The mine shaft blogs - Threat Emulation
As a means to develop our business we like to think about and prototype new ideas on how to improve and extend threat modeling, attack simulations and securiCAD. This happens down in the foreseeti mine where our engineers are most happy. We have different shafts with different topics open. This blog series summarizes some of that work.
Not least thanks to the fantastic ATT&CK framework, developing threat emulation plans for various attacker groups has become a topic of interest to many. How would you do this in securiCAD? Here are our current thoughts on it.
Different threat actors are skilled in different attacker techniques. From ATT&CK we can for instance learn that APT38 is known to use the technique drive-by compromise. It seems reasonable to assume that they are also good at what they do. In securiCAD terms, this would correspond to APT38 being faster than the average attacker persona used in the attack simulations on the attack steps relating to drive-by compromise.
So, the time-to-compromise probability distributions of these attack steps should be lowered somewhat if we want to analyze our IT infrastructure for vulnerabilities with respect to APT38. This means that the critical path(s) in the simulations will likely change, at least partly. But which exact attack steps are we talking about? The mapping is of course not clear-cut, but for drive-by compromise, attack steps related to web browsers and web servers are expected to be affected. We might then assume that APT38 is faster at identifying vulnerabilities in, developing exploits for, and deploying exploits against such software.
Updating and tailoring the probability distributions of individual attack steps is already possible in securiCAD today. It can be done at the "language level", so that all assets of a certain type are changed, or for a specific asset instance in a model. To simplify the practical work, tags can be used to extract, for instance, all web software.
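To make the idea concrete, here is an added example (not securiCAD code, and not from the thesis mentioned below) of a tiny attack-graph model in which a threat-actor persona scales the expected time-to-compromise of every attack step whose tags match the techniques the actor is known for. The attack graph, the asset and step names, the TTC values and the 0.3 speed-up multiplier for drive-by related steps are all constructed assumptions chosen to illustrate the mechanism; the persona-to-tag mapping is likewise hypothetical. The model uses expected TTC per step and OR-steps only, so the critical path is simply the cheapest chain from the attacker's entry point to a target.

```python
"""Threat-actor persona applied to time-to-compromise (TTC) estimates.

Toy model, not securiCAD: each attack step carries an expected TTC in days
and a set of tags; a persona scales the TTC of every step whose tags match
the ATT&CK techniques the actor is known for. The critical path is the
cheapest chain of OR-steps from the attacker's entry point to a target.
"""
import heapq
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class AttackStep:
    name: str
    mean_ttc_days: float              # expected time to complete this step
    tags: frozenset = field(default_factory=frozenset)


# Constructed sample attack graph (hypothetical assets and numbers).
STEPS = {s.name: s for s in [
    AttackStep("Attacker.entry", 0.0),
    AttackStep("Mail.phishingCredentialTheft", 4.0, frozenset({"email"})),
    AttackStep("Browser.driveByCompromise", 10.0, frozenset({"web_browser"})),
    AttackStep("WebServer.exploitPublicApp", 20.0, frozenset({"web_server"})),
    AttackStep("Workstation.compromise", 1.0, frozenset({"endpoint"})),
    AttackStep("DmzHost.compromise", 1.0, frozenset({"server"})),
    AttackStep("Database.connectFromLan", 5.0, frozenset({"database"})),
    AttackStep("Database.connectFromDmz", 4.0, frozenset({"database"})),
    AttackStep("Database.read", 1.0, frozenset({"database"})),
]}

# Which step can be reached once a step is completed (all OR-steps).
EDGES = {
    "Attacker.entry": ["Mail.phishingCredentialTheft",
                       "Browser.driveByCompromise",
                       "WebServer.exploitPublicApp"],
    "Mail.phishingCredentialTheft": ["Workstation.compromise"],
    "Browser.driveByCompromise": ["Workstation.compromise"],
    "WebServer.exploitPublicApp": ["DmzHost.compromise"],
    "Workstation.compromise": ["Database.connectFromLan"],
    "DmzHost.compromise": ["Database.connectFromDmz"],
    "Database.connectFromLan": ["Database.read"],
    "Database.connectFromDmz": ["Database.read"],
}

# Persona: ATT&CK technique -> (tags of affected steps, TTC multiplier).
# Mapping drive-by compromise to browser and web-server steps follows the
# text above; the 0.3 multiplier is an assumed tuning value, not a published one.
APT38_PERSONA = {
    "T1189 Drive-by Compromise": (frozenset({"web_browser", "web_server"}), 0.3),
}


def apply_persona(steps, persona):
    """Return a copy of the step table with TTCs scaled for the persona."""
    scaled = {}
    for name, step in steps.items():
        factor = 1.0
        for tags, mult in persona.values():
            if step.tags & tags:
                factor = min(factor, mult)   # strongest speed-up wins if several match
        scaled[name] = replace(step, mean_ttc_days=step.mean_ttc_days * factor)
    return scaled


def critical_path(steps, edges, source, target):
    """Dijkstra over expected TTC; returns (total_days, [step names])."""
    dist = {source: steps[source].mean_ttc_days}
    prev = {}
    heap = [(dist[source], source)]
    while heap:
        d, cur = heapq.heappop(heap)
        if d > dist.get(cur, float("inf")):
            continue                          # stale heap entry
        if cur == target:
            break
        for nxt in edges.get(cur, []):
            nd = d + steps[nxt].mean_ttc_days
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = cur
                heapq.heappush(heap, (nd, nxt))
    if target not in dist:
        return float("inf"), []
    path, node = [], target
    while node != source:
        path.append(node)
        node = prev[node]
    path.append(source)
    return dist[target], path[::-1]


def compare_personas(target="Database.read"):
    """Critical path to the target for the average attacker and for APT38."""
    base = critical_path(STEPS, EDGES, "Attacker.entry", target)
    apt = critical_path(apply_persona(STEPS, APT38_PERSONA), EDGES,
                        "Attacker.entry", target)
    return {"baseline": base, "APT38": apt}


if __name__ == "__main__":
    for persona, (days, path) in compare_personas().items():
        print(f"{persona:9s} {days:5.1f} days  " + " -> ".join(path))
```

With the constructed numbers, the average attacker's critical path to the database goes through phishing (11 days), while the APT38 persona, with browser and web-server steps three times faster, shifts it to the drive-by route (10 days); the web-server route drops from 26 to 12 days but still does not become critical. That is exactly the effect described above: tailoring the distributions of a tagged subset of steps can change which path the simulation reports as critical, so the tag-to-step mapping deserves as much scrutiny as the multiplier itself.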
Last year our research engineer Andreas Gylling did a Master's thesis project prototyping a solution for this. If you are interested in this topic, have a look here. In the meantime, we keep scratching our heads about how to add features to securiCAD with respect to this topic. Let us know your thoughts – holler down the mine!