Open Invitation to Share Cyber Threat Intelligence on APT29 for Adversary Emulation Plan and ATT&CK Evaluations

Since we publicly released ATT&CK in 2015, we’ve been working to encourage the community to share information about what adversaries are doing after they compromise an environment. We come to you today in that same spirit of information sharing to invite the community to contribute threat intelligence that will allow us to create a more realistic adversary emulation plan and evaluations that we’ll openly share back with you.

Previously, we released an APT3 Adversary Emulation Plan with a goal of allowing defenders to more effectively test their networks and defenses by empowering red teamers to emulate APT3-like behavior. This plan was based on open source reporting on the group commonly known as APT3/Gothic Panda. We then used that plan to develop a detailed set of procedures that our red teamers performed to execute Round 1 of our ATT&CK Evaluations.

We’re happy to announce that we’ve selected an adversary group for our next adversary emulation plan and the anticipated Round 2 of ATT&CK Evaluations: APT29/COZY BEAR/The Dukes.¹ This group has targeted multiple sectors across many years using advanced techniques and tailored procedures with a focus on OPSEC. APT29 makes a good choice for our next emulation since the group is relevant to many organizations and challenges our collective defenses. We hope to release more details about Round 2 in the coming weeks.

We realized as we worked on the previous APT3 plan that there are limitations with using only public reporting. There were gaps in reporting, but we decided to only use publicly available information to ensure all users of the plan can read the original reporting for themselves. Though we liked the transparency of this approach, it also meant that we had to “fill in the gaps” with our speculation about what behavior was “APT3-like.” We’ve previously noted that this is a necessary part of adversary emulation, but it meant our plan wasn’t as realistic as it could have been in a few areas.

As a result of feedback that we’ve received, we want to try a new community-driven approach to developing our next adversary emulation plan on APT29. We are asking you to share what you know about APT29 so we can create an emulation plan that better reflects what the community knows about the group — and then we’ll release the plan back to you. We intend to use that emulation plan for ATT&CK Evaluations, ensuring we test realistic adversary behaviors against vendor capabilities so you know what those tools can detect.

Here’s how we plan for this to work.

Process for community contributions to APT29 emulation plan and ATT&CK Evaluation

Community Contributions

Starting today and extending through Friday, March 15, we are requesting voluntary contributions from anyone in the community about information on APT29. If you would like to contribute, here’s the process:

  • Email us at attackevals@mitre.org with your contribution. (If you’d prefer secure means, email us there and we’ll get back to you with a secure sharing method.) You must include your real name for your information to be considered. Contributions from company accounts may add to the credibility of the information, but we are also happy to accept contributions from independent researchers.
  • We are looking for information about the group behaviors as well as the overall way they perform intrusions. Information structured using ATT&CK tactics and/or techniques is helpful, but not required.
  • Let us know how you would like to be credited. You can choose to be credited with your name and/or company name, or alternatively, you can choose to remain anonymous. For any anonymous contributors, we will work with you to produce a short statement about the general visibility you have that led to you having access to the information.
  • We will not accept any leaked, proprietary, or sensitive information that was not released with the permission of the original source. Contributions are strictly on a voluntary basis for researchers and analysts who wish to share their own information.

Contributions We’re Looking For

Here is the type of information that would be most helpful to us:

  • The behaviors or ATT&CK techniques used by the adversary, including details like command-line output or execution chain. You can see examples of what this info looks like on our Group pages, such as this one for APT29: https://attack.mitre.org/groups/G0016/.
  • The malware/software used by the group, and specifically what capabilities of that malware the group uses.
  • The priorities of the group when they first start an intrusion. (e.g. do they immediately start with Discovery? Do they grab credentials first?)
  • The ops tempo of a group (e.g. do they do a “smash and grab” and exfiltrate data quickly, or do they take a “low and slow” approach?)
  • Any other characteristics that highlight an interesting aspect of the group (e.g. tendencies/preferences such as particular command-line arguments, programming languages & syntax styles, artifact naming conventions, file types/keywords targeted during collection, etc.)

MITRE Review Process and Public Release of Plan

We will review all contributions for internal and external consistency as well as quality and plausibility. We will compare the contributions we receive with public information as well as other contributions. We will decide what intelligence meets the emulation plan standards and makes sense to be added to the plan, and for any information we use, we will credit the information to the contributor according to their wishes. For any information we include in the plan, we will allow the contributor to review that section to ensure we cited the information appropriately.

We will publicly release the APT29 adversary emulation plan for the entire community to use, with our goal being to release it in Summer 2019. We are also looking for feedback on the type of content and the format of the emulation plan to ensure it’s useful, so please reach out if you have any thoughts.

Use of Plans in ATT&CK Evaluations

We intend to use the APT29 adversary emulation plan for Round 2 of our ATT&CK Evaluations. We hope to release additional details on how to participate in Round 2 in the coming weeks. As we did with Round 1, all results from the evaluations will be released publicly to the community. By using community contributions to inform the plan and therefore the evaluations, we are making sure ATT&CK Evaluations are based on the community’s collective knowledge about adversaries. We believe this means the evaluation results will be more relevant to the community.

In Conclusion

As we seek to write better adversary emulation plans and perform more realistic ATT&CK Evaluations, we know we can’t do it alone. We’ve realized the limitations of publicly-available threat intelligence, so we’re asking you, the community, to share what you know about APT29/COZY BEAR. In return, we’ll share adversary emulation plans and ATT&CK Evaluations results back with you. We’re excited to try out this new approach to sharing information, and we hope it will ultimately help all of us strengthen our defenses based on better knowledge of what adversaries are doing. We know there will be lots of questions along the way, so please don’t hesitate to reach out to us at attackevals@mitre.org.

FAQs

Q: How do you know the information isn’t made up?
 A: We will use traditional procedures and standards for vetting and analyzing information, which include considering the source, looking for information that may be inconsistent with other information, and examining the quality of the information itself.

Q: Will you pay me for my information?
A: No, this is entirely unpaid and voluntary.

Q: Why would I give you information?
 A: We believe that sharing information about adversaries helps us all improve our defenses, and this is motivation enough for many community members. We’ve seen many generous contributors share this information with us to improve ATT&CK, and we want to give the community the same chance to improve the adversary emulation plans.

In addition to helping the community, some tangible benefits include acknowledgement in the plan as well as the chance to contribute behaviors that we may subsequently test in ATT&CK Evaluations. If there are certain behaviors you care about the team testing during the evaluations, this is one way you can let us know about that.

Q: Will MITRE publish the raw intelligence I provide?

A: We will publish whatever information you are comfortable with. We do not publish full reports in our emulation plans, but rather short snippets of information.

Q: What happens when you get conflicting intelligence?

A: Conflicting intelligence is a normal occurrence in cyber threat intelligence due to different visibility. Should this occur, we will follow up with contributors to determine if additional details can be shared about how the information was acquired and its confidence level. Should conflicting intelligence remain that we believe to be accurate, we will note the inconsistency in the adversary emulation plan.

Q: Will the intel I send also be added to ATT&CK?

A: Not necessarily. This call for contributions is focused on adversary emulations that drive our ATT&CK Evaluations, not on our main ATT&CK Group and Software pages. Our threshold for Group and Software contributions to attack.mitre.org have always been that there must be a publicly-available report for citation, and that has not changed. If you submit a publicly-available report with your contribution, we would separately be happy to discuss how that could be made into a contribution for the main ATT&CK website.

¹ We know these group names aren’t exact overlaps due to the different visibility companies have, but open source reporting is in agreement on key campaigns and malware attributed to these names.

©2019 The MITRE Corporation. ALL RIGHTS RESERVED. Approved for public release. Distribution unlimited 18–1528–34.