Written by: Sean D. Goodwin, GSE
What is Threat Emulation?
You may have heard the term “threat emulation” or some of the other synonyms like “purple teaming” or “adversary simulation.” According to the Purple Team Exercise Framework, “Purple Team Exercises are an efficient method to test, measure, and improve your organization’s resilience to an attack. A Purple Team focuses on fostering collaboration with your entire security stack including people, process, and technology.”
For the purposes of this blog post we’ll be using the three terms interchangeably to describe collaborative testing focused on improving an organization’s security posture.
How is this different from a penetration test?
A threat emulation or purple team exercise is intended to test, and re-test, the performance of detective and preventive controls in an organization’s environment against a specific, pre-defined set of attacker techniques. A penetration test may incorporate some of these techniques, but the intent of a penetration test is to find as many issues as possible for the scope and time allotment.
To put this into a simplified narrative, a penetration test is like a robber going around a house and checking all the doors and windows for locks, looking out for security cameras or other sensors, and trying to find multiple ways to access the safe stored in the basement. Perhaps we’re able to look at a string of recent home robberies to identify the common technique of entering through a ground level window located at the back of the house.
Instead of checking each window and door, a threat emulation exercise would focus on testing our house for access via ground floor windows located at the back of the house. If someone was able to get in, we would look at preventive controls like window locks or bars, as well as detective controls like cameras or sensors, and then repeat testing until we were comfortable with the residual risk of this particular type of home robbery.
How to get started with a threat emulation program
Step One: Determine Scope
Before you dive into getting the right tools prepared, you should start by choosing a small scope. Our preference is to reference MITRE ATT&CK® as the pool of adversarial techniques we can pull from. You can filter down to threat actors that target your industry by using the “Groups” tab.
When the threat emulation program is in the early stages, we would recommend cutting down the scope to 5-10 techniques to ensure you can focus on building a repeatable process without being overwhelmed by gaps in your controls.
Many US-CERT alerts include references to the relevant tactics, techniques, and procedures (TTPs) in ATT&CK. This means that once you have a mature process in place, you’ll be able to quickly test – or report based on recent tests – how your organization is positioned to address breaking news.
Step Two: Track Execution
You can track execution several ways, but Vectr is a free tool that makes tracking and reporting much easier. It lets you build a campaign from the scope you established in step one, and within that campaign you track the status of both execution and your defensive controls.
For example, was the technique successfully run, or did a control block its execution? Was an alert generated in either case? Was the alert classified with an appropriate criticality rating? Be as detailed as you can here – this data will build over time and will provide actionable information on where your controls are performing well, and where additional work is needed.
Step Three: Determine Remediation Efforts
Now that you’ve tested the environment, you likely have some control gaps or areas where you are not satisfied with the control performance. We recommend using MITRE’s D3FEND Matrix to identify the relevant controls that need additional prevention or detection capabilities. To find the relevant controls you can search D3FEND using the Technique ID (e.g., T1566.001 for Spear-phishing Attachment). You’ll be presented with a mind map of controls that may prevent or detect the success of each attack technique.
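To make the three steps concrete, here is a small added example (not code from this post or from Vectr) that records the tracking questions from step two for each technique in scope and turns them into the remediation list you would take into D3FEND in step three. The technique IDs are real ATT&CK IDs, but the outcomes and the four-level severity scale are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed severity scale; adjust to whatever your SIEM or EDR uses.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class TestResult:
    technique_id: str               # ATT&CK technique ID from the campaign scope
    blocked: bool                   # did a preventive control stop execution?
    alerted: bool                   # did a detective control raise an alert?
    alert_severity: Optional[str]   # severity the alert was assigned, if any
    expected_severity: str          # severity the team agreed the alert should carry

def classify(r: TestResult) -> str:
    # Map one execution record to a control-performance state.
    if r.blocked and r.alerted:
        return "prevented+detected"
    if r.blocked:
        return "prevented-silent"   # blocked, but nobody would have been told
    if r.alerted:
        return "detected-only"
    return "gap"

def severity_ok(r: TestResult) -> bool:
    # True when an alert exists and carries at least the expected severity.
    if not r.alerted or r.alert_severity is None:
        return False
    return SEVERITY_RANK[r.alert_severity.lower()] >= SEVERITY_RANK[r.expected_severity.lower()]

def remediation_list(results):
    # Technique IDs to look up in D3FEND, with the reason each needs work.
    todo = {}
    for r in results:
        state = classify(r)
        if state == "gap":
            todo[r.technique_id] = "no prevention, no detection"
        elif state == "prevented-silent":
            todo[r.technique_id] = "blocked but no alert generated"
        elif not severity_ok(r):
            todo[r.technique_id] = f"alert severity {r.alert_severity} below expected {r.expected_severity}"
    return todo

# Constructed campaign results for a five-technique scope (outcomes are made up).
CAMPAIGN = [
    TestResult("T1566.001", blocked=True,  alerted=True,  alert_severity="high",   expected_severity="high"),
    TestResult("T1059.001", blocked=False, alerted=True,  alert_severity="low",    expected_severity="high"),
    TestResult("T1003.001", blocked=True,  alerted=False, alert_severity=None,     expected_severity="critical"),
    TestResult("T1021.002", blocked=False, alerted=False, alert_severity=None,     expected_severity="medium"),
    TestResult("T1047",     blocked=False, alerted=True,  alert_severity="medium", expected_severity="medium"),
]
```

Running `remediation_list(CAMPAIGN)` on the constructed data flags three of the five techniques, each with the reason it needs attention; re-run the campaign after remediation and the list should shrink.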
There are many other approaches and areas of focus to explore once you get started on this journey, but this quick primer will allow you to get a threat emulation program started at your organization.