🟣Adversary Emulation
Developed by Lockheed Martin, the Cyber Kill Chain® framework is part of the Intelligence Driven Defense® model for the identification and prevention of cyber intrusion activity. The model identifies the steps an adversary must complete in order to achieve their objective.
Prior to the first version of the kill chain described by Lockheed Martin, Dell SecureWorks had developed a more detailed version of the kill chain.
The Unified Kill Chain provides insight into the tactics that hackers employ to attain these objectives. This provides a solid basis to develop (or realign) defensive strategies to raise cyber resilience.
MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
MITRE ATT&CK categorizes adversary behavior by TTPs (tactics, techniques and procedures).
The 14 tactics can be summarized as follows:
Reconnaissance - Collecting information from the target organization to prepare future adversarial activities.
Resource Development - Acquiring infrastructure and resources to support adversarial activities against the target organization.
Initial Access - Gaining initial access to the target network.
Execution - Techniques for running malicious code on the network, usually to explore or steal data.
Persistence - Maintaining access to the target network over time by circumventing measures like credential changes or restarts that could interrupt access.
Privilege Escalation - Gaining administrator or other high-level permissions on the target network.
Defense Evasion - Avoiding detection by security software and IT security teams.
Credential Access - Stealing account names and passwords, allowing the adversary to circumvent security measures by accessing the network with legitimate credentials.
Discovery - Exploring the network and collecting information, such as which applications and services are running, what accounts exist, what resources are available, etc.
Lateral Movement - Accessing and controlling remote services on the target network.
Collection - Aggregating data from a variety of sources on the target network.
Command and Control - Techniques for communicating with systems under the adversary’s control within the target network.
Exfiltration - Techniques for stealing data from the target network and transferring it to an external server controlled by the adversary.
Impact - Techniques for destroying data or disrupting the availability of applications, services, or the target network itself.
Knowing these tactics will help us in:
Cyber Threat Intelligence
Threat Detection & Analytics
Penetration Testing & Adversary Emulation
Threat Coverage Gap Assessment
Adversarial techniques answer “how” an adversary attains a tactical objective: the course of action they take to get what they seek.
Threat Intelligence: Cyber threat intelligence is all about understanding the cyber threat groups that matter to your organization, including their motives, typical targets, behaviors, and preferred software/techniques. IT security teams can use the MITRE ATT&CK framework to access specific information on the behaviors of known threat groups, then identify strategies to detect and mitigate their preferred techniques.
Threat Detection & Analytics: Each technique in the MITRE ATT&CK framework includes a metadata field called “Data Sources”. This field lists the specific types of data that organizations should collect to gain the visibility needed to detect that technique.
Penetration Testing & Adversary Emulation: Once your security team writes an analytic or configures security monitoring to detect an adversarial technique, penetration testing or adversary emulation can be used to evaluate the effectiveness of the implemented threat detection measures.
Threat Coverage Gap Assessment: IT security teams can map their existing threat detection capabilities onto the MITRE ATT&CK framework to identify gaps in their defenses. They can identify the cyber threat groups most likely to target them and compare their threat coverage against the preferred techniques of those groups.
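The two ATT&CK uses just described, checking the “Data Sources” a technique needs against the telemetry you actually collect, and mapping detection rules onto a threat group's preferred techniques to find gaps, can be worked through with a small script. The following is an added example, not code from this page or from MITRE; the technique catalogue, the group profile, the rule inventory and the collected data sources are all constructed sample data (technique IDs follow the ATT&CK format but should be looked up on attack.mitre.org before being relied on).

```python
"""Map detection rules and telemetry onto ATT&CK techniques to find coverage gaps.

Added example with CONSTRUCTED sample data: the technique catalogue, the
group's technique list, the detection rules and the collected data sources
below are illustrative, not the real ATT&CK knowledge base or a real group.
"""
from collections import defaultdict

# Constructed catalogue: technique ID -> (name, tactic, entries from the
# technique's "Data Sources" metadata field).
TECHNIQUES = {
    "T1566": ("Phishing", "Initial Access",
              {"Application Log: Application Log Content",
               "Network Traffic: Network Traffic Content"}),
    "T1059": ("Command and Scripting Interpreter", "Execution",
              {"Process: Process Creation", "Command: Command Execution"}),
    "T1003": ("OS Credential Dumping", "Credential Access",
              {"Process: OS API Execution", "Command: Command Execution"}),
    "T1021": ("Remote Services", "Lateral Movement",
              {"Logon Session: Logon Session Creation",
               "Network Traffic: Network Traffic Flow"}),
    "T1071": ("Application Layer Protocol", "Command and Control",
              {"Network Traffic: Network Traffic Content"}),
}

# Constructed profile of the group threat intel says is most likely to target us.
GROUP_TECHNIQUES = {"T1566", "T1059", "T1003", "T1021", "T1071"}

# Constructed inventory of the detection rules already deployed, each tagged
# with the technique(s) it is designed to detect.
DETECTIONS = [
    {"rule": "powershell-encoded-command", "techniques": {"T1059"}},
    {"rule": "lsass-memory-access",        "techniques": {"T1003"}},
    {"rule": "office-macro-spawns-shell",  "techniques": {"T1566", "T1059"}},
]

# Constructed inventory of the telemetry the SIEM actually ingests.
COLLECTED_SOURCES = {
    "Process: Process Creation",
    "Command: Command Execution",
    "Process: OS API Execution",
}


def detected_techniques(detections):
    """Union of every technique ID that some deployed rule claims to cover."""
    covered = set()
    for rule in detections:
        covered |= rule["techniques"]
    return covered


def detection_gaps(group_techniques, detections):
    """The group's techniques that no existing rule claims to detect."""
    return sorted(group_techniques - detected_techniques(detections))


def data_source_gaps(technique_ids, techniques, collected):
    """For each technique, the data sources we do not collect.

    A technique with none of its data sources collected cannot be detected no
    matter how many rules are written for it, so this is the first gap to close.
    """
    gaps = {}
    for tid in sorted(technique_ids):
        _, _, sources = techniques[tid]
        missing = sorted(sources - collected)
        if missing:
            gaps[tid] = missing
    return gaps


def visible_techniques(technique_ids, techniques, collected):
    """Techniques for which at least one required data source is collected."""
    return sorted(tid for tid in technique_ids if techniques[tid][2] & collected)


def coverage_by_tactic(group_techniques, techniques, detections):
    """Per tactic, (techniques with a rule, techniques the group uses)."""
    covered = detected_techniques(detections)
    per_tactic = defaultdict(lambda: [0, 0])
    for tid in group_techniques:
        tactic = techniques[tid][1]
        per_tactic[tactic][1] += 1
        if tid in covered:
            per_tactic[tactic][0] += 1
    return {tactic: tuple(counts) for tactic, counts in per_tactic.items()}


if __name__ == "__main__":
    print("No detection rule:", detection_gaps(GROUP_TECHNIQUES, DETECTIONS))
    gaps = data_source_gaps(GROUP_TECHNIQUES, TECHNIQUES, COLLECTED_SOURCES)
    for tid, missing in gaps.items():
        print(f"{tid} {TECHNIQUES[tid][0]}: not collecting {missing}")
    for tactic, (hit, total) in coverage_by_tactic(GROUP_TECHNIQUES, TECHNIQUES, DETECTIONS).items():
        print(f"{tactic}: {hit}/{total} techniques have a rule")
```

With this sample data the rule inventory reports T1021 and T1071 as uncovered, but the data-source check also flags T1566: a rule exists for it, yet none of the telemetry it depends on is being collected, so the rule can never fire. That is exactly the kind of false sense of coverage the adversary emulation step above is meant to expose, which is why both checks belong in a gap assessment.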
Adversary emulation, also commonly referred to as Red Team exercises, is meant to provide comprehensive and real-world conditions that demonstrate substantial risks posed by adversaries operating today.
Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
Atomic Red Team runs tests for the adversary techniques described in the MITRE ATT&CK framework, selected by tactic category and technique ID. These tests can be run manually or automatically using Invoke-AtomicRedTeam: https://github.com/redcanaryco/invoke-atomicredteam/wiki.
CALDERA™ is a cyber security platform designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
A toolset to make a system look as if it were the victim of an APT attack.
flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. The tool performs tests to simulate DNS tunneling, DGA traffic, requests to known active C2 destinations, and other suspicious traffic patterns.