Everyone wants a stronger security posture, but not everyone has the tools to become more aware and secure. At a time when newsfeeds are overflowing with stories about massive ransomware attacks and other devastating breaches, how can cybersecurity professionals up their game in the fight against threat actors?
One answer, among many possible candidates, is to get started or level up your adversary emulation threat intelligence through popular frameworks like MITRE ATT&CK.
But let’s take a step back… What is adversary emulation? Why is adversary emulation important to know and utilize? And how does a platform like PlexTrac help you carry out red and purple teaming engagements that include adversary emulation data?
Let’s talk about it.
Let’s walk before we run.
What is adversary emulation, actually? Adversary emulation is a practice that “aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs).” Basically, adversary emulation is a way for security organizations and consultants to carry out the same tactics, techniques, and procedures (TTPs) that bad actors would use against you in the real world, but in a contained emulation.
In other words, adversary emulation is a type of red (or purple) team engagement that uses real-world threat intelligence to reproduce the actions and behaviors that bad actors would use in practice, with your red team playing the adversary.
Pretty cool right? And while many different frameworks can be used to carry out your adversary emulation exercises, many opt to use MITRE’s expansive knowledge base of real-world adversary behaviors outlined in the ATT&CK framework and their Adversary Emulation Plans. (We’ll talk more about that later).
DISCLAIMER: It must be mentioned that while we use the terms emulation and simulation interchangeably, there is a strong argument in the industry that the two terms should be distinguished.
The usefulness of adversary emulation exercises for security teams of all sizes cannot be overstated. Let us approach this question from the perspective of both a red and a blue teamer.
For red teams: Adversary emulation exercises are vital for red teams, largely because they enable the group to do their job on offense more effectively. With AE, red teams can focus on trying out the real-world activities that threat actors would use to infiltrate the network. This exercise gives red teams guidelines and a roadmap to follow on their quest to conquer the blue team’s defenses.
For blue teams: Defense is hard enough in cybersecurity. Adversary emulation helps blue teams stay focused on remediation and work in the places where it’s most necessary. Carrying out adversary emulation exercises helps clearly point out gaps in your defenses, allowing you to identify and fill your largest vulnerabilities at a faster pace.
In case you couldn’t tell, we love purple teaming at PlexTrac.
Adversary emulation is a vital part of establishing a purple teaming environment within your security team. This is because adversary emulation/simulation works as a bridge between red and blue teamers, enabling both teams to work more effectively, collaborate more closely, and strengthen the entire organization’s security posture.
While not all adversary emulation exercises are labeled as “purple teaming” by default, purple teaming engagements include a fair amount of adversary emulation work to bring the efforts of both teams together, allowing each to gain visibility and detection coverage that they otherwise wouldn’t have.
PlexTrac is a powerful platform that helps you make sense of the data you obtain from attack, detect, and respond (ADR) tools like SCYTHE. Data you generate from SCYTHE can be directly imported into PlexTrac and then analyzed through our Analytics module, giving you the power of knowledge.
But that’s not all! We’re also very excited to announce that MITRE Adversary Emulation Plans can now be imported directly into PlexTrac’s Runbooks module. This functionality allows you to create new Runbooks that line up directly with the purple teaming engagements you previously carried out outside of the platform.