The Enterprise Advanced Security testing programme includes new attack groups.
Our Enterprise Advanced Security (EAS) tests can assess any security software, hardware appliance, cloud service or combination thereof. Always evolving, these tests have expanded to include new attacks.
(These tests were originally called the Breach Response test. We renamed them for a number of reasons.)
Hackers and the way they hack
Research on real attacker behaviour is a fundamental element of our EAS testing. Our team looks at the real-world behaviour of advanced threat groups, known as Advanced Persistent Threats (APTs).
While useful, MITRE’s ATT&CK framework does not provide a complete list of how attackers operate. The Tactics, Techniques and Procedures (TTPs) used by an APT vary widely, and we go further than using solely those listed in the ATT&CK database.
To improve the accuracy and relevance of our tests, the team investigates other sources of research, as well as performing their own on malware samples and tools attributed to different APTs. Over time, often years, our knowledge of an APT can change as our research, and the research of others, progresses. The more eyes there are on a threat, the more information comes to light.
Enterprise Advanced Security Threat Series
During a test we choose a range of APTs and create attacks similar to those seen in the real world, as used by those attackers. We organise these threats by creating a series, or menu, of different threat groups. We’ve previously written in detail about the first three Threat Series.
Since then we have doubled the number of Threat Series to six. Here is a summary of all current Threat Series and the attack groups within each.
Threat Series groups
| Threat Series | APT Groups |
|---|---|
| 1 | APT29, APT3, OilRig, APT33 |
| 2 | FIN4, FIN7 & Carbanak, FIN10, Silence |
| 3 | APT19, Deep Panda, Dragonfly & Dragonfly 2.0 |
| 4 (NEW) | APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, OilRig |
| 5 (NEW) | APT29, OilRig, FIN7 & Carbanak, APT3 |
| 6 (NEW) | Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0 |
For detailed information on Threat Series 1, 2 and 3 please refer to our previous article.
New Threat Series Details
Threat Series 4
Background: APT29, FIN7 & Carbanak, Dragonfly & Dragonfly 2.0, OilRig
These groups were combined to form a “Best of” compilation of the APTs previously used in our tests. It had the widest diversity of TTPs tested at the time, with APT29 and ‘FIN7 & Carbanak’ being the two groups used in the most recent MITRE Engenuity evaluations.
We topped up the Threat Series with ‘Dragonfly & Dragonfly 2.0’ and OilRig to add a wider range of threats.
Threat Series 5
Background: APT29, FIN7 & Carbanak, OilRig, APT3
This Threat Series was created for our new Network Detection and Response (NDR) test. These APTs allowed us to better showcase NDR capabilities. The most well-known report is the one we created for VMware. This report goes some way to highlighting the wide range of solutions compatible with our testing.
We are expecting more NDR reports focused on this series later this year.
Threat Series 6
Background: Wizard Spider, Sandworm, Dragonfly & Dragonfly 2.0
The newest addition to our Threat Series contains our take on Wizard Spider and Sandworm from the MITRE Engenuity Evaluation, coupled with the APTs we have in Dragonfly & Dragonfly 2.0. These provide the widest range of techniques of all the groups we include in the tests.
What’s next for the test?
Our first public comparative of endpoint detection and response (EDR) products will take place in Q2 of 2022, with publication expected in June. We will announce a new Threat Series and the exact dates later this month (February 2022). Throughout the year we expect to publish at least one comparative report, multiple NDR reports and our first extended detection and response (XDR) reports.
Why did we rename ‘Breach Response’ as ‘Enterprise Advanced Security’?
Some people assumed, for historical reasons, that the Breach Response test was suitable for endpoint solutions only. However, its scope was much wider because we test like real attackers, using the full attack chain. As such, we can test most security products in much the same way. To avoid confusion, we adopted the simpler name of Enterprise Advanced Security at the end of 2021. We feel that Enterprise Advanced Security better encompasses the wide range of products we can test, as well as being more appropriate for the readers of our reports. As a result of this change we have seen increased participation from security vendors of different types, including EDR, NDR, XDR and network security appliances such as firewalls.