Re: Adversary Simulation

[benjamin heise <heise.benjamin () gmail com>]

Justin Warner actually wrote a, IMO, great overview of adversary emulation
and how to carry it out, as well as delving lightly into the Diamond Model
of Intrusion Analysis.

Does Immunity follow this same model, or have you developed your own model
for performing adversary simulation?

References:
http://www.sixdub.net/?p=762
http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

V/r,
Ben

On Tue, Nov 29, 2016 at 3:57 PM, Paul Melson <pmelson () gmail com> wrote:

> So are you aware of a criminal actor that uses Immunity's Innuendo in
> their attacks?  If not, then which adversary are you simulating?
>
> The point to my obvious straw man is that if you really want to help your
> clients up their game in detecting and responding to real threats,
> shouldn't you study the actors that target their industry verticals and
> emulate their operations using the same tools and tactics they are known to
> choose?
>
>
>
> On Nov 29, 2016, at 9:26 AM, dave aitel <dave () immunityinc com> wrote:
>
> So obviously everything a penetration testing company does is at some
> level "Adversary Simulation". I like to call it "Focused Training" -
> because penetration testing is more about education than anything else, but
> the WAY you do to that is by emulating and instrumenting some sort of
> adversarial process.
>
> Ok, that said, we have for the past year offered a special service called *Adversary
> Simulation <https://www.immunityinc.com/services/adversary-simulation.html>*
> by which we meant something quite specific. We go to some big financial
> company, usually super under-dressed for the cold because we live in Miami,
> and we install INNUENDO on a couple machines. Then we exfiltrate a few
> terabytes of data over whatever protocols are working and we work with the
> company to do a hardcore analysis of their detection systems for that sort
> of thing.
>
> That sounds simple. But in practice, every company at that size range has
> multiple products trying to detect you, and they provide overlapping
> coverage. Sometimes the Alerts are useful, and sometimes not. For example,
> when you're doing DNS exfiltration, FireEye will alert on the weirdness of
> the DNS packets. But it has no idea who the infected endpoint is, because
> those DNS packets came from intermediary DNS servers! :)
>
> With web-based analysis systems I worry more about false positives, and of
> course, false negatives. Detecting beacons from malware but not from, say,
> DropBox is a hard problem. In theory, products like StealthWatch work, but
> in practice, that depends on the team.
>
> Likewise, there are gaps in the market itself: Who is looking at all
> outbound e-mail to find data exfiltration channels? And on the host, when
> faced with a new product, all the protection systems we've seen have not
> detected INNUENDO. Some of them detect injection, but you don't really need
> to do that. What if there is too much chaos on a big company's desktop for
> reputation-based protection systems to work?
>
> -dave
>
>
>
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
>
>
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunityinc com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave