talk about the Latin America scenarios?  
 

Kate Esprit: Yeah, sure. If you want me to stand on my soapbox, I will happily stand on my soapbox. Um, so I do focus on Latin American adversaries. 
 

Um, we spoke about at the beginning that that is a region that is quite underreported, um, in larger industry, but there are definitely cyber adversaries doing very interesting things. I will not get into why I think it's underreported. Um, I think that's a whole separate podcast, but. One of the reasons why we chose a Latin American adversary for this particular presentation is it because it underscores our objective of making everything more accessible in the community. 
 

And I think when it comes to the cyber industry, we tend to focus on four big countries, right? Because You know, Russia, DPRK, China and Iran. I'm not going to lie to you. They're very sophisticated actors doing a lot of damage from those countries. And so I completely understand the focus of the industry and CTI reporting. 
 

I completely understand that. But at the same time, there are victim organizations around the world being targeted by other actors. And I think that deserves recognition. And so, bringing it back to our presentation, you know, we kind of wanted to use this opportunity to not only have Kate have her Latin America fun, but also to reach a community that might not even know about evals yet, or might not be. 
 

Um, completely included in conversations around adversary emulation. And, um, that community that we're really talking about is the community in Latin America as well. So, ATT&CK Evaluations is, has a global focus and I think because of that we need to have a more global mindset in the way that we go about selecting adversaries. 
 

Marco Ciappelli: Very cool. So what's going to be the next one? 
 

Kate Esprit: That's a good question.  
 

Marco Ciappelli: Or if you don't want to tell me that, if you don't want to tell me that, tell me how you select potentially the next one.  
 

Sean Martin: You gotta come to the talk. What do you look at? Yeah, come to the talk.  
 

Kate Esprit: All right. Okay, like just to clarify about our adversary selection. In evals? Okay. Yeah, that's a great question. 
 

So kind of going back to what we were talking about earlier, we definitely set goals and objectives. We track industry developments, you know, throughout the year and we have regular discussions so that we're keeping on track of those trends. Those feed into our ultimate goal, right? Um, that's gonna serve as the common point of the emulation plan. 
 

Now, when it comes to adversary selection, we have a whole slide dedicated to this. Um, but in brevity, I will say we have a certain baseline criteria that we need to meet that, surprisingly, not a lot of actors meet. Um, especially as it relates to our initial objectives. Um, and then the other really hard thing sometimes is we try not to repeat actors. 
 

So we're, you know, coming up on almost six rounds of enterprise evaluations, almost two rounds of managed services. Um, so we've used a lot of actors and we try not to, to, to repeat them, so.  
 

Sean Martin: All right, so I, I have to ask, how does this fit in? So, and I'll ask the question in a different way. Um, I presume you want CTI and, and... 
 

Red, blue, purple teamers to join you for your session. Maybe others you can, you can let me know if there are, um, what do you want them to walk away with? How can, how can they take action after hearing you share what you're, what you've put together for the session? Is it a change to the way they think? A change to the tooling, a change to. 
 

Culture change to operations, all the above, none of the above. I've completely missed the mark. What, what, what do you, uh, what do you want folks to take away? 
 

Cat Self: I'll speak to the adversary emulation side. Um, we've really structured this talk to be able to showcase, honestly, the really tough challenges we've had. As a team, we've had to overcome so many tough decisions and try to, and know that we're going to have to publicly, publicly present our decisions and then be able to back one. 
 

And that puts you in a very tough position when it's not just your manager or your leadership being like, why'd you do it that way? So we've been very systematic about that. And the thing that we've really had to break down is silos. 100% we have had to break down the silo between CTI and Red, um, the silo between infrastructure and the other two teams, the silos between blue teams and CTI and blue teams and Red and blue teams and infra, um, and then even in tooling, like breaking our, the way we think about what is available to what is it that we actually need. 
 

And asking hard questions and having the humility to come back to the table and being like, I can't do this, there's gotta be an alternate method, right? Like I don't like, given these constraints, by the way, I have constraints. I didn't even know I had constraints until now. Which makes your team change everything that they just gave me, right? 
 

So this, there's this constant collaboration that we talk about in our talk and we use very specific products and we've geared these very specific products that each team produces. Because they're the most viable thing, they're the most viable item that we've had that has forced collaboration and it has created the space for collaboration and then the rest of it's all up to the humans. 
 

Kate Esprit: Completely agree. I would also say, going, it's kind of, our talk focuses on the true spirit of what it is to Purple Team, right? Like every, like Cat just mentioned, we have infrastructure, we have Blue Team, Red Team. Um, CTI, even, you know, what we call our white team who lead vendors through things. Every single one of those disciplines deserves an amount of respect. 
 

And every single one of those disciplines cannot necessarily be done by the other teams, right? So it's this constant back and forth, and what we kind of hope to communicate too is: why should you care about adversary emulation if you're an end user? Like, if you're maybe from an organization that could see themselves participating in an ATT&CK evaluation in the future, that's awesome. 
 

But we're also gearing this talk for just end users, for network defenders. Um, you know, how does, answering questions of like, how does adversary emulation give you different points in data and a different, more enriched level of knowledge than anything else, than pen testing, than automated simulation? 
 

That's a key question that we're seeking to answer in our talk as well.  
 

Sean Martin: Yeah, and I can see, um, I can see those teams, like the network defenders, perhaps seeing signs or seeing trends or seeing threads or something else coming from this that perhaps changes the way they think about how they put controls in place. 
 

So rather than having a super complex multi-system, multi-rule set of, uh, policies and controls, maybe there's a different way to package that up. That's a little more stable. Little more, uh, a little less, uh, headache, hair pulling, uh, to, to manage day to day. I don't know. I'm just making something up there, but I can see that. 
 

And the other thing... Based on what you described, Kate, correct me if I'm wrong, but I can also see where somebody like a CISO might have some learnings in here for breaking down those barriers. I mean, you had to do it. I don't know how much detail you described there, but, uh, in the session, but I can see where, I mean, the CISOs battle with this all the time, right? 
 

They don't trust the other teams to, to, uh, maybe they, maybe they trust them to do what they're told to do, but not embrace security, uh, like they want them to and or need to. And, uh, so I think breaking down those barriers and, and, uh, forced collaboration, as you called it, uh, there's probably some key learnings in there for the executive level and security leadership, I'd suspect. 
 

So, um. I want to, I think we're probably getting close to the time here. I think, and I'd love to have you back maybe to talk more about, uh, Latin America thing, and perhaps we can dig deeper. I had, I had a few folks in where we, uh, it was Catie Ryan and Fred Wilmot, uh, talking about how to operationalize this. 
 

So actually digging deeper into how, how to bring ATT&CK into a security program. And this is early days before SOAR was SOAR and things like that. But anyway, we can, I'm happy to talk about how, how we bring that in, but maybe a final call from each of you, a little teaser or a little, a little nugget you want to share for your session to, uh, to get people to, to join you at Black Hat there. 
 

Cat Self: I'd say probably the coolest thing that we found was there are certain things that you learn only through emulation. 
 

That'll lend itself to, like, what the adversary actually did versus what reporting actually says.  
 

Sean Martin: Interesting. 
 

That's a good one.  
 

Kate Esprit: Um, mine would be, there is more of a let's show you rather than let's tell you element to this presentation, where we will show exactly how we emulated this adversary in Latin America, rather than tell you all about it. Let's show you.  
 

Sean Martin: That's all I'll say. That's the true spirit of emulation as well, right? 
 

Kate Esprit: Exactly. We have to follow our own rules.  
 

Sean Martin: Way better than a report. Way better than a report. Well, I'm super grateful for the two of you for doing what you do with MITRE and all the effort you put into that and to this session. I know it's not easy getting... Getting a spot at Black Hat to be able to speak and connect with the community there. 
 

So congratulations on that. I'm excited to hear how that goes. It's Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations, Cat and Kate. It's on Wednesday the 9th, 1:30 Pacific. They're at Black Hat USA 2023 and, uh, you don't want to miss it. That's for sure. Um, of course for those listening and watching, in the notes for this episode, we'll include a link to the session, Cat and Kate's, uh, profiles on social media, whatever they want to share there so you can connect with them. 
 

And, uh, yeah, we'll include other resources, uh, that Cat and Kate want to share, uh, links to ATT&CK, links to, uh, evaluations, links to resources. Not, not anything that gives away the session yet, but, uh, anything you want to share, we'll include in the show notes. And of course, Marco, we're, we're still on the road. 
 

I'm in, I'm in the Batmobile still. We're not quite there. We have more sessions to record, more stories to tell.  
 

Marco Ciappelli: Uh, we have, we have told quite a bit. We have told a lot. I think there are a lot more stories to tell, and this one in particular for me, that I'm not so deep into the technicality of it, but it all makes so much sense. 
 

It's kind of like the superpower here is to kind of like really understand and foresee the future, because if you, if you know your enemy, you can actually, it's a, it's a great investment. I'm, I'm thinking all you've been saying, put it into the business mentality, right? On why should I budget for this? 
 

Because it makes sense. Otherwise, you're going to whack-a-mole all the problems, when you can actually have a much better focus, as Sean said, to really put the controls in place. So I've learned a lot. I'm excited for all that the people will learn at the actual session there, and, uh, it was nice to have you on, and, um, I hope everybody will just keep listening to us, our coverage, and subscribe, and definitely go to this session. 
 

Sounds like a lot of fun if you are into these kinds of things, of course, and superheroes.  
 

Cat Self: But you should be.  
 

Sean Martin: All right, thanks everybody, thank you, uh, see you on the road to Vegas. Enjoy, keep well, stay safe.