How are Blue Teams utilizing SCYTHE? One way the Blue Team can use SCYTHE is by reviewing its reporting. SCYTHE’s reports can be used by the Blue Team in determining how gaps in security controls can be mitigated.
In this post, we will be discussing the MITRE ATT&CK Navigator and NIST 800 Navigator Summary reports. These are very beneficial reports for Blue Teamers to review after a SCYTHE campaign completes to understand detection and response. These two reports generate a JSON file that can be imported into MITRE’s ATT&CK Navigator.
What is NIST SP 800-53?
NIST SP 800-53, Security and Privacy Controls for Information Systems and Organizations, is a detailed document that describes multiple security and privacy controls. These are controls that should be in place to protect both the Federal Government and Critical Infrastructure Information Systems. Other industries also use these guidelines in an effort to protect their systems from threats. Risk assessments incorporate the NIST SP 800-53 because it is so detailed and covers many of the security domains. The most current version is NIST SP 800-53 Revision 5.
ATT&CK Navigator is fully customizable with multiple layers of the ATT&CK knowledge base that can be added to build out specific adversary techniques and tactics. While the ATT&CK Navigator we link to is hosted on Github, there is an option to host on premises if that is preferred. Instructions are in the README.md
Use ATT&CK Navigator with the SCYTHE Summary reports
1. Download the ATT&CK Navigator JSON file from SCYTHE
- Reports and Summaries are available upon successful run of a campaign. Click Reports on the left and see that all Campaigns are viewable in this section. Select the ATT&CK Navigator summary for the respective campaign. This will download the summary in a .JSON file.
2. Go to the Mitre ATT&CK Navigator and select Open Existing Layer.
3. Select Upload from local and import the ATT&CK Navigator JSON file
4. The techniques that are highlighted in red were successfully run within the campaign; meaning, there were no security controls in place to block their execution.
5. Right click on one of the red highlighted boxes for more options. Clicking on Select Technique or Select Tactic will take you to the MITRE ATT&CK page.
6. The MITRE ATT&CK page for the respective technique or sub-technique will have all the information a Blue Teamer needs to detect and respond to the TTP.
Utilize the NIST Summary reports generated by SCYTHE
- Download the NIST 800 JSON file from SCYTHE
Reports and Summaries are available upon successful run of a campaign. Click Reports on the left and see that all Campaigns are viewable in this section. Select the NIST 800 summary for the respective campaign. This will download the summary in a .JSON file.
- Follow the same steps to import the NIST 800 JSON file into ATT&CK Navigator.
- Techniques highlighted in red have been successfully executed and run in the campaign.
- Techniques highlighted in teal failed to run in the campaign. They may have been blocked by security controls and or an error occurred that caused it to fail.
- Techniques highlighted in light or dark blue indicate that they have mitigating NIST security controls and did not successfully execute.
- Techniques highlighted in white are not covered under NIST / technique was not used in the campaign
In order to view the NIST security controls that will mitigate each technique, mouse over the technique. Investigation into the mitigation controls will enable the Blue Team to determine how they can add the most feasible controls in order to protect against the specified technique.
Which techniques should the Blue Team focus on?
For both the ATT&CK Navigator and the NIST 800 Navigator Summary report, the Blue Team should focus on the techniques that are highlighted red. These are the techniques that successfully ran in the SCYTHE campaign and were not blocked by any security controls. Once the mitigation controls have been put in place, re-run the campaign and review the summaries to see if they reflect the changes. Team members who are working on a NIST SP 800-53 Risk Assessment would want to focus on the red, light and dark blue techniques. Risk Assessments must document both mitigated and non mitigated controls.
Blue Teams will find the summaries and integration with MITRE’s ATT&CK Navigator valuable because it integrates with the MITRE ATT&CK matrices and lists out the applicable NIST controls. This information will save the Blue Team time investigating to discover which controls apply to which technique.
SCYTHE's offers Blue Teams a way to gain real-world experience with new threat methodologies without putting the organization at risk.
SCYTHE adds value in knowing where you stand and speeding up the remediation process. Once the Blue Team has implemented the missing security controls and is ready to retest to see if any gaps remain; re-running the same campaign is ideal for consistency. The new summary will highlight anything that may have been missed in the mitigation. The Blue Team will not need to waste time reviewing every control and step to determine whether their defenses still have gaps; the SCYTHE reports will do this for them.
About the Author
Elaine Harrison-Neukirch has over 10 years of experience in cyber security working in the healthcare and financial services industries. She currently runs the customer support program at SCYTHE. Elaine loves giving back to the community and volunteers for the Cyber Security Non Profit (CSNP.org) and has written several blogs for them. Elaine advocates for Women in Cybersecurity; she is a member of both Women in Cybersecurity and Women’s Society of Cyberjutsu. Elaine has multiple certifications including CEH, Security + and Cyberops CCNA.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.