One way to learn how to better defend your enterprise is to train a red team to simulate attacks. The MITRE ATT&CK framework is a very useful collection of adversary tactics and techniques for such a team: it classifies and describes a wide range of post-compromise behaviors. To make it even more effective, various commercial and open-source testing tools have been built that map their tests to the framework's techniques, so a blue team can check which of them its sensors actually detect.
Adversarial Tactics, Techniques & Common Knowledge
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.
https://attack.mitre.org/wiki/Main_Page
Video: Post-Exploit Threat Modeling with ATT&CK
Red Team Automation (RTA)
RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
RTA is composed of Python scripts that generate evidence of over 50 different ATT&CK techniques, as well as a compiled binary application that performs activities such as file timestomping, process injection, and beacon simulation as needed.
Where possible, RTA attempts to perform the actual malicious activity described. In other cases, the RTAs will emulate all or parts of the activity. For example, some lateral movement will by default target the local host (though parameters typically allow for multi-host testing). In other cases, executables such as cmd.exe or python.exe will be renamed to make it appear as if a Windows binary is doing non-standard activities, which is exactly the kind of masquerading a detection rule should be able to catch by comparing the running image name with the binary's original file name.
Introduction: https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation
Download: https://github.com/endgameinc/RTA
CALDERA
CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.
Introduction: https://www.mitre.org/research/technology-transfer/open-source-software/caldera
Download: https://github.com/mitre/caldera
Atomic Red Team
Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
Our Atomic Red Team tests are small, highly portable detection tests mapped to the MITRE ATT&CK Framework. Each test is designed to map back to a particular tactic. We hope that this gives defenders a highly actionable way to immediately start testing their defenses against a broad spectrum of attacks.
Introduction: https://www.redcanary.com/blog/atomic-red-team-testing/
Download: https://github.com/redcanaryco/atomic-red-team
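The loop that RTA and Atomic Red Team implement is the same in both cases: perform (a harmless version of) an ATT&CK-mapped activity, collect the telemetry a sensor would emit, and run the blue team's detection logic over it. The following is an added example written for this page; it is not code from RTA, Atomic Red Team or any other project listed here. It assumes Sysmon-style event field names (Image, OriginalFileName, file modification times) and builds every event itself, so it runs offline. Its two tests do real but harmless things: copy the current Python interpreter into a scratch directory under an innocuous name and execute it (RTA's renamed-binary trick, T1036.003), and backdate a scratch file's modification time (timestomping, T1070.006). Each test also emits a benign event that the matching rule must not flag.

```python
"""Tiny ATT&CK-mapped detection-test harness (added example, not project code).

Assumptions not taken from the page: Sysmon-style field names, the technique
IDs used as keys, and the events themselves, which are constructed here from
the harmless activity the tests perform in a temporary directory.
"""
import os
import shutil
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Event:
    kind: str                 # "process_create" or "file_time_change"
    fields: Dict[str, str]


# ---- emulation side: do the activity and record what a sensor would see ----

def emulate_masquerading(workdir: str) -> List[Event]:
    """T1036.003: run the interpreter under a different name (as RTA renames python.exe)."""
    renamed = os.path.join(workdir, "svchost.exe")   # assumed innocuous-looking name
    shutil.copy2(sys.executable, renamed)
    os.chmod(renamed, 0o755)
    try:
        subprocess.run([renamed, "-c", "pass"], timeout=30, check=False)
    except OSError:
        pass  # the attempt is still telemetry worth testing against
    original = os.path.basename(sys.executable)  # what the PE version resource reports
    return [
        Event("process_create", {"Image": renamed, "OriginalFileName": original,
                                 "CommandLine": f'"{renamed}" -c pass'}),
        # benign control: correctly named interpreter, must NOT be flagged
        Event("process_create", {"Image": sys.executable, "OriginalFileName": original,
                                 "CommandLine": f'"{sys.executable}" -V'}),
    ]


def emulate_timestomp(workdir: str) -> List[Event]:
    """T1070.006: create a file, then push its modification time back ten years."""
    target = os.path.join(workdir, "dropper.dll")    # constructed placeholder file
    with open(target, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)
    before = os.stat(target)
    ten_years = 10 * 365 * 86400
    os.utime(target, (before.st_atime, before.st_mtime - ten_years))
    after = os.stat(target)
    return [
        Event("file_time_change", {"TargetFilename": target,
                                   "PreviousMtime": str(before.st_mtime),
                                   "NewMtime": str(after.st_mtime)}),
        # benign control: an ordinary save moves mtime forward, must NOT be flagged
        Event("file_time_change", {"TargetFilename": target,
                                   "PreviousMtime": str(before.st_mtime),
                                   "NewMtime": str(before.st_mtime + 5)}),
    ]


# ---- detection side: rules the blue team wants to validate --------------------

def rule_masquerading(events: List[Event]) -> List[Event]:
    """Flag processes whose on-disk name differs from the binary's original file name."""
    hits = []
    for e in events:
        if e.kind != "process_create":
            continue
        image = os.path.basename(e.fields["Image"]).lower()
        original = e.fields.get("OriginalFileName", "").lower()
        if original and image != original:
            hits.append(e)
    return hits


def rule_timestomp(events: List[Event], max_backdate_seconds: float = 86400) -> List[Event]:
    """Flag modification times moved backwards by more than a day (assumed threshold)."""
    hits = []
    for e in events:
        if e.kind != "file_time_change":
            continue
        backdated_by = float(e.fields["PreviousMtime"]) - float(e.fields["NewMtime"])
        if backdated_by > max_backdate_seconds:
            hits.append(e)
    return hits


@dataclass
class AtomicTest:
    technique: str
    name: str
    emulate: Callable[[str], List[Event]]
    detect: Callable[[List[Event]], List[Event]]


TESTS = [
    AtomicTest("T1036.003", "Rename system utilities", emulate_masquerading, rule_masquerading),
    AtomicTest("T1070.006", "Timestomp", emulate_timestomp, rule_timestomp),
]


def run_tests(tests: List[AtomicTest] = TESTS) -> Dict[str, dict]:
    """Run every test in a scratch directory; return per-technique coverage results."""
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        for t in tests:
            events = t.emulate(workdir)
            hits = t.detect(events)
            results[t.technique] = {"name": t.name, "events": len(events),
                                    "hits": len(hits), "detected": bool(hits)}
    return results


if __name__ == "__main__":
    for tech, r in run_tests().items():
        print(f"{tech} {r['name']:<26} events={r['events']} hits={r['hits']} detected={r['detected']}")
```

Each technique should report exactly one hit: the malicious event is caught and the benign control is not. A rule that fires on both (for example, a timestomp rule with no threshold) passes a "did it detect?" check but would drown an analyst in false positives, which is why the harness counts hits rather than only reporting a boolean. In a real deployment the events would come from the endpoint sensor after the test runs, not from the test itself.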
Metta
Metta is an information security preparedness tool.
This project uses Redis/Celery, Python, and Vagrant with VirtualBox to do adversarial simulation. This allows you to test (mostly) your host-based instrumentation, but may also allow you to test network-based detection and controls, depending on how you set up your Vagrant boxes.
Introduction: https://medium.com/uber-security-privacy/uber-security-metta-open-source-a8a49613b4a
Download: https://github.com/uber-common/metta