CypherCon 2023

ATT&CKing Unicorns

Matthew Lange & Gary Lobermier


Getting started with MITRE ATT&CK is relatively easy, which is great! Pick a Technique that’s relevant to your organization, execute it, and go hunting for unicorns – er, threat actors. However, executing hundreds of attacker techniques, and validating your detections at scale, turns out to be a daunting task even with the help of incredible tools like Caldera, and Atomic Red Team.
In this talk we’ll detail how and why we chose to assemble a custom automation platform to scale the Red Team component of our Purple Teaming program, and how it enables continuous attack and alert validation at a scale.
We will do a demo of our platform to show how we automate scheduling, deploying, and tracking the results of executing hundreds of daily MITRE ATT&CK Techniques and Procedures across Windows, MacOS, Linux, and AWS ec2 instances.
We’ll describe the problems we’ve encountered with the lack of detailed “Procedure” tracking in the MITRE ATT&CK framework when implementing this approach over the past two years and how we’re solving that issue with a custom YAML schema and integration with our Threat Intelligence and Detection Engineering teams.
Finally, we’ll discuss where we think a program like this can go next using custom automation and templating or possible integrations with ChatGPT. The audience will take away lessons learned by our team and ideas, strategies, and tools to help jumpstart or mature their adversary emulation purple team programs in their own organizations.

Importance: We’re submitting this talk because we believe the success of any security program hinges on its ability to prevent, detect, and alert on malicious activity taking place in its environment. Any program that builds or buys preventive and detective technology but fails to consistently validate that it is performing as expected or advertised is fooling themselves into thinking they are safe.
While off-the-shelf tools do exist, we’ve repeatedly come to the conclusion that those tools require heavy customization and usually only validate the most basic, surface-level attacks.
This talk details our process, tools, and lessons learned so others can benefit from what we’ve learned and help us mature the security industry as a whole.

Matthew Lange & Gary Lobermier

2024, a full track of Matt & Gary

Matt Lange has been an Incident Responder, Digital Forensic Analyst, Penetration Tester, and Red Teamer for more than a decade. Currently he manages a team of Pen Testers and Red Teamers and leads the Purple Team at Northwestern Mutual.


Gary Lobermier has 10 + years of experience in tech as a Network or Sys-Admin and IT Manager. He is currently a Red Teamer and Penetration Tester holding various OffSec and SANS/GIAC certifications, working primarily on the automation of a Purple Team framework for controls validation at Northwestern Mutual. In his free time, he is a musician and a recent 3d printer hobbyist.