We are proud to announce that SCYTHE campaigns can be imported into VECTR! VECTR is a free platform for planning and tracking your Red Team engagements and Purple Team Exercises by aligning to Blue Team detection and prevention capabilities across different attack scenarios. Many SCYTHE customers leverage VECTR to show the value of the overall Red and Purple Team programs and will now be able to import entire SCYTHE campaigns with just a few clicks. First, make sure to upgrade VECTR to the latest version.
Export the SCYTHE Campaign
The first step is to export the SCYTHE campaign you wish to import into VECTR. In your SCYTHE dashboard, click Reports on the left side panel, and click the CSV link for the Campaign you want to download. This will download the entire campaign in CSV format to your local system.
Enable SCYTHE Importing into VECTR
Enabling VETCR for SCYTHE importing is very easy and you only have to do these steps one time.
- Stop your VECTR docker instance: sudo docker-compose down
- Edit the .env file in the VECTR deployment directory to add the line: VECTR_FEATURES_SCYTHELOG=true
It should look like this:
- Bring back the VECTR docker instance backup: sudo docker-compose up
Import SCYTHE Campaign into VECTR
Log in to your VECTR instance and go to the Campaign Dashboard. Select Assessment Actions and click Import Log:
Drag and drop the CSV file you download from SCYTHE into the Import Logs window and click Submit:
You will see a message stating “SCYTHE event log imported, campaign created.” in your Campaign Dashboard and you will now see your imported campaign with 100% Progress:
Look at details of the imported campaign in VECTR by clicking the Action button. You will be taken to a dashboard of the imported campaign that shows the Escalation Path, Timeline, and Test Cases:
All the test cases will show completed as they were performed by SCYTHE. You can expand each test case to document the Blue Team fields as you usually would with VECTR. Note the Red Team side is completed with all the information from the SCYTHE campaign including Status, Start and Stop Time, Test Case Name, Technique, Phase, details, Attacker Tool, and Target Assets:
You can go to the Reports page to view the VECTR reports you have used in the past. For example the SCYTHE Campaign Heat Map in a MITRE ATT&CK matrix view:
VECTR provides the ability to create assessment groups, which consist of a collection of Campaigns and supporting Test Cases to simulate adversary threats. Campaigns can be broad and span activity across the kill chain or ATT&CK tactics, from initial access to privilege escalation and lateral movement and so on, or can be narrow in scope to focus on specific defensive controls, tools, and infrastructure. VECTR is designed to promote full transparency between offense and defense, encourage training between team members, and improve detection, prevention & response capabilities across cloud and on-premise environments.
Common use cases for VECTR are measuring your defenses over time against the MITRE ATT&CK framework, creating custom red team scenarios and adversary emulation plans, and assisting with toolset evaluations. VECTR is meant to be used over time with targeted campaigns, iteration, and measurable enhancements to both red team skills and blue team detection capabilities. Ultimately the goal of VECTR is to help organizations level up and promote a platform that encourages community sharing of CTI that is useful for red teamers, blue teamers, threat intel teams, security engineering, any number of other cyber roles, and helps management show increasing maturity in their programs and justification of what's working, what's not, and where additional investment might be needed in tools and team members to bring it all together.
For a deeper dive into VECTR, watch the video hat Jorge Orchilles from SCYTHE and Phil Wainwright from Security Risk Advisors did for a SANS Webcast:
Presentation Slides: https://www.slideshare.net/jorgeorchilles/managing-showing-value-during-red-team-engagements-purple-team-exercises-vectr-sans-webcast
SCYTHE provides an advanced attack emulation platform for the enterprise and cybersecurity consulting market. The SCYTHE platform enables Red, Blue, and Purple teams to build and emulate real-world adversarial campaigns in a matter of minutes. Customers are in turn enabled to validate the risk posture and exposure of their business and employees and the performance of enterprise security teams and existing security solutions. Based in Arlington, VA, the company is privately held and is funded by Gula Tech Adventures, Paladin Capital, Evolution Equity, and private industry investors. For more information email email@example.com, visit https://scythe.io, or follow on Twitter @scythe_io.