menuPass Adversary Emulation Plan

Published

Problem

Understanding defenses from the perspective of the adversary is critical, but often teams lack the resources (expertise and funding) to conduct adversary emulation exercises.

Solution

Establish a library of standardized intelligence driven adversary emulation plans that can be easily leveraged by cyber defenders.

Impact

Enables cyber defenders to see their defenses from the perspective of the adversary.

Funding Research Participants

Project Summary

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company. menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university. This project developed an adversary emulation plan for menuPass and added it to the Adversary Emulation Library.

The Adversary Emulation Library is a freely available resource to help red teams and other cyber defenders systematically test their defenses based on real-world adversary TTPs. Each adversary emulation plan is rooted in intelligence reports and other artifacts that capture and describe breaches and campaigns publicly attributed to a specific named threat actor. We research and model each threat actor, focusing not only on what they do but also how and when. We then develop emulation content that mimics the underlying behaviors utilized by the threat actor. This approach results in nuanced emulation plans, each capturing unique scenarios and perspectives that we can leverage as threat-informed defenders.