When you think about offensive security work, what comes to mind?
Hackers? Red team operations? Penetration testing? Purple team assessments? Adversary emulation?
What does each have in common? To complete them you execute various adversarial actions against a computer/server/network/person to find, and potentially exploit, vulnerabilities.
When talking about vulnerabilities, I don’t mean just CVEs. I am also including human vulnerabilities, like a person’s habit of clicking arbitrary links in emails, or configuration vulnerabilities, like a sysadmin using a default password by mistake.
Ok, so this begs the question: what exactly is an adversarial action?
An adversarial action could be:
Using a piece of malware. Adversaries write malicious software and use it to attack systems. This malware (over time) will be caught and tracked by security researchers and then those working in offensive security will use defanged versions of it within security assessments.
Using a system command. Each major operating system, like Windows or MacOS, have built-in terminals that allow for a wide-array of powerful commands. These shell languages, such as bash or PowerShell, can be used in security assessments to test the defensive team’s (or products) ability to detect malicious behavior.
Looking for a misconfigured piece of technology or taking advantage of a known vulnerability in a software version.
Each of these actions have something in common: they’re reactive. Known adversarial actions are categorized inside frameworks like Common Vulnerabilities and Exposures (CVE), the Atomic Red Team project, our own Community repository or online databases like ExploitDB.
Because they’re categorized, defensive tools - such as EDR or AV - are able to easily hook into them and apply detection or response actions against them when they’re seen. For example, a known piece of malware will be signatured and when it’s seen in the wild it’ll be immediately quarantined.
This is great from the defensive tooling perspective but being reactive doesn’t get you in front of the attacks a real adversary will launch tomorrow.
When performing a security assessment, you should look at it from two perspectives: reactive and proactive.
To catch the proactive actions, consider the following:
If you’re at point A, what is the best way to get to point B?
Consider point A is your initial access (foothold) on a target system and point B is your need to exfiltrate a currently unknown text file full of passwords from the computer back to your command and control center.
You may find a piece of malware that - in one swoop - can locate all text files on a computer and exfiltrate them in a batch. However, this piece of software may have been signatured by VirusTotal and the defense is capable of detecting your use of it.
So you may opt to run a series of individually benign actions that a defensive tool can’t distinguish between good and bad. At Prelude, we call this series a “chain” and every action inside it a “link.”
Did you know we’re also the developers of the MITRE CALDERA (v2) framework, where we first published this concept?
In this case, you may have a chain that contains the following links:
Locate all text files on the computer
Download a password dump file from the Internet, such as the popular rockyou.txt file, which holds millions of real passwords from public dumps.
Match the words in each text file with the password dump file and look for a high correlation of known passwords to text strings in order to determine which files likely contain passwords.
Exfiltrate only the files with a high correlation.
So the best way to get from point A to B is not necessarily a straight line. It could require you going through points C, D, E and F first, as you launch a series of individually benign actions that all link together to create the same output as if I had used the known piece of malware.
Modern defensive tools struggle to catch this type of adversarial behavior because it’s difficult to gauge bad from good. Triggering detection rules on benign actions creates too many false positives, so adversaries take advantage by creatively linking the benign actions together in a chained attack.
At Prelude, we take this a step further by invoking our autonomous planning engine behind the scenes, which handles the linking of all your actions automatically.
So instead of running each action and manually evaluating the responses in order to determine the next link, our planning engine will parse out any indicators of compromise (among other things) and link your attack for you immediately.
Let’s look at this in the above chain:
Locate all text files on the computer
This will output a list of absolute paths to text files.
Download a password dump file from the Internet, such as the popular rockyou.txt file, which holds millions of real passwords from public dumps.
This will not output anything.
Match the words in each text file with the password dump file and look for a high correlation of known passwords to text strings in order to determine which files likely contain passwords.
This will output a filtered version of the text file list from step #1.
Exfiltrate only the files with a high correlation.
This will not output anything.
If you were to run this chain within the Operator C2, you would watch it run end-to-end automatically connecting the output of each link to the input of links further down the chain. This autonomous chaining removes the need for you to evaluate each response and manually connect the dots to the next links you can run.
Instead, you can focus on the larger goal of each chain and run (and quickly re-run) each in order to do end-to-end proactive security assessments.
We believe that combining reactive and proactive security testing will make your defense stronger.
So what happens if your defensive team or product(s) fail to catch various chained attacks? Tune them. Instead of relying on annual red team operations, which may use a variety of proactive and reactive attacks, run a chain every week to see how your defense reacts and then make the appropriate adjustments.
Continuously test. Continuously tune.
At Prelude, our mission is to make security accessible to more people and more organizations. This includes taking advanced topics, such as proactive security assessments, and distilling them into simple, bite-sized ways to apply them.
Every Tuesday, we publish a new chain of TTPs, containing anywhere from 1 to 10 links, to those with Professional Operator licenses. We call this #TTPTuesday. We hope these chains help you form the habit of continuous security testing at your organization and if we’re lucky, even give you the confidence to start writing your own custom chains.
Join the discussion in our Discord server.