Ondřej Nekovář and Jan Pohl


Adversary Emulation within the Grey Zone of Active Defence

Surprisingly, infrastructure defence today still relies primarily on reactive elements, i.e. controls that wait to be triggered. Their triggers are derived from actions the adversary has taken in the past, so on their own they are of little use for effective defence against what comes next. Just ask yourself a simple question: where do these trigger rules come from? They are found through proactive activities such as honeypots, threat hunting and deep packet inspection, not by the reactive products themselves.

This is why we all need to change our attitude towards defence, and it is the main reason we took this path. That does not mean we should abandon what we already have and use, such as firewalls, antivirus and SIEM. Not at all, but we need to rethink where the core of our defence lies and how to reallocate our resources. We do this through our concept of the Grey Zone of Active Defence. This zone lies between reactive cyber defence, which is well known and strongly promoted mainly by commercial actors, and offensive cyber operations. The Grey Zone needs to be categorised and its various elements properly classified, so that it is clear we remain firmly within the range where we are not attacking or launching attacks, but building defences in such a way that we can react in a timely manner and more effectively protect and defend our organisation's assets and resources.

One of the categories of the Grey Zone of Active Defence is Adversary Emulation. Executing the attack itself is only a fraction of the work an attacker must complete to gain a foothold (a foot in the door) in the target environment. The far greater challenge is to make their infrastructure as undetectable and as repeatable as possible.

This paper is based on the speakers' own research and practical experience in applying each of the categories of their redefined Grey Zone of Active Defence.

Ondřej Nekovář

He currently works as CISO at Státní pokladna Centrum sdílených služeb, s. p., where he and his team provide cyber and information security for the national data centre of the Ministry of Finance, an element of the critical information infrastructure. His other role is Chief Deception Officer, in which he is responsible for the strategic development of active cyber defence elements. He also specialises in cybersecurity and active defence legislative issues.

Jan Pohl

He currently serves as a threat hunter at Státní pokladna Centrum sdílených služeb, s. p. His specialty is the tactics, techniques and procedures used by APT attackers, in the context of active defence deployments. He also spent several years as a Red Team member in a multinational corporation.