Development and operations a practical guide



Joe Vest, James Tubberville, Red Team Development and Operations
Threat Emulation
Threat Emulation is the process of mimicking the TTPs of a specific threat. A Red Team performs threat emulation by acting as a representative of that threat. Threats of any variety can be emulated, including:
Zero-day or custom attacks
Script kiddie to advanced threat
Emulation of specific threat tools or techniques (botnets, DDoS, ransomware, specific malware, APT, etc.)
Scenario-driven assessments are typically driven by the emulation of some level of threat. This may be a specific threat, such as the Havex trojan used by Energetic Bear / Crouching Yeti / Dragonfly, or a general threat, such as a simple Command and Control botnet. Regardless of the scenario, the TTPs outlined drive the rules a Red Team must follow to perform an engagement. When a threat emulation scenario is being designed, that threat's key components should be defined. While it can be difficult to emulate a specific threat in detail, this does not mean the threat cannot be emulated, or that there is no value in attempting to do so. A Red Team should focus on following a threat's key components and use its own TTPs to fill in the gaps. A Red Team is not the original designer or author of a threat, but it is a highly skilled and capable group that can (and should) reinforce an emulated threat's TTPs with its own developed tradecraft and processes. In this way, the Red Team can model a threat actor in a way that supports the goals of a threat-based scenario.
The biggest challenge in threat emulation is executing to a level where an analyst believes the threat is real. Approaches may include the use of known bad malware, developing custom malware that models a threat, using tools that generate the Indicators of Compromise (IOCs) of a known threat, or simply using system and network native tools and commands. Effective planning and determining the critical components of a threat will lead to a better threat emulation design.


Scenario Models
As stated earlier, it is common to select a scenario model that will not enable a Red Team to successfully achieve its goals within the time limits of an engagement. When selecting a scenario model, choose it based on what operational impacts should be measured. These models only help design a scenario. The execution of a scenario may be adjusted during an engagement. Being flexible and prepared to make adjustments is critical. If a Red Team is successful too quickly, observations may not be valuable. If a Red Team is stopped too soon, an organization may not get exposure to the desired impact. Selecting the right model will help ensure the right balance.
What does "scenario model" actually mean? Threat Emulation Scenario Models include the Full Engagement Model, the Assumed Breach Model, and the Custom Scenario Model.
