Unicorn Library

SCYTHE Library: Setting up SCYTHE-VECTR integration

Written by Jorge Orchilles | Apr 2, 2021 4:00:00 AM

Many SCYTHE customers like to track their red and purple team exercises in a free reporting tool called VECTR. VECTR is maintained by Security Risk Advisors and we have been working with them on integrations for over a year. Naturally, we help our customers set up VECTR so that they can import SCYTHE campaigns more easily. Normally, you have to manually fill out each test case in VECTR. By importing from SCYTHE, you will get all of the Red Team details and only have to fill out the Blue Team side. This is a quick start guide that should help you set up VECTR with SCYTHE integration.

Installing VECTR

If you want a dedicated system for VECTR, then create an Ubuntu Virtual Machine wherever you want (AWS, Azure, GCP, Digital Ocean, etc). VECTR recommendation is an Amazon t3.medium instance which translates to:

  • 2 vCPUs
  • 4GB Memory
  • 100+Gb free space
  • Internet access to GitHub and DockerHub

If you want to use a distribution that already has VECTR, then check out the SANS Slingshot C2 Matrix Edition virtual machine.

For a new Ubuntu system, open a shell to prepare for the installation:

curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -
sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/ubuntu \
   $(lsb_release -cs) \
   stable"
sudo apt update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-compose unzip
sudo apt upgrade
sudo systemctl enable docker

Install VECTR with the following commands:

mkdir -p /opt/vectr
cd /opt/vectr
wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-6.2.1/sra-vectr-runtime-6.2.1-ce.zip
unzip sra-vectr-runtime-6.2.1-ce.zip

Now customize your install:

sudo vim .env

Edit these fields:

  • APP_NAME= This is the "name" displayed by the application at the login screen.
  • VECTR_HOSTNAME= This is the URL you will be accessing VECTR from
  • VECTR_PORT= This is the port the Tomcat instance will be listening on for HTTPS
  • VECTR_DATA_KEY= This is the encryption key for the Mongo database. Needed for future integrations or potentially data recovery. Change this and store in a safe place.
  • JWS_KEY= JWT signing (JWS) Do not use the same value for both signing and encryption! It is recommended to use at least 16 characters. You may use any printable unicode character
  • JWE_KEY= JWT Encryption Key(JWS) Do not use the same value for both signing and encryption! It is recommended to use at least 16 characters. You may use any printable unicode character
  • MONGO_INITDB_ROOT_PASSWORD= This is the password for the default login of the MongoDB. You may need this in the future if manual access to your database is required. Change and store in a safe place.
  • COMPOSE_PROJECT_NAME= project name you would like to name the containers
  • Add this line so you can import SCYTHE campaigns:
VECTR_FEATURES_SCYTHELOG=true

Start VECTR

docker-compose up -d

Using VECTR for the first time

Login to VECTR:

  • Navigate to https://<VECTR_HOSTNAME>:<VECTR_PORT>
  • Accept the invalid certificate.
  • User: admin
  • Password: 11_ThisIsTheFirstPassword_11

On the Select Your Organization screen:

  • Click the +
  • Fill out the information for your organization

On the Select Session Database screen:

  • Click the +
  • Give your new database a name

In the Assessments screen:

  • Click Create New
  • Provide a Name and Description
  • Click Save

Import SCYTHE campaigns

To import your first SCYTHE campaign

  • Click the assessment where you want to import a campaign
  • Click Assessment Actions on the top right
  • Import log
  • Select the CSV from your SCYTHE campaign

Click on the new assessment that was imported and you will see the escalation path, timeline, and test cases.


Importing a SCYTHE log to VECTR provides the following information per TTP (called a Test Case in VECTR) that executed in your campaign:

  • Test Case Name
  • Description
  • Status
  • Attack Start
  • Attack Stop
  • MITRE ATT&CK Technique Mapping
  • MITRE ATT&CK Tactic Mapping
  • Operator Guidance
  • Attacker Tool
  • Target Asset
  • Outcome notes

Now all you have to do is select the Blue Team outcome for the TTP. Was the TTP:

  • Blocked
  • Not Detected (but maybe logged locally)
  • Detected

You can also select the time of the detection and the security tool that detected the TTP.

Best Practices

As we have performed many Purple Team exercises using SCYTHE and importing it into VECTR, we have a few best practices:

  • Download the CSV report per device/process ID, not the entire campaign. In the image below, you would download the CSV for DESKTOP-D6823U3~408 and GEORGYP1~20008
  • Only tag one MITRE ATT&CK technique per action in SCYTHE. VECTR has a 1 to 1 mapping between a SCYTHE TTP and ATT&CK technique. To get around this limitation, you can copy the test case in VECTR after importing the log.
  • Add a new case for Execution based on how the SCYTHE payload was executed. Here is a blog with test case ideas.
  • Copy the “payload shutdown” test case and set it as the C2 channel. We generally set that for the time the initial execution happened. The “payload shutdown” is when the attack is completed.
  • Create tags in VECTR for:
Not logged
Logged but no alert
Alert but no Response

Reporting

One of the best features of VECTR is how it can show historical trends over various adversary emulations. It is assumed you will run the emulation more than once to show the delta of what has improved. This is one of the reasons that SCYTHE is the leading purple team tool, it allows you to emulate the same TTPs consistently and reliably so you can focus on improving and training your people, process, and technology. 

Run the same emulation again after you have performed some detection engineering and enabled logs and alerts. Import the CSV from SCYTHE, fill out the Blue Team side for the outcome and use the tags as outlined in the best practices. Next go to the Reports section on the left side of VECTR. There are multiple options to view the results of the emulations:

  • Metrics - high level pie charts of total test cases, detected, blocked, and failed.
  • Test Case Drilldown - list of all test cases
  • Historical Trending - show the improvement emulation over emulation
  • Heat Map - MITRE ATT&CK Heat Map (not a Bingo card) that shows

Conclusion

Importing SCYTHE campaigns into VECTR is simple thanks to the integrations we have created with Security Risk Advisors. Being able to emulate the same TTPs consistently and reliably will allow accurate metrics for showing how your program has tested, measured, and improved your people, process, and technology.

References

https://www.scythe.io/library/vectr-integration 

https://docs.vectr.io/Installation/