Threat Emulation – Tune Tune Tune

Today’s compliance environment requires more and more monitoring to be put in place, which is awesome! More logs, more samples, more alerts! However, just implementing and monitoring a SIEM or other log/alerting solution is not really going to ensure you’re seeing what you need to so.

Instead you might want to consider a bit of threat emulation (red team in miniature, if you will). My team has devoted many afternoons to simply acting as the adversary, versus just responding to the normal alert and health events we see so often. This has the side benefit of breaking the monotony of being a security analyst as well, and gives the analyst a chance to discover other career and learning possibilities.

Well how do I get started?

To get started, don’t over think this. If you think you immediately need to start deploying a red infrastructure that include test automation, Chaos Monkey, and other intense projects; you’re wrong. SMB’s simply don’t have the kind of firepower or time on their hands. Instead let’s think about what you are trying to test to being with.

Take a look at your IDS rules. Would you discover if someone in your VDI environment kicked off an nmap scan? Of course your IDS has rules in there to detect scans, but what happens if it’s a scan that’s only looking for open SMB shares? Have you ever tested it?

So an easy first step is to go create a ‘test’ box in your VDI environment, make sure it’s identical to your other VDI’s (has the same GPO’s, AV, HIDS, etc), and launch a scan. Did you catch it? Did it get blocked? Did you get an alert? Did you even see it in the network logs?

If your answer is no you had no idea that it happened. Well you need to tune your controls some. You might need to make sure you interfaces are set up correctly, or maybe just need to tune your IDS rules. If you did have logs of the scanning happening, but no alerting, congrats! That’s an easy fix.

Is that it?

Negative. The next step is to upgrade the emulation activity and set it up as a form of a repeatable procedure. You’re going to want to have documentation that lays out what your analyst should be looking for, how they initially set up their infrastructure, and what they should be doing.

Next, you probably don’t want to just do a 10 minute test like the one above. You’re going to want to do one that actually puts some pressure on your logs to discover on going threats that are in the wild.

The easiest way I have discovered to do this (especially if you don’t have penetration testers or red teamers at your disposal) is to consult MITRE and RedCanary.

Both resources provide excellent information on how to deploy tests that match up with particular adversaries or common attack patterns. The Red Canary Github actually breaks down their tests by using Powershell, CMD, or Bash. This is a huge help to analysts that are just trying to make sure that they will get the alerts that they expect.


Your analysts need a break from their daily digging; while they may not be ready to be penetration testers, threat emulation like this gives them capability to explore new avenues and develop their skills.