January 7, 2020 | Posted in Purple Teams by Mike Pinch
International political relationships sometimes have the potential to create an elevated risk of cyber-attacks. In light of recent events, there are escalated concerns about attacks from Iranian-based APT groups, but regardless of whether these particular groups make an impact, there will continue to be threats from new and existing APT groups from around the world.
A well-designed threat intelligence program helps an organization understand its most likely and most impactful threats and use that understanding to drive program improvements. Many of our clients that utilize the VECTR™ platform do so not just as a purple team management tool, but also as a way to operationalize threat intelligence against their defense success metrics. An organization that records its results within the VECTR™ platform has a quick and simple method to see where gaps exist that need to be addressed.
In situations involving known threat actors, threat intel programs typically identify specific threat actor groups to consider. MITRE has an excellent repository of this information available as a starting point. A sample of relevant threat groups is listed below, with mappings to their MITRE group profiles:
- APT33 – https://attack.mitre.org/groups/G0064/
- OilRig / APT34 – https://attack.mitre.org/groups/G0049/
- APT39 – https://attack.mitre.org/groups/G0087/
- Charming Kitten – https://attack.mitre.org/groups/G0058/
- CopyKittens – https://attack.mitre.org/groups/G0052/
- MuddyWater – https://attack.mitre.org/groups/G0069/
MITRE continues to provide regular updates on the ATT&CK website for new and updated threat group activity, techniques, tools, and malware attributed to various threat groups. In addition to the wealth of information on the wiki, MITRE’s Cyber Threat Intelligence (CTI) from ATT&CK is available on GitHub (https://github.com/mitre/cti) as STIX 2.0 bundles that can be directly consumed by platforms like VECTR™. Because our existing purple team datasets are active in VECTR, we can generate reports that show how our existing purple team testing coverage stacks up against the techniques and procedures observed from selected threat actor groups, or collectively across the entire ATT&CK framework. The following screenshots show how to do this with a sample dataset.
Screenshot: sample dataset showing the MITRE ATT&CK™ Heatmap Report filtered on one or more APTs.
When filtering is complete, we see a filtered list of the attack techniques used by APT33, color coded by the most recent assessment status of each purple team test case mapped to the associated technique IDs. In this dataset, the red/orange/yellow boxes are techniques the selected threat actors tend to exploit and where the organization’s defenses need the most improvement. The grey boxes are techniques that haven’t yet been covered in purple team testing, so you know what to tackle next.
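The two steps behind that report, consuming the STIX 2.0 bundle and colouring each technique by its latest test outcome, can be reproduced outside VECTR. The following Python is an added example, not VECTR's code: it walks a constructed bundle in the shape of MITRE's enterprise-attack.json (intrusion-set and attack-pattern objects joined by "uses" relationships, ATT&CK ids carried in mitre-attack external references), resolves the techniques a group is observed using, skips revoked or deprecated objects, and marks techniques with no purple team result as "not tested". The STIX ids, the T9999 technique and the outcome labels are made up for the example; only G0064 (APT33) comes from the post, and json.load() of the real bundle can replace SAMPLE_BUNDLE.

```python
# Constructed, minimal bundle in the shape of MITRE's enterprise-attack.json STIX 2.0 bundle.
# The STIX ids and "T9999" are made up for this example; only G0064 (APT33) comes from the post.
def _ref(obj_type, n):
    return f"{obj_type}--00000000-0000-4000-8000-0000000000{n:02x}"  # syntactically valid STIX id

SAMPLE_BUNDLE = {"type": "bundle", "id": _ref("bundle", 0), "spec_version": "2.0", "objects": [
    {"type": "intrusion-set", "id": _ref("intrusion-set", 1), "name": "APT33",
     "external_references": [{"source_name": "mitre-attack", "external_id": "G0064"}]},
    {"type": "attack-pattern", "id": _ref("attack-pattern", 2), "name": "Phishing",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
    {"type": "attack-pattern", "id": _ref("attack-pattern", 3), "name": "Command and Scripting Interpreter",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
    {"type": "attack-pattern", "id": _ref("attack-pattern", 4), "name": "OS Credential Dumping",
     "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
    {"type": "attack-pattern", "id": _ref("attack-pattern", 5), "name": "Placeholder retired technique",
     "revoked": True, "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}]},
] + [{"type": "relationship", "id": _ref("relationship", 10 + n), "relationship_type": "uses",
      "source_ref": _ref("intrusion-set", 1), "target_ref": _ref("attack-pattern", n)} for n in (2, 3, 4, 5)]}

def attack_id(obj):
    """Return the ATT&CK id (G.../T...) from an object's mitre-attack external reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref.get("external_id")
    return None

def techniques_for_group(bundle, group_id):
    """Follow 'uses' relationships from the intrusion-set with ATT&CK id group_id to the
    technique ids it is observed using; revoked or deprecated objects are ignored."""
    objs = {o["id"]: o for o in bundle["objects"]
            if not (o.get("revoked") or o.get("x_mitre_deprecated"))}
    group_refs = {sid for sid, o in objs.items()
                  if o["type"] == "intrusion-set" and attack_id(o) == group_id}
    used = set()
    for o in objs.values():
        if o["type"] == "relationship" and o.get("relationship_type") == "uses" \
                and o["source_ref"] in group_refs:
            target = objs.get(o["target_ref"])  # None if the technique was revoked/deprecated
            if target and target["type"] == "attack-pattern":
                used.add(attack_id(target))
    return used

def coverage_report(technique_ids, test_results):
    """Map each technique to its latest purple team outcome, or 'not tested' (the grey cells
    of the heatmap). test_results is {technique_id: outcome}; the outcome labels are assumed."""
    return {t: test_results.get(t, "not tested") for t in sorted(technique_ids)}

# Constructed purple team results: T1003 has never been exercised, T1078 is not used by the group.
SAMPLE_RESULTS = {"T1566": "blocked", "T1059": "not detected", "T1078": "alerted"}
```

Calling `coverage_report(techniques_for_group(SAMPLE_BUNDLE, "G0064"), SAMPLE_RESULTS)` yields the per-technique view the heatmap draws, with T1003 flagged as the untested gap.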
Because an organization can instantly understand its expected defense success against these threat actors, this is a powerful tool for prioritizing mitigations and use cases for new alerts. It becomes both a tactical action plan for security operations teams and a strategic communication vehicle for leadership, conveying your understanding of threats and demonstrating the vigilance of the information security program.
If you’re not already performing purple teams with VECTR™, but want to start modeling out these threat actor tactics, it’s not difficult to get started. VECTR™ includes the ability to drag and drop STIX 2.0 data from the MITRE ATT&CK™ framework and use this CTI to plan your own assessments and threat emulations. In the next major release of VECTR we will open a public TAXII server to enable community-driven sharing and enrichment of CTI data, including new assessment plans for threat analysts and red teamers, and detection rules & analytics for defenders.
- In Administration, import from Enterprise ATT&CK (Full)
- Select the specific APT groups you’d like to bring in
- Filter test cases if desired
- Create a dedicated campaign based on these threat actor groups’ techniques
You can use VECTR™ entirely for free: download the latest version on GitHub (https://github.com/SecurityRiskAdvisors/VECTR) and join the VECTR community mailing list at vectr.io to stay up to date with new releases and upcoming features.