Intelligence-Led Adversarial Threat Modelling with VECTR

More and more organisations are beginning to realise the value of ATT&CK. But how can you bring your teams together to help nurture, develop and deploy a framework which consistently yields results?

This presentation details the approach developed by the Cyber Threat Intelligence team of a global bank, and how it worked together with defensive and offensive teams to deliver a compelling solution to uplift the organisations' security posture; one adversary TTP at a time.

The corresponding workshop is designed to provide practical guidance to practitioners that they can adapt for their organisations. Key learning objectives will include transforming countermeasure initiatives to be intelligence-led, and developing and deploying a threat library.

by Sajid Nawaz Khan, Principal Cyber Threat Intelligence Analyst

---

UPDATED: This README is designed to support the above workshop, originally titled Adversarial Threat Modelling — A Practical Approach to Purple Teaming in the Enterprise, which took place on Friday 11th September 2020 as part of x33fcon, and which was significantly refreshed and revised in September 2024.

System Requirements

Please ensure you have installed VirtualBox (or your preferred hypervisor) with its corresponding Extension Pack, followed by Ubuntu 22.04 LTS. Ideally, the virtual machine should be configured with at least 8GB of RAM, and 80GB of disk space. Note that this workshop is not compatible with Apple Silicon processors.

Installing VECTR

Detailed installation instructions are available on the VECTR Documentation site. The code below is provided for convenience, and is correct for version 9.4.0 of the Community Edition.

Installing Dependencies

sudo apt-get update
sudo apt-get install ca-certificates curl git wget


# Add Docker’s official GPG key
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc


echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null


# Install Docker
sudo apt-get update
sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

Installing VECTR

To minimise issues during the workshop, please continue with default configuration options when installing VECTR. In production environments, configuring additional options within the .env file is strongly recommended.

sudo mkdir -p /opt/vectr
cd /opt/vectr

sudo wget https://github.com/SecurityRiskAdvisors/VECTR/releases/download/ce-9.4.0/sra-vectr-runtime-9.4.0-ce.zip 
sudo unzip sra-vectr-runtime-9.4.0-ce.zip

Updating the Hosts File

For a default install, add sravectr.internal to your hosts file as follows:

sudo nano /etc/hosts
127.0.0.1   localhost   sravectr.internal

Using VECTR

Launching VECTR

Run a docker compose command to bring up the containers. This will take a few minutes as Docker will need to download the images and then build the containers.

cd /opt/vectr
sudo docker compose up -d

Struggling to launch VECTR? Run sudo docker ps, sudo docker stop {containerID} (or sudo docker stop $(docker ps -a -q)) and sudo docker system prune and try again.

Logging into VECTR

You should be able to access VECTR at https://sravectr.internal:8081/. The default username is admin and the password is 11_ThisIsTheFirstPassword_11.

Safely Shutting Down VECTR

cd /opt/vectr
sudo docker-compose down

Add Bash Aliases (Optional)

nano ~/.bashrc

# Add these entries
alias startvectr="cd /opt/vectr && sudo docker compose up -d"
alias stopvectr="cd /opt/vectr && sudo docker compose down"

---

Exercises

Importing Existing Datasets

Not recommended for production deployments!

1. Atomic Red Team
2. MITRE Enterprise ATT&CK CTI Bundle
3. SRA Iran TTPs

Developing your Threat Library

Creating your own adversary emulation plan draws on the greatest strength of combining red teaming with your own threat intelligence: the behaviors are seen from real-world adversaries targeting you! — Mitre

1. Malpedia
2. MITRE Engenuity Adversary Emulation Library
3. APT & Cybercriminals Campaign Collection
4. Palo Alto Networks Unit 42 Playbooks

---

Further Reading

Cyber threat intelligence is all about knowing what your adversaries do and using that information to improve decision-making. — MITRE

1. Getting Started with ATT&CK: Threat Intelligence
2. Getting Started with ATT&CK: Adversary Emulation and Red Teaming
3. Thai CERT Threat Actor Encyclopedia
4. Recorded Future Threat Intelligence Handbook
5. Adversary Emulation using CALDERA by Erik Van Buggenhout
6. Assess Your Data Potential with ATT&CK Datamap by Olaf Hartong
7. Purple Team Exercise Framework by SCYTHE
8. Threat Modeling: As Easy as OATMEAL by Elastic

Tools

1. Mitre ATT&CK Navigator
2. Threat Report ATT&CK Mapping (TRAM) - For rapid triage
3. Sigma

Support

1. VECTR Documentation
2. VECTR Video Guides
3. VECTR Issues on Github
4. SRA VECTR Homepage

---

I'd love to hear your thoughts and feedback. Feel free to say hello at @snkhan@infosec.exchange or via LinkedIn.

---

#cti #threatintelligence #purpleteam #redteam #blueteam #adversaryemulation #adversarysimulation #vectr #mitre