With threat actors constantly evolving their tactics, it is becoming clear that a single attack technique can take numerous forms with only a slight tweak to the underlying tooling. While an exhaustive test of security controls against all of these variations may not be possible, SpecterOps’ new purple team assessment offers a close second.

The new offering classifies the variations of an attack technique into representative test cases that organizations can test their security controls against.

“Most traditional purple team approaches underestimate the complexity of intra-technique variation, which often leads to a false sense of detection coverage,” said Jared Atkinson, chief strategist at SpecterOps. “Our approach utilizes a diverse set of test cases to measure true coverage.”

The two-week assessment, already available to SpecterOps’ customers, will also help security teams understand how adversaries modify techniques to avoid detection.

SpecterOps implements Atomic Testing

The new offering leverages the approach pioneered by Red Canary’s Atomic Red Team project, which extracts individual behaviors from an attack chain in order to control the variables that affect the results of security controls.

“Atomic Testing understands that while there is a broad range of variation between attack techniques, we must not forget that there is also a wide range of variation within technique categories,” said Atkinson. “In order to address this, Atomic Testing approaches leverage numerous test cases to present multiple implementations to relevant security controls.”

While Atomic Testing is a useful framework for testing security controls, the selection of test cases matters immensely, Atkinson added.

The implementation of Atomic Tests, combined with SpecterOps’ history of adversary simulation and detection exercises across government, defense, financial, and healthcare environments, gives the offering the ability to detect the various obfuscations used by attackers.

“Our experience with malware analysis allows us to analyze samples to identify new variations and integrate them into our overall threat model,” Atkinson said.

Picking the test cases

The number of variations an attack chain can adopt can be overwhelming, and it is not always feasible to test for every possible way an attack can happen, SpecterOps pointed out.

“I analyzed Process Injection tools to demonstrate this range of variations (and) calculated the existence of at least 4.4 million variations of the Process Injection Technique,” Atkinson said. “Assuming that the typical Atomic Test implements something like 10 test cases for a technique, what is the probability that those 10 test cases are representative of the range of variation within those 4.4 million implementations?”

To address this, the new offering implements a proprietary model that evaluates the similarities between these implementations in order to select the optimal set of test cases.

The model studies each technique’s implementations and the differences between them. It then selects a set of test cases that maximizes the differences between them, so that the selected set approximates the full range of variation within the technique category.

“We’ve found that a mixture of Atomic Testing (controlling non-relevant variables), Representative Sampling (selecting tests that approximate the range of variation that exists within a Technique category), and Education (helping our customers learn the skill sets and methodology necessary to integrate this practice into their own program) provides that provable solution to this problem,” Atkinson said.
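The following Python example is added here to illustrate the Representative Sampling idea the article describes; it is not SpecterOps’ proprietary model and not code from the company. It assumes that one technique’s implementation space can be modelled as combinations of categorical choices along a handful of dimensions (the dimension names and A1/W1/E1-style labels are constructed placeholders, not a real taxonomy), that dissimilarity between two implementations is the number of choices on which they differ, and that a detection-coverage budget of 10 test cases must be spent. It then contrasts two ways of spending that budget: taking the first 10 implementations in enumeration order (near-duplicates) versus farthest-point sampling, which greedily adds the implementation most dissimilar from everything already chosen. The constructed space has 360 variations, far smaller than the 4.4 million the article cites, but the effect it shows (same budget, very different share of the variation space exercised) is the point of the passage.

```python
"""Representative test-case sampling for an atomic-testing programme.

Added illustration (not SpecterOps' model): a technique's variations are
tuples of categorical choices, dissimilarity is Hamming distance, and
farthest-point sampling picks a test set that spreads across the space.
Coverage is the share of all variations within `radius` choices of at
least one selected test case.
"""
import itertools

# Constructed dimensions of variation with placeholder labels (hypothetical,
# not a real taxonomy of any technique); 4 * 3 * 5 * 2 * 3 = 360 variations.
DIMENSIONS = {
    "alloc":  ["A1", "A2", "A3", "A4"],
    "write":  ["W1", "W2", "W3"],
    "exec":   ["E1", "E2", "E3", "E4", "E5"],
    "target": ["T1", "T2"],
    "loader": ["L1", "L2", "L3"],
}


def enumerate_variations(dims=DIMENSIONS):
    """Every combination of choices, as tuples in dictionary order."""
    return list(itertools.product(*dims.values()))


def distance(a, b):
    """Hamming distance: number of dimensions on which two variations differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def farthest_point_sample(variations, k):
    """Greedy max-min selection: start from the first variation, then keep
    adding the variation whose nearest already-chosen test is farthest away."""
    chosen = [variations[0]]
    nearest = [distance(v, chosen[0]) for v in variations]
    while len(chosen) < k:
        idx = max(range(len(variations)), key=nearest.__getitem__)
        chosen.append(variations[idx])
        for i, v in enumerate(variations):
            nearest[i] = min(nearest[i], distance(v, variations[idx]))
    return chosen


def coverage(variations, tests, radius):
    """Fraction of variations within `radius` of at least one test case."""
    hit = sum(1 for v in variations if min(distance(v, t) for t in tests) <= radius)
    return hit / len(variations)


def min_pairwise_distance(tests):
    """Smallest dissimilarity between any two selected tests (their spread)."""
    return min(distance(a, b) for a, b in itertools.combinations(tests, 2))


def compare(budget=10, radius=1):
    """Same budget, two selection strategies: the first `budget` variations in
    enumeration order (near-duplicates) versus farthest-point sampling."""
    vs = enumerate_variations()
    naive = vs[:budget]
    rep = farthest_point_sample(vs, budget)
    return {
        "total_variations": len(vs),
        "naive_coverage": coverage(vs, naive, radius),
        "naive_min_spread": min_pairwise_distance(naive),
        "representative_coverage": coverage(vs, rep, radius),
        "representative_min_spread": min_pairwise_distance(rep),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the constructed space above, the 10 enumeration-order tests differ from each other in as little as one choice and reach 80 of the 360 variations within one choice, while the 10 farthest-point tests are pairwise at least three choices apart and reach 130. The radius is a crude stand-in for "a control that catches this test probably catches its close neighbours"; a real programme would replace the placeholder dimensions with the functional decomposition of the technique under test and weight the distance by which choices actually matter to the controls being measured.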