The Value of Attack Emulation

Vladyslav Diadenko
5 min read · Nov 3, 2024


Source for this document: Continuous End-to-End Detection Validation and Reporting — presented by Carrie Roberts

In cybersecurity, there are crucial questions that need to be answered, such as: “What value does each of our security products provide?” Answering this is essential for deciding where to allocate resources so that they deliver the most value and the strongest protection against adversaries. When comparing different products, it is crucial to rely on actual data rather than potentially biased opinions.

We often hear about new ransomware attacks targeting hospitals or organizations in the news, which serves as a stark reminder of the real threat these attacks pose. This raises important questions: How would we respond if such an attack targeted us? Could we be the next victim? These uncertainties can be concerning, especially if we feel unprepared.

To better equip ourselves, it’s crucial to assess our readiness. What steps should we take to enhance our preparedness? Where are our weaknesses or gaps in defense? What specific detections do we need to develop or improve? Most importantly, can we be confident that our existing detection mechanisms are effective?

Addressing these questions requires more than hope or assumptions; we need concrete data and a proactive strategy to bolster our security posture.

Returning to the initial question, “What value does each of our security products provide?”: rather than relying solely on opinions, it is beneficial to use a dashboard that presents real measurement data. This approach lets us show tangible metrics derived from actual performance, enabling an objective evaluation of our security investments.

We can observe that Product A prevents and detects a significant number of techniques known to be used by attackers, in comparison to Product B and Product C. By examining this data in detail, we can identify overlaps where certain products already cover the capabilities of others.

Returning to the specific questions like “Are we protected against attack group XYZ?” or “What detections do we need to create?”, it is crucial to leverage the MITRE ATT&CK matrix, which catalogs the tactics and techniques known to be used by adversaries globally to target organizations.

Elastic Security MITRE ATT&CK matrix view

By leveraging the MITRE ATT&CK matrices, we can apply heat maps to visualize detection coverage, as demonstrated in the example above. Dark green areas indicate solid coverage for specific techniques or threat groups.

When identifying areas for new detections, we can focus on the lighter-colored sections (indicating low coverage) and prioritize efforts to enhance our preparedness in those specific areas. This approach enables us to address the question, “Are we sure our detections are working?” more effectively.

To confidently answer these questions using provided data, we can adopt a proactive approach. We can compile all known tactics and techniques used by adversaries and develop scripts to emulate these behaviors. These scripts can then be continuously run on representative systems, such as executing all emulations on a weekly basis.

The collected data from these executions can be integrated with our cybersecurity products to assess their response capabilities. This process enables us to validate the effectiveness of our detections and defenses against real-world attack techniques.

By continuously testing and integrating emulated attack scenarios with our security systems, we enhance our readiness to address emerging threats and confidently validate our security posture.

One of the primary free and open-source tools for conducting red team tests and emulations is Atomic Red Team, available at https://github.com/redcanaryco/atomic-red-team. This framework can be utilized alongside Invoke-AtomicRedTeam (https://github.com/redcanaryco/invoke-atomicredteam), which facilitates the execution of emulations.

To track and gather statistics on these emulation tests, we can use VECTR. VECTR allows for the collection of comprehensive statistics, including data on tests that were blocked, alerted, or logged, providing valuable insights into our security posture.

By leveraging these tools together, we can systematically conduct and track red team emulations, ensuring robust testing of our cybersecurity defenses and enhancing our overall readiness against potential threats.
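The loop described above (run emulations on representative hosts, collect what each security product did, then feed the result into the per-product dashboard and the per-technique heat map) can be prototyped in a few dozen lines. The following is an added example written for this article; it is not code from Atomic Red Team, Invoke-AtomicRedTeam or VECTR. The run and event record layouts, the product names A/B/C, the host names and the timestamps are all constructed for the illustration and do not match any real execution-log or VECTR import format. It borrows only VECTR's blocked/alerted/logged outcome vocabulary from the text.

```python
"""Correlate emulated-attack executions with security-product telemetry.

Added example, not from the original post or from Atomic Red Team / VECTR.
The record layouts below are constructed for this illustration; they are not
the real Invoke-AtomicTest execution log or the VECTR import format.
"""
from datetime import datetime, timedelta

# Rank of a product's response; higher means the product did more.
OUTCOME_RANK = {"none": 0, "logged": 1, "alerted": 2, "blocked": 3}

# Constructed emulation run: one row per atomic test executed on a host.
EMULATION_RUNS = [
    {"guid": "run-0001", "technique": "T1059.001", "host": "ws01", "start": "2024-11-03T10:00:00"},
    {"guid": "run-0002", "technique": "T1003.001", "host": "ws01", "start": "2024-11-03T10:05:00"},
    {"guid": "run-0003", "technique": "T1053.005", "host": "srv02", "start": "2024-11-03T10:10:00"},
    {"guid": "run-0004", "technique": "T1547.001", "host": "ws01", "start": "2024-11-03T10:15:00"},
]

# Constructed telemetry from three products: which host, when, how it responded,
# and which ATT&CK technique the product itself tagged the event with.
PRODUCT_EVENTS = [
    {"product": "A", "host": "ws01", "time": "2024-11-03T10:00:12", "response": "alerted", "technique": "T1059.001"},
    {"product": "B", "host": "ws01", "time": "2024-11-03T10:00:30", "response": "logged", "technique": "T1059.001"},
    {"product": "A", "host": "ws01", "time": "2024-11-03T10:05:03", "response": "blocked", "technique": "T1003.001"},
    {"product": "C", "host": "ws01", "time": "2024-11-03T10:05:20", "response": "alerted", "technique": "T1003.001"},
    {"product": "B", "host": "srv02", "time": "2024-11-03T10:10:40", "response": "logged", "technique": "T1053.005"},
    # Noise that must not be credited: same technique on the wrong host, and
    # the right host but well outside the run's time window.
    {"product": "A", "host": "srv02", "time": "2024-11-03T10:15:10", "response": "alerted", "technique": "T1547.001"},
    {"product": "C", "host": "ws01", "time": "2024-11-03T11:30:00", "response": "blocked", "technique": "T1547.001"},
]


def correlate(runs, events, window=timedelta(minutes=2)):
    """Map each run GUID to {product: strongest response seen in the window}.

    An event is credited to a run only if host and technique match and the
    event time falls within `window` after the run started.
    """
    results = {}
    for run in runs:
        start = datetime.fromisoformat(run["start"])
        per_product = {}
        for ev in events:
            if ev["host"] != run["host"] or ev["technique"] != run["technique"]:
                continue
            seen_at = datetime.fromisoformat(ev["time"])
            if not (start <= seen_at <= start + window):
                continue
            prev = per_product.get(ev["product"], "none")
            if OUTCOME_RANK[ev["response"]] > OUTCOME_RANK[prev]:
                per_product[ev["product"]] = ev["response"]
        results[run["guid"]] = per_product
    return results


def product_scorecard(runs, correlated, products):
    """Count blocked / alerted / logged / none per product: the dashboard view."""
    card = {p: {k: 0 for k in OUTCOME_RANK} for p in products}
    for run in runs:
        seen = correlated[run["guid"]]
        for p in products:
            card[p][seen.get(p, "none")] += 1
    return card


def technique_coverage(runs, correlated):
    """Best response any product gave per technique: the heat-map cell value."""
    best = {run["technique"]: "none" for run in runs}
    for run in runs:
        for resp in correlated[run["guid"]].values():
            if OUTCOME_RANK[resp] > OUTCOME_RANK[best[run["technique"]]]:
                best[run["technique"]] = resp
    return best


def detection_gaps(coverage, minimum="alerted"):
    """Techniques whose best response is below `minimum`: the light areas."""
    return sorted(t for t, r in coverage.items() if OUTCOME_RANK[r] < OUTCOME_RANK[minimum])


if __name__ == "__main__":
    matched = correlate(EMULATION_RUNS, PRODUCT_EVENTS)
    for product, counts in product_scorecard(EMULATION_RUNS, matched, ["A", "B", "C"]).items():
        print(f"Product {product}: {counts}")
    coverage = technique_coverage(EMULATION_RUNS, matched)
    print("Coverage:", coverage)
    print("Gaps needing new detections:", detection_gaps(coverage))
```

Two design points carry over to a real deployment. First, credit is given only when host, technique and time window all agree, so a product that happens to fire on the same technique elsewhere does not inflate its score. Second, "logged" and "none" are deliberately kept apart: a technique that is only logged is still a gap for the "are our detections working?" question, but the log tells the detection engineer that the telemetry exists and a rule can be built on it, whereas "none" means the data source itself is missing.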

The Pyramid of Pain, pioneered by David J. Bianco, is a conceptual framework that categorizes the effectiveness of detection techniques based on their impact on adversaries. This model illustrates that higher fidelity indicators, such as specific TTPs (Tactics, Techniques, and Procedures) used by adversaries, are more impactful for detection and response.

Source: Pyramid of Pain — SANS

Red team emulation plays a pivotal role in validating our defenses against these TTPs. By simulating real-world attack scenarios and leveraging tools like Atomic Red Team (https://github.com/redcanaryco/atomic-red-team) and Invoke-AtomicRedTeam (https://github.com/redcanaryco/invoke-atomicredteam), organizations can proactively test their security controls against known adversary behaviors.

Emulation allows us to collect valuable data on how our cybersecurity products and systems respond to simulated attacks. This data, tracked and analyzed using tools like VECTR (https://docs.vectr.io/), provides actionable insights into our security posture, highlighting areas of strength and weakness.

Ultimately, the goal of red team emulation is to fortify our defenses by identifying and addressing gaps in detection and response capabilities. By aligning our strategies with the principles of the Pyramid of Pain, focusing on higher fidelity indicators derived from real-world TTPs, we can enhance our ability to thwart advanced adversaries effectively.

In summary, integrating red team emulation into our cybersecurity practices is essential for staying ahead of evolving threats. By leveraging tools and frameworks like those discussed, organizations can adopt a proactive approach to security, effectively mitigating risks posed by sophisticated adversaries.
