10 Class 28: Learning Journal - VascoLucas01/cybersecurity-reading-notes GitHub Wiki

Introduction

[Date: 2023/06/21]

In this Class 28: Learning Journal, I am going to talk about the main ideas/concepts covered in the atomic testing lecture.

Today I Learned

Atomic Testing

Testing coverage is fundamental to improving security outcomes.

Testing should be fast and easy.

Defenders need to keep learning how adversaries are operating.

Have a testing method.

  • Without a testing method, admins will just download a VM and pull 100 viruses from VirusTotal to test their defenses.

Post-Exploitation

  1. Recon

  2. Weaponize

  3. Deliver

  4. Exploit

  5. Control

  6. Execute

  7. Maintain

The MITRE ATT&CK framework documents the attack techniques used in the post-exploitation stages of the kill chain:

  • Control
  • Execute
  • Maintain

So far we've studied

  • RCE (Remote Code Execution)
  • Persistence

Atomic Testing Cycle

The Atomic Testing Cycle is a phased approach to improving your cyber defenses by testing them.

Levels of security team sophistication:

  • Level 1: Just starting out, limited resources
  • Level 2: Starting to mature, some resources
  • Level 3: Advanced cybersecurity teams and resources

Even at level 1, Atomic Tests can add a great deal of value to security efforts.
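The "have a testing method" point above and the Atomic Testing Cycle both come down to the same loop: pick a technique, run a small test, check whether your telemetry produced the expected detection, and record the gap. The following harness is an added example written for these notes, not code from the lecture or from Atomic Red Team. It assumes an in-memory list of alert lines standing in for a SIEM, uses real ATT&CK technique IDs (T1059.001, T1547.001, T1053.005) with constructed placeholder tests whose executor is a harmless print, and groups results by the post-exploitation stages listed in these notes.

```python
import re
import subprocess
import sys
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AtomicTest:
    technique_id: str       # ATT&CK technique ID
    stage: str              # post-exploitation stage from the notes: Control / Execute / Maintain
    name: str
    command: tuple          # benign executor, run without a shell
    detection_pattern: str  # regex a working detection should leave in telemetry


@dataclass
class TestResult:
    test: AtomicTest
    executed: bool
    detected: bool
    note: str = ""


# Constructed stand-in for a real executor: a harmless print. A real atomic
# test would perform the technique's observable behaviour on a lab host.
def _benign_executor(marker: str) -> tuple:
    return (sys.executable, "-c", f"print('atomic test marker: {marker}')")


# Constructed test catalogue. Technique IDs are real ATT&CK identifiers; the
# tests themselves are placeholders, not Atomic Red Team's own tests.
TESTS = (
    AtomicTest("T1059.001", "Execute", "PowerShell command execution",
               _benign_executor("T1059.001"), r"technique=T1059\.001\b"),
    AtomicTest("T1547.001", "Maintain", "Registry Run key persistence",
               _benign_executor("T1547.001"), r"technique=T1547\.001\b"),
    AtomicTest("T1053.005", "Maintain", "Scheduled task persistence",
               _benign_executor("T1053.005"), r"technique=T1053\.005\b"),
)

# Constructed alert lines standing in for what the SIEM emitted after the tests ran.
SAMPLE_TELEMETRY = (
    '2023-06-21T10:00:01Z host=lab01 rule="Encoded PowerShell command" technique=T1059.001',
    '2023-06-21T10:00:05Z host=lab01 rule="Run key modified" technique=T1547.001',
)


def run_test(test: AtomicTest, telemetry) -> TestResult:
    """Execute the test, then look for its detection in telemetry."""
    try:
        subprocess.run(test.command, capture_output=True, text=True, timeout=10, check=True)
    except (OSError, subprocess.CalledProcessError, subprocess.TimeoutExpired) as exc:
        # An executor that did not run tells us nothing about detection; record it separately.
        return TestResult(test, False, False, f"executor failed: {exc}")
    pattern = re.compile(test.detection_pattern)
    detected = any(pattern.search(line) for line in telemetry)
    return TestResult(test, True, detected)


def run_cycle(tests=TESTS, telemetry=SAMPLE_TELEMETRY):
    """One pass of the cycle over the whole catalogue."""
    return [run_test(t, telemetry) for t in tests]


def coverage_by_stage(results):
    """{stage: (detected, executed)} so a team can see where the kill chain is weakest."""
    counts = defaultdict(lambda: [0, 0])
    for r in results:
        if r.executed:
            counts[r.test.stage][1] += 1
            counts[r.test.stage][0] += int(r.detected)
    return {stage: tuple(c) for stage, c in counts.items()}


def detection_gaps(results):
    """Tests that ran but left no matching telemetry: the next detection to build."""
    return [r.test.technique_id for r in results if r.executed and not r.detected]


if __name__ == "__main__":
    results = run_cycle()
    for stage, (hit, total) in coverage_by_stage(results).items():
        print(f"{stage}: {hit}/{total} tests detected")
    print("Gaps:", detection_gaps(results))
```

Running it reports 1/1 for Execute and 1/2 for Maintain, with T1053.005 listed as the gap. That gap is the output of the cycle: a Level 1 team can work through one such gap at a time, and the catalogue and telemetry source are the only parts that need to grow as the team matures.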

Adversary Emulation

Mature security teams (Level 3) already using the Atomic Testing Cycle should consider "adversary emulation".

In adversary emulation, the red team executes the emulation engagement:

  • Gather threat intel
  • Extract techniques
  • Analyze and organize
  • Develop tools and procedures

Team Colors

Adversary emulation in action:

  • The red team acts as the adversary, attempting to penetrate the network or exploit the network as a rogue internal attacker (in-house security staff or a third-party company)
  • The blue team operates the security system with a view to detecting and repelling the red team.
  • A white team sets the parameters for the exercise (like a referee) -> Authorized to monitor or halt the exercise.
  • Purple teams enhance information sharing between the red and blue teams.