Designing realistic cyber threat emulations

Threat emulation is a process of imitating the tactics, techniques, and procedures of real-world threats in order to test the effectiveness of security controls. It is important to design realistic threat emulations because they can help organizations identify and mitigate risks that are likely to be used in an attack.

Types of Threat Emulations

When designing a threat emulation, it is important to first understand the different types of threats that can be emulate. A few common types of threat emulation are:

  1. Phishing: Phishing is a type of social engineering attack that involves sending fraudulent emails or messages to individuals in an attempt to steal their login credentials or other sensitive information. Phishing emails often appear to be from legitimate sources, such as banks or other businesses, and may contain malicious attachments or links.

  2. Spear Phishing: Spear phishing is a more targeted form of phishing that typically targets a specific individual or group of individuals. Spear phishing emails are often personalized with information specific to the recipient, such as their name or job title.

  3. Denial of Service (DoS): A denial of service attack is a type of attack that aims to flood a target system with traffic or requests, causing the system to become overloaded and unavailable to legitimate users.

  4. Person-in-the-Middle (PitM): A person-in-the-middle attack is a type of attack that allows an attacker to intercept and potentially modify data as it is being transmitted between two parties. MitM attacks can be conducted on a local network or over the internet.

  5. Ransomware Attack: A ransomware attack is a type of malware that encrypts the files on a victim’s computer or network, then demands a ransom payment in order to decrypt the files.

  6. Espionage Campaign: An espionage campaign is a type of attack that is conducted in order to steal sensitive information from a target organization. Espionage campaigns often involve the use of malware, social engineering, and phishing attacks.

  7. Destruction Attack: A destruction attack is a type of attack that is designed to destroy or damage the target system.

  8. Massive Data Breach: A data breach is a type of security incident in which sensitive, confidential, or otherwise protected data is compromised or released to an unauthorized party. Data breaches can occur via malicious attacks, accidental leaks, or human error.

  9. Supply Chain Attack: A supply chain attack is a type of attack that targets the supply chain of a business or organization in order to gain access to their systems.

Understanding the Threat Emulation Process

Threat emulation is the process of understanding and modelling an adversary’s capabilities in order to improve the security posture of an organization. The first step is to identify and understand the adversary, their objectives, and what they are trying to achieve. Once this is understood, the organization can model the adversary’s behaviour and capabilities, using this information to improve their security posture.

The entire process can be summarized in a few steps:

Step 1: Use threat intelligence to define a scenario

Step 2: Research the tactics, techniques and procedures (TTPs) of relevant threat actors

Step 3: Reproduce the tooling and TTPs in a test environment

Step 4: Design and propose one or multiple Red Team Operations

Step 5: Obtain Authority to Operate (ATO)

Step 6: Execute the mission

Step 7: Analyse the outcomes, report the results, train the Blue Team

Step 8: Support remediation activities and re-test where necessary

Modelling an adversary’s capabilities

When modelling an adversary’s capabilities, it is important to consider their possible motives, as this will help to inform the types of capabilities they may be able to develop. For example, if we are modelling a terrorist organization, we would need to consider their political goals and ideologies in order to accurately model their potential capabilities.

We can also learn a lot about an adversary’s capabilities by studying their past operations. This can help us to identify any areas that they may have had success in, as well as any areas that they may be weak in. By understanding an adversary’s strengths and weaknesses, we can better defend against them.

Finally, it is important to keep in mind that an adversary’s capabilities can change over time. So it is important to constantly update our models as new information becomes available.

Maturity model for Threat Emulations

A red team that is mature will choose the right adversary, the right target, and the right time to emulate. This can be accomplished by using a maturity model that assesses organizational risk. The model should identify which threats are most relevant to the organization and prioritize these threats. In order to be effective, red teaming must be tailored to the specific needs of the organization.

Red teamers must also use creativity and innovation when designing their threat emulation. Simply replicating an attack that has been seen before may not be effective. The red team must consider the organization’s defenses and find ways to get around them. They also need to think about how the attack might play out over time and what the consequences could be.

Final Words

So far, we have looked at how to design threat emulations that are realistic in terms of their representative attack scenarios, the adversary motivations and behaviour, and the impact on the organisation. However, we have not yet looked at how to make these emulations realistic in terms of their technical execution. This will be the topic of a future article!

Looking to expand your knowledge of red teaming? Check out our online course, MRT - Certified Red Teamer. In this course, you’ll learn about the different aspects of red teaming and how to put them into practice.