As you can already guess from previous spoilers, in this third part of the series (see part one and part two), after having made clear the role that Threat Intelligence plays in the Purple Team methodology, we will go a bit more into details about the phases of preparation, execution and lessons learned in an exercise.

Disclaimer: As I mentioned in the first episode, I do not intend to set in stone anything in this article, but rather to give my point of view and provide an overview of a subject for which there is not much documentation, and what I found, is scattered in multiple sources.

After having developed an implementation plan based on the mapping of threats on the MITRE ATT&CK MATRIX, it is time to put all the use cases into practice. To do so, we will use Vectr.io, an open source web platform developed by Security Risk Advisors.

This tool is responsible for centralizing all the coordination tasks of the Red and Blue teams. But far from being a tool just for coordinating exercises, it is also prepared to be used as a sort of logbook of all operations executed in various exercises and their outcome over time, so that the evolution of the organization’s security posture can be tracked.

With an abstract description such as the above, it may be difficult to imagine how all of this is accomplished. Therefore, the aim of this post is to opt for a more practical approach.

For the sake of brevity, we will not detail all the functionalities of this tool but will show the possibilities it offers and how these can help us with our goal. It will then be up to you to explore the more advanced functions and evaluate whether they are useful for your particular use case.

After having made a brief introduction and exposition of the Purple Team methodology and listed the phases that constitute it in the first part of this series, in this second part I will go into more detail on how Cyber Threat Intelligence (CTI) integrates in the whole process of adversarial emulation, and therefore, in the Purple Team exercises or programs.

I feel obligated to repeat that (as stated in the first article) many of the content and methodology shown thereafter comes from Scythe and its Purple Team Exercise Framework and closely linked to the entire MITRE doctrine and tools. My goal with this article is to provide a comprehensive view of the topic along with my experience and opinion on some things.

First: understanding the target organization

Whether you are performing CTI as an outside consultant or as part of the organization, it is important to have as much information about the organization as possible.

To do this, the CTI team must conduct an intensive and extensive information gathering exercise, just as an enemy threat agent would. In addition to this, the information must be enriched with that obtained through interviews and inquires with the organization’s personnel.