In MITRE ATT&CK, techniques describe the means by which adversaries achieve tactical goals, sub-techniques describe the same means at a more specific level, and procedures describe the variations that are precise, observed implementations of those techniques. This precision in many ways is what enables adversary emulation, and makes it, well, emulation. It allows us to confidently and accurately call something “in the spirit of APT29”. In many cases, in an effort to be precise, we narrow the focus of our evaluations and implement only the limited set of procedures an adversary is known to perform. But what happens if procedural information is not available for a specific adversary? We have to make an assumption about them. We do our best to get into their mindset and consider what we believe their end goals to be, but in the end we are left with a couple of choices. We can make an educated guess, but then we fall into the same trap as above: a narrowed focus that might not even be accurate. The alternative is to implement a variety of procedures and hope that we effectively cover our bases.
Procedural variation looks at a single technique or sub-technique and implements it in several different ways, ideally so that each implementation triggers different data sources, and thus potentially different defensive capabilities. It is for this reason that over the past year there has been increased awareness of, and advocacy for, procedural variation. Procedural variation gives us greater confidence that when we say we have a defense for the technique under test, the defense will actually work rather than only catching the one procedure we happened to implement. Procedural variation comes with its own challenges; increased development cost and a potential loss of fidelity in our emulations are only the start of that conversation. So how do we balance the benefits of procedural variation against its challenges? In this talk, we will present the key considerations to make when designing your ATT&CK test plans so that you can maximize your test plan’s bang-for-the-buck, gaining the confidence that procedural variation offers while staying true to threat intelligence, and doing all of this while keeping budget in the back of our minds.