Atomic Red Team Tests: Catching Dragon Tail
Using Atomic Red Team to test detection coverage for advanced persistent threats and sophisticated attack campaigns.
Originally published on Red Canary Blog
Read the full article: Catching Dragon Tail
Testing Against APT Techniques
Advanced Persistent Threat (APT) operators chain many individual techniques across a campaign, so a single detection rarely covers the intrusion end to end. Atomic Red Team provides small, scripted tests that each emulate one ATT&CK technique, which lets you check coverage technique by technique against the patterns seen in real campaigns.
Dragon Tail Campaign
This post walks through testing detection coverage for the techniques observed in the campaign, grouped by the tactics they serve:
- Initial access methods
- Persistence mechanisms
- Credential access
- Lateral movement
- Data exfiltration
Test Methodology
Map Campaign to ATT&CK
Break the campaign down into the specific ATT&CK technique (and sub-technique) IDs it used, rather than stopping at the tactic level; the technique ID is what you will match atomic tests against.
Select Atomic Tests
For each technique, pick the atomic tests that match the observed behavior and the platform you are testing. Note the techniques that have no matching atomic test; those need manual emulation or a custom atomic.
Execute Tests
Run the tests on an isolated lab host, never on production systems, and record the host, user and timestamp of each run so the resulting events can be correlated with the test.
Validate Detection
Confirm that your telemetry captured the activity and that a detection actually alerted on it. When a test is missed, note whether the cause was missing telemetry or detection logic that did not fire, since the fixes are different.
Coverage Gaps
Testing often reveals one of four kinds of gap, each with a different fix:
- Missing detection rules: the activity was logged but no rule looked for it
- Insufficient telemetry: the activity was never recorded, so no rule could have fired
- Configuration issues: the sensor or log forwarding exists but is misconfigured or disabled on the tested host
- Tool limitations: the product cannot observe the behavior at all, which calls for a compensating control rather than a rule
Continuous Validation
APT techniques evolve. Regular testing ensures:
- Detection coverage remains effective
- New techniques are covered
- Existing detections still work
- Team skills stay sharp
Building Detection Coverage
For each technique:
- Understand the technique
- Identify telemetry sources
- Write detection logic
- Test with Atomic Red Team
- Tune for false positives
- Document coverage
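The validate, find-the-gap and tune loop described in the Coverage Gaps, Continuous Validation and Building Detection Coverage sections, as an added worked example (not code from the Red Canary post or from Atomic Red Team). The telemetry is constructed in the shape of Sysmon Event ID 1 process-creation records as a detection engineer might export them from a SIEM after an atomic run; the rules, the benign baseline and the technique-to-test mapping are assumptions for illustration.

```python
"""Detection-coverage regression check: run each rule over the telemetry each
atomic test produced, plus a benign baseline, and classify the outcome.

Added example for this page; not Red Canary's code. TELEMETRY and BASELINE
are constructed Sysmon-style process events; RULES_V1/RULES_V2 are assumed
first-draft and tuned rules, not the detections from the Dragon Tail post.
"""
import re

# Constructed telemetry: events captured per atomic run, keyed by technique ID.
# T1048.003 was run but produced no events (network logging was not enabled).
TELEMETRY = {
    "T1053.005": [
        {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
         "CommandLine": "schtasks /create /tn AtomicTask /tr calc.exe /sc daily",
         "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\tester"}],
    "T1003.001": [
        {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
         "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump 624 C:\temp\lsass.dmp full",
         "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\tester"}],
    "T1021.001": [
        {"EventID": 1, "Image": r"C:\Windows\System32\mstsc.exe",
         "CommandLine": "mstsc.exe /v:10.0.0.5",
         "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\tester"}],
    "T1048.003": [],
}

# Constructed benign events from the same host, used to catch noisy rules.
BASELINE = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /query /tn "Backup"',
     "ParentImage": r"C:\Windows\System32\cmd.exe", "User": "LAB\\admin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",
     "ParentImage": r"C:\Windows\explorer.exe", "User": "LAB\\admin"},
]


def cmdline(event):
    return event.get("CommandLine", "").lower()


def image_name(event):
    return event.get("Image", "").rsplit("\\", 1)[-1].lower()


# First-draft rules (assumed): too broad for schtasks, too narrow for LSASS.
RULES_V1 = {
    "T1053.005": ("Any schtasks.exe execution",
                  lambda e: image_name(e) == "schtasks.exe"),
    "T1003.001": ("LSASS dump with procdump",
                  lambda e: "procdump" in cmdline(e) and "lsass" in cmdline(e)),
}

# Tuned rules (assumed): narrower schtasks logic, broader LSASS logic, new RDP rule.
RULES_V2 = {
    "T1053.005": ("Scheduled task created from the command line",
                  lambda e: image_name(e) == "schtasks.exe"
                  and re.search(r"(^|\s)/create(\s|$)", cmdline(e)) is not None),
    "T1003.001": ("LSASS memory dump (procdump or comsvcs MiniDump)",
                  lambda e: ("procdump" in cmdline(e) and "lsass" in cmdline(e))
                  or ("comsvcs.dll" in cmdline(e) and "minidump" in cmdline(e))),
    "T1021.001": ("RDP client launched to an internal host",
                  lambda e: image_name(e) == "mstsc.exe" and "/v:" in cmdline(e)),
}


def evaluate(rules, telemetry, baseline):
    """Classify each technique: detected, missed (logged but no alert),
    no_rule (nothing looks for it), no_telemetry (ran but nothing was recorded);
    and list rules that fire on the benign baseline as false positives."""
    report = {"detected": [], "missed": [], "no_rule": [], "no_telemetry": [],
              "false_positives": []}
    for tid, events in telemetry.items():
        if not events:
            report["no_telemetry"].append(tid)
        elif tid not in rules:
            report["no_rule"].append(tid)
        elif any(rules[tid][1](e) for e in events):
            report["detected"].append(tid)
        else:
            report["missed"].append(tid)
    for tid, (_name, match) in rules.items():
        for e in baseline:
            if match(e):
                report["false_positives"].append((tid, e["CommandLine"]))
    return report


def coverage(report):
    """Fraction of exercised techniques that produced an alert."""
    total = sum(len(v) for k, v in report.items() if k != "false_positives")
    return len(report["detected"]) / total if total else 0.0


if __name__ == "__main__":
    for label, rules in (("v1", RULES_V1), ("v2", RULES_V2)):
        r = evaluate(rules, TELEMETRY, BASELINE)
        print(f"{label}: coverage {coverage(r):.0%} {r}")
```

The v1 run surfaces three of the gap types from the list above at once: T1003.001 is missed because the logic only knows one dumping method, T1021.001 has no rule, and T1048.003 has no telemetry, while the broad schtasks rule fires on a routine query. The v2 rules close the logic gaps; the T1048.003 gap stays open because no rule can fix missing telemetry, which is exactly why the check keeps it as a separate category. Re-running this after every rule change or sensor update is the "existing detections still work" part of continuous validation.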
Related Modules
Atomics on a Friday
Weekly YouTube show exploring atomic tests, detection engineering, and security research. Live demonstrations and deep dives into attack techniques.