To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans, which we will follow during our assessment. These are prototype documents of what can be done with publicly available threat reports and ATT&CK. The purpose of this assessment is to allow defenders to more effectively test their networks and defenses by enabling testers to more actively model adversary behavior, as described by ATT&CK. This is part of a larger process to help more effectively test products and environments, as well as to create analytics for ATT&CK behaviors rather than detecting a specific indicator of compromise (IOC) or a specific tool.
There are many threat intel reports that focus on malware reverse engineering, initial compromise, and command and control (C2) explanations; however, there are not many threat reports on how attackers are chaining techniques together or how attackers operate on keyboard. Because these prototypes are built on these open threat reports, they have the same limitations. To help with this, we provided a sample way to string the ATT&CK tactics together based on general red teaming experience. To create these plans, the team drilled down on specific APT groups listed in ATT&CK to see what kind of plans could be generated for an operator to emulate those APTs. After reading what capabilities were provided by an APT’s tools, we compiled a list of other ways to exhibit the same behavior. We wanted operators to behave generally like a specific adversary (sticking to that adversary’s known TTPs and behaviors), but to have some latitude in actual implementation. To help with this, we also provided a cheat sheet of commands that can be executed for similar behavior in some of the most commonly used red teaming tools. A sample, high-level diagram is highlighted below as one possible way to structure an APT3 emulation plan.
© 2020 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation