attack-control-framework-mappings
adversary_emulation_library
| attack-control-framework-mappings | adversary_emulation_library | |
|---|---|---|
| 3 | 8 | |
| 465 | 1,545 | |
| - | 1.6% | |
| 4.6 | 9.5 | |
| 30 days ago | 4 months ago | |
| Python | C | |
| Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
attack-control-framework-mappings
-
Is there a Mitre Att&ck mapping to NIST Threat Events?
Here's a mapping to 800-53: https://ctid.mitre-engenuity.org/our-work/nist-800-53-control-mappings/
- NIST 800-53 Control Mappings to MITRE ATT&CK. Pretty handy, if you like that sort of thingā¦
-
What are the most important metrics for measuring cloud and endpoint security?
BlindSPOT: https://blindspotsec.com/ Specific graphic from BlindSPOT: https://blindspotsec.com/wp-content/uploads/2021/04/Failure_Before.jpg How to Measure Anything in Cybersecurity Risk: https://www.amazon.com/dp/B01J4XYM16/ Monte Carlo simulation approach: https://embracethered.com/blog/posts/2020/red-teaming-and-monte-carlo-simulations/ D3FEND: https://d3fend.mitre.org/ ATT&CK mappings: https://github.com/center-for-threat-informed-defense/attack-control-framework-mappings ATT&CK evals: https://attackevals.mitre-engenuity.org/index.html CALDERA: https://github.com/mitre/caldera Offensive Countermeasures: https://www.amazon.com/dp/1974671690/ SPIFFE: https://spiffe.io/ SPIRE: https://github.com/spiffe/spire Zerotier: https://www.zerotier.com/ Zerotier libzt: https://github.com/zerotier/libzt
adversary_emulation_library
-
What adversary emulation options are there nowadays to test SIEMs and IDSs?
Unfortunately I don't have the background and knowledge of cybersecurity needed to plan a pentest of my own. Also, it would be more interesting to emulate the attacks of actual APTs known in the wild. So far, I've tested Caldera, Invoke-AtomicRedTeam and manual tests from CTID's adversary emulation library: https://github.com/center-for-threat-informed-defense/adversary_emulation_library
- adversary_emulation_library: An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs.
-
New blue team
This is a great callout! To help get started, check out the adversary emulation library, https://github.com/center-for-threat-informed-defense/adversary_emulation_library. There are also micro-emulation plans, described here: https://ctid.mitre-engenuity.org/our-work/micro-emulation-plans/.
- micro_emulation_plans: This collection expands the impact of the Adversary Emulation Library by developing easy-to-execute adversary emulation content that targets specific behaviors and challenges facing defenders
-
Advice on purple teaming
I don't know how we know what CS would do if that command was part of a chain of attack, I'm assuming it would just detect on the more malicious activities. Once we get a bit more mature in our use of Atomic Red team I was looking at this framework for simulating an actual attack chain.
- THT: When hunt APT look for emulation ...
- Adversary Emulation Library
- menuPass Adversary Emulation
What are some alternatives?
caldera - Automated Adversary Emulation Platform
tram - TRAM is an open-source platform designed to advance research into automating the mapping of cyber threat intelligence reports to MITRE ATT&CKĀ®.
ZeroTier - A Smart Ethernet Switch for Earth
sysmon-modular - A repository of sysmon configuration modules
attack-flow - Attack Flow helps executives, SOC managers, and defenders easily understand how attackers compose ATT&CK techniques into attacks by developing a representation of attack flows, modeling attack flows for a small corpus of incidents, and creating visualization tools to display attack flows.
caldera_pathfinder - Pathfinder is a plugin for mapping network vulnerabilities, scanned by CALDERA or imported by a supported network scanner, and translating those scans into adversaries for network traversal.
RedEye - RedEye is a visual analytic tool supporting Red & Blue Team operations
libzt - Encrypted P2P sockets over ZeroTier
stix2.1-coa-playbook-extension - A STIX 2.1 Extension Definition for the Course of Action (COA) object type. The nested property extension allows a COA to share machine-readable security playbooks such as CACAO Security Playbooks
attack-stix-data - STIX data representing MITRE ATT&CK
auditd-attack - A Linux Auditd rule set mapped to MITRE's Attack Framework