You are here

You are here

MITRE Engenuity emulates real-world attacks. Here's how it works

public://pictures/Juan C Perez photo1.jpg
Juan Carlos Perez Freelance writer

An ambitious plan from MITRE Engenuity could dramatically boost security operations teams' ability to prepare for and combat well-known, devastatingly effective cyber attacks.

The organization is creating a free, public repository of adversary emulation plans (AEPs), designed to help organizations systematically assess, test, and tune their defenses by replicating the tactics, techniques, and procedures of specific advanced persistent threat (APT) groups.

The expectation is that, with these detailed plans in hand, red teams will actively and accurately simulate APT cyber attacks. Meanwhile, blue teams will see their defense plans through the eyes of an adversary and make adjustments accordingly, including to their tool set, strategies, and environment.

The value MITRE Engenuity seeks to deliver with these AEPs is to operationalize cyber-threat intelligence by outlining in detail how APT groups chain techniques together, hopefully giving SecOps teams a holistic, nuanced, and end-to-end understanding of how specific attacks are carried out.

The ultimate goal of creating these intelligence-driven emulation plans is to improve and simplify how SecOps teams assess their environments against real-world threats and use those insights to improve their organizations' cybersecurity posture.

In developing the AEPs, MITRE Engenuity is aiming to save SecOps teams time, make them better informed, boost their productivity, and empower them to more effectively prioritize and optimize their limited resources.

Here's what your SecOps team needs to know, so that you can bolster your Security Operations Center (SOC).

MITRE's AEP Library in a nutshell

The repository, called the Adversary Emulation Plan Library and hosted on GitHub under an Apache 2.0 license, has now launched its first AEP, devoted to FIN6. This cyber-crime group has stolen an estimated $400 million by aggressively compromising retail point-of-sale and hospitality systems since 2015, mostly in Europe and the United States, according to MITRE Engenuity.

The Adversary Emulation Plan Library is the work of MITRE Engenuity's Center for Threat-Informed Defense, a nonprofit, privately funded research and development organization made up of 23 participating organizations with highly sophisticated security teams.

"Creating publicly available resources that empower organizations to make evidence-based decisions and investments is at the heart of the Center's purpose," Center for Threat-Informed Defense director Richard Struse said in a statement.

Too many organizations lack the resources to study adversaries and build these emulation plans, said Carl Wright, chief commercial officer at AttackIQ, a founding research partner of the Center for Threat-Informed Defense.

"We are working in the public interest to help every organization become more resilient to cyber attacks."
Carl Wright

An AEP's structure

AEPs focus on what a specific group does, how it does it, and at what stage of the breach it acts, and they provide emulation content for mimicking the group's underlying behaviors. SecOps teams can use an AEP for an end-to-end emulation, or they may want to pick certain behaviors. They can also modify the AEP and personalize it for their own requirements and scenarios.

Each AEP has three parts:

  • A curated summary of cyber-threat intelligence, including an overview of the group—whom it targets, how, and why—as well as the breadth of techniques and malware used.

  • An operational flow with a high-level summary of the scenario that was captured, typically outlining the breach and subsequent steps toward the attacker's goal.

  • An emulation plan that explains, step by step, how to execute the scenario in both human- and machine-readable formats.

The AEPs will leverage MITRE's ATT&CK, a free knowledge base of real-world adversary tactics and techniques used as a foundation for developing threat models and methodologies to improve enterprise security.

FIN6 is just the start

The FIN6 plan is the first in what the Center for Threat-Informed Defense says will be a collection of AEPs intended to be comprehensive and, equally important, based on a consistent methodology and structure. Having uniformity among AEPs is crucial for making them effective and user-friendly, according to the organization.

In addition to developing new AEPs for the library, MITRE Engenuity will also adapt to its new format existing AEPs it previously created, including those for the cyber-crime groups APT29 and APT3.

Fernando Montenegro, principal analyst for information security at 451 Research, part of S&P Global Market Intelligence, said he finds the initiatives from MITRE Engenuity that are intended to bring a level of consistency to information sharing within the industry "interesting and positive." 

"Many professionals are familiar with the MITRE ATT&CK framework and associated work around it. I expect it to be pretty clear for most professionals doing red-team, blue-team, and purple-team type of work."
Fernando Montenegro

Why AEPs matter

AEPs in general are valuable tools because they help SecOps teams test the efficacy of their detection capabilities, and possibly also of their response capabilities. "They’re not the first step someone should take, but will be more useful to an experienced team," Montenegro said.

It's key for SecOps teams to have good feedback loops, he said, and AEPs give them a controlled manner to practice and perfect this process.

"With this type of exercise, rather than just speculate about whether their defenses would detect or stop a specific actor, they can test it."
—Fernando Montenegro

A well-designed AEP allows teams to replicate enough of the adversary behavior and techniques that the emulation is realistically close to the real attack. "You also want to be able to easily automate it and execute again," he said.

Asked about MITRE Enguinity's FIN6 AEP, Montenegro said its instructions are clear enough so that infosec teams will understand the basics of the attack itself, as well as the emulation engine that will be used.

Building momentum

This project not only builds on previous experience simulating other bad actors, such as APT3 and APT29, but also combines technical depth and community participation. Overall, it is well worth watching, Montenegro said.

As MITRE Engenuity adds entries to the AEP library, it would do well to consider different variables for inclusion. Some threat actors may be more regional. Some may use techniques that, if properly exercised, can yield a "good return" to defenders in terms of capturing many other threat actors.

This is akin to the typical recommendation to "eliminate classes of bugs, rather than individual bugs on vulnerability research," Montenegro said.

As the library grows, so will the "significant opportunity" to increase the initiative's influence through the definition of a common methodology and consistent structure focused solely on accessing AEPs, MITRE Engenuity said in a blog post:

"Ultimately, our goal is to significantly increase the number of organizations worldwide that routinely evaluate their defenses against real-world adversary behavior, which should, in turn, help improve their security posture."

Evaluate and rethink your SecOps strategy

This new MITRE project has the potential to strengthen how organizations proactively prepare to fend off attacks from notorious, dangerous, and chillingly effective APT groups.

Getting this unique attacker perspective, and understanding at a granular, comprehensive level how these attacks are carried out, should help organizations evaluate their tools, rethink their strategies, and alter their environment as needed. It's all about being faster, smarter, and more effective at preventing catastrophic breaches that endanger an organization and its business.

Keep learning

Read more articles about: SecurityInformation Security