Offensive security professionals and program coordinators have a learning curve as they mature through the different ethical hacking assessment types. In Vulnerability Assessment/Management and Penetration Testing, we use Common Vulnerabilities and Exposures (CVE IDs) and the Common Vulnerability Scoring System (CVSS) to report a finding using two criteria:
When emulating Tactics Techniques and Procedures (TTPs), we rarely use “open” and “closed” because we are testing adversary behaviors, not vulnerabilities in technology. We have to look at different criteria:
In Adversary Emulation, whether Red Team Engagement or Purple Team Exercise, we have a list of behaviors that we are going to emulate. Each behavior will execute a particular action at a particular time. If we log the time of each of these actions, we have an additional metrics for both the Red Team and the Blue Team:
Red Teams spend a significant amount of time gaining Initial Access which requires performing Reconnaissance and Resource Development. A metric to measure the Red Team is the time it takes them to gain initial access to an environment. Calculate the engagement start time with the time of the first call back to the Command and Control (C2) server.
Both adversaries and red teams have objectives. Based on the predefined objective, the Red Team can tag a particular TTP as the objective and calculate the time between initial access and the successful execution of said objective. We can use ransomware as an example. The objective for these malicious threat actors is to get paid. The calculation can be from initial access to getting paid. There are a number of incident response teams using the term Time to Ransom (TTR) in examples like ICEDID and Ryuk to track how adversaries are doing. Red teams should be doing similar times.
For a red team, we generally don’t go all the way to getting paid. Instead, we may exfiltrate data and/or encrypt/delete data on one or more systems. Often, a ransom note is downloaded and displayed to the end user for impact. Any of those can be agreed on as the objective and time calculated.
We recently released and ran Maze v2 during a Purple Team Exercise. Note that we configured a very quick and noisy C2 with 5 second heartbeats and no jitter. We tagged step 47 as the objective and can calculate Time to Objective or Time to Ransom by subtracting the time that step 47 was successful to the initial C2 connection:
Of course we can make the heartbeats and jitter more realistic but that is generally not the main goal of a Purple Team Exercise. If this was a red team engagement, then the times would be different.
Apart from having a goal of detecting and responding to an attack before the objective is met, there are other detection metrics we can track. Dmitri Alperovitch, the founder of CrowdStrike, introduced the 1-10-60 rule. These are goals around attacker break out times that the Blue Team will want to meet to stay ahead of malicious actors:
Measuring these times during a red team engagement requires coordination with Trusted Agents to ensure the proper times are logged and tracked.
Measuring detection and response from blue teams is a key differentiator from penetration tests and a big reason why “open” and “closed” are not ideal measurements for adversary emulations.
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors.