Intelligence-Led Adversarial Threat Modelling with VECTR

More and more organisations are beginning to realise the value of ATT&CK. But how can you bring your teams together to help nurture, develop and deploy a framework which consistently yields results?

This presentation details the approach developed by the Cyber Threat Intelligence team of a global bank, and how it worked together with defensive and offensive teams to deliver a compelling solution to uplift the organisation's security posture, one adversarial TTP at a time.

The corresponding workshop is designed to provide practical guidance to practitioners that they can adapt for their organisations. Key learning objectives include transforming countermeasure initiatives to be intelligence-led, and developing and deploying a threat library.

Intelligence-Led Adversarial Threat Modelling with VECTR

by Sajid Nawaz Khan, Principal Cyber Threat Intelligence Analyst


UPDATED: This README is designed to support the above workshop, originally titled Adversarial Threat Modelling — A Practical Approach to Purple Teaming in the Enterprise, which took place on Friday 11th September 2020 as part of x33fcon, and which was significantly refreshed and revised in September 2024.

System Requirements

Please ensure you have installed VirtualBox (or your preferred hypervisor) with its corresponding Extension Pack, followed by Ubuntu 22.04 LTS. Ideally, the virtual machine should be configured with at least 8GB of RAM, and 80GB of disk space. Note that this workshop is not compatible with Apple Silicon processors.

Installing VECTR

Detailed installation instructions are available on the VECTR Documentation site. The code below is provided for convenience, and is correct for version 9.6.5 of the Community Edition.

Installing Dependencies

```bash
sudo apt-get update
# unzip is needed later to extract the VECTR release package
sudo apt-get install ca-certificates curl git wget unzip

# Add Docker's official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the Docker apt repository, pinned to the key above
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

# Install Docker Engine and the Compose plugin (provides `docker compose`)
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

Installing VECTR

To minimise issues during the workshop, please continue with the default configuration options when installing VECTR. In production environments, reviewing and configuring the additional options in the .env file (in particular, replacing any default passwords and secrets) is strongly recommended.

```bash
sudo mkdir -p /opt/vectr && cd /opt/vectr

sudo wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-9.6.5/sra-vectr-runtime-9.6.5-ce.zip
sudo unzip sra-vectr-runtime-9.6.5-ce.zip
```

Updating the Hosts File

For a default install, add sravectr.internal to your hosts file as follows:

```bash
sudo nano /etc/hosts
# Extend the loopback entry so that it reads:
127.0.0.1   localhost   sravectr.internal
```

Using VECTR

Launching VECTR

Run `docker compose` to bring up the containers. This will take a few minutes on first launch, as Docker needs to pull the images and create the containers.

```bash
cd /opt/vectr
sudo docker compose up -d
```

Struggling to launch VECTR? List the containers with `sudo docker ps`, stop them with `sudo docker stop {containerID}` (or all at once with `sudo docker stop $(sudo docker ps -a -q)`), run `sudo docker system prune`, and try again. Note that `docker system prune` removes stopped containers, unused networks and dangling images, but leaves named volumes (and therefore your VECTR data) in place unless you pass `--volumes`.

Logging into VECTR

You should be able to access VECTR at https://sravectr.internal:8081/. The default username is `admin` and the password is `11_ThisIsTheFirstPassword_11`. Change this default password once you have logged in, even on a lab instance.

Safely Shutting Down VECTR

```bash
cd /opt/vectr
sudo docker compose down
```

Add Bash Aliases (Optional)

```bash
nano ~/.bashrc

# Add these entries
alias startvectr="cd /opt/vectr && sudo docker compose up -d"
alias stopvectr="cd /opt/vectr && sudo docker compose down"

# Reload the file so the aliases are available in the current shell
source ~/.bashrc
```

Upgrading VECTR

VECTR is actively maintained, with new features and bug fixes being made available throughout the year. In most cases, upgrading VECTR is as simple as replacing the existing docker-compose.yml file within your installation directory (usually /opt/vectr) with the newer version published under the Releases section of VECTR's GitHub repository. Check the release notes first, as some releases also require changes to the .env file.

```bash
# Safely shut down VECTR
cd /opt/vectr && sudo docker compose down

# Download the latest .zip release package via your browser
# https://github.com/SecurityRiskAdvisors/VECTR/releases
# e.g., sra-vectr-runtime-9.6.5-ce.zip

# Extract into a scratch directory (so the install directory is not overwritten
# wholesale) and, optionally, inspect the new docker-compose.yml
mkdir -p ~/vectr-upgrade && cd ~/vectr-upgrade
unzip ~/Downloads/sra-vectr-runtime-9.6.5-ce.zip
cat docker-compose.yml

# Back up the current compose file, move the new one into place, and deploy
sudo cp /opt/vectr/docker-compose.yml /opt/vectr/docker-compose.yml.bak
sudo mv ./docker-compose.yml /opt/vectr/
cd /opt/vectr && sudo docker compose up -d
```


Exercises

Importing Existing Datasets

  1. SRA Threat Simulation Index
  2. SRA Iran TTPs

Not recommended for production deployments!

  1. Atomic Red Team
  2. MITRE Enterprise ATT&CK CTI Bundle

Developing your Threat Library

Creating your own adversary emulation plan draws on the greatest strength of combining red teaming with your own threat intelligence: the behaviors are seen from real-world adversaries targeting you! — MITRE

  1. Malpedia
  2. MITRE Engenuity Adversary Emulation Library
  3. APT & Cybercriminals Campaign Collection

Generating Insights Using ipysigma/Gephi

Gephi and other link analysis tools can be used to surface trends within a VECTR dataset, allowing defenders to focus their efforts on prevalent techniques observed across a range of threat groups.

  1. Export your VECTR database via Environment ▶ Export Active Environment, and save it as VECTR.csv
  2. Create a Python venv, and install dependencies via pip install ipysigma networkx pandas
  3. Optionally, update threat_actor_include, threat_actor_exclude and year, and uncomment # vectr_df = vectr_filtered_df
  4. Run VECTR_Gephi_Directed.ipynb, and view VECTR_Directed.html
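The notebook step above builds the actor-to-technique graph with pandas and networkx. The following is an added example, not code from the workshop repository, that performs the same aggregation with the standard library only, so it can be run outside the notebook. The column names in `COLUMNS` and the rows in `SAMPLE_CSV` are assumed and constructed for illustration; match them to the header of your own VECTR.csv export. The script applies the same include/exclude/year filters as step 3, ranks techniques by how many distinct actors use them (the in-degree Gephi would size nodes by), and emits a Source/Target/Type edge list that Gephi's Import Spreadsheet dialog accepts.

```python
"""Directed adversary -> ATT&CK technique graph from a VECTR CSV export.

Added example (not part of the workshop notebook). Standard library only.
"""
import csv
import io
from collections import defaultdict

# ASSUMED column names: check the header row of your VECTR.csv and adjust.
COLUMNS = {"actor": "Threat Actor", "technique": "Technique ID", "year": "Year"}

# Constructed sample rows standing in for a real Export Active Environment CSV.
SAMPLE_CSV = """Threat Actor,Technique ID,Year
APT-A,T1059.001,2023
APT-A,T1566.001,2023
APT-A,T1003.001,2022
APT-B,T1059.001,2024
APT-B,T1566.001,2024
APT-C,T1059.001,2024
APT-C,T1021.002,2021
"""


def load_edges(csv_text, include=None, exclude=None, year=None):
    """Return the set of (actor, technique) edges after applying the filters.

    include: keep only these actors (all actors when empty or None).
    exclude: drop these actors; applied after include, so exclude wins.
    year:    keep only rows whose year column equals this value.
    """
    include = set(include or [])
    exclude = set(exclude or [])
    edges = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        actor = row[COLUMNS["actor"]].strip()
        technique = row[COLUMNS["technique"]].strip()
        if include and actor not in include:
            continue
        if actor in exclude:
            continue
        if year is not None and row.get(COLUMNS["year"], "").strip() != str(year):
            continue
        edges.add((actor, technique))
    return edges


def technique_prevalence(edges):
    """Number of distinct actors observed using each technique (in-degree)."""
    counts = defaultdict(int)
    for _, technique in edges:
        counts[technique] += 1
    return dict(counts)


def rank_techniques(edges):
    """Techniques ordered most-shared first; ties broken by technique ID."""
    return sorted(technique_prevalence(edges).items(), key=lambda kv: (-kv[1], kv[0]))


def gephi_edge_list(edges):
    """Serialise edges as a CSV that Gephi's Import Spreadsheet dialog reads."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["Source", "Target", "Type"])
    for actor, technique in sorted(edges):
        writer.writerow([actor, technique, "Directed"])
    return out.getvalue()


if __name__ == "__main__":
    all_edges = load_edges(SAMPLE_CSV, exclude=[], year=None)
    for technique, n in rank_techniques(all_edges):
        print(f"{technique}: used by {n} actor(s)")
    print(gephi_edge_list(all_edges))
```

Techniques at the top of the ranking are those shared across the most threat groups in your library, which is the prioritisation signal the Gephi view is meant to surface; the edge list can be saved to a file and loaded into Gephi as an edges table.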

Further Reading

Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. — MITRE

  1. Getting Started with ATT&CK: Threat Intelligence
  2. Getting Started with ATT&CK: Adversary Emulation and Red Teaming
  3. Thai CERT Threat Actor Encyclopedia
  4. Recorded Future Threat Intelligence Handbook
  5. Adversary Emulation using CALDERA by Erik Van Buggenhout
  6. Assess Your Data Potential with ATT&CK Datamap by Olaf Hartong
  7. Purple Team Exercise Framework by SCYTHE
  8. Threat Modeling: As Easy as OATMEAL by Elastic

Tools

  1. MITRE ATT&CK Navigator
  2. ATT&CK Powered Suit -- Browser extension / ATT&CK reference
  3. Threat Report ATT&CK Mapping (TRAM) -- For rapid triage
  4. MACAT
  5. Sigma

Support

  1. VECTR Documentation
  2. VECTR Video Guides
  3. VECTR Issues on Github
  4. SRA VECTR Homepage

I'd love to hear your thoughts and feedback. Feel free to say hello at @snkhan@infosec.exchange or via LinkedIn.


#cti #threatintelligence #purpleteam #redteam #blueteam #adversaryemulation #adversarysimulation #vectr #mitre