ATT&CK Emulation Plans
If the tools MITRE provides were not enough, MITRE ENGENUITY also gives us CTID, the Adversary Emulation Library, and ATT&CK® Emulation Plans.
CTID
MITRE formed an organization named the Center for Threat-Informed Defense (CTID). This organization consists of various companies and vendors from around the globe. Their objective is to conduct research on cyber threats and their TTPs and to share that research to improve cyber defense for all.
Some of the companies and vendors participating in CTID:
AttackIQ
Verizon
Microsoft
Red Canary
Splunk
Per the website, "Our goal is to change the game on adversaries by relentlessly improving our collective ability to prevent, detect, and respond to cyber attacks."
Adversary Emulation Library & ATT&CK® Emulation Plans
The Adversary Emulation Library is a public library that makes adversary emulation plans a free resource for blue and red teamers. The library and the emulation plans are contributed by CTID. Three ATT&CK® Emulation Plans are currently available: APT3, APT29, and FIN6. The next ATT&CK® Emulation Plan in the pipeline is FIN7. Each emulation plan is a step-by-step guide to mimicking a specific threat group. If someone in the C-suite asks, "How would we fare if APT29 hit us?", the question can be answered by referring to the results of executing the emulation plan.
Review the emulation plans to answer the questions below.
How many phases does the APT3 Emulation Plan consist of?
Under Persistence, what binary was replaced with cmd.exe?
Examining APT29, what 2 tools were used to execute the first scenario?
What tool was used to execute the second scenario?
Where can you find step-by-step instructions to execute both scenarios?