Beyond Atomic Testing with Attack Flows

2022-09-15–AttackIQ–Beyond-Atomic-Testing-with-Attack-Flows

AttackIQ’s “Beyond Atomic Testing with Attack Flows” is a course that delves into testing EDR (Endpoint Detection and Response) or AI-based cybersecurity tools using the AttackIQ Security Optimization Platform. Let’s explore the key aspects of this course:

  1. Importance of Attack Flows:
    • Many companies invest in technologies such as EDR that do not treat a single atomic event as sufficient evidence of an attack on its own.
    • These technologies aim to monitor behaviors and actions while adding context through various methods.
    • Traditional atomic testing methodologies may not yield accurate results when applied to security tools designed to analyze additional context and behavior.
    • Attack Flows provide a more holistic approach to testing, considering the entire attack campaign rather than isolated events.
  2. Alert Fatigue:
    • While it’s tempting to alert on every potential attacker action, excessive alerts lead to alert fatigue.
    • Alert fatigue occurs when analysts are overwhelmed by too much information, causing them to ignore critical alerts.
    • Some vendors address this by waiting for combinations of events before triggering alerts.
  3. Designing an Assessment:
    • The course doesn’t delve deeply into assessment design theory.
    • It focuses on practical experience using the AttackIQ platform and MITRE ATT&CK to execute tests that accurately represent complex attack campaigns on host systems.
  4. Realism and Testing:
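To make the contrast between atomic testing and attack-flow testing concrete, here is a small sequence-correlation rule written for this post (it is not AttackIQ's code or course material). The telemetry records, the hypothetical five-minute window and the chosen chain of ATT&CK technique IDs are all constructed assumptions; the point is that the lone atomic event never fires the rule, while the same technique inside a flow does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from AttackIQ or the course).
# Each record: (timestamp, host, ATT&CK technique id observed on that host)
ATOMIC_TEST = [
    ("2022-09-15T10:00:00", "ws01", "T1059.001"),  # a lone PowerShell execution
]
ATTACK_FLOW = [
    ("2022-09-15T10:00:00", "ws01", "T1566.001"),  # phishing attachment opened
    ("2022-09-15T10:00:20", "ws01", "T1059.001"),  # PowerShell spawned
    ("2022-09-15T10:01:05", "ws01", "T1003.001"),  # LSASS memory access
    ("2022-09-15T10:02:00", "ws01", "T1021.002"),  # SMB lateral movement
]

# Hypothetical correlation rule: alert only when these three techniques are
# seen on the same host, in this order, within a five-minute window.
CHAIN = ["T1059.001", "T1003.001", "T1021.002"]
WINDOW = timedelta(minutes=5)


def correlate(events, chain=CHAIN, window=WINDOW):
    """Return one alert per completed chain: (host, [timestamps of the steps]).

    Events are grouped per host and walked in time order; a partial match is
    discarded when the window since its first step expires, which is why an
    isolated technique (or a slow, spread-out sequence) produces no alert.
    """
    by_host = defaultdict(list)
    for ts, host, tech in sorted(events):  # ISO timestamps sort lexically
        by_host[host].append((datetime.fromisoformat(ts), tech))

    alerts = []
    for host, evs in by_host.items():
        step, start, matched = 0, None, []
        for ts, tech in evs:
            if start is not None and ts - start > window:
                step, start, matched = 0, None, []  # window expired: restart
            if tech == chain[step]:
                start = start or ts
                matched.append(ts.isoformat())
                step += 1
                if step == len(chain):  # full chain observed: emit alert
                    alerts.append((host, matched))
                    step, start, matched = 0, None, []
    return alerts
```

Running `correlate(ATOMIC_TEST)` returns no alert, whereas `correlate(ATTACK_FLOW)` returns one for `ws01` with the three matched timestamps, which is the behaviour an atomic test of T1059.001 alone would wrongly report as a detection gap.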

For more detailed information, you can refer to the Student Guide and explore practical exercises in the Lab Guide.
