Collaborative Adversary Exercise

Service Overview

The Collaborative Adversary Exercise ("CAE") allows your defenders to experience live-fire information security exercises designed to mimic real-world threat scenarios. You defend and/or hunt in your own network, using your own tooling, against a live attack while maintaining a real-time, constant communication channel with the Secureworks Adversary Group ("Red Team").

The CAE is for organizations with established security monitoring—either in-house or third-party monitoring services—that want to test assumptions about current detection, prevention, and response capabilities against common tactics, techniques, and procedures ("TTPs") of modern threat actors. This exercise is an excellent starting point to identify the readiness of your detection, prevention, and response capabilities prior to executing more advanced exercises, such as the Adversary Simulation Exercise ("ASE") and Adversary Emulation Exercise ("AEE").

Each exercise is based on common scenarios that emulate real-world TTPs with a goal of providing actionable events for the defenders so they can identify visibility deficiencies within security controls, and work with our consultants to improve detection capabilities.

Additionally, Secureworks understands that each organization has different needs and time constraints for interactive exercises, so the CAE service is offered in several tiers that scale the level of interactivity to individual needs, as outlined below.

Collaborative Adversary Exercise - Lite

For organizations that may be short on time to participate in live and interactive exercises, the "Collaborative Adversary Exercise - Lite" option executes the playbook tasks sequentially on a single day, with no delays or pauses for the Blue Team to hunt and validate alerting. Instead, after the full playbook has been executed, the Blue Team can hunt and check detections and alerting on its own time for up to 30 days, and then participate in a collaborative debrief where the activity is discussed through Q&A sessions and a comparison of notes between the Red and Blue Teams to assess hunting and alerting deficiencies.

One or more of the following playbooks can be chosen for this tier:
  • Internal & Active Directory Exercise
  • Command and Control ("C2") Detonation and Network Detection Exercise
  • Ransomware Group Emulation Exercise
  • Cloud Compromise Exercise
Collaborative Adversary Exercise - Standard

The "Collaborative Adversary Exercise - Standard" tier is a good middle ground for organizations that have the time to interact with the Red Team over the course of five days. This option spreads the playbook tasks out to give defenders ample time to hunt and validate alerting, and to communicate with the Red Team in real time during activities to ask questions and discuss how to improve detection and alerting.

One or more of the following playbooks can be chosen for this tier:
  • Internal & Active Directory Exercise
  • Command and Control ("C2") Detonation and Network Detection Exercise
  • Ransomware Group Emulation Exercise
  • Cloud Compromise Exercise
Collaborative Adversary Exercise - Immersive

For organizations seeking more guidance for their defenders on hunting and on how to respond to and investigate alerts, the "Collaborative Adversary Exercise - Immersive" tier provides a more tailored and customized exercise in which a Secureworks team member joins the Blue Team to teach and guide your organization's defenders during a live-fire exercise performed by the Secureworks Red Team. This tier uses customized playbooks and customized goals and objectives, tailored to each organization's environment and needs.

As the name of the tier implies, this option requires a time commitment: the exercise takes place over the course of five days. The first three days are the most concentrated and are split across different attack phases; the first part of each day involves running attacks, hunting, and responding, while the latter portion of each day is a collaborative debrief of that day's activities.

For each of the exercises above, an add-on service—Post-Remediation Exercise Replay—is available. During each CAE, Customer may identify and remediate visibility deficiencies within existing security controls. If a Post-Remediation Exercise Replay add-on ("Replay") is purchased, then Secureworks will perform a Replay of one Exercise to validate that any newly added remediations are working as expected.

Service Methodology

Each CAE is driven by pre-defined playbook scenarios that map to the MITRE ATT&CK framework, and evaluate the detection, prevention, and response capabilities of your organization's defensive team (known as the "Blue Team").

A high-level overview of the exercise methodology is summarized below:

Outcome

Upon completion of the Collaborative Adversary Exercise, Secureworks will provide a detailed report containing all actions performed during playbook execution, the MITRE ATT&CK framework mapping of each action, tool commands and output, and activity timestamps, as well as all Blue Team results provided, including notes, logs, signature detections, and alerting metrics.

Scoping Information

Description                                    Exercise Duration
Collaborative Adversary Exercise (Lite)        2 days*
Collaborative Adversary Exercise (Standard)    1 week
Collaborative Adversary Exercise (Immersive)   1 week
Add-on: Post-Remediation Exercise Replay       -

*The Collaborative Adversary Exercise - Lite tier takes place on two separate days: one for playbook execution and a second for the collaborative debrief. The debrief must be scheduled within 30 days of the playbook execution date.

The complete Service Description for this service can be found here: Collaborative Adversary Exercise
