CALDERA: Automating Adversary Emulation

Presented at Black Hat Europe 2017, Dec. 7, 2017, 10:15 a.m. (60 minutes)

Adversarial assessment of a network is a critical part of securing and hardening it; done successfully, an adversarial assessment replicates the techniques of an adversary in a realistic way. Instead of relying exclusively on exploits, real adversaries tend to take advantage of existing, benign system functionality during their post-compromise operations. This behavior is codified in MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), a knowledge base of the post-compromise actions of advanced persistent threats. ATT&CK shifts the defensive focus from software patch levels, security controls, and known threat indicators to understanding and defending against common adversary behaviors.

CALDERA is a tool that performs automated adversarial assessments against Windows enterprise networks and requires no prior knowledge of the environment to run. It works by combining a built-in semantic model of how Windows enterprise domains are structured, an adversary model describing an attacker's goals and actions, and an artificially intelligent planner that decides which actions to perform. CALDERA does all of this with real side effects: it features a RAT that performs adversary actions on infected hosts and copies itself over the network to increase its foothold. To emulate an adversary as realistically as possible, CALDERA's model uses common Windows domain elements (users, shares, credentials) and features a library of executable techniques curated from ATT&CK, including favorites such as running Mimikatz to dump credentials and remote execution with WMI.

Because CALDERA is fully automated, defenders can use it to verify that their defenses are working as intended and as a resource for testing defensive tools and analytics. Its modular design also lets users customize each individual operation, and its flexible logic lets users incorporate their own techniques into CALDERA's automated assessments.
This talk describes CALDERA in depth, covering use cases for defenders and a demo.
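The abstract describes three cooperating pieces: a semantic model of the domain (hosts, users, credentials), an adversary model whose actions have preconditions and effects, and a planner that picks the next action. The following toy planner, added here as an illustration and not CALDERA's own model or code, shows how those pieces fit: the domain, the two-technique library (credential dumping and WMI remote execution, labelled with their ATT&CK IDs T1003 and T1047), the greedy value-based scoring, and the host and user names are all assumptions constructed for the example. It also shows the failure mode a real run can hit, namely a planner that stalls when no dumped credential is an admin on any remaining host.

```python
"""Toy adversary-emulation planner (illustrative; not CALDERA's model or code).

A world model of a Windows domain plus a library of ATT&CK-style techniques,
each with a precondition check and an effect, and a greedy planner that keeps
choosing the highest-value applicable technique until every host is
compromised or nothing applies.
"""
from dataclasses import dataclass, field

# Constructed sample domain (not real data): for each host, the users whose
# credentials are cached on it and the users who are local administrators.
SAMPLE_DOMAIN = {
    "pc1":        {"cached": {"alice"},             "admins": {"alice"}},
    "pc2":        {"cached": {"bob", "svc_backup"}, "admins": {"alice", "bob"}},
    "fileserver": {"cached": {"domadmin"},          "admins": {"svc_backup"}},
    "dc":         {"cached": set(),                 "admins": {"domadmin"}},
}


@dataclass
class World:
    domain: dict                                   # host -> cached/admins sets
    compromised: set                               # hosts where the agent runs
    creds: set = field(default_factory=set)        # usernames we hold creds for
    dumped: set = field(default_factory=set)       # hosts already dumped
    log: list = field(default_factory=list)        # (attack_id, params) per step


@dataclass
class Technique:
    name: str
    attack_id: str   # ATT&CK technique ID
    value: int       # planner preference; higher is chosen first
    candidates: callable   # World -> parameter tuples satisfying the preconditions
    effect: callable       # (World, params) -> None; mutates the world


def dump_candidates(w):
    # Precondition: the agent runs on the host and it has not been dumped yet.
    return [(h,) for h in sorted(w.compromised - w.dumped)]


def dump_effect(w, params):
    (host,) = params
    w.dumped.add(host)
    w.creds |= w.domain[host]["cached"]      # Mimikatz-style credential dump


def wmi_candidates(w):
    # Precondition: a credential we hold is a local admin on a host we do not
    # yet control; the action is launched from any compromised host.
    source = min(w.compromised)
    return [
        (source, target, user)
        for target in sorted(w.domain)
        if target not in w.compromised
        for user in sorted(w.creds & w.domain[target]["admins"])
    ]


def wmi_effect(w, params):
    _source, target, _user = params
    w.compromised.add(target)               # RAT copied and started via WMI


TECHNIQUES = [
    Technique("Credential dumping (Mimikatz)", "T1003", 1, dump_candidates, dump_effect),
    Technique("Remote execution via WMI", "T1047", 2, wmi_candidates, wmi_effect),
]


def plan(world, techniques=TECHNIQUES, max_steps=50):
    """Greedy planner: each step applies the highest-value technique that has
    an applicable parameter set. Returns the world when the goal (all hosts
    compromised) is met, when nothing applies, or after max_steps."""
    for _ in range(max_steps):
        if world.compromised == set(world.domain):
            return world
        options = [(t.value, t.name, params, t)
                   for t in techniques for params in t.candidates(world)]
        if not options:
            return world                      # stalled: no preconditions hold
        options.sort(key=lambda o: (-o[0], o[1], o[2]))   # deterministic choice
        _, _, params, tech = options[0]
        tech.effect(world, params)
        world.log.append((tech.attack_id, params))
    return world


def run(domain, start_host):
    """Start with the agent on one host and let the planner expand the foothold."""
    return plan(World(domain=domain, compromised={start_host}))


if __name__ == "__main__":
    result = run(SAMPLE_DOMAIN, "pc1")
    for step, (attack_id, params) in enumerate(result.log, 1):
        print(f"{step}. {attack_id} {params}")
    print("uncompromised:", sorted(set(SAMPLE_DOMAIN) - result.compromised))
```

Against the sample domain the planner alternates dump and lateral move (pc1 to pc2 via alice, to the file server via svc_backup, and to the DC via domadmin) and finishes in six steps; if the file server's admin set is changed so that no dumpable credential reaches it, the run stalls after three steps with two hosts still untouched, which is exactly the gap a defender would want the emulation to surface.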

Presenters:

  • Douglas Miller - Senior Cyber Security Engineer, The MITRE Corporation
    Douglas Miller is a researcher at The MITRE Corporation. Holding degrees in Electrical and Computer Engineering and Information Security, he researches artificial intelligence, red teaming, and adversary emulation. He was involved in the creation of the MITRE ATT&CK model and continues to contribute to its development.
  • Andy Applebaum - Lead Cyber Security Engineer, The MITRE Corporation
    Andy Applebaum is a lead cyber security engineer at The MITRE Corporation. He currently works on applied and theoretical security research problems, primarily in the realms of security automation and reasoning under uncertainty. Prior to working at MITRE, Andy received his PhD in computer science from the University of California Davis, where his dissertation topic was using argumentation logic for reasoning in cyber security.
