The new offering uses atomic tests and in-house approximation in its purple team assessment to test all known techniques of an attack.

With threat actors constantly evolving their tactics, it is becoming clear that a single attack can take numerous forms with only a slight tweak in the underlying tooling. While an exhaustive test of security controls against all of these variations may not be possible, SpecterOps' new purple team assessment now offers a close second. The offering classifies the variations of an attack technique into representative test cases that organizations can run against their security controls.

"Most traditional purple team approaches underestimate the complexity of intra-technique variation, which often leads to a false sense of detection coverage," said Jared Atkinson, chief strategist at SpecterOps. "Our approach utilizes a diverse set of test cases to measure true coverage."

The two-week assessment, already available to SpecterOps' customers, is also intended to help security teams understand how adversaries modify techniques to avoid detection.

SpecterOps implements Atomic Testing

The new offering builds on the approach pioneered by Red Canary's Atomic Red Team project, which isolates individual behaviors from an attack chain so that the variables affecting a security control's result can be controlled one at a time.

"Atomic Testing understands that while there is a broad range of variation between attack techniques, we must not forget that there is also a wide range of variation within technique categories," said Atkinson. "In order to address this, Atomic Testing approaches leverage numerous test cases to present multiple implementations to relevant security controls."

While Atomic Testing is a useful framework for testing security controls, the selection of test cases matters immensely, Atkinson added.
The implementation of atomic tests, combined with SpecterOps' history of adversary simulation and detection exercises across government, defense, financial, and healthcare environments, gives the offering the ability to detect the various obfuscations used by attackers. "Our experience with malware analysis allows us to analyze samples to identify new variations and integrate them into our overall threat model," Atkinson said.

Picking the test cases

The number of variations an attack chain can adopt can be overwhelming, and it is not always feasible to test for every possible way an attack can happen, SpecterOps pointed out. "I analyzed Process Injection tools to demonstrate this range of variations (and) calculated the existence of at least 4.4 million variations of the Process Injection Technique," Atkinson said. "Assuming that the typical Atomic Test implements something like 10 test cases for a technique, what is the probability that those 10 test cases are representative of the range of variation within those 4.4 million implementations?"

To address this, the new offering implements a proprietary model that evaluates the similarities between these implementations in order to select an optimal set of test cases. The model examines each implementation of a technique and maps the differences between them. It then selects a set of test cases that maximizes those differences, so that the chosen set approximates the full range of variation within the technique category.

"We’ve found that a mixture of Atomic Testing (controlling non-relevant variables), Representative Sampling (selecting tests that approximate the range of variation that exists within a Technique category), and Education (helping our customers learn the skill sets and methodology necessary to integrate this practice into their own program) provides that provable solution to this problem," Atkinson said.
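The selection problem described above can be illustrated with a small model. The following Python is an added example, not SpecterOps' proprietary model or any code from the article: it treats a technique family as one choice per stage (the stage names and option labels are constructed placeholders, not real technique primitives), enumerates every combination, and greedily picks test cases that exercise as many not-yet-covered stage options as possible, breaking ties by dissimilarity to tests already chosen. It then reports how much of the option space a representative set covers compared with picking the same number of test cases at random, which is the gap the article's 10-tests-versus-4.4-million question is about.

```python
"""Representative sampling of intra-technique variation (added example).

Constructed, hypothetical model of a technique family: each variant is one
option per stage. The stage and option names are placeholders and do not
refer to real APIs. The selector is a simple greedy heuristic, not the
proprietary model described in the article.
"""
import itertools
import random
from typing import Dict, List, Tuple

Variant = Tuple[str, ...]

# Constructed stage/option model: 2 * 4 * 3 * 5 = 120 possible variants.
STAGES: Dict[str, List[str]] = {
    "target_selection": ["option_1", "option_2"],
    "stage_two": ["option_a", "option_b", "option_c", "option_d"],
    "stage_three": ["option_x", "option_y", "option_z"],
    "stage_four": ["option_p", "option_q", "option_r", "option_s", "option_t"],
}


def enumerate_variants(stages: Dict[str, List[str]] = STAGES) -> List[Variant]:
    """Every combination of one option per stage, in a fixed, repeatable order."""
    return list(itertools.product(*stages.values()))


def hamming(a: Variant, b: Variant) -> int:
    """Number of stages in which two variants differ (dissimilarity measure)."""
    return sum(x != y for x, y in zip(a, b))


def pair_coverage(sample, stages: Dict[str, List[str]] = STAGES) -> Tuple[int, int]:
    """(covered, total) count of (stage, option) pairs exercised by a test set."""
    names = list(stages)
    covered = {(names[i], opt) for v in sample for i, opt in enumerate(v)}
    total = sum(len(opts) for opts in stages.values())
    return len(covered), total


def select_representative(k: int, stages: Dict[str, List[str]] = STAGES) -> List[Variant]:
    """Greedy representative sampling.

    Each round picks the variant that covers the most (stage, option) pairs
    not yet exercised; ties are broken by the largest minimum Hamming
    distance to the tests already chosen, so later picks stay spread out
    once every option has been covered at least once.
    """
    variants = enumerate_variants(stages)
    names = list(stages)
    chosen: List[Variant] = []
    seen = set()
    for _ in range(min(k, len(variants))):
        best, best_score = None, None
        for v in variants:
            if v in chosen:
                continue
            new_pairs = sum((names[i], opt) not in seen for i, opt in enumerate(v))
            dissim = min((hamming(v, c) for c in chosen), default=0)
            score = (new_pairs, dissim)
            if best_score is None or score > best_score:
                best, best_score = v, score
        chosen.append(best)
        seen.update((names[i], opt) for i, opt in enumerate(best))
    return chosen


def random_sample(k: int, seed: int = 0, stages: Dict[str, List[str]] = STAGES) -> List[Variant]:
    """Baseline: k test cases drawn uniformly at random (seeded for repeatability)."""
    return random.Random(seed).sample(enumerate_variants(stages), k)


def compare(k: int, seed: int = 0) -> Dict[str, Tuple[int, int]]:
    """Coverage of the representative set versus a random set of the same size."""
    return {
        "representative": pair_coverage(select_representative(k)),
        "random": pair_coverage(random_sample(k, seed)),
    }


if __name__ == "__main__":
    print("total variants:", len(enumerate_variants()))
    for k in (2, 5, 10):
        print(f"k={k}:", compare(k))
```

With a full product space the greedy pass reaches 100% option coverage after as many picks as the largest stage has options (five here), whereas a random draw of the same size routinely leaves options unexercised; a detection that only fires on the options the random set happened to include would look fully covered in the purple team report.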