center-for-threat-informed-defense / adversary_emulation_library

An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
https://ctid.io/adversary-emulation
Apache License 2.0

Question regarding Fix for APT29 Emulation Plan #118

Open L015H4CK opened 1 year ago

L015H4CK commented 1 year ago

Hello there,

it was already stated in issue https://github.com/center-for-threat-informed-defense/adversary_emulation_library/issues/84 and in this comment on an issue in the repository for the CALDERA emu-Plugin that the APT 29 emulation plan included in this adversary emulation library is faulty. To summarize: it includes abilities that do not belong there.

My question is, if a fixed version for the APT29 emulation plan does exist somewhere. If not, I will work on it myself. Is anyone interested in the fixed version of the emulation plan? It will probably be split into two separate scenarios (APT29-Day1.yaml and APT29-Day2.yaml) as well as a completely new APT directory containing the APT3 emulation plan. I will gladly open a pull request as soon as I am done with it but I just wanted to reach out to anyone who might be working on the APT29 emulation plan beforehand.

Best regards.

Additional information

The history of the problem

The "original" APT29 emulation plan was published in the CALDERA evals-plugin. This plugin includes the first round of the MITRE ATT&CK evaluations (APT3) as well as the second round (APT29). In total, it includes 10 different CALDERA adversary profiles. Three of them belong to two different scenarios of APT29 (Day1.A, Day1.B and Day2) and the other seven belong to different phases of APT3.

In January 2021 the content of the above-mentioned repository was ported to this repository and the "old" form was archived. During this port, all adversary profiles were merged into one emulation plan - APT29.yaml. This plan now contains both scenarios for APT29 as well as the abilities for APT3.

Now, when using the CALDERA emu-Plugin (which basically just downloads the emulation plans from this repo and parses them into CALDERA abilities and adversaries) we get one large adversary profile also containing both APT29 scenarios as well the abilities for APT3.

Both scenarios in one emulation plan?

It is quite trivial to see that the APT29 emulation plan contains both scenarios. [Screenshots: Scenario 1, Scenario 2]

APT3 abilities in APT29 emulation plan?

The ability System Network Configuration Discovery with ID ee08a427-1e1d-4d8a-aeb1-978a7fcf9087 was originally included in the adversary profile for APT3.

It could not be found in the original adversary profile for APT29 Day1.A.

The APT29 emulation plan in this repository contains this specific ability as a substep of step 2 in scenario 1. When parsing a new adversary profile using the emu-plugin, all abilities (also this specific ability) are included there.

Multiple YAML-emulation plans and the emu plugin

The emu plugin is able to parse several YAML files contained in the Emulation_Plan/yaml directory. For each YAML file a separate adversary profile can be parsed.

L015H4CK commented 1 year ago

Hello again,

I took the time and looked into the faulty APT29 emulation plan. The APT29 emulation plan was split into 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3.

The changes can be seen in my fork https://github.com/center-for-threat-informed-defense/adversary_emulation_library/compare/master...L015H4CK:adversary_emulation_library:master.

How was it done?

I looked into the original, archived adversary profiles for APT29 and APT3 in the old evals plugin. For every archived profile, for each ability in it I checked the APT29 emulation plan for a matching ability. The matching ability was then copied to the new corresponding emulation plan.

Some interesting notes

Results

With the above-described technique I got 4 separate emulation plans: APT29-Day1.A, APT29-Day1.B, APT29-Day2 and APT3. The emulation plan for APT3 was moved to a separate directory called apt3 with no additional information about APT3. The resulting emulation plans are all complete when compared to the original, archived adversary profiles. Only the emulation plan for APT29-Day2 misses the first ability, which was not included in the APT29 emulation plan. This ability is used as a setup - more info here. I did not check yet if the missing ability is really needed or if it was removed because it was deprecated or no longer necessary.

Also, I did not find the time yet to run the new emulation plans using CALDERA and its emu plugin. I only checked if CALDERA correctly parses the emulation plans into adversary profiles and abilities (which it did). I think I will get to run the simulations later this week.

I will happily open a pull request if you are interested in the new emulation plans.
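
The matching procedure described in the comment above, as an added example that is neither part of this issue nor the library's or CALDERA's own tooling: each ability of the merged plan is routed to the plan of the archived profile whose atomic_ordering lists its id, ids the merged plan lacks are reported (the Day2 setup ability case noted above), and abilities no profile claims are flagged. The field names and all sample ids except the quoted APT3 one are constructed assumptions; real files would be loaded with yaml.safe_load() first.

```python
# Added example (not the issue's or the library's own tooling): split a merged plan
# into one plan per archived CALDERA adversary profile. Simplified assumed shapes:
# a profile is {"name", "atomic_ordering": [ability ids]}; a merged plan is a list whose
# first item holds "emulation_plan_details" and whose other items are abilities keyed
# by "id". Real files would be loaded with yaml.safe_load() first.

# Constructed sample data. The APT3 ability id is the one quoted in the issue;
# every other id is a placeholder.
ARCHIVED_PROFILES = [
    {"name": "APT29-Day1.A", "atomic_ordering": [
        "a1000000-0000-4000-8000-000000000001", "a1000000-0000-4000-8000-000000000002"]},
    {"name": "APT29-Day2", "atomic_ordering": [
        "d2000000-0000-4000-8000-000000000000",  # setup step, absent from the merged plan
        "d2000000-0000-4000-8000-000000000001"]},
    {"name": "APT3", "atomic_ordering": ["ee08a427-1e1d-4d8a-aeb1-978a7fcf9087"]},
]
MERGED_PLAN = [
    {"emulation_plan_details": {"adversary_name": "APT29", "format_version": "1.0"}},
    {"id": "a1000000-0000-4000-8000-000000000001", "name": "Day1.A step 1"},
    {"id": "ee08a427-1e1d-4d8a-aeb1-978a7fcf9087", "name": "System Network Configuration Discovery"},
    {"id": "a1000000-0000-4000-8000-000000000002", "name": "Day1.A step 2"},
    {"id": "d2000000-0000-4000-8000-000000000001", "name": "Day2 step 2"},
    {"id": "ffffffff-0000-4000-8000-000000000000", "name": "Stray ability"},
]

def split_plan(merged, profiles):
    """Return (plans, missing, unclaimed): plans maps profile name -> new plan (header
    plus abilities in the archived order); missing maps profile name -> ids the archived
    profile lists but the merged plan lacks; unclaimed lists ids no profile claims."""
    header = next((i["emulation_plan_details"] for i in merged
                   if "emulation_plan_details" in i), {})
    by_id = {item["id"]: item for item in merged if "id" in item}
    plans, missing, claimed = {}, {}, set()
    for profile in profiles:
        new_plan = [{"emulation_plan_details": dict(header, adversary_name=profile["name"])}]
        absent = []
        for ability_id in profile["atomic_ordering"]:
            if ability_id in by_id:
                new_plan.append(by_id[ability_id])
                claimed.add(ability_id)
            else:
                absent.append(ability_id)  # report it rather than silently dropping it
        plans[profile["name"]], missing[profile["name"]] = new_plan, absent
    return plans, missing, sorted(set(by_id) - claimed)

def ability_ids(plan):
    """Ability ids of a plan in order, skipping the header entry."""
    return [item["id"] for item in plan if "id" in item]
```

Running split_plan(MERGED_PLAN, ARCHIVED_PROFILES) routes the quoted APT3 ability to the APT3 plan rather than Day1.A, reports the Day2 setup id as missing, and lists the stray id as unclaimed.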

mticmtic commented 1 year ago

Hi L015H4CK, I appreciate the time and research you put into this issue! If you submit a PR, we can take a look to better understand the issue and what was fixed.

L015H4CK commented 1 year ago

Hello Mike, I just created the pull request. If you have any questions regarding the changes please let me know.

L015H4CK commented 9 months ago

Hello again! Is there still a chance the pull request will be reviewed? I am more than willing to pitch in and help or answer any questions about it.

nism385 commented 8 months ago

Not sure how I ended up involved with the project. Please remove me, Thank you.

mehaase commented 8 months ago

Hi @L015H4CK, thank you for submitting the PR. We have discussed internally and would like to merge it but we need somebody on our staff to manually verify, and we are stretched thin atm with a lot of other releases this month. Please bear with us while we bring in the right personnel to review your PR.

@nism385 I cannot change your notification settings. Please check if you have “watch” set on this issue or on the whole repo.