Skip to content

Adversary Emulation for Business Cybersecurity

Andrew Costis talks about adversary emulation and why businesses should do it.

Security risks are constantly changing. Projects start and end, employees leave and are hired, new tools replace old tools, and configurations get adjusted. Many companies run penetration testing (pen testing) scenarios on a regular basis. But with today’s fast-paced changes, even frequent pen testing may not be able to keep up with all the new threats. Which means that to fully secure your company, you may need to upgrade your pen testing to the next level and consider a technique known as adversary emulation.


See Threat Emulation with Andrew Costis for a complete transcript of the Easy Prey podcast episode.

Andrew Costis has over twenty-two years of cybersecurity and IT experience. He is currently a Chapter Lead of an adversary research team at AttackIQ, a cybersecurity readiness company that helps businesses find out if they’re ready for future attacks. His work involves a lot of security research, reverse-engineering malware, and discovering new threats. Previously, he did similar work at VMware Carbon Black and LogRhythm.

Like many cybersecurity experts, Andrew started in IT, mostly doing field engineering and working with hardware. He was completely self-taught, but he picked up some certifications along the way and worked his way up to systems administrator and network administrator roles. Through this, he became interested in security. Eventually, a security position opened up at the company he was with, and he moved into the new niche. Now he spends his time focused on malware analysis and the newest cyber threats.

Cybersecurity Before Adversary Emulation

Historically, many companies have paid for pen testing, typically by external teams, and usually between one and five times a year. The pen testing team would receive a specific target, rules of engagement, and a scope of what they can and can’t do. They would then take about five days to attack the target like a cyber criminal would. After the test is over, the team would then explain to the company where they got in, what they could access, and what security things the company needs to fix.

Pen testing was the gold standard of cybersecurity for a long time. But eventually, adversary emulation, sometimes called threat emulation, came around. Adversary emulation is a systemic, iterative, and repeatable approach. Businesses can use it to test their cybersecurity comprehensively and constantly. And it uses real-world cybercriminal behavior. With all the data you get from adversary emulation, you can build a blueprint of how your security is performing and where your weaknesses are. Then you can take steps to start shoring up those weak areas.

Adversary emulation gives visibility into your security and helps your business protect what matters.

AttackIQ is in the business of testing and enabling customers to test. They preach the “assume breach” mindset and that every day is a zero day. Just about every week, there’s a new critical vulnerability or exposure. And those critical events need to be dealt with urgently. Zero days and critical days aren’t going away. But the good news is that attackers are lazy – they don’t want to spend the time building a new way of attacking when there are pre-made options already. Adversary emulation lets you put up defenses against those pre-made attacks and protect your company.

Every day is a zero day, and there is no getting away from that.

Andrew Costis

Common Vulnerabilities and Exposures

Common Vulnerabilities and Exposures (CVEs) are common ways criminals get into company systems in the first place. These especially target web-connected devices. And they have a scale of severity, from very high to really low. Some CVEs can lead to things like running malicious code on the device, escalating local privileges, or executing man-in-the-middle attacks or side channel attacks.

When someone tells a company about a CVE, there’s a very small window for the company to patch it before cybercriminals start to exploit it. CVEs are often reported by researchers, who notify both the company and the official channels. At that point, the vendor has to provide a response to that researcher, as well as to their customer base. But response times vary between companies.

Earlier this year, there were a bunch of critical CVEs affecting common security controls and gateway devices. Attackers were trying to leverage those as an access point. Recently, Microsoft clamped down on malicious email attachments, and that was a major vector for their access, sso they’ve had to get creative. The ways of “opening the door” and getting inside vary. But once they’re inside, all criminals follow a similar playbook.

Every single day, a new CVE, a new vulnerability, a new exploit will always be found.

Andrew Costis

What Criminals Target

The kind of things they go after once they’re in can vary. Andrew has seen it time and time again with ransomware. They get an initial foothold in a network, then they do discovery to see what’s available to steal. Once they uncover assets, they typically compress them and send them out of the network to the criminal’s devices. It’s not just about the ransom payments – it’s also about other information they can steal and sell.

Once they have access, the intent is often just to try and get their hands on as much sensitive information as possible, because everything has resale value.

Andrew Costis

With ransomware in particular, often the ransom is not their priority. Their priority is to get in quick and steal information quick. Criminals are generally lazy – they want a quick payout for as little effort as possible. Once they’re in and have taken what they wanted, they throw up some ransomware to encrypt important files and systems. They hope to pressure you to pay the ransom so they can get even more money for very little work.

How Adversary Emulation Works

Andrew’s approach to adversary emulation is to throw everything they have at production networks and all assets to get results. This is because there’s a lot of misconceptions behind adversary emulation. A lot of people are still in the mindset of vulnerability scanning – pick a somewhat narrow range of things to target, let the test or scan run, and then get the results.

The benefit of adversary emulation is that it’s not necessarily one-size-fits-all. AttackIQ’s library has over 5,000 unique scenarios. An important key is that once you see the results from a test, from an audit perspective, you can’t un-see it. AttackIQ recommends to start small to avoid overwhelming your company with a huge number of things that need fixed.

Adversary emulation isn’t just about using a piece of software or locking a few back doors. It’s about building a security program and repeatable process that relies on communication and collaboration across all teams and all levels. That’s why they recommend starting small. Test just a few techniques, get into the mindset, and then scale up. This is also helpful with what Andrew calls “indirect findings.” Maybe your company’s cybersecurity defenses picked up the attack right away, but your Security Operations Center didn’t know about it until the next day. That kind of data can be just as useful in improving your cybersecurity defense as knowing the attack couldn’t exfiltrate data to a cloud instance.

Adversary emulation lets you see what would happen in a real attack without going through a real attack.

No Company is Perfectly Secure

Andrew has done work for clients where adversary emulation was able to get into everything with little effort. It’s a sad truth, but it happens. But on the flip side, there are companies out there that have a lot of security tools and put effort in, but still have gaping holes. A common misconception is that the more tools you use, the better. When adversary emulation comes in and reveals gaping holes, it can be eye-opening for customers.

No organization is perfect, and no organization is going to be bulletproof 365 days of the year.

Andrew Costis

Andrew loves hearing success stories from customers. Like everything about new security products, people tend to be skeptical of adversary emulation and wonder if it’s worth the investment. But every single time he runs an adversary emulation for a customer, it comes up with dozens of gaping holes in security. Even companies out there doing an exceptional job still have weak points. It’s rewarding for him to see the light bulb go off when customers realize this type of test has value.

Good Cybersecurity Today Doesn’t Equal Good Cybersecurity Tomorrow

One of the biggest challenges in cybersecurity is that just because you get it right today doesn’t mean it will still be right tomorrow. Things are changing all the time, from projects to configurations to staff to available tools. Security has to e dynamic. Even if you have an internal red team and do regular engagements, it won’t be able to cover your entire organization and keep up with all the changes. The same is true with a pen test. You can throw all the money in the world at it but it probably won’t be enough.

The power of adversary emulation is that it can test constantly, every day and all year. This gives great visibility when things regress. Andrew doesn’t talk about regression initially. Companies are often so horrified at the initial report that it can take a while to absorb the shock. Once they’re ready, he’ll bring up the idea of regression. Regression is when a change or update makes security worse. You close a port on a firewall to enable a secure configuration, and then a new patch comes out. If that secure configuration regresses, would anyone know? Who’s monitoring it and when? People aren’t thinking about the need to re-test and confirm things are still secure after patches and updates. But if you don’t do that, you could be leaving your company vulnerable through someething you thought was secure.

Prioritize What Matters for Your Company

One of the things Andrew and his team do is after an adversary emulation, they help the company sort through their findings and prioritize what to focus on. The key is that they prioritize based on what the company considers a priority. One company may be more focused on endpoint security than their server environment; another may not have many on-premise assets or endpoint devices, but needs to prioritize securing their cloud assets.

It can vary, and it comes down to the industry or vertical you’re operating in. Ransomware has been a major topic for years now, and some organizations are more curious than others about particular actors or groups because they’re operating in different industries. There are a lot of variables and no straightforward answers.

Learn More About Adversary Emulation

A great resource for learning more about adversary emulation and cybersecurity in general is AttackIQ Academy. It’s free, widely available, and open to everyone. You just need to create an account, and you’ll get access to a ton of free training videos, courses, and webinars. And it’s not just attack simulations and threat-informed defense. It also covers many other topics, like AI, and provides expert speakers to give general perspectives.

MITRE is another company with great free tools. MITRE ATT&CK Navigator is a great option to overlay techniques, mitigations, and detections over a heat map and build custom heat maps. ATT&CK Workbench tool also allows you to annotate the ATT&CK framework, as well as allows you to collaborate with colleagues and peers.

Atomic Red Team is another great free resource. It’s been around a long time and is highly regarded. Vector.io is a free platform as well that helps in organizing assessments and starting a collaboration process.

Learn more about AttackIQ on their website, attackiq.com. You can also connect with Andrew Costis personally on LinkedIn.

Related Articles

All
  • All
  • Easy Prey Podcast
  • General Topics
  • Home Computing
  • IP Addresses
  • Networking Basics: Learn How Networks Work
  • Online Privacy
  • Online Safety
Bruce Schneier talks about tech and AI regulation and why it's so important.

AI Regulation and Why We Need Laws About Tech

Very few people are ready and willing to say that what we need is more regulation. But…

[Read More]
Fastest VPNs of 2024

Top 10 Fastest VPNs of 2024: A Complete Guide

When it comes to choosing a VPN, speed is often a top priority for users – and…

[Read More]
Anonymously Stream Content with your Fire Stick

How to Safely and Anonymously Stream Content Using the Best VPNs for a Fire Stick

Imagine traveling back to the 1990s and explaining streaming services to someone. “Streaming is like cable, but…

[Read More]
Best VPN Trials for 2024

Choosing from the Best VPN Trials of 2024: Which One is Best?

Whether you are shopping for a VPN for the first time or you are ready to make…

[Read More]
Types of AI Models

Guide to Types of AI Models and How They Work

When you think of AI (Artificial Intelligence) models, you may automatically think of generative AI like OpenAI’s…

[Read More]
Andrew Costis talks about adversary emulation and why businesses should do it.

Adversary Emulation for Business Cybersecurity

Security risks are constantly changing. Projects start and end, employees leave and are hired, new tools replace…

[Read More]