The Roundup: Adversary Emulation

MC: Jorge Orchilles, SCYTHE
Cost: $0 (Free to Attendees)
Date: October 22, 2020
Time: Noon to 5PM EST

Adversary emulation is a type of ethical hacking engagement in which a Red Team imitates how a specific attacker operates, leveraging frameworks like MITRE ATT&CK to identify the tactics, techniques, and procedures (TTPs) that a real threat actor might use against an organization. Rather than spending effort on attacks that are unlikely to occur, these engagements draw upon Cyber Threat Intelligence to identify the adversaries with the intent, opportunity, and capability to attack the organization. Adversary emulation may proceed with the Blue Team having no knowledge of the exercise, or with full knowledge and active collaboration between the two teams (Purple Team).

Ultimately, every organization has blind spots, gaps, and weaknesses that adversary emulation can help to detect. The most prudent organizations will want to anticipate the best attacks against them. Why waste precious resources preparing otherwise?

Join Jorge Orchilles, CTO at SCYTHE and expert in adversary emulation, for this October’s Roundup event held from noon to 5PM EST on October 22, 2020.

Dan DeCloss, CEO & Founder of PlexTrac

Dan DeCloss is the Founder and CEO of PlexTrac and has over 15 years of experience in Cybersecurity. Dan started his career in the Department of Defense and then moved on to consulting where he worked for various companies including serving as a Principal Consultant for Veracode on the penetration testing team. Dan’s background is in application security and penetration testing, involving hacking networks, websites, and mobile applications for clients. He has also served as a Principal Security Engineer for the Mayo Clinic and a Sr. Security Advisor for Anthem. Prior to PlexTrac, Dan was the Director of Cybersecurity for Scentsy where he and his team built the security program out of its infancy into a best-in-class program.

Dan has a master’s degree in Computer Science from the Naval Postgraduate School with an emphasis in Information Security. Additionally, Dan holds the OSCP and CISSP certifications. Dan has a passion for helping everyone understand cybersecurity at a practical level, ensuring that there is a good understanding of how to reduce their overall risk.

Dan can be reached on LinkedIn or on Twitter @wh33lhouse.

Joff Thyer, Black Hills Information Security

Joff Thyer has been a penetration tester and security analyst with Black Hills Information Security since 2013. Prior to joining the InfoSec world, he had a long career in the IT industry as a systems administrator and an enterprise network architect. He has an Associate’s in Computer Science, a B.S. in Mathematics, and an M.S. in Computer Science, as well as several certifications (listed below). The best part of a penetration test for Joff is developing sophisticated malware that tackles defensive solutions, ultimately delivering exciting wins for company engagements. He has extensive experience covering intrusion prevention/detection systems, infrastructure defense, vulnerability analysis, defense bypass, source code analysis, and exploit research. When Joff isn’t working or co-hosting the Security Weekly podcast, he enjoys making music and woodworking.


Kent Ickler and Jordan Drysdale, Black Hills Information Security

Kent started his Information Technology career working for an Internet Service Provider supporting the Midwest’s broadband initiatives of the early 2000s. His interest in technology and business operations drove his career into working for multiple Fortune 500 companies and equipping their organizational leadership with business analytical data that would support their technology initiatives. With his continued interest in Business Operations, Kent completed his postgraduate education in Business Management. With an understanding of Information Technology, System Administration, Accounting, and Business Law, Kent has helped businesses leverage technology for competitive advantage while balancing the risks associated with today’s dynamic network environments. Kent has been with Black Hills Information Security for three years in security and administration roles.

Jordan was around for the inception of Napster and the explosion of P2P networks. This drove his fascination with network systems and led him toward a career in IT. Jordan’s first gig in the industry included supporting Latin American networking customers for Hewlett Packard’s network support division. After five years of support, engineering, training, and stress, Jordan became a wireless escalations team lead and multi-vendor certified problem solver. With kids in tow, Jordan headed back toward the Dakotas to be nearer extended family and friends where he learned Citrix, VMware, VDI, supported Cisco gear, implemented profile management solutions, deployed remote networks at scale, and ensured performance across infrastructure. Before becoming a penetration tester, Jordan supported multiple (50+) domains as part of an MSSP’s rock star team. Solutions utilized included HP Networking, FortiGate/FortiManager/FortiWeb/FortiAnalyzer et al., Cisco ASA, HP DL/GL/ML, Dell, VMware, NetApp, and the list goes on. For the last five years, Jordan has been a penetration tester with the Black Hills InfoSec team.

Forrest Carver, MITRE Corporation

Forrest Carver has been a Principal Cybersecurity Engineer with the MITRE Corporation for just over 4 years, where he leads multiple Cybersecurity efforts for the US Government. His work primarily focuses on Threat Emulation / Red Teaming, Detection Engineering, Threat Hunting, and independent Cyber Assessments, mainly within the Department of Defense (DoD). Most recently Forrest began leading the MITRE Engenuity Center for Threat-Informed Defense work developing an Adversary Emulation Plan Library to serve as a purple teaming resource for the global InfoSec community.

Forrest’s career has primarily focused on IT and Cybersecurity, with a specific emphasis on offensive and defensive cyber operations. His career spans across multiple government organizations and focus areas, including:

  • Vulnerability Assessments & Audit for a DoD Agency
  • Information Security Manager for a DoD organization
  • Manager for Cyber Operations for a DoD Combatant Command
  • Red Team Operations Manager for a DoD Cyber Red Team

Forrest received his B.S. in Telecommunications Systems Management with a concentration in Information Security from Murray State University in Kentucky, followed by a M.Eng. in Computer Engineering and Information Assurance from Iowa State University. In addition to education, Forrest has a variety of Cybersecurity-focused industry certifications.

He lives in Alabama with his wife and 3 sons. Outside of work, Forrest stays active in church and kids’ sports, and enjoys playing several instruments, hiking, kayaking, riding motorcycles, and an occasional round of paintball.


Adam Mashinchi, SCYTHE

Adam is SCYTHE’s VP of Product Management where he leads the project management, design, and quality assurance departments. Before SCYTHE, Adam defined and managed the development of enterprise security and privacy solutions with an emphasis on usable encryption at a global scale and led numerous technical integration projects with a variety of partners and services. Adam holds a Master of Science in Applied Computer Science from Southern Oregon University with a focus on computer security and encryption.

Schedule (Time / Speaker / Presentation)
12:00PM to 12:45PM ET Dan DeCloss Title: Going from 0 to 1: Getting your internal adversary emulation program up and running

Abstract: Building an adversary emulation program may seem overwhelming and even daunting if you don’t know where to begin.  This talk will focus on the crawl-walk-run scenarios for building your adversary emulation program and operationalizing your campaigns.  We’ll discuss a real-world example where we helped a blue team get started with internal adversarial emulation which showed demonstrable results.

1:00PM to 1:45PM ET Forrest Carver Title: FIN6 Emulation Plan

Abstract: The FIN6 emulation plan is the first addition to the overall Adversary Emulation Plan Library, which is designed to enable red teams and cyber defenders to systematically test their defenses based on real-world adversary Tactics, Techniques, and Procedures (TTPs). To develop and publish this plan, MITRE brought together the combined knowledge and expertise of our Center for Threat Informed Defense Participants to create a high quality, intelligence driven resource.

In addition to being the first addition to the Library, the FIN6 plan also represents our standardized methodology and format for emulation plans for the foreseeable future. Moving to this common, repeatable template ensures that this plan, and all future additions to the Library, can be easily consumed and used by the global InfoSec community to enable continuous, threat-informed purple-teaming of environments, and to use the associated findings and supporting intelligence to prioritize mitigations for identified risks.

The main components of the FIN6 emulation plan are:

  • A curated summary of available cyber threat intelligence, comprising an intelligence overview of the actor (describing who they target, how, and why where possible) as well as the scope of their activity (i.e. breadth of techniques and malware used). The FIN6 Intelligence Summary outlines 15 publicly available sources to describe FIN6, their motivations, objectives, and observed target industries.
  • An operations flow that provides a high-level summary of the captured scenario(s). These scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches then works towards achieving their operational objectives within a victim environment (espionage, data/system destruction, etc.). The FIN6 Operations Flow chains techniques together into a logical flow of the major steps that commonly occur across FIN6 operations.
  • A detailed adversary emulation plan based on the Intelligence Summary and the Operations Flow. The Emulation Plan is a human-readable, step-by-step / command-by-command implementation of the adversary’s TTPs organized into phases defined in the Operations Flow. The Emulation Plan includes an overview of each phase, an administrative section describing pre-requisites (toolsets required, supporting infrastructure, etc), and the Emulation Plan itself.
  • A YAML representation, providing a machine-readable version of the overall plan that mirrors the human-readable plan. The FIN6 YAML file includes all steps, commands, and syntax for both Phase 1 and Phase 2. This standardized YAML representation should allow for broad ingest by Breach and Attack Simulation toolsets, ultimately enabling automation that maintains threat-informed credibility.

This talk will walk through the methodology to develop and create the emulation plan using a solid foundation of relevant cyber threat intelligence, overview the main components of the plan, discuss use cases for implementation, and discuss the long-term goal of a standardized Library and potential automation possibilities.
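The last component above, a machine-readable plan that Breach and Attack Simulation tooling can ingest, is the part a practitioner can prototype against today. The example below is added here and is not MITRE’s or the Center for Threat-Informed Defense’s code; the plan schema it uses (adversary / phases / prerequisites / steps) and the sample steps are assumptions made for illustration and are not the FIN6 YAML format or FIN6’s actual TTPs. It embeds a constructed plan as JSON (which is valid YAML, so PyYAML’s yaml.safe_load would accept the same text), validates that every step carries a well-formed ATT&CK technique ID and a command, extracts the technique set for comparison against detection coverage, and produces a dry-run timeline that stops at the first phase whose prerequisite tooling has not been staged, mirroring the sequential operations flow described above.

```python
"""Validate and dry-run a machine-readable adversary emulation plan.

Added example. The schema (adversary / phases / prerequisites / steps) is an
assumption for illustration, not the CTID FIN6 YAML format. JSON is valid YAML,
so the embedded text could equally be parsed with yaml.safe_load() from PyYAML.
"""
import json
import re
from typing import Dict, List, Set, Tuple

# ATT&CK technique (T1234) or sub-technique (T1234.001) identifier.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed sample plan: illustrative steps, not any real actor's TTPs.
SAMPLE_PLAN_TEXT = r"""
{
  "adversary": "sample-actor",
  "phases": [
    {"name": "Phase 1 - Initial access and discovery",
     "prerequisites": {"tools": ["adfind", "c2-agent"]},
     "steps": [
       {"id": 1, "technique": "T1087.002", "platform": "windows",
        "description": "Enumerate domain accounts",
        "command": "adfind.exe -f (objectcategory=person) -dn"},
       {"id": 2, "technique": "T1018", "platform": "windows",
        "description": "Enumerate remote systems",
        "command": "net view /domain"}]},
    {"name": "Phase 2 - Staging and exfiltration",
     "prerequisites": {"tools": ["c2-agent", "7zip"]},
     "steps": [
       {"id": 3, "technique": "T1560.001", "platform": "windows",
        "description": "Archive staged data",
        "command": "7z.exe a -t7z staged.7z C:\\staging"},
       {"id": 4, "technique": "T1041", "platform": "windows",
        "description": "Exfiltrate the archive over the C2 channel",
        "command": "c2-agent upload staged.7z"}]}
  ]
}
"""


def load_plan(text: str) -> dict:
    """Parse the plan document (JSON here; a YAML loader works on the same text)."""
    return json.loads(text)


def validate_plan(plan: dict) -> List[str]:
    """Return human-readable problems; an empty list means the plan is well-formed."""
    problems: List[str] = []
    seen_ids: Set[int] = set()
    for phase in plan.get("phases", []):
        for step in phase.get("steps", []):
            sid = step.get("id")
            if sid in seen_ids:
                problems.append(f"duplicate step id {sid}")
            seen_ids.add(sid)
            tid = step.get("technique", "")
            if not TECHNIQUE_ID.match(tid):
                problems.append(f"step {sid}: bad technique id {tid!r}")
            if not step.get("command"):
                problems.append(f"step {sid}: missing command")
    return problems


def technique_coverage(plan: dict) -> Set[str]:
    """Technique IDs the plan exercises; diff these against detection coverage."""
    return {s["technique"] for p in plan["phases"] for s in p["steps"]}


def missing_tools(plan: dict, available: Set[str]) -> Dict[str, List[str]]:
    """Map phase name -> required tools the operator has not staged."""
    gaps: Dict[str, List[str]] = {}
    for phase in plan["phases"]:
        need = sorted(set(phase.get("prerequisites", {}).get("tools", [])) - available)
        if need:
            gaps[phase["name"]] = need
    return gaps


def dry_run(plan: dict, available: Set[str]) -> List[Tuple[str, int, str, str]]:
    """Ordered (phase, step id, technique, command) rows that could be executed.

    The operations flow is sequential, so execution stops at the first phase
    whose prerequisites are unmet instead of skipping ahead to later phases.
    """
    gaps = missing_tools(plan, available)
    timeline: List[Tuple[str, int, str, str]] = []
    for phase in plan["phases"]:
        if phase["name"] in gaps:
            break
        for step in phase["steps"]:
            timeline.append((phase["name"], step["id"], step["technique"], step["command"]))
    return timeline


if __name__ == "__main__":
    plan = load_plan(SAMPLE_PLAN_TEXT)
    print("problems:", validate_plan(plan))
    for row in dry_run(plan, {"adfind", "c2-agent"}):
        print(row)
```

Run with only Phase 1 tooling staged and the timeline contains two rows; stage 7zip as well and all four steps are emitted. The validation step is where a real BAS integration earns its keep: a plan with a malformed technique ID cannot be mapped back to ATT&CK, which silently breaks the threat-informed coverage reporting that is the whole point of the Library.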

2:00PM to 2:45PM ET Joff Thyer Title: Attacker Emulation in the Age of Endpoint Detection And Response

Abstract: Red Teaming, Purple Teaming, and Assumed Compromise cooperative security engagements have changed.  As little as 6 years ago it would be unusual to think beyond commodity malware frameworks such as Metasploit, and PowerShell Empire with near default payloads and still be able to perform attacker emulation activities.  In modern networks we have deployments of advanced Endpoint Detection and Response software, Application whitelisting, User Behavior Analytics, and other artificially intelligent software designed to scale the efforts of defenders and give real indications of compromise for malware across the board which includes commodity command channel operations.

As security professionals we should applaud these efforts.  We have succeeded in raising the awareness of malfeasance to a point whereby there are realistic defenses to not necessarily destroy malware execution upon initial encounter, but to effectively reduce and even eliminate the dwell time of an attacker-established command channel.  It’s a given that the stakes are higher than ever.

This talk will address techniques to establish the initial foothold and still be able to proceed with attacker emulation techniques in a modern well instrumented environment.

3:00PM to 3:45PM ET Adam Mashinchi Title: You’re* Adversary Within – The Golden Age of Insider Threats

Abstract: Coming Soon

4:00PM to 4:45PM ET Kent Ickler and Jordan Drysdale Title: Unicorn Evangelism: The Case for Purple Teaming

Abstract: Kent and Jordan will discuss the case for better enterprise security through purple teams. By improving business relationships and communications, we all end up with better security outcomes. Wait, how? When we bring together executives, IT operations, HR, and marketing, we can produce outcomes that impact all business operations. Acknowledging first that the purple team is composed of all job roles will help drive the success of infrastructure change that will result in better security outcomes. Note also that this talk is being used as a case for better business outcomes as well as better IT security. However, better business outcomes can best be achieved through the balancing act of risk and reward consumption.