Feature Overview
By imitating hackers' thinking and working methods, this feature runs automated simulations of attack techniques and tactics based on the MITRE ATT&CK framework, allowing users to view various cloud security threats from an attacker's perspective. This helps users identify potential attack paths and the most impactful security threats. It also helps reveal shortcomings in security protection products and whether the corresponding security policies are properly configured, so that security resources can be used rationally to minimize cloud risks.
Use Cases
Efficient Penetration Testing
Automated execution of simulated attack tasks allows numerous known attacks to be tested extensively and makes operations easy and practical, reducing the workload for Ops personnel. The system provides penetration testing scripts based on the MITRE ATT&CK framework by default, including tactics such as information collection, vulnerability scanning, vulnerability exploitation, permission maintenance, and lateral movement, effectively imitating the behaviors of malicious hackers and real-world adversaries.
Accurate Comparison of Security Protection Product Reliability
After the simulation of attacks on the target system, go to the existing security protection products to check the corresponding alarm information. Compare the detection rates of multiple security protection products to test their reliability.
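The comparison described here (and again in Step 4) can be scripted once the simulated attack records and each product's alarms are exported. The following is an added example, not part of the CSC product: the record layout, the product names, and the rule of matching an alarm to a run by asset and a 5-minute time window are all assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real CSC or product output).
RUNS = [  # simulated attack records: (script, asset, start time)
    ("Shiro deserialization attack", "srv-a", "2024-05-01T10:00:00"),
    ("NC reverse shell attack", "srv-a", "2024-05-01T10:05:00"),
    ("Port forwarding attack", "srv-b", "2024-05-01T10:10:00"),
    ("Python reverse shell attack", "srv-b", "2024-05-01T10:20:00"),
]
ALERTS = [  # alarms exported from each product: (product, asset, time)
    ("product-1", "srv-a", "2024-05-01T10:00:40"),
    ("product-1", "srv-a", "2024-05-01T10:05:10"),
    ("product-1", "srv-b", "2024-05-01T10:10:30"),
    ("product-2", "srv-a", "2024-05-01T10:05:20"),
    ("product-2", "srv-b", "2024-05-01T10:45:00"),  # outside every run window
    ("product-2", "srv-b", "2024-05-01T10:20:50"),
]

def compare_products(runs, alerts, window_minutes=5):
    """Per product: detection rate, missed scripts, alarms matching no run."""
    window = timedelta(minutes=window_minutes)  # assumed correlation window
    parsed = [(s, a, datetime.fromisoformat(t)) for s, a, t in runs]
    report = {}
    for product in sorted({p for p, _, _ in alerts}):
        times = [(a, datetime.fromisoformat(t))
                 for p, a, t in alerts if p == product]
        detected, used = set(), set()
        for i, (_, asset, start) in enumerate(parsed):
            # An alarm counts for a run if it is on the same asset and
            # falls inside the window that opens when the script starts.
            hits = [j for j, (a, t) in enumerate(times)
                    if a == asset and start <= t <= start + window]
            if hits:
                detected.add(i)
                used.update(hits)
        report[product] = {
            "detection_rate": len(detected) / len(parsed),
            "missed": [s for i, (s, _, _) in enumerate(parsed)
                       if i not in detected],
            "unmatched_alerts": len(times) - len(used),
        }
    return report

if __name__ == "__main__":
    for product, row in compare_products(RUNS, ALERTS).items():
        print(product, row)
```

The `missed` list shows which simulated scripts a product raised no alarm for, and `unmatched_alerts` counts alarms that do not line up with any simulated run and need separate review.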
Installing the Attack Simulation Toolkit
Step 1: Querying the Toolkit Installation Status Corresponding to the Asset
1. Log in to the CSC console. In the left sidebar, click Assets.
2. On the assets page, select Servers to view the installation status of the simulation toolkit on the asset.
Step 2: Installing the Attack Simulation Toolkit
For assets without the attack simulation toolkit installed, you can see the following three installation methods:
Method 1: Manually Executing the Command
Log in to the target server and execute the corresponding command to download and run the attack simulation toolkit.
Method 2: Downloading and Running the Attack Simulation Toolkit via Tencent Cloud TAT by Executing Commands
Only assets with the Tencent Cloud TAT client installed are supported. After the command is executed via TAT, the attack simulation toolkit will be downloaded and run on the server.
Method 3: Downloading and Running the Attack Simulation Toolkit via CWPP Agent by Executing Commands
Only assets with the CWPP agent installed are supported. After the command is executed via CWPP agent, the attack simulation toolkit will be downloaded and run on the server.
On the assets page, select the target server assets. In the action bar, click More > Install toolkit.
Note:
Currently, only servers with Tencent Cloud's Linux operating systems are supported.
Step 3: How to Conduct Efficient Penetration Testing
Viewing Penetration Testing Scripts
On the breach and attack simulation page, you can view penetration testing scripts. The system provides multiple scripts by default, including tactics for information collection, vulnerability scanning, vulnerability exploitation, permission maintenance, and lateral movement, effectively imitating the behaviors of malicious hackers and real-world adversaries. On the breach and attack simulation page, click ATT&CK matrix at the upper right corner to understand the tactics and techniques associated with each script, or to learn about the scripts associated with a particular tactic or technique.
Selecting Scripts and the Scope of Assets for Simulated Attacks
2. In the simulated attack script pop-up window, select the scope of assets for this simulated attack. Check the Letter of Commitment, and click OK.
Note:
You can only execute simulated attack scripts on assets with the toolkit installed.
Viewing the Simulated Attack Record of the Script
On the breach and attack simulation > Simulated Attack Record page, you can check the execution status of the current script (successful, exceptional, stopped) through the script execution status, stop ongoing simulated attacks, and resimulate attacks.
Step 4: How to Accurately Compare the Reliability of Security Protection Products
After a successful script attack simulation, you can go to the existing security protection products to view the corresponding execution results of the attack simulation, such as T-Sec CWP. By checking the alarm content detected by the security protection products, you can identify any shortcomings and determine whether the corresponding security policies are properly configured. By comparing the number of alarms detected and the accuracy of the alarm content among multiple security protection products, you can evaluate their reliability.
FAQs
Why Did the Installation of the Attack Simulation Toolkit Fail?
Firewall interception: It is recommended to allow CSC backend server access addresses in the firewall policy. The public domain names are bas.tencentcs.com and csc-1300616671.cos.ap-guangzhou.myqcloud.com. The public network ports are 8001 and 443.
Network issues: It is recommended to check whether the network connection is normal, and try using another network. The attack simulation toolkit needs to be downloaded from the internet. If the network is unstable or the download speed is too slow, it may cause the installation to fail.
Permission issues: It is recommended to log in to the system using an administrator account or use the option Run As An Administrator to download/run the attack simulation toolkit. Downloading/running the attack simulation toolkit requires the administrator permissions. If the current user does not have sufficient permissions, it may cause the installation to fail.
System compatibility issues: Check the system requirements of the attack simulation toolkit to ensure that the current operating system and other software versions meet the requirements. The attack simulation toolkit may not be compatible with the current operating system or other software, leading to running failure.
What Is the Source for the System Default Script?
The system default script is based on the tactical phases in ATT&CK. You can see MITRE ATT&CK for more information. MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observation. The ATT&CK knowledge base is used as a foundation for developing specific threat models and methods by the private sector, government, and cybersecurity product and service communities.
System Default Script (Continuously Updated)
| Script | Description |
| --- | --- |
| Python base64 command attack | A simulator simulates a hacker using Python to decode a base64-encoded text string, which can be used to execute malicious code or steal sensitive information. |
| Examine password complexity policies | A simulator simulates a hacker checking the password complexity policy on a Linux system's console to understand the password requirements and limitations, which might be used to crack passwords or obtain access to the system. |
| Shiro deserialization attack | A simulator simulates a hacker exploiting a Shiro deserialization vulnerability to obtain remote command execution permissions on the target system, executing malicious commands to obtain system access or steal sensitive information. |
| DNS log information collection | A simulator simulates a hacker obtaining visitor IP addresses through DNS logs to track target user activities or perform other malicious behaviors. |
| Port forwarding attack | A simulator simulates a hacker collecting information about the target system's weaknesses and vulnerabilities, installing malicious software or exploiting vulnerabilities to maintain access to the target system, and using the Netcat tool with port forwarding techniques to bypass firewalls and other security products to execute commands or transfer files on the target system. |
| Private network lateral movement attack | A simulator simulates a hacker collecting host SSH information to understand the target system's SSH configuration and security, and using the Exploit Writing Toolkit (EW) to further attack other systems by exploiting an already compromised target system to obtain more sensitive information or control more systems within the private network. |
| User permission persistence attack | A simulator simulates a hacker transferring sensitive data from the target system to a server controlled by the simulator or elsewhere to obtain illegal benefits or cause losses. After reading sensitive information, the simulator writes malicious code to maintain access permissions to the target system, and clears various history records in the target system to hide attack traces or mislead investigators. |
| Malicious file execution attack | A simulator simulates a hacker writing malicious code into a file and executing the file to carry out the attack. The simulator collects SUID information on the target system and executes a Python reverse shell script on the target system. Upon receiving the connection from the target system, the simulator performs lateral movement to obtain more system permissions. The simulator then tampers with the file timestamps to hide attack traces or mislead investigators. |
| NC reverse shell attack | A simulator simulates a hacker collecting CWPP process information on the target system in an attempt to kill CWPP-related processes. The simulator uses the Netcat tool to execute a reverse shell command on the target system, connecting the target system's shell to the simulator's machine. Upon receiving the connection from the target system, the simulator can execute commands or obtain system permissions. |
| Python reverse shell attack | A simulator simulates a hacker understanding the vulnerabilities and weaknesses of the target system by collecting information. The simulator executes a Python reverse shell script on the target system, connecting the target system's shell to the simulator's machine. Upon receiving the connection from the target system, the simulator can execute commands or obtain system permissions. |
| Malicious lateral movement | A simulator simulates a hacker understanding the vulnerabilities and weaknesses of the target system by collecting information. The simulator uses the iox malicious tool for port traffic forwarding to control the target system. Then, using the permissions and features of the target system, the simulator further attacks other systems to ultimately obtain more sensitive information or control more systems. |