Quantifying Cyber Fitness with Active Exposure Testing

Organizations are constantly under threat from increasingly agile and creative adversaries. Malware, ransomware, insider threat, and other common attack methods continue to bypass traditional security controls and inflict severe damage, from financial losses to reputational harm. As cyber attackers evolve their techniques, organizations must move beyond legacy, reactive defense methods and embrace proactive approaches to validate their resilience against real-world threats.

Adversarial Exposure Validation (AEV), as highlighted in Gartner’s Hype Cycle for Security Operations, plays a vital role in quantifying and enhancing an organization's cyber fitness through active exposure hunting. This proactive process leverages adversarial threat emulation and validation to identify and assess vulnerabilities within an organization’s cyber defenses, determining their susceptibility to successful attacks and ensuring that security teams can remediate weaknesses before adversaries exploit them. By focusing on key techniques across the Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, and Discovery tactics of the MITRE ATT&CK framework, organizations can effectively assess and enhance their capacity to detect, block, or mitigate cyber threats before they escalate into significant incidents.

By emulating and validating adversary tactics, techniques, and procedures (TTPs), AEV enables security teams to:

• Measure the effectiveness of their security defenses in detecting and responding to real-world threats.
• Quantify cyber fitness by comparing behavioral detections across a baseline of attack simulations.
• Provide actionable insights to enhance threat detection and response capabilities.

This paper will provide an overview of using threat emulation to baseline and improve behavioral detections across critical MITRE ATT&CK techniques, mainly focusing on common threats like malware, ransomware, and insider threats. By establishing a robust baseline, security teams can measure their effectiveness and make data-driven decisions on how to improve their security posture.

The Cyber Kill Chain and MITRE ATT&CK Framework

To fully understand where AEV fits, it is essential to review the tactics and stages of a cyber attack. The Cyber Kill Chain—a model that describes the stages of an attack from reconnaissance to exfiltration across eight stages—is one of the foundational frameworks used. Another is the SCYTHE BAM Model, which is dramatically more focused and has only three stages. The MITRE ATT&CK framework builds upon these attack chains by cataloging specific TTPs that adversaries employ at each stage of an attack.

Focusing on the early stages of the kill chain, from Initial Access to Discovery, presents an opportunity for organizations to intercept attacks before they can lead to more devastating actions like lateral movement, data exfiltration, and command and control. By addressing the early stages, organizations can greatly reduce the likelihood of successful cyber incidents, such as malware, ransomware, or insider threat attacks, and improve their cyber fitness.

Using Adversarial Exposure Validation for Cyber Fitness

When quantifying cyber fitness, the focus should be on identifying and mitigating techniques that adversaries commonly use to gain an initial foothold and move through an environment undetected. This process is like going to the doctor for your annual physical—checking your vitals, blood work, and weight for any signs of potential issues. AVE provides a comprehensive and continuous "cyber physical" of your security defenses.

For example, suppose an organization can detect and respond to behaviors associated with Initial Access, Execution, Persistence, and Discovery. In that case, it can significantly reduce or eliminate the adversary's ability to carry out more damaging actions such as Lateral Movement, Data Exfiltration, and Command and Control. By utilizing AEV, organizations can emulate real-world adversarial techniques and identify exposures or weaknesses in their security posture. This process allows teams to test their detection capabilities, endpoint defenses, and response times, highlighting gaps that could enable an adversary to gain a foothold within the organization.

Once these gaps are identified, organizations can take action to remediate and strengthen their defenses. Furthermore, the benefits of AEV exercises:

• Provide a key performance metric for tracking cyber fitness. Regular testing enables the organization to monitor whether their cyber fitness is improving or declining over time, providing actionable insights into the effectiveness of implemented security measures and the overall resilience of the organization's defenses against real-world threats.
• Well-aligned with Gartner's Continuous Threat Exposure Management (CTEM) framework, which continuously assesses and improves an organization's ability to defend against real-world attacks through structured processes.?

How to baseline, check, and improve cyber fitness:

Step 1: Baseline Your Cyber Fitness

The first step toward improving cyber fitness is establishing a baseline of the organization's current security posture. This involves performing an initial assessment that measures how well the organization can detect, respond, and mitigate threats at various stages of the attack lifecycle.

Key Activities:

• Run Initial Cyber Hygiene Assessments: Utilize AEV to run cyber hygiene tests across your deployed gold images for workstation and servers.
• Run Attack Surface Recon Scans: Scan your network for architectural audit and connected assets.
• Run Initial Threat Emulations: Utilize AEV to simulate real-world attack scenarios, starting with Initial Access techniques (such as phishing or vulnerability exploitation) and progressing through Execution, Persistence, Privilege Escalation, and Discovery tactics as described in the MITRE ATT&CK framework. These tactics represent the steps attackers commonly use to gain a foothold in an organization.
• Evaluate Security Controls: AEV will assess how effectively the organization's security tools (e.g., EDR, SIEM, firewalls) and defenses detect or block each tactic and technique used by the adversary. This helps identify blind spots, misconfigurations, or areas where existing tools are underperforming.
• Collect Baseline Metrics: Track key metrics during the initial threat emulation such as the Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), and the percentage of adversarial behaviors that were detected, logged, or blocked. These metrics form the baseline of the organization's cyber fitness and will be used for continuous comparison in later stages.
• Map to MITRE ATT&CK Framework: Use the MITRE ATT&CK framework as a reference to identify which tactics and techniques were successfully detected or prevented. AEV platforms like SCYTHE provide detailed mappings to MITRE, showing which attack techniques were used and whether the organization's controls caught them.
• Initial Cyber Fitness Score: Based on the detection capabilities, defense gaps, and overall performance, create an initial cyber fitness score. This score represents the organization's current ability to defend against adversarial behaviors.

To measure an organization's cyber fitness preparedness, use the following equation that takes into account cyber hygiene compliance and exposure preparedness scores:

Cyber Fitness Preparedness Score (CFPS) = (CHC X CEP) / 100

Where:

• CFPS (Cyber Fitness Preparedness Score): The overall score reflecting the organization's cyber preparedness on a scale of 0 to 100.
• CHC (Cyber Hygiene Compliance): A score representing the compliance level with a primary standard such as CIS Benchmarks, measured on a scale of 0 to 100.
• CEP (Cyber Exposure Preparedness): An aggregate score measuring exposure preparedness across phishing, malware, ransomware, and insider threats, on a scale of 0 to 100. The CEP can be calculated as:

CEP = (P + M + R + I) / 4

Where:

• P (Phishing Preparedness Score): The organization's readiness to detect and prevent phishing attacks.
• M (Malware Preparedness Score): The ability to identify and stop malware threats.
• R (Ransomware Preparedness Score): The level of readiness to handle ransomware incidents.
• I (Insider Threat Preparedness Score): The capability to detect and respond to insider threat activities.

Step 2: Check Cyber Fitness Regularly

Once the baseline is established, organizations must regularly test and assess their cyber defenses to maintain and improve their fitness levels. By running frequent emulations, teams can continuously check the effectiveness of their defenses and adapt to new or emerging threats.

Key Activities:

• Continuous Threat Emulation: Set up recurring or periodic AEV exercises to simulate new and evolving threats and techniques. These simulations should focus on newly identified vulnerabilities, changes in the environment, or critical systems that require validation.
• Monitor Environmental Drift: As environments change over time (e.g., due to patches, upgrades, or configuration adjustments), security controls may become less effective. Use AEV to check for security drift by comparing results from new emulations with the baseline performance. This allows teams to identify gaps that have arisen due to system or software changes.
• Alignment with Gartner's CTEM Framework: According to Gartner's CTEM framework, the fourth phase of continuous threat exposure management involves establishing continuous validation of controls and processes. By running AEV simulations regularly, teams can validate whether their security measures can withstand adversary techniques and make necessary adjustments to maintain a secure environment.
• Track KPIs for Cyber Fitness: Continuously monitor critical KPIs like:
• Comparing these KPIs over time helps determine whether the organization's cyber fitness is improving or declining.

Step 3: Improve Cyber Fitness and Adapt to New Threats

Once the team has gathered insights from AEV exercises, the next step is to make informed decisions on how to improve cyber defenses, address identified weaknesses, and boost overall cyber fitness.

Key Activities:

• Actionable Insights for Remediation: AEV exercises provide actionable insights into which areas of the defense are lacking, whether due to poorly configured security controls, insufficient detection capabilities, or lack of staff awareness. This information can be used to directly improve the effectiveness of specific controls or processes.
• Gaps in Defensive Tools and Processes: Based on threat emulation data, identify critical gaps in security tools (EDRs, SIEMs, etc.) or processes (incident response, detection engineering). Once identified, prioritize remediation of high-impact gaps that adversaries are most likely to exploit.
• Implement Security Hardening: Strengthen security controls based on feedback from AEV exercises. This could involve tightening access controls, improving detection rule sets, and better configuring existing tools to catch behaviors associated with early-stage attack techniques (e.g., Initial Access, Privilege Escalation).
• Continuous Optimization and Tuning: AEV platforms like SCYTHE allow you to replay attacks and test remediations to validate whether changes have been effective. Security teams can automate this process using continuous validation to ensure security improvements over time.
• Redefine Cyber Fitness Goals: After improvements are implemented, redefine your cyber fitness goals to ensure continuous alignment with organizational objectives. For example, if an organization is in the financial sector, emphasize techniques related to insider threats and credential-based attacks, such as OS Credential Dumping (T1003) and Account Discovery (T1087).
• Adaptive Adversarial Simulation: As adversaries evolve their tactics, ensure that the team stays up to date with new adversarial behaviors by leveraging threat intelligence feeds. This allows organizations to simulate and validate new attack vectors before they become widely exploited in the wild.

Step 4: Measure Success and Quantify Improvements

To demonstrate the value of adversarial threat emulation and validation, organizations must measure the success of their cyber fitness program and quantify improvements over time.

Key Activities:

• Continuous Metrics Reporting: After each AEV session, summarize the outcomes of the exercise. Metrics such as the number of adversarial behaviors detected, time-to-detection, and the effectiveness of security controls should be tracked and compared to the baseline metrics.
• ROI and Risk Reduction: Leverage the data from AEV simulations to quantify return on investment (ROI) for security improvements. For example, by measuring how often certain ransomware or phishing techniques were blocked after implementing specific security controls, the organization can demonstrate reduced risk exposure.
• Continuous Cyber Fitness Scoring: Track the improvement in the organization's cyber fitness score over time and benchmark it against industry standards or competitors. Regularly assess whether the organization's cyber fitness is improving and adjust tactics accordingly.

The Benefits of Improving Cyber Fitness Across Common Attack Vectors - Malware, Ransomware, and Insider Threat

Malware Risk Reduction Malware can be introduced through compromised websites, email attachments, or infected software. Once inside, malware can deploy harmful payloads that steal data, corrupt systems, or create backdoors. AEV provides a way to emulate malware TTPs (e.g., T1071: Application Layer Protocol) to ensure that existing security controls can detect, log, and block malicious software before it causes significant damage. Continuous testing helps validate security measures to protect against both known and evolving malware threats.

Ransomware Risk Reduction

Many ransomware attacks begin with phishing (T1566) or exploit known vulnerabilities (T1190). Early detection and mitigation of these techniques, especially in Initial Access and Execution, can drastically reduce ransomware risk. Emulating ransomware TTPs through AEV allows security teams to see how well their tools can detect common ransomware behaviors.

Insider Threat Risk Reduction Insider threats, whether malicious or inadvertent, present a unique challenge to organizations. Such threats often involve bypassing security measures through legitimate credentials or abusing access to sensitive data. AEV enables organizations to simulate insider threat scenarios, testing how well the security controls respond to actions like unauthorized data access or the misuse of privileges (T1078). This proactive testing helps security teams develop better policies and strengthen monitoring capabilities to reduce the risk of insider-driven incidents.

Phishing Risk Reduction

Phishing attacks are among the most common attack vectors, and they typically lead to credential theft or execution of malicious payloads (T1059). AEV can help by regularly validating how well security controls handle phishing simulations and identifying gaps in detection and response.

Other Common Attacks

In addition to common attacks, attackers often rely on weaknesses in Persistence and Privilege Escalation to maintain control over a compromised system. By using AEV to validate these techniques (e.g., T1078, T1136), security teams can catch attackers early and prevent lateral movement.

Conclusion: Building a Healthier Security Posture

Quantifying Cyber Health Improvements: AEV helps establish a baseline by simulating adversarial actions across MITRE ATT&CK techniques. Security teams can compare baseline results over time to quantify improvements in their cyber fitness.

Behavioral Detection Maturity: By continuously running campaigns focused on critical MITRE ATT&CK techniques, organizations can measure the maturity of their behavioral detections against malware, ransomware, and insider threat attack types. The more effectively an organization can detect techniques across Initial Access, Execution, Persistence, and Discovery, the less likely an attack will escalate to more severe stages like Lateral Movement or Data Exfiltration.

Feedback Loop for Continuous Improvement: AEV creates a feedback loop for continuous improvement. Each simulation provides actionable insights into where detections failed, enabling security teams to fine-tune security controls, training, and processes to close gaps.

By focusing on key Initial Access to Discovery MITRE ATT&CK techniques, organizations can proactively defend against the most common attack vectors, including malware, ransomware, and insider threats.. With Adversarial Threat Emulation and Validation, security teams can baseline their current defenses, implement improvements, and monitor their progress over time in a quantifiable manner, ensuring that their security posture evolves in a positive direction with measurable ROI.

Appendix - Common Pre-Attack Adversarial Behaviors

By focusing on a limited number of pre-attack techniques, security teams can prioritize stopping adversaries in the early stages of an attack, preventing ransomware (or phishing, malware, insider threat, etc.) from accessing critical assets and executing its payload. Disrupting tactics like Initial Access, Execution, and Persistence enables security teams to contain or mitigate ransomware threats before they escalate to the more damaging stages, such as Lateral Movement, Collection, Exfiltration, and Impact.

Of course, detecting and stopping ransomware, many additional critical detections are necessary to ensure comprehensive security and operational defense, including T1490: Inhibit System Recovery (Impact) and T1021: Remote Services (Lateral Movement).

The goal of these assessments is to identify and address critical early-stage behaviors that pave the way for later-stage tactics like lateral movement, data exfiltration, command-and-control, and impact. Identifying and mitigating these early behaviors strengthens the organization’s resilience and reduces the likelihood of a successful ransomware attack.

Top 10 MITRE ATT&CK Techniques to Help Stop or Reduce the Risks of Ransomware:

1. T1190: Exploit Public-Facing Application (Initial Access)
2. T1078: Valid Accounts (Initial Access/Persistence)
3. T1203: Exploitation for Client Execution (Execution)
4. T1059: Command and Scripting Interpreter (Execution)
5. T1543: Create or Modify System Process (Persistence)
6. T1136: Create Account (Persistence)
7. T1055: Process Injection (Defense Evasion/Privilege Escalation)
8. T1087: Account Discovery (Discovery)
9. T1003: Credential Dumping (Credential Access)
10. T1083: File and Directory Discovery (Discovery)

Top 10 MITRE ATT&CK Techniques to Help Stop or Reduce the Risks of Malware:

1. T1071: Application Layer Protocol (Command and Control)
2. T1204: User Execution (Execution)
3. T1566: Phishing (Initial Access)
4. T1027: Obfuscated Files or Information (Defense Evasion)
5. T1053: Scheduled Task/Job (Persistence)
6. T1105: Ingress Tool Transfer (Command and Control)
7. T1497: Virtualization/Sandbox Evasion (Defense Evasion)
8. T1036: Masquerading (Defense Evasion)
9. T1059: Command and Scripting Interpreter (Execution)
10. T1547.001: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (Persistence)

Top 10 MITRE ATT&CK Techniques to Help Stop or Reduce the Risks of Insider Threats:

1. T1078: Valid Accounts (Initial Access/Persistence)
2. T1213: Data from Information Repositories (Collection)
3. T1052: Exfiltration over Physical Medium (Exfiltration)
4. T1056: Input Capture (Credential Access)
5. T1087: Account Discovery (Discovery)
6. T1134: Access Token Manipulation (Defense Evasion)
7. T1059: Command and Scripting Interpreter (Execution)
8. T1027: Obfuscated Files or Information (Defense Evasion)
9. T1036: Masquerading (Defense Evasion)
10. T1074: Data Staged (Collection)