MITRE ATT&CK and Purple Team

The Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) project by MITRE is an initiative started in 2015 with the goal of providing a “globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.” Since its inception, ATT&CK has taken the information security industry by storm. Many vendors and information security teams the world over have moved to adopt it with blinding speed, and for good reason: it is one of the most exciting, useful and needed efforts within InfoSec in recent memory. ATT&CK provides a key capability that many organizations have struggled with in the past: a way to develop, organize and use a threat-informed defensive strategy that can be communicated in a standardized way across partner organizations, industries, vendors and products.


Comparing Layers in ATT&CK Navigator

URL: https://mitre-attack.github.io/attack-navigator/
This document provides a walkthrough of how to use the ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/) to compare two different layers. (Navigator source code is available at https://github.com/mitre-attack/attack-navigator.) This comparison method is useful if you want to compare techniques used by two different groups, but could be applied in many ways: to compare a group to your defensive coverage, your defensive coverage from one week to the next… whatever you want to do!
For this exercise, you’ll compare APT39 techniques to OceanLotus techniques to build upon the previous exercises in the ATT&CK for CTI training. (OceanLotus is the group identified as being behind the Cobalt Kitty campaign according to Cybereason.) To do this, you will:
1. Create a layer and assign a score to techniques used by APT39
2. Create a second layer and assign a different score to techniques used by OceanLotus
3. Combine the two using “Create Layer from other layers” with the expression “a + b”
4. Export the layer in the format of your choice

1. Create an APT39 layer and assign a score to techniques used by APT39

Go to the ATT&CK Navigator (https://mitre-attack.github.io/attack-navigator/enterprise/). By default, Navigator will start with a new layer called “layer,” so you’ll work with that. To help keep yourself organized, rename the layer to “APT39” by clicking on the name at the top.
Next, assign a score to the highlighted APT39 techniques. You do this by clicking the “Scoring” button and choosing a score. Make the score 1 for this exercise.
You may choose to give your techniques a different color, such as blue in this example, by clicking on the “color setup” button, selecting each value, and making each value blue. This will change all your techniques to the selected color.

2. Create an OceanLotus layer and assign a score to techniques used by OceanLotus

Now, you will create a new layer and repeat this process with OceanLotus techniques. Click the plus sign at the top of the Navigator to create a new layer.
Now you’ll repeat what you did with APT39, but with OceanLotus this time. Toggle the “multi-tactic technique” selection, name your layer, and select the following 21 techniques (holding down “Ctrl” as you do this). Give your techniques a different score than you did in the APT39 layer (use 2 for this exercise), and then color them as you choose.
If you did this as we described above, you will get a layer that looks like the below.

3. Combine the existing APT39 and OceanLotus layers

Click the plus sign again, but this time select the option “Create Layer from other layers” to expand the dropdown. When you expand the dropdown, Navigator helpfully gives letter names for each of your existing layers in yellow, so you know that Navigator identifies your APT39 layer as “a” and your OceanLotus layer as “b.” You want to combine the scores you have in your two layers, so you choose addition and enter the expression “a + b” into the score expression field.

Now you have your combined layer. Initially, all the techniques may appear as various colors depending on the color setup. However, if you hover over techniques, you’ll see that some techniques have a score of 1 (these are the ones used by APT39 only), some have a score of 2 (the ones used by OceanLotus only), and some have a score of 3 (the ones used by both APT39 and OceanLotus).
You can change the colors that appear for each score by clicking the “Color setup” button. You know the values are 1, 2, and 3, so make the low value 1 and the high value 3. Navigator knows 2 is halfway between 1 and 3, so it will automatically use the middle color for the value of 2.

4. Export the layer

You have a couple of options for how you can export the Navigator layer, and which one you choose will depend on how you want to work with it. You can export to Excel (arguably the best analyst tool of all time). This option will just export colors, not scores.
You can also download the layer as JSON, which might be useful if you want to script a layer’s ingest into another tool or save it for later manipulation in the Navigator.
Maybe you want to download it as an image for a PowerPoint so you can show off what you know about adversary groups. You can export the layer as an SVG image file. As you export to SVG, you have lots of options on what you want to include as well as the format, text, size, etc. Click the download button to get a copy of your SVG to use however you see fit.
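The four steps above can also be reproduced offline against the JSON you export: the following Python script is an added example (not code from MITRE or the attack-navigator project) that builds two scored layers, combines them with the score expression “a + b”, groups techniques by the resulting score (1, 2, 3) and colors them as “Color setup” would with low 1 and high 3. It assumes only a minimal subset of the Navigator layer JSON keys, and the technique sets it assigns to “APT39” and “OceanLotus” are constructed samples, not ATT&CK’s actual group mappings.

```python
"""Reproduce the Navigator walkthrough offline: build two scored layers,
combine them with the score expression "a + b", group techniques by the
resulting score, and colour them as "Color setup" would with low=1, high=3.

Added example; this is not code from MITRE or the attack-navigator project.
Assumptions: the dicts use only a minimal subset of the Navigator layer JSON
keys (name, domain, techniques[].techniqueID/score/color); the technique sets
for "APT39" and "OceanLotus" are constructed samples, not ATT&CK's mappings.
"""
import json


def make_layer(name, technique_ids, score, color):
    """Minimal Navigator-style layer: every listed technique gets the same score."""
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": score, "color": color}
            for tid in technique_ids
        ],
    }


def combine_layers(a, b, name="APT39 + OceanLotus"):
    """Score expression "a + b": a technique absent from one layer scores 0 there."""
    scores = {}
    for layer in (a, b):
        for t in layer["techniques"]:
            tid = t["techniqueID"]
            scores[tid] = scores.get(tid, 0) + t.get("score", 0)
    return {
        "name": name,
        "domain": "enterprise-attack",
        "techniques": [
            {"techniqueID": tid, "score": s} for tid, s in sorted(scores.items())
        ],
    }


def group_by_score(layer):
    """score -> sorted technique IDs; with input scores 1 and 2,
    1 = first group only, 2 = second group only, 3 = used by both."""
    groups = {}
    for t in layer["techniques"]:
        groups.setdefault(t["score"], []).append(t["techniqueID"])
    return {s: sorted(ids) for s, ids in groups.items()}


def apply_gradient(layer, colors, min_value, max_value):
    """Mimic "Color setup": pick a colour from the gradient by where the score
    sits between min_value and max_value, so the midpoint gets the middle colour."""
    span = max_value - min_value
    for t in layer["techniques"]:
        pos = 0.0 if span == 0 else (t["score"] - min_value) / span
        pos = min(1.0, max(0.0, pos))
        t["color"] = colors[round(pos * (len(colors) - 1))]
    return layer


if __name__ == "__main__":
    # Constructed sample sets: real ATT&CK IDs, but not the groups' real mappings.
    apt39 = make_layer("APT39", ["T1059", "T1566", "T1003"], 1, "#6baed6")
    oceanlotus = make_layer("OceanLotus", ["T1059", "T1566", "T1204"], 2, "#fd8d3c")
    combined = apply_gradient(combine_layers(apt39, oceanlotus),
                              ["#ff6666", "#ffe766", "#8ec843"], 1, 3)
    print(group_by_score(combined))
    print(json.dumps(combined, indent=2))  # the layer you would otherwise export
```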

Purple Team and How it works

Blue Team - The organization responsible for defending a larger organization’s assets/business/operations in cyberspace.

Red Team - An organization that tests cyber defenses by emulating adversary attacks against them.

Purple Teaming - An organizational concept that seeks to maximize defensive capabilities by coordinating and coupling the activities of red and blue teams.

How it works:

Blue Teams are specifically charged with defending an organization against cyber threats. They are well-read in the business processes and outcomes they defend and (should) work closely with IT Operations to ensure they enact the correct controls in alignment with mission needs. They should have commensurate familiarity with the architecture they defend as a matter of necessity. Blue Teams are specialists in detecting, investigating, and resolving anomalous behavior and out-of-the-ordinary events in an IT infrastructure. They execute their mission through a variety of disciplines and continuously work to harden their posture.

Red Teams emulate cyber threats in a carefully targeted fashion to test an organization’s defenses against truly malicious actors, but without all the inconvenient data theft, loss of institutional credibility, and/or catastrophic business disruption. By nature, they are deeply threat-informed, and pair that knowledge with a “Red” mindset—one that’s inherently devious, tricky, and subversive, always thinking laterally and trying to figure out how to break things. Red Teams are Threat Emulation Specialists, able to adapt threat intelligence reports and/or sample code into safe, workable emulations that realistically test defenders and defenses.

Purple Teaming couples and coordinates red and blue to maximize the capabilities and impact of both. It aligns the blue team’s mission focus with relevant threats, allowing them to base defensive architectures on Business Critical needs. It applies “Red” thinking to carefully balanced and curated enterprises to show (not tell) stakeholders how their most critical capabilities can be compromised and give clear guidance on defending them. Fundamentally, Purple Teaming offers operators and analysts the means to align detection to threats in a structured way.

Purple Teaming is the most straightforward practical expression of threat-informed defense.

Workflow:

1) Red Team executes iterative attacks against friendly cyberspace, tuned to replicate adversary capabilities and prevent irrecoverable disruption
● Stopped attacks generate reports of detection and mitigation details back to the Red Team
● Successful attacks generate reports of attack method and exposure details back to the Blue Team.
2) Red and Blue Teams jointly debrief all actions in coordination with IT Ops; mitigations emplaced, attack techniques refined, attack surface reduced
3) Continuous testing and improvement refines detection capabilities and enables ever-more difficult scenario execution, which refines detection capabilities…

You don’t create a purple team (noun), you purple team (verb). Purple Teaming is the optimization of the relationship between adversary emulation and defense teams and capabilities. Its significance is conceptual in that we’re combining the colors blue and red into something whole and consistent, and practical in that there are new disciplines, tools, and procedures to consider. The concept is simple, but there’s no free lunch when it comes to gaining the full benefits.

How to Start Purple Teaming

Identify Stakeholders

Planning Calendar

Give yourself at least a month to make an exercise happen, from the start of planning to Outbrief delivery.
2-4 weeks for planning is generally enough time to:
1) Properly engage stakeholders and gain approval
2) Conduct terrain and threat analysis
3) Generate a solid emulation plan
4) Define exercise administration and sequencing for final approval
1 week is enough time to run a good exercise, but you can go as long as you like if you have the manpower and cycles to support it. Plan the last day for remedial emulations that were missed, incompletely addressed, or which present special training value. Be ready to deliver an immediate Outbrief to your stakeholders after the final hot wash. Confirm to them that you’re delivering on their investment of time and money and preview the detailed findings that will come out in a week’s time. The final Outbrief should happen no less than a week after exercise completion, but fully detailed reports on mitigation plans and continuous defense plans can take as long as needed to make them properly actionable.

A plan and some way to document execution

It could be as simple as a few .doc and .xls files (I’ve seen people run fantastic operations that way), or it could be as complex as your own vectr.io instance (check it out; it is a great tool for planning and documenting Purple Team exercises).

Model the Threat

Threat Assessment Worksheet

If you do nothing else, do this. What you see here is a summarized version of orienting to the target (you) and threat selection. Once you’ve answered the questions:
- What does this organization do?
- How does it do it?
- Who might want to disrupt it?
- Who might profit from our data/IP?
Run your results through the google machine and you’ll be surprised what comes up. Simply using your vertical as a search term can yield good information.
“[your vertical] cyber threats”
“Apt targeting [your vertical]”
“Cyber attack trends [your vertical]”
I recommend starting with the MITRE ATT&CK website: https://attack.mitre.org/
Click on “Groups” at the top of the page and read up on each group to understand their targeting tendencies. More importantly, you get a list of all the techniques and tools they are known to use or have used!
FireEye maintains an excellent collection of free information on all known APTs as well.
Once you know what your threat looks like, jump into the ATT&CK Navigator and pick out techniques to emulate: https://mitre-attack.github.io/attack-navigator/enterprise/
Exercise Map:

The Emulation Plan:

Most teams don’t automate, and there are a variety of reasons why.
Consider automation: Purple Team engagements specifically, and Threat-Informed Defense in general, lend themselves to automation because the alternative is a too-small sample size and restricted test scopes. Red Teams remain threat experts who can plan and shape emulation plans, incorporate focused threat intelligence, and validate findings better than just about anyone.

Some kind of Blue Team

Whatever your organization calls it, you need dedicated defenders to work their part of the exercise, and enough of them to dedicate at least a few entirely to the exercise while the others hold the line in reality-land.

Some kind of Red Capability

Note that I didn’t say “team.” Engaging a Red Team is a good way to go but isn’t absolutely necessary—you’ve got options. There is open source and commercial tech out there that can do your emulations with relative safety and control (covered in exquisite detail in our Foundations of Breach & Attack Simulation course), but you’ll need someone at the helm with experience in Red tactics regardless of whether you choose manual or automated.

Get Started:

- Start, and start small.
- Execute in small, tight OODA loops; be agile, safe, and ready to fail.
- Begin your investment in the testing automation continuum.
- Find/name an expert to own the exercise, testing, and threats:
  • Director of Threat-Informed Defense
  • We will be teaching courses on what this means
- Be sure to grab the templates on the LMS.

Stakeholders and what each brings to the exercise:
- CISO/Head of Infosec: strategic goals and concerns
- SOC Director: control gaps, procedural strengths and weaknesses
- EXCON/DTID: current posture of the organization as aligned to the threat
- IR Lead: workflows and information channels
- Red Team Lead: most likely attack vectors
- Threat Intel Lead: updated threat profile for the organization
- IT Ops Management: issues with security, most up-to-date documentation

Taking Actions

Purple Teaming in 4 Questions:
- Who wants to hack me?
- How might they do it?
- Are my controls set up to stop it?
- How can I emulate it and test them?
Before You Do Anything
Get management in your corner. How? Tell them that Purple Teaming can:
- Maximize Security Program ROI by aligning controls to relevant threats and making good mitigations into measurable, dashboard-able effects
Phases:

Phase I - Orientation

Understand your Org’s Mission
Develop your understanding of your organization’s mission. What does it do? How does it create value? What are its success conditions? Who are its competitors? What is its vertical? Market Impact? Geographic placement? Geopolitical considerations for all of the above (as applicable)? What we’re doing here is thinking like an attacker would, and essentially Targeting your organization. There’s something about Sun Tzu in here, I just know it.
Understand Your Environment
Ask yourself: From a technical perspective, what are we testing against? What will make this strange? What are the idiosyncrasies of your org’s service, data, transport, and security architectures? Use this time in the schedule to ensure you have the most recent and accurate documentation possible on all testable facets of your enterprise.
Terrain Analysis
Turn the screws on your IT architecture review to more fully understand how it supports your organizational mission. Why was it built the way it is? Prioritize assets based on business outcome and recurse into the business process <- capability <- asset <- infrastructure chains that support them; this enables threat picture development and actor assessments by helping you understand probable attack paths and targets. IT Ops should be able to help here, if not hand you something that answers most of it.
Threat Selection
From your understanding of the mission, architecture, and the interaction between them, turn the table around and ask “how would I attack this?” and “who would attack this?” This answer should be informed by the self-targeting you did 2 steps back. Consider APTs, consider commodity malware, and consider the tools various actors are known to use and their capabilities. There will be A LOT. Based on your prioritization of business-critical assets and/or controls, narrow it down to no more than 2 actors mixed in phasing and tempo to train both Ops and Intelligence functions.
Know Your Controls
Ask yourself: “What is happening where security intersects with infrastructure at critical points in the architecture? Do my controls work against baseline threats (i.e. the dirty dozen)? What is the full list of controls and capabilities operating in the enterprise? Are they enabled?” The output of this step will later combine with that from threat selection to produce your emulation plan.

Phase II - Planning and Preparation

Scope The Exercise
Establish Goals
Begin planning in earnest by deciding what you want to achieve: Baseline (or better yet, up-gun) your tools, procedures, and team? Validate controls in the wake of a major reorg or infrastructure update? Test new capabilities?
Establish Emulation Control Measures
Control measures fence off areas, assets, identities, and people whose criticality or sensitivity is such that the risk incurred by testing them directly is unacceptable to management. Risk is management business and it’s the job of the infosec and IT ops teams to present them with the data needed to make informed risk decisions. Speak plainly with the best available analysis and avoid overstating risk, just qualify it and, where possible, quantify it. Control measures can be as simple as lists of subnets, hosts, services, identities, or people.
Determine Controls Under Evaluation
Based on the time and resources available, you may need to limit the number of controls being tested. Remember that every control, regardless of test outcome, needs.
Set Timing, Sequencing, and Flow Control
Timing And Schedule:
Planning factors*: 3-4 weeks for prep, 1 week for execution. Plan for 4 days’ worth of work per shift. Plan for 1 more day of execution than you think you’ll need to complete all of your emulations. Shift, daily, and final reporting should be specified. Phase I threat selections become Master Scenario Event List items (assuming approved budget and personnel).
Establish the Battle Rhythm
This is where you make money. Don’t skip this part. Bananas. I’m going to ask a question about fruit, later on, to make sure you read this. Note: the critical element of purple teaming is in continuous interaction between red and blue, regardless of whether or not red is automated. Exercise Control should be leading debriefs of effects, detects, and protects at least twice daily with all Do-ers in the room.
Effect (test)-based time constraints and debriefs
Set time gates for the blue team to detect and action each effect. If they blow a gate, advise the red team to move to the next OR provide “threat intel” to point blue in the right direction. It’s EXCON’s responsibility to understand the relative value of each scenario and keep the exercise moving. Both a blown gate and immediate alert have training value and need a debrief.
Empower Trusted Agents
ID and in-brief trusted agents
Senior stakeholders and leadership of red and blue should have full knowledge of the exercise scenario, specifically red actions and their timing. NDA them as needed, but be more certain to impress the importance of limiting what the Do-ers know as a matter of training value. From the perspective of safety, TAs will know that something is happening and will deconflict confusion on the analyst floors when reality pokes its nose in.
Establish Deconfliction Procedures
The exercise controller should have quick access to and a close relationship with IT Ops leaders, and at least 2 IT Ops techs (one per shift) should be TAs in order to effect quick deconfliction of emulation effects which may impact production. Be sure that everyone who has cease-fire authority can contact the red team on a moment’s notice and that the red team knows who they are.
Create the Emulation Plan
Align Emulations to Controls
Every emulated adversary technique should align to a control or set of controls to test—this is the core of the emulation plan. There will be A LOT to choose from, so narrow it down to about 4 days of work for each shift involved in the exercise. As you think about what those detections are and how they will look, consider the Sigma project as a reference point for designing rules: https://github.com/Neo23x0/sigma
Success Criteria
Determine your standard of success. This is generally detection, prevention, or both.
Prepare a Hint Bank
There’s going to be more than one time when the blue team is stumped—this is ok and actually good. A blown gate is worth more in training value than an immediate detection, just be ready to keep the action moving with specifically crafted “threat intel” notes and packages that can put them back on the right track or help slide the last piece into place.

Phase III - Execution

Execute the Emulation Plan
…and make sure it counts. You’ll have found a way to get your emulations executed professionally, and ensuring the debriefs happen is paramount.
Manage the Ebb and Flow
This is the iterative and on-call portion of the exercise. You’ll quickly see where SOC teams and red teams alike find their friction points and the art to this Purple stuff is in nudging the schedule and emulation timing to take advantage of it. EXCON should be everywhere at once, assessing processes, information flows, and general competency on both sides.
Exercise Judgement
Safety, Exercise Flow, and PRODUCTION are all subject to a degree of risk when emulating badness. EXCON should be an experienced practitioner-leader who knows Red, Blue, and Intel as fluently as IT architecture (very).
…and remember, No Discomfort, No Expansion

Phase IV - Reporting & Remediation

Debrief in Detail and Report
Hot Wash and Deliver the Initial Outbrief
Every day gets a rundown of catches and misses with both red and blue in the room. Address the how and why of each, be candid, call out individual successes and failures constructively.
Produce Audience-Appropriate Reports
Every stakeholder has both a boss and a job to handle; produce reports accordingly. Some technical reports will require extra time and analysis to make useful with compensating controls and mitigation plans. Some EXSUMs will need savvy VPs to weigh in and executize© things into the language of risk as opposed to vulnerabilities in libc. Talk to people about the things they care about.
Mitigate and Revalidate Control Gaps
Assess and Enact Mitigations
Ask yourself and your team: Wherever the pipeline failed, how do we fix it and what are the best compensating controls to stand between now and that fix? Where do controls so repeatedly overlap as to lose value in maintaining both rather than dropping one and compensating somewhere else? Security Architecture analysis comes back into play as red and blue refine both failed processes and tech. A mitigation is anything that The Risk Mitigation Plan is a framework for describing and prioritizing exercise outputs.
Revalidate Updated Controls
Start up whatever Red capability you used to execute the emulation plan and throw it at your fresh mitigations to see how they took.
Plan for future iterations
Identify Persistent Gaps
There will still be holes, but they shouldn’t be so big or numerous as before, and you’ve stepped up your team’s capabilities to the point that the ones you filled are matters of policy and procedure to cover rather than intense effort. The ones left over are the subject of compensating controls, longer-term investments, and the starting point for the next round.
Level Up The Next Exercise
A successful Purple Teaming exercise so plainly demonstrates value that every stakeholder is going to want more. This is a process that finds maximum ROI when executed in a spiral of increasing scenario complexity. Any Blue team becomes purple with the proper measure of Red capabilities mixed in.

Copyright notice:
Author: Alex
Link: https://www.techfm.club/p/226069.html
Source: TechFM
The article is copyrighted by its author; please do not reproduce it without permission.
