SEC564: Red Team Exercises and Adversary Emulation

Provided by

Enquire about this course

About the course

SEC564 will provide students with the skills to plan and manage Red Team Exercises. Students will understand the tactics, techniques, and procedures (TTPs) used by the adversary to create an adversary emulation plan leveraging MITRE ATT&CK (Adversary Tactics, Techniques, and Common Knowledge). Students will emulate an adversary.

What You Will Learn
In SEC564, you will learn how to plan and execute an end-to-end adversary emulation, including how to plan and build a red team program, leverage threat intelligence to map against adversary tactic, techniques, and procedures (TTPs), emulate TTPs, report and analyze the results of red team exercises, and ultimately improve the overall security posture of the organization.

You will do all of this in a course-long exercise, in which we perform a adversary emulation against a target organization modeled on an enterprise environment. This environment includes Active Directory, email, web, and file servers, as well as endpoints running the latest operating systems. We will start by consuming cyber threat intelligence to identify and document an adversary that has the intent, opportunity, and capability to attack the target organization. You will discover the TTPs used by the adversary while creating an adversary emulation plan leveraging MITRE ATT&CK (Adversary Tactics, Techniques, and Common Knowledge).

We'll cover the planning phase of these exercises, showcasing various industry frameworks and methodologies for red teaming and adversary emulation. These frameworks are industry standards used by various regulatory bodies to ensure consistent and repeatable red team exercises.

Using strong planning and threat intelligence, students will follow the same unified kill chain as the adversaries to reach the same objective, from setting up attack infrastructure with command and control to emulating multiple TTPs mapped to MITRE ATT&CK.

The course concludes with exercise closure activities such as analyzing the response of the blue team (people and process), reporting, and remediation planning and retesting. Finally, you will learn how to show the value that red team exercises and adversary emulations bring to an organization. The main job of a red team is to make a blue team better. Offense informs defense and defense informs offense.

This Course Will Prepare You To:

  • Build a Red Team program
  • Leverage Red Team exercises and adversary emulation to obtain a holistic view of an organization's security posture
  • Measure, train, and improve people, processes, and technology for the organization

You Will Receive With This Course:

  • Two Virtual Machines:Windows 10 and SANS Slingshot C2 Matrix Edition which includes multiple Red Team tools for all exercises including Command and Control Frameworks (C2)
  • Cheat Sheets
  • Frameworks and Methodologies
  • Threat Intelligence reports for two popular threat actors/adversaries
  • Sample Adversary Emulation Plan

Additional Resources:

  • C2 Matrix
  • Red Team Development and Operations: A practical guide by Joe Vest and James Tubberville
  • Using MITRE ATT&CK for Cyber Threat Intelligence Training

Syllabus (12 CPEs)
SEC564.1: Introduction and Planning of Red Team Exercises

SEC564.2: Red Team Exercise Execution and Closure

Prerequisites
The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid foundation upon which to build Red Team concepts.

Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

Baseline Hardware Requirements

  • CPU

64-bit Intel i5/i7 2.0+ GHZ processor

  • BIOS

Enabled "Intel-VT"

  • RAM

16 GB RAM (8GB min)

  • Hard Drive Free Space

60 GB Free space

  • Operating System

Windows 10 Pro or macOS 10.12+
Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.
Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Additional Software Requirements

Google Chrome, Adobe Acrobat or Other PDF reader

  • You will need Google Chrome, Adobe Acrobat or other PDF reader.

Microsoft Office or OpenOffice

  • Install Microsoft Office (any version) with Excel or OpenOffice on your host. Note: You can download Office Trial Software online (free for 60 days). OpenOffice is a free product that can be downloaded here.

VMware Player

Install VMware Player 15, VMware Fusion 11, or VMware Workstation 15.
Older Versions will not work for this course. Choose the version compatible with your host OS. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at its website. VMware Workstation Player is a free download that does not need a commercial license but has fewer features than Workstation. THIS IS CRITICAL: Other virtualization products, such as Hyper-V and VirtualBox, are not supported and will not work with the course material.
System Configuration Settings

Local Admin

Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.
If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org.

Author Statement
"Organizations are maturing their security testing programs to include Red Team exercises and adversary emulations. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you to plan Red Team exercises, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team exercise and report and analyze the results, and improve the overall security posture of the organization." - Jorge Orchilles

Enquire

Start date Location / delivery
26 May 2021 Online Book now

Related article

At GIAC, we believe that hands-on testing is the future of cybersecurity certification. With five certification exams featuring CyberLive , and thr...