This past year, we funded research at MITRE Engenuity’s Center for Threat-Informed Defense into “micro-emulation plans”, combining adversary tactics, techniques, and procedures into plans that are easier to digest than the Center’s full-scale adversary emulation plans. The Center’s research is publicly available on their open website and GitHub link here. For anyone looking to learn about the MITRE ATT&CK framework and how to validate their cybersecurity program performance, it helps to have an open, public project about micro-emulation planning and how teams can put adversary emulation to work.
But there’s also much more to the story of democratizing adversary emulation. As the industry’s first and leading independent provider of breach and attack simulation solutions and automated security control validation, we at AttackIQ are obviously very bullish about the idea of defense teams learning how to run adversary emulations. We are even more bullish about how AttackIQ does this better than anyone else. The AttackIQ Security Optimization Platform puts adversary emulation into the hands of defenders all over the world, including at Bupa, GE, JetBlue, the U.S. Army, ISS World, and many more. Our assessments, attack graphs, packet capture (PCAP) replay capability, and our open API give defenders the tools they need to run emulations at scale and in production to answer the question: are we ready for the next attack?
This blog post describes some of our recent product updates in reporting and analysis of adversary emulations, and explains our automated testing and security control validation lifecycle in detail. In summary, however, AttackIQ works to put adversary emulation into practice through the following key capabilities:
- The AttackIQ Security Optimization Platform tests in production, at scale across your security program, and it tests security controls against multiple adversary tactics, techniques, and procedures concurrently.
- Our platform has the deepest alignment with MITRE ATT&CK, and our open API allows teams to build and deploy adversary emulations quickly, and teams can tailor their tests to specific regulatory, insurance, and board requirements.
- The AttackIQ Adversary Research Team produces attack graphs and assessments as soon as US-CERT publishes its alerts, research you can see here.
- And our platform tests artificial intelligence and machine learning-based cyberdefenses technologies with specificity and realism through our attack graphs.
The result of AttackIQ’s detailed and comprehensive adversary emulation capabilities is that we generate data that security teams can use right now to measure their program performance. See below for some examples from our reporting and analysis in our platform, leveraging Jupyter notebooks and Kibana reporting.
Figure 1: AttackIQ Jupyter notebook top-line analysis.
Figure 2: AttackIQ Kibana reporting and analysis from a threat and US-CERT alert perspective.
The AttackIQ Security Optimization Platform measures your security program performance in a myriad of ways that you can determine — against specific threat groups, against specific MITRE ATT&CK tactics, or through the lens of a specific security control or compliance requirement — and generates clear, digestible, and tailorable analysis of your program performance so you can report to your leadership team, board, regulators, or insurance companies about your security effectiveness.
So, how do we do adversary emulation and automated security control validation?
The AttackIQ Security Optimization Platform puts MITRE ATT&CK into operational practice testing defenses and generating real-time performance data so teams can fix misconfigurations, make adjustments, find efficiencies, and save resources across the organization. The below chart shows how. It moves from left to right from our research with the Center for Threat-Informed Defense and our teaching at AttackIQ Academy, through the MITRE ATT&CK framework and our testing process, to the analysis that security operations teams need, to the savings and major financial and personnel benefits that our customers gain by using our platform.
Figure 3: AttackIQ automated testing and security control validation lifecycle.
Our deep partnership with MITRE ATT&CK underpins all of our testing. From our founding research partnership with the Center for Threat-Informed Defense and our free online courses about operationalizing MITRE ATT&CK and breach and attack simulation at AttackIQ Academy to our comprehensive publishing program, we are the premier MITRE ATT&CK company.
The black column is at the center of our strategy: it includes all the tactics, techniques, and procedures in the MITRE ATT&CK framework of observed, real-world adversary behavior. Building from ATT&CK, US-CERT alerts, and their analysis of the threat landscape, our Adversary Research Team and engineers write scenarios that put these tactics, techniques, and procedures into action so that our customers can run safely assessments against their security programs.
The next column on the right displays our testing methods, to include atomic testing, attack graphs, and packet capture (PCAP) replay. As a defender, you can tailor atomic tests to run in a manner that you need, whether that’s hourly, daily, weekly, or monthly, emulating specific techniques and behaviors against your controls. Our attack graphs emulate the adversary with specificity and realism in a comprehensive campaign. Finally, our market-unique packet capture (PCAP) replay capability tests your boundary controls. With AttackIQ and MITRE ATT&CK aligned in this manner, you can test your defenses at the beginning, middle, and end of a campaign, elevating your performance. Our emulations and assessments measure your controls at a single point in time, longitudinally, and against multiple threats concurrently.
Finally, the far right column displays data from the analyst firm IDC, which interviewed five of our large enterprise customers and found, among things, that security operations teams achieved significant value through AttackIQ by honing and tuning their defense technologies, identifying gaps in their security control posture, and discovering redundant controls that they could remove (saving an average of $1m per customer). By adopting a purple team operational construct, security teams became more efficient across operations, saving teams an average of $4.7 million per year. Real cybersecurity readiness speeds up time to discovery and remediation when an incident occurs, improves detection engineering, and helps teams close gaps. That’s what these results mean. For more, you can read about the business benefits of AttackIQ through this IDC white paper here.
As a founding research partner of the Center for Threat-Informed Defense, we believe in democratizing the practice of adversary emulation for everyone. Even the best teams need to prepare constantly for the adversary. You wouldn’t expect Lionel Messi to skip out on the video reels of his French opponents in advance of the World Cup. He’d pour over them, listen to his coaches, and master his technique. Cybersecurity teams need to do that same thing to ensure everything works as intended — and the only way to do so is by running automated tests continuously, at scale, and across your entire security program.
