Security teams are often tasked with building a layered control environment through a defense-in-depth approach. Audit and compliance teams may even require these controls to align to a specific benchmark or framework. Unfortunately, the scenario often arises where these controls are only put to the test when a real attack occurs leading teams confused when responding to an incident. Assumptions are made by all business units about the operating effectiveness of the environment. Remember when we all relied on the perimeter firewall for security a decade ago? We now have the same problem with heavily relying on default configs within EDR’s. Business leaders may be lulled into thinking that these tools will prevent sophisticated attack chains by nation state adversaries and meanwhile get burned by lazy PowerShell tradecraft that goes undetected. These assumptions are rarely validated through active testing or standard day-to-day activity due to the complexities of a behavior or technique. From an auditing perspective, this is a critical hidden gap that creates a cyclical problem. We are maybe the only industry that provides technical solutions that still requires customers to continuously tune and validate they are working as intended. Although the controls may align to a specific need on paper, significant gaps go unnoticed allowing attackers to achieve their end objectives. A purple team/threat emulation exercise can help prevent this. However, most businesses are often unequipped to know where to begin.
Many of us are not speaking the same language as the business when attempting to introduce the enterprise matrix from MITRE ATT&CK(®). Further, we have now entered an unfortunate reality where every vendor, tool, and third party reference the framework. As an industry, we need to be able to use this framework in a concise and repeatable manner. We also must be honest with the short comings of ATT&CK and what it cannot be used for. It is extremely enticing to fall under several traps when attempting to use the framework and perform simulations internally. This includes playing bingo and not truly understanding how techniques are emulated in an environment. This talk proposes an approach for how to use existing free tools including the Atomic Red Team library, Prelude Operator, and Vectr to begin tracking adversaries and testing control resiliency in an environment. This talk will educate all business units about the MITRE ATT&CK framework and how it can be incorporated within their assessments. To proactively defend against cyber threats, we cannot rely on individual experts alone. Many of us have been exposed to the ATT&CK framework in some capacity. However, as an industry we do not have a clear way to abstract specific detail from the framework and align to our businesses primary mission. The business from the top-down need to be able to understand how to conduct these types of tests and why they matter. Strong relationships between audit, compliance, third-parties, IT, and security lead to the most secure environments. Everyone, whether on the blue team or red team, plays a role in executing these tests, remediating, and communicating results across the business.
As assessors we build test procedures to identify gaps, remediate issues, and retest just like any traditional audit. When examined closely, we are effectively quality assurance for cybersecurity. We have specific playbooks of what adversaries attempt upon achieving initial access. Think about the Conti Playbook that was released and translated earlier this year. We can leverage existing tooling to emulate the identified behaviors in our environment creating a “data-driven” and threat informed test. Equipped with this knowledge, we can layout controls that allow the business to operate and provide assurances that an attack chain is mitigated. We have rich and continuously improving public cyber threat intelligence reports that must be used in our programs. Public annual reports from Red Canary, Microsoft, DFIR Report, Scythe, and countless others all can be used to tune our controls against a specific threat. Security professionals can emulate adversaries for cheap all the while expanding budgets and showcasing their work to executives. My hope is to be able to bridge existing understanding of ATT&CK and provide a path to reliably use it regardless of size or complexity of an institution.