Integrate MITRE Engenuity Adversary Emulation Plans into PlexTrac

Use Runbooks for PlexTrac with MITRE Resources to Up Your Purple Teaming Game

IMMEDIATE RELEASE: Wednesday, July 28, 2021

Boise, Idaho— PlexTrac is excited to share some cool new features that will upgrade your purple teaming capabilities and leverage the amazing work of the MITRE Engenuity Team to provide adversary emulation plans to the community—plans that allow you to use the Runbooks for PlexTrac to replicate the very same methods that threat actors are using today.

If you aren’t already cheering, let us tell you why you should be. Whether you and your team are experienced with purple teaming or just getting started, MITRE Enginuity’s collected real world threat intelligence shared out in their Center For Threat-Informed Defense Adversary Emulation Plan Library is an invaluable resource.

The Center For Threat-Informed Defense works by partnering with industry. Normally a group of organizations come together to pony up the cash that funds the researchers who produce the emulation plans—and this research is performed by some of the best forensic researchers in the world. The organization is still relatively young and the library is not huge, but the quality of the work is extremely impressive.

PlexTrac now integrates with these publicly-available adversary emulation plans. Whether you are a current PlexTrac user or just getting started with the concept of adversary emulation, check out this explainer and demo video to learn more about this exciting integration or read on to get the full scoop on the value of adversary emulation plans and the PlexTrac solution.

What is an Adversary Emulation Plan?

Just as SOCs have playbooks for incident response, threat actors have playbooks of common procedures used to achieve their objectives. While threat actors try to cover their tracks as much as possible, inevitably any attack leaves some forensic evidence of their tradecraft.

And adversaries are like anyone else—they will continue to use the same techniques and procedures as long as they remain effective. Each attack that can be attributed to a particular threat actor allows researchers to augment and refine the collection of commonly used methods by that actor. These are adversary emulation plans.

An adversary emulation plan can be extremely valuable to your defensive efforts. If an organization has a mature threat intelligence program (or if they have been handed intel by a third party, like the FBI), they may have a solid understanding of the particular threat groups that are targeting them. An emulation plan thus enables highly realistic testing of defenses.

Regardless, adversary emulation plans can be of value to almost any organization because everyone is at risk from common ransomware families and should be maximizing defenses against these known tactics and techniques.

How does PlexTrac fit this Ecosystem?

It’s helpful to begin with a basic understanding of the PlexTrac Runbooks Module. The Runbooks Module is designed to allow you to create a very granular set of procedures that give even junior testers the guidance they need to execute each stage of an exploit—down to the specific commands and payloads to execute.

Out of the box, Runbooks comes pre-populated with a horde of procedures built by the great folks on the Red Canary Atomic Red Team—which they also make freely available to the community. But you can always create your own or import new procedures that come as part of MITRE Engenuity emulation plans, other Runbooks, or even other emulation plans like those from our friends at SCYTHE.

As you execute an emulation plan in Runbooks, both red and blue teams have a single place to document results of the attempted exploit from both the offensive and defensive perspective, gathering evidence and creating detailed, time-stamped execution logs to assist in the debrief.

The greatest value comes when a Runbook is repeated iteratively. The cycle of execution, remediation, re-testing, and measurement allows you to quantify your improvement over time and demonstrate the value of your remediation efforts—or the return on investment of new solutions you’ve implemented.

Using a MITRE emulation plan is easy and powerful. You simply grab the plan from their GitHub Repo and import it as a Runbook. Just like with any Runbook, the plan guides you through execution of various procedures at a very granular level allowing collection of both offensive and defensive evidence in real time.

When execution is complete, the data can be transformed into a standard PlexTrac report for polishing and delivery of results. Assuming you use those results to make changes in your environment, the same Runbook can be used to retest and validate your efforts. After two more runs, you can measure the effectiveness of your remediation efforts in our dedicated Runbooks Analytics section.

Ready to Level Up Your Capabilities Using Adversary Emulation?

Our sincerest thanks go out to the sponsors and the people at MITRE Engenuity who are championing threat-informed defense and gifting these emulation plans to the community. Be sure to follow their work and make use of these libraries of freely available adversary emulation plans.

And if you are ready to make the most of these and other resources and threat intelligence and make measurable progress in your security posture, schedule a demo of PlexTrac today.