Skip to content

History and Terminology

History and Terminology

VECTR

Some history may be helpful to understand why some duplicate terminology exists, why things are named a certain way in VECTR, how cybersecurity language has changed as Purple Team exercises become more popular, and how to make use of VECTR. Prior to VECTR, SRA conducted engagements similar to what are now called Purple Team exercises and recorded results in Excel spreadsheeets. Recording data this way is challenging and difficult to maintain over time. Before the terminology of Purple Teaming became popular, we referred to these activities as a type of in-depth Threat Modeling or Threat Modeling and Simulation. Initial development of VECTR's Threat Modeling precursor tool began in 2014 and first use occurred in 2015.

Threat Modeling Tool

The reporting and results from this activity and tool were immediately popular with our clients. The software application was converted to a web application and VECTR was released publicly in 2016 as a free cybersecurity tool. Development continues as Purple Teaming, Adversary Emulation, and Cybersecurity in general becomes more important.

Kill Chains, Phases, Tactics, and Techniques

Initially, one of the most well-known frameworks for categorizing cyberattacks was the Lockheed Martin Cyber Kill-Chain discussed in 2011. You will see references to Killchains and Phases in VECTR because of the popularity of this taxonomy. MITRE Enterprise ATT&CK was created in 2013, but public awareness increased in 2017 and 2018 as the project published very useful cyber threat intelligence, web resources, and the intelligence sharing tool, Unfetter. The Cyber Killchain itself is roughly equivalent to a MITRE ATT&CK Framework's depiction of all its Tactics like the complete list of Enterprise ATT&CK Tactics, and a Killchain Phase is roughly equivalent to an ATT&CK Tactic.

MITRE to VECTR Terminology

Framework

Killchain - The MITRE Enterprise ATT&CK Framework or MITRE ATT&CK for Industrial Control Systems would be an example of a Killchain in VECTR. Non-MITRE examples would be the Unified Kill-Chain or Lockheed Martin Cyber Kill-Chain.

VECTR Kill Chains

Tactic

Phase - A MITRE Enterprise ATT&CK Tactic is equivalent to a Phase in VECTR. Some examples of these are Discovery, Exploitation, and Execution.

VECTR Phases

Technique and Sub-Technique

Technique or Method - A Technique or Sub-Technique in MITRE ATT&CK like T1053.005 - Scheduled Task is similarly called a Technique in VECTR. Additionally, VECTR has a specific Mitre ID field that is filled out when selecting a Technique. Before the popularity of MITRE ATT&CK, VECTR referred to a Technique as a "Method" or "Attack Method." You may see this phrasing in older publications.

VECTR Technique Heatmap

VECTR Technique Test Case

Procedure

Test Case, Variant, or Test Case Template - In some MITRE publications, specific instances of attack methods categorized by a Technique ID are described as Procedures. In VECTR, we record the Procedure in general as a Test Case Template. The specific use of a Procedure, such as what you would do during the simulated attacks comprising a Purple Team, would be recorded in VECTR as a Test Case. Older publications may use the word "Variant" or phrase "Attack Variant" to describe this as well.

VECTR Test Case Templates

Adversary Emulation and Simulation

Purple Team exercises can be focused on specific, common threats or can be designed to emulate adversaries or malware that may target an organization or industry. Using Cyber Threat Intelligence to inform and plan Purple Team activities was colloquially referred to as Risk-Based Assessment Planning or Industry-Specific Adversary Simulation. More recently, vocabulary such as Threat-Informed Defense is being evangelized by vendors and academic sources to cover these and other related activities.

VECTR Emotet Campaign

Methods of Purple Teaming

Different approaches to Purple Teaming can be seen in industry publications, continuing education courses, and vendor products. Some methods like Atomic Testing and Adversary Emulation will be described in later VECTR documentation.