Many SCYTHE customers like to track their red and purple team exercises in a free reporting tool called VECTR. VECTR is maintained by Security Risk Advisors and we have been working with them on integrations for over a year. Naturally, we help our customers set up VECTR so that they can import SCYTHE campaigns more easily. Normally, you have to manually fill out each test case in VECTR. By importing from SCYTHE, you will get all of the Red Team details and only have to fill out the Blue Team side. This is a quick start guide that should help you set up VECTR with SCYTHE integration.
If you want a dedicated system for VECTR, then create an Ubuntu Virtual Machine wherever you want (AWS, Azure, GCP, Digital Ocean, etc). VECTR recommendation is an Amazon t3.medium instance which translates to:
- 2 vCPUs
- 4GB Memory
- 100+Gb free space
- Internet access to GitHub and DockerHub
If you want to use a distribution that already has VECTR, then check out the SANS Slingshot C2 Matrix Edition virtual machine.
For a new Ubuntu system, open a shell to prepare for the installation:
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
"deb [arch=amd64] https://download.docker.com/linux/ubuntu \
$(lsb_release -cs) \
sudo apt update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose unzip
sudo apt upgrade
sudo systemctl enable docker
Install VECTR with the following commands:
mkdir -p /opt/vectr
Now customize your install:
sudo vim .env
Edit these fields:
- APP_NAME= This is the "name" displayed by the application at the login screen.
- VECTR_HOSTNAME= This is the URL you will be accessing VECTR from
- VECTR_PORT= This is the port the Tomcat instance will be listening on for HTTPS
- VECTR_DATA_KEY= This is the encryption key for the Mongo database. Needed for future integrations or potentially data recovery. Change this and store in a safe place.
- JWS_KEY= JWT signing (JWS) Do not use the same value for both signing and encryption! It is recommended to use at least 16 characters. You may use any printable unicode character
- JWE_KEY= JWT Encryption Key(JWS) Do not use the same value for both signing and encryption! It is recommended to use at least 16 characters. You may use any printable unicode character
- MONGO_INITDB_ROOT_PASSWORD= This is the password for the default login of the MongoDB. You may need this in the future if manual access to your database is required. Change and store in a safe place.
- COMPOSE_PROJECT_NAME= project name you would like to name the containers
- Add this line so you can import SCYTHE campaigns:
docker-compose up -d
Using VECTR for the first time
Login to VECTR:
- Navigate to https://<VECTR_HOSTNAME>:<VECTR_PORT>
- Accept the invalid certificate.
- User: admin
- Password: 11_ThisIsTheFirstPassword_11
On the Select Your Organization screen:
- Click the +
- Fill out the information for your organization
On the Select Session Database screen:
- Click the +
- Give your new database a name
In the Assessments screen:
- Click Create New
- Provide a Name and Description
- Click Save
Import SCYTHE campaigns
To import your first SCYTHE campaign
- Click the assessment where you want to import a campaign
- Click Assessment Actions on the top right
- Import log
- Select the CSV from your SCYTHE campaign
Click on the new assessment that was imported and you will see the escalation path, timeline, and test cases.
Importing a SCYTHE log to VECTR provides the following information per TTP (called a Test Case in VECTR) that executed in your campaign:
- Test Case Name
- Attack Start
- Attack Stop
- MITRE ATT&CK Technique Mapping
- MITRE ATT&CK Tactic Mapping
- Operator Guidance
- Attacker Tool
- Target Asset
- Outcome notes
Now all you have to do is select the Blue Team outcome for the TTP. Was the TTP:
- Not Detected (but maybe logged locally)
You can also select the time of the detection and the security tool that detected the TTP.
As we have performed many Purple Team exercises using SCYTHE and importing it into VECTR, we have a few best practices:
- Download the CSV report per device/process ID, not the entire campaign. In the image below, you would download the CSV for DESKTOP-D6823U3~408 and GEORGYP1~20008
- Only tag one MITRE ATT&CK technique per action in SCYTHE. VECTR has a 1 to 1 mapping between a SCYTHE TTP and ATT&CK technique. To get around this limitation, you can copy the test case in VECTR after importing the log.
- Add a new case for Execution based on how the SCYTHE payload was executed. Here is a blog with test case ideas.
- Copy the “payload shutdown” test case and set it as the C2 channel. We generally set that for the time the initial execution happened. The “payload shutdown” is when the attack is completed.
- Create tags in VECTR for:
Logged but no alert
Alert but no Response
One of the best features of VECTR is how it can show historical trends over various adversary emulations. It is assumed you will run the emulation more than once to show the delta of what has improved. This is one of the reasons that SCYTHE is the leading purple team tool, it allows you to emulate the same TTPs consistently and reliably so you can focus on improving and training your people, process, and technology.
Run the same emulation again after you have performed some detection engineering and enabled logs and alerts. Import the CSV from SCYTHE, fill out the Blue Team side for the outcome and use the tags as outlined in the best practices. Next go to the Reports section on the left side of VECTR. There are multiple options to view the results of the emulations:
- Metrics - high level pie charts of total test cases, detected, blocked, and failed.
- Test Case Drilldown - list of all test cases
- Historical Trending - show the improvement emulation over emulation
- Heat Map - MITRE ATT&CK Heat Map (not a Bingo card) that shows
Importing SCYTHE campaigns into VECTR is simple thanks to the integrations we have created with Security Risk Advisors. Being able to emulate the same TTPs consistently and reliably will allow accurate metrics for showing how your program has tested, measured, and improved your people, process, and technology.