Holding yourself ransom
A real-world use case for simulating ransomware with Prelude Operator
The primary use case for the Operator platform is to make red team technology more accessible. There are other cases, such as being a supplemental tool for advanced red teams or a training tool for SOC analysts, but accessibility is the number one goal.
Red teams are expensive and inconsistent. And oftentimes, a red team is called in to conduct a security assessment after conclusions have already been drawn. But it doesn’t have to be that way. There are several ways to use Operator as your internal red team for free, or for a fraction of the cost of manual testing.
Let’s work through a simple, real-world Operator scenario.
You are the systems administrator for a 50-person accounting firm. You handle all the individual laptops for the employees, maintain the backend servers and set the security policies to ensure the staff stays safe.
You have antivirus running on all the devices at your firm, with the results piped to a central dashboard so you can track any malware or malicious activities that pop up.
If you are really on your game, you run occasional vulnerability scans to ensure all the critical software installed on employee devices is up to date, or at least that none of it has significant vulnerabilities in the installed version.
Despite these measures, you are still nervous about getting hacked. You know some employees click on links they shouldn’t. They go to websites that may be shady. They plug in USB drives from home. They’re human beings, and human beings can be hacked.
Your goal is simple: find a tool that:
Can run periodically - and autonomously - to flush out the real security holes you have, beyond the scope of antivirus.
Does not create more work for you to maintain yet another thing.
Gives you actionable recommendations that help you secure your organization.
Fits within your budget.
You set out to find such a tool and come across Prelude Operator. After installing it from the website, you open it up, register for an account and log in.
Three minutes later, you’re staring at the dashboard, thinking ok, how can I achieve my goals?
Step #1: Get permission
Before you start testing, your first step should be to determine cadence. How often do you want to run red-team engagements at your organization?
In most large organizations, including the military and giant tech firms, running assessments 1-2 times a year is customary - but only because they are so expensive and time-consuming. Operator removes those constraints, so you can up your game and assess more frequently.
Let’s aim for once per quarter.
With that determined, the next step is to get permission. Sure, you are “the” IT person for the company, but since you’ll be doing advanced white-hat hacking, getting the OK from the highest levels in your organization is a must.
Step #2: Build your adversary
As you are getting the OK to conduct your first assessment, it’ll be helpful to pass along what the goals of the assessment will be.
Click into the Emulate section in order to create a profile. As we reviewed earlier, adversary profiles are collections of tactics, techniques and procedures (TTPs). These are individual hacks which, when combined, create advanced hacking missions.
Click + to build a new profile, then open the tags drop-down and select a pre-built option.
Let’s say you want to test your organization's ability to defend against and respond to a ransomware attack. Selecting the “ransomware” tag filters the list down to only the relevant procedures. Go through and click ADD on each visible procedure to build your adversary.
Have the professional license? You should spend the time reading the included training manuals for each TTP so you can learn along the way. The more you learn the ins-and-outs of what you’re doing, the better you’ll be able to protect your organization.
Once complete, click the X to close the window, then give your adversary a descriptive name; let’s call this one “The Encryptor”.
Step #3: Deploy your agents
Next, we need to deploy an agent on a select number of employee laptops.
You have two options when it comes to this: with or without the employees’ knowledge. Because this is your first assessment, we will go the former route. There is no reason to make enemies of co-workers by autonomously testing their computers without their knowledge, even if it is for their own benefit at work.
Now, for this part, we want a realistic test. Most adversaries attacking a network do not have access to everyone’s laptop; they infiltrate a few people and then try to spread. We need to simulate this behavior.
Pick a few employees, talk to them about the exercise and, together with your company leadership, determine who would be best to participate. Since we settled on a quarterly cadence, plan on rotating the “initial foothold” employees each time, so that the results cover more of the organization over the year.
Look to perform this test on ~5-10% of your employees per assessment. Since you have 50 employees at your accounting firm, we’ll look for 3-5 to help with this exercise.
Once you have your chosen employees, ask what operating system they use for their work computers. Then, in your Operator, navigate to the AgentLibrary plugin and download a Pneuma agent for each operating system you will be running the assessment against.
Put the Pneuma agent file(s) on a USB drive and go to each employee and start the agent, ensuring it connects to your Operator desktop application.
If the connection fails, ensure the computer running the agent has network connectivity to the host/port of your Operator instance. This is a requirement for continuing. You can either connect directly or use the reverse-SSH tunnel described in a prior chapter to establish connectivity.
Don’t forget to serve your Operator desktop app on all interfaces (0.0.0.0). You can make this change in the Settings section, if you haven’t yet. This enables remote agents to connect to your Operator instance.
Here is what it would look like to start the agent on a Windows computer, assuming your Operator IP address is 184.108.40.206:
./pneuma.exe -address 184.108.40.206
Back in your Operator desktop app, you should see all agents beaconing in through the Emulate section, after selecting the “red” range.
Step #4: Launch an attack
Now comes the fun part, launching the attack.
From your Emulate section, with the “red” range selected, click DEPLOY on your “The Encryptor” adversary. Depending on several factors, such as network speed and time to execute each procedure, the adversary may take anywhere from a few seconds to several minutes to complete. You may see the agents flicker between green/orange on the left panel during the test.
Once all agents are stable at green, you know the operation is over. You can instruct the employees to stop their agents, or you can go to each employee and delete the agent for them.
Step #5: Analyze the results
With the assessment over, you can click into the Report section. After filtering by range and dates, you should see a full report of what occurred during the test.
Depending on what actually happened during the assessment, your results will differ drastically from what you see here.
Operator automatically creates an executive summary based on what happened and shows it to you here. Using this information, you can make determinations about what security solutions you need to implement - whether technology (improved antivirus) or process (stop employees from using plain-text passwords).
If you have a paid license, you will see actionable (prevention and detection) recommendations.
You’re done. Next quarter, you can build a new adversary, maybe using The Encryptor again, or maybe you’re interested in running a Surveillance adversary that records microphones and video calls and attempts to collect critical data right from under an employee's nose.
With Operator, there are several use cases centered around autonomous red teaming. Here, we walked through a simple case for a small business wanting to leverage the power of red team tech without the hefty price tag. There will always be a need for manual red teaming at the highest levels, but with Prelude Operator more people, including small businesses, can reap the rewards.
Our mission is to make this technology more accessible to more people. We hope you take it for a spin and let us know how it's helping you!