Chapter 12. Executing Adversary Tradecraft

This chapter serves as a detailed guide through the critical stages of the adversary emulation (AE) process: reviewing and executing TTPs, analyzing outcomes, and documenting findings.

It starts with examining all elements in the emulation plan to ensure they are well designed and functional. Next, it discusses activating the TTPs in a setup that simulates your real operational environment, followed by observing and analyzing the results to evaluate the effectiveness of the tactics and of your defense mechanisms. The final section explains how to document and report the engagement, its results, and the insights gained. The focus is on the crucial steps of implementing, executing, and assessing adversary tactics, and on compiling and sharing the findings to benefit the organization.

Testing an activity in a controlled environment and running it in actual operation can lead to very different outcomes because of unpredictable factors in the real world. For instance, a software company’s new application worked flawlessly in testing—fast, efficient, and without issues. However, upon release to customers, it struggled with the volume of real data, leading to slow responses and crashes. Unanticipated user behaviors and interactions with other applications caused errors, highlighting the gap between testing and real-world conditions.

This situation mirrors adversary emulation: TTPs might work perfectly in a controlled test but encounter unexpected challenges in live settings. ...

Get Adversary Emulation with MITRE ATT&CK now with the O’Reilly learning platform.
