October 18, 2021
Atomic Red Team Part 1: Testing Security Controls Through Attack Emulation
Your team has deployed next-gen anti-virus, applied the latest security patches, and your are forwarding all endpoint telemetry to a managed detection and response vendor The question you have now is - how can you ensure that the deployed defenses are working properly and you will be notified of malicious activity?
The answer is to use adversary attack emulation, a powerful method of validating security controls. As we demonstrated in our session at DattoCon last week, we explained the following steps for adding it to your arsenal to help improve your cyber resilience. There are many open-source and commercial tools that you can use to execute this testing, and having a process to follow is just as important as the tool you use.
Our view on a holistic attack emulation process consists of several steps:
- Select the attacks you would like to emulate.
- Choose an emulation tool you can map your attack techniques to.
- Execute the attack technique emulation.
- Review detections and map the results to the tested techniques.
- Remediate issues found with any missed detections, then retesting.
Choose which attacks to emulate
The MITRE ATT&CK framework is a great resource for researching attack techniques. MITRE ATT&CK is a collection of adversary tactics and techniques gathered from publicly observed and disclosed cyber attacks. Each tactic and technique includes information on where it has been observed in the wild, recommended mitigation strategies, and detection opportunities. We highly recommend spending some time familiarising yourself with MITRE ATT&CK as it is a common reference for discussing cyber events and is a key foundation for many security tools.
MITRE also has the ATT&CK Navigator, which allows you to visualise techniques mapped to the phases of an attack. There are several ways you can choose what techniques you want to test.
- Use MITRE ATT&CK and the ATT&CK Navigator to view techniques mapped out a documented Threat Group or Malware Family.
- Find techniques that correspond to recent cyber attacks you have read about or responded to.
- Review Threat Profiles created by the Datto Threat Management team and chose techniques of threat actors that target MSPs and their Customers.
Run the tests
In most cases, choosing a tool to use for testing is much easier than people expect. While paid solutions on the market make attack emulation easy and automated, you can also leverage many open source tools without needing to spend anything other than your time. We recommend Atomic Red Team by Red Canary.
It is important to run your tests in the same order an attacker would execute them in. This can be done by following the MITRE ATT&CK framework and starting from Reconnicance then preceding through Impact. We also recommend running any attack emulations from a test machine. Many make changes to the host they run on, impacting the usability of the host.
Review Your Results
Once you have finished running your chosen attack emulations, it is time to review the outcomes. In an ideal test, all attack emulations should result in some form of detection or alert. Make a matrix of the tests you chose to run and map them to the detections and alerts triggered by your security tools or vendors. Once this mapping is complete, review attack emulations that did not result in detection or alert. These are the attack emulations we focus on for our next step.
Remediate Missed Detections
Missed detections are common and not a cause for immediate concern. It is important to take the time to understand why a detection was missed.
Several issues could lead to missed detections:
- Misconfiguration of security tools
- The detection provider identified it as benign
- A gap in security tool coverage
- Failure to detect by your detection provider or technology
It is important to discuss missed detections with your security partners and vendors to understand the root cause of the missing alert. There are several possible causes which is why a collaborative approach to understanding the results will yield the best solutions.
Once you have remediated any issues with a missed detection, it is important to circle back and rerun your tests. This step will validate that changes made have resulted in a successful detection.
It is good practice to document your test process and the attack emulations you have run. We recommend that you rerun your tests monthly or quarterly. Updates and changes are constantly made within your environment. Different coverage gaps could appear, increasing risk to your organisation. Continuous testing will allow you to track your defenses over time and identify gaps in security coverage.
Lastly, we have worked with our Datto RMM team to build an RMM Component that automates five attack techniques to emulate LockBit Ransomware techniques. This is available now in the Datto ComStore.
When part 2 of this blog is published, it will detail using the Atomic Red team tool to emulate a custom selection of attack techniques.
Hopefully, after reading this, you can utilise adversary emulation inside your environment to validate and improve your cyber defenses. Log in now to follow the process outlined above and test your security controls using the RMM component.
In our next post, we will walk through how to use an open-source tool to emulate attack techniques in your environment.