CRYTON BREACH AND ATTACK SIMULATION Thursday 4 th October, 2018 Ivo Nutár
Outline Breach & Attack Simulation Cryton Cryton Page 2 / 22
About me Where I work CSIRT-MU KYPO What I Do Cryton B&S Penetration testing CyberEx GT/RT http://a.openalt.cz/33 Cryton Page 3 / 22
Terminology Comparison Vulnerability Scanning Low hanging fruits False positives Cheap Penetration Testing Real attacker tools Depends on tester’s skill Once in a while/once a year/ ... External Red Teaming Pentest + social engineering, physical attacks ... Silent, aims to also test detection capabilities May be also internal Skilled personnel Cryton Page 4 / 22
Breach & Attack Simulation Cryton Page 5 / 22
Breach & Attack Simulation According to Gartner, " BAS tools simulate a broad range of malicious activities (including attacks that would circumvent their current controls), enabling customers to determine the current state of their security posture. " Gartner also granted the first patent for BAS to tool SafeBreach . Automatization of Killchain to: Detect soft spots Test detection systems Train blue teams https://www.esecurityplanet.com/threats/ breach-and-attack-simulation.html Cryton Page 6 / 22
Breach & Attack Simulation Figure: Cyber Kill Chain by Lockheed Martin Cryton Page 7 / 22
Turn this ... Cryton Page 8 / 22
... into this Cryton Page 9 / 22
B&S tools Open source Metta Uber Local execution MITRE attack matrix DumpsterFire "Security Incidents In A Box!" Local execution Simulate infected hosts APTSimulator ... Commercial AttackI Q, Cymulate, Safebreach, ThreatCare ... https://www.esecurityplanet.com/threats/ breach-and-attack-simulation.html Cryton Page 10 / 22
Cryton Cryton Page 11 / 22
Cryton Description Cryton is being developed at CSIRT-MU as a part of KYPO project. It’s original objective was to automate some of Red Team tasks during CyberEx. Create JSON/YAML describing attack scenario Feed to Cryton Execute Wait... Read report Original thesis on https://is.muni.cz/th/cry3j/ Cryton Page 12 / 22
Cryton Attack scenario Plan - Stage - Step Plan has a start time Stage has a delta (diff from plan start time) Steps are organized into attack trees Successors based on success or string result Execution of attack module Sessions management (using msfrpc) Various attributes Cryton Page 13 / 22
Cryton Plan Plan contains a description of whole attack scenario . Name Owner (optional) Start time (optional) Slave List of Stages Cryton Page 14 / 22
Cryton Stage One logical part of attack scenario, typically oriented on one specific target . Name Delta (optional) Target (optional) Slave List of Steps Cryton Page 15 / 22
Cryton Step Step in context of Cryton is an execution of attack module . It might be a nmap scan, vuln scanner run or a metasploit module execution. Name Action (optional) List of Successors (optional) Target (optional) Slave Cryton Page 16 / 22
Cryton Session management Heavily depends on Metasploit framework msfrpcd + pyMetasploit Can create and use sessions create_session use_session vs use_named_session Shared throughout the Plan Cryton Page 17 / 22
Cryton Slaves Figure: Master - Slave Cryton Page 18 / 22
Cryton Attack scenario Figure: Example topology Cryton Page 19 / 22
Cryton Attack scenario Example Cryton Page 20 / 22
Cryton Execution Example Cryton Page 21 / 22
THANK YOU Ivo Nutár https://csirt.muni.cz/ @csirtmu nutar@ics.muni.cz
Recommend
More recommend