Star 0

Abstract

Adversarial assessment of a network is a critical part of securing and hardening it; done successfully, an adversarial assessment will replicate the techniques of an adversary in a realistic way. Instead of exclusively leveraging exploits, real adversaries tend to take advantage of existing, benign system functionality during their post-compromise operations. This behavior is codified in MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK;); a knowledge base of post-compromise actions of advanced persistent threats. ATT&CK; shifts the defensive focus from software patch levels, security controls, and known threat indicators to understanding and defending against common adversary behaviors.

CALDERA is a tool that can perform automated adversarial assessments against Windows enterprise networks, requiring zero prior knowledge about the environment to run. CALDERA works by leveraging its built in semantic model for how Windows enterprise domains are structured, an adversary model describing an attacker's goals and actions, and an artificially intelligent planner that makes decisions about which actions to perform. CALDERA does this all with real side effects: CALDERA features a RAT that performs adversary actions on infected hosts and copies itself over the network to increase its foothold. To most realistically emulate an adversary, CALDERA's model uses common Windows domain elements -- users, shares, credentials -- and features a library of executable techniques curated from ATT&CK;, including favorites such as running Mimikatz to dump credentials and remote execution with WMI.

As a fully automated tool, defenders can use CALDERA to verify their defenses are working appropriately and as a resource to test defensive tools and analytics. Additionally, CALDERA's modular design allows users to customize each individual operation and provides a flexible logic so that users can incorporate their own techniques into CALDERA's automated assessments.

This talk describes CALDERA in depth, covering use cases for defenders and a demo.

Slides