-
Notifications
You must be signed in to change notification settings - Fork 313
Home
In collaboration with Center Participants, the Center for Threat-Informed Defense (Center) maintains a library of adversary emulation plans to allow organizations to evaluate their defensive capabilities against the real-world threats they face. Emulation plans are an essential component in testing current defenses for organizations that are looking to prioritize their defenses around actual adversary behavior. Focusing our energies on developing a set of common emulation plans that are available to all means that organizations can use their limited time and resources to focus on understanding how their defenses actually fare against real-world threats.
The library contains two types of adversary emulation plans: full emulation and micro emulation.
Full emulation plans are a comprehensive approach to emulating a specific adversary, e.g. FIN6, from initial access to exfiltration. These plans emulate a wide range of ATT&CK tactics & techniques and are designed to emulate a real breach from the designated adversary.
Micro emulation plans are a focused approach to emulating compound behaviors seen across multiple adversaries, e.g. webshells. These plans emulate a small amount of ATT&CK techniques that are typically performed as part of one adversary action.
Also see our blogs on the Adversary Emulation Library and Micro Emulation Plans.
Available adversary emulation plans are listed on the README, as well as how to get started using them.
Thanks for contributing to the Adversary Emulation Library! You are welcome to comment on issues, open new issues, and open pull requests.
Pull requests should target the develop branch of the repository.
Also, if you contribute any source code, we need you to agree to the following Developer's Certificate of Origin below.
We are also seeking intelligence contributions, e.g., additional techniques, variations on one already covered, examples of techniques in use, log data, and other technical information. The pilot for this is our OceanLotus Contributions page. We are currently focused on macOS and Linux information. Visit that page to contribute.
By making a contribution to this project, I certify that:
(a) The contribution was created in whole or in part by me and I
have the right to submit it under the open source license
indicated in the file; or
(b) The contribution is based upon previous work that, to the best
of my knowledge, is covered under an appropriate open source
license and I have the right under that license to submit that
work with modifications, whether created in whole or in part
by me, under the same open source license (unless I am
permitted to submit under a different license), as indicated
in the file; or
(c) The contribution was provided directly to me by some other
person who certified (a), (b) or (c) and I have not modified
it.
(d) I understand and agree that this project and the contribution
are public and that a record of the contribution (including all
personal information I submit with it, including my sign-off) is
maintained indefinitely and may be redistributed consistent with
this project or the open source license(s) involved.