SCYTHE and PlexTrac Integration

Enterprise-grade platforms have to integrate with other enterprise solutions in order to be effective and efficient for the end user. SCYTHE focuses on providing business value through adversary emulation and showing whether security tools and controls are properly implemented and tuned to detect malicious behavior. We go a step further as a Purple Team platform to help measure and train your people and process once those controls are in place. SCYTHE integrates with multiple solutions such as Splunk, PlexTrac, and any SIEM via syslog. SCYTHE 3.2, the current version, has fully documented APIs to integrate with SOAR platforms such as Splunk Phantom and Palo Alto Networks/Demisto xSOAR.

This post covers how to integrate your SCYTHE attack platform with PlexTrac’s reporting platform. The integration is very simple as the team at PlexTrac has released an update to easily import SCYTHE threats and attack logs.

What is PlexTrac?

PlexTrac is an engagement management and reporting platform. It helps facilitate collaboration for Purple Teams throughout the entire engagement lifecycle, most importantly the reporting and tracking phases. It automates the reporting process and supports real-time analytics for teams to gain immediate perspective on their current security posture. PlexTrac’s Runbooks module allows for teams to have a standard and consistent testing methodology while also allowing red and blue teams to collaborate on the TTPs during the engagement. The Runbooks module is perfectly suited for importing data from SCYTHE campaigns and allowing the blue teams to document their data and response efforts.

Purple Team Planning

As described in the Purple Team Exercise Framework, planning is an important part of Purple Teaming as it ensures the most efficient use of everyone’s time when collaborating. SCYTHE has the largest, public library of adversary emulation plans to provide new Purple Teams various attack chains and test cases to begin with. The SCYTHE threats in their machine readable format, JSON, can now be imported in PlexTrac as Runbooks prior to executing an exercise:

  • Using Conti as an example, download the “Conti_scythe_threat.json” from the GitHub page.
  • In your PlexTrac instance, select Runbooks on the left menu.
  • Click Import on the top right.
  • Select import type: Scythe Community Threat
  • Upload the JSON file

Run the SCYTHE Campaign

Import the same JSON threat into your SCYTHE instance and launch the campaign as outlined in the adversary emulation plan. As part of planning, the SCYTHE operator should run the campaign on a target system to ensure it executes correctly in the environment before the Purple Team exercise. An advantage of SCYTHE is the ability to run the same campaign on multiple hosts consistently and reliably. As you can see in the below screenshot, Conti ran twice on a system called VIOLET where it executed 39 TTPs and exactly 107MB of total traffic on both runs. The difference in this example is that the first run was before detection engineering and controls were applied:

Import Campaign to PlexTrac

Once the Purple Team exercise is in progress and the SCYTHE campaign is executed on the target hosts, the next step is to download the CSV and import it into PlexTrac:

  • Click the CSV report for each of these campaign executions from the Reports section of your SCYTHE instance
  • In PlexTrac, under the Runbook section, select Create Engagement
  • For the Engagement Title field we will call this one “Conti: 1st Run”
  • Provide the client name and click “Begin New Engagement”
  • In the ENgagement Overview screen, click Import on the top right
  • Select Source: Scythe
  • Upload the CSV of the first execution
  • Each TTP executed in the SCYTHE campaign will be imported in chronological order as it was executed in the target host.
  • Click the Edit Action button on the first TTP to see all the details imported from the SCYTHE campaign:

Blue Team Outcome

As the SCYTHE campaign provides all the Red Team details, we only need to complete the Blue Team outcome for each TTP. Organizations have various defensive stacks but the overall outcome will be:

  • Detected/Blocked
  • Detected/Alerted
  • Forensically Logged
  • No Evidence 

For each TTP, select the Detection Outcome based on what the Blue Team was able to see and display during the Purple Team Exercise. If you want to add the TTP as a finding select “Include as Finding” on the top right and select “Add to Report” for the Targeted Assets that were imported:

When all the TTPs have a Blue Team Outcome and/or Included as a Finding, you may Submit the Engagement at the top right of the Engagement screen. Do the same process for each run of the SCYTHE campaign you want to track. 

Showing Value

PlexTrac offers multiple Reports and Analytics to show the value. On the left side, you may select Reports. Here you can select the engagement you submitted to complete or review the Report Narrative, Readout View, Artifacts, and Report Procedures. You can edit any finding to add more details, change the severity, or status before generating the report. On the left side of PlexTrac is an Analytics section that can really illustrate the value of the Purple Team Exercise. Select Runbooks and click on the one you used for these engagements. Here you will see Runbook Stats and Client Engagement Analysis graphs. One of my favorite is the Blue Team Outcomes that shows the improvement over time from one engagement to the next. For Conti, we ran it twice, once before detection engineering and once after we enabled controls. Take a look at the improvement:

On the first run, only 9 TTPs were logged and 13 had No Evidence. On the second run, after tuning our security controls, we had 13 TTPs alerting and 9 forensically logging. This is a major improvement that shows the value of performing adversary emulations as purple team exercises. If you are interested in running an exercise but don’t know where to start, SCYTHE offers professional services leveraging our talented resources, the SCYTHE platform, and the PlexTrac engagement management and reporting platform to give you real-world insights into your organization faster than you think.

Conclusion

Performing adversary emulations in your production environment is a great way to test, measure, and improve your people, process, and technology. As you perform detection engineering and tune your security controls to detect adversary behavior, you will want to track the improvements over time. PlexTrac allows you to track how your red team and purple team programs are improving your overall security posture over time. Additionally, it is a natural transgression as you mature your vulnerability management program. Now you can easily import SCYTHE threats and attack logs into PlexTrac to visualize the adversary emulations you have performed along with the results of detection and response.