How to Empower Adversary Emulation

Leveraging threat intel, tools, and tactics for success

We all know that proactive security based on actual threat intel is the best way to prevent and mitigate attacks, but how do you get there? Keith McCammon, co-founder and CSO at Red Canary, came on a recent Friends Friday cast to talk with PlexTrac’s Dan DeCloss about adversary emulation — how to get started and why it’s so important. 

Keith leads Red Canary’s threat detection and analysis operations, providing customers with a level of detection previously available only to well-funded teams staffed by scarce talent.

Watch the full episode or read on for the highlights.

A shared language thanks to MITRE ATT&CK 

Dan and Keith kicked off their conversation by discussing the changing landscape of in cybersecurity. They agreed that MITRE ATT&CK was and continues to be critical resource in lowering the bar to effectively get started with adversary emulation. 

Keith said, “I would say honestly, the single biggest catalyst [to threat intel becoming useful] probably was and still is ATT&CK because I think it, you know, prior to that, again, there were a small number of shops producing, doing kind of like rigorous threat intelligence, research and reporting. But by and large, everyone had their own language and their own taxonomy. And it wasn’t that great stuff wasn’t being published, but the barrier of entry for putting together a program that’s capable of doing that is like super high, right? And so I think that was absolutely the single biggest catalyst was just having like that common language, but also like that taxonomy and that structure. And as that’s evolved over the years, I think it’s just continued to make it easier and easier.”

Consistency as the key to proactivity

Now with a common language and accessible resources of good threat intel, nearly any team can work more proactively. Keith advocated for proactive security in the form of continuous testing.

He said, “But for one of the things that we encourage, and I’d say the mantra and the spirit, I guess, of Atomic Red Team in general, not just the open source project, is that the best test is the one that you can do every single day, like, and it’s honestly just like establishing that drumbeat. We kind of liken it to health — like take your vitamins, do this as often as possible. It doesn’t have to be big, it doesn’t have to be really complex.” 

Dan agreed, “I mean, that’s what we’ve kind of been preaching. We’ve been preaching for a long time is like, one, being able to move from a reactive state to a proactive state and then shortening the cycle on how quickly you can identify what you should be testing and testing for it on a regular basis. Right? Yeah. It is that daily hygiene, kind of apple-a-day type of a thing. And that’s what I’ve loved about ATT&CK and even Atomic Red Team is that it provides those. You can go as broad and wide and deep as you want or as narrow as you need to, and you don’t have to have 100% of the skill sets as a seasoned, veteran red team or pentesting team to be able to at least identify some of the things that you probably know you should be fixing.”

A systematic approach to security

In addition to frequent testing, Keith suggested a highly systematic approach as important in becoming more proactive rather than just reactive. 

Keith said, “First of all, I’d say taking an engineering-driven approach to that is absolutely the right way. Right. That’s how you do, like, just ensure continuous improvement. But also, to your point about how do you kind of balance the proactive and the reactive, right? I mean, I’d say one of the things that we’ve always felt super strongly about is we spend, I’d say, as I would hypothesize, that our detection engineering team spends easily as much time on testing and writing tests as we write analytics and then just continuing to pressure test in those areas. I mean, 50-50, I think is actually like a great and very realistic rule, right?”

Keith continued, “And that only comes through just constant experimentation and being super proactive and really a mindset that’s very focused on just assuming that any one of those stages, processes, opportunities, assume any one of them will fail and make sure the whole system works. And that right there is the difference between doing atomic testing and doing detection engineering at a granular level — which is important — but, like, adversary emulation. And the importance of it is that that just plays out the whole attack from start to finish with as much variability as you can afford to introduce over time and make sure if the whole system doesn’t work, none of the system works.” 

He went on to compare reactive security to diving saves — they are great but it’s much better not to need to make them. “Like, the real goal in all of this is not to get great at diving saves. We built a ton of detection coverage at Red Canary. That is our bread and butter. Be better at detecting things that everything else has missed, and that’s where we operate. But those are diving saves. Every single one of those is a miss away from an adversary making it one step further. And now, like, every step further, every, every step that they progress, stakes are higher, you’re working harder to find them, scope that intrusion, mitigate it. And really what we want, it’s like when you talk adversary emulation and just systematizing — that that’s the Holy Grail.” 

Small steps add up to big gains

Keith summed up his advice: “And I think with proactivity in general, it’s the number one thing I always recommend is just, there’s great sources of free intelligence. Take even a few of those — you can make a really short list. The number of initial access vectors have not changed much in five or ten years — it’s phishing, it’s vulnerabilities. Figure out how folks are getting a foothold in the first place. Instrument as much visibility as you can there, and then take all of this great open source intelligence that’s available, figure out again those small number of techniques in each of those areas, to your point, just box them in. Don’t worry about all the other things that could happen. There will always be more ways, but I think just very granularly stepping through that. Like, how are they getting in in the first place? Are we instrumented there? Do we have visibility? And then what are the most prevalent techniques? Again, not a ton of drift there year over, year over year. And just keep that flywheel moving.”

Dan agreed that the most important thing any team can do to become more proactive and to begin using threat intel to implement strategies like adversary emulation and continuous assessment, is just to take very small steps forward. Do that consistently, and any team will be better off. 

He said, “My advice also, you know, when people ask is like, ‘Hey, don’t feel overwhelmed.’ It’s like you said, starting somewhere and doing something every day is better than nothing. Right? Similar to the way you lose 20 pounds is you just start, you start on day one. You just can’t take a day at a time. It doesn’t happen overnight.”

Follow PlexTrac on LinkedIn for more engaging episodes of PlexTrac Friends Friday, featuring leaders across all aspects of the cybersecurity industry.