Manual execution of scenarios
Use case
OpenBAS looks great at executing automated attack simulations. As an internal Red Team, we perform a variety of attack emulation services like:
- Atomic testing (works well in OpenBAS)
- Intelligence-driven purple teaming (nice in OpenBAS due to OpenCTI integration, but tough to automate all TTPs)
- Stealth red team operations (work is mostly manual, hard to plan ahead in perfect detail, not realistic to fully automate)
There would be huge value in doing all of these things in one platform, particularly for the CTI integration and reporting and metrics/trends over time.
Scenarios right now that involve attack techniques look to mostly require an agent. It would be great if we could come and build a scenario, and then have it turn into a simulation where we can manually apply the timeline and outcomes. Our workflow here would be to perform the stealth operation over a great period of time (usually several months) and to use OpenBAS as a reporting tool. Then, once the stealth operation is disclosed, the defenders can come in and log the prevention/detection results.
I can sort of do this right now by manually building the scenario and clicking run, but there are some things which seem purpose-built for automated execution which make it not quite work, like:
- I can't manually modify the timeline - it fills out when it thinks it is executing against an agent
- When I "run" the scenario I'm stuck in "ongoing" and the injects are "pending", because there are no agents and no execution is happening
- When a scenario goes to a simulation, I can't add detailed notes to the injects
- Scenarios run injects on a specified timeline, I can't just say when things actually happened
- From a planning and reporting perspective, the tool is missing a nice visual attack flow (MITRE's ATT&CK Flow is a nice example)
Current Workaround
Build a scenario, click run, and try my best to edit things manually, but end up in a weird state not compatible with manual operations.
Proposed Solution
There is a thread about this in the Filigran Slack here. I'm not sure what the mechanics would look like, but ideally a type of scenario meant for manually tracking the execution and outcome of attacks to work with typical red team stealth operations.
Additional Information
If the feature request is approved, would you be willing to submit a PR?
Possibly.