Simple, measurable ATT&CK testing with Atomic Red Team

Updated January 2025 to support ATT&CK v16.1.

This Google Sheets template aims to make it easy to perform simple, measurable testing of MITRE ATT&CK techniques using Atomic Red Team or an adversary emulation solution of your choosing.


To get started:

  1. Choose the technique that you wish to test. To help prioritize your testing, incorporate rankings from public threat reports, your own intelligence, or any other mechanism that you choose. The top techniques from Red Canary’s annual Threat Detection Report are incorporated into this template for convenience.
  2. Select a corresponding Atomic Red Team test. You can search for or browse tests by tactic, technique, or target platform here.
  3. Document whether the test was:

    • Observed in any manner, from system logs to network events
    • Detected by any of your controls, which could be SIEM analytics, alerts from any of your security products, or activity detected by partners or service providers
    • Mitigated by an existing security control

This is based on the “ATT&CK in Excel” spreadsheet provided by MITRE, one of several resources for working with ATT&CK.
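To make the three outcomes above measurable once the sheet is filled in, here is an added example (not part of the template) that rolls up per-test rows into per-technique coverage and flags the two kinds of gap worth chasing first: tests that left no trace at all, and tests that were observed in telemetry but tripped no control. The technique IDs, test labels and outcomes are constructed sample data.

```python
from collections import defaultdict

# Constructed sample rows mirroring the template's columns: one row per
# Atomic test executed, with the three outcomes the template records.
# (Sample data only, not results from any real environment.)
SAMPLE_RESULTS = [
    {"technique": "T1059.001", "test": "Atomic #1", "observed": True,  "detected": True,  "mitigated": False},
    {"technique": "T1059.001", "test": "Atomic #2", "observed": True,  "detected": False, "mitigated": False},
    {"technique": "T1003.001", "test": "Atomic #1", "observed": False, "detected": False, "mitigated": True},
    {"technique": "T1003.001", "test": "Atomic #2", "observed": True,  "detected": True,  "mitigated": True},
    {"technique": "T1547.001", "test": "Atomic #1", "observed": False, "detected": False, "mitigated": False},
]

OUTCOMES = ("observed", "detected", "mitigated")


def summarize(results):
    """Return {technique: {"observed": frac, "detected": frac, "mitigated": frac, "tests": n}}."""
    by_tech = defaultdict(list)
    for row in results:
        by_tech[row["technique"]].append(row)
    summary = {}
    for tech, rows in by_tech.items():
        n = len(rows)
        summary[tech] = {o: sum(1 for r in rows if r[o]) / n for o in OUTCOMES}
        summary[tech]["tests"] = n
    return summary


def gaps(results):
    """List (technique, test, kind) tuples that need follow-up.

    kind == "blind":  nothing was observed at all (telemetry gap)
    kind == "silent": observed in logs, but no control fired (detection gap)
    Mitigated tests are skipped: a blocked test is a pass, not a gap.
    """
    found = []
    for r in results:
        if r["mitigated"]:
            continue
        if not r["observed"]:
            found.append((r["technique"], r["test"], "blind"))
        elif not r["detected"]:
            found.append((r["technique"], r["test"], "silent"))
    return found


if __name__ == "__main__":
    for tech, s in summarize(SAMPLE_RESULTS).items():
        print(tech, {k: (round(v, 2) if k != "tests" else v) for k, v in s.items()})
    for gap in gaps(SAMPLE_RESULTS):
        print("GAP:", *gap)
```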

Get the template!

The most prolific ransomware groups in 2022

It’s 2023 and security firms are starting to release findings from 2022 threat data, notably their lists of the most active, impactful ransomware groups.

As with all threat reports, the findings and prevalence are subject to each firm’s visibility, methodology, etc. The data isn’t perfect and it’s not particularly actionable on its own, but it’s interesting and in aggregate can be a useful starting point for other types of analysis.

The leaderboard

This is not the product of original intelligence analysis. I’ve aggregated data from reports that contain ransomware group rankings, assigned points based on relative ranking, and this is the result.


Read on for some thoughts re: how this type of data can be useful, followed by summary data and charts from each report.

The case for imperfect threat data

A good use case for these types of lists–and a way to make them actionable–is to look at tactics starting with initial access and progressing through the intrusion lifecycle. For each tactic, look for common vectors and MITRE ATT&CK techniques (some of this is readily available in the source reports below). The goal is to see whether we can quickly glean good-enough insights, assess risks, and take preventative measures.

This sounds simple and obvious because it is. The short list of “how ransomware happens” isn’t terribly long and few TTPs are novel. Unfortunately, it’s easy and common for teams to get wrapped up in the minutiae of threat modeling, risk quantification, etc.–perfect over plenty good enough–and in doing so they waste valuable time that should go toward the high impact, high likelihood risks staring them right in the face.

Reports and summary data

Coalition, Inc

  1. ALPHV/BlackCat
  2. LockBit
  3. Royal
  4. Hive


IBM X-Force

  1. LockBit
  2. Phobos, WannaCry (tie)
  3. ALPHV/BlackCat
  4. Conti, Djvu, Babuk (tie)


Intel471

  1. LockBit 2.0
  2. LockBit 3.0
  3. ALPHV/BlackCat
  4. Black Basta


GuidePoint

  1. LockBit
  2. ALPHV/BlackCat
  3. Hive
  4. Black Basta


Sophos

  1. LockBit
  2. ALPHV/BlackCat
  3. Phobos
  4. Conti


Cisco Talos

  1. LockBit
  2. Hive
  3. Black Basta
  4. Vice Society


Recorded Future

  1. LockBit
  2. Conti
  3. Pyaa
  4. REvil


BlackFog

  1. LockBit
  2. ALPHV/BlackCat
  3. Hive
  4. Conti


TrustWave

  1. LockBit
  2. Black Basta
  3. Hive
  4. ALPHV/BlackCat
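The leaderboard section above says the ranking was built by assigning points based on relative position in each report but does not state the scheme. The following added example (my reconstruction, not the author’s spreadsheet) runs one plausible scheme over the nine lists as printed: 4 points for first place down to 1 for fourth, every member of a tie getting that rank’s points, and Intel471’s “LockBit 2.0”/“LockBit 3.0” folded into “LockBit”. Those three choices are assumptions; change them and the table changes.

```python
from collections import defaultdict

# Top-four rankings exactly as listed in the report summaries above.
# A tuple at a rank means the report listed those groups as a tie.
REPORT_RANKINGS = {
    "Coalition":       ["ALPHV/BlackCat", "LockBit", "Royal", "Hive"],
    "IBM X-Force":     ["LockBit", ("Phobos", "WannaCry"), "ALPHV/BlackCat",
                        ("Conti", "Djvu", "Babuk")],
    "Intel471":        ["LockBit 2.0", "LockBit 3.0", "ALPHV/BlackCat", "Black Basta"],
    "GuidePoint":      ["LockBit", "ALPHV/BlackCat", "Hive", "Black Basta"],
    "Sophos":          ["LockBit", "ALPHV/BlackCat", "Phobos", "Conti"],
    "Cisco Talos":     ["LockBit", "Hive", "Black Basta", "Vice Society"],
    "Recorded Future": ["LockBit", "Conti", "Pyaa", "REvil"],
    "BlackFog":        ["LockBit", "ALPHV/BlackCat", "Hive", "Conti"],
    "TrustWave":       ["LockBit", "Black Basta", "Hive", "ALPHV/BlackCat"],
}

# Assumed scoring (the post does not state its scheme): rank 1 = 4 points
# down to rank 4 = 1 point; each member of a tie receives that rank's points.
POINTS = {1: 4, 2: 3, 3: 2, 4: 1}

# Assumed normalisation: fold version-specific names into one group.
ALIASES = {"LockBit 2.0": "LockBit", "LockBit 3.0": "LockBit"}


def leaderboard(rankings, points=POINTS, aliases=ALIASES):
    """Return [(group, total_points, mentions)] sorted best first.

    Ties on points are broken by how many report slots named the group,
    then alphabetically, so the output is deterministic.
    """
    score = defaultdict(int)
    mentions = defaultdict(int)
    for ranked in rankings.values():
        for rank, entry in enumerate(ranked, start=1):
            groups = entry if isinstance(entry, tuple) else (entry,)
            for g in groups:
                name = aliases.get(g, g)
                score[name] += points[rank]
                mentions[name] += 1
    rows = [(name, score[name], mentions[name]) for name in score]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    for pos, (name, pts, n) in enumerate(leaderboard(REPORT_RANKINGS), start=1):
        print(f"{pos:2d}. {name:<16} {pts:3d} pts  ({n} report slots)")
```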


LastPass: The breach that keeps on giving

LastPass was breached in August, and has since updated their breach disclosure several times, each update just a little bit worse and more concerning than the last. Unfortunately, for a business with a large consumer customer base, it’s almost impossible to use these disclosures to determine whether LastPass should be trusted. For security practitioners, it’s much easier:

The cloud storage service accessed by the threat actor is physically separate from our production environment.

Unless there are zero employees or systems with access to both cloud storage and production, and there are never zero employees or systems with access to both, this statement may be technically accurate but is a clear lie of omission.

And then there are these two statements, which together are terrifying:

[T]he threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers.

The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Set aside the fact that the threat actor has everyone’s vault to sort, prioritize, and attack at their leisure. They also have each customer’s email address, mailing address, telephone number, and a convenient list of services used. Combine this with data and information from unrelated breaches, and this is a targeting bonanza.

No one’s perfect, but this is lucky number seven for LastPass as of this writing. It’s time to suggest to those who trust you that they should no longer trust LastPass.