We covered the concept of threat emulation and the difference between threat emulation, threat simulation and penetration testing, in addition to discussing the steps and the frameworks, such as MITRE ATT&CK and TIBER-EU, used to guide the process of threat emulation. Lastly, we solved the practical challenge in the TryHackMe Intro to Threat Emulation room, which is part of the SOC Level 2 track.
Blue Team Cyber Security & SOC Analyst Study Notes
What is Threat Emulation
Threat emulation is meant to assist security teams and organisations, in general, in better understanding their security posture and their defence mechanisms and performing due diligence in their compliance. This ensures they are provided with an adversary’s perspective of an attack without the hassle of dealing with an actual threat with malicious intent. Additionally, the organisation will be well prepared if a real-time and sophisticated attack is initiated against them.
Threat Emulation vs Threat Simulation
Threat emulation is an intelligence-driven impersonation of real-world attack scenarios and TTPs in a controlled environment to test, assess and improve an organisation’s security defences and response capabilities. This means that you seek to behave as the adversary would. Threat emulation aims to identify and mitigate security gaps before attackers exploit them.
Emulation can be conducted as a blind operation – mainly as a Red Team engagement and unannounced to the rest of the defensive security team – or as a non-blind operation involving all security teams and ensuring knowledge sharing.
In contrast, threat simulation commonly represents adversary functions or behaviour through predefined and automated attack patterns that pretend to represent an adversary. This implies that the actions taken during the exercise will combine TTPs from one or more groups but not an exact imitation of a particular adversary.
Threat Emulation Methodologies
MITRE ATT&CK
The MITRE ATT&CK Framework is an industry-known knowledge base that provides information about adversarial TTPs observed in actual attacks and breaches. Threat emulation teams gain many benefits from integrating ATT&CK into their engagements: mapping each emulated behaviour to an ATT&CK technique makes it more efficient to write reports and to propose mitigations for the behaviours that were tested.
Atomic Testing
Atomic Red Team is a library of emulation tests developed and curated by Red Canary that can be executed to test security defences within an organisation. The testing framework provides a mechanism for learning what malicious activities look like and provides telemetry from every test to facilitate defence improvements.
TIBER-EU Framework
The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) is the European framework developed to deliver controlled, bespoke, intelligence-led emulation testing on entities and organisations’ critical live production systems. It is meant to provide a guideline for stakeholders to test and improve cyber resilience through controlled adversary actions.
CTID Adversary Emulation Library
The Center for Threat-Informed Defense is a non-profit research and development organisation operated by MITRE Engenuity. Its mission is to promote the practice of threat-informed defence. With this mission, they have curated an open-source adversary emulation plan library, allowing organisations to use the plans to evaluate their capabilities against real-world threats.
Threat Emulation Steps
- Define Objectives
- Research Adversary TTPs
- Planning the Threat Emulation Engagement
- Conducting the Emulation
- Concluding and Reporting
Check out the video below for a detailed explanation.
Room Answers | TryHackMe Intro to Threat Emulation
What can be defined as an intelligence-driven impersonation of real-world attacks?
Threat Emulation
What is the exercise of representing adversary functions through predefined and automated attack patterns?
Threat simulation
Under TIBER-EU, under which phase would Engagement and Scoping fall?
Preparation
What is the library that provides technical emulation tests based on TTPs?
Atomic Red Team
There’s a set of 3 software used by FIN6 & FIN7. Can you identify them? Answers are in alphabetical order, separated by a comma.
AdFind, Cobalt Strike, Mimikatz
Which factor will be considered when analysing whether to use existing or custom tools during the emulation?
TTP Complexity
The emulation plan component determining which activities are to be conducted is known as the?
Scope
What is flag one obtained after completing the exercise?
THM{C4RB0N_$P1D3R_1$_F1N7}
What is flag two obtained after completing the exercise?
THM{3$P1ON4G3_F0R_R34P3R}
Click the View Site button at the top of the task to launch the static site. What is flag three obtained after completing the exercise?
THM{D3F3NC3_1N_3MUL4T10N}
What is flag four obtained after completing the exercise?
THM{S3CUR3_4LL_W3B_4553T5}
Video Walkthrough | TryHackMe Intro to Threat Emulation