Round 2 Overview
Round 2 consists of the vendors participating in our upcoming APT29 evaluations. Participants in Round 2 will be those that execute a contract by July 31, 2019. All Round 2 evaluation results will be released simultaneously.
APT29
We chose to emulate APT29 for our second round of evaluations based on the notoriety of the group as well as the variance in behaviors compared to APT3, our Round 1 emulation. APT29 has been attributed to major breaches targeting U.S. governments/organizations such as the Democratic National Committee, as well as various international ministries and agencies. APT29 has also been known to “cast a wide net” in terms of targeting, seemingly making this group a universal threat.
In terms of behaviors, APT29 is distinguished by its commitment to stealth and its sophisticated implementations of techniques via an arsenal of custom malware. APT29 typically accomplishes its goals via custom compiled binaries and alternate execution methods such as PowerShell and WMI. APT29 has also been known to employ various operational cadences (smash-and-grab vs. slow-and-deliberate) depending on the perceived intelligence value and/or infection method of victims.
All of these factors result in an adversary emulation that focuses on innovative implementations of ATT&CK techniques and behaviors. The focus of the emulation will be to provide an adversary profile that utilizes various behaviors to challenge each tool's ability to detect both common and less-common technique procedures, testing the flexibility and depth of detection capabilities against behaviors inspired by a mature threat actor.
For more information about APT29 and references about their targeting and behaviors, check out:
- The Dukes: 7 years of Russian cyberespionage
- Who is COZY BEAR (APT 29)?
- Bears in the Midst: Intrusion into the Democratic National Committee
- FireEye - APT29
More methodology specific to Round 2: