The offensive security industry is hopping – awesome folks out there can help you find your security flaws! Companies today are leveraging security assessments, audits, penetration tests and red team assessments. These evaluations help to validate coverage within the architecture of a threat model. As your organization matures you will focus more on an expected adversary’s behavior than on generic atomic events. It just so happens MITRE’s ATT&CK is a catalogue of those atomic techniques!

I thought Kerberoasting my environment would be easier than this.

MITRE and many other consulting, attack simulation, and research organizations leverage ATT&CK to build out expected patterns of behavior and explain the playbooks that threat actors use. MITRE has provided a template illustrating just how this can be done using APT 3 (https://attack.mitre.org/resources/adversary-emulation-plans/). Plans like these also ensure that you or your red teams structure a realistic and useful engagement. 

Flow chart of APT 3's emulation plan as provided by MITRE's Center for Threat Informed Defense.
High-level APT 3 Adversary Emulation Plan from MITRE

Can’t we just detect it all and be done with it?

Well, there are two concerns here. First, some things are super easy to see happen – so detections are low-effort, high efficacy. Most adversaries don’t use those techniques unless it is either very necessary or to distract from something else. Second, not all techniques can be detected all of the time. Every environment and adversary present a different set of variables that might make that impossible. So let’s break these two concerns down a little bit more.

Why did it have to be so hard?

The aim of any analytic is to detect the vulnerability under attack, not just the symptoms of a specific exploit of that vulnerability. This ensures that the detection offers visibility throughout the life of that vulnerability. Attackers can modify, customize or hide any technique to evade a symptom-dependent detection. Furthermore, there may be several exploits that target the same vulnerability in a system.

We can see some of this come to light in different types of detection content. Dynamic feeds containing signatures, hashes, domains and IPs will all have varying useful lifetimes, depending on the indicator type, how easily the attacker can change it, and the sophistication of the attacker. Take signatures for example – we can write them to detect a symptom of an exploit, but better ones focus on how the vulnerability might be accessed. More often than not, a well-crafted Snort or Suricata signature will survive long after attackers have altered a hash, re-hosted on a new IP, or generated a new domain.

We can’t detect all techniques? I want my money back.

These emulation plans provide a more complex pattern of behaviors that together look like a real playbook is being executed. The truth is that while any technique should be cause for alarm (see what I did there?), defenders don’t have to have 100% coverage to be protected. Most adversaries need to string a few techniques together to do damage or leave a mark, and sometimes the timing of those detections might not be in line with the execution of that plan. So what do we do about that?

The best remedy for this is to practice like you play. Red Team exercises or penetration tests should help identify blind spots and also give teams confidence in their investigative abilities. They can also help dispel the myth that you must detect everything to be an effective defender.
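The coverage-versus-timing argument above, as an added example that is not from the post or from MITRE: a small scorer that takes a chained plan and a set of detections (both constructed samples here, not MITRE's APT 3 plan) and reports whether any alert would reach an analyst before the final step of the playbook runs.

```python
"""Score detections against a chained emulation plan (constructed example,
not MITRE's APT 3 plan). The chain is broken by the first alert an analyst
sees before the final step runs, so partial coverage can be enough and
latency matters as much as coverage."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Step:
    technique: str  # ATT&CK technique ID
    name: str
    minute: int     # minutes after the operation starts that the step runs

@dataclass(frozen=True)
class Detection:
    technique: str
    latency: int    # minutes from execution to an analyst-visible alert

# Constructed sample plan, roughly the shape of a credential-theft playbook.
SAMPLE_PLAN = [
    Step("T1566.001", "spearphishing attachment", 0),
    Step("T1059.001", "PowerShell stager", 5),
    Step("T1558.003", "Kerberoasting", 30),
    Step("T1078", "valid account reuse", 120),
    Step("T1021.002", "SMB admin share lateral movement", 150),
    Step("T1486", "data encrypted for impact", 240),
]

# Constructed coverage: two behavioural analytics, no hash/IP/domain feeds.
SAMPLE_DETECTIONS = [
    Detection("T1558.003", 15),   # RC4 TGS-request analytic, 15-minute batches
    Detection("T1021.002", 120),  # scheduled hunt query, far too slow
]

def evaluate(plan, detections):
    """Return coverage ratio plus the alerts that land before the last step."""
    latency = {d.technique: d.latency for d in detections}
    deadline = max(s.minute for s in plan)  # minute the playbook completes
    alerts = [(s.minute + latency[s.technique], s.technique)
              for s in plan if s.technique in latency]
    timely = sorted(a for a in alerts if a[0] < deadline)
    return {
        "coverage": len(alerts) / len(plan),
        "chain_broken": bool(timely),
        "first_alert_minute": timely[0][0] if timely else None,
        "timely_alerts": [tech for _, tech in timely],
    }

if __name__ == "__main__":
    print(evaluate(SAMPLE_PLAN, SAMPLE_DETECTIONS))
```

With the sample data, two of six steps are covered, but only the Kerberoasting analytic fires in time; the lateral-movement hunt lands after the impact step and so counts toward coverage without breaking the chain.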

The more you sweat in practice, the less you bleed in combat!

MITRE’s CTID folks have carried on and built some more awesome emulation plans, and I encourage you to check them out. Even if you aren’t a tester, they give you an amazing insight as to how each of these APTs present to you. Read up on them, you will be surprised what you learn!

Example flow for the Sandworm threat actor provided by the folks at MITRE's CTID.
An example of CTID’s awesome emulation plans, in this case covering one of Sandworm’s playbooks

Whether you directly work with emulation plans or not, your red team engagements should leverage similar approaches. Testers can ensure they are providing accurate facsimiles of the adversaries in your threat picture. By leveraging emulation plans or known playbooks, they can help expose gaps in your detection strategy. Just as exciting, they will uncover tool misconfiguration, out-of-date processes and opportunities for better team enablement.

So the benefits are clear! But a big question remains – who has the honors of conducting the test?