Written by Jon Baker and Forrest Carver.
The Center for Threat-Informed Defense (Center) is excited to announce one of our first major initiatives — a public library of adversary emulation plans. Our structured library of adversary emulation plans is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. We have brought together the combined knowledge and expertise of our Center Participants to build upon MITRE Engenuity’s ATT&CK Evaluations program and MITRE ATT&CK® to create these intelligence-driven resources.
Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. To develop each plan, we research and model each threat actor, focusing not only on what they do (e.g., gather credentials from victims) but also how (using what specific tools, utilities, or commands?) and when (during what stage of a breach?). We then develop emulation content that mimics the underlying behaviors used by the threat actor (i.e., not an exact representation, but rather one that captures the pertinent elements and generates appropriate test telemetry for defenders). This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.
MITRE’s focus on building adversary emulation plans started with the release of the APT3 Emulation Plan in 2017. The APT3 plan used three general phases: initial compromise/setup, network propagation, and collection/exfiltration. To give a general sense of the emulated behavior, these phases were briefly described in terms of the adversary’s intended goal and, more importantly, how the threat actor achieves that goal.
MITRE’s approach to adversary emulation has evolved since that initial publication, driven by experience in the ATT&CK Evaluations program, numerous purple team engagements, and community feedback. The ATT&CK Evaluations adversary emulation plans have become a popular resource for red teams and purple teams to use for testing their defenses, but their structure needs refinement for broad use beyond the ATT&CK Evaluations program. The Center’s Participant-funded collaborative research and development program recognizes the value of these adversary emulation plans and the need to come together to refine the model and develop a more robust collection of adversary emulation plans for the community.
Improvements Over Time
Our methodology has always focused on capturing an adversary’s publicly attributed techniques, then chaining those techniques together into a logical series of actions that are inspired by how the adversary has acted in the past. As the MITRE team progressed through additional Rounds of ATT&CK Evaluations, both the process to create emulation plans and the plans themselves matured.
The ATT&CK Evaluations APT29 Emulation Plan signaled a significant evolution in the process and established a close-to-ideal structure for the components that make up an emulation plan. Those were:
- Intelligence Summary: An overview of the adversary and references to cited Intelligence
- Operational Flow: Chains techniques together into a logical flow of the major steps that commonly occur across the selected adversary’s operations
- Emulation Plan: The TTP-by-TTP, command-by-command walkthrough to implement the adversary’s operational tradecraft as described in the Intelligence Summary and the Operational Flow
Converging on One Format to Increase Impact
Now is the time to establish a public library of adversary emulation plans based on a consistent methodology and structure. Adversary emulation plans require a substantial amount of time, expertise, and effort to develop, including cyber threat intelligence (CTI) research, TTP analysis, ATT&CK mapping, custom tool development (when required), test range setup, emulation plan development, testing, and final quality review. The variety of methodologies and representations used for existing plans undermines their utility and increases the burden on users.
With additional adversary emulation plans under development and planned for the future, there is a significant opportunity to increase our overall impact by defining a common methodology and consistent structure, with a single focal point for accessing these adversary emulation plans. These crucial steps will maximize reusable resources by ensuring that adversary emulation plans are consistent and easily accessible to consumers, and by reducing the overall cost for organizations to use adversary emulation to test their defenses. Ultimately, our goal is to significantly increase the number of organizations worldwide that routinely evaluate their defenses against real-world adversary behavior, which should, in turn, help improve their security posture.
Adversary Emulation Plan Template
After reviewing previous work on adversary emulation, and using the APT29 Plan as a template, the Center’s team identified the following main imperatives for a common emulation plan template:
- The sections defined as part of the APT29 plan would endure: Intelligence Summary, Operations Flow, and Emulation Plan.
- The emulation plan format must be widely accessible, easily updatable, and track modification history over time.
- The emulation plan must follow a set of CTI-informed scenarios, fitting the motivations and typical objectives of the selected threat.
- The emulation plan must include a human-readable, command-by-command version for organizations and teams to easily follow the implementation.
- The emulation plan must include a machine-readable representation to enable automated parsing/execution of the emulation plan. This representation should be compatible with other accepted industry approaches to adversary automation.
Based on those imperatives, we iterated on the APT29 format and landed on the following structure:
- GitHub would be used to develop and publish all emulation plans.
- The main emulation plan components (Intelligence Summary, Operations Flow, and human-readable Emulation Plan) would be written in Markdown to ensure ease of access and ease of update, and to enable GitHub modification history tracking.
- The machine-readable Emulation Plan representation would be implemented in YAML. The YAML format would be as consistent as possible with accepted industry approaches to automated emulation. In the case of our YAML format, we started from the established Red Canary Atomic Red Team format but made some modifications to capture the threat intelligence that informs the emulation and to ensure a direct correlation between the human-readable and machine-readable versions of the Emulation Plan.
- The library would be licensed under the Apache 2.0 license to maximize the use and adaptation of the plans by the community.
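The structure above calls for a human-readable Markdown walkthrough and a machine-readable YAML representation that correlate step for step, each step mapped to ATT&CK and tied back to the CTI that informed it. The following is an added example (not code from the Center or the library) of the kind of consistency check a plan maintainer could run before publishing: it validates a machine-readable plan and cross-references it against the Markdown walkthrough. The field names (`id`, `technique`, `cti_source`, `command`), the `## Step` / `Command:` Markdown layout, and the sample plan contents are all constructed for this example and are not the library's published schema; the machine-readable plan is shown as the Python structure a YAML loader would return, so the script runs without a YAML library.

```python
import re

# Constructed sample: the structure yaml.safe_load would return for a
# hypothetical machine-readable plan. Field names are assumptions made
# for this example, not the library's schema.
MACHINE_PLAN = {
    "adversary": "EXAMPLE-ACTOR",
    "steps": [
        {"id": "1.A", "technique": "T1033",
         "cti_source": "https://example.invalid/report-1",
         "executor": "cmd", "command": "whoami"},
        {"id": "1.B", "technique": "T1082",
         "cti_source": "https://example.invalid/report-1",
         "executor": "cmd", "command": "systeminfo"},
        # Deliberate defects: malformed technique ID, no CTI citation, and a
        # command that drifted from the Markdown walkthrough.
        {"id": "2.A", "technique": "1059",
         "cti_source": "",
         "executor": "powershell", "command": "Get-Process"},
    ],
}

# Constructed human-readable walkthrough in a hypothetical Markdown layout.
# Step 2.B exists only here, so the two representations disagree.
MARKDOWN_PLAN = """\
## Step 1.A Discovery: current user
Command: `whoami`

## Step 1.B Discovery: system information
Command: `systeminfo`

## Step 2.A Execution: enumerate processes
Command: `Get-Process | Select-Object Name`

## Step 2.B Discovery: host name
Command: `hostname`
"""

STEP_HEADING = re.compile(r"^## Step (\S+)")
COMMAND_LINE = re.compile(r"^Command: `(.+)`\s*$")
# ATT&CK technique IDs look like T1059 or, for sub-techniques, T1059.001.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")


def parse_markdown_steps(md):
    """Map each step id in the Markdown walkthrough to its command."""
    steps = {}
    current = None
    for line in md.splitlines():
        heading = STEP_HEADING.match(line)
        if heading:
            current = heading.group(1)
            steps[current] = None
            continue
        command = COMMAND_LINE.match(line)
        if command and current:
            steps[current] = command.group(1)
    return steps


def check_plan(machine, md):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    md_steps = parse_markdown_steps(md)
    seen = set()
    for step in machine["steps"]:
        sid = step.get("id", "<missing id>")
        seen.add(sid)
        if not TECHNIQUE_ID.match(step.get("technique", "")):
            findings.append(
                f"{sid}: technique {step.get('technique')!r} is not a valid ATT&CK ID")
        if not step.get("cti_source"):
            findings.append(f"{sid}: no CTI source cited")
        if sid not in md_steps:
            findings.append(f"{sid}: present in YAML but not in the Markdown walkthrough")
        elif md_steps[sid] != step.get("command"):
            findings.append(f"{sid}: command differs between YAML and Markdown")
    for sid in md_steps:
        if sid not in seen:
            findings.append(f"{sid}: present in Markdown but not in YAML")
    return findings


if __name__ == "__main__":
    for finding in check_plan(MACHINE_PLAN, MARKDOWN_PLAN):
        print(finding)
```

Run against the constructed sample, the check reports the three defects planted in step 2.A and the Markdown-only step 2.B. The same shape of check, wired into the repository's continuous integration, is one way to keep the "direct correlation" between the two representations from eroding as plans are updated.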
The Adversary Emulation Plan Library
The Center, working in collaboration with Center Participants, will periodically develop and release new adversary emulation plans to this library. In addition, the Center will also work to transform some of MITRE’s previously published emulation plans into this new format. Over time, we will continually evolve these plans to best suit human and machine consumption for testing defenses based on real-world adversary behaviors.
Ultimately this library will have strong, cross-industry, public interest impact by enabling any team or organization to easily assess their own environments using emulation plans, and then use the results to prioritize investments to improve their organization’s cybersecurity posture. We hope to enable industry innovation around these plans by supporting use cases like automated import of the library into purple team collaboration tools and breach and attack simulation tools.
On September 15th, we will release the library’s first adversary emulation plan!
About the Center for Threat-Informed Defense
The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Currently composed of 23 Participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.
© 2020 MITRE Engenuity. Approved for Public Release. Document number CT0005