WEBVTT

00:00.000 --> 00:01.530
>> Welcome to Module 3,

00:01.530 --> 00:04.690
Lesson 3, threat emulation.

00:04.760 --> 00:07.500
In this lesson, we will explore

00:07.500 --> 00:09.030
my personal favorite
application of

00:09.030 --> 00:11.450
ATT&CK, emulating threats,

00:11.450 --> 00:13.935
and appreciate how
threat emulation

00:13.935 --> 00:15.645
can use known
adversary behaviors,

00:15.645 --> 00:18.600
such as those documented
within ATT&CK to assess,

00:18.600 --> 00:22.050
measure, and eventually
improve our defenses.

00:24.170 --> 00:26.505
This lesson will focus on

00:26.505 --> 00:27.780
what we call intelligence-driven

00:27.780 --> 00:31.695
emulation or Red Teams
mimicking known threats.

00:31.695 --> 00:33.780
This process allows us to

00:33.780 --> 00:37.005
operationalize intelligence
we discussed in Lesson 1.

00:37.005 --> 00:40.190
Specifically, we can
use CTI to scope and

00:40.190 --> 00:41.750
prioritize what threats and

00:41.750 --> 00:45.030
behaviors as Red
Teams we evaluate.

00:45.220 --> 00:47.480
At the end of the day, this

00:47.480 --> 00:49.100
allows us to observe
and evaluate

00:49.100 --> 00:50.840
our defenses from
the perspective that

00:50.840 --> 00:53.790
matters, that of our adversaries.

00:57.500 --> 00:59.700
Let's look back at the detection

00:59.700 --> 01:01.619
analytic from Lesson 2.

01:01.619 --> 01:04.760
>> As you recall, this
analytic is targeting,

01:04.760 --> 01:06.260
detecting adversaries

01:06.260 --> 01:09.210
dumping credentials
via LSASS memory.

01:10.150 --> 01:12.680
But the question arises after

01:12.680 --> 01:14.600
developing and deploying
this analytic,

01:14.600 --> 01:16.630
what's the next
step as a defender?

01:16.630 --> 01:18.650
Do we wait for an adversary to

01:18.650 --> 01:21.690
trigger or potentially
bypass this analytic?

01:22.930 --> 01:25.550
We can look back at
ATT&CK and compare

01:25.550 --> 01:28.980
this analytic to
documented procedures.

01:31.550 --> 01:34.615
We can also triage new CTI,

01:34.615 --> 01:37.340
which may pose new
questions such as,

01:37.340 --> 01:38.600
are we safe against

01:38.600 --> 01:42.210
these unknown or previously
undocumented procedures?

01:46.790 --> 01:50.390
This is where threat-informed
assessments come in.

01:50.390 --> 01:52.345
As you can see with the example

01:52.345 --> 01:54.040
adversary emulation plan below.

01:54.040 --> 01:56.050
We can use intelligence
to build out

01:56.050 --> 02:00.320
real-world adversary TTPs
into Red Team scenarios.

02:02.460 --> 02:05.080
This process allows us to

02:05.080 --> 02:08.410
actually build out
Red Team TTPs that

02:08.410 --> 02:10.960
provide outputs that are
more quantitative and

02:10.960 --> 02:12.220
closely measure how we

02:12.220 --> 02:14.840
fare against real
adversary behaviors.

02:18.480 --> 02:22.210
Here's another example of
using CTI to build out

02:22.210 --> 02:23.530
Red Team scenarios and

02:23.530 --> 02:27.770
behaviors that we can execute
for better assessments.

02:30.760 --> 02:32.860
With that, we've reached

02:32.860 --> 02:34.670
our knowledge check
for Lesson 3.

02:34.670 --> 02:37.390
True or false?
There's a limit to

02:37.390 --> 02:38.605
the number of different ways

02:38.605 --> 02:41.060
a single behavior
can be emulated.

02:41.100 --> 02:43.840
Please pause the video
and take a second to

02:43.840 --> 02:46.700
think of the correct
answer before proceeding.

02:50.390 --> 02:53.725
In this case, the
correct answer is false.

02:53.725 --> 02:57.130
Similar to procedures, there
is no limit to the number of

02:57.130 --> 02:58.930
ways a single behavior can be

02:58.930 --> 03:02.270
emulated or executed
by an adversary.

03:04.700 --> 03:08.280
With that, we've reached
the end of Lesson 3.

03:08.280 --> 03:12.255
In summary, threat emulation
is an offensive assessment

03:12.255 --> 03:14.285
mimicking particular
adversary behaviors

03:14.285 --> 03:17.130
such as those documented
within ATT&CK.

03:17.210 --> 03:19.730
We can use threat emulation to

03:19.730 --> 03:21.950
address the unlimited
number of procedures or

03:21.950 --> 03:24.260
variations of how adversary
techniques can be

03:24.260 --> 03:27.990
executed by adversaries
or our Red Teams.

03:29.300 --> 03:33.320
Finally, we can use this
threat emulation process to

03:33.320 --> 03:34.670
understand how our defenses

03:34.670 --> 03:38.340
fare against specific
threats and their behaviors.

