Ahhh, This Emulation is Just Right: Introducing Micro Emulation Plans

Ingrid Skoog
MITRE-Engenuity
Published in MITRE-Engenuity · Sep 15, 2022

Written by Mike Cunningham and Jamie Williams

We love adversary emulation. So much so that we’ve written about it, spoken about it, developed training on it, and continue to create and share more emulation plans (including one of the first public Adversary Emulation Plans). However, the cost and complexity of developing or even executing most adversary emulation plans have created a barrier to entry that many organizations cannot breach.

In an attempt to bring adversary emulation to a broader audience, the Center for Threat-Informed Defense (Center) partnered with AttackIQ, Inc., Booz Allen Hamilton, Inc., Citigroup Technology, Inc., Ernst & Young U.S. LLP, Fujitsu, HCA — Information Technology & Services, Inc., IBM Corporation, Microsoft Corporation, and Verizon Business Services to develop Micro Emulation Plans. These emulation plans re-imagine adversary emulation to focus on very specific threat-informed defensive objectives via easy-to-execute binaries that any user can operate.

[Image: an animated loading bar labeled “hacking”; once the bar fills, it turns into the single word “Hacked”]

How Adversary Emulation Works Today

When we look at adversary emulation today, there are four general steps that go into an operation: cyber threat intelligence (CTI) research, technique selection, offensive development, and emulation execution.

  1. CTI research is first conducted to identify an adversary that is both relevant and a significant or growing threat. After a short list of candidates is created, a deeper dive into each adversary is conducted to understand the scope, sophistication, and impact of each potential emulation plan.
  2. Once an adversary is selected, we proceed into the technique selection phase, where ATT&CK techniques from a wide range of tactics are extracted from the CTI reporting and organized into an emulation scenario.
  3. Once the ATT&CK techniques are built into a scenario, offensive development can begin. In this phase, tools/commands are developed that emulate the selected scenario.
  4. Finally, emulation execution can begin, typically carried out by an experienced red team operator.

This workflow helps produce and deliver threat-informed assessments that allow defenders to experience and learn from breach scenarios inspired by real-world threat activity. However, this four-step research-to-execution process can be time-consuming and requires a lot of coordination between several distinct skillsets.

Micro Emulation Plans: Focusing on the Good Stuff

As a tailored application of adversary emulation, micro emulation plans follow the same four steps as above, but in a more efficient way. Instead of identifying a single adversary and enumerating their many techniques to emulate, CTI research is conducted to find specific compound behaviors that are commonly abused across multiple adversaries or campaigns. Compound behaviors are a string of techniques that are part of the same adversary activity. For instance, many payloads will inject into a sacrificial process, perform an action such as executing a command, kill the sacrificial process, then repeat. Many adversaries use this “fork & run” behavior; understanding and emulating the macro-level intelligence behind such shared behaviors is what leads us to micro emulation.
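The “fork & run” compound behavior described above is also a useful detection target, since each cycle leaves a recognizable chain of events: a child process is spawned, the parent injects into it, a command runs from the injected child, and the child is terminated. The following is an added example, not code from the original post or from the Center’s plans. It correlates a constructed, simplified Sysmon-style event stream (assumed field names; event IDs 1 = ProcessCreate, 8 = CreateRemoteThread, 5 = ProcessTerminate) and reports any process that completes the full cycle at least twice, which is the “then repeat” part of the behavior that separates it from a single benign injection.

```python
"""Correlate constructed Sysmon-style telemetry into repeated "fork & run" cycles.

Added example, not part of the original post. The event schema below is an
assumption: id 1 = ProcessCreate, 8 = CreateRemoteThread, 5 = ProcessTerminate.
"""
from collections import defaultdict

# Constructed sample telemetry (not a real capture). One dict per event.
SAMPLE_EVENTS = [
    # beacon host (pid 4000) spawns sacrificial rundll32, injects, runs a command, kills it
    {"id": 1, "ts": 1, "pid": 4100, "ppid": 4000, "image": "rundll32.exe"},
    {"id": 8, "ts": 2, "src_pid": 4000, "target_pid": 4100},
    {"id": 1, "ts": 3, "pid": 4101, "ppid": 4100, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 5, "ts": 4, "pid": 4100},
    # ...then repeats with a fresh sacrificial process
    {"id": 1, "ts": 5, "pid": 4200, "ppid": 4000, "image": "rundll32.exe"},
    {"id": 8, "ts": 6, "src_pid": 4000, "target_pid": 4200},
    {"id": 1, "ts": 7, "pid": 4201, "ppid": 4200, "image": "cmd.exe", "cmdline": "cmd.exe /c net user"},
    {"id": 5, "ts": 8, "pid": 4200},
    # benign noise: explorer spawns notepad and it exits, no injection involved
    {"id": 1, "ts": 9, "pid": 5000, "ppid": 1000, "image": "notepad.exe"},
    {"id": 5, "ts": 10, "pid": 5000},
]


def find_fork_and_run(events, min_cycles=2):
    """Return {injector_pid: [cycle, ...]} for every process that completed at
    least `min_cycles` full cycles of:
        spawn child -> inject into that child -> child launches a command -> child terminates.
    Each cycle records the sacrificial pid and the command observed from it."""
    events = sorted(events, key=lambda e: e["ts"])
    spawned = {}   # child pid -> parent pid (from ProcessCreate)
    injected = {}  # sacrificial pid -> injector pid (only if injector is also its parent)
    ran_cmd = {}   # sacrificial pid -> command line launched from it after injection
    cycles = defaultdict(list)

    for e in events:
        if e["id"] == 1:
            spawned[e["pid"]] = e["ppid"]
            # a process created by an already-injected sacrificial process is the "run" step
            if e["ppid"] in injected:
                ran_cmd[e["ppid"]] = e.get("cmdline", e["image"])
        elif e["id"] == 8:
            # only count injection into a process the injector itself spawned
            if spawned.get(e["target_pid"]) == e["src_pid"]:
                injected[e["target_pid"]] = e["src_pid"]
        elif e["id"] == 5:
            pid = e["pid"]
            # termination closes the cycle only if inject and run both happened first
            if pid in injected and pid in ran_cmd:
                cycles[injected[pid]].append(
                    {"sacrificial_pid": pid, "command": ran_cmd[pid]}
                )

    return {inj: c for inj, c in cycles.items() if len(c) >= min_cycles}


if __name__ == "__main__":
    for injector, found in find_fork_and_run(SAMPLE_EVENTS).items():
        print(f"pid {injector}: {len(found)} fork & run cycles")
        for cycle in found:
            print(f"  sacrificial pid {cycle['sacrificial_pid']} ran: {cycle['command']}")
```

The design choice worth noting is the parent check in the injection step: requiring that the injector also spawned its target filters out cross-process injection into unrelated processes, which is a different behavior with its own detection logic, and keeps the rule aligned with the specific “sacrificial process” pattern the plan emulates. Running a fork & run micro plan against telemetry and then feeding the resulting events through logic like this is one way to confirm that all three event types are actually being collected.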

Technique selection is performed in the same manner as above but targeted towards just those compound behaviors of interest. The offensive development lifecycle is more focused as well. Micro emulation plans can be developed in short sprints because they are focused on a much smaller set of techniques.

Finally, execution occurs in seconds. It’s as simple as double clicking an executable. Anyone can execute a micro plan and you don’t need a complicated environment to make it happen. Adversary emulation is now accessible to any defender or organization.

What’s in the Box?

Our initial release includes nine micro emulation plans in five different areas of particular interest for defenders. Eight plans are developed for Windows, and one plan was developed for Linux.

  1. Data Sources: We wanted to include an opportunity for defenders to get a baseline on the types of data they are collecting. These plans focus on three ATT&CK-defined data sources we felt are often underrepresented: file access/modification, registry modification, and named pipes. These plans should allow a defender to test and tune how they are logging this crucial data before moving on to more adversary-focused emulations.
  2. Web shells: Many different adversaries backdoor web servers with web shells to establish persistent access to victims. These plans drop a web shell to disk, establish a network connection to the shell, then execute a series of discovery commands. For this area, we developed a plan for both Windows and Linux.
  3. Fork & Run: As mentioned above, this plan creates sacrificial processes that are then injected to execute a series of discovery commands. This is similar to what you would see from typical beacon payloads.
  4. Post-Phishing User Execution: These plans execute behaviors that are likely to occur after a malicious payload has been delivered to a user. We created three different emulations based on different payload types that our emulated “user” will execute: the traditional malicious Office macro, the slightly less traditional but still present .lnk file, and the increasingly popular .iso container.
  5. Active Directory Enumeration: This plan generates the telemetry associated with some common Active Directory discovery behaviors you would see before privilege escalation and/or lateral movement. This plan will execute in any environment, but complete results will only be returned if it is executed within a domain.
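The Data Sources plans are meant to be run before the adversary-focused ones so a defender can confirm that file, registry, and named pipe telemetry actually reaches the log pipeline. The following is an added example (not code from the post or the Center’s plans) of the kind of coverage check that fits after such a run: it scans a constructed log sample for Sysmon event IDs mapped to the three data sources (11/2/23 for file create, timestamp change and delete; 12/13/14 for registry key and value changes; 17/18 for pipe created and connected) and reports which sources produced nothing. The mapping and the log format are assumptions chosen for this example.

```python
"""Coverage check for the three ATT&CK data sources the Data Sources micro plans target.

Added example, not the Center's code. Assumes Sysmon-style "EventID=<n>" tokens
in each log line and the event-ID-to-data-source mapping below.
"""
DATA_SOURCE_EVENT_IDS = {
    "File: Access/Modification": {2, 11, 23},   # FileCreateTime, FileCreate, FileDelete
    "Registry: Modification": {12, 13, 14},     # key create/delete, value set, rename
    "Named Pipe": {17, 18},                     # pipe created, pipe connected
}

# Constructed sample log (not real telemetry): file and registry events present,
# no pipe events, which is exactly the gap the check should surface.
SAMPLE_LOG = """\
EventID=1 Image=C:\\Windows\\System32\\cmd.exe
EventID=11 TargetFilename=C:\\Users\\Public\\emulation.txt
EventID=13 TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\emu
EventID=1 Image=C:\\Windows\\System32\\whoami.exe
"""


def parse_event_ids(log_text):
    """Extract every EventID value from the log, ignoring malformed tokens."""
    ids = []
    for line in log_text.splitlines():
        for token in line.split():
            if token.startswith("EventID="):
                value = token.split("=", 1)[1]
                if value.isdigit():
                    ids.append(int(value))
    return ids


def coverage_report(log_text):
    """Map each data source to True if at least one of its event IDs was logged."""
    seen = set(parse_event_ids(log_text))
    return {name: bool(seen & ids) for name, ids in DATA_SOURCE_EVENT_IDS.items()}


def missing_sources(log_text):
    """List the data sources that produced no events, in mapping order."""
    return [name for name, ok in coverage_report(log_text).items() if not ok]


if __name__ == "__main__":
    for name, ok in coverage_report(SAMPLE_LOG).items():
        print(f"{'OK     ' if ok else 'MISSING'}  {name}")
```

A silent gap here usually points at a collection or configuration problem (for example, an event type that is generated on the host but filtered before it reaches the SIEM) rather than at the plan, which is why the authors suggest tuning this layer before moving on to the behavior-focused plans.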

How can these be used?

We designed micro emulation plans with defenders in mind who might not have access to a sophisticated red team. These plans can be executed manually from a command-line, with a simple double-click, or through existing red team tools. On our GitHub page, you can see a walkthrough of how to integrate micro emulation plans into another tool (using CALDERA as an example), but our plans should be compatible with any breach and attack simulation solution. Within seconds of execution, a defender can generate and begin learning from the emulation telemetry. Each plan includes documentation covering:

  • Description of Emulated Behaviors: What are we doing?
  • CTI / Background: Why should you care?
  • Execution Instructions / Resources, including a demo and how to customize each micro plan: How do I run it?
  • Defensive Lessons Learned, highlighting both detection and mitigation opportunities: What can I do next?

The Future of Adversary Emulation

Are micro emulation plans the solution to every challenge presented by traditional adversary emulation? Absolutely not, but they are a low-effort, high-impact option to consider when developing an emulation plan.

We still strongly value complete adversary emulation plans for their ability to give defenders a more complete idea of what a breach feels like. We also love the work by Atomic Red Team because it’s fast, it’s easy to execute, and it allows defenders to focus on a wide range of unit testing. However, we believe that micro emulation plans fill the missing piece between the two. Defenders can use micro emulation plans to easily and quickly test their defenses against threat-informed and crafted groupings of adversary techniques.

To ensure that micro emulation plans are easily accessible, we have added them to the Adversary Emulation Library. We consider this just a start and plan to develop additional micro emulation plans over time. If you have ideas of any compound behaviors that should be emulated, we would love to hear from you! Don’t worry, we’ll be keeping an eye out for new ideas, too. You can also open an issue on our GitHub page or send us an email at ctid@mitre-engenuity.org.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2022 MITRE Engenuity. Approved for Public Release. Document number CT0054.

Ingrid Skoog, MITRE-Engenuity: Director of Research & Development, The Center for Threat-Informed Defense