Important VECTR Concepts
Goals of Purple Teaming
Purple teaming is a collaborative way to improve an organization's cyber defense. We commonly refer to it as an "open-book exam" because the Blue Team has knowledge of the actions being performed by the Red Team. Purple Teaming helps prioritize and demonstrate quantifiable improvements in defenses over time.
Specific Desired Outcomes
Define your purpose before planning and beginning a Purple Team engagement. A typical Purple Team engagement is designed to measure the actual response to simulated attacks and compare it against the expected defenses. Additionally, you may have more specific goals, such as improving log collection in your SIEM or evaluating the effectiveness of several EDR tools in a bake-off. Understanding your goals will help you name and organize your data.
VECTR Data Structure
A Database is a Test Environment where you may track related tests over time. Content contained in a Database is isolated to that Database. Any red team attack tools, defense tools, sources, and targets you create to describe your test activities will be limited in use to the Database where they are created.
Also simply referred to as Assessments, an Assessment Group is the scope of a security testing event. This includes a list of Campaigns and tests that are to be run in an environment. You can have multiple Assessments running at once. In VECTR it’s helpful to organize these by the name of the activity and when it’s being run.
Example Assessment Groups:
- Sep 2021 - Internal Red Team for Audit
- Nov 2021 - External Purple Team
- SOC - Ongoing Continuous Purple Team
It’s important to define total testing scope to help report on your activities later. A clear scope that you reuse and build on over time allows you to measure overall risk and quantify improvements to your defense tools and techniques. In VECTR, all of your test activity is required to be recorded in an Assessment.
A Campaign is a logical group of Tests to be run within an Assessment. This is a loose organizational data structure, similar in concept to a file folder in general computing or a test suite in software quality assurance. You can group tests into Campaigns by adversary, malware, test type, kill chain phase, or any other structure that makes sense for your organization.
Example Campaigns:
- APT 39 Adversary Emulation
- Emotet 2019 Sample Malware Emulation
- Multiple Variations of Port Scans
- Multiple Variations of Downloaded Phishing Payloads
- MITRE ATT&CK Discovery
A Test Case is an individual Test to be run within a Campaign. A Test Case includes a set of commands or instructions and any necessary accompanying data designed to help a Purple Team operator perform a specific, repeatable security testing activity. Once a Test Case is performed, VECTR allows you to capture additional information like when the test was performed and if it was detected by defense tools.
In the context of the MITRE ATT&CK Framework, a Test Case represents a specific, repeatable instance of an attack technique. A Test Case Template may be considered similar to a "Procedure" in the MITRE Enterprise ATT&CK framework. Different Test Case variants can map to the same MITRE ATT&CK technique ID.
In VECTR it’s helpful to name a Test Case after either the exact activity you’re performing or the threat you’re attempting to emulate.
Example Test Cases:
- APT1 - Account Discovery using Net
- Wannacry Lateral Movement using DoublePulsar
- Noisy NMAP port scan of 1000 ports
- Compress Sensitive PCI data on Endpoint with CLI zip program
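As an added illustration of the hierarchy above and of measuring improvement between Assessments (example code written for this page, not VECTR's own code or data model; the class names, the "Corp Prod" Database, the technique IDs chosen for the sample tests and the sample outcomes are all constructed), this Python model aggregates Test Case detection results per ATT&CK technique, so that several variants of one technique count toward the same coverage figure, and compares two Assessment Groups that re-ran the same Campaign:

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date
# Hypothetical model of the hierarchy described above (Database > Assessment
# Group > Campaign > Test Case); an added example, not VECTR's own code.
@dataclass
class TestCase:
    name: str
    technique_id: str                # ATT&CK technique this variant maps to
    executed_on: date | None = None  # when the test was performed
    detected: bool | None = None     # None: planned but not yet run
@dataclass
class Campaign:
    name: str
    test_cases: list[TestCase] = field(default_factory=list)
@dataclass
class AssessmentGroup:
    name: str
    campaigns: list[Campaign] = field(default_factory=list)
@dataclass
class Database:  # Test Environment; content is isolated per Database
    name: str
    assessments: list[AssessmentGroup] = field(default_factory=list)

def detection_by_technique(assessment: AssessmentGroup) -> dict[str, tuple[int, int]]:
    """{technique_id: (detected, executed)} over all campaigns; unrun tests skipped."""
    counts: dict[str, tuple[int, int]] = {}
    for tc in (t for c in assessment.campaigns for t in c.test_cases):
        if tc.detected is not None:  # variants of one technique are aggregated
            d, n = counts.get(tc.technique_id, (0, 0))
            counts[tc.technique_id] = (d + int(tc.detected), n + 1)
    return counts

def technique_improvement(earlier: AssessmentGroup, later: AssessmentGroup) -> dict[str, float]:
    """Per-technique change in detection rate between two runs of the same scope."""
    before, after = detection_by_technique(earlier), detection_by_technique(later)
    return {tid: round(after[tid][0] / after[tid][1] - before[tid][0] / before[tid][1], 2)
            for tid in before.keys() & after.keys()}

def build_sample() -> Database:
    """Constructed sample: the same Discovery campaign re-run two months apart."""
    def discovery(run: date, net: bool, ps: bool, scan: bool) -> Campaign:
        return Campaign("MITRE ATT&CK Discovery", [
            TestCase("APT1 - Account Discovery using Net", "T1087", run, net),
            TestCase("Account Discovery using PowerShell", "T1087", run, ps),
            TestCase("Noisy NMAP port scan of 1000 ports", "T1046", run, scan),
            TestCase("Quiet port scan of 10 ports", "T1046")])  # planned, not run
    return Database("Corp Prod", [
        AssessmentGroup("Sep 2021 - Internal Red Team for Audit", [discovery(date(2021, 9, 14), False, False, True)]),
        AssessmentGroup("Nov 2021 - External Purple Team", [discovery(date(2021, 11, 9), True, False, True)])])
```

With the sample data, Account Discovery (T1087) goes from 0 of 2 variants detected in September to 1 of 2 in November, while port scanning (T1046) stays fully detected; the unrun test case is excluded from both rates.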