[PYTHON] Introduction of cyber security framework "MITRE CALDERA", function outline, operating environment construction
Introduction of cyber security framework "MITRE CALDERA": Functional overview / Operating environment construction
| Red team screen | Blue team screen |
|---|---|
 |
 |
- The above image is the web client screen of MITER CALDERA version 2.6.6.
Introduction
Effect
My job is cyber security research, and I am particularly interested in human resource development. During my research, I came across an OSS (open source software) called "MITRE CALDERA" and it was a promising tool that could be used for human resource development, so I would like everyone to know, use, and make this article. writing.
Constitution
Since there are many introductions, I will introduce them in the following four articles.
- Function overview / Operating environment construction (this article)
- How to use: Red team edition
- How to use: Blue Team Edition
- How to use: Training
Glossary:
- Red team: A team that simulates a cyber attack
- Blue Team: A team that responds to cyber attacks (incidents and responses)
Target person
- People who are interested in cyber security
- People who are interested in cyber security human resource development
- People who are interested in plug-in programming
Caution / Disclaimer
This article includes a way to simulate a cyber attack. The purpose of this is to confirm, examine, and improve what kind of events will occur due to cyber attacks and how to deal with them, and to utilize them for cyber security human resource development. Create a closed network environment so that it does not affect other systems or networks. If you do this for someone who does not have permission, it will violate laws such as the Unauthorized Computer Access Law, so please do not do so.
The content of this article is my personal opinion, not the official opinion of the organization to which I belong. The author and the organization to which he belongs are not responsible for any trouble, damage, or damage caused to the user or a third party by trying what is described in this article.
Overview introduction
What is MITER CALDERA?
MITER CALDERA is a "cyber security framework" that provides various functions as plug-ins. It is a tool that is characterized by simulating (emulating) cyber attacks using the cyber attack technology and attack scenarios that were actually used. The US MITER Corporation has released OSS under the Apache license. The main functions provided are listed below.
- Simulate a cyber attack
- Observe the events caused by cyber attacks, consider how to deal with them, and deal with them.
- Check if cyber attacks can be detected automatically, and improve so that they can be detected and dealt with automatically.
The above functions can also be executed automatically based on the scenario prepared in advance. We support security improvement and human resource development with the following work loop.
MITER CALDERA related projects
MITRE is a non-profit organization (NPO) in the United States, a variety of projects that generate public interest and innovative ideas for industry and academia through the operation of a US government-funded research and development center (FFRDC) and private partnerships. there is. Please see the MITER website for details. https://www.mitre.org/about/corporate-overview
Here are some related projects you should know about using MITER CALDERA:
- MITRE ATT & CK: Knowledge base of cyber attack technology
- MITRE ATT & CK NAVIGATOR: A tool for visualizing and extracting MITER ATTACK information.
Functional overview
The main body of MITER CALDERA is a Python script that provides a Web service by incorporating a plug-in. The basic functions of MITER CALDERA are provided as plug-ins. The plugin is also a Python script. MITER CALDERA is a project that started in 2017, but it has been updated frequently these days, and new feature plugins are being added actively. You can also incorporate plugins created by other projects. (See Comment) Some plugins are disabled immediately after installation, but you can enable them from the Configure menu.
Basic plugin function
The following is a list of MITER CALDERA version 2.6.6 plug-ins released on March 20, 2020.
| Plugin name | Valid version | Standard valid | Description |
|---|---|---|---|
| sandcat | all | ◯ | Agent, RAT/BOT |
| stockpile | all | ◯ | Basic scenario |
| compass | 2.5 | ◯ | Scenario creation |
| response | 2.5 | ◯ | Incident response scenario |
| terminal | 2.6 | Reverse shell terminal | |
| gameboard | 2.6 | ◯ | Red team vs blue team score display |
| mock | all | × | Pseudo agent |
| ssl | all | × | HTTPS proxy |
| access | 2.6 | × | Remote access settings |
| atomic | 2.6 | ◯ | Scenario prepared by the Atomic Red Canary team |
MITER CALDERA Agent
When simulating a cyber attack with MITER CALDERA, it starts from the state of being invaded by the terminal. We will not search for vulnerabilities and invade them. It is the MITER CALDERA agent that creates the state of being intruded into the terminal. It is a program commonly called RAT (Remote Access Trojan). You can download several agent programs by accessing the MITER CALDERA server. Select and download the appropriate agent according to the OS and purpose, or copy and paste the script to execute the agent. The agent connects to the MITER CALDERA server and executes the remote control command instructed by the server.
Operating environment construction
You can follow the instructions in the README.md file in the GitHub repository, but there are some confusing parts, so I will explain it.
Required environment / tools
OS
- Linux or MacOS
When I installed it on my MacOSX Catalina, the installation shell script ended with an error and I couldn't install it. We recommend that you install Linux in a virtual environment such as VirtualBox and run it in that virtual environment. Please refer to other people's articles for how to build a virtual environment.
Required tools
- git command
- Python Version 3.6.1 or later
- Google Chrome web browser (currently only Google Chrome is guaranteed to work)
Please refer to other people's articles for how to install each tool.
Installation procedure
The latest version of MITER CALDERA is 2.6.65, but since the training plugin only works with 2.6.6, here are the steps to install 2.6.6. Execute the following command on the shell terminal.
$ git clone https://github.com/mitre/caldera.git --recursive --branch 2.6.6
$ cd caldera
$ sudo ./install.sh
During the execution of install.sh, the Python virtual environment and the required Python modules will be installed in the virtual environment. At the end of the message, you will see that you can start the web service by doing the following:
Web service startup procedure
$ source calderaenv/bin/activate
$ python server.py
The web server starts and waits for access from the web browser.
Web login procedure
Launch the Google Chrome web browser on the host where you launched the web service and enter http: // localhost: 8888 / in the URL field to access the MITER CALDERA server.
When accessing from another host, change the localhost part to the IP address of the host that launched the web service.
There are two types of login accounts. Select the user name according to the purpose.
| User name | password | Use |
|---|---|---|
| red | admin | For red team Attack scenario execution. Check attack detection and countermeasures |
| blue | admin | For blue team Defensive scenario execution. Perform Incident & Response |
Depending on the user name, the background image and tool name will change as shown in the first image of this article. (In MITER CALDERA version 2.6.64, only the color of the window frame is different.) You can use various functions from the menu.
How to exit
Type CTRL + C on the terminal running the python script on the MITER CALDERA server and exit the python script with.
Uninstall procedure
Delete everything under the git clone directory. The Python virtual environment will be deleted as well.
at the end
This concludes the functional overview and operating environment construction. If you are interested, please install and touch it. Regarding how to use it, we are planning to release the red team edition, blue team edition, and training edition. I hope you look forward to it.
Reference material
Official site
- GitHub repository
- Documentation
- Tutorial video (MITRE CALDERA 2.6.2)
- Introduction to MITER CALDERA
- MITRE CALDERA Project Introduction (October 2019)
Security conference presentation materials / videos
- Black Hat Europe 2017: CALDERA: Automating Adversary Emulation (PDF)
- Black Hat Europe 2017: CALDERA: Automating Adversary Emulation (Video)
- 2018.01.03 CALDERA automated cyber adversary emulation system - mitrecorp
- 2019.03.06 Live Adversary Simulation: Red and Blue Team Tactics - RSA Conference
- 2019.06.19 BSides London: The Imitation Game: Emulating Attackers - Wietze Beukema
- 2019.10.10 BruCON 0x0B: Automated adversary emulation using Caldera - Erik Van Buggenhout
- 2019.11.04 MITRE Tech Talks: CALDERA
External plugin
- ATT & CK Evaluations Round 1: APT3 Attack Scenario
- ATT & CK Evaluations Round 2: APT29 Attack Scenario