A look at an open source tool from DataDog that looks to visualise a system’s Security Posture and remediate any gaps found against the MITRE ATT&CK® framework.
Security tooling for the new age
In this day and age, Security and InfoSec teams are coming out of their ivory towers and even starting to move with their development teams. The modern, fast-paced security environment is defined by its incorporation of the same tool chains that have powered developers in their agile environments for the last decade, and DevSecOps is thankfully becoming more and more prevalent within the industry to cope with the new challenges. In this article, we hone in on some tooling to provide some ideas for your own infrastructure.
What is Stratus Red Team?
From the team at DataDogHQ, the Stratus Red Team project looks to go a step further than the Atomic Red Team project, which provides an array of tests to compare your infrastructure against the MITRE ATT&CK® Framework. As well as providing working exploits for some of the framework's techniques, it can be extended with a little bit of Go knowledge to create a more holistic attack platform and prove the security of your environment.
How can Stratus Red Team be used?
At its most basic, the Stratus Red Team project is a well-contained suite of tests that allows you to measure your security posture. Its modular approach allows users to extend its attack repertoire and even contribute back to the community, so that more of the MITRE ATT&CK® Framework can be covered for the variety of topologies in use today.
With its simple UI and concepts, it is easy to use as an ad hoc tool or as something to add to your CI/CD environment to run the suite of behaviour tests against your environment. It can also be used to gain an understanding of potential threats to your Cloud Environment arising from changes within the infrastructure, mapped to a commonly understood framework.
Adding your own customizations
Since the project is Open Source, it would be good (where possible, of course!) to contribute back to this cool little project, especially as customization has been made extremely simple with a little bit of Go knowledge.
Just clone the project and add your use case under the “internal” folder. Two interesting directories are nested:
- The attacktechniques directory is where we will store our attack scenarios.
- The providers directory will contain the code necessary to interface with the target(s) on which to run the listed techniques.
At present, only AWS and Kubernetes are supported, but this could be expanded to cover Azure or Google Cloud Platform and perform similar duties.
To create your first attack technique, clone down the project and direct your IDE to /internal/attacktechniques/ then choose the type of technique you are going to create and make a folder to hold your code.
Create a main.go file containing an “init” and a “detonate” function.
The init function interacts with the main program to display detailed information about the attack technique and describe its usage.
The detonate function is where we code our payload, running the attack against the system and returning nil to the parent function when the operation has succeeded.
Don’t forget to declare any variables and imports your customization needs (you will require the internal packages for obvious reasons!).
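The following is an added, self-contained illustration of the pattern described above, written for this article rather than taken from the Stratus Red Team code base: an init() function registers a technique with a registry, a detonate function carries the payload and returns nil only on success, and a Provider interface stands in for what the providers directory supplies. The type and function names (Platform, Provider, AttackTechnique, Register, Detonate, RecordingProvider), the detonate signature and the technique ID are all assumptions made for the example; the project's own internal packages differ, and this block does not import them, so it compiles on its own.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model of how a technique plugs into a Stratus Red Team style
// registry: init() registers it and detonate returns nil on success. All names
// here are assumptions made for this article, not the project's own types.

type Platform string
const PlatformAWS Platform = "AWS"

// Provider stands in for the "providers" directory: the glue between a
// technique and its target. Call performs one named action against it.
type Provider interface {
	Platform() Platform
	Call(action string, params map[string]string) error
}

type DetonateFunc func(params map[string]string, p Provider) error

// AttackTechnique holds what the main program displays and what it invokes.
type AttackTechnique struct {
	ID                 string
	Description        string
	Platform           Platform
	MitreAttackTactics []string
	Detonate           DetonateFunc
}

var registry = map[string]*AttackTechnique{} // filled by init() functions

// Register validates a technique and stores it; incomplete or duplicate
// techniques are rejected so a broken plugin fails fast at startup.
func Register(t *AttackTechnique) error {
	if t == nil || t.ID == "" || t.Detonate == nil {
		return errors.New("technique needs an ID and a Detonate function")
	}
	if _, dup := registry[t.ID]; dup {
		return fmt.Errorf("technique %q already registered", t.ID)
	}
	registry[t.ID] = t
	return nil
}

// Detonate runs a registered technique, refusing a provider for another platform.
func Detonate(id string, params map[string]string, p Provider) error {
	t, ok := registry[id]
	if !ok {
		return fmt.Errorf("unknown technique %q", id)
	}
	if p.Platform() != t.Platform {
		return fmt.Errorf("technique %q targets %s, provider is %s", id, t.Platform, p.Platform())
	}
	return t.Detonate(params, p)
}

// RecordingProvider is a constructed provider that records requested actions
// instead of calling a cloud API, which also shows what a detection rule must match.
type RecordingProvider struct {
	Plat    Platform
	Actions []string
}

func (p *RecordingProvider) Platform() Platform { return p.Plat }
func (p *RecordingProvider) Call(action string, params map[string]string) error {
	p.Actions = append(p.Actions, action+" region="+params["region"])
	return nil
}

// init runs when the package loads, which is how a new main.go under
// attacktechniques makes itself known to the main program.
func init() {
	if err := Register(&AttackTechnique{
		ID:                 "example.aws.discovery.enumerate-storage", // placeholder, not a real technique ID
		Description:        "Illustrative read-only discovery step used to exercise the registry.",
		Platform:           PlatformAWS,
		MitreAttackTactics: []string{"Discovery"},
		Detonate:           detonate,
	}); err != nil {
		panic(err)
	}
}

// detonate is the payload: validate input, ask the provider to act, and
// return nil only when the operation succeeded.
func detonate(params map[string]string, p Provider) error {
	if params["region"] == "" {
		return errors.New("missing required parameter: region")
	}
	return p.Call("ListStorage", params)
}

func main() {
	prov := &RecordingProvider{Plat: PlatformAWS}
	err := Detonate("example.aws.discovery.enumerate-storage", map[string]string{"region": "eu-west-1"}, prov)
	fmt.Println("error:", err, "recorded actions:", prov.Actions)
}
```

Registering from init() means a new technique only has to live in a folder under attacktechniques and be imported for the main program to list it; the registry rejects duplicates and incomplete techniques so a mistake surfaces at startup, and the platform check stops an AWS technique from being pointed at a provider for a different target. The recording provider is the piece a detection engineer can reuse: the actions it records are exactly the events a rule for the technique needs to match.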
There is much more customization possible within this little project, but it is beyond the scope of this article. I encourage you to take a look through the code base for yourself to discover further customizations, such as the elegant way it handles Terraform to deploy prerequisites.
Proving your security posture
As the MITRE ATT&CK® Framework and this tool grow, it could provide a simulation of possible attacks, demonstrate how the environment will react, and provide a contained bundle of both code and results to illustrate how an enterprise is actively maintaining its security posture.
With the common language provided by the Attack Matrix, it links to a wide range of detailed documents that auditors can validate for themselves, which could help already overburdened InfoSec teams operate more efficiently by offloading much of the boilerplate administration that has already been done.
Give Stratus Red Team a try!
Head on over to https://github.com/DataDog/stratus-red-team, clone the repository yourself and see what it might uncover in your environment!
Paul Hardy is a Principal Systems Developer at Cloudreach with a passion for Offensive Security. Having worked with Cloudreach for almost a decade, he has built up expertise over a wide range of technologies, often finding new and creative ways to improve the security for Cloudreach’s customers. Contact us to learn more.