In collaboration with Center Participants, the Center for Threat-Informed Defense (Center) has built a library of adversary emulation plans that allow organizations to evaluate their defensive capabilities against real-world threats. Emulation plans are an essential component in testing current defenses for organizations that want to prioritize their defenses around actual adversary behavior. By developing a set of common emulation plans that are available to all, we let organizations spend their limited time and resources on understanding how their defenses fare against real-world threats.
The library contains two types of adversary emulation plans: full emulation and micro emulation.
Full emulation plans are a comprehensive approach to emulating a specific adversary, e.g., FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.
Micro emulation plans are focused on emulating compound behaviors seen across multiple adversaries, e.g., webshells. These plans emulate a small number of ATT&CK techniques typically performed as part of one adversary action.
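The distinction between the two plan types, and the way a defender actually uses a plan, can be made concrete with a small coverage check. The following is an added example written for this page, not code from the Adversary Emulation Library: it models a plan as an ordered list of ATT&CK techniques grouped by tactic, compares the plan against a detection inventory, and reports which techniques have no detection. Both plans and the detection inventory are constructed illustrations (the technique IDs are real ATT&CK IDs, but the sequences are made up and are not the library's FIN6 or webshell plans).

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    """One procedure in an emulation plan: an ATT&CK technique under a tactic."""
    tactic: str
    technique_id: str
    description: str


# Constructed illustration of a full emulation plan: a chain of steps spanning
# several tactics from initial access to exfiltration. This is NOT the library's
# FIN6 plan; the technique IDs are real ATT&CK IDs, the sequence is invented.
FULL_PLAN = [
    Step("initial-access", "T1566.001", "Spearphishing attachment"),
    Step("execution", "T1059.001", "PowerShell"),
    Step("credential-access", "T1003.001", "LSASS memory"),
    Step("lateral-movement", "T1021.002", "SMB/Windows admin shares"),
    Step("exfiltration", "T1041", "Exfiltration over C2 channel"),
]

# Constructed illustration of a micro emulation plan: a handful of techniques
# that together make up one adversary action (webshell deployment and use).
MICRO_PLAN = [
    Step("persistence", "T1505.003", "Web shell"),
    Step("execution", "T1059.003", "Windows command shell"),
]

# Constructed detection inventory: technique IDs the defender believes are
# covered by an analytic. A parent technique ID covers all its sub-techniques.
DETECTIONS = {"T1566.001", "T1059", "T1021.002"}


def is_covered(technique_id, detections):
    """True if the exact ID or its parent technique (T1059.001 -> T1059) has a detection."""
    if technique_id in detections:
        return True
    parent = technique_id.split(".")[0]
    return parent in detections


def coverage_report(plan, detections):
    """Return ({tactic: [covered, total]}, [uncovered technique IDs]) for a plan."""
    per_tactic = defaultdict(lambda: [0, 0])
    gaps = []
    for step in plan:
        per_tactic[step.tactic][1] += 1
        if is_covered(step.technique_id, detections):
            per_tactic[step.tactic][0] += 1
        else:
            gaps.append(step.technique_id)
    return dict(per_tactic), gaps


def tactic_span(plan):
    """Number of distinct tactics a plan exercises: full plans span many, micro plans few."""
    return len({step.tactic for step in plan})


if __name__ == "__main__":
    for name, plan in (("full", FULL_PLAN), ("micro", MICRO_PLAN)):
        per_tactic, gaps = coverage_report(plan, DETECTIONS)
        print(f"{name} plan spans {tactic_span(plan)} tactic(s)")
        for tactic, (covered, total) in per_tactic.items():
            print(f"  {tactic}: {covered}/{total} covered")
        print(f"  gaps: {gaps}")
```

The gap list is the practical output: it tells the defender which steps of the emulated breach would go unobserved, which is where detection engineering effort should go before the plan is run again.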
More information and source code can be found here: https://github.com/center-for-threat-informed-defense/adversary_emulation_library