Leveraging Adversary Emulation / Simulation to Improve Security Posture in Organization

A few weeks ago, I gave a presentation at Cyber Defense Community Indonesia about Adversary Emulation. You can access the slides here: https://www.slideshare.net/digitoktavianto/adversary-emulation-and-its-importance-for-improving-security-posture-in-organization and the video (in Bahasa Indonesia) here: https://www.youtube.com/watch?v=9s9rmkpDRQg&t=8768s

First of all, we need to correctly understand the terminology of adversary emulation and adversary simulation. Many people are confused by the two terms and sometimes use them interchangeably.

Let’s look at the Merriam-Webster dictionary definitions of emulation and simulation to grasp the fundamentals and differentiate the two in terms of the activities involved:

Merriam-Webster Dictionary Translation of Emulation
Merriam-Webster Dictionary Translation of Simulation

As we can see from the definitions themselves:

Emulation: ambition to equal; following the definition further, imitation is something produced as a copy.

Simulation: the imitative representation of the functioning of one system or process.

So we can say that:

Adversary Emulation: the process of imitating, mimicking or copying the activities and behavior of an adversary or threat actor.

Adversary Simulation: the process of simulating or representing how an adversary or threat actor behaves when attacking a target.

Tim MalcomVetter mentioned this in his blog post: emulation implies an EXACTNESS to the copy, whereas simulation only implies SIMILARITY with some freedom to be different. I totally agree with his opinion.

NVISO, on their website, explain Adversary Emulation as follows:

“Adversary emulation aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs). These are targeted, coordinated threat groups with the intent, opportunity, and capability to harm their targets in a continuous fashion. With adversary emulation, we employ the same tactics, techniques, and procedures (TTPs) along the cyber kill chain, leading deeper into the target network on to the objectives or flags.”

In my personal opinion, Adversary Emulation is a type of red teaming activity which focuses on the emulation of a specific adversary / threat actor and leverages threat intelligence to define the behavior and TTPs that will be used in the process.

Phase of Security Assessment

The picture above is purely my own opinion. It does not represent the level of each security assessment; each one has its own purpose for the organization. I just want to highlight the differences between them. Jorge Orchilles, SANS Instructor for the SEC564 course Red Team Exercise and Adversary Emulation, has his own explanation, and I think it is also a great way to differentiate the terms red teaming, adversary emulation, and purple teaming:

Jorge Orchilles’s Slide About Adversary Emulation (https://www.slideshare.net/jorgeorchilles/adversary-emulation-and-red-team-exercises-educause)

Jorge Orchilles and Scythe, in their blog post, differentiate the terms red teaming, adversary emulation / simulation and purple teaming in this statement:

“Adversary Emulations may be performed in a blind manner (Red Team Engagement) or non-blind (Purple Team) with the Blue Team having full knowledge of the engagement.”

Based on that statement, it can be concluded that Red Teaming and Purple Teaming are both forms of Adversary Emulation. It depends on the engagement: if the engagement is performed without the Blue Team knowing about the activities, it is called red teaming; if the engagement involves the Blue Team, it is called purple teaming.

VAPT (Vulnerability Assessment and Penetration Testing) is the most common service requested by organizations in order to find gaps in their applications, infrastructure, and even their processes. In Indonesia especially, Red Teaming, Adversary Emulation, and Purple Teaming are still very new, and not many organizations have adopted these terms for their security assessments. That is one of my reasons for writing this article: to raise awareness of the importance of Adversary Emulation for improving an organization’s security posture.

Adversary Emulation is an end-to-end security assessment of the entire organization. The main differences between VAPT and Adversary Emulation are:

  1. The scope is not limited to a certain object (application, server, network, domain, etc.).
  2. Adversary Emulation emulates specific TTPs of a threat actor (take a look at the FIN6 Emulation Plan from the MITRE Engenuity Center for Threat-Informed Defense as an example: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/fin6).
  3. It emulates the end-to-end Cyber Kill Chain process, from Reconnaissance to Actions on Objectives.
  4. It leverages a framework for the emulation process (for example the Cyber Kill Chain, the MITRE ATT&CK Framework, or the Diamond Model of Intrusion Analysis).
  5. Unlike VAPT, whose main objective is to find vulnerabilities / exploits within the infrastructure, application, or server, the objective of Adversary Emulation / Simulation is to assess the organization’s current cyber security capabilities (People, Process, Technology), to improve the security posture as a whole process, and to enhance the blue team’s detection and response capabilities.

What is the benefit of Adversary Emulation?

The Red Team uses an Adversary Emulation plan to develop an attack emulation and/or simulation and execute it against your enterprise infrastructure. These activities leverage real-world attacks and threat actor TTPs, so you can identify the gaps in your defense before a real adversary attacks your infrastructure. Adversary Emulation also helps the security team get more visibility into their environment. Performing Adversary Emulation continuously strengthens and improves your defense over time.

  1. Adversary Emulation is just like an IR or Tabletop Exercise, but from a different perspective. This exercise allows your organization to test your security team against the latest threats used by the real threat actors that pose the greatest risk to your organization in your specific industry.
  2. Sometimes the BoD or Management challenge you: would real adversaries be able to attack our infrastructure? You can then run this simulation to give them proof of how a targeted attacker could penetrate your infrastructure, compromise sensitive assets, and even steal your sensitive data.
  3. Adversary emulation can show you whether your defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization’s strengths and weaknesses based on the results of the simulation.
  4. Adversary emulation can help you not only to prioritize improvements to your existing technology capabilities, but also gives you recommendations for future investments and for maturing your cybersecurity posture.
  5. It gives you a focus on objective-based testing that demonstrates the effectiveness of your security controls.
  6. Adversary Emulation can help you measure your organization’s cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK framework or other relevant frameworks.

Developing Adversary Emulation Plan

Adam Pennington’s Slide : Leveraging MITRE ATT&CK for Detection, Analysis & Defense (https://www.slideshare.net/AdamPennington4/rhisac-summit-2019-adam-pennington-leveraging-mitre-attck-for-detection-analysis-defense)

I quote a paragraph from Tim MalcomVetter’s blog about Emulation Plans in Practice (https://malcomvetter.medium.com/emulation-simulation-false-flags-b8f660734482):

“In practice, emulating is very hard. First, not all threat actors have publicly or privately available intelligence in the format necessary to complete all of the threat actors’ steps with the precision required to meet the definition. Second, even for those that do, certain key steps may be out of bounds, legally, for the person “replaying them” (such as compromising third party infrastructure). Third, the “programmed TTPs” were collected at a single point in time, and techniques that were used during that string of events may not be reused in the future by that threat actor, so replaying them with precision may not be that valuable of an exercise.”

As you can see, developing an emulation plan is not easy. You need a trusted intelligence source as baseline information for gathering the adversaries’ techniques, and it is not cheap. On top of that, adversary TTPs can change over time. You need to refine your data carefully before creating the emulation plan.

Adversary emulation plans are based on known adversary TTPs (Tactics, Techniques, and Procedures) and are designed to give your red team the information to emulate a specific threat actor in order to test defensive capabilities from a threat-informed perspective. The characteristics of an emulation plan, as described in the MITRE blog https://medium.com/mitre-engenuity/introducing-the-all-new-adversary-emulation-plan-library-234b1d543f6b, are as follows:

  1. Each emulation plan focuses on a specific adversary / threat actor.
  2. Each adversary emulation plan is gathered from threat intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific threat actor.
  3. To develop each plan, the Red Team should research and model each threat actor, focusing not only on what they do (e.g. gather credentials from victims) but also how (using what specific tools/utilities/commands?) and when (during what stage of a breach?).
  4. The Red Team then develops emulation content that mimics the underlying behaviors used by the threat actor.
  5. To describe the detailed flow of the emulation plan, the Red Team should develop an operational flow which provides a high-level summary of the captured scenario(s).
  6. The scenario(s) of the emulation plan are broken down into step-by-step procedures provided in both human- and machine-readable formats (like the .yaml files in Atomic Red Team, for example). Scenarios can be executed end-to-end or as individual tests.
  7. The emulation plan scenarios will vary based on the adversary and available intelligence, but typically follow a sequential progression of how the actor breaches and then works towards achieving their operational objectives within a victim environment.

APT3 Operational Flow https://attack.mitre.org/resources/adversary-emulation-plans/

For example, the structure of the MITRE ATT&CK Evaluations APT3 Emulation Plan consists of the following components:

  1. Intelligence Summary: an overview of the adversary and references to the intelligence reports gathered at the beginning of the process
  2. Operational Flow
  3. Emulation Plan

Getting Started with Adversary Emulation

When starting an Adversary Emulation exercise, the Emulation Plan is one of the most critical parts. The Emulation Plan section is a specific, detailed breakdown of the tactics of the adversary group.

  1. To develop the Emulation Plan, the red team must first gather the threat intelligence documents related to the threat actor group that they want to emulate.
  2. The red team must identify the tactics the adversary group uses for an attack, along with the particular techniques and procedures for each tactic. The TTPs are mostly defined based on the MITRE ATT&CK Framework as a standard.
  3. To detail an emulation plan for the exercise, the red team must break down the tools that they will use to emulate each particular TTP. This information is available as part of the MITRE ATT&CK description of the adversary group, and also from Threat Intelligence reports.
  4. The Red Team also needs to build the infrastructure required by the emulation plan, such as C2 infrastructure, or infrastructure for collecting sensitive data in the exfiltration phase (if any).
  5. Execute the emulation plan according to the procedure and workflow defined in the exercise. Follow up the results of the exercise with the blue team and also with management.
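Step 5 is where the blue team and management get the results. As an added example (not code from the original post, nor from MITRE or Atomic Red Team), the Python below takes a plan laid out the way the machine-readable plans described above are (one step per procedure, tagged with its ATT&CK tactic and technique) and scores the SOC's recorded outcomes per tactic, listing the gaps to prioritise and how far down the kill chain the actor got before the first detection. The plan steps, procedure labels and outcomes are constructed sample data; the technique IDs are ATT&CK identifiers.

```python
OUTCOMES = ("prevented", "detected", "missed")

# Constructed plan: one entry per procedure, in the order the scenario runs.
# Tactic names and technique IDs are ATT&CK identifiers; procedures are labels only.
SAMPLE_PLAN = [
    {"step": 1, "tactic": "initial-access", "technique": "T1566.001", "procedure": "phishing attachment"},
    {"step": 2, "tactic": "execution", "technique": "T1059.001", "procedure": "PowerShell stager"},
    {"step": 3, "tactic": "credential-access", "technique": "T1003.001", "procedure": "LSASS memory read"},
    {"step": 4, "tactic": "lateral-movement", "technique": "T1021.002", "procedure": "admin share copy"},
    {"step": 5, "tactic": "exfiltration", "technique": "T1041", "procedure": "exfil over C2 channel"},
]
# Constructed SOC record: what the blue team prevented, alerted on, or never saw.
SAMPLE_RESULTS = {1: "missed", 2: "missed", 3: "detected", 4: "missed", 5: "prevented"}


def score_exercise(plan, results):
    """Aggregate outcomes per tactic, list the gaps, and note the first step seen.
    A step with no recorded outcome is scored as 'missed': no alert is the gap."""
    per_tactic, gaps, first_seen = {}, [], None
    for entry in plan:
        outcome = results.get(entry["step"], "missed")
        if outcome not in OUTCOMES:
            raise ValueError(f"step {entry['step']}: unknown outcome {outcome!r}")
        stats = per_tactic.setdefault(entry["tactic"], dict.fromkeys(OUTCOMES, 0))
        stats[outcome] += 1
        if outcome == "missed":
            gaps.append((entry["step"], entry["technique"], entry["procedure"]))
        elif first_seen is None:
            first_seen = entry["step"]  # how far the actor got before being seen
    return {"per_tactic": per_tactic, "gaps": gaps, "first_seen": first_seen}


def coverage_ratio(report):
    """Fraction of plan steps that were prevented or detected (0.0 to 1.0)."""
    total = seen = 0
    for stats in report["per_tactic"].values():
        total += sum(stats.values())
        seen += stats["prevented"] + stats["detected"]
    return seen / total if total else 0.0


if __name__ == "__main__":
    report = score_exercise(SAMPLE_PLAN, SAMPLE_RESULTS)
    for tactic, stats in report["per_tactic"].items():
        print(f"{tactic:18} {stats}")
    print("gaps to prioritise:", report["gaps"])
    print(f"coverage {coverage_ratio(report):.0%}; first detection at step {report['first_seen']}")
```

Feeding the same plan through a later exercise and comparing the two reports gives the over-time view of the defense that the post argues for.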

Some notable tools for adversary emulation:

Some notable tools for developing adversary emulation:

Summary

  • Adversary emulation is needed by organizations to fill the gaps in their existing security assessment activities.
  • Adversary emulation is HARD. Combining threat intelligence and adversary TTPs is not a simple task.
  • A threat-informed defense approach is needed by every organization to get a deep understanding of adversary tradecraft and technology in order to protect against, detect, and mitigate cyber-attacks.
  • Developing the Adversary Emulation Plan is a critical part of an Adversary Emulation exercise, before the defined scenarios are executed.
  • Adversary Emulation shows whether defensive capabilities succeeded or failed in preventing and responding to the simulated attack. It gives you an analysis of your organization’s strengths and weaknesses based on the results of the simulation.
  • Adversary Emulation can help you measure your organization’s cybersecurity maturity level by evaluating it across the kill chain phases of the MITRE ATT&CK framework or other relevant frameworks.


Digit Oktavianto
MII Cyber Security Consulting Services

DFIR Enthusiast ; Threat Intelligence Enthusiast ; Born to be a Blue Team ; {GEIR, GCIH, GMON, GCTI, GICSP, GCFE, eCMAP; eCTHPv2; CEH, CSA, CTIA, ECIH, CHFI}