Feature Release: Threat-Led Attack Emulation

Table of Contents

Cloud security operations tend towards a cat-and-mouse game, leaving security teams aghast. Threat Informed Defense changes the game by fusing together Cyber-threat Intelligence (CTI), testing and evaluation, and defensive measures. When employed in tandem, these three components empower organizations to stay ahead of adversaries cheaply and efficiently. However, most organizations employ CTI to enhance their defensive measures without evaluating the efficiency of this combination. Since testing and evaluation are essential aspects of Threat Informed Defense, omitting them denies organizations the ability to fully maximize the potential of Threat Informed Defense strategy. Threat-Led Attack Emulation is a feature recently added to Mitigant Cloud Attack Emulation to empower comprehensive adoption of Threat Informed Defense.

Demystifying Threat Informed Defense

The sheer complexity of the sprawling cloud infrastructure presents a breathtaking attack surface that demands the best of a team’s effort to tame it efficiently. Security teams are easily overloaded with unnecessary alerts, get distracted, or eventually burn out. One approach to addressing these issues is by adopting a Threat-Informed Defense strategy.

Threat-Informed Defense is an initiative by MITRE ENGENUITY designed to overcome the challenges mentioned above. The initiative leverages deep understanding and analysis of attacker tradecraft to determine the best actions to thwart cyber attacks. This approach enables security teams to focus on the more relevant threats rather than trying to solve every security issue. Security teams' ability to identify and concentrate on the most crucial threats enables a solid and efficient defense.

Threat-Informed Defense Enables a Continual Feedback Loop (Source: MITRE ENGENUITY)

The Feedback Loop

Threat-informed defense aims to improve cybersecurity via three fundamental pillars: Cyber-threat intelligence, test & evaluation, and defensive measures. These pillars work in tandem as a feedback loop designed to thwart cyber attacks efficiently; hence, properly adopting the Threat-Informed Defense requires positioning these pillars. Let's briefly examine each of them:

Cyber Threat Intelligence: This refers to information aggregated, analyzed, interpreted, or enriched to provide necessary context for decision-making processes. CTI enables a global understanding of adversary behaviors, allowing for more contextual decision-making.

Test & Evaluation: Regardless of CTI and implemented defensive measures, the acid test for effectiveness is validated via security testing and evaluation. The adversary perspective allows defenders to test whether the defenses can thwart attacks.

Defensive Measures: Defenders leverage cybersecurity tools to prevent, detect, and respond to cyberattacks. These systems work in several ways, including analyzing log events for Indicators of Compromises and identifying threat actors based on the MITRE ATTACK framework and CTI.

Bite as Much as You Can Chew

Identifying and focusing on the most relevant adversaries can be challenging despite being imperative. While organizations might identify the most critical threats via security exercises like tabletop exercises, threat modeling workshops, and threat intelligence, validating the accuracy of defenses is a different game. Recent research has indicated that specific threat actors target particular industries; hence, it makes sense to concentrate defenses on these threat actors. For example, Scattered Spider is more interested in attacking victims in telecommunications, financial services, entertainment, and cryptocurrency. Consequently, organizations in these sectors should implement measures that quickly prevent, detect, or respond to these attacks by focusing on Scattered Spider's Tactics, Techniques, and Procedures (TTPs).

Attack is the Best Defense

However, it does not stop with integrating CTI and focusing on the essential TTPs; continuous testing and validation are integral aspects. Testing and validation are necessary because adversaries and environments are not static. The surrounding factors are transient, so yesterday's defenses may be obsolete. A false sense of security is adopted without validation, resulting in a successful attacker.

**MITRE ATT&CK Showing Tactics & Techniques Used by TeamTNT Threat Actor**

Threat-Led Attack Emulation

Adopting a Threat-Informed Defense in cloud infrastructure requires an approach that combines the three pillars of Threat-Informed Defense: cyber-threat intelligence, testing/evaluation, and defensive measures. Each pillar complements the other and empowers defenders to stay ahead of attacks with precision and cost-effectiveness. While many teams leverage the MITRE ATT&CK framework, they are quickly swarmed by the number of alerts and attempt to implement defenses that cut across the entire MITRE ATT&CK framework. While this approach might seem ideal from afar, it results in burnout and gaps due to resource limitations, staffing, etc. Attempting to achieve 100% coverage of the MITRE ATT&CK framework is not an ideal approach. The framework comprises approximately 193 techniques and 401 sub-techniques across the ten tactics.

Context is King

Context is KING in cybersecurity; especially for SOC teams tasked with threat detection and response. Adding environmental context is essential, BUT more importantly, doing this is challenging. For example, most detection and response systems (XDR, CDR ..etc) come loaded with Out-of-the-Box (OOTB) detection rules. These OOTB rules bring some value; however, security teams become heavily laden with alert fatigue, false positives, manpower shortages, burnouts, etc. Overcoming these challenges requires tuning, i.e., the addition of context. Sadly, context cannot be purchased or outsourced. Context must be created continuously in situ because context is not static.

Leveraging Threat-Led Emulation for Context

Threat-led attack emulation aims to narrow down precisely the specific threat actors that are relevant and important for enabling effective defense. This allows testing and balancing an organization's threat model, customized security tools, integrated CTI, and other accurate adversarial signals to determine the factors that influence practical decision-making. Recent research into the threat landscape, e.g., the Crowdstrike Global Threat Report 2024, indicates adversaries' preference for industry verticals. Within these verticals, adversaries are noticed to execute specific TTPs that follow a pattern. Defenders and leverage these patterns to enable strong defenses. However, like traditional investigations, most pattern-based investigations occur after breaches, when investigative and forensic experts are called in to investigate the attack. Most of these go into reports for the sake of compliance and regulations. Defenders can flip around this approach by preparing for specific adversaries using Threat Led Attack Emulation.

**Mitigant Attack Emulation Showing Attacks That Emulate Scattered Spider TTPs**

Game Changer: Mitigant Cloud Attack Emulation

The Mitigant Cloud Attack Emulation now provides support for Threat-Led Attack Emulation. Three threat actors are currently included: Scattered Spider, TeamTNT, and Xcatze, for attack actions and attack scenarios. Attack actions are atomic and straightforward, usually targeting one cloud resource, e.g., creating an IAM login profile or making a private S3 bucket publicly accessible online. Conversely, attack scenarios are multi-step attacks that combine two or more attack actions, thus providing more solid realism. An example of an attack scenario involving Scattered Spider is the S3 bucket ransomware attack scenario.

**Workflow of An S3 Ransomware Attack Emulation**

Advantages of the Mitigant Threat-Led Attack Emulation

There are several benefits to adopting the Mitigant Threat-Led Attack Emulation:

Validation of defenses: Organizations can validate defenses based on the threat actors prevalent in their industry vertical. For example, the threat actor Scattered Spider has been viciously attacking organizations in the Telecommunications and entertainment industries. Organizations can quickly run emulations that implement TTPs used by specific threat actors and validate their defenses' strength.

**Threat-Led Attack Emulation Integrated CTI About Threat Actors Like Scattered Spider**

Validation of cyber threat intelligence: Many organizations subscribe to threat intelligence platforms. These CTI platforms provide curated information about threat actors, which can be helpful in several ways, including detection, identification, validation, and investigation of potential security threats. However, organizations are challenged with the best means to validate the ROI of these CTI platforms and how to validate correct usage. Threat-led attack emulation allows teams to orchestrate attacks against a set of threat actors based on CTI and then analyze the value of the added CTI.

**Attacks Emulated from Mitigant Viewed on AWS Detective**

Validation of security readiness: Defeating threat actors combines people, processes, and technology. While some organizations focus on technology, others focus on one or more of these components in a siloed fashion. This approach often leads to limited outcomes and, ultimately, security breaches. Organizations can leverage Mitigant Cloud Attack Emulation to validate the security readiness across people, processes, and technology.

Properly Adopt a Threat-Informed Defense Strategy

We aim to provide a massive value to SOC teams, detection engineers, CTI analysts, and other security teams at the front of the battle against adversaries. The Mitigant Cloud Attack Emulation empowers the implementation of a holistic Threat-Informed Defense strategy. Sign up for a FREE one-month trial today - https://www.mitigant.io/sign-up

‍

Ready to Secure Your Cloud Infrastructures?

Connect with the Mitigant Team and proactively protect your clouds today.

Book Demo Start Free Trial