What is Adversary Emulation?

In this comprehensive blog, we delve into adversary emulation, a cutting-edge security assessment approach. We explore its benefits, design an emulation plan, and showcase a step-by-step methodology to perform such an emulation using the MITRE ATT&CK framework. Further, we distinguish between adversary emulation and simulation, and conclude by discussing how adversary emulation can dramatically enhance an organization's security posture. An absolute must-read for cybersecurity professionals aiming to stay ahead of real-world threats.

What Is Adversary Emulation?

Adversary emulation is a cybersecurity assessment method that aims to test an organization's security controls against the tactics, techniques, and procedures (TTPs) used by threat actors posing the greatest risk to its industry. This strategy involves understanding the latest malware and attack campaigns of adversaries, then simulating them in a controlled environment to evaluate the security posture of the organization.

What Are the Benefits of Threat Emulation in Cybersecurity?

Often used interchangeably with adversary emulation, threat emulation is a crucial element in augmenting an organization's cybersecurity. By emulating the tactics, techniques, and procedures (TTPs) of real-world adversaries, threat emulation enables proactive identification of potential vulnerabilities, allowing for adversary-focused and effective defense preparation.

The threat emulation approach tests an organization's incident response strategies by simulating cyberattacks based on the real tactics, techniques and procedures (TTPs) used by adversaries that target your region or industry. This process provides a practical assessment of how the security teams perform under these simulated attacks, revealing areas for enhancement and consequently fine-tuning the overall incident response plan.

Utilizing a shared framework like MITRE ATT&CK boosts collaboration between offensive and defensive cybersecurity teams, fostering improved communication and understanding of strategies and tactics. 

Through threat emulation, organizations can gain data-driven visibility on their security posture. This provides critical data to identify weaknesses, track progress, and shape future cybersecurity strategies. It enriches threat intelligence, adding a real-world context to theoretical knowledge. 

Lastly, threat emulation guides effective resource allocation in cybersecurity investments. By knowing existing vulnerabilities and potential threats, organizations can prioritize their resources efficiently, bolstering their cybersecurity posture.

What Is an Adversary Emulation Plan?

Adversary emulation plans are prototype documents, using publicly available threat reports and the ATT&CK framework, to demonstrate how both the offensive and defensive security professionals can model adversary behavior. 

Created by the MITRE Corporation [1], the main goal of an adversary emulation plan is to enhance network and defense testing by emulating specific threat actors or Advanced Persistent Threat (APT) groups' tactics, techniques, and procedures (TTPs). 

Unlike traditional approaches that focus on identifying specific indicators of compromise or tools, these plans aim at creating analytics for ATT&CK behaviors. While they draw upon open threat reports, they often encounter limitations in detailing how adversaries chain techniques together or perform hands-on keyboard operations. Nevertheless, adversary emulation plans provide a roadmap for operators to behave generally like a specific adversary, allowing some implementation flexibility. This approach supports comprehensive product and environment testing, moving cybersecurity defenses towards a more proactive and adversarial-focused security posture.

Here, you may examine an example of an adversary emulation plan for APT3, conducted by the MITRE Corporation.

How to Perform an Adversary Emulation with MITRE ATT&CK Emulation Plan?

In order to conduct an effective adversary emulation exercise, it is important to follow a systematic process. This process involves several key steps that help gather threat intelligence, map it to the MITRE ATT&CK framework, analyze and organize the information, develop the necessary tools and procedures, and finally, execute the adversary emulation engagement. Let's explore each step in more detail.

Figure 1. Creating your own Adversary Emulation Plan Leveraging the MITRE ATT&CK Framework.

Here are the steps of creating an adversary emulation plan using the MITRE ATT&CK framework.

• Gather comprehensive threat intelligence

• Extract the ATT&CK techniques

• Analyze and organize

• Develop tools and procedures 

• Emulate the adversary

In the below, each step is provided with an extensive explanation.

a. Gather Comprehensive Threat Intelligence 

The first step of adversary emulation is to gather extensive threat intelligence, focusing on selecting a specific adversary that poses a threat to your organization. 

To conduct in-depth cyber threat intelligence research, various resources must be utilized, including malware dump platforms, threat intelligence platforms, sandboxes, and blogs. These resources enable you to identify which particular attack or malware campaigns are currently targeting your industry, region, or sectors similar to your organization. 

For instance, let us say that your organization is considered to be a “critical infrastructure”, and is based in Thailand. Yet, you just discovered that Earth Longzhi APT (a sub-group of APT41) has been lately targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji [2]. It becomes crucial to accumulate as much data about Earth Longzhi as possible. This data collection should include information about the adversary's previous actions, behaviors, tactics, targets, and attack patterns, using both internal and publicly available sources.

b. Extract the ATT&CK Techniques 

Once you have collected your threat intelligence, the next step is to map this intel to specific techniques in the MITRE ATT&CK framework. This process is similar to mapping your own red team operations to ATT&CK techniques.

Figure 2. Using the MITRE ATT&CK Navigator for Behaviour Mapping.

The following steps can be used to map the adversary behavior to the MITRE ATT&CK framework.

• Step 1: Understand the ATT&CK Framework

• Step 2: Find the Behavior 

• Step 3: Research the Behavior 

• Step 4: Translate the Behavior into a Tactic

• Step 5: Figure Out What Technique Applies to the Behavior

For instance, let us say that In the course of conducting your threat intelligence research, you identified that the Earth Longzhi APT group is utilizing the Behinder malware [2], which notably includes the capability to establish a SOCKS5 proxy for stealthy command and control communications. 

Now, you are going to map the “SOCKS5 proxy” behavior to the ATT&CK framework.

• Step 1: Understand the ATT&CK Framework

The ATT&CK framework provides a structured methodology for categorizing and understanding an adversary's tactics (their objectives), techniques (how they achieve those objectives), and procedures (specific ways they apply those techniques).

• Step 2: Find the Behavior

Earth Longzhi APT has been observed using a SOCKS5 proxy, which allows them to tunnel network traffic in a way that is difficult to trace, essentially providing a way to hide their actions on a network.

• Step 3: Research the Behavior 

SOCKS5 is a protocol that routes network packets between a client and server through a proxy server. SOCKS5 can provide a high level of anonymity, making it a popular choice for adversaries who wish to obfuscate their actions on a network.

• Step 4: Translate the Behavior into a Tactic 

The overarching objective for this behavior is maintaining control over a compromised system and ensuring the persistence of that control. In the ATT&CK framework, this falls under the "Command and Control" (TA0011) tactic.

• Step 5: Figure Out What Technique Applies to the Behavior

Given that Earth Longzhi is using SOCKS5, a network protocol, for command and control, this behavior is best mapped to the "Non-Application Layer Protocol" (T1095) technique. This technique covers the use of network protocols that are not typically used by applications for command and control purposes, which perfectly aligns with the use of SOCKS5 in this instance.

This methodology, when consistently applied, can help in predicting and mitigating future threats, as well as in informing strategic planning and improving defenses.

c. Analyze and Organize 

With the threat intelligence mapped to specific techniques, you should organize this information into an operational flow that makes it easy to create specific plans from. For example, if you were emulating the Earth Longzhi APT, you would create an operational flow based on Earth Longzhi APT’s known behaviors.

This flow can be divided into three different phases such as the following.

• Phase 1: Initial Access and Execution

• Phase 2: Persistence and Privilege Escalation

• Phase 3: Defense Evasion and Exfiltration

d. Develop Tools and Procedures 

With a clear understanding of what you want your red team to emulate, the next step is figuring out how to implement these behaviors. This may involve choosing or developing specific tools to replicate the tactics, techniques, and procedures (TTPs) of the threat actor. You should consider the context in which the threat group uses each technique, and how the group varies their use of each technique based on the environment.

For this step, you can ask yourself the following questions:

• Question 1: In what context and manner did the threat group employ this specific technique?

• Question 2: Were there variations in the threat group's use of the technique depending on the surrounding environment?

• Question 3: Which resources can we leverage to successfully imitate these TTPs?

Let us get back to our adversary emulation scenario: We require a comprehensive toolkit and robust procedures [2] in order to emulate the Earth Longzhi's TTPs. 

• Social engineering techniques, such as decoy documents, should be contextualized for your organization. 

• You'll need software for creating malicious DLLs and injecting processes to mimic their execution techniques. 

• Tools allowing Windows task scheduling and UAC bypassing can replicate their persistence and privilege escalation methods. 

• Emulating defense evasion may require network tools for RPC communication, known driver vulnerability exploits, and registry editors. 

Ensure all actions are reversible and aim to identify vulnerabilities, not cause damage.

e. Emulate the Adversary 

With the plan and tools in place, your red team is ready to execute the emulation engagement. 

Red team should closely collaborate with the blue team during the execution to help identify gaps in the blue team's visibility and understand why these gaps exist. After this process, the red and blue teams can collaborate with the CTI team to identify the next threat to emulate, creating a continuous, cyclical process of improvement against real-world threats. This process not only strengthens an organization's defenses but also ensures a proactive approach towards potential threats.

Adversary Simulation vs Emulation

Adversary Emulation and Adversary Simulation, while commonly used interchangeably, do possess nuanced differences.

Adversary Emulation implies a focused approach that aims to replicate the exact tactics, techniques, and procedures (TTPs) employed by a specific known threat actor. The principal objective of this method is to mimic an identified adversary's behavior as closely as possible, thereby enabling an organization to assess and fortify its defensive mechanisms against this known threat. This requires a thorough understanding of the adversary's modus operandi, acquired through detailed threat intelligence, and is intended to offer a precise, threat actor-specific perspective of the organization's vulnerabilities.

Adversary Simulation is a broader process that involves the simulation of potential adversarial behaviors during an attack on an organization's systems. Unlike adversary emulation, it does not strictly conform to a specific threat actor's TTPs. Adversary Simulation provides the freedom to incorporate a variety of tactics and techniques, extending beyond those used by known adversaries. Adversary Simulation is essentially a more flexible and versatile approach, intended to expose a wider range of potential vulnerabilities.

In summary, while adversary emulation targets the imitation of specific threats, adversary simulation provides a broader view of potential attack scenarios. Both strategies offer distinct insights and together constitute a comprehensive approach to improving cybersecurity defenses.

How Can Adversary Emulation Help Improve an Organization's Security Posture?

Adversary emulation significantly contributes to enhancing an organization's security posture. By mimicking the tactics, techniques, and procedures (TTPs) of real-world adversaries, adversary emulation helps organizations identify potential security vulnerabilities and test the effectiveness of defensive measures against the latest threats posing the greatest risk to their industry. 

This realistic approach encourages an accurate evaluation of the organization's incident response capabilities under realistic threat emulation plans. Moreover, it provides valuable context, bridging the gap between theoretical threat intelligence and practical defense scenarios. 

Adversary emulation exercises promote better communication and collaboration within security teams, fostering a unified front against cyber threats. Additionally, it offers quantifiable data to guide future cybersecurity strategies and investments. Hence, adversary emulation plays a pivotal role in maintaining a robust security posture.

Which Frameworks are Commonly Used for Threat Emulation, and Why?

The MITRE ATT&CK framework is a commonly used tool for threat emulation, also known as adversary emulation. This globally-accessible knowledge base consists of real-world observations about the tactics, techniques, and procedures (TTPs) that cyber threat actors utilize in their attacks.

The framework's widespread use is largely due to its comprehensiveness and flexibility. MITRE ATT&CK framework offers a detailed, structured, and systematic way to emulate the behavior of various threat actors, providing context to an organization's specific threat landscape.

Moreover, MITRE ATT&CK encourages improved communication and collaboration within cybersecurity teams. Its standardized terminology helps bridge the gap between offense and defense teams, enabling more efficient identification, prevention, and mitigation of cyber threats.

In essence, the MITRE ATT&CK framework facilitates a threat-centric approach to security, enhancing an organization's ability to understand, prepare for, and defend against cyber threats through realistic threat emulation plans.

How Does Adversary Emulation Differ from Penetration Testing?

Adversary emulation and penetration testing are both valuable methods of assessing an organization's security posture, but they serve different purposes and approach the security assessment from distinct angles.

Penetration testing is a targeted process where a cybersecurity professional, the penetration tester, attempts to exploit vulnerabilities in an organization's systems to assess their security. Penetration testing typically focuses on finding as many vulnerabilities as possible in a specific system or network within a set period. It's often more goal-oriented with a focus on the vulnerability itself, rather than the methods used to exploit it.

On the other hand, adversary emulation is a threat-focused approach. It involves mimicking the tactics, techniques, and procedures (TTPs) of real-world adversaries to test an organization's defenses. This includes attempting to move laterally through networks and maintaining stealth, just as an actual threat actor would. 

Adversary emulation provides a more holistic view of an organization's security posture, as it takes into account the tactics and strategies that real-world adversaries employ.

In essence, while penetration testing seeks to identify and exploit vulnerabilities, adversary emulation aims to understand and replicate the behavior of threat actors to provide a more comprehensive evaluation of an organization's security defenses.

What Are Adversary Emulation Tools?

Adversary emulation tools are a great alternative for security teams starting to adopt automated adversary emulation to their toolset. 

Figure 3. Adversary Emulation Tools Comparison Table.

• MITRE Caldera: An open-source, automated adversary emulation system that uses the MITRE ATT&CK framework to model threats and replicate their behaviors.

• Atomic Red Team: A library of scripts designed to simulate adversary behaviors and validate detection capabilities. It does not offer automation by default, but is versatile and widely used.

• Infection Monkey: An open-source breach and attack simulation tool that prioritizes breaching a target and infecting the entire network by moving laterally from host to host.

• Stratus Red Team: An adversary emulation tool specifically for cloud environments, emulating adversary techniques from the MITRE ATT&CK for Cloud Matrix.

• DumpsterFire: A tool that replicates security events to test and validate security controls, aiming to simulate a wide range of adversaries including insider threats, non-technical threat actors, and sophisticated attackers.

• Metta: An adversarial simulation tool from Uber that runs adversary actions described in YAML format to test and validate detection capabilities of hosts and networks.

• Red Team Automation (RTA): An open-source framework of scripts for assessing detection capabilities with test scenarios modeled after the MITRE ATT&CK framework.

• Breach and Attack Simulation (BAS): Breach and Attack Simulation (BAS) tools automate adversary emulation, providing a resource-efficient solution for organizations. BAS tools offer automated adversary emulation by leveraging continuously updated threat libraries. These libraries are enriched with deep cyber threat intelligence to craft adversary emulation plans mirroring real threat actors' behaviors safely and non-disruptively.

These tools can provide valuable insights into how well your organization can withstand actual cyber threats, helping you to improve your security posture over time.

Can Adversary Emulation Be Automated with BAS?

Yes, adversary emulation can indeed be automated. Given the significant effort required to prepare an individual adversary emulation plan, many organizations may not have the resources to dedicate entire teams to this task. This is where Breach and Attack Simulation (BAS) tools come into play.

BAS vendors offer automated solutions for adversary emulation. They maintain comprehensive, continuously updated threat libraries, enriched by deep cyber threat intelligence research conducted by red team professionals. This research focuses on analyzing and creating adversary emulation plans that mimic the behaviors of various threat actors in a safe, non-disruptive manner.

Moreover, BAS solutions include ready-to-run threat templates that emulate TTPs of particular adversaries that target your region or sector. These templates, as shown in the figure below, represent the attack and malware campaigns of specific threat actors and Advanced Persistent Threat (APT) groups.

Figure 3. APT Groups Threat Templates from the Picus’ Security Control Validation (SCV) Platform.

Each template is essentially an adversary emulation plan, designed to mimic the most recent attack behaviors of threat actors and APT groups. This automation can streamline the process, making it more accessible for organizations to regularly test and improve their defenses.

How Often Should an Organization Conduct Adversary Emulation Exercises?

The frequency of adversary emulation exercises should be continuous and adjusted according to the specific threats an organization faces. A threat-based approach requires constant vigilance, especially considering the rapidly evolving cyber threat landscape. 

By continually running these exercises, an organization stays up-to-date with the latest attack trends, thereby enhancing its defense strategies. The practice should be woven into regular cybersecurity protocols, allowing the identification of weaknesses and immediate rectification. Essentially, rather than having a set schedule, adversary emulation exercises should be an ongoing, dynamic part of an organization's risk management and security enhancement efforts.