SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

Tagging Issues #156

Closed arishwani closed 2 years ago

arishwani commented 2 years ago

Hi Team,

So when I perform the test case and the command or activity does not get detected or alerted on by the security tools, there is an option called "Not Detected" that I have to choose, and when I choose the "Not Detected" option it becomes part of the metric, which can be misleading. For example, let's say that an Atomic Red Team test case is about using WinRAR to encrypt data and then upload it to somewhere the user wants; this can be used maliciously as part of exfiltration if it is accompanied by other malicious activities performed during the exploitation phase. Now, the WinRAR application has been used to encrypt the data, but this wouldn't get detected by our security tools; rather, the event gets logged, because WinRAR is a common tool and it is not useful to create an alert to detect every activity that is done by this tool. This is just one example; there are other commands and tools. Another example would be using the command "whoami": this by itself wouldn't get detected and alerted on, but rather gets logged. Then, even when I choose that the event is logged, I would still have to choose that this test is not detected by our security tool. Therefore, when the metric is generated it creates a false sense of security, since the VECTR metric is showing that it is "Not Detected"?

Is there a way to use VECTR effectively and/or any suggestion that would limit this issue?

Regards, thank you, Ali

pwainwright commented 2 years ago

Hello Ali,

You bring up a good point. There are certainly many benign test cases you can run where there is not an expected alert or block without further correlation or weaponized payloads. For the examples you noted I would use Vectr's tagging system to exclude these tests from metrics if you do not want them scorable. For example, you can create tags such as "Informational", "Not Scored", "Benign", etc. and use the advanced reporting filters drop-down in the top right of the reporting screen to exclude these tags from metrics, the heat map, and other reporting screens.

On a related note, the upcoming release in 2022 of custom outcome reporting will allow you to define new top-level outcome "buckets" such as "Not Detected, but Logged" or any custom ones, and show them in a custom color of your choosing in the reporting screens. Tag-based reporting exclusions sound more ideal for this scenario, but this might be helpful in the future for other custom reporting needs.
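To make the two options above concrete, here is an added example (not VECTR's own code or data model) that scores a small constructed set of test-case records both ways: first by excluding tag-marked benign cases from the detection rate, then by splitting "Not Detected" into a separate "Not Detected, but Logged" bucket. The record fields, tag names and the set of outcomes counted as a hit are assumptions.

```python
# Added example, not VECTR's code: two ways of keeping benign "Not Detected"
# results from dragging down a detection metric. Field names, tags and the
# SCORED_OUTCOMES set are assumptions for illustration.
from collections import Counter

# Constructed sample: outcome as recorded, whether telemetry was logged,
# and tags the tester applied.
TEST_CASES = [
    {"name": "WinRAR archive and upload", "outcome": "Not Detected",
     "logged": True, "tags": ["Informational"]},
    {"name": "whoami discovery", "outcome": "Not Detected",
     "logged": True, "tags": ["Benign"]},
    {"name": "credential dump", "outcome": "Detected",
     "logged": True, "tags": []},
    {"name": "payload dropped to disk", "outcome": "Blocked",
     "logged": True, "tags": []},
    {"name": "scheduled task persistence", "outcome": "Not Detected",
     "logged": False, "tags": []},
]

EXCLUDED_TAGS = {"Informational", "Not Scored", "Benign"}
SCORED_OUTCOMES = {"Detected", "Blocked"}  # assumption: what counts as a hit


def scorable(cases, excluded=EXCLUDED_TAGS):
    """Tag-based exclusion: drop any case carrying an excluded tag."""
    return [c for c in cases if excluded.isdisjoint(c["tags"])]


def detection_rate(cases):
    """Fraction of cases with a scored outcome; None when nothing is scorable."""
    if not cases:
        return None
    hits = sum(c["outcome"] in SCORED_OUTCOMES for c in cases)
    return hits / len(cases)


def bucket(case):
    """Custom-outcome approach: separate 'Not Detected' cases that were logged."""
    if case["outcome"] == "Not Detected" and case["logged"]:
        return "Not Detected, but Logged"
    return case["outcome"]


def outcome_buckets(cases):
    """Count cases per reporting bucket without excluding any of them."""
    return Counter(bucket(c) for c in cases)


if __name__ == "__main__":
    print("raw rate:", detection_rate(TEST_CASES))              # 0.4
    print("tag-filtered rate:", detection_rate(scorable(TEST_CASES)))
    print("buckets:", dict(outcome_buckets(TEST_CASES)))
```

With the sample data the raw rate is 0.4, the tag-filtered rate rises to 2/3, and the bucketed view keeps all five cases while showing that only one "Not Detected" result had no telemetry at all.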

arishwani commented 2 years ago

Great suggestion and thank you very much.