
Creating a Full Kill Chain Attack With MITRE’s Engenuity Evaluation APTs

Earlier this week, MITRE released its annual Engenuity evaluation of vendors’ solutions. The main idea behind MITRE Engenuity evaluations is to check how vendors’ solutions fare when faced with a real-life attack and to see whether they provide defenders with the information and/or automation needed to detect, prevent, stop, or mitigate the attack.

MITRE’s Methodology 

To do so, MITRE emulates the exact attack path used by attackers in designated vendors’ environments dedicated to threat-informed defense practice. This provides insights into the capabilities and performance of participating vendors’ products. The evaluation results are publicly available so that defenders can make better-informed decisions on how to leverage the products that secure their organizations. This year’s Sandworm and Wizard Spider threat emulation plans used by MITRE are made available to the public and can be consulted here.

A Deeper Look into Sandworm Assessment Scenario 

To better understand the threats hiding behind these names, let’s take a deeper look at the steps of each scenario as emulated by MITRE, and at the connections between those steps that Cymulate adds to provide a more in-depth, end-to-end evaluation.

Most recently, Sandworm (suspected to be a Russian cyber-military unit) unleashed cyberattacks against Ukrainian infrastructure targets. 

Sandworm’s advanced scenario contains 17 different executions that, articulated together, amount to a complete real-life attack simulation.

The Sandworm advanced scenario assessment starts by downloading a phishing attachment and running a VBS script from that attachment, then proceeds with the attack’s steps:

(Note: On Cymulate’s dashboard, the connections between the different attack steps are visually displayed as shown in the examples included.) 

  1. It uses WMI to download a file with PowerShell and writes a web shell to disk.
  2. It creates an admin user on the SQL server and creates a new SMB share for anonymous access.
  3. It discovers domains within the organization and attempts a password spray and an RDP connection to one of them.
     (Figure: Domain Discovery Flow)
  4. It attempts execution of a command with rundll32 and tries to install a keylogger, followed by keystroke capture.
  5. a. It enumerates all local and domain users, compresses the data, and exfiltrates it over a C2 channel.
     b. It encrypts a file in a temp folder to simulate data encryption.
  6. It deletes Event Viewer logs.

The attack is now complete.  

A Deeper Look into Wizard Spider Assessment Scenario

Wizard Spider’s advanced scenario contains 18 different executions that, articulated together, amount to a complete real-life attack simulation. 

The Wizard Spider intrusion advanced scenario mimics a real intrusion aimed at deploying Diavol Ransomware through the following steps: 

(Note:  On Cymulate’s dashboard, the connections between the different attack steps are visually displayed as shown in the examples included.) 

  1. Perform internal discovery using Windows utilities.
  2. Execute lateral movement using AnyDesk and RDP.
  3. Dump credentials in multiple ways.
  4. Compress data with PowerShell for later exfiltration.
     (Figure: Data Exfiltration Flow)
  5. Exfiltrate data using PSFTP.
  6. Deploy domain-wide ransomware.

The attack is now complete. 
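As an added example (not Cymulate’s or MITRE’s code), the following Python rule set shows how a defender could spot several of the steps listed in the Sandworm and Wizard Spider scenarios above from Windows Security events: a password spray (bursts of failed logons, event 4625), a newly added SMB share (5142), rundll32 loading a DLL from a user-writable path and PSFTP-style exfiltration tooling (process creation, 4688), and log clearing (1102 for the Security log, 104 for the System log). The event IDs are standard Windows ones; the sample records, thresholds, path list and tool list are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample Windows Security-log records: (timestamp_s, event_id, fields).
SAMPLE_EVENTS = [
    (100, 4625, {"src": "10.0.0.5", "user": "alice"}),   # failed logons ...
    (101, 4625, {"src": "10.0.0.5", "user": "bob"}),
    (102, 4625, {"src": "10.0.0.5", "user": "carol"}),
    (103, 4625, {"src": "10.0.0.5", "user": "dave"}),
    (104, 4625, {"src": "10.0.0.5", "user": "erin"}),    # ... many users, one source
    (200, 5142, {"share": "\\\\*\\drop", "path": "C:\\drop"}),   # share added
    (300, 4688, {"image": "C:\\Windows\\System32\\rundll32.exe",
                 "cmdline": "rundll32.exe C:\\Users\\Public\\x.dll,Start"}),
    (400, 4688, {"image": "C:\\Tools\\psftp.exe",
                 "cmdline": "psftp.exe user@203.0.113.9"}),
    (500, 1102, {"user": "Administrator"}),              # audit log cleared
]

# Assumed thresholds, paths and tool names; tune them to your environment.
SPRAY_USERS = 5      # distinct accounts failing from one source ...
SPRAY_WINDOW = 60    # ... within this many seconds
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
EXFIL_TOOLS = ("psftp.exe", "pscp.exe", "winscp.exe")

def detect(events):
    """Return (rule, detail) findings, in time order, for the listed steps."""
    findings = []
    fails = defaultdict(list)  # source -> [(ts, user)] for spray detection
    for ts, eid, f in sorted(events, key=lambda e: e[0]):
        if eid == 4625:  # failed logon: many accounts from one source = spray
            fails[f["src"]].append((ts, f["user"]))
            recent = {u for t, u in fails[f["src"]] if ts - t <= SPRAY_WINDOW}
            if len(recent) >= SPRAY_USERS:
                findings.append(("password_spray", f["src"]))
                fails[f["src"]].clear()  # one finding per burst
        elif eid == 5142:  # network share added: review for anonymous access
            findings.append(("share_created", f["share"]))
        elif eid == 4688:  # process creation
            img, cmd = f["image"].lower(), f["cmdline"].lower()
            if img.endswith("rundll32.exe") and any(p in cmd for p in USER_WRITABLE):
                findings.append(("rundll32_user_path", f["cmdline"]))
            if img.rsplit("\\", 1)[-1] in EXFIL_TOOLS:
                findings.append(("sftp_exfil_tool", f["image"]))
        elif eid in (1102, 104):  # Security (1102) or System (104) log cleared
            findings.append(("log_cleared", f.get("user", "unknown")))
    return findings

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Each finding maps back to one step of the emulated kill chains, so a run over your own exported events shows which steps would have produced an alert and which would have passed silently.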

Optimizing Your Own Results with Cymulate  

Using Cymulate’s native capabilities to operationalize TTP-based attack paths through scenarios and campaigns, the Cymulate Sandworm and Wizard Spider scenarios let users of the solutions tested by MITRE Engenuity see how well those solutions prevent these attacks in their own environments. A purple team template of this year’s emulated attacks, closely following Engenuity’s emulation plans, is now available in the advanced scenario templates. Keep in mind that Cymulate’s attack emulations evaluate resilience across the full kill chain, while the MITRE Engenuity evaluation proceeds step by step. A significant gap between the performance of your instance of the solution and the overall MITRE Engenuity results would therefore indicate either that your solution’s configuration is not optimized or that the step-by-step nature of the Engenuity assessments misses potential attack paths that also need attention.

The point-in-time snapshot of your organization’s resilience that these two attack assessments provide should be taken again after applying the recommended fixes, to check whether they improve defensive performance. In any case, since threats evolve at a fast pace and agile development results in frequent changes to the environment, continuously running security validation tests is highly recommended as a rule.

This year’s selection for MITRE Engenuity was the two APTs “Wizard Spider” and “Sandworm”.

These APT Groups have been wreaking havoc over the past few years – developing and deploying cybercrime tools like Conti, Trickbot, or Ryuk ransomware. 

Here are the templates created by the Cymulate Research Team:

(Figure: APT Groups Dashboard)

Unlike MITRE’s Engenuity evaluation process, which considers each step separately, Cymulate’s scenario mimics a real-life attack along the full kill chain, connecting each step to the next in a continuous end-to-end flow.

What now? 

With this clearer understanding of the end-to-end unfolding of these two attacks across the entire kill chain, it is time to run an assessment and see for yourself how your instance of the solution fares in detecting and stopping them. 

The results provided by Cymulate automated assessments will differ slightly from those published by MITRE Engenuity because, as stated above, Cymulate evaluates your resiliency across the entire kill chain instead of evaluating each step individually as MITRE does.

Regardless, it will give you a good evaluation of your performance against these two attacks and provide actionable recommendations to improve it. 

Schedule a demo to see how Cymulate can keep your environment up to speed on the latest attacks.
