Cyber Threat Emulation

Abstract

The rising frequency of cyber attacks presents challenges in protecting confidential data. As technology continues to evolve, it empowers both attackers and defenders to enhance their capabilities to exploit and protect software systems. This dynamic fuels innovation in security measures as organizations seek new and effective methods to mitigate cyber attacks that aim to violate the confidentiality, integrity, and availability of information. To face emerging cyber threats, threat intelligence frameworks have been proven essential for gathering information on the motives, targets, and attack behaviors of threat actor groups. By connecting the information from these frameworks, organizations can facilitate realistic training environments to increase the excellence of security practitioners. In this master thesis, the capability of linking attack techniques used by known threat actor groups and modules for attack execution is investigated. This is done by developing a mapping framework in an attempt to represent these techniques in SVED and subsequently instantiate this as an attack profile against a virtual organization in CRATE. The results indicate that when a specific CVE-entry (Common Vulnerabilities and Exposures) is prevalent in the incident description, there is a high likelihood of identifying an attack module for an attack technique. However, in the context of the experiment, the thesis has identified difficulties in emulating techniques by known threat actor groups. The evidence implies further research to explore more effective solutions for processing the modules in the attack profiles.