Purple Team: Why all the fuss? (III). Vectr.io

As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

[Read more…]

ATT&CK reconnaissance: críticas constructivas

Sin duda, MITRE ATT&CK se ha convertido en el marco de trabajo de referencia para la estructuración (y análisis, y detección…) de tácticas y técnicas ligadas a operaciones ofensivas. Este estándar de facto constituye un esfuerzo enorme que sirve de gran ayuda para todos los que trabajamos en seguridad, pero también tiene muchas opciones de mejora, al ser un trabajo en curso y permanente actualización. Algunas de las críticas a MITRE ATT&CK pasan por la estructura plana de técnicas asociadas a cada táctica, sin ningún tipo de estructura que facilite su análisis.

En particular, en el caso de la táctica Reconocimiento, en la que un actor hostil trata de obtener información sobre su objetivo a través de diferentes medios, MITRE ATT&CK proporciona igualmente una estructura plana para las técnicas, como en el resto de tácticas, pero en este caso mezcla conceptos que pueden inducir a error y que no constituirían técnicas en sí mismas. Veamos: MITRE ATT&CK define las siguientes técnicas para la táctica “Reconnaissance” (no detallamos al nivel de sub técnica):

T1595Active Scanning
T1592Gather Victim Host Information
T1589Gather Victim Identity Information
T1590Gather Victim Network Information
T1591Gather Victim Org Information
T1598Phishing for Information
T1597Search Closed Sources
T1596Search Open Technical Databases
T1593Search Open Websites/Domains
T1594Search Victim-Owned Websites
[Read more…]

Purple Team: Why all the fuss?(II). Threat Intelligence

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.

[Read more…]