When an advanced attacker conducts a cyberattack against your organization, they don’t stand and stop once they break past your perimeter defenses. Once inside your network, they move from room to room, trying to circumvent your access controls, looking for new valuables, discovering new pathways, breaking glass, twisting locks, riffling through data, until they get what they want and achieve their strategic objectives. An advanced cyberattack is not a one-shot deal. It is a multi-stage attack that moves across your environment, just like the SolarWinds intruder did in late 2020.
For a breach and attack simulation platform to validate your security program effectiveness with realism, then, it needs to emulate the adversary with specificity at every step in the kill chain. A good platform needs to keep pace with best-in-class artificial intelligence (AI) and machine learning (ML)-based cyberdefense technologies available today. Many of our partners in the Preactive Security Exchange have the kind of AI and ML-based technologies that can tell the difference between a one-off test and a real multi-stage attack. Emulations need to look like the latter.
That is why last spring we launched the AttackIQ Anatomic Engine to generate Attack Graphs and have built a number of Attack Graphs into the AttackIQ Security Optimization Platform. It is also why we are working with the Center for Threat-Informed Defense on their new Attack Flow project. As Center Director Jon Baker and his team wrote in a blog post about the project last week, the Attack Flow project is “developing a data format for describing sequences of adversary behavior in order to improve defensive capability. Attack Flow will enable the community to visualize, analyze, and (possibly most importantly) share sequences of actions and the assets they affect; thus, ultimately advancing our understanding of adversary threats and how to handle them.”
Working with the other lead researchers at the Center for Threat-Informed Defense, we are pushing the envelope in the art of adversary emulation. “There are a number of ways you can use Attack Flow,” the team continues in the blog post, “and it is our hope that the format becomes a standard used throughout the industry to communicate non-atomic information, helping use cases within threat intelligence, adversary emulation, detection, assessments, and so on.” That is our hope as well. Below is an image for how it does so.
Figure 1: Attack Flow based on a threat intelligence report explained here.
There are three use cases for the Attack Flow project:
- Explaining your defensive posture to executives,
- Understanding lessons learned from a cybersecurity incident, and
- Building realistic adversary emulation scenarios.
All these use cases matter for AttackIQ. The latter however is the most important for our product, as you can see in our blog post from two weeks ago about our new attack graph focused on Russia-based threat behaviors. A detailed attack graph allows teams to encode detailed tactics, techniques, and procedures into the attack graph so that purple teams can replay the incident with realism and specificity, chaining behaviors together in a logical sequence just like the attacker does.
Here is the attack graph we released on February 24 in response to US-CERT’s alert about Russian state-sponsored cyberthreats, from this link:
The Center for Threat-Informed Defense’s Attack Flow project gives a clear explanation of the benefits of a multi-stage attack chain, and we are working with the team to develop the concept further to inform our attack graphs and our broader work.
Given our focus on adversary emulation and automated security control validation at AttackIQ, we have built our attack graphs to perform specific functions in addition to the Attack Flow framework.
- Our attack graphs are designed to test specific controls with purpose-built assessments and scenarios, aligned to MITRE ATT&CK®. The attack graphs then generate tailored and granular detail about your control performance, generating clear data-driven assessments.
- Our attack graphs execute behaviors beyond what is described in ATT&CK, based on our threat research, to achieve specific security control objectives. (For example, the attack graph emulates behaviors that can only be detected in a Security Incident and Event Manager (SIEM) with multiple detection technologies.) The AttackIQ Security Optimization Platform then makes mitigation recommendations specific to those behaviors.
The Attack Flows project and the AttackIQ Attack Graphs are the next steps in the art of adversary emulation. Like the NIST 800-53 project, the Cloud mappings project, the Sightings project, and others that we researched and helped develop with the Center for Threat-Informed Defense, the attack flow project is just the kind of transformative research that led us to join the Center from its earliest days. We are immensely proud to be involved in every aspect of this research, and look forward to including more of the work in our product and our practice as time moves forward.