Purple Team: Why all the fuss? (III). Vectr.io

As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

[Read more…]

Purple Team: Why all the fuss?(II). Threat Intelligence

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.

[Read more…]

Purple Team: Why all the fuss? (I)

We often read or hear terms like Red, Blue, Purple, Adversarial Emulation and many others almost interchangeably, which often causes confusion in cybersecurity neophytes.

All these disciplines, often partially overlapping each other in their scope, have their place in an organization’s security plan, but it is important to be clear about their strengths and weaknesses in order to take advantage of the former and minimize the latter.

Throughout this article, or series of articles (let’s see how far down the rabbit hole I go), I will try to do my bit on this topic by ,firstly, introducing the Purple Team methodology and then looking into it with a bit more depth.

It is convenient to clarify that this article does not intend to be a lecture on the subject and only aims to make an exposition as educational as possible.

Some background

As organizations have matured and cybersecurity has become more and more important, different methodologies and approaches have been developed.

Several years ago (and unfortunately also in some organizations today) cybersecurity was reduced to hardening measures, and gradually detection and response technologies began to be appear.

[Read more…]