More and more organisations are beginning to realise the value of ATT&CK. But how can you bring your teams together to help nurture, develop and deploy a framework which consistently yields results?
This presentation details the approach developed by the Cyber Threat Intelligence team of a global bank, and how it worked together with defensive and offensive teams to deliver a compelling solution to uplift the organisations' security posture; one adversary TTP at a time.
The corresponding workshop is designed to provide practical guidance to practitioners that they can adapt for their organisations. Key learning objectives will include transforming countermeasure initiatives to be intelligence-led, and developing and deploying a threat library.
by Sajid Nawaz Khan, Principal Cyber Threat Intelligence Analyst
UPDATED: This README is designed to support the above workshop, originally titled Adversarial Threat Modelling — A Practical Approach to Purple Teaming in the Enterprise, which took place on Friday 11th September 2020 as part of x33fcon, and which was significantly refreshed and revised in September 2024.
Please ensure you have installed VirtualBox (or your preferred hypervisor) with its corresponding Extension Pack, followed by Ubuntu 22.04 LTS. Ideally, the virtual machine should be configured with at least 8GB of RAM, and 80GB of disk space. Note that this workshop is not compatible with Apple Silicon processors.
Detailed installation instructions are available on the VECTR Documentation site. The code below is provided for convenience, and is correct for version 9.5.3 of the Community Edition.
sudo apt-get update
sudo apt-get install ca-certificates curl git wget
# Add Docker’s official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc
echo \
"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
# Install Docker
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
To minimise issues during the workshop, please continue with default configuration options when installing VECTR. In production environments, configuring additional options within the .env
file is strongly recommended.
sudo mkdir -p /opt/vectr
cd /opt/vectr
sudo wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-9.5.3/sra-vectr-runtime-9.5.3-ce.zip
sudo unzip sra-vectr-runtime-9.5.3-ce.zip
For a default install, add sravectr.internal
to your hosts file as follows:
sudo nano /etc/hosts
127.0.0.1 localhost sravectr.internal
Run a docker compose command to bring up the containers. This will take a few minutes as Docker will need to download the images and then build the containers.
cd /opt/vectr
sudo docker compose up -d
Struggling to launch VECTR? Run sudo docker ps
, sudo docker stop {containerID}
(or sudo docker stop $(docker ps -a -q)
) and sudo docker system prune
and try again.
You should be able to access VECTR at https://sravectr.internal:8081/. The default username is admin
and the password is 11_ThisIsTheFirstPassword_11
.
cd /opt/vectr
sudo docker-compose down
nano ~/.bashrc
# Add these entries
alias startvectr="cd /opt/vectr && sudo docker compose up -d"
alias stopvectr="cd /opt/vectr && sudo docker compose down"
Not recommended for production deployments!
Creating your own adversary emulation plan draws on the greatest strength of combining red teaming with your own threat intelligence: the behaviors are seen from real-world adversaries targeting you! — Mitre
- Malpedia
- MITRE Engenuity Adversary Emulation Library
- APT & Cybercriminals Campaign Collection
- Palo Alto Networks Unit 42 Playbooks
Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. — MITRE
- Getting Started with ATT&CK: Threat Intelligence
- Getting Started with ATT&CK: Adversary Emulation and Red Teaming
- Thai CERT Threat Actor Encyclopedia
- Recorded Future Threat Intelligence Handbook
- Adversary Emulation using CALDERA by Erik Van Buggenhout
- Assess Your Data Potential with ATT&CK Datamap by Olaf Hartong
- Purple Team Exercise Framework by SCYTHE
- Threat Modeling: As Easy as OATMEAL by Elastic
- MITRE ATT&CK Navigator
- ATT&CK Powered Suit -- Browser extension / ATT&CK reference
- Threat Report ATT&CK Mapping (TRAM) -- For rapid triage
- Sigma
I'd love to hear your thoughts and feedback. Feel free to say hello at @snkhan@infosec.exchange or via LinkedIn.
#cti #threatintelligence #purpleteam #redteam #blueteam #adversaryemulation #adversarysimulation #vectr #mitre