The Splunk Threat Research Team (STRT) is happy to release v3.0 of the Splunk Attack Range.
Splunk Attack Range is an open source project that allows security teams to spin up a detection development environment to emulate adversary behavior and use the generated telemetry data to build detections in Splunk. This blog highlights the new features introduced in version 3.0 to help build resilient, high-quality detections.
Splunk Attack Range
The Splunk Attack Range provides the following capabilities for detection engineering:
- The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
- The Attack Range performs attack simulation using different engines, such as Atomic Red Team or Prelude Operator, in order to generate real attack data.
- It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.
Optimized Build Process
We optimized the build time of Attack Range from 30 minutes to 5 minutes by using pre-built images which were generated with the tool Packer. Packer standardizes and automates the process of building Golden images which are templates for virtual machines. Previously, building an Attack Range with a Splunk Server and a Windows Server took around 30 minutes every time. By introducing Packer to pre-build images, the build time of Attack Range is reduced to 5 minutes or less. Generating the pre-built images takes around 20 minutes per server, which only needs to be performed once. Afterwards, you can build Attack Ranges within 5 minutes.
Based on your feedback, we learned that the Attack Range is often used in training and workshops in which the trainer prepared the Attack Ranges for their students. Providing Attack Range access to students was difficult. This is now simplified by integrating Apache Guacamole into the Attack Range. Apache Guacamole is a clientless remote desktop application which is installed on the Splunk Server. It supports standard protocols such as SSH and RDP. During the Attack Range build, Apache Guacamole is installed and completely configured. You can access Apache Guacamole on port 8080 and use the Attack Range password to log in. Subsequently, you can access the windows server over RDP or the other servers with SSH using the browser.
During detection, engineering teams want to know if a specific attack technique is detected by a certain Endpoint Detection and Response (EDR) product. In order to easily answer this question, we integrated Crowdstrike Falcon and VMware Carbon Black Cloud into the Attack Range. You will need a subscription for these products in order to integrate them into the Attack Range. By specifying some configuration parameters in Attack Range, you can automatically install the agent on the Windows Server and onboard the logs into the Splunk Server.
Attack Range Local Integrated into Attack Range
Previously, we decided to split Attack Range Local into its own GitHub project. Attack Range Local builds an Attack Range on either Virtualbox or VMware Fusion installed on your computer. It leverages Vagrant and Ansible to build and configure it.
We received a lot of customer feedback that Attack Range Local is very important. Therefore, we decided to integrate the Attack Range Local into Attack Range with all its features. By setting the cloud_provider to local in attack_range.yml, you can build an Attack Range on your local workstation or server.
Attack Range Cloud Integrated into Attack Range
Attack Range Cloud can be used to develop detections for AWS and Azure. It automatically onboards the logs from the cloud providers. We integrated these features into the Attack Range.
Atomic Red Team supports the execution of cloud atomics, which allows it to execute attacks against a cloud environment. The execution of cloud atomics in Atomic Red Team and the automated onboarding of cloud logs makes the Attack Range a perfect environment for developing cloud detections. By integrating all these features into one project, the Attack Range can be used to build endpoint, network and cloud detections.
Get Started with Attack Range 3.0
In this release, we improved the documentation and created an own documentation website which helps you to get started with Attack Range.The preferred installation method is using a docker container and you can run it on Mac, Windows or Linux.
By leveraging pre-built images with Packer, the time needed to build an Attack Range is reduced tremendously. Building the Attack Range, simulating an attack and destroying the Attack Range can be performed within 15 minutes. This allows us in the future to use the Attack Range in an automated way to generate attack data.
Please let us know what features you want to see added to the Attack Range by opening an issue in the Attack Range Github project with a feature request.