Written by: Sean D. Goodwin, GSE
Our recent blog posts have covered a variety of topics related to threat emulation, including:
- The benefits of threat emulation.
- The important factors that differentiate threat emulation from penetration testing.
- Understanding how to leverage these tests to implement controls where they’re needed.
- Finding out how known adversaries are exploiting similar organizations.
Today, we’ll be exploring resources you can use to build your knowledge base to start implementing threat emulation tests.
Free Resources
There are more free resources than we can list here, so we’ve included a few of the resources our team has found especially valuable.
Of course, any discussion of these resources has to begin with the Purple Team Exercise Framework (PTEF) from Scythe. Scythe offers an adversary emulation platform product, but makes the PTEF and several attack chains and emulation plans freely available to the community. The PTEF is the place to start because it will help you understand the necessary foundations of a program before getting into the actual execution of attack chains. A strong foundation makes it easy to establish a repeatable process and structure that other stakeholders can follow, with results they can understand.
The team at MITRE ATT&CK® includes links to several free training courses on their website that introduce the concepts of mapping cyber threat intelligence to the ATT&CK knowledge base, and thus into actionable adversary emulation plans.
SANS makes their Summit recordings available, and at the time of this post, there are over 30 presentations tagged “Purple Team,” indicating their applicability to threat emulation.
Paid Resources
The first paid resource to look at is the MITRE ATT&CK Defender™ (MAD) program. This program is a full curriculum covering various aspects related to threat emulation starting at an introductory level and moving up to advanced training and certifications. The topics covered in MAD are:
- ATT&CK Fundamentals
- ATT&CK for Cyber Threat Intelligence (CTI)
- ATT&CK for Security Operations Center (SOC) Assessments
- ATT&CK for Adversary Emulation Methodology
- ATT&CK for Threat Hunting and Detection Engineering
- ATT&CK Purple Teaming Fundamentals
The SANS bootcamp classes are the second paid resource to consider, specifically SEC599: Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses and SEC699: Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection. Both classes are considered advanced training in threat emulation because of their fast pace and depth of coverage.
There are many more resources available, but this short list should get you started in your learning journey. As you build out your skillset, you’ll be able to identify which areas of expertise you want to further develop, whether they lie on the attacker or defender side of the “purple teaming” program.