Glossary Term

Adversarial Modeling

Adversarial modeling is the technique of identifying attackers based on mal-intent and suspicious behaviors, versus only searching for specific indicators of an attack. This requires an understanding of the entities in the network, identifying outliers and suspicious communication patterns, and serves to improve an organization’s capability of seeing and stopping attackers, especially that living-off-the-land.

How Adversarial Modeling Prevents Attacks and Reduces Risk

Attackers use a complex set of tactics, techniques, and procedures (TTPs) that are hard to detect because they involve abusing insider privileges, “living off the land”, and avoiding malware. When an attacker abuses insider credentials and uses tools already existing in the environment, they are hard to uncover reliably since they blend into normal business-justified activity. And, as attackers have realized TTPs such as these are successful, they are used repeatedly – only changing certain aspects like email addresses or domain names to avoid detection. Traditional approaches like signature-based detection or even anomaly detection fail in this case since there are often no anomalies or known indicators of compromise (IOC).

By deploying adversarial modeling techniques, organizations launch multi-dimensional analyses that span factors including time, entities, frequency, protocols, and attack stages to thwart attacks of this nature. This approach also makes an organization’s defense more effective and resilient since the detections are not based on ephemeral IOCs that the attacker can change at will. In fact, this gives the defense the upper hand by forcing attackers to invest the time and effort to adapt their core methods.

Consider for example a recent trend of using IoT devices as a gateway into the organization and moving laterally, escalating privileges and exfiltrating data from there. Identifying this behavior using conventional methods requires a tremendous amount of manual human effort by expert threat hunters. An adversarial model, on the other hand, could look for a combination of entities and behaviors (e.g., IoT devices) that connect to Twitter and Google Drive for command and control and exfiltration and also use Remote Desktop Protocol for lateral movement.

Types of Attacks Prevented

Adversarial modeling can be used to model and then uncover threat behaviors and align to frameworks such as MITRE ATT&CK™. When done well, this enables security analysts to do their jobs more easily and effectively, especially when faced with identifying attack techniques that are inherently difficult to uncover including:

Privileged Account Abuse

Privileged account abuse occurs when a particular user’s account privileges are used inappropriately. This can be a malicious or accidental act. Oftentimes, the abuse of insider privileges occurs as a direct result of poor access control – a lack of coordination between IT management and security teams. As a gateway to confidential data, privilege account abuse leads to the loss of sensitive files and system downtimes that can cause crippling effects on business operations.

“Living Off the Land”

Cybercriminals that launch “living off the land” techniques utilize trusted, preinstalled tools to carry out the attack. For instance, just on Microsoft Windows systems there are typically over 100 tools that can be used for this purpose. This allows attackers to operate undetected, making it difficult for companies to identify who is carrying out the malicious activity, if they discover the occurrence at all. The industry is seeing an increase in “living off the land” attacks given the reduced availability of zero-day vulnerabilities and the effort required to find them.


Malware attacks are one of the most well-known hacking techniques. Designed to disrupt and gain unauthorized access to an organization’s network, malware is comprised of malicious programs including spyware, computer viruses, Trojan horses or worms. All of which are designed to perform a variety of unauthorized functions—including stealing credentials through techniques like keystroke monitoring.

Why Adversarial Modeling Matters

Adversarial modeling is a huge step forward in security analysis, as it combines both offensive and defensive approaches. Historically, the security industry has been capable of modeling a digital environment – adversarial modeling goes further, allowing organizations to model the moves of its adversaries.

Essentially, this technique provides the ability to stitch together even the most complex of adversary behaviors. That type of understanding in today’s threat landscape creates a defense strategy that is increasingly difficult to breach.

Unparalleled Defense Advantages

Awake Security recently updated its platform to add several new features, including Adversarial Modeling™ capabilities that give defenders access to a massive “playbook” of the different TTPs that attackers use and mapping it to the MITRE ATT&CK™ framework. Further, the platform then autonomously hunts for these TTPs.

Awake’s security researchers continuously add adversarial models into the platform, giving organizations the power to detect new and evolving TTPs. Importantly, it also gives customers the ability to modify those models or build their own to more accurately identify threats aimed at their unique environment. Customers are able to use this capability without the need for their own data scientists and with even relatively junior security analysts.

Also See



If you liked what you just read, subscribe to hear about our threat research and security analysis.