Attack IQ
Terrain Analysis
Turn the screws on your IT architecture review to more fully understand how
it supports your organizational mission. Why was it built the way it is?
Prioritize assets based on business outcome and recurse into business
process <- capability <- asset <- infrastructure chains that support them; this
enables threat picture development and actor assessments by helping you
understand probable attack paths and targets. IT Ops should be able to help
here, if not hand you something that answers most of it.
Threat Selection
From your understanding of the mission, architecture, and the interaction
between them, turn the table around and ask “how would I attack this?” and
“who would attack this?” This answer should be informed by the self-targeting
you did 2 steps back. Consider APTs, consider commodity malware,
and consider the tools various actors are known to use and their capabilities.
There will be A LOT. Based on your prioritization of business-critical assets
and/or controls, narrow it down to no more than 2 actors mixed in phasing and
tempo to train both Ops and Intelligence functions.
Establish Goals
Begin planning in earnest by deciding what you want to achieve: Baseline (or
better yet, up-gun) your tools, procedures, and team? Validate controls in the
wake of a major reorg or infrastructure update? Test new capabilities?
Success Criteria
Determine your standard of success. This is generally detection, prevention, or
both.
Exercise Judgement
Safety, Exercise Flow, and PRODUCTION are all subject to a degree of risk
when emulating badness. EXCON should be an experienced practitioner-leader
who knows Red, Blue, and Intel as fluently as IT architecture (very).
Threat intelligence analysis is taking existing intelligence data like TTPs, malware
hashes, or domain names and applying human intelligence to harden cyber defenses and
improve ways to anticipate, prevent, detect, and respond to cyber-attacks.
MITRE CRITS
Let’s look at CRITS as an example of what goes into cyber threat intelligence analysis.
CRITS is a tool developed by MITRE and stands for Collaborative Research Into
Threats. It’s open-source and freely available here. CRITS does a handful of things that
assist with intelligence analysis such as:
Defensive engagement of the threat takes what you’ve discovered from intelligence
analysis and allows you to look for indicators of a pending, active, or successful cyber
attack. Breach and attack simulation tools fit in well here because we can take the
behavioral models uncovered during intel analysis and use BAS to automate testing and
reporting on what those behavior patterns look like in our enterprise.
These simulation results can feed back into your threat intelligence analysis and into the
next element we’re going to talk about, which is focused sharing and collaboration.
By sharing threat actor TTPs through standards such as STIX and TAXII, the security
community benefits together. If you are part of a large organization with different
security groups, information shared between groups in a standard format can help your
enterprise build a threat informed defense.
Groups like MITRE’s Center for Threat Informed Defense (CTID) bring together
sophisticated security teams from leading organizations around the world to expand the
global understanding of adversary behaviors by creating focus, collaboration, and
coordination to accelerate innovation in threat-informed defense, building on the
MITRE ATT&CK framework.
Now that we’ve talked about the methodology of a threat informed defense we can
begin to talk about Breach and Attack Simulation as a way to operationalize and take a
lot of the manual work out of implementing a threat informed defense.
The general idea behind breach and attack simulation tools is similar:
Organizations can choose attacker behaviors they want to see executed in their
environment.
Behaviors are executed by the BAS tool.
Operators observe the response from security controls.
How these ideas are implemented and additional features provided vary from vendor to
vendor. We’re going to talk about things to consider when you’re investigating BAS
solutions in a little bit, but before we do that I want to talk about why BAS has become
important.
Before breach and attack simulation tools existed, there were still plenty of
organizations implementing or at least partially implementing a threat informed defense.
This work was originally done through purple teaming activities where red teams and
blue teams would work together to improve their security posture. Purple teams still
exist and are beginning to become more popular, but BAS tools can be used to help with
some deficiencies of a manual process.
Time/FTE
Red Team members are generally highly skilled individuals whose time could be better
spent innovating instead of running scripts and building reports.
Coordination and sharing of information between red teams and blue teams consumes
time that could be spent implementing projects and defending the enterprise.
Documentation
Documentation during manual efforts is often lacking because of the time commitment
or lack of resources to document what was done, how it was done, when it was done,
and by whom.
Safety
Without tight collaboration or understanding between red teams and blue teams on what
exercises are run by whom, against what assets, and when, the idea of testing the security
of your network begins to feel more like a liability than an asset.
When we get into Breach and Attack Simulation use cases later in this course we will
explore in more detail how BAS tools help alleviate at least some of these burdens.
When considering the use of a breach and attack simulation tool for your team, there are a few
different ways that deployment can be done.
If you are deploying agents in a production environment, you’ll want to have a good
understanding of how safe this is from your vendor. We’re going to go into testing and
transparency approaches in a bit, and having this understanding will allow you to better
understand the safety of running a BAS tool in your production environment.
The main reason you would choose to deploy in production instead of a lab is that it will
give you more accurate results to measure against.
Understand what your use cases are before investigating BAS tools. This will give you
an understanding of how many hosts, VLANs, operating systems, departments, and
security domains you will test on.
Do you need just a sample from your enterprise or do you want to be able to execute on
any host in your environment?
Having the answers to these questions in mind, talk to your vendors about how they
license and scale so that they can fit your needs.
Virtual Based Deployment Approach
A virtual based deployment can be executed in a multitude of different ways. This could
be a deployment where agents are being used but as part of an OVA. This could also be
an agentless deployment where packets are replayed to see how the environment
responds.
The main theme across a virtual deployment is that it involves lab components and
should be designed to simulate your production network.
Although this type of deployment allows you to execute actual malicious activity in a
safe manner, it does have some limitations.
Accuracy – The accuracy of the tests is only as reliable as the environment the tests are
executing in. If you are executing in a virtual or lab environment and not a production
environment, you risk not having an accurate measure of your production enterprise.
Complexity – The complexity of a virtual environment can definitely provide you with
testing flexibility in the future. However, the complexity of virtual based deployment
can often add time and expense to BAS projects.
The deployment for services based BAS tools is easy because there usually isn’t
anything to deploy.
One of the limitations of a services-based BAS deployment is that they are often limited
in how robust the testing can be.
Let’s talk about four of the main approaches BAS tools take in how they execute
testing.
It’s important to remember that some BAS tools may incorporate more than one of
these approaches in how they run their tests, so you need to understand what is
important to your use cases and how that works with the BAS tools you are
investigating.
Testing actual behavior with actual exploitation can also be a drawback if you desire to
test your production assets since these tests are much harder to make safe.
Malware Detonation Testing Approach
Malware detonation is similar to sandboxing, but with a focus on how efficiently your
security controls respond instead of understanding how the malware operates. Malware
detonation is essentially taking known malware samples and executing them in your test
environment. This is good if you have a targeted use case for understanding how your
security controls stand up to the exploitation phase in a very real way. Obviously, this
carries a large risk of impacting the environment it is run in and is not safe for
production.
Services based testing approaches vary widely and can use a combination of all of these
testing approaches. They may even include human elements that analyze or assist in the
operation of the test.
Because services based testing can be so different from provider to provider, it’s
important to have a grasp of what is in scope and out of scope for testing and how often
testing will be done.
How transparent the tests you are executing are can vary from solution to solution. Some
BAS solutions may even take multiple approaches or vary how transparent they are with
their content.
Blackbox Approach
A blackbox approach leaves little visibility to the operator. Limited flexibility of testing
and the uncomplicated nature of a blackbox approach may be valuable to less mature
security organizations looking to put some sort of security control validation project in
place. However, larger or more experienced organizations may experience difficulty in
the lack of detail offered by a blackbox approach.
This type of approach can also limit red team involvement, leaving their experience out
of the validation project.
Glassbox Approach
A glass box approach is a much more open approach than a blackbox approach. In a
glass box approach, operators can view details of how the test is being run. They can get
a deeper understanding and in some cases make changes to the configuration of how
tests are executed. An example of a glassbox approach would be packet capture replay
solutions. In this case, you are able to see the traffic being used as part of the test, but
there is little to no modification available.
A glassbox approach is useful for organizations that are larger or more mature that
would like to implement a breach and attack simulation tool, but may not have the
resources or desire to manage an Openbox approach. This may also become a scalability
limitation. If your organization does have resources and expertise to achieve more
control over how tests are executed, a glassbox approach may be somewhat limiting.
Openbox Approach
An open box approach takes the same approach as a glass box approach; however, the
source code of the tests is made available to operators. This allows for full transparency
and customization of how the tests are executed.
Although there are a few frameworks you could lay on top of BAS testing tools, the
most prevalent is the MITRE ATT&CK Framework. Along with many defensive tools,
breach and attack simulation tools often align themselves with the MITRE ATT&CK
Framework.
This makes sense for organizations that are trying to find a way to match security
controls to offensive tactics.
MITRE has organized attacker techniques into multiple categories along the attack
chain. On the MITRE ATT&CK website, you can drill into techniques under each
category to get a better understanding of how a technique works, threat groups known to
use the technique, how to mitigate and detect the technique, and references to articles on
the technique.
Some breach and attack simulation tools allow you to understand where your defensive
gaps may lie in the context of MITRE ATT&CK.
If the tool aligns to ATT&CK, you should be able to design your test based on
techniques that are used by known threat actors.
If the tool doesn’t have direct MITRE ATT&CK alignment, you can use a freely
available online tool like the MITRE ATT&CK Navigator to understand the attack
patterns of known threat actors and then find tests within your BAS tool that align to
those techniques.
Continuous security validation is the process of taking your existing individual security
controls, creating unit tests for those controls, executing those tests, and analyzing the
results.
For example:
You have a DLP solution or a Firewall, and you are using it to block a specific
rule or action.
For every rule or action you create, you should also design a test for that rule.
If I’m blocking a specific domain or URL, I would create a test that tries to
reach that domain or URL.
If I’m blocking a specific text pattern in my DLP, I would create a test that would try
and mimic that pattern and exfiltrate data.
Let’s keep it simple and stick to the Firewall example with a blocked URL. We will call
it www.blockme.com.
Once my rule has been created and the policy has been pushed to block
www.blockme.com on the firewall, I create a test using a BAS tool or even scripting to
try to make a connection from my network through the firewall and out to
www.blockme.com.
Now I execute the test and make sure that the results come back that it could not
connect.
It’s important to remember to execute this sort of testing against all firewalls to validate
that the policy you pushed was deployed correctly.
Once we’ve validated that our test to www.blockme.com is actually being blocked, we
need to schedule this test to occur regularly so that we can be certain that the rule we put
in place continues to work as desired.
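The firewall check described above, written as a script (an added example, not part of the original course material). It assumes www.example.com is a site your policy allows; the firewall names and their simulated outcomes are constructed so the script runs offline, and in real use you would run it with the default tcp_probe from a host behind each firewall.

```python
"""Continuous validation of one firewall block rule (added example)."""
import socket
import sys
from dataclasses import dataclass
from typing import Callable, Dict, List

BLOCKED_HOST = "www.blockme.com"   # the blocked site used in the text
CONTROL_HOST = "www.example.com"   # assumption: a site the policy allows
PORT = 443

Probe = Callable[[str], str]


def tcp_probe(host: str, port: int = PORT, timeout: float = 5.0) -> str:
    """Try one outbound TCP connection and name what happened."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "connected"
    except socket.gaierror:
        return "dns_failure"
    except socket.timeout:
        return "timeout"
    except ConnectionError:
        return "reset_or_refused"
    except OSError:
        return "unreachable"


@dataclass
class Verdict:
    firewall: str
    status: str   # PASS, FAIL or INCONCLUSIVE
    detail: str


def validate_block_rule(firewall: str, probe: Probe = tcp_probe) -> Verdict:
    """Unit test for the rule: the blocked site must not be reachable."""
    # Check the control first. If an allowed site is unreachable too, a
    # failed connection to the blocked site says nothing about the rule.
    control = probe(CONTROL_HOST)
    if control != "connected":
        return Verdict(firewall, "INCONCLUSIVE",
                       f"control {CONTROL_HOST}: {control}")
    blocked = probe(BLOCKED_HOST)
    if blocked == "connected":
        return Verdict(firewall, "FAIL",
                       f"{BLOCKED_HOST} reachable, rule not enforced")
    return Verdict(firewall, "PASS", f"{BLOCKED_HOST}: {blocked}")


def run_all(probes: Dict[str, Probe]) -> List[Verdict]:
    """Validate the rule once per firewall (one probe per vantage point)."""
    return [validate_block_rule(name, probe) for name, probe in probes.items()]


def exit_code(verdicts: List[Verdict]) -> int:
    """0 only when every firewall passed, so a scheduler can alert on non-zero."""
    return 0 if all(v.status == "PASS" for v in verdicts) else 1


def simulated(outcomes: Dict[str, str]) -> Probe:
    """Constructed stand-in for a probe run from behind one firewall."""
    return lambda host: outcomes[host]


# Constructed sample: three firewalls that received the same policy push.
SIMULATED_FIREWALLS: Dict[str, Probe] = {
    "fw-hq": simulated({CONTROL_HOST: "connected", BLOCKED_HOST: "timeout"}),
    "fw-branch": simulated({CONTROL_HOST: "connected", BLOCKED_HOST: "connected"}),
    "fw-lab": simulated({CONTROL_HOST: "timeout", BLOCKED_HOST: "timeout"}),
}

if __name__ == "__main__":
    results = run_all(SIMULATED_FIREWALLS)
    for v in results:
        print(f"{v.firewall:10} {v.status:13} {v.detail}")
    sys.exit(exit_code(results))
```

A firewall that answers blocked requests with its own block page still completes the TCP handshake, so a rule enforced that way needs an HTTP-level check rather than this connection test.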
Alright, so you’ve identified your deficiencies while performing GAP Analysis. It’s
time to put your plan into action and start selecting tools you will purchase to cover
those gaps. Here’s the problem – you want to be as certain as possible that the tool you
are about to spend a lot of money on actually follows through on the promises to fill
those gaps.
By taking a scientific approach that is measured and repeatable with each solution to be
tested, you can make sure that you are choosing the best tool to meet your needs. BAS
tools fit in well here because they allow you to take a lot of the manual process and
documentation out of the equation.
Here are some suggestions I’ve given security teams in the past:
Make sure your testing scope only includes tests that make sense for the solution
you are evaluating. It doesn’t make sense to run credential theft testing against a
network firewall solution and can skew results.
If possible, execute your testing in production to get the most accurate picture of
how the product will perform in your environment.
Use a control – For example: If you are testing endpoint solutions, make sure
that one of the hosts you are testing does not have that endpoint solution
installed. This allows you to see where there may already be some overlap in
coverage or a false reading in your testing.
Another side benefit of performing testing this way is that when you do choose a
solution to purchase and implement, you will already have the test designed that will
help to verify that your implementation is correct. You can also use this same test plan
continuously with that security control to ensure that environmental changes to your
enterprise do not affect how the security control operates.
Red Teams are expensive and highly specialized. They should be innovating, not
playing gotcha! Blue Teams are overworked and spread too thinly. They should be
hunting, not maintaining.
Purple Teaming is an organizational concept by which red and blue functions occur
simultaneously, continuously, tightly coupled, and with full knowledge of each other’s
capabilities, limitations, and intent at any given time.
Given reliable access to red capabilities, this methodology allows security teams to
iteratively increase program maturity as a product of continuously clearing low-effort
attacks from the board.
Breach and Attack simulation tools can help with Red Team execution by
providing a platform to make sure test procedures are safe, controlled, and
documented.
Integrations with other defensive security tools like EDR, Firewalls, AV, and
IDS/IPS can allow BAS tools to provide instant feedback in a centralized
manner to the Red Team.
Those same integrations can provide instant feedback and centralization for Blue
Team members as well. Some BAS platforms will also provide mitigation
information to the Blue Team.
During the joint debrief, data collected by the BAS tool can be analyzed by both
Blue and Red team members. This data can be used as suggestions for both sides
on the next piece, which is
Continuous testing and improvement. Breach and attack simulation tools allow
you to begin automating many of the low-level tasks the red team is doing so
that they can continue to innovate. Blue teams are also provided with a way to
run those lower-level red team tasks themselves to validate that the measures
taken to resolve red team discoveries are always working.
Quality Assurance testing can utilize BAS tools to help make sure security
configuration on golden images or new server deployments is correct. Testing your
golden image with a BAS tool can greatly decrease the risk of deploying new
workstations with improper configuration.
Design your tests to match the security controls you put on the host. This may
include things like bypassing UAC, privilege escalation, registry modification,
or credential theft.
Don’t just focus on security tool testing. Consider testing operating system
policy and other native controls.
Utilizing a BAS tool with RBAC features can allow Desktop QA engineers to
execute testing without having access to results for separation of duties.
Utilizing a BAS tool with an API can allow the process of testing to be baked
into QA automation tools.
In a world where we are seeing more and more automated deployment of servers, it
makes sense that security teams are becoming more and more involved with the quality
assurance of these servers. Breach and Attack simulation tools can allow security teams
and server deployment teams to feel confident in the configuration and setup of new
assets.
Some things to consider when using BAS in conjunction with server deployment:
Don’t forget about a threat informed defense – keep tests lightweight and fast by
only testing what you’ve discovered from intel analysis.
Utilize a BAS tool with an API to automate the process and test rapidly.
Using a BAS tool that integrates with your security stack can help security
operations teams quickly pinpoint what failed if a test does not pass.
Assessment Design Theory
Before opening any sort of breach and attack tool, you should have a plan. Put this plan
on paper first so that everyone involved knows what is involved in testing. You will
eventually have multiple test plans that will each translate into different assessments.
Questions To Be Answered
Assets To Be Tested
Scenarios To Run
Testing Schedule
Questions To Be Answered
It’s pointless to run any sort of testing if you don’t know what you are testing for. If you
are still in that “don’t know what you don’t know” phase, that’s fine. Here are some
thought starters that might help you out.
If you work for a law firm, you may be concerned about groups like APT19. Try
understanding the techniques that are commonly used by APT19 by reviewing the threat
intelligence data provided by MITRE ATT&CK.
With the understanding that APT19 will often use PowerShell, it may help to dig deeper
into the procedures used in the PowerShell sub-technique. Even in a general sense, you
now may have some questions about how well your PowerShell deployment is secured.
Creating A Test Statement
Combine your questions with a hypothesis to make a test statement. I suggest starting
by being more specific with test statements in the beginning. Eventually, you may find
that you don’t need to be as specific. The idea is to generate as many test statements as
you can on the first run.
Test Statement: Any user with rights less than a local administrator cannot execute
encoded PowerShell commands in our environment.
-OR-
Test Statement: Any user with rights less than a local administrator cannot execute
ANY PowerShell commands in our environment.
-OR-
Assets To Be Tested
Based on the test statements you’ve created, you will want to identify all of the assets in
your environment that should be involved in testing. Do your statements involve the
entire enterprise, a specific business unit, or a specific technology? With each test
statement, add in assets that would prove or disprove the statement. Remember, all of
these guidelines are flexible as you are creating your plans.
For example:
Test Statement: Any user with rights less than a local administrator cannot execute
encoded PowerShell commands in our environment.
Assets: 2 Workstations from each business unit, one with policy A and one with Policy
B
-OR-
Deciding which scenarios to run for each test statement may seem daunting. There’s a
lot to choose from. The good news is this is iterative. That’s right, if you combine your
test planning with Purple Teaming, you are only going to get better. Here are some
things to consider when planning which scenarios to run for your test statement:
Do my test statements align at all with any ATT&CK techniques? What about tactics?
Which security tools do my test statements include?
What types of security controls do my test statements include?
What operating systems are included in my assets to be tested?
Are there any special considerations on the assets to be tested?
Does the scenario prove or disprove the test statement?
For each test statement, you will need to find at least one scenario that proves or
disproves the test statement. Add these scenarios to your test plan.
For example:
Assets: 2 Workstations from each business unit, one with policy A and one with Policy
B
The schedule of when assessments are executed may seem like a minor consideration.
However, when an assessment is scheduled to run can ultimately impact your results.
Here are some things to think about when determining when and how often to run an
assessment:
Add the testing schedule to each test statement in your testing plan.
For example:
Test Statement: Any user with rights less than a local administrator cannot execute
encoded PowerShell commands in our environment.
Assets: 2 Workstations from each business unit, one with policy A and one with Policy
B
The ability to import and export to and from other tools provides interactivity with the
ATT&CK® matrix for security teams and features like risk scoring and coloring allow
security teams to better understand how their organization maps to the ATT&CK®
matrix.
Who is ATT&CK® Navigator for?
ATT&CK® Navigator has features that can help with nearly any job role in Information
Security. For example:
CISOs will find the visualization, scoring, and reporting features useful when trying to
calculate and explain risk to other executives.
Red Teams, Blue Teams, or the combination of the two in a Purple Team will find the
visualization, scoring, commenting, imports, exports, and pretty much all of the features
of ATT&CK® Navigator to be incredibly useful.
Cyber Threat Intelligence (CTI) Analysts and teams can use ATT&CK® Navigator to
map and synchronize their intelligence reports to other departments so that they are
actionable.
2. Open the terminal application from the launch bar on the left-hand side of the screen
to enter the ‘Home’ directory.
cd Navigator/
git clone https://github.com/mitre-attack/attack-navigator.git .
npm install
ng serve
What Is a Sub-Technique?
Navigator Layers
Layers can be used to organize your Navigator; think of each layer as a fresh worksheet
that already has the Navigator template waiting for you to fill in. Layers are modular in
the sense that they can be imported and exported, independent of each other.
Layers can also be combined to help better align risk scoring for your organization to
the MITRE ATT&CK® Framework.
The Create New Layer option allows you to create a layer using ATT&CK® versions 4
- 8. It also provides the option of choosing the domain.
ATT&CK® Navigator allows you to upload JSON formatted files that contain layer
information from your local hard drive or a remote URL. Importing from a remote URL
is handy when you are doing things like using the Center for Threat Informed Defense’s
ATT&CK® to NIST 800-53 control mappings.
Domain - this is the domain you are choosing to use for the new layer you are creating
from your existing layers. You can also choose the ATT&CK® version.
Score Expression - can be used to combine scores formulaically from multiple layers
into a single layer.
Gradient - allows you to choose the layer the color gradient for heat mapping will be
assigned from.
Coloring - allows you to choose which imported layer you will use manual coloring
from when creating your new layer.
Comments - allows you to choose which layer you would like to import comments from.
States - allows you to choose if and where enabled and disabled states need to be
imported from a layer.
Filters - allows you to choose the layer filters will be applied from.
Legend - allows you to choose which layer to import the legend from.
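To make the layer file and the score expression concrete, here is an added example (not Navigator's own code and not from the original course) that builds two layers, combines them with the expression a * b, and prints JSON that can be uploaded. It assumes the layer format 4.x field names (techniqueID, score, gradient, versions), treats a technique missing from a layer as score 0, and uses constructed sample scores rather than real intelligence.

```python
"""Build and combine ATT&CK Navigator layers offline (added example)."""
import json
from typing import Callable, Dict, List

DOMAIN = "enterprise-attack"


def make_layer(name: str, scores: Dict[str, float], domain: str = DOMAIN) -> dict:
    """Return a layer dict for {technique ID: score}."""
    high = max(scores.values(), default=0) or 1
    return {
        "name": name,
        "versions": {"attack": "8", "navigator": "4.0", "layer": "4.0"},
        "domain": domain,
        "description": "",
        "techniques": [
            {"techniqueID": tid, "score": score, "comment": "", "enabled": True}
            for tid, score in sorted(scores.items())
        ],
        # A blue (low score) to red (high score) gradient for heat mapping.
        "gradient": {"colors": ["#0000ff", "#ff0000"],
                     "minValue": 0, "maxValue": high},
    }


def layer_scores(layer: dict) -> Dict[str, float]:
    """Scores of enabled, scored techniques, keyed by technique ID.

    Simplification: a technique listed under several tactics is collapsed
    into one entry.
    """
    return {
        t["techniqueID"]: t["score"]
        for t in layer.get("techniques", [])
        if t.get("enabled", True) and t.get("score") is not None
    }


def combine_layers(name: str, a: dict, b: dict,
                   expression: Callable[[float, float], float]) -> dict:
    """Apply a score expression over two layers of the same domain."""
    if a["domain"] != b["domain"]:
        raise ValueError(f"domain mismatch: {a['domain']} vs {b['domain']}")
    sa, sb = layer_scores(a), layer_scores(b)
    # Assumption of this example: a technique absent from a layer scores 0.
    combined = {
        tid: expression(sa.get(tid, 0), sb.get(tid, 0))
        for tid in sa.keys() | sb.keys()
    }
    return make_layer(name, combined, a["domain"])


def prioritised(layer: dict) -> List[str]:
    """Technique IDs with a positive score, highest score first."""
    scored = layer_scores(layer)
    return sorted((t for t, s in scored.items() if s > 0),
                  key=lambda t: (-scored[t], t))


# Constructed sample data.
# Layer a: how relevant each technique is to the threats you selected (0-3).
INTEL_LAYER = make_layer("intel relevance",
                         {"T1059.001": 3, "T1204.002": 2, "T1003": 1})
# Layer b: BAS result, 1 = the test was neither prevented nor detected.
BAS_LAYER = make_layer("BAS gaps",
                       {"T1059.001": 1, "T1204.002": 0, "T1003": 1,
                        "T1547.001": 1})
# Score expression a * b: relevant techniques that are also open gaps.
PRIORITY_LAYER = combine_layers("priority", INTEL_LAYER, BAS_LAYER,
                                lambda a, b: a * b)

if __name__ == "__main__":
    print(json.dumps(PRIORITY_LAYER, indent=2))
    print("work on first:", prioritised(PRIORITY_LAYER))
```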
Default Layers
Add a layer link allows you to enter the URLs of layers hosted on the web. The custom
navigator will open these layers by default. If the layers you wish to display are hosted
in different locations, you add in a URL of each of the layers you want to be displayed
by default on your customized Navigator.
Navigator Features
The options in this section allow you to enable and disable features such as:
Tabs
Technique selection
The ‘MITRE ATT&CK® Navigator’ header
Subtechniques
Selection Controls
The options in this section allow you to enable and disable features such as:
Search panel
Multiselect panel
Deselect all button
Layer Controls
The options in this section allow you to enable and disable features such as:
Technique Controls
The options in this section allow you to enable and disable features such as:
Selection Controls - These controls are used to select the different techniques or
sub-techniques in ATT&CK® Navigator that you wish to work with.
Layer Controls - These controls apply to the entire layer that you are working on.
Technique Controls - This set of controls allows you to work with the different
techniques you have selected with selection controls.
Selection Controls
Selection Behavior
Selection behavior allows you to select the same technique across all tactics by only
selecting it under a single tactic.
The other option available under selection behaviors is to select sub-techniques with
parent. This allows you to select all sub-techniques under a parent technique by only
selecting the parent technique or vice versa as seen in the image below.
Search
Search techniques allow you to search across all of the techniques in the MITRE
ATT&CK® matrix by:
Name
ATT&CK® ID
Description
Data Sources
Multi-Select
The multi-select button allows you to select multiple techniques based on:
Threat groups
Software
Mitigations
Deselect
The deselect button clears out any of the techniques you currently have selected.
Layer Controls
Layer Information
Information about the layer such as a name and description can be set in this panel.
Additionally, you will find the domain type and ATT&CK® version information on this
panel.
Custom metadata name and value pairs can also be added by clicking the add more
metadata button.
This button gives you the ability to download your Navigator mappings as
a JSON formatted file.
Export to Excel
This button gives you the ability to download your Navigator mappings as an xlsx
compatible file.
This button allows you to download your Navigator mappings as a vector graphic file.
Filters
The filter button allows you to toggle between showing/hiding the techniques related to
the following platforms:
Linux
macOS
Windows
Office 365
Azure AD
AWS
GCP
Azure
SaaS
PRE
Network
Sorting
Color Setup
The color setup panel allows you to select your color palette for scoring techniques.
You can assign low and high values along with colors that match those values to build a
color gradient into your mappings when applying scores.
This panel also comes with some pre-built color palettes to make changes and
modifications easier.
Show/Hide Disabled
The show/hide disabled button allows you to toggle between showing and hiding
techniques that you have set the state of to disabled through the use of the toggle state
button.
Expand Sub-techniques
The expand sub-techniques button allows you to expand sub-techniques from under the
parent techniques.
In the example below, we can see that the Malicious Link and Malicious File
sub-techniques are shown as expanded from under their parent technique of User Execution.
Collapse Sub-techniques
The collapse sub-techniques button allows you to collapse the sub-techniques back
under the parent techniques if they are already expanded.
Continuing with the example from the Expand Sub-techniques section, you can see that
both the Malicious Link and Malicious File sub-techniques have been collapsed back
under the parent technique of User Execution.
Matrix Layout
The matrix layout panel gives you a few options when setting up the layout of your
Navigator ATT&CK® Matrix. It allows you to toggle the display of both technique ID
and/or Technique name. It also allows you three options, chosen by drop-down for how
the matrix is actually laid out in Navigator.
side layout - This is the default layout for ATT&CK® Navigator. It sets up the parent
techniques to have their sub-techniques expanded from the side.
flat layout - This layout sets up the parent techniques to have their sub-techniques
expanded from the bottom.
mini layout - This layout sets up the entire matrix to be minimal, relying on
tooltips that pop up when you hover your mouse over a technique. Very light visual
cues, such as light and dark box outlines, show a parent technique and how many
sub-techniques it contains.
Technique Controls
Technique controls are used to manipulate and add context to selected techniques.
Toggle State
The toggle state button sets the selected technique(s) as disabled or enabled. The view
of disabled techniques can be toggled with the Show/Hide Disabled button.
Background Color
The background color button opens a panel that allows you to choose a background
color to apply to a selected technique(s).
Scoring
This button allows you to apply a score to a selected technique(s). When combined with
the options in the color setup panel, this feature brings strong visualizations when it
comes to prioritizing ATT&CK® techniques.
Comment
Select Section
1. Click on Create New Layer
2. Expand More Options
3. Set the version to ATT&CK v8
4. Click the Enterprise button
5. Use the search button under selection controls and search for the term Password
6. Click the select all button
7. Using the background color button under technique controls, change the
background color of your selection from steps 5 and 6 to red.
8. Click the toggle state button to disable the selected techniques.
9. Click the show/hide disabled button to hide the disabled techniques from view.
10. Click the x next on the tab at the top of your layer to close it out
Click on the color selection icon under the layer controls menu.
11. On the presets drop-down, at the bottom of the menu, click on blue to red to
change the score gradient to blue for a low score and red for a high score.
12. Select Multiple Techniques For A Threat Group
13. Under selection controls, choose the multi-select icon
14. Find APT29 under Threat Groups, and click the select button.
1. From the Sable Bluff layer, click on the render layer to SVG icon under layer controls.
2. Remove the filters display from the report. Click on the display settings button and
uncheck the box for show filters.
3. Click the download svg icon.
4. Choose to save the file and then click the Ok button.