Adversary simulation, emulation or purple teaming - How would you define it?

This panel discussion from Adversary Village at DefCon USA 2021 explores the definitions, maturity requirements, business justification, and career paths for adversary simulation, emulation, and purple teaming.

Panelists

• Jean-Marie Bobon: Team leader, offensive security service, Post Luxembourg (formerly red teamer/penetration tester in France/Luxembourg)
• Joe Vest: 20 years in security/IT, last 10 years in offensive security testing, Technical Director for Cobalt Strike at Health Systems
• Vincent U: Red teamer for many years (UK → Asia), runs red team in Hong Kong, performs attack simulations
• Martin Lingus: Founder/Principal Consultant, Covert (Norway), penetration testing, red teaming, adversary simulation (5+ years)
• Samuel Kimmins: Red teamer at Cognizant, 10 years IT/security experience, US Air Force, Recon Infosec (100% adversary emulation focus)

Key Topics Discussed

Defining Adversary Simulation, Emulation, and Purple Teaming:

• Key insight from Joe: “It doesn’t really matter what you call these” - definitions come with baggage
• Better approach: Work backwards from goals, not forward from definitions
• Goal: Measuring security operations ability to impact a threat
• Emulation: Goal is to emulate TTPs, reproduce well-known campaigns
• Simulation: More dynamic - define flags/scenarios with customer, execute scenario, adapt to what you encounter
• Red Teaming: More complex - social engineering, phishing campaigns, internal tests, multiple approaches
• Purple Teaming: Hand-holding between red and blue through engagement

Maturity Requirements:

• Debated - some say need high maturity SOC, others say start early to identify gaps
• Key insight from Vincent: “Unless you start doing these assessments, how do you figure out exactly how much can you see?”
• Tabletop exercises as good starting point for low maturity organizations
• Three pillars: Prevention, Detection, Response (world focuses on prevention)
• Response often underrated - detection useless if don’t know how to respond

Getting Budget/Investment:

• Cost comparison: 10 exercises over years < one ransomware incident
• Must pull leadership into conversations to understand threat
• “We don’t have our own place to play - we’re always invited to someone else’s playground”
• Fire drill analogy: Test procedures before real incident
• Show impact: Get access to CEO inbox, call them - “If I get hacked today, someone could be blackmailing me”

Career Guidance:

• IT background helpful as foundation
• Combine red teaming skills + threat research skills
• Don’t start directly in adversary simulation - build foundation first
• MITRE ATT&CK resources - fantastic starting point
• Red teaming is subset of blue - red cannot exist without blue
• “You also have to be a threat actor to simulate threat actor”

Key Insights:

• Definitions don’t matter as much as goals - start with what you’re trying to measure
• Clients often don’t know what they want - education is key
• Maturity requirements debated - some say need high maturity, others say start early to identify gaps
• Budget justification requires threat perspective, not just technical terms
• Career paths vary - IT background helpful, threat intel important, understand both red and blue sides
• Response often underrated - detection is useless if don’t know how to respond
• Red teaming is subset of blue teaming - red cannot exist without blue

Important Concepts:

• Threat Testing: Unified category Joe suggests
• Three Pillars: Prevention, Detection, Response (world focuses on prevention)
• Tabletop Exercises: Good starting point for low maturity organizations
• Fire Drill Analogy: Test procedures before real incident
• MITRE ATT&CK: Key resource for understanding TTPs
• Cost Comparison: 10 exercises over years < one ransomware incident

Actionable Takeaways:

1. Start with goals, not definitions - what are you trying to measure?
2. Educate clients/leadership on threat perspective, not just technical terms
3. Include response phase in engagements - detection useless without response
4. Don’t wait for perfect maturity - start early to identify gaps
5. Use cost comparison (exercises vs. ransomware) for budget justification
6. For career: IT background + threat intel + understand both red and blue
7. Understand infrastructure before trying to attack it
8. Map attacks back to detection and response opportunities
9. Purple teaming can incorporate both simulation and emulation
10. Focus on impact threat’s ability to be successful, not preventing all attacks