{"id":7070,"date":"2025-01-24T13:47:37","date_gmt":"2025-01-24T19:47:37","guid":{"rendered":"https:\/\/www.darkreading.com\/cybersecurity-operations\/mitre-simuluations-shine-light-on-attackers-techniques"},"modified":"2025-01-24T13:47:37","modified_gmt":"2025-01-24T19:47:37","slug":"mitres-latest-attck-simulations-tackles-cloud-defenses","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/24\/mitres-latest-attck-simulations-tackles-cloud-defenses\/","title":{"rendered":"MITRE’s Latest ATT&CK Simulations Tackles Cloud Defenses"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

In 2025, an international fintech firm will face attacks through its hybrid cloud infrastructure by some of the most sophisticated cyber operators on the Internet, targeting the company’s Active Directory instance, employees’ LinkedIn profiles, and shared code repositories to further their compromises.<\/span><\/p>\n

A prediction? Not quite.<\/span><\/p>\n

The <\/span>scenario<\/a><\/span> is the premise of the latest MITRE ATT&CK Evaluations test, an annual assessment gauntlet that pits cybersecurity firms against the techniques and tactics of the latest cyber threats actors. For vendors, the exercises \u2014 conducted by government contractor MITRE \u2014 allow them to test their detection, protection, and response capabilities in real-world scenarios to see what can be improved. For cybersecurity professionals, the results of the assessments can help them determine whether they are prepared to defend against sophisticated attacks.<\/span><\/p>\n

While some vendors tout their detection ratings in the evaluations, the point is less about grades for security software and more about improving companies’ defenses and vendors’ products, says Lex Crumpton, principal cybersecurity engineer at MITRE.<\/span><\/p>\n

“ATT&CK Evaluations is more of an adversary-emulation, purple-teaming, collaboration effort, if you will \u2014 we assess the vendors tooling on an environment that we build in-house,” she says. “They don’t know which techniques we are going to choose, or what we’re not going to choose, based off of that techniques and scope document.”<\/span><\/p>\n

The MITRE ATT&CK Framework is well-known as <\/span>a taxonomy of tactics and techniques<\/a><\/span> used by cyberattackers, but every year MITRE also conducts testing of security products against the latest threats targeting organizations. In 2024, for example, the exercise mimicked attacks by the LockBit ransomware-as-a-service group, the Cl0p ransomware gang, and North Korean state-sponsored threat groups, which have commonly used ransomware to fund national goals.<\/span><\/p>\n

A variety of ransomware attacks were emulated in the test environment, including those targeting Windows and MacOS, MITRE said in <\/span>a December 2024 statement<\/a><\/span>.<\/span><\/p>\n

For 2025, one part of the evaluation \u2014 known as the Managed Services Evaluation \u2014 will focus on “cloud-based attacks, response\/containment strategies, and post-incident analysis,” according to <\/span>the organization’s scenario outline<\/a><\/span>.<\/span><\/p>\n

Companies can use the ATT&CK Evaluations in two ways, says Greg Young, vice president of cybersecurity at Trend Micro, which participated in the 2024 Evaluations along with 18 other companies.<\/span><\/p>\n

“For [a company’s] purchase decisions, this is one sort of data input \u2014 it should not be the only data input because the testing for MITRE is exceptionally narrow against a few techniques and tactics,” he says. “For the second part, the tests [can inform] companies’ own security ops centers and their own red teaming behavior \u2014 looking at it and saying, ‘Well, what are adversaries using today?'”<\/span><\/p>\n

Developing More Realistic Adversaries<\/h2>\n

The ATT&CK evaluations use cybersecurity observations and threat reporting from analysts worldwide, collected from both MITRE’s in-house cyber threat intelligence team and from the CTI community at large. The group collects information on attacks and selects the adversaries for the evaluations. A red development team creates a set of tools to emulate current techniques used by selected adversaries, while the detection team \u2014 the blue team \u2014 confirms whether those approaches are legitimate in terms of the evaluation.<\/span><\/p>\n

MITRE conducts two distinct rounds of testing. One is a managed-service round, in which the organization creates a black-box testing environment, giving no information about the attack to the vendor being evaluated except for the general category of threat. In an enterprise round, the vendor is given the technical scope and potential information about the adversaries, such as whether they are a nation-state, such as China or the DPRK, or using some other tactics.<\/span><\/p>\n

Like many testing organizations, MITRE has faced some pushback on aspects of its scenarios, Crumpton says.<\/span><\/p>\n

“One of the biggest comments we had this year is \u2014 because we brought in false-positive noise [such as] benign user activity \u2014 some vendors argued that, ‘Hey, this could be deemed malicious activity’,” she says. “I think one of the benign use cases was disabling the firewall. One vendor said, ‘Hey, the sys admins from our companies would never disable the firewall.'”<\/span><\/p>\n

Evaluations Push for Improvement<\/h2>\n

Vendors get graded on how they perform, but the focus is on giving information to both the vendors and businesses about how they can improve their defenses, Crumpton says.<\/span><\/p>\n

“Ultimately, we are there to improve the tools,” she explains. “If we’re emulating this adversary and we find this technique that your tool can’t detect, can we help you improve your tool so that you can now detect that technique? That’s something that I think also the customers or the community should look at.”<\/span><\/p>\n

Defenders can take a page from the ATT&CK evaluations as well, creating playbooks to detect and protect against the tested threats, says Trend Micro’s Young. During the ATT&CK Evaluation, <\/span>MITRE logs activity and takes screenshots<\/a><\/span>, giving organizations a detailed picture of the attack unfolding and mapping the steps against the ATT&CK Framework.<\/span><\/p>\n

“Knowing that adversaries are now using this kind of technique \u2014 say, this kind of lateral movement, or they’re going to go after this kind of resource \u2014 that’s exceptionally helpful for [a company] designing their defenses,” he says. “I almost think there’s more value in looking at the [ATT&CK] framework than the evaluations, but it depends on your purpose.”<\/span><\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

In 2025, an international fintech firm will face attacks through<\/p>\n","protected":false},"author":12,"featured_media":7071,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[809],"class_list":["post-7070","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-dark-reading"],"featured_image_urls":{"full":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=1920%2C1080&ssl=1",1920,1080,false],"thumbnail":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?resize=150%2C150&ssl=1",150,150,true],"medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=300%2C169&ssl=1",300,169,true],"medium_large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=640%2C360&ssl=1",640,360,true],"large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=640%2C360&ssl=1",640,360,true],"1536x1536":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=1536%2C864&ssl=1",1536,864,true],"2048x2048":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=1920%2C1080&ssl=1",1920,1080,true],"chromenews-featured":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=1024%2C576&ssl=1",1024,576,true],"chromenews-large":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?resize=825%2C575&ssl=1",825,575,true],"chromenews-medium":["https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?resize=590%2C410&ssl=1",590,410,true]},"author_info":{"display_name":"Dark Reading","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/darkreading\/"},"category_info":"Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","jetpack_featured_media_url":"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/mitres-latest-attck-simulations-tackles-cloud-defenses.jpg?fit=1920%2C1080&ssl=1","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7070","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7070"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7070\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media\/7071"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7070"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7070"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7070"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}