Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Incubation Engineering - Breach and Attack Simulation / 1 Feb 2023
GitLab / Incubation Engineering - Breach and Attack Simulation / 1 Feb 2023
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Incubation Engineering - Breach and Attack Simulation - January 2023 Showcase

Description

Hi y'all it's Erran Carey kicking off Black History Month with a showcase of Breach and Attack Simulation (BAS) Single-Engineer Group progress from January.

I've been working with the Threat Insights, Dynamic Analysis, and Vulnerability Research teams.

Check for written updates in this GitLab issue: https://gitlab.com/gitlab-org/incubation-engineering/breach-and-attack-simulation/meta/-/issues/1

A

Hey y'all welcome to the preaching attack simulation showcase for January 2023.. Today, I'm going to be rolling through the progress I've made so far on the bridge and attack simulation seg and how we plan to integrate for uh going forward.

A

So what is breach attack simulation um assuming you have no prior knowledge of the stock simulation.

A

We can consider Bridge attack simulation to be a security testing method for validating application and Point Security controls that includes things like Relic running web applications, where you're running maybe Ruby on Rails application or PHP application, or uh if you have an endpoint deployed where you actually deploy inside of a Docker container or you deploy inside of AWS ec2 instance, any type of infrastructure you're deploying to being able to test the different security controls on that to make sure your operating system.

A

Your actual application that you're running on top of that are running in a secure manner. um Boss differentiates itself from things like Dynamic analysis, because it's more as opposed to looking at purely the application side. uh Bass is focusing on whether you can actually exploit a particular vulnerability. So for vulnerability, it's been detected by a dast scanner. uh You'd typically take that report. If you're a penetration, tester or a red, teamer you'd actually go through and test hey. Are there any mitigations in place or can I actually exploit this vulnerability?

A

That we think, is a possibility, so bass is sort of all about helping prioritize the risk and risk management and doing some on top of your vulnerability assessment, so the vision for bridge and stock simulation at gilab, so the vision consists of allowing organizations to simulate attacker techniques as part of the their Dev secops life cycle.

A

So that's sort of looking at say if you use gitlab CI you'd be able to integrate directly into that with your existing vulnerability Tools.

A

In some way, were you able to take those vulnerability tools and then, on top of that, adding the ability for attacker techniques and use simulating those attacker techniques as part of that life cycle, so that can be through gitlab Ci or it could potentially be um other things similar to how we run the kubernetes agent, for example, um where we can have continuous testing and breach and attack simulation against the mitigations you've been in place for vulnerabilities you've detected previous in a prior part of your security testing cycle.

A

The goals for this uh are essentially to curate attack scenarios, so we want to be able to create a inventory of different attack techniques that are being used um similar. If you look at the meter attack framework, it sort of enumerates all various uh techniques that can be used by attackers, um and on top of that, it's sort of picking and choosing which one of those uh are going to be efficient at testing security controls in our place.

A

uh That could be things like command injection if we use Dynamic analysis we're able to detect command injection so when you've detected command injection, that's a good attacker scenario to simulate where you would simulate: hey, I've, injected arbitrary command.

A

Now, on top of that, exfiltrate, some data and simulating that will allow us to report on exploited vulnerabilities and what vulnerabilities have been mitigated and where risk has been mitigated, because some type of security control that you put in place where we can report that as being hey, it's a mitigated vulnerability because there's something in place that actually prevented it in my test environment to be exploited.

A

On top of that, I've been going ahead and collaborating so the bridge and stock simulation tag has been uh welcomed with open arms in gitlab, it's been pretty fun. I've been working with the threat insights to even govern uh in terms of vulnerability, dashboards and creating a generic reports for Bass and adding on my existing the existing capabilities, I've created with the nuclear analyzer, where I'm able to integrate directly into the existing reports.

A

Through uh what threat insights have provided me, um the dynamic analysis team has been super helpful I've been collaborating with them quite a lot on how I display vulnerabilities and exploit information and then vulnerability. Research has been super helpful in terms of how I've been planning my Approach at creating these different exploits and even injecting Uh custom exploit payloads and, on top of things like active checks that Dost supports.

A

So uh next I'll throw a jump right into a demo of some of the existing functionality. uh That's been deployed.

A

um So if I go to this nuclei templates job that I've created, we can see that it's using my custom uh nuclei, analyzer uh Docker image and this nuclear nuclei analyzer. uh What this is is a custom scanner, which is a compliance with the gitlab security report format. So this is a generic format that you can use for any security tool as long as you export and then uh so.

A

A nuclei export the Json lines report from nuclei and I'm able to take that and import it into gitlab by running this nuclei, analyzer Tool, uh to get it into the appropriate formats. I've updated this to recently. It's include the request and response information, as well as adding the ability to use the interact, sh uh extension for nuclei, so that integration for nuclei actually goes ahead and provides uh using the interact.sh service it tests for out-of-bound connections.

A

So it will dynamically provision a unique payload against uh OST dot me and Os dot me well, that will do. Is it's a unique payload and that unique payload I inject into the template using a custom nuclei template and that payload will actually in the command injection portion. They'll actually have a callback to that unique payload against the uh the interact, sh server, and so doing this I'm able to go ahead and add some additional details into the vulnerability report.

A

um So if I come here, we can see that we have these. uh This DVD downloadable web app command injection vulnerability. If we look at that, we can see here's our existing information that we get in any type of Dos report.

A

But on the evidence section we can see that I've injected you're using thread inside generic report format. We can see that I've done a post request to interact sh and I've included the contents of etsy password just to prove that I was able to read a file off the file system. Through my exploits that I uh provided and then we can see here that interact. Sh responded with this custom payload, which allows me to verify that in this job, I was able to get that callbacks end-to-end out of bound uh testing being done here.

A

So you can see here, there's a payload which I'm using that custom. uh That's for IP in this command injection the way I've structured the exploit is for Ping. It will operate again still do a DNS request against the host name and then on top of that I've injected some custom uh PHP, which we'll go ahead and actually do a post request, including the contents of etsy password and so doing that I'm able to validate that we've got these additional details.

A

We're able to validate that there's an interact, sh request with that unique payload at the particular time stamp. During the the testing of this pipeline, we can see that we can also go ahead and create an issue based off of this, where we can create the issue that has details and the identifiers.

A

So I've created a custom, namespace called nuclei template, so so there's no collisions with existing templates and dust, and so what what I intend to do is have customers start adding this additional jaw bin, where they're, adding an additional Dash report artifact, which will amend or append to the end of their dosed report, so they'll see event vulnerabilities from nuclei on top of their existing vulnerabilities, which I think will be quite good. There's some uh templates in nuclei that I want to add around command injection.

A

Were we take more active approach and I've already talked to the dynamic analysis team for having them uh come on board and start using uh the uh interact.sh, whether it's self-hosted or creating a our own command server for proving out of band connections.

A

Appendix uh there's the links to the handbook issues and the new nuclei analyzer custom scanner for dust, which is adding some region attack simulation capabilities.

A

If we look at the handbook page, we can see the product affinity and we can see a list here of the jobs to be done where I go through different attacks scenarios that we want to be capturing um and in terms of metrics, uh very much want to look at I noticed that there's a new guy uh action, uh that's been created recently uh for gitlab actions, GitHub actions and so with GitHub actions.

A

uh I want to be able to see if we can uh get a similar uptake in that forget lab users.

A

uh If there's any questions or anything, uh you can contact me on slack internally or you can go ahead and uh submit a gitlab issue in my personal project uh to get in touch thanks, see you.