Adversary Emulation: Why We Do It

Amy L. Robertson
MITRE-Engenuity
Aug 17, 2023


ATT&CK Evaluations is getting ready to hit its 5-year operating milestone! While we share all of our emulation collateral in the Adversary Emulation Library and post our round results publicly, we’re taking this opportunity to kick off a series where we’ll outline our approach to adversary emulation and impart details on our methodology. Our goal with this series is to underscore Evals’ commitment to providing a transparent, publicly available methodology for threat-informed defense — and making adversary emulation more accessible for every defender.

But first, Thucydides.

The Importance of Understanding the Adversary: Origin Stories

Threat-informed defense has illuminated the significance of understanding adversary tradecraft and technology to build resilient defenses. This adversary-focused approach has a proven success record, emerging in the writings of the Greek historian Thucydides, showcased in Sun Tzu’s ‘Know your enemy’ philosophy, and featured in conflicts and maneuverings throughout history:

  • During the Greco-Persian Wars, in addition to demonstrating superior swimming skills, the Greeks achieved key advantages in battle by gaining a deep understanding of the culture and behavior patterns of their enemies.
  • Genghis Khan heavily (and savagely) leveraged adversarial intelligence gleaned from spies and defectors to strategically employ targeted disinformation, effectively manipulating rival perceptions and disrupting their decision-making processes.
  • Alan Turing recognized that human behavior played a significant role in the Enigma’s security weaknesses and exploited these behavioral errors and patterns to decipher the encoded messages.
  • Throughout the Cold War, the United States and the Soviet Union sought to glean insights into each other’s actions, intentions, and capabilities through intelligence operations, modeling adversary behavior, and diplomatic machinations.

While technology has evolved and the underlying principles of kinetic conflict aren’t always transferable to the cyber domain, human behavior has remained relatively consistent. Whether in physical clashes or cyber engagements, we aim to achieve our objectives by exploiting vulnerabilities and raising the costs for adversaries.

Mirroring the Threat: 10,000-Foot Process View

Adversary emulation provides a method for turning the tables on adversaries, effectively using their own characteristics and behaviors against them. Rather than relying on theoretical assumptions, emulation mirrors real-world behaviors, enabling us to view security through the eyes of the adversary and giving us unique insights into their mindset and tradecraft. These perspectives empower us to implement proactive defenses that alter adversaries’ decision calculus and how they perceive the benefits and costs of malicious operations.

The ATT&CK Evaluations team classifies adversary emulation as an intelligence-driven discipline. This practice strives to measure and improve cybersecurity by researching, modeling, and executing adversary tactics, techniques, and procedures (TTPs). Our Evaluations are scoped around the publicly known threats featured in ATT&CK and are anchored in the real-world tactics employed by adversaries.

We build the Evaluations in a (fully purple, collaborative) way that:

Brings the Realism: We use ATT&CK as a foundation to build emulation plans that test security products “in the style of” a specific adversary. This realism is vital for capturing critical context around a solution’s ability to detect or protect against known adversary behaviors. Each adversary emulation plan is based on comprehensive cyber threat intelligence (CTI) and modeling of the selected adversaries. We develop thorough adversary profiles that include an analysis of capabilities, resourcing, motivations and objectives, behavioral evolutions, tools, geopolitical and sociocultural impacts, constraints, and victimology.

Our targeting and victimology profiles reflect an assessment of the types of organizations or industries targeted by the adversary, their preferred victim profiles, and past victimology trends. By analyzing targeting patterns, we’re able to gain additional insight into the adversary’s motives and potential pre- and post-intrusion activities. The target profiles don’t depict one environment, but rather comprise the key characteristics of the adversary’s victim archetype. We recently published a high-level Target Organization Profile to represent the type of victim environment exploited by the adversary for the upcoming Managed Services round.

Executes the Lifecycle: We sequence and implement techniques in a logical step-by-step ordering to explore the breadth of defenses and mirror in-the-wild operations. This sequencing reflects how adversaries follow an end-to-end process, involving a chain of interconnected actions, to achieve their objectives.

Captures Adversary Nuance: The emulations go beyond simple repetition of known techniques. While many adversaries execute the same behaviors, they do so in diverse ways. We incorporate procedural variation in our emulations to capture the assorted ways that adversaries might execute the same behavior. This provides a more comprehensive and nuanced approach for understanding the effectiveness of products.

Each Evaluation features emulation content that replicates the essential ATT&CK-mapped behaviors utilized by the adversary and captures the pertinent elements necessary to generate objective insights into how products respond to in-the-wild behaviors. While rounds are scoped around the operations of specific adversaries, the selected threats can also be viewed as a representation for known adversary behavior. Even if a particular adversary isn’t on your APT-most-likely-to-target-my-organization/industry list, focusing on the underlying behaviors allows the emulations to have much broader applicability.

Next Up

We hope this post provided insight into why and how we apply adversary emulation for ATT&CK Evaluations. In the coming months, we’ll share additional context into our process for building out emulations, with the goal of making our methodology — and adversary emulation — more accessible.

© 2023 MITRE Engenuity, LLC. Approved for Public Release. Document number AT0046
