The Red Report 2024: The Top 10 Most Prevalent MITRE ATT&CK Techniques
By Picus Labs • June 16, 2023, 22 min read
In our digital age, everyday actions like clicking an email link can expose businesses to security threats. These risks underscore the necessity for proactive security approaches, one of which is Attack Simulations. This process tests defenses by mirroring the tactics, techniques, and procedures (TTPs) employed by cyber attackers in real-world scenarios, thereby aiding in the identification and remediation of weaknesses.
In this blog, we'll examine how an attack simulation operates, its importance, and its distinctions from other security practices, such as penetration testing. By the conclusion, you'll gain a deeper understanding of how this process can amplify your organization's cybersecurity posture.
Attack simulation is a process designed to test an organization's security posture against both known and emerging threats in a safe and controlled environment. This proactive approach seeks to mimic the tactics, techniques and procedures (TTPs) used by real-life adversaries in an effort to understand how they might attack an organization's digital infrastructure, what vulnerabilities they might exploit, and how well the organization's current defenses would react against such an attack.
The primary purpose of a cyber attack simulation is to proactively identify and address the security gaps within an organization's cybersecurity infrastructure. It's a realistic approach to understanding how resilient an organization is to different types of cyber threats. By mimicking real-world attack tactics, techniques, and procedures (TTPs), it tests the effectiveness of current security measures and incident response capabilities. It also helps to identify both technical and procedural gaps that could be exploited by adversaries. This proactive assessment aids in enhancing the organization's overall cybersecurity posture, making it more difficult for actual cyber attacks to succeed.
An attack simulation requires good planning. Here is the overall flow of a cyber attack simulation.
1. Threat Profiling with Cyber Threat Intelligence (CTI)
2. Defining the Attack Simulation Scope
3. Defining the Objective of the Cyber Attack Simulation
4. Planning the Attack
5. Executing the Cyber Attack Simulation
6. Results and Reporting
Below, you will find a detailed explanation for each six step.
For example, if an offensive security professional were to perform an attack simulation on an organization's network, understanding the organization's threat profile would be crucial.
This implies that if the organization operates within the finance sector, threat profiling should involve comprehensive cyber threat intelligence research. This research would focus on threat actors and potentially advanced persistent threat (APT) groups that specifically target the finance sector in their attack campaigns.
Alternatively, consider a scenario where a destructive wiper malware primarily targets governmental institutions. An example of this could be found in the Russian-Ukrainian war where the Cadet Blizzard threat actor orchestrated a malware campaign against Ukrainian organizations . In such a situation, any cyber attack simulation conducted on hosts affiliated with a Ukrainian organization should indeed incorporate the specific behavior of this malware.
As can be discerned, identifying threat actors or other cyber attack trends in real-world situations requires significant work in cyber threat intelligence (CTI). This task can be exceptionally challenging for solo offensive security practitioners, as the landscape is continuously evolving. Keeping pace with this ever-changing threat landscape can be a demanding endeavor when undertaken alone.
The next step involves identifying the scope of your cyber attack simulation. During this phase, the organization needs to establish the boundaries for the simulation. For instance, they must decide which network segments are permissible for performing an attack simulation, which IP addresses are considered safe for executing reconnaissance attack techniques, and which machines are strictly off-limits to prevent potential disruption to the production line or network.
Every adversary seeks to accomplish a specific goal. While some attackers launch campaigns with the intention of financial gain, others may be driven by different motivations such as seeking recognition within the hacker community or promoting a form of activism.
Regardless of their objectives, attackers aim for the maximum possible impact. For example, if conducting a ransomware campaign, they would strive to gain the highest privileges possible to infect as many machines as they can. This way, they can coerce the organization into paying the ransom to continue their operations and safeguard their sensitive data.
Therefore, when an offensive security professional plans to conduct an attack simulation, they need to set a clear objective. This could be gaining access to the Domain Controller in the Active Directory, acquiring access to a domain admin's account through OS credential dumping attack technique, and so forth.
With the objective of the attack simulation established, the next step involves planning the attack strategy for the simulation. This step is crucial in setting the stage for a successful, realistic simulation.
In this stage, the cybersecurity expert meticulously outlines potential attack pathways they plan to explore, taking into account the organization's unique threat landscape and the identified objectives.
Figure 1. Finding attack paths in an organizational environment.
Simultaneously, they determine the best tools to deploy during the simulation. These tools may range from third-party security testing software to native operating system utilities, each chosen based on their functionality, efficiency, and the realism they lend to the simulation.
Furthermore, the cybersecurity professional determines which techniques, tactics, and procedures (TTPs) will be implemented. This could involve a variety of cyber attack techniques such as malware injection, exploitation of known vulnerabilities, or network and system reconnaissance, all based on what best matches the threat profile of the organization.
In essence, this planning phase transforms the abstract objectives of the simulation into a concrete, actionable strategy, thereby paving the way for a comprehensive and effective cyber attack simulation.
This is the stage where the offensive security professional puts the plan into action and carries out the simulated cyber attack. This step follows the strategy outlined in the previous stage but is also flexible and adaptive, accommodating for unforeseen opportunities or challenges.
It's important to note that while there is a plan in place, the actual execution of the attack simulation may not strictly adhere to it. The dynamic nature of a networked environment often presents unforeseen opportunities that could lead to a more effective demonstration of vulnerabilities.
For example, during the reconnaissance phase of a cyber attack simulation, the security professional might identify a highly privileged user account with access to multiple critical domains. If unauthorized access to this account is achieved, it could drastically alter the attack path. The professional might then be able to misuse a valid Kerberos ticket-granting ticket (TGT) to gain access to the Domain Controller or even a critical server—perhaps one hosting the organization's sensitive financial records.
This highlights the iterative and adaptive nature of conducting a cyber attack simulation. The process allows for real-time adjustments to the plan, ensuring that the simulation is as thorough and accurate as possible in uncovering potential weaknesses in the organization's cyber defenses.
In the aftermath of a cyber attack simulation, the offensive security professional creates a comprehensive and detailed report. This document serves to summarize the findings of the simulation, highlighting the vulnerabilities uncovered, potential attack paths that an adversary could exploit, and the potential threats to an organization's most critical assets or 'crown jewels'.
These reports are not merely a narration of events but also a strategic guide, often containing recommended mitigation strategies to counter the identified vulnerabilities. The goal here is to provide actionable intelligence to the organization, helping them understand where their defenses may be weak and how they can bolster them effectively.
These detailed reports form the basis for an ongoing dialogue between security professionals and organizational stakeholders. They enable informed decision-making about investments in security tools and personnel training, as well as the adjustment of policies and procedures to better manage potential future attacks.
Various types of cyber attacks can be simulated as part of a cyber attack simulation process to understand and strengthen an organization's cybersecurity posture. These include but are not limited to:
While these categories cover a broad range of potential threats, it's important to understand that the scope of possible attack techniques and campaigns is immense, and it's practically impossible for any individual or group of professionals to simulate all of them. The threat landscape is continuously evolving, with new attack vectors, techniques, and vulnerabilities emerging frequently.
How Confident Are You in Your Security Layers?
Test the integrity of every layer with BAS and gain the confidence that comes from knowing your security controls are as robust in practice as they are on paper.
Network attack simulation is a method of assessing an organization's cybersecurity posture by proactively emulating potential cyberattacks on its network, systems, and security controls. This process enables organizations to identify vulnerabilities, evaluate security control effectiveness, and refine their defense strategies.
The benefits of network attack simulation include discovering weaknesses within security controls, training IT personnel to handle various attack scenarios, verifying controls' efficacy against different attack types, and maintaining compliance with industry regulations.
During network attack simulation, several security controls are tested, such as Next Generation Firewalls (NGFW), Intrusion Detection and Prevention Systems (IPS & IDS), Anti-virus (AV) Solutions, Web Gateways, Sandboxing Solutions, Endpoint Detection and Response Solutions (EDR), and Endpoint Protection Platforms.
Thus, conducting a network attack simulation, organizations can prioritize remediation efforts, strengthen their overall security posture, and enhance their resilience against genuine cyber threats by answering the following questions.
What would happen if a client on my network downloads a malicious file from the internet?
Can my security controls protect me against this specific threat?
What are the gaps in my network security controls?
Is my Next-Generation Firewall (NGFW), Intrusion Prevention and Detection Systems (IPS & IDS) effectively protecting against real-world threats?
Do I need additional security controls on my network?
Figure 2. Testing Your NGFW, IPS and Proxy Solutions with a Network Attack Simulation.
Endpoint attack simulation is a process of simulating various types of cyberattacks on an endpoint device, such as a laptop or server, to identify vulnerabilities in the existing security controls. The process can include simulating attacks on different stages, modules, and extensions to see how the security controls respond.
The intent of an endpoint attack simulation is to test the readiness and effectiveness of security controls before a real cyberattack occurs.
Figure 3. Windows Endpoint Attack Simulation with Picus Security.
The benefits of endpoint attack simulation include its ability to identify weaknesses in an organization's security controls, help security teams detect potential cybersecurity threats, and provide a platform for continuous security testing. Organizations can gain a better understanding of their security posture by examining the results of endpoint attack simulation tests and adjust the security controls accordingly, ultimately strengthening incident response plans and reducing organizational risk. Endpoint attack simulation can test various security controls, such as Endpoint Detection and Response (EDR) systems, Antivirus, and Next-Generation Firewalls (NGFW) and Web Application Firewalls (WAF), to ensure that they are functioning properly.
Figure 4. Mitigation Suggestions for a RomCom Malware Endpoint Attack Simulation.
Vendors that can perform endpoint attack simulations may provide detection and mitigation suggestions to ensure that your organization can effectively detect and prevent cyberattacks on endpoint devices, thus mitigating the risk of infrastructure compromise and data breaches.
Email attack simulation is the process of imitating various email-based cyber-attacks to evaluate the effectiveness of an organization's email security controls. Email is one of the most commonly used entry points for cybercriminals to gain access to sensitive information or systems, making email attack simulation a crucial element of a comprehensive cybersecurity strategy.
Figure 5. TONESHELL Backdoor Malware Email Attack Simulation with Picus Security.
The benefits of email attack simulation include the ability to identify vulnerabilities and weaknesses in email security controls before an actual attack occurs. With deep insights into the organization's email security posture, security teams can effectively implement security controls to prevent and mitigate future cyber attacks. Email attack simulation can test a range of security controls, including spam filters, antivirus software, firewalls, and intrusion detection systems.
By conducting email attack simulations regularly, organizations can better understand their potential risk levels for different types of attacks and make informed decisions about security investments. This helps to improve the overall security posture and reduce the chances of an actual attack occurring. Overall, email attack simulation is a critical component of proactive cybersecurity strategy that helps to keep an organization safe from the ever-evolving cyber threats.
A Phishing Attack Simulator is a security tool that allows organizations to create and launch simulated phishing campaigns to test their employees' awareness of phishing attacks and improve their response to potential threats. It helps organizations identify weaknesses in their security measures and develop strategies to strengthen them against actual phishing attacks. These simulated attacks can range from simple email scams to sophisticated, targeted spear-phishing attacks.
Microsoft's Attack Simulation Training is one such tool designed to help organizations test the effectiveness of their security policies and employee cybersecurity awareness. It integrates with Microsoft 365 Defender for Office 365 Plan 2 and offers various types of simulated cyberattacks, including credential harvesting, malware attachments, and OAuth consent grant attacks.
By leveraging real-world attack scenarios, Microsoft's Attack Simulation Training allows administrators to launch benign cyberattacks that mimic actual phishing attempts to identify vulnerabilities in their employees' security awareness. The simulation results provide valuable insights into click rates, compromised users, and training progress, which can then be used to refine security policies and target user-specific training efforts.
Moreover, the platform offers a vast content library with pre-built payloads, login pages, and training materials to customize simulations further. Companies can use this information to fine-tune their security education programs to reduce the risk of falling victim to real-life phishing attacks, thereby fostering a more security-conscious culture within their organizations.
Cyber attack simulations should ideally be a consistent and ongoing part of an organization's cybersecurity framework, rather than a one-time or occasional event. Traditional security assessments, such as red teaming and penetration testing, although valuable, can be resource-intensive and only provide a snapshot of the organization's security posture at a specific point in time.
In today's dynamic organizational environments, changes are constant. This could include new machines being added to a network, initiation of new services, alterations in user privileges, or the creation of new network segments with distinct administrative rights. Such fluidity in an organization's digital landscape could potentially introduce numerous new attack pathways that a malicious actor could exploit to access critical assets, like the Domain Controller (DC).
As such, it is crucial for cyber attack simulations to be conducted regularly, with minimal intervals in between. In fact, best practice encourages the utilization of automated and continuous cyber attack simulations. This approach can be facilitated through the use of Breach and Attack Simulation (BAS) tools offered by various vendors.
These BAS solutions enable organizations to automate the process of simulating cyber attacks, making the process more efficient and less resource-intensive. With continuous simulations, organizations gain a real-time understanding of their security posture against both known and emerging threats, allowing for more prompt and effective action to be taken when vulnerabilities are detected.
In the forthcoming discussions, we will delve into how BAS solutions streamline the process of conducting cyber attack simulations, enabling organizations to maintain a more accurate and up-to-date understanding of their cybersecurity posture.
While both penetration tests and cyber attack simulations are methods of assessing the strength of an organization's cybersecurity defenses, there are some fundamental differences between the two.
The difference between an attack simulation and penetration testing can be listed under five main categories, such as scope, goal, approach, timing and frequency, and reporting.
Scope: A penetration test is typically more focused and narrow in scope, often testing a specific system or application for vulnerabilities. On the other hand, a cyber attack simulation tries to mimic a real-world cyber attack and, as such, is typically broader in scope, potentially covering the entire organization's digital infrastructure.
Goal: The goal of a penetration test is to identify as many vulnerabilities as possible in the target system or application. In contrast, a cyber attack simulation aims to understand how an attacker might exploit vulnerabilities to achieve specific objectives, such as data exfiltration or gaining control over certain systems. This involves understanding potential attack paths and how different vulnerabilities can be chained together to achieve the attacker's objectives.
Approach: Penetration testing typically involves a more static, methodical approach, systematically testing for known vulnerabilities. A cyber attack simulation, on the other hand, is more dynamic and attempts to emulate the tactics, techniques, and procedures (TTPs) of real-world adversaries.
Timing and Frequency: Penetration tests are usually one-off engagements or are conducted at regular intervals, providing a snapshot of the organization's security posture at a specific point in time. Cyber attack simulations, particularly when automated using Breach and Attack Simulation (BAS) tools, can be run continuously, providing a more real-time view of the organization's security posture.
Reporting: Both practices provide detailed reports, but penetration tests typically provide a list of identified vulnerabilities and recommended fixes. A cyber attack simulation report, on the other hand, might focus more on potential attack paths, demonstrating how vulnerabilities could be exploited in a real-world attack scenario and providing more strategic recommendations on how to improve overall security posture.
It's important to note that these practices are complementary and both valuable to an organization's cybersecurity strategy. Penetration tests can provide deep insights into specific areas, while cyber attack simulations can provide a more holistic view of the organization's defenses and their ability to withstand real-world attacks.
Traditional Approaches Don’t Provide A Complete Picture
Learn how BAS strengthens cyber resilience by answering essential questions about the risks organizations face.
An attack simulator is a security tool that organizations use to create, launch, and analyze simulated cyberattacks on their network and email systems, web applications, endpoints and data leakage protection solutions. These simulations help organizations identify their potential weak points in their security posture, and evaluate effectiveness of their existing security controls against real-life threats. Attack simulators can emulate various cyberattacks, including but not limited to malware infections, malicious email campaigns, threat actor campaigns, Advanced Persistent Threat (APT) scenarios, and ransomware attacks.
By mimicking real-world attack scenarios on email systems, network traffic, and endpoints, attack simulators provide valuable insights into an organization's overall security posture. These insights enable organizations to uncover weaknesses in their defenses, detect any security gaps in their infrastructure, and measure employee behavior when faced with potential threats.
The information gathered from attack simulations can be used to enhance security policies, deploy necessary system upgrades and patches, and develop targeted training programs to improve employees' cybersecurity awareness. Regularly conducting such simulations fosters a proactive and security-conscious culture within the organization, ultimately reducing the risk of falling victim to real-life cyberattacks.
There are various attack simulations tools. In this section, we try to give both open-source and commercial attack simulation tools.
MITRE Caldera: MITRE Caldera is a highly sophisticated, open-source automated adversary emulation framework that is designed to provide comprehensive simulations of post-compromise adversary behavior to help organizations improve their incident response processes and threat detection capabilities. It comes with a customizable set of adversary scenarios and plugins, which makes it one of the most versatile adversary emulation tools available. Additionally, Caldera also offers autonomous incident response to help organizations quickly contain and mitigate threats before significant harm is inflicted.
Atomic Red Team: Atomic Red Team is an open-source library of adversary procedures that are designed to test the detection capabilities of security controls. Each technique in the library is mapped to the MITRE ATT&CK framework and may include multiple procedures that emulate individual adversary techniques. Since these are individual tests, they do not simulate any specific attack scenarios unless an operator sequences multiple atomic tests to do so. Atom Red Team is an incredibly useful tool for organizations looking to assess their security controls against specific ATT&CK techniques.
Infection Monkey: Infection Monkey is an open-source breach and attack simulation tool that is mainly designed to prioritize the lateral movement of attacks over specific predefined attack patterns. Infection Monkey does not follow any predetermined attack scenarios and can simulate vulnerability exploitation, brute force, post-compromise, and ransomware attacks to test an organization's security posture. The tool takes a relentless approach to testing an organization's security controls to identify gaps or weaknesses that attackers can exploit.
Microsoft's Attack Simulation: Microsoft's Attack Simulation is a cloud-based security tool that allows organizations to simulate potential phishing threats to test their employees' awareness of such attacks. It offers several different types of simulated attacks, including credential harvesting, malware attachments, and OAuth consent grant attacks, to identify weaknesses in an organization's security posture. In addition, the tool provides personalized training and educational resources to address identified vulnerabilities.
Picus’ Breach and Attack Simulation: Picus Security's Breach and Attack Simulation (BAS) is designed to help organizations assess and improve their security posture by simulating potential attacks against their infrastructure, applications, and data. The platform provides a wide range of simulation scenarios and attack patterns that can be customized according to the needs and requirements of the organization. It generates comprehensive reports with remediation recommendations and prioritization based on risk levels to help organizations identify and address vulnerabilities. The platform is suitable for businesses of all sizes and industries.
Breach and Attack Simulation (BAS) automates cyber attack simulations to help organizations validate their existing security measures against a wide range of attacks. BAS utilizes a constantly updated threat library, pre-built templates, and integrates with the MITRE ATT&CK framework to identify potential weak spots in an organization's security infrastructure. Automated detection and prevention signatures offer quick mitigation of security gaps, while log visibility increases visibility into detective security controls. BAS provides an effective solution to assess the strength of security measures.
With the constantly evolving and dynamic nature of cyber threats, organizations are increasingly turning to BAS solutions. These solutions offer automated and continuous simulations that complement traditional assessment services like red teaming, penetration testing, and vulnerability scanning. BAS solutions provide a more efficient way to regularly test an organization's defenses against a variety of threats, offering a more comprehensive and ongoing view of their security posture and readiness to face real-world cyber threats.
Figure 6. Cyber Attack Simulation with BAS.
Cyber attack simulations are incredibly realistic, mirroring the tactics, techniques, and procedures (TTPs) employed by real-world threat actors. Powered by continuously updated threat libraries, they emulate both known and emerging threats, including zero-day vulnerabilities as soon as a proof of concept of an attack is found.
The effectiveness of these cyber attack simulations lies in their attention to detail; from the abuse of built-in system tools to custom scripts used for a variety of malicious actions such as system information gathering, OS credential dumping, everything is simulated based on authentic incidents.
Moreover, solutions like Breach and Attack Simulations (BAS) provide ready-to-use templates that offer comprehensive testing of your existing security controls, further enhancing the realism and practical value of these simulations.
Cyber attack simulations, facilitated through Breach and Attack Simulation (BAS) testing, are designed to be safe and non-intrusive. They evaluate an organization's security posture without exposing sensitive data or disrupting system performance. Simulations mimic prospective attacks in a controlled environment, thus eliminating the risk of system-wide impacts.
Additionally, BAS solutions align with regulatory frameworks, ensuring compliance during testing activities. These solutions allow for customized parameters, offering a fit that is tailored to individual environments and risk thresholds. This approach minimizes potential system impacts. Importantly, cyber attack simulations occur without the need for invasive network scanning or firewall exceptions, leaving your existing security infrastructure undisturbed.
In essence, cyber attack simulations provide a secure, reliable, and risk-free approach to assessing and reinforcing an organization's cybersecurity defenses. They offer confidence and reassurance in the effectiveness of their security measures.
How Can a Cyber Attack Simulation Help Improve Our Incident Response Strategy?
The dynamic nature of the cyber threat landscape calls for a proactive and comprehensive approach to incident response.
A well-implemented Cyber Attack Simulation, through the use of a Breach and Attack Simulation (BAS) platform, enables the defense team to stay ahead of emerging threats. Utilizing an up-to-date threat library, attack simulations validate various security controls, including but not limited to
Next Generation Firewalls (NGFW),
Web Application Firewalls (WAF),
Intrusion Detection and Prevention Systems (IPS & IDS),
Endpoint Detection and Response (EDR) solutions,
Email Gateway solutions,
AntiVirus and Anti-Malware solutions,
Extended Detection and Response (XDR) technologies,
Data Loss Prevention (DLP) solutions,
Security Information and Event Management (SIEM) systems.
This rigorous evaluation reveals potential vulnerabilities and gaps, providing invaluable insights into your organization's defense capabilities. By understanding these gaps, the defense team can act preemptively, optimizing incident response strategies, and ensuring the robustness of the organization's cybersecurity posture.
Finally, BAS platforms’ continuous feedback mechanism further assists in making necessary adjustments and improvements, equipping the defense team with a continuously evolving, agile, and effective incident response strategy.
 Microsoft Digital Security Unit (DSU), M. I. Response, and M. T. Intelligence, “Destructive malware targeting Ukrainian organizations,” Microsoft Security Blog, Jan. 16, 2022. [Online]. Available: https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/. [Accessed: May 31, 2023]