
Unit 1: Adversary Simulations

UNIT CODE: CYBPEC001
UNIT TITLE: Plan and execute cyber adversary simulations
APPLICATION

This unit describes the skills and knowledge required to build an adversary simulation unit, and to design and execute an adversary simulation across an organisation in any industry setting, in order to improve the effectiveness of security defences.

It applies to individuals, whether employees or contractors, who work in positions of authority and are approved to implement change within a department or across the organisation. They are responsible for directly supervising others.

No occupational licensing, certification or specific legislative requirements apply to this unit at the time of publication.

ELEMENTS
Elements describe the essential outcomes of the unit.

PERFORMANCE CRITERIA
Performance criteria describe the performance needed to demonstrate achievement of the element.
1. Build an adversary simulation unit

1.1 Establish adversary simulation goals and human, technological, equipment and time resource requirements to execute adversary simulations

1.2 Create a business case for adversary simulations proposing funding and resource requirements

1.3 Consult with senior management or client and obtain approval to proceed with the business case

1.4 Develop adversary simulation policies, procedures, methodologies, report templates and supporting documents

1.5 Propose and obtain approval from senior management or the client for an annual schedule of adversary simulation activities

1.6 Establish recordkeeping process for capturing lessons learnt from adversary simulations

1.7 Obtain required resources to implement adversary simulations

2. Design an adversary simulation

2.1 Identify relevant team members and stakeholders and allocate roles and responsibilities

2.2 Establish adversary simulation objectives, technical capabilities and attack scenarios

2.3 Create a plan detailing client communication strategies, guard rails and items out of scope

2.4 Assess and establish risks and determine strategies for risk mitigation

2.5 Review the plan in consultation with team members, senior management and stakeholders, review feedback and implement recommendations

2.6 Present plan to senior management or client and seek approval

3. Execute an adversary simulation

3.1 Conduct business and network reconnaissance to collect information on target to identify potential weaknesses

3.2 Use social engineering to compromise computers and obtain sensitive information

3.3 Obtain initial foothold on the target’s network

3.4 Perform host and internal network reconnaissance

3.5 Build malware to compromise workstations and servers

3.6 Obtain persistence on the network for future access and prevent removal from the network

3.7 Escalate privileges to achieve objectives: obtain credentials, obtain access to files, exfiltrate data from the network and simulate destructive attacks

3.8 Provide leadership to team members to achieve simulation objectives

3.9 Identify and resolve issues and technical challenges

4. Report on an adversary simulation

4.1 Maintain accurate and structured records through all stages of adversary simulations

4.2 Report choices and decisions made during the adversary simulation

4.3 Report findings and recommendations relevant to executive team members and Information Technology (IT) personnel

4.4 Make separate presentations to executive team members and IT personnel providing relevant information

FOUNDATION SKILLS

Foundation skills essential to performance are explicit in the performance criteria of this unit of competency.

UNIT MAPPING INFORMATION: No equivalent unit

TITLE: Assessment Requirements for CYBPEC001 Plan and execute cyber adversary simulations
PERFORMANCE EVIDENCE

Evidence of the ability to complete the tasks outlined in the elements and performance criteria of this unit in the context of the job role, and:

  • Effective use of verbal and nonverbal communication to gather information from a range of stakeholders and clearly communicate with senior management, clients, stakeholders and team members
  • Language skills to translate technical findings so that they are understood by business and laypersons
  • On a minimum of one (1) occasion lead an adversary simulation
  • On a minimum of three (3) occasions demonstrate ability to:
    • Write tools to automate parts of the adversary simulation process
    • Write malware for adversary simulations
  • On a minimum of one (1) occasion demonstrate ability to write:
    • A script obfuscator tool
    • An HTTPS reverse shell
    • A port forwarding utility
    • A password dumper
    • A custom command and control (C2) protocol for malware infrastructure
    • A spear-phishing framework
    • A code injection utility
KNOWLEDGE EVIDENCE

The learner must be able to demonstrate the essential knowledge required to effectively carry out the tasks outlined in the elements and performance criteria of this unit, manage those tasks and manage contingencies in the context of the work role.

This includes knowledge of:

  • Legal and ethical boundaries
  • Levels of risk relating to adversary simulations, potential outcomes of those risks and how to mitigate them, including:
    • Forecasting risks and implementing mitigation controls
    • Planning, illuminating, engaging, reviewing/reporting (PIER) cycle
  • Attack phases and techniques
    • Persistence
    • Lateral movement
    • Tunnelling
    • Exploitation
    • Command and control
    • Host reconnaissance
    • Network reconnaissance
    • Phishing and spear-phishing
    • Obfuscation and stealth
  • Social engineering
    • Phishing
    • Spear-phishing
    • Elicitation
      • Flattery
      • False statements
      • Ignorance
      • The sounding board
      • Confidential baiting
    • Pretexting
    • Influencing
      • Reciprocity
      • Authority
      • Scarcity
      • Likability
      • Concession
      • Obligation
    • Framing
    • Mirroring
    • Labelling
    • Calibrated questions
    • Leading questions
    • Body language
    • Understanding the other side
    • Extracting information without asking questions
    • Creating the illusion that the other side is in control
ASSESSMENT CONDITIONS

Assessment may be in the form of:

  • work samples
  • written assignments
  • theoretical examination
  • observation

Both practical skills and knowledge must be assessed.

Assessor requirements

No specialist vocational competency requirements for Assessors apply to this unit.