Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Becoming a Dark Knight: Adversary Emulation Demonstration for ATT&CK Evaluations

Kate Esprit & Cat Self

Batman once said, “you either die a hero or live long enough to see yourself become the villain.” What if there was a way to become a cyber villain for the greater good? For the last 5 years, the MITRE ATT&CK Evaluations team has been improving the industry by “becoming the villain.” We study some of the world’s most advanced threat actors, develop a scenario, build malware and tools, then execute the operations against major EDR vendors. And the best part? Not only do we get the business justification of becoming a villain to advance defenders, but our code is also open-sourced.

Using a Latin American APT as our real-world villain, this talk will showcase how to merge CTI and red development capabilities for adversary emulation.

First, our cyber threat intelligence team (CTI) demonstrates how to evaluate reports with the sufficient technical data needed to emulate the adversary’s usage of particular techniques. We will build a scenario, create CTI diagrams based on our analysis, address gaps in data, and create alternative attack methods for the red team.

Next, the red team enters the scene to collaborate with the CTI team. They begin building malware, tools, and infrastructure. Translating approved open-source CTI reporting into code, we will walk through process injection, persistence, hands-on-keyboard discovery, and lateral movement for the emulation. Finally, it is time to launch the attack and see how our defenders respond, discern where to search for clues, and help them uncover our plot.

To coincide with this presentation, our code, research, and emulation plans will be publicly released. We hope this empowers the community to use our “become the villain” methodology to improve defenses. Helping defenders discern where to look for our footprints is how we justify our villainous acts.



Kate Esprit is a Senior Cyber Threat Intelligence Analyst at MITRE and is the author of the Phishing for Answers cybersecurity blog. With over 7 years of experience in information security, Kate’s career highlights include: combatting misinformation at Facebook/Meta, dispatching aircrafts for emergency evacuations during Hurricane Maria, and working for Amnesty International in Argentina. She specializes in Latin American affairs and speaks Spanish and Portuguese. Outside of work, Kate is usually practicing her salsa dancing moves or baking delicious treats.

Cat Self is an Adversary Emulation Engineer for MITRE ATT&CK® Evaluations, macOS/Linux Lead for ATT&CK® and serves as a leader of people at MITRE. Cat started her cyber security career at Target and has worked as a developer, internal red team engineer, and threat hunter. Cat is a former military intelligence veteran and pays it forward through mentorship, blogging, and public speaking. Outside of work, she is often planning an epic adventure, climbing mountains in foreign lands, or learning Chinese.

More Upcoming Events

No hay próximos eventos en este momento.