How to use Threatest to test the effectiveness of end-to-end threat detection rules
VSole 2022-11-14 17:29:29
About Threatest
Threatest is a Go-based security testing framework that helps researchers test the effectiveness and usability of end-to-end threat detection rules.
Threatest lets us run a range of penetration testing techniques against a target and verify whether each one triggers the security alert we expect.
Detection engineering
Broadly speaking, detection engineering is the discipline of identifying the threats relevant to an organization, understanding them in depth, and coming up with reliable strategies to detect them. Although there is no standardized process, detection engineering usually goes through several stages:

Ideation: which attack techniques are relevant to our organization?
Research: how does the attack technique work? What logs or telemetry does it generate?
Requirements gathering: which logs are needed to implement the detection? Do we need more visibility or broader coverage to implement it?
Development: define the concrete detection strategy and write the detection rule.
Testing and deployment: test the rule, ideally against real-world data, to make sure it works as intended and does not produce too many false positives.
Maintenance: continuously collect metrics on the alerts the rule generates, and adjust and maintain it as needed.
Supported penetration testing techniques and alert matchers
1. Local command execution
2. Command execution over SSH
3. Stratus Red Team techniques
4. AWS techniques
5. Matching on Datadog Security Signals
Downloading the tool
Since the tool is written in Go, you first need to install and configure a Golang environment on your local machine. Then clone the project's source code with the following command:
git clone https://github.com/DataDog/threatest.git
Using the tool
Testing Cloud SIEM rules
go test -timeout 99999s cloudsiem_alerts_test.go -v
Sample output:
=== RUN TestCloudSIEMAWSAlerts
Detonating 'aws.initial-access.console-login-without-mfa' with Stratus Red Team
2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 17 seconds).
2022/06/16 16:31:08 AWS console login: Confirmed that the expected signal (Datadog security signal 'AWS Console login without MFA') was created in Datadog (took 17 seconds).
2022/06/16 16:31:08 AWS console login: All assertions passed
Detonating 'aws.persistence.iam-create-admin-user' with Stratus Red Team
2022/06/16 16:31:14 AWS persistence IAM user: Confirmed that the expected signal (Datadog security signal 'An IAM user was created') was created in Datadog (took 0 seconds).
2022/06/16 16:31:14 AWS persistence IAM user: All assertions passed
--- PASS: TestCloudSIEMAWSAlerts (126.53s)
PASS
Testing CWS (Cloud Workload Security) rules
go test cws_alerts_test.go -v
Sample output:
=== RUN TestCWSAlerts
Connecting over SSH
Connection succeeded
2022/06/16 16:25:20 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 12 seconds).
2022/06/16 16:25:20 curl to metadata service: All assertions passed
2022/06/16 16:25:42 Java spawning shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 19 seconds).
2022/06/16 16:25:42 Java spawning shell: All assertions passed
--- PASS: TestCWSAlerts (45.64s)
=== RUN TestCWSAlertsV2
Connecting over SSH
Connection succeeded
=== RUN TestCWSAlertsV2/curl_to_metadata_service
=== PAUSE TestCWSAlertsV2/curl_to_metadata_service
=== RUN TestCWSAlertsV2/java_spawns_shell
=== PAUSE TestCWSAlertsV2/java_spawns_shell
=== CONT TestCWSAlertsV2/java_spawns_shell
=== CONT TestCWSAlertsV2/curl_to_metadata_service
2022/06/16 16:26:02 curl to metadata service: Confirmed that the expected signal (Datadog security signal 'EC2 Instance Metadata Service Accessed via Network Utility') was created in Datadog (took 11 seconds).
2022/06/16 16:26:02 curl to metadata service: All assertions passed
2022/06/16 16:26:02 java spawns shell: Confirmed that the expected signal (Datadog security signal 'Java process spawned shell/utility') was created in Datadog (took 17 seconds).
2022/06/16 16:26:02 java spawns shell: All assertions passed
--- PASS: TestCWSAlertsV2 (0.06s)
    --- PASS: TestCWSAlertsV2/java_spawns_shell (20.12s)
    --- PASS: TestCWSAlertsV2/curl_to_metadata_service (20.24s)
PASS
Testing Datadog Cloud SIEM signals triggered by Stratus Red Team
// Inside a Go test function (t is the *testing.T).
threatest := Threatest()
threatest.Scenario("AWS console login").
	WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")). // detonator: Stratus Red Team technique
	Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).   // matcher: expected signal and severity
	WithTimeout(15 * time.Minute) // how long to wait for the signal before the scenario fails
assert.NoError(t, threatest.Run())
Testing Datadog Cloud Workload Security signals triggered by running a command over SSH
// Inside a Go test function (t is the *testing.T).
ssh, err := NewSSHCommandExecutor("test-box", "", "")
if err != nil {
	t.Fatalf("SSH connection to test-box failed: %v", err) // do not discard the connection error
}
threatest := Threatest()
threatest.Scenario("curl to metadata service").
	WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")). // detonator: command run over SSH
	Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility")) // matcher: expected signal
assert.NoError(t, threatest.Run())
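The two snippets above share one pattern: a scenario names a detonator, one or more expected alerts, and a timeout, then Run detonates once and keeps polling the SIEM until every expected alert has been observed or the timeout expires. The following is an added, self-contained Go illustration of that pattern, not Threatest's own code: every type, function and name in it (Alert, Matcher, Scenario, DelayedSIEM, RunDemo, the "det-1" detonation UID) is constructed for the example, and the SIEM is an in-memory test double that only starts returning its scripted alerts after a few polls, so the example also shows how the harness copes with ingestion latency and how a scenario fails when the expected rule never fires.

```go
package main

import (
	"fmt"
	"time"
)

// Alert is one security signal as the SIEM returns it; UID ties it to the detonation
// that caused it. Every name in this file is constructed and is not Threatest's own API.
type Alert struct{ Rule, Severity, UID string }

// Matcher is one expectation; an empty Severity accepts any severity.
type Matcher struct{ Rule, Severity string }

func (m Matcher) Matches(a Alert) bool { return a.Rule == m.Rule && (m.Severity == "" || a.Severity == m.Severity) }

// Scenario couples one detonation with the alerts it must produce.
type Scenario struct {
	Name     string
	Detonate func() (string, error) // runs the technique, returns a detonation UID
	Expect   []Matcher
	Timeout  time.Duration // how long to keep polling the SIEM before failing
}

// Unmatched lists the expected rules that none of the alerts satisfies.
func (s Scenario) Unmatched(alerts []Alert) (missing []string) {
next:
	for _, m := range s.Expect {
		for _, a := range alerts {
			if m.Matches(a) {
				continue next
			}
		}
		missing = append(missing, m.Rule)
	}
	return missing
}

// Run detonates once, then polls the SIEM (query returns the alerts for a detonation
// UID) until every expectation is met or the timeout elapses; the error names missing rules.
func (s Scenario) Run(query func(uid string) ([]Alert, error)) error {
	uid, err := s.Detonate()
	if err != nil {
		return fmt.Errorf("%s: detonation failed: %w", s.Name, err)
	}
	deadline := time.Now().Add(s.Timeout)
	for {
		alerts, err := query(uid)
		if err != nil {
			return fmt.Errorf("%s: querying alerts: %w", s.Name, err)
		}
		missing := s.Unmatched(alerts)
		if len(missing) == 0 {
			return nil
		}
		if time.Now().After(deadline) {
			return fmt.Errorf("%s: timed out after %s, missing alerts: %v", s.Name, s.Timeout, missing)
		}
		time.Sleep(10 * time.Millisecond) // poll interval; seconds would be realistic against a live SIEM
	}
}

// DelayedSIEM is a constructed test double: it returns the scripted alerts
// only after delayPolls queries, imitating SIEM ingestion latency.
func DelayedSIEM(scripted []Alert, delayPolls int) func(string) ([]Alert, error) {
	polls := 0
	return func(uid string) ([]Alert, error) {
		polls++
		var out []Alert
		for _, a := range scripted {
			if polls > delayPolls && a.UID == uid {
				out = append(out, a)
			}
		}
		return out, nil
	}
}

// RunDemo runs a scenario whose alert arrives late but in time (passes) and one whose rule never fires (times out).
func RunDemo() (passErr, failErr error) {
	scripted := []Alert{{Rule: "AWS Console login without MFA", Severity: "medium", UID: "det-1"}}
	ok := Scenario{
		Name:     "AWS console login",
		Detonate: func() (string, error) { return "det-1", nil },
		Expect:   []Matcher{{Rule: "AWS Console login without MFA", Severity: "medium"}},
		Timeout:  200 * time.Millisecond,
	}
	passErr = ok.Run(DelayedSIEM(scripted, 2))
	bad := ok // same detonation, but an expectation the scripted alerts never meet
	bad.Name = "curl to metadata service"
	bad.Expect = []Matcher{{Rule: "EC2 Instance Metadata Service Accessed via Network Utility"}}
	failErr = bad.Run(DelayedSIEM(scripted, 0))
	return passErr, failErr
}

func main() {
	p, f := RunDemo()
	fmt.Println("passing scenario:", p, "| failing scenario:", f)
}
```

The failing scenario is the more instructive one: the error names the rules that never fired, which is exactly the information a detection engineer needs to decide whether the rule, the log pipeline, or the detonation itself is at fault. With a real SIEM the timeout would be minutes rather than milliseconds, as the 15-minute WithTimeout in the Stratus Red Team snippet shows.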
License
This project is developed and released under the Apache-2.0 open source license.
VSole
Cybersecurity expert