1 of 61

1

@ DEFCON 30

Purple Teaming & Adversary Emulation

in the Cloud with Stratus Red Team

Christophe Tafani-Dereeper

@christophetd

2 of 61

Good morning!


Christophe Tafani-Dereeper

christophetd@datadoghq.com

@christophetd

we’re hiring! (35 security positions open)

3 of 61

Agenda

  • Detection engineering, purple teaming
  • Pain points of purple teaming in the cloud
  • Stratus Red Team
  • Advanced usages
  • Some exciting announcements


4 of 61

A Primer in Detection Engineering

a.k.a. “finding evil”


5 of 61

From detecting IoCs…


6 of 61

… to detecting behaviors


Behavior (TTPs)

Tools

Network & host artifacts

Domain names

IP addresses

Hashes

harder to detect

harder to change

Attackers

Defenders

7 of 61

MITRE ATT&CK


8 of 61

Threat matrix for Kubernetes


9 of 61

Azure Threat Research Matrix (released August 2022)


10 of 61

Purple Teaming


Blue team

Red team

Blue team

Red team

11 of 61

Purple Teaming


Empowering defenders to understand, reproduce,

and detect common attacker tactics (TTPs)

12 of 61

Kolb's learning cycle


Active experimentation

Concrete experience

Abstract conceptualization

Reflective observation

[Kolb & Fry (1975). Theories of group processes]

13 of 61


Reproduce attack

Observe generated data: logs, artifacts, analytics

Develop / improve detection

14 of 61

“Detect when VPC Flow Logs are removed”

How to reproduce this attack?

  1. Create a VPC (virtual network)
  2. Enable VPC Flow Logs
  3. Delete VPC Flow Logs


prerequisites
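The last step of the cycle, turning the observed CloudTrail event into a detection, as an added example in Go that is not part of the talk or of Stratus Red Team. It assumes CloudTrail's standard JSON export shape and matches the DeleteFlowLogs call behind the "VPC Flow Logs removed" case; it generalizes the same rule to the StopLogging and DeleteTrail calls that the cloudtrail-stop and cloudtrail-delete techniques shown later in the talk produce. The rule names, account ID, ARNs, user agents and timestamps in SampleTrail are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Record holds the CloudTrail fields the rule needs (a subset of the real schema).
type Record struct {
	EventTime    string `json:"eventTime"`
	EventSource  string `json:"eventSource"`
	EventName    string `json:"eventName"`
	UserAgent    string `json:"userAgent"`
	ErrorCode    string `json:"errorCode"`
	UserIdentity struct {
		ARN string `json:"arn"`
	} `json:"userIdentity"`
}

// Finding is what the detection emits for one matching record.
type Finding struct {
	Rule      string
	Actor     string
	EventName string
	EventTime string
}

// loggingDisruption maps eventSource -> API call -> rule name. DeleteFlowLogs is the
// "VPC Flow Logs removed" case; the CloudTrail entries cover the cloudtrail-stop and
// cloudtrail-delete techniques. Rule names are constructed for this example.
var loggingDisruption = map[string]map[string]string{
	"ec2.amazonaws.com": {"DeleteFlowLogs": "vpc-flow-logs-removed"},
	"cloudtrail.amazonaws.com": {
		"StopLogging": "cloudtrail-logging-stopped",
		"DeleteTrail": "cloudtrail-trail-deleted",
	},
}

// Detect parses a CloudTrail export ({"Records":[...]}) and returns one finding per
// log-disrupting call. Calls that failed (errorCode set, e.g. AccessDenied) removed
// nothing, but still get a lower-severity "-attempt" finding instead of being dropped.
func Detect(raw []byte) ([]Finding, error) {
	var doc struct {
		Records []Record `json:"Records"`
	}
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, err
	}
	var findings []Finding
	for _, r := range doc.Records {
		rule, ok := loggingDisruption[r.EventSource][r.EventName]
		if !ok {
			continue
		}
		if r.ErrorCode != "" {
			rule += "-attempt"
		}
		findings = append(findings, Finding{
			Rule: rule, Actor: r.UserIdentity.ARN, EventName: r.EventName, EventTime: r.EventTime,
		})
	}
	return findings, nil
}

// SampleTrail is constructed test data in CloudTrail's shape, not a real export.
// The account ID, ARNs and user agents are placeholders.
const SampleTrail = `{"Records":[
 {"eventTime":"2022-08-13T09:58:00Z","eventSource":"ec2.amazonaws.com","eventName":"CreateFlowLogs",
  "userAgent":"console.ec2.amazonaws.com","userIdentity":{"arn":"arn:aws:iam::123456789012:user/ops"}},
 {"eventTime":"2022-08-13T10:02:00Z","eventSource":"ec2.amazonaws.com","eventName":"DeleteFlowLogs",
  "userAgent":"stratus-red-team_b071a414-5f74-48d8-9346-31e3b01a24e3",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:user/stratus-runner"}},
 {"eventTime":"2022-08-13T10:05:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging",
  "errorCode":"AccessDenied","userAgent":"aws-cli/2.7.0",
  "userIdentity":{"arn":"arn:aws:iam::123456789012:role/ReadOnlyRole"}}
]}`

func main() {
	findings, err := Detect([]byte(SampleTrail))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s  %-36s by %s (%s)\n", f.EventTime, f.Rule, f.Actor, f.EventName)
	}
}
```

The CreateFlowLogs record is the prerequisite step and produces no finding; the DeleteFlowLogs record is the detonation and fires the rule; the denied StopLogging call is reported as an attempt, because a principal probing the logging setup is a signal even when the call did not succeed.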

15 of 61

“Detect when VPC Flow Logs are removed”


16 of 61

“Detect when VPC Flow Logs are removed”


17 of 61

“Detect when VPC Flow Logs are removed”


18 of 61

“Detect when VPC Flow Logs are removed”


19 of 61

“Detect when VPC Flow Logs are removed”


20 of 61

“Detect when VPC Flow Logs are removed”


21 of 61

Challenges in Reproducing Cloud Attacks

  • Complex testing prerequisites

  • Emerging threat landscape

  • Little data available on cloud incidents


22 of 61

Stratus Red Team


23 of 61


24 of 61

Stratus Red Team

  • “Atomic Red Team for the Cloud”
  • Written in Go
  • Packaged with cloud-native attacks
  • Supports AWS, Azure and Kubernetes


25 of 61

Attack Techniques in Stratus Red Team

  • Threat-informed
  • Actionable for defenders
  • Granular
  • Self-sufficient


26 of 61

What does Stratus Red Team bring?

Catalog of cloud attack techniques

Easy reproduction against a live environment


27 of 61

Operating model


Stratus Red Team

Detonate attack techniques

Your AWS account

Your K8s cluster

Your Azure subscription

28 of 61

Attack Techniques Library

  • AWS (27), Kubernetes (7), Azure (3)�
  • Full list at stratus-red-team.cloud/attack-techniques/


29 of 61


30 of 61

Anatomy of an Attack Technique


31 of 61

Anatomy of an Attack Technique


$ stratus show aws.defense-evasion.cloudtrail-stop

Stops a CloudTrail Trail from logging. Simulates an attacker disrupting CloudTrail logging.

Warm-up:

- Create a CloudTrail Trail.

Detonation:

- Call cloudtrail:StopLogging to stop CloudTrail logging.

32 of 61

Anatomy of an Attack Technique


33 of 61

Anatomy of an Attack Technique

Terraform code that handles prerequisite infrastructure


34 of 61

Terraform instrumentation

  • Fully transparent for the end user
    • Doesn’t mess with your Terraform version
    • Uses the official Terraform Go wrapper


35 of 61

Anatomy of an Attack Technique

“Attack-as-code” (Go)


36 of 61

Lifecycle of an Attack Technique

“Stop a CloudTrail trail” (AWS)


COLD

WARM

DETONATED

Initial state

Prerequisite infrastructure ready

Attack technique has been “detonated”

Create S3 bucket

Create CloudTrail trail

Stop CloudTrail trail
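The COLD / WARM / DETONATED state machine above, modelled in Go as an added example. This is not Stratus Red Team's own code: the real tool runs Terraform for warm-up and clean-up and its runner package has a different API. Technique, Runner, the hook names and the constructed resource map with its bucket and trail names are assumptions of this model; the rules it enforces are the ones the diagram implies: detonating a COLD technique warms it up first, a DETONATED technique is not detonated again until reverted, and clean-up reverts before destroying the prerequisites.

```go
package main

import "fmt"

// State is where a technique sits in its lifecycle.
type State string

const (
	Cold      State = "COLD"      // initial state, nothing deployed
	Warm      State = "WARM"      // prerequisite infrastructure ready
	Detonated State = "DETONATED" // the technique has been executed
)

// Technique bundles the hooks a technique supplies (plain functions in this model).
type Technique struct {
	Name                              string
	WarmUp, Detonate, Revert, CleanUp func() error
}

// Runner enforces the COLD -> WARM -> DETONATED transitions around the hooks.
type Runner struct {
	Tech  Technique
	State State
}

func NewRunner(t Technique) *Runner { return &Runner{Tech: t, State: Cold} }

// WarmUp is idempotent: a technique that is already warm is left alone.
func (r *Runner) WarmUp() error {
	if r.State != Cold {
		return nil
	}
	if err := r.Tech.WarmUp(); err != nil {
		return err
	}
	r.State = Warm
	return nil
}

// Detonate warms up first if needed and refuses to fire twice without a revert.
func (r *Runner) Detonate() error {
	if err := r.WarmUp(); err != nil {
		return err
	}
	if r.State == Detonated {
		return fmt.Errorf("%s already detonated: revert or clean up first", r.Tech.Name)
	}
	if err := r.Tech.Detonate(); err != nil {
		return err
	}
	r.State = Detonated
	return nil
}

// Revert moves DETONATED back to WARM so the technique can be detonated again.
func (r *Runner) Revert() error {
	if r.State != Detonated {
		return fmt.Errorf("cannot revert from state %s", r.State)
	}
	if err := r.Tech.Revert(); err != nil {
		return err
	}
	r.State = Warm
	return nil
}

// CleanUp reverts a live detonation first, then destroys the prerequisites.
func (r *Runner) CleanUp() error {
	if r.State == Detonated {
		if err := r.Revert(); err != nil {
			return err
		}
	}
	if r.State == Cold {
		return nil
	}
	if err := r.Tech.CleanUp(); err != nil {
		return err
	}
	r.State = Cold
	return nil
}

// CloudTrailStop models "Stop a CloudTrail trail" against acct, a constructed in-memory
// stand-in for an AWS account (resource name -> status). Warm-up creates the S3 bucket
// and the trail, detonation stops the trail, revert restarts it, clean-up deletes both.
func CloudTrailStop(acct map[string]string) Technique {
	const bucket, trail = "s3:stratus-trail-bucket", "trail:stratus-trail" // constructed names
	return Technique{
		Name:     "aws.defense-evasion.cloudtrail-stop",
		WarmUp:   func() error { acct[bucket] = "present"; acct[trail] = "logging"; return nil },
		Detonate: func() error { acct[trail] = "stopped"; return nil },
		Revert:   func() error { acct[trail] = "logging"; return nil },
		CleanUp:  func() error { delete(acct, trail); delete(acct, bucket); return nil },
	}
}

func main() {
	acct := map[string]string{}
	r := NewRunner(CloudTrailStop(acct))
	for _, step := range []func() error{r.Detonate, r.Revert, r.CleanUp} {
		fmt.Println(step(), r.State, acct)
	}
}
```

Running main walks the diagram's path: the single Detonate call creates the bucket and trail and then stops the trail, Revert restores logging without touching the prerequisites, and CleanUp returns the account to its initial state.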

37 of 61

Other tools


38 of 61

Demo (3 minutes)


39 of 61


40 of 61

Stratus Red Team + automation = ❤️


41 of 61

Advanced usages

  • Programmatic interface (use it as a Go library)
  • Automatically generating logs datasets using your SIEM’s API
  • End-to-end testing of threat detection rules


42 of 61

Programmatic Interface


43 of 61

Programmatic Interface


44 of 61

Programmatic Interface


45 of 61

Generating logs datasets

If I launch an attack technique, which logs do I get?

  1. Detonate attack with Stratus Red Team


Stratus Red Team

Your AWS account

User-Agent: stratus-red-team_<uuid>

46 of 61

Generating logs datasets

If I reproduce an attack technique, which logs do I get?

  2. Poll your SIEM for generated logs!


Give me all your logs where

userAgent := stratus-red-team_<uuid>

SIEM

47 of 61

Generating logs datasets

  • Sample code for Datadog on GitHub
  • Adapt to your own logs management platforms!


$ ./dump-logs aws.defense-evasion.cloudtrail-delete logs.json

Detonating 'aws.defense-evasion.cloudtrail-delete' with Stratus Red Team

Execution UID: b071a414-5f74-48d8-9346-31e3b01a24e3

Searching for logs in Datadog

No logs found. Sleeping for 1m0s

Searching for logs in Datadog

Dumped 1 matching logs to logs.json
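The polling loop behind the dump-logs run above, as an added example in Go; it is not the sample code from GitHub. SearchFunc stands in for whatever your log platform's search API looks like (the Datadog sample is one implementation; any backend that can filter on the user agent works), and fakeSearch is a constructed stand-in that, like a real SIEM, returns nothing until ingestion catches up.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Event is the subset of a log record we keep (constructed shape, not a real SIEM schema).
type Event struct {
	EventName string `json:"eventName"`
	UserAgent string `json:"userAgent"`
}

// SearchFunc is an assumed adapter over your platform's log search API: it returns the
// logs currently indexed for the given user agent (nil while ingestion is still catching up).
type SearchFunc func(userAgent string) ([]Event, error)

// UserAgentFor reproduces the tag Stratus Red Team puts on the API calls of one run.
func UserAgentFor(executionUID string) string { return "stratus-red-team_" + executionUID }

// DumpLogs is step 2 of "generating logs datasets": after a detonation tagged with
// executionUID, keep asking the SIEM until matching logs arrive or the deadline passes.
// It returns the JSON document you would write to logs.json.
func DumpLogs(search SearchFunc, executionUID string, timeout, interval time.Duration) ([]byte, error) {
	ua := UserAgentFor(executionUID)
	deadline := time.Now().Add(timeout)
	for {
		events, err := search(ua)
		if err != nil {
			return nil, err
		}
		var matching []Event
		for _, e := range events {
			if e.UserAgent == ua { // re-check: the platform's search may be fuzzy
				matching = append(matching, e)
			}
		}
		if len(matching) > 0 {
			return json.MarshalIndent(matching, "", "  ")
		}
		if time.Now().After(deadline) {
			return nil, errors.New("no logs found before deadline: ingestion lag or wrong query")
		}
		fmt.Printf("No logs found. Sleeping for %s\n", interval)
		time.Sleep(interval)
	}
}

// fakeSearch is a constructed stand-in for a SIEM whose ingestion lags: the first call
// returns nothing, later calls return the run's events mixed with unrelated noise.
func fakeSearch(uid string) SearchFunc {
	calls := 0
	return func(string) ([]Event, error) {
		calls++
		if calls == 1 {
			return nil, nil
		}
		return []Event{
			{"DeleteTrail", UserAgentFor(uid)},
			{"DescribeTrails", "aws-cli/2.7.0"}, // unrelated noise, filtered out
		}, nil
	}
}

func main() {
	uid := "b071a414-5f74-48d8-9346-31e3b01a24e3" // execution UID as printed by dump-logs above
	out, err := DumpLogs(fakeSearch(uid), uid, time.Second, 10*time.Millisecond)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

The deadline matters in practice: a query that never matches (wrong field name, wrong index) looks exactly like ingestion lag, so the error message names both so the operator checks the query before blaming the pipeline.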

48 of 61

End-to-end testing of threat detection


AWS Organization

CloudTrail trail

S3 bucket

Lambda function

AWS Accounts

logs

SIEM

Logs ingestion

Parsing

Aggregation

Detection rules

Alerts

What could possibly go wrong? 🙈

49 of 61

What could go wrong?


AWS Organization

CloudTrail trail

S3 bucket

Lambda function

AWS Accounts

logs

SIEM

Logs ingestion

Parsing

Aggregation

Detection rules

Alerts

Black box

Attacks

50 of 61

End-to-end detection testing

  1. Detonate Stratus Red Team programmatically
  2. Poll your SIEM for an expected alert
  3. Close the alert
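The three steps as a small harness in Go, added here as an example; it is not Threatest or any other code from the talk. AlertAPI is an assumed adapter over your SIEM's alert endpoints, detonate is whatever triggers the technique (a programmatic Stratus Red Team run in practice), and fakeAlerts is a constructed stand-in that, like a real pipeline, only shows the alert after a few polls.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// AlertAPI is an assumed interface over your SIEM's alert endpoints. OpenAlert returns
// the ID of an open alert for the rule, or "" when none has fired yet.
type AlertAPI interface {
	OpenAlert(rule string) (string, error)
	CloseAlert(id string) error
}

// RunDetectionTest is the three-step loop: detonate the technique, wait for the rule
// to fire, close the alert. The detonate callback is where a programmatic Stratus Red
// Team run would go; it is injected so the harness can be exercised offline.
func RunDetectionTest(api AlertAPI, detonate func() error, rule string, timeout, interval time.Duration) error {
	if err := detonate(); err != nil {
		return fmt.Errorf("detonation failed: %w", err)
	}
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	expired := time.After(timeout)
	for {
		id, err := api.OpenAlert(rule)
		if err != nil {
			return fmt.Errorf("querying alerts: %w", err)
		}
		if id != "" {
			return api.CloseAlert(id) // step 3: leave no stale alert behind for the next run
		}
		select {
		case <-ticker.C:
		case <-expired:
			return fmt.Errorf("rule %q did not fire within %s", rule, timeout)
		}
	}
}

// fakeAlerts is a constructed in-memory stand-in for the SIEM's alert queue. Alerts
// only become visible from the third poll on, to mimic pipeline latency.
type fakeAlerts struct {
	open   map[string]string // rule -> ID of its open alert
	closed []string
	polls  int
}

func newFakeAlerts() *fakeAlerts { return &fakeAlerts{open: map[string]string{}} }

func (f *fakeAlerts) OpenAlert(rule string) (string, error) {
	f.polls++
	if f.polls < 3 {
		return "", nil
	}
	return f.open[rule], nil
}

func (f *fakeAlerts) CloseAlert(id string) error {
	for rule, open := range f.open {
		if open == id {
			delete(f.open, rule)
			f.closed = append(f.closed, id)
			return nil
		}
	}
	return errors.New("unknown alert " + id)
}

// fakeDetonation stands in for the whole path from the detonation's API call through
// ingestion and parsing to the rule raising an alert.
func fakeDetonation(f *fakeAlerts, rule, alertID string) func() error {
	return func() error {
		f.open[rule] = alertID
		return nil
	}
}

func main() {
	api := newFakeAlerts()
	detonate := fakeDetonation(api, "cloudtrail-logging-stopped", "alert-1") // constructed rule and ID
	err := RunDetectionTest(api, detonate, "cloudtrail-logging-stopped", time.Second, 10*time.Millisecond)
	fmt.Println("detection test passed:", err == nil, "closed alerts:", api.closed)
}
```

A timeout here is the interesting result: it means one of the black-box stages between the account and the alert (trail, bucket, forwarding, ingestion, parsing, the rule itself) is broken, which is exactly what the previous slide asks about.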


51 of 61

End-to-end detection testing


52 of 61

Announcement! Released just today August 13th, 2022 @ Las Vegas

Open-sourcing Threatest


53 of 61

Threatest


54 of 61

Threatest


55 of 61

Threatest - demo!


56 of 61

Wrapping up


57 of 61

What’s next

  • Increase attack techniques coverage
  • Community participation
    • Seen in the wild
    • Used by red teams/pentesters/offensive tooling
  • Thank you to the awesome contributors!
    • Ryan Marcotte Cobb
    • Markus Rollwagen
    • Adan Álvarez
    • Dakota Riley


58 of 61

One more thing…


59 of 61

Released just today August 13th, 2022 @ Las Vegas

GCP support in Stratus Red Team!

Thank you to Dakota Riley @ Aquia


  • Create an Admin GCP Service Account
  • Create a GCP Service Account Key
  • Impersonate GCP Service Accounts

stratus-red-team.cloud/attack-techniques/GCP

60 of 61

Thank you!


@ DEFCON 30

Christophe Tafani-Dereeper

@christophetd

slides: dtdg.co/stratusredteam-cloudvillage

Questions?

61 of 61

Modeling attacker behavior
