What is it?
Since I’m technically talking about two somewhat distinct things, I’ll start by briefly explaining that, according to its documentation, “Atomic Red Team is a library of simple tests that every security team can execute to test their controls.” These tests “are focused, have few dependencies, and are defined in a structured format that can be” readily automated.
Atomic Red Team’s chain reactions are grounded in the observation that adversaries do not use attack techniques in isolation. In practice, they chain a variety of techniques and tactics together in pursuit of their objective, whatever it is. Chain reactions reflect this: they are sequential combinations of Atomic Red Team tests, so a single run exercises a more realistic sequence of activity and better simulates how an attack would unfold in the real world. Practically speaking, they offer security teams with at least an intermediate level of technical proficiency and maturity a place to begin end-to-end testing.
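Concretely, a chain reaction is an ordered list of atomic tests in which each step assumes the previous one succeeded. The following runner is an added example of mine, not code from the Atomic Red Team project or its chain reactions. The four tests it runs are constructed for illustration: they borrow the field names of Atomic Red Team’s YAML (attack_technique, executor, command, cleanup_command, input_arguments) but are not real atomics, the ATT&CK technique IDs are real IDs that I chose for the scenario, and the staged file lives in a temporary directory. The chain halts at the first non-zero exit, so a later step never runs against state an earlier step failed to create, and cleanup commands run in reverse for every step that was attempted.

```python
"""Sequential runner for a constructed Atomic Red Team-style chain reaction.

Added example; not code from the Atomic Red Team project. Test definitions
mirror the shape of Atomic Red Team YAML once loaded into Python dicts, but
the tests themselves are constructed for illustration.
"""
import os
import subprocess
import tempfile
from dataclasses import dataclass


@dataclass
class StepResult:
    technique: str   # ATT&CK technique ID the step maps to
    name: str
    returncode: int
    stdout: str


def render(command, input_arguments):
    """Substitute #{name} placeholders with each argument's default value."""
    for arg_name, spec in input_arguments.items():
        command = command.replace("#{" + arg_name + "}", str(spec["default"]))
    return command


def run_step(test, timeout=30):
    """Execute one test's command with a minimal sh executor."""
    cmd = render(test["executor"]["command"], test.get("input_arguments", {}))
    proc = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True, timeout=timeout)
    return StepResult(test["attack_technique"], test["name"], proc.returncode, proc.stdout.strip())


def cleanup_step(test):
    """Run the step's cleanup_command, if it defines one."""
    cleanup = test["executor"].get("cleanup_command")
    if cleanup:
        cmd = render(cleanup, test.get("input_arguments", {}))
        subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)


def run_chain(chain, stop_on_failure=True):
    """Run tests in order. A non-zero exit halts the chain (the adversary's next
    step depends on the previous one), and cleanup runs in reverse for every
    step that was attempted so the host is left as it was found."""
    results, attempted = [], []
    try:
        for test in chain:
            attempted.append(test)
            result = run_step(test)
            results.append(result)
            if result.returncode != 0 and stop_on_failure:
                break
    finally:
        for test in reversed(attempted):
            cleanup_step(test)
    return results


def build_chain(workdir=None):
    """Constructed chain: stage a file, read it, delete it, then a read that
    must fail because the file is gone, followed by a step that should never run."""
    workdir = workdir or tempfile.mkdtemp(prefix="chain_")
    staged = os.path.join(workdir, "staged.txt")
    args = {"staged": {"default": staged}}
    return [
        {"attack_technique": "T1074.001", "name": "Stage data in a local directory",
         "executor": {"name": "sh", "command": "printf 'secret' > #{staged}",
                      "cleanup_command": "rm -f #{staged}"},
         "input_arguments": args},
        {"attack_technique": "T1005", "name": "Read the staged data",
         "executor": {"name": "sh", "command": "cat #{staged}"},
         "input_arguments": args},
        {"attack_technique": "T1070.004", "name": "Delete the staged file",
         "executor": {"name": "sh", "command": "rm #{staged}"},
         "input_arguments": args},
        {"attack_technique": "T1005", "name": "Read the file again (fails: already deleted)",
         "executor": {"name": "sh", "command": "cat #{staged}"},
         "input_arguments": args},
        {"attack_technique": "T1059.004", "name": "Should not run after the failure",
         "executor": {"name": "sh", "command": "echo unreachable"}},
    ]


if __name__ == "__main__":
    for r in run_chain(build_chain()):
        print(f"{r.technique:<10} exit={r.returncode:<3} {r.name}")
```

Running it prints one line per attempted step; the fifth test never appears because the fourth exits non-zero and the chain stops. Passing stop_on_failure=False runs every step regardless, which is useful when you want to exercise detection for each technique even after the "adversary" would have given up.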
Why should I use it?
Security teams benefit from chain reactions in two ways: they can test their detection coverage against a simulated attack from start to finish, and they can identify where, within a chain of attack techniques, opportunities for detection exist.
As we all know, very few (if any) detection techniques work perfectly in the real world, no matter how well they perform in a lab. The context surrounding an actual attack introduces variables the rule’s author did not anticipate (a different parent process or ordering of events than the rule assumes, for example), which can cause detection rules to fail outright or narrow their scope and effectiveness. Testing an individual technique exercises a rule without that context; chain reactions are designed to supply some of it, because each test runs in the state the preceding tests left behind.
Who is this for and how long will it take to set up?
Chain reactions are particularly helpful for offensive and defensive security practitioners who are looking to validate and improve visibility, detection, and response capabilities. Atomic Red Team has been mapped directly to ATT&CK since the very beginning, so running tests with the platform will make you and your team more familiar with the way these techniques manifest in actual attacks. In turn, this will help everyone start discovering opportunities for detection as they run tests.
Atomic Red Team was designed to be low drag, so that you just need to clone the repository down and begin executing tests!
Is there anything other than tools to help get started with ATT&CK?
Of course! We’re hosting a webinar this coming Tuesday, April 23 at 11 a.m. (MT). The authors of our 2019 Threat Detection Report will discuss prevalent ATT&CK techniques and how you can build out strategies for stopping the adversaries who leverage them. Click the link below for more information and to register!