Center for Threat-Informed Defense:
Adversary Emulation Library
A set of common emulation plans
The Adversary Emulation Library includes a collection of adversary emulation plans that allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that want to prioritize their defenses around actual adversary behavior. By focusing our energies on developing a set of common emulation plans that are available to all, organizations can spend their limited time and resources on understanding how their defenses actually fare against real-world threats.
Why Use Adversary Emulation Plans?
Adversary emulation mimics the behavior of real-world threat actors in a safe and repeatable manner. Executing adversary emulation in your environment helps you answer questions such as:
- How do we build a resilient defense that is not based on static (and easily evaded) IOCs?
- How well do we detect, mitigate, respond to, or prevent threat actor X?
- Are we collecting the right data and running the right queries to detect technique Y?
- How do we build the experience and skills on our team to defend against real-world threats?
- How do we tune our tools and processes to maximize efficacy against real-world threats?
Adversary Emulation Plans
The library contains two types of adversary emulation plans: full emulation and micro emulation.
Full Emulation Plans
A comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics and techniques and are designed to emulate a real breach by the designated adversary.
Micro Emulation Plans
A focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small number of ATT&CK techniques that are typically performed together as part of one adversary action.