Adversarial Threat Modelling — A Practical Approach to Purple Teaming in the Enterprise

More and more organisations are beginning to realise the value of Mitre ATT&CK. But how can you bring your teams together to help nurture, develop and deploy a framework which consistently yields results?

This presentation details the approach developed by the Threat Intelligence team of a global bank, and how it worked together with defensive and offensive teams to deliver a compelling solution to uplift the organisations' security posture; one adversary TTP at a time.

The corresponding workshop is designed to provide practical guidance to practitioners that they can adapt for their organisations. Key learning objectives will include transforming Purple Team initiatives to be intelligence-led, and developing and deploying a Threat Library.

by Sajid Nawaz Khan, Cyber Threat Intelligence Analyst

This README is designed to support the above workshop which took place on Friday 11th September 2020 as part of x33fcon. The presentation and README were subsequently updated in November 2021 to incorporate recent changes to VECTR.

System Requirements

Please ensure you have installed VirtualBox with the Extension Pack, followed by a virtual machine running x64 Ubuntu 20.04 LTS. Ideally, the machine should be configured with at least 4GB of RAM with multi-core support.

Installing VECTR

Detailed installation instructions are available on the VECTR Documentation site. The code below is provided for convenience to help support the workshop, and is correct for version 8.1.4 of the Community Edition.

Installing Dependencies

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"

sudo apt update

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose unzip

sudo apt upgrade

sudo systemctl enable docker

On a minimal install of Ubuntu, you may need to install cURL sudo apt install curl.

Installing VECTR

To minimise issues during the workshop, please continue with default configuration options when installing VECTR. In production environments, configuring additional options within the .env file is strongly recommended.

sudo mkdir -p /opt/vectr
cd /opt/vectr

sudo wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-8.1.4/sra-vectr-runtime-8.1.4-ce.zip -P /opt/vectr
sudo unzip sra-vectr-runtime-8.1.4-ce.zip

sudo docker-compose up -d

Updating the Hosts File

For a default install, add sravectr.internal to your hosts file as follows:

sudo nano /etc/hosts
127.0.0.1   localhost   sravectr.internal

Using VECTR

Launching VECTR

Use the helper scripts start_vectr.sh and shutdown_vectr.sh within this repo (be sure to chmod +x), or run the following directly from your home folder. The very first launch will take a few minutes as VECTR initialises, so please be patient.

cd /opt/vectr
sudo docker-compose up -d

Struggling to launch VECTR? Run sudo docker ps, sudo docker stop {containerID} (or sudo docker stop $(docker ps -a -q)) and sudo docker system prune and try again.

Logging into VECTR

You should be able to access VECTR at https://sravectr.internal:8081/. The default username is admin and the password is 11_ThisIsTheFirstPassword_11.

Safely Shutting Down VECTR

cd /opt/vectr
sudo docker-compose down

Exercises

Importing Existing Datasets

1. Atomic Red Team
2. Mitre Enterprise ATT&CK CTI Bundle
3. SRA Iran TTPs

Developing your Threat Library for Adversary Simulation

Creating your own adversary emulation plan draws on the greatest strength of combining red teaming with your own threat intelligence: the behaviors are seen from real-world adversaries targeting you! — Mitre

1. Palo Alto Networks Unit 42 Playbooks
2. APT & Cybercriminals Campaign Collection
3. Malpedia

Further Reading

Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. — Mitre

1. Getting Started with ATT&CK: Threat Intelligence
2. Getting Started with ATT&CK: Adversary Emulation and Red Teaming
3. Thai CERT Threat Actor Encyclopedia
4. Recorded Future Threat Intelligence Handbook
5. Adversary Emulation using CALDERA by Erik Van Buggenhout
6. Assess your data potential with ATT&CK Datamap by Olaf Hartong
7. Purple Team Exercise Framework by SCYTHE

Tools

1. Mitre ATT&CK Navigator
2. Threat Report ATT&CK Mapping (TRAM) - For rapid triage
3. Atomic Red Team Specification
4. Sigma
5. ATT&CK Techniques Mapped to Data Sources
6. SOC Prime - Sigma Rules Mapped to TTPs

Support

1. VECTR Documentation
2. VECTR Video Guides
3. VECTR Issues on Github
4. SRA VECTR Homepage

I'd love to hear your thoughts and feedback. Feel free to say hello on Twitter @snkhan or via LinkedIn.

#cti #threatintelligence #purpleteam #redteam #blueteam #adversaryemulation #adversarysimulation #vectr #mitre