
Adversary emulation tutorial showcases benefits of red teams using real-world TTPs

The Mitre office building. (Antony-22, CC BY-SA 4.0, via Wikimedia Commons)

Compared to other forms of offensive security assessments, adversary emulation presents more relevant and realistic attack scenarios and is more likely to promote healthy collaboration between red and blue teams, according to a pair of experts speaking at Mitre Engenuity’s Threat-Informed Defense User Conference on Wednesday.

The duo offered a sneak preview of Mitre’s brand new ATT&CK Adversary Emulation Fundamentals Certification program, which is still in the late stages of development — and SC Media was there to sit through the course’s first module.

The program is designed for red teamers, pen testers and other cybersecurity practitioners who specialize in assessing an organization’s cyber posture in the face of real-world threats. Presenters and program authors Michael Long, principal adversary emulation engineer at Mitre, and Govardhen Arunagiri, offensive security engineer, said the goal is to help security professionals conduct attack scenarios that very accurately mirror the tactics, techniques and procedures (TTPs) of threat actors that are of specific concern to the business at hand.

These emulations ultimately help businesses prepare for the real deal by exposing network defenders to malicious tactics, while providing a means to assess the security of internal processes and the effectiveness of one’s cyber solutions.

“Adversary emulation is an intelligence discipline that entails researching, modeling and executing cyber adversary tactics, techniques and procedures to assess and improve cybersecurity…” said Long. “We're talking about using real-world observations and cyber threat intelligence to execute adversary behaviors.”

Mitre’s newest certification course is composed of five modules. The first covers the definition, purpose and use cases of adversary emulation, the second addresses the researching of adversary TTPs based on available threat intelligence, and the remaining sessions examine how to plan, implement and execute the emulations.

The conference presentation focused on the first module, which provides an overview of adversary emulation and reveals its benefits. The module also familiarizes trainees with the concept of an adversary emulation framework, which involves defining your specific objectives, choosing which threat actors and TTPs are most relevant to your company and planning the scope of the emulation.

Later, the lesson plan moves on to introducing the concept of an adversary emulation plan, which “is a collection of resources that enables operators to emulate adversary TTPs,” said Long. “It’s kind of like a playbook or procedure that a red teamer could use in order to execute different adversary behaviors in the style of one of their campaigns based on cyber threat intelligence.” A plan for a given adversary might include step-by-step instructions, along with known malicious binaries and scripts, diagrams, ATT&CK tools and more, he explained.

“It’s something that's repeatable; you could run it over and over to try and measure for things like improvement, to measure for regression. It also makes it easier to scale up adversary emulation activities,” Long continued.

Conference attendees who went through the entire module were invited to separately take part in three virtual lab exercises as well — one to tour an emulation plan library from Mitre Engenuity’s Center for Threat-Informed Defense, another to set up one’s own lab environment, and a third to execute an adversary emulation plan that mimics the TTPs of cybercriminal group FIN6.

But before security leaders can think too far ahead, they have to get past step one: making a successful business case for adversary emulation. From Long’s point of view, there are numerous reasons to justify an investment in this particular brand of offensive security — including certain benefits that traditional vulnerability assessments, pen tests and red-team exercises don’t necessarily offer, even if there is still value in these options.

A key advantage, he said, is that adversary emulations emphasize the threats that are most relevant to a particular company, while other offensive security exercises might rely more heavily on whatever a particular red team’s unique bag of tricks happens to be. Also, adversary emulations are more representative of how threat actors actually behave in real life.

“You might have somebody do a Nessus scan. They deliver a report to the network owner that contains thousands of findings, not necessarily prioritized in terms of: What is the risk? Is it actually something that is exploitable?” said Long. Moreover, “are those findings at all correlated to the ways that adversaries are actually compromising networks? Oftentimes, the answer is no,” he continued.

Adversary emulations, meanwhile, are “completely predicated on real-world observations in cyber threat intelligence,” said Long. “So… when we're executing behaviors that are real world, we're supporting meaningful, impactful cybersecurity improvements. I'd rather spend a week to a month trying to patch vulnerabilities we know adversaries are actually exploiting rather than chipping away at a 1,000-page Nessus report.”

Another benefit of the adversary emulation process is that it’s designed to break down barriers between red teams and blue teams such that they openly share and collaborate rather than see each other as untrustworthy rivals.

“Speaking from experience, I can tell you that red and blue teams are commonly disincentivized from working together,” said Long. “There's this natural tension between red and blue teams where red team's success is often perceived as blue team failure.” And vice versa.

“As a red teamer, you might say to yourself, ‘If we share the full extent of our tactics, techniques and procedures [with] the blue team, [the TTPs will] no longer be as effective,’” Long added. Likewise, blue teamers may be reluctant to reveal how they are detecting and mitigating the red team attacks, for fear those methods will be countered.

As an offensive security researcher, Long in the past has encountered certain network owners that refused to suggest which critical systems to probe for vulnerabilities, because they believed it was part of the red team’s job to figure that out.

“It's often lost on network owners that as red teamers, we're trying to model in one week what a real world adversary might do over the span of a year,” said Long.

Arunagiri had similar experiences. “Back when I was doing web application pen testing… code review was a pretty big part of… identifying and verifying vulnerabilities,” he said. “But there were some engagements where the client would explicitly say that no, we're not getting any code access.”

But adversary emulation changes the whole dynamic between red and blue, because there are no secrets between them. The attack methodologies are already public knowledge that can be found in such resources as the ATT&CK framework.

“Adversary emulation supports transparent disclosure of TTPs and findings from both sides,” said Long. “There's no proprietary information. What we're doing is emulating activities that have been seen in the wild. So it's very easy for both red teams and blue teams to fully disclose the extent of their activities.”

“You get a really great feedback loop,” Long continued. “Red team will execute some adversary behaviors; blue team will say, ‘No, I didn't detect it. Help me fix it,’ or ‘We did detect it and this is how.’ In that way we both work together to make our red or blue teaming disciplines better.”

And because the attack behaviors used in the emulations are known to occur in the real world, there’s also “a greater sense of urgency” to fix these issues, Long added.
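Long’s two points above, that an emulation plan is repeatable enough to measure improvement and regression, and that the value comes from the blue team reporting “didn’t detect it” or “did detect it” for each behavior, can be made concrete with a small scorecard. The following is an added example written for this article; it is not code from Mitre’s course or from any emulation plan library. The plan structure, the step IDs, the outcome values and the two runs are all constructed here; only the ATT&CK technique IDs are real. The scorecard refuses to compare runs that do not cover the same steps, since a run that silently skips a step would make “improvement” meaningless.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    """What the blue team reported for one step of a run (constructed scale)."""
    MISSED = 0     # behaviour executed, no detection
    DETECTED = 1   # alert fired, activity not stopped
    BLOCKED = 2    # activity prevented, which implies it was detected


@dataclass(frozen=True)
class PlanStep:
    step_id: str
    technique: str      # ATT&CK technique ID the step emulates
    description: str    # plain-language summary of the behaviour


@dataclass(frozen=True)
class EmulationPlan:
    adversary: str
    steps: tuple


def validate_run(plan, run):
    """A run must report an outcome for every plan step and nothing else;
    otherwise two runs are not comparable."""
    expected = {s.step_id for s in plan.steps}
    reported = set(run)
    missing = expected - reported
    unknown = reported - expected
    if missing or unknown:
        raise ValueError(
            f"run does not match plan: missing={sorted(missing)} unknown={sorted(unknown)}"
        )


def coverage(plan, run):
    """Fraction of plan steps that were at least detected."""
    validate_run(plan, run)
    hits = sum(1 for s in plan.steps if run[s.step_id] is not Outcome.MISSED)
    return hits / len(plan.steps)


def compare_runs(plan, baseline, current):
    """Classify each step as improved, regressed or unchanged between two runs."""
    validate_run(plan, baseline)
    validate_run(plan, current)
    result = {"improved": [], "regressed": [], "unchanged": []}
    for step in plan.steps:
        before = baseline[step.step_id].value
        after = current[step.step_id].value
        if after > before:
            result["improved"].append(step.step_id)
        elif after < before:
            result["regressed"].append(step.step_id)
        else:
            result["unchanged"].append(step.step_id)
    return result


def technique_gaps(plan, run):
    """ATT&CK technique IDs with at least one missed step, i.e. what to fix first."""
    validate_run(plan, run)
    return sorted({s.technique for s in plan.steps if run[s.step_id] is Outcome.MISSED})


# Constructed sample plan: hypothetical adversary name and step IDs, real ATT&CK technique IDs.
SAMPLE_PLAN = EmulationPlan(
    adversary="example-actor",
    steps=(
        PlanStep("S1", "T1059", "run scripted commands on a workstation"),
        PlanStep("S2", "T1003", "attempt credential dumping"),
        PlanStep("S3", "T1021", "move laterally using remote services"),
        PlanStep("S4", "T1053", "persist via a scheduled task"),
    ),
)

# Constructed blue-team reports from two runs of the same plan, some time apart.
BASELINE_RUN = {"S1": Outcome.DETECTED, "S2": Outcome.MISSED,
                "S3": Outcome.MISSED, "S4": Outcome.BLOCKED}
CURRENT_RUN = {"S1": Outcome.MISSED, "S2": Outcome.DETECTED,
               "S3": Outcome.MISSED, "S4": Outcome.BLOCKED}

if __name__ == "__main__":
    print("baseline coverage:", coverage(SAMPLE_PLAN, BASELINE_RUN))
    print("current coverage:", coverage(SAMPLE_PLAN, CURRENT_RUN))
    print("delta:", compare_runs(SAMPLE_PLAN, BASELINE_RUN, CURRENT_RUN))
    print("open gaps:", technique_gaps(SAMPLE_PLAN, CURRENT_RUN))
```

In the constructed runs overall coverage stays at 50%, which is exactly why a per-step comparison matters: the headline number hides that S2 was fixed while detection of S1 regressed. The `technique_gaps` list is the input to the prioritisation Long describes, since every entry is a behaviour taken from threat intelligence rather than a scanner finding.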

Security practitioners who sign up for the forthcoming adversary emulation course are advised to come in with an understanding of the ATT&CK framework and familiarity with basic Windows and Linux command line tools.
