unfetter-discover / unfetter

The main project for the Unfetter-Discover application. This is the project that will hold the configuration files, the docker-compose files, issue tracking, and documentation

Red Team operations #1161

Closed WJDigby closed 5 years ago

WJDigby commented 6 years ago

I wanted to start a dialogue regarding potential / future use of Unfetter for recording red team operations. As I'm sure you're aware, many red teams (both internal teams and consultants) now use the MITRE ATT&CK framework as a means to organize assessments and report findings (not in terms of specific vulnerabilities, but rather strengths and weaknesses in defensive coverage across the enterprise). From what I gather in researching and exploring Unfetter Discover, this is not its intended use, but may be part of a future development path (https://nsacyber.github.io/unfetter/unfetter-future.html - Purple Team Operations Planner).

A tool like this is definitely needed to move red teams away from spreadsheets, and possibly bring them into closer alignment with blue teams, hunt teams, analysts, etc. Let me know if it would be beneficial for the Unfetter team to continue this discussion in greater detail, or if I could assist by documenting needs, testing, etc.

Thank you for the excellent tool.

thebleucheese commented 6 years ago

@WJDigby Hey, we have an unfetter install locally in our lab and really like it for planning/initial risk analysis. I don't mean to hijack or take away from what's being done here at all, since unfetter is an awesome project for the community, so hopefully they'll let me know if this is the inappropriate place for this... We have a tool we've been working on for the past few years that we use on our purple teams called VECTR (https://vectr.io/); it's meant for operator tracking and tool effectiveness reporting. I think that may be closer to what you're looking for right now? It's free to download and use, but the source is proprietary (at least for the moment).

Our roadmap has STIX compatibility coming really soon - allowing you to import STIX data to generate test case skeletons and assessments from community threat intel. I just wrote a taxii server that we're going to use for interoperability between us and other tools out there (like unfetter). We're always looking for feedback and how to work better with other tools and teams in the security space. I think it serves as a pretty good companion next to unfetter if you're doing active red or purple teaming.

infosec-alchemist commented 6 years ago

Thanks for the great questions. And I'll certainly check out vectr.

We have done some board drawings of how we could extend Unfetter to support purple team planning. I think what I want to know is what outcome you wish to get from a purple team tracking system, and how could you see those results being used to improve a network's protections?

Also, we do have TAXII servers and clients coming out in the next release, so you could push/pull from products like vectr. We have to create extended objects to support our assessments, but there are a lot of STIX objects, like Campaigns, that are great for purple team systems.

WJDigby commented 6 years ago

Thanks for the quick response.

At a high level, the outcome from a purple team tracking system would likely be a sort of heat map of what ATT&CK techniques have been tested, and the results of those tests. Results could be used to improve a network's protections by helping the organization identify gaps in defensive tooling and analytics, or weaknesses in the processes that support those defenses.

More specifically, a system might track:

CMMI-like maturity levels seem common for measuring elements like prevention and detection, even if the ratings are qualitative at some level.

Let me know if that makes sense, and where I could provide more detail.

infosec-alchemist commented 6 years ago

Thanks, that is some good feedback.

Tracking the given campaign / operation / exercise could be done now with the Threat Dashboard. However, we are about to redesign it to be easier for data entry.

Tracking the "Results", I would assume, would be text, maybe with a pass/fail rating to see if the objective was met? That might be the one thing we don't have, but we could support it. The threat dashboard is assuming that it's tracking successful campaigns. Unsuccessful would be just as interesting also.

WJDigby commented 6 years ago

I will have to revisit the Threat Dashboard in the existing release.

Often I think results are scored on a somewhat qualitative 0-5 or 1-5 grade scale.

Here's an example using 0-5 (None, Poor, Fair, Good, Very Good, Excellent). Though that heat map was built for Threat Hunting, the same principle applies. "0" would imply the ATT&CK technique was successful and went undetected, whereas "5" would imply the technique was detected and prevented as well as one could hope it to be. I suspect individual teams might want the flexibility to define or incorporate their organization's scale. Not sure how hard that flexibility would be to incorporate.

ghost commented 6 years ago

Hi,

I too am interested in how this could be used to track purple team style engagements, and this seems a great tool. However, I am struggling to find a way to add techniques to an intrusion set. I have created a new Intrusion Set from the STIX section, then gone to the Intrusion Set Dashboard and chosen the Intrusion Set I have just created, but there does not seem to be a way to add/drag the Technique from the heatmap to the Intrusion Set? Am I missing something?

This way you could build your purple team exercise up adding a new intrusion set each detailing only those techniques used in the attack and track the ability of the blue team to detect and respond through an assessment.

ghost commented 6 years ago

@mpgough, the Intrusion Set Dashboard only shows the relationship between intrusion sets and attack patterns; it does not allow you to perform any edits of those relationships. You will need to add a STIX relationship in the database to associate an intrusion set with the attack patterns it uses. You will have to do this manually, as there is currently no way to add relationships using the UI.
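The manual STIX relationship described in this reply, together with the 0-5 (None to Excellent) heat map scale discussed earlier in the thread, as an added Python example that is not part of Unfetter or any commenter's code: it builds plain STIX 2.0 `uses` relationships from an intrusion set to attack patterns, resolves them the read-only way the dashboard does, and scores the tested techniques. All ids are constructed placeholders, and nothing is assumed about how Unfetter wraps STIX objects in its own database.

```python
import json
import uuid
from datetime import datetime, timezone

# Constructed sample STIX ids (placeholders, not real ATT&CK or Unfetter ids).
EXERCISE = "intrusion-set--1c2a6d2e-5f1b-4c1e-9a6b-0d3f2a4b5c6d"
ATTACK_PATTERNS = {
    "attack-pattern--2b3c4d5e-6f70-4a81-92b3-c4d5e6f70a81": "Spearphishing Attachment",
    "attack-pattern--3c4d5e6f-7081-4b92-a3c4-d5e6f7081b92": "PowerShell",
    "attack-pattern--4d5e6f70-8192-4ca3-b4d5-e6f70819c2a3": "Credential Dumping",
}
SCALE = ["None", "Poor", "Fair", "Good", "Very Good", "Excellent"]  # 0-5 as in the thread


def make_uses_relationship(source_ref, target_ref, created=None):
    """Build a STIX 2.0 'uses' relationship from an intrusion set to an attack pattern."""
    if not source_ref.startswith("intrusion-set--"):
        raise ValueError("source_ref must be an intrusion-set id")
    if not target_ref.startswith("attack-pattern--"):
        raise ValueError("target_ref must be an attack-pattern id")
    ts = (created or datetime.now(timezone.utc)).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return {"type": "relationship", "id": "relationship--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "relationship_type": "uses",
            "source_ref": source_ref, "target_ref": target_ref}


def techniques_used_by(objects, intrusion_set_id):
    """Resolve intrusion-set -> attack-pattern links the read-only way the dashboard does."""
    return {o["target_ref"] for o in objects
            if o.get("type") == "relationship" and o.get("relationship_type") == "uses"
            and o.get("source_ref") == intrusion_set_id
            and o.get("target_ref", "").startswith("attack-pattern--")}


def heat_map(objects, intrusion_set_id, results):
    """Score each technique of the exercise on the 0-5 scale; untested ones stay None."""
    out = {}
    for ap_id in techniques_used_by(objects, intrusion_set_id):
        score = results.get(ap_id)
        if score is not None and score not in range(6):
            raise ValueError(f"score for {ap_id} must be 0-5")
        label = SCALE[score] if score is not None else "untested"
        out[ATTACK_PATTERNS.get(ap_id, ap_id)] = (score, label)
    return out


def build_exercise():
    """Constructed exercise: three linked techniques, two of them scored so far."""
    rels = [make_uses_relationship(EXERCISE, ap) for ap in ATTACK_PATTERNS]
    results = {list(ATTACK_PATTERNS)[0]: 4, list(ATTACK_PATTERNS)[1]: 0}
    return rels, heat_map(rels, EXERCISE, results)


if __name__ == "__main__":
    rels, hm = build_exercise()
    print(json.dumps(rels[0], indent=2))  # one relationship ready to insert into the STIX store
    for name, (score, label) in sorted(hm.items()):
        print(f"{name:<25} {str(score):>4}  {label}")
```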

ghost commented 6 years ago

OK, thanks, I will take a look in the DB. This would make a great feature for the UI.

infosec-alchemist commented 5 years ago

Unfetter is going into hiatus for the time being. Since this request is beyond scope, I am going to close it. Hopefully the team can pick it up again one day.