Red Team Exercises & Adversary Emulation Course

What You Will Learn

In SEC564, you will learn how to plan and execute an end-to-end adversary emulation, including how to plan and build a red team program, leverage threat intelligence to map against adversary tactic, techniques, and procedures (TTPs), emulate those TTPs, report and analyze the results of red team exercises, and ultimately improve the overall security posture of the organization.

You will do all of this in a course-long exercise, in which we perform an adversary emulation against a target organization modeled on an enterprise environment. This environment includes Active Directory, email, web, and file servers, as well as endpoints running the latest operating systems. We will start by consuming cyber threat intelligence to identify and document an adversary that has the intent, opportunity, and capability to attack the target organization. You will discover the TTPs used by the adversary while creating an adversary emulation plan leveraging MITRE ATT&CK (Adversary Tactics, Techniques, and Common Knowledge).

We'll cover the planning phase of these exercises, showcasing various industry frameworks and methodologies for red teaming and adversary emulation. These frameworks are industry standards used by various regulatory bodies to ensure consistent and repeatable red team exercises.

Using strong planning and threat intelligence, students will follow the same unified kill chain as the adversaries to reach the same objective, from setting up attack infrastructure with command and control to emulating multiple TTPs mapped to MITRE ATT&CK.

The course concludes with exercise closure activities such as analyzing the response of the blue team (people and process), reporting, and remediation planning and retesting. Finally, you will learn how to show the value that red team exercises and adversary emulations bring to an organization. The main job of a red team is to make a blue team better. Offense informs defense and defense informs offense.

Syllabus (12 CPEs)

Download PDF

Overview
Day 1 begins by introducing Red Team exercises and adversary emulations, showing how they differ from other security testing types such as vulnerability assessments, penetration tests, and purple teaming. Following the hybrid approach of the course, you will be introduced to a number of industry frameworks (including the Cyber Kill Chain, Unified Kill Chain, and MITRE ATT&CK) for Red Team exercises and adversary emulations. Threat Intelligence is critical to performing Red Team exercises and will be covered early in the course. A red teamer needs to know how to obtain and consume threat intelligence in order to successfully emulate an adversary. Red Team exercises require substantial planning, and you will learn what triggers an exercise and how to define objectives and scope, set up attack infrastructure, understand roles and responsibilities (including those of the Trusted Agents, be they White Team or Cell), and establish the rules of engagement. With a strong plan in place, the exercise execution phase begins. You will learn how to perform the steps to emulate an adversary and carry out a high-value Red Team exercise. We will cover reconnaissance, social engineering, weaponization, and delivery. Day 1 concludes with a lab testing your payload and attack infrastructure.
Exercises
- Consuming Threat Intelligence
- Attack Infrastructure
- Recon and Social Engineering
- C2 and Weaponization
Topics
- About the Course
- Defining Terms
- Motivation and Introduction
- Frameworks and Methodologies
- Threat Intelligence
- Planning
- Red Team Exercise Execution
Overview
Day 2 continues with executing a Red Team exercise and wraps up with closure activities. The day is filled with exercises that walk students through the course-long Adversary Emulation Red Team Exercise. Multiple Red Team exercise phases are explored that use realistic TTPs to ultimately meet the emulated adversary objective. During the exercises, you gain initial access, perform discovery of the target network from patient zero, attempt privilege escalation, create advanced command-and-control channels, and establish persistence. These exercises reinforce the lecture portion of the course. You will learn various methods covering defensive evasion and execution, access to credentials, and lateral movement and pivoting techniques. You'll then use those skills in exercises to obtain the emulated adversary's objective. Lastly, you will complete the exercise by performing various closure activities.
Exercises
- Discovery, Privilege Escalation, and Persistence
- Defense Evasion, Credential Access, and Pivoting
- Action on Objectives
- Exercise Closure
Topics
- Red Team Exercise Execution
- Exercise Closure

Prerequisites

The concepts and exercises in this course are built on the fundamentals of offensive security. An understanding of general penetration testing concepts and tools is encouraged, and a background in security fundamentals will provide a solid foundation upon which to build Red Team concepts.

Many of the Red Team concepts taught in this course are suitable for anyone in the security community. Both technical staff as well as management personnel will be able to gain a deeper understanding of Red Team exercises and adversary emulations.

Laptop Requirements

Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

It is critical that you back-up your system before class. it is also strongly advised that you do not bring a system storing any sensitive data.

Baseline Hardware Requirements

CPU
- 64-bit Intel i5/i7 2.0+ GHZ processor
BIOS
- Enabled "Intel-VT"
USB
- USB3.0 Type-A port
RAM
- 16 GB RAM (8GB min)
Hard Drive Free Space
- 60 GB Free space
Operating System
- Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below.

Additional Hardware Requirements

The requirements below are in addition to baseline requirements provided above. Prior to the start of class, you must install virtualization software and meet additional hardware and software requirements as described below. If you do not carefully read and follow these instructions, you will leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course.

Network, Wireless Connection

A wireless 802.11 B, G, N, or AC network adapter is required. This can be the internal wireless adapter in your system and/or an external USB wireless adapter. A wireless adapter allows you to connect to the network without any cables. If you can surf the Internet on your system without plugging in a network cable, you have wireless.

Additional Software Requirements

Google Chrome, Adobe Acrobat or Other PDF reader

You will need Google Chrome, Adobe Acrobat or other PDF reader.

Microsoft Office or OpenOffice

Install Microsoft Office (any version) with Excel or OpenOffice on your host. Note: You can download Office Trial Software online (free for 60 days). OpenOffice is a free product that can be downloaded here.

VMware Player

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website.

Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they're enabled on your system, by following instructions in this document.

System Configuration Settings

Local Admin

Some of the tools used in the course will require local admin access. This is absolutely required. If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different system.

Your course media will now be delivered via download. The media files for class can be large, some in the 40 - 50 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful by keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement

"Organizations are maturing their security testing programs to include Red Team exercises and adversary emulations. These exercises provide a holistic view of an organization's security posture by emulating a realistic adversary to test security assumptions, measure the effectiveness of people, processes, and technology, and improve detection and prevention controls. This course will teach you to plan Red Team exercises, leverage threat intelligence to map against adversary tactics, techniques, and procedures, build a Red Team program and plan, execute a Red Team exercise and report and analyze the results, and improve the overall security posture of the organization."

- Jorge Orchilles

Ways to Learn

OnDemand

Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

Live Online

Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

In Person (2 days)

Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC564?

Security professionals interested in expanding their knowledge of Red Team exercises in order to understand how they are different from other types of security testing
Penetration testers and Red Team members looking to better understand their craft
Blue Team members, defenders, and forensic specialists looking to better understand how Red Team exercises can improve their ability to defend by better understanding offensive methodologies, tools, tactics, techniques, and procedures
Auditors who need to build deeper technical skills and/or meet regulatory requirements
Information security managers who need to incorporate or participate in high-value Red Team exercises

See prerequisites

SEC564: Red Team Exercises and Adversary Emulation

Course Authors:

Jorge Orchilles