Purple Team: Why all the fuss? (III). Vectr.io

As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

[Read more…]

Purple Team: Why all the fuss?(II). Threat Intelligence

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.

[Read more…]

MQTT: risks and threats in healthcare environments

This post has been elaborated together with Alex Alhambra Delgado.

Since 2020, many changes have been made in the way we interact with each other, as well as with computer systems. In the wake of the pandemic, all companies had to upgrade their network infrastructures to provide better performance, speed and availability, given the large amount of work that suddenly had to be done remotely.

In the same way, companies needed a way to monitor all their processes remotely, in order to reduce travel and the potential exposure to viruses. In this situation, all types of industries took advantage of the benefits of the IoT (Internet of Things), which provided a new way to control the processes of a company remotely.

Illustration 1. IoT and IIoT
[Read more…]

“Spam Nation,” a portrait of 2014 cybercrime

For those interested in cybersecurity, journalist Brian Krebs is a more or less standard reference. Krebs, who used to cover cybercrime cases for the Washington Post, left his position in the newsroom and set up his own blog to continue investigating what is behind some of the most notorious cases or the most common crimes.

In his first (and so far only) book, “Spam Nation,” Krebs tells us about the so-called “Pharmaceutical Wars” between the leaders of two criminal “families”, who between 2007 and 2013 competed for the market of spamming and selling counterfeit drugs.

The two spammers, Pavel Vrublevsky and Dimitry Nechvolod, escalated their rivalry by leaking information about each other, bribing authorities, competing on price and, finally, even ordering the assault and physical elimination of their rivals. All in a six-year “war” that ended with the defeat of both.

Krebs, who tells in first person his inquiries about this rivalry, even learned Russian and traveled to the Russian Federation to interview them in person and, along the way, gives us a portrait of how the mafias that use the Internet for their purposes act and organize themselves.

[Read more…]

Purple Team: Why all the fuss? (I)

We often read or hear terms like Red, Blue, Purple, Adversarial Emulation and many others almost interchangeably, which often causes confusion in cybersecurity neophytes.

All these disciplines, often partially overlapping each other in their scope, have their place in an organization’s security plan, but it is important to be clear about their strengths and weaknesses in order to take advantage of the former and minimize the latter.

Throughout this article, or series of articles (let’s see how far down the rabbit hole I go), I will try to do my bit on this topic by ,firstly, introducing the Purple Team methodology and then looking into it with a bit more depth.

It is convenient to clarify that this article does not intend to be a lecture on the subject and only aims to make an exposition as educational as possible.

Some background

As organizations have matured and cybersecurity has become more and more important, different methodologies and approaches have been developed.

Several years ago (and unfortunately also in some organizations today) cybersecurity was reduced to hardening measures, and gradually detection and response technologies began to be appear.

[Read more…]

Is Windows SID registry important?

Within the Windows universe there are countless features and details that, given their magnitude and depth, could in turn make up multiple universes in which to wander, learn and, above all, get lost.

In today’s article we are going to take a break from Windows Security Identifiers, hoping to reveal (or remind) some of the possibilities it offers us. First, a bit of theory.

What is the SID? The SID (Security Identifier), briefly explained, is the equivalent of our National ID Card. That is, Windows generates a unique and unalterable SID for each of its entities. An entity is understood as everything that can be authenticated by the Operating System (users, groups, processes, etc.). Ultimately, thanks to this mechanism, the domain user Paco will forever have his own identifier, as will the group of Domain Administrators.

[Read more…]

So you want to go into cybersecurity…

This post has been prepared with the invaluable (and necessary) help of Maite Moreno (@mmorenog) and the cybersecurity team of S2 Grupo.

One of the good things that Information Security shares with other IT disciplines is the wide variety of training resources available, both free and for tight budgets.

Without a large financial investment, anyone with time and desire (and a minimum knowledge of technical knowledge, for which there is another large number of resources that we will not cover here) can be trained from practically zero to expert levels in practically any area of cybersecurity.

Below are some of the resources available on the Internet for free or for a reduced cost, bearing in mind that:

  • This list is not intended to be exhaustive. Feel free to comment on any content you think is missing and we will add it as soon as we can.
  • Some platforms have a freemium approach, combining free content and functionalities with paid ones.
  • Although the less technical areas of Information Security such as GRC are less (very little) represented in the list, the more generalist training sites include courses on data protection, control frameworks, risk management, etc.
  • Most of the courses are in English, so a minimum level is required to understand instructions and texts. This level is essential nowadays in the field of information technology.
  • Blogs, vblogs and podcasts on Information Security are left out, but there are plenty of extremely useful resources. This includes the thousands of webinars on every conceivable topic.
  • Nor have we included more general platforms such as edX or Coursera, which nonetheless contain many courses from prestigious universities and organizations.
  • Finally, we have not included courses from the device manufacturers, software or cloud providers, which in some cases are free, and which sometimes also provide free versions (with limitations) of their products. AWS, Tenable or Splunk come to mind, but there are many others.
[Read more…]

Omnium against Omnes (II): Towards political realism

In the previous article we commented on the impact of the possibility of anonymity in cyberspace. In this post we are going to investigate this issue and expose the details that explain the existence of anonymity, as well as the consequences in the geopolitical context.


The five factors make it impossible to directly attribute a cyberwarfare action to a nation are the following:

1.  The fact that the virtual environment is made up of information allows all types of users to create and modify artifacts, limited only by permissions. This means that there is no complete translation of the physical element to the virtual one and, therefore, there is no total control over it. Consequently, it is not possible to guarantee the immutability of the elements of the environment, i.e. what actions have been performed or by whom.

2. There is the factual impossibility of assigning a virtual profile of a nation. The problems related to attribution, based on the previous point, make it impossible to relate two campaigns separated in time only on the basis of their tactics, techniques and procedures. Even with an indicator such as the hash, there is no 100% guarantee that it is exactly the same actor, since the code could have been stolen or manipulated beforehand.

[Read more…]

Omnium against omnes (I): Foucault in cyberwarfare

There is no doubt that, in recent years, the number of politically motivated cyberspace operations has been increasing. Under the analysis of the geopolitical context, we can find one of the causes of the rise of this new model of warfare.

Not since World War II has there been a warlike conflict between two First World nations. This shows how the major nations have shifted the clash of interests to less classical methodologies, such as the use of subsidiary wars, commercial warfare and, in recent years, cyberwarfare.

However, it is the use of cyberwarfare that makes it possible to interpret the current geopolitical context, since it offers a series of particularities, as a conflict, that allow it to be adapted to contemporary international relations.

[Read more…]

Bypassing AV/EDR with Nim


Nim is a not too well known language that has interesting features that make it very appealing in attack scenarios. Here is a demonstration of its capabilities to bypass AV/EDRs and a journey into learning the language.


The knights who say Nim

For quite some time now there had been a strange talk around in the cybersec community that often reminded me of the scene at the Monty Python and the Holy Grial movie. For whatever reason, these cybersec knights kept saying “Nim” all the time. When I finally found the time I took a deep look at this weird talk to try to decipher it’s meaning. And to find out whether or not this hype held the key to any kind of Holy Grial. Once I did, I can say that I do believe it does. Now, I myself have joined these knight’s peculiar order’s ranks. Out of that trip an interesting tool was born, and here’s what I found out in that journey.

Figure 1: Monty Python and the Holy Grail, The knights who say Ni scene
[Read more…]