4 open-source Mitre ATT&CK test tools compared

Any of these tools from Endgame, Red Canary, Mitre, and Uber will get your red team and pentesters started with Mitre's ATT&CK framework.

An engineer reviews strategy framework data.
Metamorworks / Getty Images

One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The Mitre ATT&CK framework, which can be a very useful collection of threat tactics and techniques for such a team. The framework classifies and describes a wide range of attacks. To make it even more effective, various commercial and open-source general testing tools have been built to complement its schemas.

I examine four of the open-source tools: Endgame’s Red Team Automation (RTA), Mitre’s Caldera, Red Canary’s Atomic Red, and Uber’s Metta. Many others are either fee-based (such as Safebreach, AttackIQ’s FireDrill, or Verodin) or focus on limited use cases. All four are free and require a varying degree of supporting infrastructure. I tried them out on a test network of both Windows 7/10 and Mac endpoints to see how they work and what kinds of reports and insights they provide. 

Selecting and using ATT&CK testing tools

Before using any of these products, think about what you will be testing and how diverse your endpoint population will be. If you are primarily concerned with Windows, then all of them are appropriate. If you also want to examine the impact on Mac and Linux endpoints, you will need to look at Atomic Red or Metta.

CSO table: Open-source ATT&CK test tools CSO / IDG

Once you start your testing, I recommend first setting up at least one Windows virtual machine (VM) and disabling Windows Defender or other antivirus (AV) programs. Metta has a somewhat different testbed, but it also uses VMs. Turn off any AV screeners, because they could block some of the activities of the ATT&CK-based products that simulate threats.

To continue reading this article register now

The 10 most powerful cybersecurity companies