Invoke-APT29: Adversarial Threat Emulation
There are many threat intel reports that focus on malware reverse engineering, initial compromise, and command and control (C2) explanations; however, there are not many threat reports on how attackers chain techniques together or how they operate on keyboard. Because these prototypes are built on those open threat reports, they share the same limitations. To help with this, we provided a sample way to string the ATT&CK tactics together based on general red teaming experience. To create these plans, the team drilled down on specific APT groups listed in ATT&CK and looked at what kind of plans could be generated for an operator to emulate those APTs. After reading what capabilities were provided by an APT's tools, we compiled a list of other ways to exhibit the same behavior. We wanted operators to behave generally like a specific adversary (sticking to that adversary's known TTPs and behaviors) while having some latitude in the actual implementation. To help with this, we also provided a cheat sheet of commands that can be executed to produce similar behavior in some of the most commonly used red teaming tools. A sample, high-level diagram is highlighted below as one possible way to structure an APT3 emulation plan.
The MITRE APT3 Adversary Emulation Plans outline the behavior of persistent threat groups mapped to ATT&CK. They are used by adversary emulation teams to test an organization's network security and security products against specific threats.
Cobalt Strike debuted in 2012 in response to perceived gaps in an existing red team tool, the Metasploit Framework. In 2015, Cobalt Strike 3.0 launched as a standalone adversary emulation platform. By 2016, Proofpoint researchers began observing threat actors using Cobalt Strike.
Proofpoint has observed dozens of threat actors using Cobalt Strike. However, like their legitimate counterparts, threat actors exhibit many different attack paths and use cases for the adversary emulation software. Threat actors use different lure themes, threat types, droppers, and payloads. For example, the earliest Cobalt Strike campaigns distributed email threats with malicious document attachments to deliver the malware, but campaigns placing malicious URLs directly in the email body have since overtaken attachments as the more frequently used threat type.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.
As our main focus is on threats, and, more specifically, adversarial threats (as opposed to environmental threats and accidental threats), in the above hierarchy, we redacted other types of threats, as well as the different components of vulnerabilities and assets.
We will first see what the different teams look like within an organization, such as what a red team and a blue team are, before digging into recent key concepts that are often misunderstood or used interchangeably, like cyber range, breach and attack simulation, and adversary emulation. We will also briefly describe a new standard term, threat-informed defense. However, we will not yet tackle purple teaming, as this will be described thoroughly in the next chapter.
Finally, adversary emulation also focuses on the human dimension, and this helps the blue teams test and improve their skills and capabilities to respond to a threat. BAS solutions, on the other hand, mainly focus on the validation of existing security controls. The difference between BAS and adversary emulation is well described by Scythe in its blog post, The Difference Between Cybersecurity Simulation vs Cybersecurity Emulation. We will also dive deeper into the difference between simulation and emulation in Chapter 9, Purple Team Infrastructure.