Adversary Emulation with MITRE ATT&CK

Adversary Emulation with MITRE ATT&CK

by Drinor Selmanaj
Released April 2024
Publisher(s): O'Reilly Media, Inc.
ISBN: 9781098169473

Read it now on the O’Reilly learning platform with a 10-day free trial.

O’Reilly members get unlimited access to books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Book description

By incorporating cyber threat intelligence, adversary emulation provides a form of cybersecurity assessment that mimics advanced persistent threat (APT) tactics, techniques, and procedures (TTPs). This comprehensive guide introduces an empirical approach with strategies and processes collected over a decade of experience in the cybersecurity field. You'll learn to assess resilience against coordinated and stealthy threat actors capable of harming an organization.

Author Drinor Selmanaj demonstrates adversary emulation for offensive operators and defenders using practical examples and exercises that actively model adversary behavior. Each emulation plan includes different hands-on scenarios, such as smash-and-grab or slow-and-deliberate. This book uses the MITRE ATT&CK knowledge base as a foundation to describe and categorize TTPs based on real-world observations and provides a common language that's standardized and accessible to everyone.

You'll learn how to:

  • Map cyber threat intelligence to ATT&CK
  • Define adversary emulation goals and objectives
  • Research adversary emulation TTPs using ATT&CK knowledge base
  • Plan adversary emulation activity
  • Implement adversary tradecraft
  • Conduct adversary emulation
  • Communicate adversary emulation findings
  • Automate adversary emulation to support repeatable testing
  • Execute FIN6, APT3, and APT29 emulation plans

Publisher resources

View/Submit Errata

Table of contents

  1. Preface
    1. Who This Book Is For
    2. Goals of the Book
    3. How the Book Is Organized
    4. Hands-on Approach
    5. Conventions Used in This Book
    6. Using Code Examples
    7. O’Reilly Online Learning
    8. How to Contact Us
    9. Acknowledgments
  2. I. Understanding Adversary Emulation
  3. 1. Introduction
    1. Know Your Attackers
    2. Maximizing Adversary Cost
    3. Adversary-Inspired Testing
    4. Drawbacks of Traditional Security Assessments
    5. Types of Security Assessments
      1. Vulnerability Scanning
      2. Vulnerability Assessment
      3. Penetration Testing
      4. Red Team
      5. Blue and Purple Teams
    6. Adversary Emulation Fundamentals
      1. Importance of Adversary Emulation
      2. Framework and Evaluations for Adversary Emulation
      3. Benefits of Adversary Emulation
      4. Transparency and Relevance
      5. Engagement Planning
      6. Adversary Emulation Plan
    7. Summary
  4. 2. Advanced Persistent Threats
    1. Mechanics of Motivation
      1. Accidental Threats
      2. Coercion
      3. Disgruntlement
      4. Dominance
      5. Ideology
      6. Notoriety
      7. Organizational Gain
      8. Personal Financial Gain
      9. Personal Satisfaction
      10. Unpredictable Threats
    2. Deception
      1. Deceptive Communication
      2. Deceptive Appearance
    3. APT Attribution
      1. Authorization Process for Cyber Operations
      2. From Intellectual Property Theft to Indictment
      3. Defining Key Terms in Attribution
      4. Data Collection
      5. Analysis
      6. Origin Attribution
      7. APT Doxing
    4. Summary
  5. 3. Dissecting Frameworks and Strategies
    1. ATT&CK Framework
      1. ATT&CK Matrix
      2. Technology Domains
      3. Navigating the Platform
      4. Tactics
      5. Techniques, Sub-Techniques, and Procedures
      6. Software and Mitigations
      7. Groups and Campaigns
      8. Data Sources
      9. Object Model Relationships
    2. Customizing and Extending ATT&CK
      1. Limitations and Boundaries
      2. Accessing ATT&CK in Python
    3. Threat-Informed Defense
      1. Threat Intelligence in Modern Defense
      2. Challenges
      3. Best Practices
      4. Tools and Technologies
      5. Enhancing Security Through Understanding
    4. Integrating MITRE ATT&CK and the NIST CSF
    5. Using ATT&CK to Protect Against Cyber Threats
    6. Summary
  6. 4. The Adversary’s Modus Operandi
    1. Reconnaissance
      1. Active Scanning (T1595)
      2. Gather Victim Identity Information (T1589)
      3. Search Closed Sources (T1597)
    2. Resource Development
      1. Acquire Infrastructure (T1583)
      2. Develop Capabilities (T1587)
      3. Establish Accounts (T1585)
    3. Initial Access
      1. Drive-by Compromise (T1189)
      2. Exploit Public-Facing Application (T1190)
      3. Phishing (T1566)
      4. Supply Chain Compromise (T1195)
    4. Execution
      1. Command and Scripting Interpreter (T1059)
      2. Exploitation for Client Execution (T1203)
      3. Software Deployment Tools (T1072)
    5. Persistence
      1. Account Manipulation (T1098)
      2. BITS Jobs (T1098)
      3. Compromise Client Software Binary (T1554)
    6. Privilege Escalation
      1. Exploitation for Privilege Escalation (T1068)
      2. Domain Policy Modification (T1484)
    7. Defense Evasion
      1. Deobfuscate/Decode Files or Information (T1140)
      2. Masquerading (T1036)
      3. Indirect Command Execution (T1202)
    8. Credential Access
      1. Brute Force (T1110)
      2. Network Sniffing (T1040)
      3. OS Credential Dumping (T1003)
    9. Discovery
      1. Account Discovery (T1087)
      2. Browser Information Discovery (T1217)
      3. System Network Connections Discovery (T1049)
    10. Lateral Movement
      1. Exploitation of Remote Services (T1210)
      2. Replication Through Removable Media (T1091)
      3. Use Alternate Authentication Material (T1550)
    11. Collection
      1. Automated Collection (T1119)
      2. Archive Collected Data (T1560)
      3. Data from Network Shared Drive (T1039)
    12. Command and Control
      1. Application Layer Protocol (T1071)
      2. Ingress Tool Transfer (T1105)
      3. Proxy (T1090)
    13. Exfiltration
      1. Exfiltration over Alternative Protocol (T1048)
      2. Scheduled Transfer (T1029)
      3. Transfer Data to Cloud Account (T1537)
    14. Impact
      1. Data Encrypted for Impact (T1486)
      2. Endpoint Denial of Service (T1499)
      3. System Shutdown/Reboot (T1529)
    15. Summary
  7. 5. In-the-Wild Use of ATT&CK TTPs
    1. Step-by-Step Procedures
      1. Executing a Spearphishing Attachment
      2. Demystifying Command and Scripting Interpreter
      3. Modify SSH Authorized Keys
      4. Deobfuscate/Decode Files or Information
      5. How Threat Actors Conceal Their Artifacts
      6. Password Spray All Domain Users
      7. Delving into Network Communications
      8. OS Credential Dumping
      9. Uncovering Local and Domain Users
      10. How to Propagate Through Removable Media
      11. Abusing Alternate Authentication Protocols
      12. Harnessing Automation
      13. SSH for Exfiltration over Alternative Protocol
      14. Data Held Hostage Using GPG
    2. Active Learning Experience
      1. Architecture and Components
      2. Environment Setup
    3. Putting Theory to the Test
      1. Network and Host Exploration
      2. Brute-Forcing with Hydra
      3. Executing Malicious Payload in Froxlor
      4. Fabricating Logfiles to Inject Malicious Code
      5. Execution via Command and Scripting Interpreter
      6. Discovery Through Command-Line Analysis
      7. Jumping Across Remote Services
      8. Hijacking Linux Shared Directories
      9. Capability Development for Resource Creation
      10. Compromising System Security with PAM Backdoor
      11. Stealthy Data Archiving
      12. Application Layer Protocol for Command and Control
      13. Alternative Protocol Exfiltration
      14. Ransomware Impact
    4. Summary
  8. 6. The Power of Visualization
    1. ATT&CK Navigator
      1. Customizing Matrix with Layers
      2. Editing and Sorting Layers
      3. Navigating and Annotating Techniques in the Interface
      4. Selecting Techniques
      5. Customizing the Navigator
      6. Understanding Dragonfly Tactics
    2. Attack Flow
      1. Operations Teams
      2. Attack Flow Analysis
    3. Cyberattack on a NATO Member
    4. Summary
  9. 7. Cyber Threat Intelligence
    1. Data Acquisition
      1. Data Sources
      2. Ethics of Data Acquisition
    2. Processing and Enrichment
      1. Apache Kafka
    3. Adversary Mapping
      1. Using Narrative Reports to Map Intelligence
      2. Intelligence Mapping from Raw Data
    4. Predictive Threat Intelligence with AI
      1. Machine Learning for Predictive Analysis
      2. Deep Learning for Pattern Recognition
      3. Natural Language Processing for Text Analysis
      4. Voice Synthesis and Caller ID Spoofing
      5. AI in Fraud Detection
    5. CTI and Digital Warfare
      1. Geopolitical Impact
      2. Key Players
      3. Creating an Effective Threat Intelligence Program
    6. Summary
  10. II. Adversary Emulation Operations
  11. 8. Establishing Goals for Adversary Emulation
    1. Understanding Engagement Purpose
      1. Effective Communication
      2. Diverse Stakeholder Expectations
      3. Insufficient Understanding of the Threat Landscape
      4. Undefined Security Goals
      5. Limited Awareness of the Organization’s Security Posture
      6. Resistance from Stakeholders
      7. Lack of Resources
    2. Assessing Suitability for Adversary Emulation
      1. Organizational Readiness
      2. Educate People About Adversary Emulation
      3. Explore Alternatives
      4. Plan for the Future
    3. Interviewing Relevant Stakeholders
      1. Harnessing Global Perspectives
      2. Building Long-Term Relationships
      3. Future Direction
      4. Creating a Culture of Open Communication
    4. Brainstorming Threat Scenarios
      1. The Anatomy of Potential Attacks
      2. The Gateway to Threat Exploitation
      3. A Strategic Approach to Prioritizing Protection Efforts
      4. Adaptive Response to Dynamic Cyber Threats
    5. Document Engagement Objectives
      1. SMART Criteria for Effective Engagement Objectives
      2. Examples of Engagement Objectives
    6. Summary
  12. 9. Researching Adversary Tradecraft
    1. From Surface-Level Tactics to Deep-Dive Procedures
    2. Developing Adversary Profiles
      1. Why Profiling Is Important
      2. Profiling Methodologies
      3. Aggregating Adversary Data
    3. Selecting an Adversary for Emulation
      1. Consequences of Improper Selection
      2. Analyzing the Adversary’s Geographies and Sectors
      3. Deciphering the Goals Behind the Actions
    4. Assembling the TTP Outline
      1. Overview of the Adversary’s Known TTPs
      2. Importance of Maintaining a TTP Repository
      3. Organizing and Categorizing TTPs
      4. The Strategic Role of a TTP Outline
      5. Building a Comprehensive TTP Outline
      6. Review and Adjustment
    5. Summary
  13. 10. Engagement Planning
    1. Understanding the Financial Aspects
    2. The Scope of Engagement
    3. Schedule, Duration, and Frequency
    4. Rules of Engagement
    5. Approving Authorities
    6. Human Resource Planning
    7. Equipment and Software Cost
    8. Cross-Departmental Collaboration
    9. Communication Plan
    10. Engagement Notifications
    11. Summary
  14. 11. Implementing Adversary Tradecraft
    1. Setting Up the Lab Environment
    2. Splunk Attack Range
      1. Setting Up Splunk Attack Range
    3. TTP Development Life Cycle
    4. Adversary Emulation Plan
      1. Threat Actors Intelligence Summary
      2. Visualization of the Emulation Journey
      3. Adversary Arsenal
    5. Testing TTPs in the Lab
    6. Map Detection and Mitigation
    7. Summary
  15. 12. Executing Adversary Tradecraft
    1. Review TTP Implementation
    2. Execute Adversary TTPs
    3. Prelude Operator
    4. Observe and Document TTP Results
    5. Report Findings
    6. Measuring the Effectiveness
    7. Summary
  16. 13. Adversary Emulation Resources
    1. Adversary Emulation Library
    2. Introduction to Caldera
      1. Plug-in Library
      2. Parsers
      3. Relationships
      4. Objectives
      5. Operation Results
    3. Atomic Red Team
    4. BadBlood
    5. Summary
  17. III. Hands-on Adversary Emulation
  18. 14. FIN6 Emulation Plan
    1. Mission Essentials
    2. FIN6 Initial Access
    3. FIN6 Discovery
      1. Domain Account (T1087.002)
      2. Remote System Discovery (T1018)
      3. Domain Trust Discovery (T1482)
      4. System Network Configuration Discovery (T1016)
      5. Domain Groups (T1069.002)
    4. FIN6 Privilege Escalation and Credential Access
      1. Access Token Manipulation (T1134)
      2. LSASS Memory (T1003.001)
      3. NTDS (T1003.003)
      4. LSASS Memory—Windows Credential Editor (T1003.001)
    5. FIN6 Collection and Exfiltration
      1. Archive via Utility (T1560.001)
      2. Exfiltration over Unencrypted Non-C2 Protocol (T1048.003)
    6. FIN6 Emulation Epilogue
    7. Summary
  19. 15. APT3 Emulation Plan
    1. Mission Essentials
    2. APT3 Initial Access
    3. APT3 Discovery
    4. APT3 Defense Evasion
    5. APT3 Privilege Escalation
    6. APT3 Credential Access
    7. APT3 Persistence
    8. APT3 Execution and Lateral Movement
    9. Summary
  20. 16. APT29 Emulation Plan
    1. Mission Essentials
    2. APT29 Initial Access
    3. APT29 Speedy Data Retrieval and Stealth Insertions
      1. Preliminary Data Harvesting
      2. Clandestine Utility Rollout
    4. APT29 Defense Evasion and Discovery
    5. Persistence
    6. Credential Access
    7. APT29 Execution for Lateral Movement
    8. Summary
  21. About the Author

Product information

  • Title: Adversary Emulation with MITRE ATT&CK
  • Author(s): Drinor Selmanaj
  • Release date: April 2024
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781098169473