Lab Guide
Foundations of Breach & Attack Simulation
Revision 2020.11.02
Table of Contents
Foundations of Breach & Attack Simulation Lab Guide 3
Exercise 1: Continuous Security Validation 4
Exercise 2: Continuous Security Validation - Reviewing The Data 8
Exercise 3: FIN6 Emulation 11
Exercise 4: MITRE ATT&CK Mapping 15
Exercise 5: Reporting 18
Foundations of Breach & Attack Simulation
Lab Guide
This lab guide is meant to be used in conjunction with the Foundations of Breach &
Attack Simulation course. With these labs, we hope to provide you with some
hands-on, practical experience with BAS tools. Please note that every task you
perform within the BAS tool could also be carried out manually. Since the goal of
this course is to familiarize you with putting that approach into action, we have
decided to use the AttackIQ platform to assist in running these labs.
Exercise 1: Continuous Security Validation
1. Click on the CREATE NEW ASSESSMENT button.
2. Click CHOOSE TEMPLATE.
3. On the Assessment Templates page, click the dropdown under Select
template type, and choose Security Controls.
4. Find the Content Filtering assessment template on the page, and click it.
5. Click Create New.
6. Add both assets to the Assessment.
a. Click the Manage Assets button.
b. Click the checkboxes of BOTH assets listed.
c. Click Apply.
7. Under the assets, where it lists the tests configured, click on the three dots
under the ACTION column for the test name Social Media sites.
8. Click Manage Scenarios.
9. Under the details column, click on the icon to see the details for Test Web
access to Social Media site Facebook.
10. On the resulting scenario details page for Test Web Access to Social Media
Site Facebook, read and make a note of the scenario description.
11. Click on the heading for Scenario Configuration to expand the configuration
details.
12. Review the configuration settings and make note of the Headers sent during
the test. Also, make a note of the method being used.
13. Return to the assessment page and click Done to close the scenario listing for
the Social Media sites test.
14. Click the Continue button in the bottom right-hand corner of the page.
15. Click the Run Now button.
You have completed Lab Exercise 1. Please return to the
course videos for more information on the next lab.
Exercise 2: Continuous Security Validation -
Reviewing The Data
With the testing from Exercise 1 completed, we can begin to explore the results of
the emulation.
1. Note the results in the top three panels for Overall Combined, Overall
Prevention, and Overall Detection scores.
2. In the Overall Detection score panel, expand Security Controls to see
detection rates for security controls involved in testing.
3. Under the Results menu item, click on Summary.
4. Scroll down the results page until you find the Scenario results for Test Web
access to Social Media site Facebook.
5. Click on the entry for Test Web access to Social Media site Facebook.
6. If you’ve forgotten what this scenario is trying to accomplish, click the ?
icon next to the scenario title.
7. Expand the Activity Details and make note of the response code received vs.
the response code anticipated.
8. Expand the INDICATORS OF COMPROMISE (IOCS) DETAILS.
a. Make a note of the following information:
i. Destination
ii. HTTP Method
iii. Protocols
iv. Request Path
v. Source Port
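To make the scoring behind Exercises 1 and 2 concrete, here is an added example (not code from the lab guide or the AttackIQ platform) that models a content-filtering scenario like Test Web access to Social Media site Facebook: it records the IoC fields listed above, compares the response code received with the one anticipated, and derives an Overall Prevention score. The web gateway is a constructed stand-in so the example runs offline, and the rule that any code other than the anticipated success code counts as "prevented" is an assumption.

```python
# Added example: offline model of a content-filtering validation scenario and
# of how an Overall Prevention score is derived. Not AttackIQ code.
from dataclasses import dataclass, field
from urllib.parse import urlsplit

@dataclass
class Scenario:
    name: str
    url: str                       # destination host plus request path
    method: str = "GET"
    headers: dict = field(default_factory=dict)
    anticipated_code: int = 200    # assumed: code an unfiltered request gets

def simulated_proxy(method, url, headers):
    """Constructed web gateway: returns 403 for social media hosts, else 200."""
    host = urlsplit(url).hostname or ""
    blocked = ("facebook.com", "twitter.com")
    if any(host == b or host.endswith("." + b) for b in blocked):
        return 403
    return 200

def run_scenario(scn, send=simulated_proxy):
    """Run one scenario and record the fields the IoC details panel lists."""
    received = send(scn.method, scn.url, scn.headers)
    parts = urlsplit(scn.url)
    return {
        "scenario": scn.name,
        "received": received,
        "anticipated": scn.anticipated_code,
        # assumed scoring: anything but the anticipated success code = prevented
        "prevented": received != scn.anticipated_code,
        "ioc": {"destination": parts.hostname, "http_method": scn.method,
                "protocol": parts.scheme, "request_path": parts.path or "/"},
    }

def prevention_score(results):
    """Overall Prevention as the percentage of scenarios that were prevented."""
    if not results:
        return 0.0
    return 100.0 * sum(r["prevented"] for r in results) / len(results)

# Constructed scenarios: one social media site and one non-social control site.
SCENARIOS = [
    Scenario("Facebook", "https://www.facebook.com/", headers={"User-Agent": "bas-lab"}),
    Scenario("Control site", "https://www.example.org/status"),
]

def run_all():
    """Run every scenario against the simulated gateway."""
    return [run_scenario(s) for s in SCENARIOS]
```

Swapping `simulated_proxy` for a function that sends the real request turns this into a repeatable check of your own web filter.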
You have completed Lab Exercise 2. Please return to the
course videos for more information on the next lab.
Exercise 3: FIN6 Emulation
1. Click on the three horizontal lines in the top left-hand corner of the screen to
open the main menu.
2. Click on ASSESSMENT in the main menu.
3. Click on the CREATE NEW ASSESSMENT button.
4. Click CHOOSE TEMPLATE.
5. On the Assessment Templates page, click the dropdown under Select
template type, and choose Operationalized Threat Analysis.
6. Find the FIN6 assessment template on the page, and click it.
7. Click Create New.
8. Add both assets to the Assessment.
a. Click the Manage Assets button.
b. Click the checkboxes of BOTH assets listed.
c. Click Apply.
9. Under the assets, where it lists the tests configured, click on the three dots
under the ACTION column for the test name Lateral Movement.
10. Click DELETE TEST.
11. Click OK.
12. Click the Continue button in the bottom right-hand corner of the page.
13. Click the Run Now button.
You have completed Lab Exercise 3. Please return
to the course videos for more information on the
next lab.
Exercise 4: MITRE ATT&CK Mapping
1. In the left-hand menu, under Results, click on MITRE ATT&CK.
2. Review the results for Prevention.
3. Click on the Detection radio button to toggle the view to detection results.
4. Click the Combined radio button to toggle the view to combined detection
and prevention results.
5. Click on the Discover tactic column heading.
6. On the Results page you will see a listing of results that have been filtered to
display scenarios from the FIN6 assessment that fall under the ATT&CK tactic
of Discovery.
7. Click on the line item for Get Hardware Model Using WMI (either one is
okay).
8. Click the ? icon next to the scenario title and read the scenario description to
get a better understanding of what this scenario is trying to accomplish.
9. Make a note of the WMI command used to obtain the hardware model; you
will need this information for your final exam.
10. Review the Activity Details to see the output or error code for the scenario.
11. Review the Indicators of Compromise (IOCs) Details.
You have completed Lab Exercise 4. Please return to the
course videos for more information on the next lab.
Exercise 5: Reporting
1. Click on FIN6 (Results) in the breadcrumb navigation at the top of the page.
2. Click on Reports in the left-hand menu.
3. Click the ADD Report button.
4. Give your report a name, select MITRE ATT&CK Report as the report type, and
choose the assessment you ran in previous exercises.
5. Click SAVE CHANGES.
6. Click on the three vertical dots at the end of the row for the report you just
created.
7. Click VIEW.
8. Review the report to get a better understanding of how the lab environment
responded to different MITRE ATT&CK techniques.