SoK: A Survey of Open-Source Threat Emulators

Abstract: Threat emulators are tools or sets of scripts that emulate cyber attacks or malicious behavior. They can be used to create and launch single procedure attacks and multi-step attacks; the resulting attacks may be known or unknown cyber attacks. The motivation for using threat emulators varies and includes the need to perform automated security audits in organizations or reduce the size of red teams in order to lower pen testing costs; or the desire to create baseline tests for security tools under development or supply pen testers with another tool in their arsenal. In this paper, we review and compare various open-source threat emulators. We focus on tactics and techniques from the MITRE ATT&CK Enterprise matrix and determine whether they can be performed and tested with the emulators. We develop a comprehensive methodology for our qualitative and quantitative comparison of threat emulators with respect to general features, such as prerequisites, attack definition, cleanup, and more. Finally, we discuss the circumstances in which one threat emulator is preferred over another. This survey can help security teams, security developers, and product deployment teams examine their network environment or products with the most suitable threat emulator. Using the guidelines provided, a team can select the threat emulator that best meets their needs without evaluating all of them.