Center for Threat-Informed Defense:
Adversary Emulation Library
A set of common emulation plans
The Adversary Emulation Library includes a collection of adversary emulation plans that allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.
Why Use Adversary Emulation Plans?
Adversary Emulation mimics the behavior of real-world threat actors in a safe and repeatable manner. Executing adversary emulation in your environment helps you answer questions such as:
- How do we build a resilient defense that is not based on static (and easily evaded) IOCs?
- How well do we detect, mitigate, respond to, or prevent the actions of threat actor X?
- Are we collecting the right data and running the right queries to detect technique Y?
- How do we build the experience and skills on our team to defend against real-world threats?
- How do we tune our tools and processes to maximize efficacy against real-world threats?
Adversary Emulation Plans
The library contains two types of adversary emulation plans: full emulation and micro emulation.
Full Emulation Plans
A comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.
Micro Emulation Plans
A focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small number of ATT&CK techniques that are typically performed together as part of one adversary action.
Full Emulation Plans
APT29 is thought to be an organized and well-resourced cyber threat actor whose collection objectives appear to align with the interests of the Russian Federation. The group is reported to have been operating as early as 2008 and may have logged operational successes as recently as 2020.
Blind Eagle is a suspected South American threat actor that has been active since at least 2018. Targets are typically Colombian government institutions, as well as entities in the financial, manufacturing, and petroleum sectors.
Not to be confused with FIN7, Carbanak is a threat group that has been active since at least 2013. Using malware that shares its name, Carbanak has been known to target financial institutions, as well as private customers.
FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. Seen as early as 2015, this group has aggressively targeted and compromised point of sale systems in the hospitality and retail sectors.
Not to be confused with the Carbanak Group, FIN7 is a financially motivated threat group that has primarily targeted the U.S. retail, restaurant, and hospitality sectors since 2013. FIN7 traditionally attacks point of sale systems but has recently shifted to ransomware.
OceanLotus is a cyber threat actor aligning to the interests of the Vietnamese government. First seen in 2012, OceanLotus targets private corporations in the manufacturing, consumer product, and hospitality sectors as well as foreign governments, political dissidents, and journalists.
OilRig is a cyber threat actor with operations aligning to the strategic objectives of the Iranian government. OilRig has been operational since at least 2014 with operations directed against financial, government, energy, chemical, telecommunications and other sectors around the globe.
Responsible for the Ukrainian power outage of 2017, Sandworm is a destructive threat group attributed to Russia’s General Staff of the Armed Forces, Main Intelligence Directorate (GRU). Sandworm is known for conducting large scale, well funded, destructive, and aggressive campaigns.
Active since at least the early 2000s, Turla is a sophisticated Russian-based threat group that has infected victims in more than 50 countries. The group has targeted government agencies, diplomatic missions, military groups, research and education facilities, critical infrastructure sectors, and media organizations.
Wizard Spider is a Russia-based e-crime group originally known for the Trickbot banking malware. In August 2018, Wizard Spider added capabilities to their Trickbot software enabling the deployment of Ryuk ransomware.
Micro Emulation Plans
User Execution: emulates the compound behavior of delivering a malicious .iso file (e.g. via Spearphishing Attachment) and then executing arbitrary commands after a user invokes the file.