Adversary Emulation Exercise
Service Overview ⫘
The Adversary Emulation Exercise uses threat intelligence to challenge your organization's capabilities to detect, prevent, and respond to a defined threat actor that is known to target your organization's industry. Through emulating the tactics, techniques, and procedures ("TTPs") of the specific threat actor, the objectives of the exercise are as follows:
-
Identify deficiencies in security controls and alerting that could allow the defined threat actor to act on their goals and objectives unimpeded.
-
Train your defenders to become familiar with and spot indicators of compromise from known threats and common TTPs.
Secureworks offers two tiers for the Adversary Emulation Exercise which allow organizations to focus on either a full spectrum of emulated threats through each phase of a cyber-attack or purely on the internal network from a post-breach context as described in the following table.
| Adversary Emulation Exercise - Lite | For organizations who are less concerned with their perimeter and social engineering defenses and who primarily would like to test assumptions about detection, prevention, and response capabilities for activity within the internal network, the "Adversary Emulation Exercise - Lite" takes place over two weeks from an assumed breach context, such as starting from a compromised endpoint or compromised credentials through a VPN or virtual desktop environment. The Lite option is also an attractive option for organizations who are looking for a shorter exercise duration. |
| Adversary Emulation Exercise - Standard | The Standard tier of the Adversary Emulation Exercise examines the detection, prevention, and response capabilities of your organization covering all phases of an attack starting from an assessment of perimeter assets and external footprint, social engineering campaigns for initial access, and ultimately moving to the internal network where consultants will aim to act on goals and objectives established during a pre-engagement kickoff meeting. |
Three main features differentiate the Adversary Emulation Exercise from a standard penetration test:
-
Using threat intelligence-driven emulation of a real-world threat actor that possesses business-impacting goals.
-
Using covert attack methods that defeat many security countermeasures, allowing blue teams to improve detection and defenses, and to tune their existing devices to detect advanced methods.
-
Using blended attacks that combine various techniques and tooling, which may include the following components:
- Open-Source Intelligence ("OSINT") gathering
- Social engineering such as phishing and vishing
- External perimeter attacks
- Malware detonation and command and control
- Internal network attacks and lateral movement
Service Methodology ⫘
The Adversary Emulation Exercise is conducted following each tactical phase of the MITRE ATT&CK framework and is in alignment with methodologies such as TIBER, CBEST, and iCAST, using a combination of proprietary, commercial, and open-source tools and data to ensure a complete assessment of detection, prevention, and response capabilities. A high-level overview of the methodology is summarized below:
-
Threat Intelligence Gathering: Secureworks begins by performing research via public sources, as well as leveraging information from the Secureworks Counter Threat Unit™ (CTU), for threat intelligence data to select an applicable real-world adversary which can be emulated for the exercise.
-
Exercise Planning: The data collected during the threat intelligence gathering phase is analyzed and used to develop an attack scenario that mimics the tactics, techniques, and procedures of the selected threat actor. Consultants will discuss the proposed scenario with you to establish scope and any preparations needed to conduct the exercise. Depending on your organization's level of security maturity, Secureworks can also share the threat actor selected for emulation with your Blue Team to give a bit of guidance for hunting during the exercise.
-
Exercise Execution: Once the scenario is finalized and the tactics, techniques, and procedures are mapped out for emulation, execution of the plan begins. The following outlines different possible segments of the scenario:
-
Perimeter Breach: Social engineering campaigns developed during the planning phase, or the exploitation of discovered vulnerabilities is performed to bypass the security perimeter to gain access to restricted internal networks and resources. This can include compromising users' workstations or public-facing servers, or direct access to cloud-hosted services and resources allowing direct access to information or a foothold to move deeper into the internal network.
-
Internal Access: After breaching the perimeter and establishing a foothold, Secureworks will attempt to set up persistence within your target environment followed by lateral movement to other systems and resources to discover paths to escalate privileges, which helps facilitate accomplishing goals and objectives. As the exercise is constrained by time limitations unlike true adversaries, if Secureworks is unable to find a way to breach the perimeter through exploitation or social engineering in a pre-determined timeframe, an assumed breach model will be adopted to progress the exercise to the internal access phase.
-
Follow-through on Goals and Objectives: After expanding influence in your target environment through lateral movement and privilege escalation, adversaries will begin to act on their goals and objectives. Secureworks will attempt to covertly achieve the goals and objectives that were established prior to the exercise. This includes attaining intellectual property, exfiltrating sensitive data, compromising and subsequently poisoning development operations pipeline, and other objectives for which an adversary would target your organization. The exercise assesses whether current security controls and personnel can mitigate and evict adversaries before they are able to follow through on their goals and objectives. If Secureworks consultants are successfully evicted from the environment, instead of using the remaining time attempting to re-gain access, it is encouraged to proceed into a phase that monitors subsequent activities instead of trying to actively respond and evict so that a complete picture of the latter portions of the kill chain can be attained, and to identify potential security deficiencies.
-
Outcome ⫘
Upon completion of active exercise operations, Secureworks performs a thorough review and analysis of data and logs that were collected during the exercise.
Secureworks maintains comprehensive documentation of how the goals and objectives were achieved. The documentation is used to develop a report containing details about penetration, techniques and tools used, vulnerabilities and systems exploited, the path the tester took through the environment, and how well your organization was able to detect, prevent, and respond to threats. Activities performed during the exercise are tied back to the MITRE ATT&CK framework to better illustrate and deepen knowledge of threat models. The report contains a complete narrative with supporting documentation, such as screenshots, code snippets, and other forms of evidence.
Scoping Information ⫘
| Description | Exercise Duration |
|---|---|
| Adversary Emulation Exercise - Standard | 4 weeks |
| Adversary Emulation Exercise - Lite | 2 weeks |
| Add-on: Extra Time* | Starting from 1 week |
*Additional time can be added to the exercise if desired; however, please note that extra time will be a requirement if the goals and objectives of the exercise warrant additional time as determined during a scoping call.
The complete Service Description for this service can be found here: Adversary Emulation Exercise