
Atomic Red Team: Testing Your Security Posture

BSides Boise · 2020 · 15:32 · Published 2020-02
About this talk
Michael Haag presents Atomic Red Team, an open-source framework that enables organizations to test their security defenses at the endpoint and network level by executing granular attack simulations mapped to the MITRE ATT&CK framework. The talk covers why continuous security testing matters, how to execute and measure technique coverage, and introduces tooling including YAML-based test definitions, PowerShell execution frameworks, and community-driven contributions.
Transcript [en]

Sweet, alright. My name is Michael Haag and I work for Red Canary. We created a project (thank you), we created a project last summer called Atomic Red Team, and the idea of the project is to help organizations test their security posture and focus on the endpoint, because we're an endpoint company. So what it is is a pretty open, it's an open source project, you can go and get it today, it's atomicredteam.io, download it and use it. So this talk is going to highlight a lot about that, and a little bit about myself as well. So again, my name is Michael Haag. I did not have a beard; the last year and a half we've been traveling the country. We lived in an RV for about 19 months. We actually just settled here in Boise, and this is where we've been, this is our map on our RV, and so we've been kind of all over the place, lots of different states, Maine and Florida. Our idea was to find a place where we want to settle and raise our kids, and so during that whole time we were working on Atomic Red Team and other things within the organization.

But where "atomic" comes from, and an overview of this talk: I'm just going to discuss why testing is important, some feedback and some roadblocks with that, and look at part of the tooling that we produce within the project itself, and hopefully at the end of this talk you walk away with the ability to test yourself within your own organization and see how your posture is, mapping into MITRE ATT&CK.

As part of our travel we went to, as you saw, almost every state; one of them was Nevada, and Nevada actually has the National Atomic Testing Museum. Has anybody ever been there? Awesome. Anybody ever traveled the country in an RV? So this museum is great. It highlights a lot of stuff I didn't even know about atomic testing, and what we did in the past, and how we tested our nuclear weapons and built things and blew all kinds of things up, and how we did it. And atomic testing for us is not meant to make the biggest explosion in your organization. With Atomic Red Team we're not saying call in the red team, call in or have your own APT, or your own internal pen test, or whatever it may be; we're not looking to blow it up. That over there is the Trinity test site; that's a picture from the museum, but Google the Trinity test site. It's out in New Mexico, it's out in the middle of nowhere, and they allow like once-a-year tours of the actual site, which at the time was the largest atomic bomb that had gone off. But we're not going to do that with an organization.

What we want to do is have more granular tests, more singular tests, where you're able to test a particular part of the MITRE ATT&CK matrix. Has everybody heard of MITRE ATT&CK? Okay. So MITRE came out with this ATT&CK framework; it has different tactics, and then underneath each tactic is techniques, and the technique can be PowerShell execution, it can be regsvr32, different things built in with Windows, Mac and Linux. You're able to test it, and with Atomic Red Team, with the way we mapped it, you'll see in a little bit, you can execute simple tests, just like they did with atomic testing. So instead of blowing them up on land, or stratospheric atomic bombs, they moved to underground atomic testing, and so they did about, I'm going to say, eight hundred and fifty different atomic tests underground. And so the idea is, within your organization, instead of calling in a pen test or red team, paying lots of money, you can use Atomic Red Team: you guys can execute it yourself, perform your own testing within your business. So the atomic test is a small one, an ATT&CK technique that you're able to pick. You want to focus on PowerShell this week? Get your team together, find some PowerShell techniques, different methods that people use out there, whatever you're seeing in the wild, go through that. They're all easy to execute. Most of the framework is filled out today; I think there's about two hundred, let me say two hundred and twenty techniques in MITRE ATT&CK, we have about 115, and each one is very important. And then also to be able to measure, because you want to be able to take this up to management and show them that you're running these tests, you're showing that we have coverage, little coverage or no coverage on these types of techniques. So that's kind of the goal in this project; it's helped me be able to take that to the top.

So testing your coverage is fundamental to improving your security outcomes. The idea is that you shouldn't have to pay 20, 30, 50 grand, or 10 grand, for a giant test to come in and tell you a point-in-time scenario about your environment. The idea is to continuously test your organization, understand what's being prevented coming in and then what's being prevented going out. So it's all open source and free and easy, right? You just need to build out a quick little lab and then you're more or less able to get started. So we all have significant investment in our products. I ran a Fortune 150 security program and it was a million-dollar program, tons and tons of money to blow and everything, but we did it: we took this approach of where do we need coverage, what's most important in our program, do we need to have a new product and we have to buy the product, is there something built in that we can use? And so that's kind of a lot of the path built into why we built Atomic. This resonates with everybody on the team who works with us.

So hope is a feeling, it's not a strategy. We all hope our products are working; we all hope they're preventing everything that they say they're going to prevent, with their AI, unicorns and everything like that, right? So this isn't my quote, but I feel really bad for these guys down there watching this atomic blast, right? Yeah, I just couldn't imagine. There's other pictures; if you ever Google atomic test pictures, it's super interesting, dudes just hiding behind cement barriers, with military out there. Some of the background images are from those as well. So how do I know it's working? Missing text there: you test yourself. So we need ongoing, iterative testing, objective measurement, low barrier for entry. Introducing Atomic Red Team. So it's open source, discrete tests, all mapped to the MITRE ATT&CK framework. Roberto Rodriguez produced a spreadsheet; you can find it, we have it on our blog, focus and whatnot. His spreadsheet covers how to hunt against MITRE ATT&CK, so hunting these types of techniques within your environment. So you're easily able to get that spreadsheet, execute these tests with Atomic Red Team, and then you're able to kind of go back and measure how good or how low you've covered your environment. So again, testing, super important.

Who's going to hop up, because this next one gets more cool. Alright, so this is our Atomic Red Team landing page, it's just atomicredteam.io, and you can see all the different links. We have our philosophy on there. We do have a Slack group, so if you're interested in just talking to people who are using it, how everyone's using the product, and then also just for discussion about new techniques. And yesterday, we do monthly webinars called Atomic Fridays, so yesterday we had our first, second Atomic Friday. You can join them, these little webinars, and learn; we're just talking about different techniques out there, what else is happening.

I'm going to drill in. This is what one of the techniques looks like. We've broken everything out into YAML more recently, yet another markup language. So what YAML allows us to do is for organisations and other people to consume all of our logic that we've built into Atomic Red Team, and there are markdown files, which is what we're going to drill into next. This is just T1117 on MITRE, and this is regsvr32. We pull in all the description data from ATT&CK, the ATT&CK framework, and then you have the ability to kind of continue down on that page. You see the three different tests that we provide for this; you can add as many more as you want, and that's a big contributor piece to this: this is highly community driven. We initially pushed this out with maybe 17 techniques built; the rest has been all community. And one time the community, one of them opened an issue saying hey, your guys' matrix is out of date. We were updating the matrix by hand. Guy opens the issue, you need to update the matrix, they have pushed out like 30 new techniques, and we're just like okay. I was on vacation, Casey was just kind of staring at it, and I'm like give me a minute, it's all manual. So anyway, the YAML will help out with all the automation of building these things out.

Again, you can execute these in any kind of automation platform you have. You can literally copy and paste this into your command line, execute it. Did your AV trigger? Did your firewall detect that Mimikatz coming down? Any other product you can think of, did anybody see this happening? That's kind of the cool part. A lot of people think it's very endpoint focused; I would start to challenge you to look at it from the network side. Some of these things are actually downloading cool payloads, and today AV products are starting to just flag Atomic Red Team because there's a lot of interesting things written in there, right? It doesn't have to be hard; it can be just as simple as this tweet says it is. This is Keith, he's one of our co-founders. How do you approach testing? Just pick a technique, execute one of them, and just see what happens. He even produced like a simple little spreadsheet at the bottom of his tweet. Just make a simple spreadsheet, you start tracking it based on ATT&CK techniques, whether you detected it or not, whether any of your products saw it, or anybody telling you about it. Probably the most interesting is like, given an MSSP, and you go through two different ATT&CK techniques: phone call? Anybody email you about it? Get tickets? More recently we saw another vendor picking up Atomic Red Team, just somebody accessing the webpage, not even downloading it; they're starting to flag people going to it.

You can also level up: chain reactions. This is an RV I saw out in Nevada. This thing is awesome, it even has a trailer in back, but I think he sleeps in here and it just rolls up, it's super sweet. So what we call chain reactions is just the ability to take different parts of your techniques. So you want to run a PowerShell, you want to run regsvr32, you want to do some other things, some account enumeration and some net commands, whatever it may be. It's just like putting Legos together, maybe like this heartbeat, but it's just like this. This is a simple chain reaction: all we're doing is like a basic for loop doing some account enumeration across the network. That just generates telemetry, or traces as we call them. Then down here we try to outline everything within the table, actually, so you know what you're getting. So the tactic is discovery; the technique is looking for different AV products, right, and this is generating those traces, that telemetry, within your environment. You know, are you looking for people enumerating your security software? Are you picking up the fact that somebody is querying your domain controller out there, running net use commands, pulling all this telemetry? You know, are you getting all those event logs? Are you getting all those? Those are all very interesting points to be looking for.

The other thing we recently pushed out was this Roll the Dice. You can use this with chain reactions. If you're just, I don't know where to begin with Atomic Red Team, I just want to do the copy-paste method, super awesome, you can go to atomicredteam.io, slash roll the dice, I think it's slash something-or-other for some reason, but go to Roll the Dice, you click the button, it will give you a new technique of the day. You just keep clicking it, you'll get more and more, you can start building out your chain reaction in a batch file, PowerShell script, it's that simple, or just your copy-paste method, just run it and see what happens.

Then more recently, the last few months, Casey, and just mostly Casey, and a couple guys internally built out the PowerShell framework for Atomic Red Team. It's called Invoke-AtomicRedTeam. This allows for execution and generation of the tests from all the YAML files. So you want to just generate all the tests, you can copy and paste them straight from command-line output to a text file, whatever you want to do; you can generate, or you can actually just execute. In this example you just want to execute T1117, the red circled area; it'll execute regsvr32, it immediately pops your calculator, and you can modify the test however you want to pop something else, or actually, so very easy to do with the PowerShell framework. There is also a Python framework that you can run, very similar pattern; it'll generate the tests and execute the tests. Obviously, there are other products out there, or other open-source projects out there, like Metta from Uber. Metta is another one that Chris Gates had generated, which uses, I think at the time he wasn't using our YAML file, but that was one of the main reasons why we went to YAML, so that he could begin to ingest them into his product. There are enterprise products out there as well, so if you want to do enterprise testing you can deploy agents; agents will execute everything for you, it'll pull back all that telemetry, very similar. So this is the open source method, and you can see the communities where they're growing.

So the biggest thing is always be testing. We can't trust everything we hear; there's so much marketing out there in this industry, and if you go to more cons than this you'll see a lot of it, right? So the biggest thing is just try it, run it, see what happens. Write down what you have in your security stack, what you think should be alerting within your environment, pull down some Mimikatz and just see what happens, does anybody alert on it. And we're constantly pushing and publishing new things, different hypotheses or just different ways to run parts of Atomic Red Team, on our blog and whatnot, so highly recommend checking it out. And join us: if you feel that there should be something added to Atomic, just add it, do a pull request, ship it over, open a GitHub issue, tell us on Slack, whatever it may be. We're here to help, we are all atomic. Yeah, atomicredteam.io, our Red Canary blogs down here as well; you can subscribe, they'll ship you Atomic Red Team emails. But yeah, that's all there is.

[Applause]
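The talk describes three mechanics without showing code: atomic tests defined in YAML with input arguments, the PowerShell framework rendering and executing them per technique, and "chain reactions" that string several atomics together and are then tracked in a simple spreadsheet of what was prevented or detected. The following is an added example, not code from the Atomic Red Team project or from the speaker. It mirrors the YAML layout as this example assumes it (`attack_technique`, `atomic_tests`, `supported_platforms`, `input_arguments`, `executor`, and `#{name}` placeholders) using Python dicts so it runs without a YAML library; the two technique definitions and their discovery commands are constructed samples, and the functions only render strings, they execute nothing.

```python
"""Render atomic-style test definitions into commands, assemble a chain
reaction for one platform, and record what the defender saw per test.

Added example, not Atomic Red Team project code. The dicts below mirror the
atomic test YAML layout as assumed here; commands are constructed samples.
"""
import re

# Atomic tests write inputs as #{name}; defaults live under input_arguments.
PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")

# Constructed sample definitions: two discovery techniques, three tests.
SAMPLE_DEFINITIONS = [
    {
        "attack_technique": "T1087",
        "display_name": "Account Discovery",
        "atomic_tests": [
            {
                "name": "Enumerate domain accounts with net",
                "supported_platforms": ["windows"],
                "input_arguments": {
                    "group": {"description": "Group to enumerate",
                              "type": "string", "default": "Domain Admins"},
                },
                "executor": {
                    "name": "command_prompt",
                    "command": 'net user /domain\nnet group "#{group}" /domain',
                },
            },
            {
                "name": "Enumerate local accounts",
                "supported_platforms": ["linux", "macos"],
                "input_arguments": {},
                "executor": {"name": "sh", "command": "cat /etc/passwd"},
            },
        ],
    },
    {
        "attack_technique": "T1518.001",
        "display_name": "Security Software Discovery",
        "atomic_tests": [
            {
                "name": "Query installed AV via WMI",
                "supported_platforms": ["windows"],
                "input_arguments": {},
                "executor": {
                    "name": "command_prompt",
                    "command": "wmic /namespace:\\\\root\\securitycenter2 "
                               "path antivirusproduct get displayname",
                },
            },
        ],
    },
]


def render_command(test, overrides=None):
    """Fill each #{name} from overrides first, then from the argument
    defaults. A placeholder with no value is a defect in the definition,
    so it raises instead of leaving '#{...}' in the command."""
    overrides = overrides or {}
    args = test.get("input_arguments", {})

    def fill(match):
        name = match.group(1)
        if name in overrides:
            return str(overrides[name])
        if name in args and "default" in args[name]:
            return str(args[name]["default"])
        raise KeyError(f"no value for input argument {name!r}")

    return PLACEHOLDER.sub(fill, test["executor"]["command"])


def build_chain(definitions, platform, overrides=None):
    """Select every test that supports `platform` and render it, in
    definition order: one entry per atomic with the technique it maps to,
    ready to paste into a batch file or a tracking spreadsheet."""
    chain = []
    for technique in definitions:
        for test in technique["atomic_tests"]:
            if platform not in test["supported_platforms"]:
                continue
            chain.append({
                "technique": technique["attack_technique"],
                "technique_name": technique["display_name"],
                "test": test["name"],
                "executor": test["executor"]["name"],
                "command": render_command(test, overrides),
            })
    return chain


def coverage_rows(chain, observations):
    """Produce the per-test rows the talk's spreadsheet tracks:
    (technique, test, prevented?, detected?). `observations` maps a test
    name to the set of outcomes the defender saw, e.g. {"detected"}."""
    rows = []
    for entry in chain:
        seen = observations.get(entry["test"], set())
        rows.append((entry["technique"], entry["test"],
                     "prevented" in seen, "detected" in seen))
    return rows


if __name__ == "__main__":
    for entry in build_chain(SAMPLE_DEFINITIONS, "windows",
                             {"group": "Enterprise Admins"}):
        print(f"# {entry['technique']} {entry['test']} ({entry['executor']})")
        print(entry["command"])
```

The chain is built per platform so a Linux host never receives the Windows `net` commands, and overrides are applied at render time rather than by editing the definition, which keeps the shared test file stable while each run varies its inputs. The coverage rows are the artefact to hand to management: the same technique id on every row lets detections be rolled up to the ATT&CK matrix.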