Purple teaming should always be intelligence-lead adversary emulation. If it isn’t then quite frankly you aren’t doing it right. It’s hard to defend against something you have never seen, and it’s pointless spending resources defending against something you likely will never see.
Intelligence lead purple teaming simply means you are acting on knowledge you have acquired about threat actors, which therefore better equips you in a purple teaming exercise. The reason for this is to avoid a wide scoped, vague or non-targeted purple team exercise.
Adversary emulation is the act of attacking by using the same methodology and approach as your most likely attackers would. We do this not only to test the resiliency of our environment but also to better equip ourselves to harden our environment against the malicious methods we are most likely to face.
Not all teams are fortunate enough to have a budget that covers threat intelligence (TI), so here is a little something you can do to gather your own pre-purple TI data.
The tool I am using was created by MITRE ATT&CK, you can find it here.
A simple way to find which attacking groups may be targeting you, and which methodologies that are applicable to you is to search from the main page welcome bar for keywords, such as your industry. Below I searched telecommunications as an example.
When you arrive on the home page of attack-navigator you will be presented with a pretty exhaustive list of Tactics, Techniques and Procedures (TTP’s) grouped in to a series of categories based on attack types.
In this example we are acting as a telecommunications company, we are presented with intelligence to inform us that deep panda and APT 28 were particularly active at the moment, and we want to asses our likelihood for facing attacks with specific TTP’s from these two threat actors.
Using the multi tool (I have added a red dot for visibility) scroll down and select Deep Panda. You will notice all TTP’s known to be used by Deep panda will be made more prominent with a box surround.
Lets make that even more prominent and give it a threat score, with aligning colours. In the search bar go to the paint pallet.
I know it’s quite common to class a number 1 as high, but my brain just does not work that way. For me number 1 is a low value so I represent that in my colour palate. Feel free to fiddle about with the colour settings to meet whatever need you may have.
Be sure to high light the ‘show’ box so that the settings are reflected in your work.
Move on to the graph icon, here we are assigning a score to the TTP’s based on the prevalence of the threat actor and how applicable they are to us.
The layer named Deep Panda now visually shows us that it’s TTP’s are of high priority to us. Very useful for presentations, reports and subsequent emulation plans for purple team exercises.
We assign Deep Panda a high score because we are aware that Deep Panda target telco’s and we want to make ourselves aware of how they do that. We go ahead and give them a score of 3/3.
After a quick search on MITRE ATT&CK framework and google we discover that APT 28, although notorious and prolific aren’t likely to find us an appealing target, we’er not US based and aren’t a government body.
We want to avoid giving APT 28 the same level of prioritisation as Deep Panda, but we still want to remain savvy to the TTP’S because this hypothetical telco company provides services to several 3rd parties of government that just so happen to be based in the US.
Compromising our telco is a step in the right direction for attackers that want to gain access to critical national infrastructure (CNI) through a supply chain attack. Let’s go ahead and give it a low score of 1. We want to defend ourselves against APT 28, but not before we defend ourselves against Deep Panda.
Create a different work space for APT 28, this is referred to as a layer and new layers can be created by clicking the + button on the top left.
Now all of the APT 28 TTP’s are green, this is an indication of the priority status to us, but you can change the colour to suit your own needs.
Lets combined the 2 layers now so that they are presented in the same layer for easy viewing.
Add a new tab/layer and select ‘create layer from layers’.
You will notice that our two layers are assigned labels ‘a’ and ‘b’.
You have the ability now to add the two layers together. Both groups may use the same TTP’s and because I don’t want the priority of the TTP’s to visually change I need to add my layers together to reflect this.
I want the TTP to remain critical (red) to show that the infrastructure needs hardening against the TTP, so I will add b to a, rather than a to b. This prioritises Deep Panda’s coloured threat settings and presents any TTP used by APT 28 AND Deep Panda as red and not green.
We are presented with the below layer that shows the differences in methodologies between the two groups.
If you want to export this data set you can do so in a number of formats, here I downloaded the information in to excel format.
I’ll remove all non-coloured fields so that I am left with only the TTP’s I want to go in to my adversary emulation plan.
Thanks to the community work done by @MITRE ATTACK we all have a wealth of easily digestible information about known threat actors at our finger tips. Enjoy exploring!