Splunk Cloud Attack Range ⚔️

Purpose 🛡

The Cloud Attack Range is a detection development platform, which solves three main challenges in detection engineering. First, the user is able to build quickly a small lab infrastructure as close as possible to a cloud environment. Second, the Attack Range performs attack simulation using different engines such as Atomic Red Team in order to generate real attack data.

Building 👷‍♂️

Cloud Attack Range can be built is currently:

• cloud-only, Specifically simulate attacks against AWS

Architecture 🏯

The Cloud Attack Range consists of:

• pre-configured Splunk server with AWS Cloudtrail logs and Kubernetes logs

• pre-configured Phantom server

• AWS Elastic Kubernetes Service with a Wordpress app and Splunk Connect for Kubernetes

• integrated Atomic Red Team cloud attacks

Logging

The following log sources are collected from the machines:

• Cloudtrail logs (index=aws)
• Kubernetes logs (index=kubernetes)
• Kubernetes metrics (index=kubernetes-metrics)
• AWS Elastic Kubernetes Service logs (index=aws sourcetype=aws:cloudwatchlogs)

Running 🏃‍♀️

Follow Getting Started to configure Cloud Attack Range.
Cloud Attack Range supports different actions:

• Build Cloud Attack Range
• Perform Cloud Attack Simulation
• Destroy Cloud Attack Range
• Stop Cloud Attack Range
• Resume Cloud Attack Range

Cloud Attack Range Commands

• Configure your Cloud Attack Range .conf

- [x] python cloud_attack_range.py configure

Cloud Attack Range Commands

• Build Cloud Attack Range

- [x] python cloud_attack_range.py build

Perform Cloud Attack Simulation

[Work in Progress]

• Perform Cloud Attack Simulation by Mitre technique

python cloud_attack_range.py simulate -st T1136.003

Destroy Cloud Attack Range

• Destroy Cloud Attack Range

python cloud_attack_range.py destroy

Stop Cloud Attack Range

• Stop Cloud Attack Range

python cloud_attack_range.py stop

Resume Cloud Attack Range

• Resume Cloud Attack Range

python cloud_attack_range.py resume

Features 💍

• Splunk Server

  • Preconfigured with multiple TAs for field extractions
  • Out of the box Splunk detections with Enterprise Security Content Update (ESCU) App
  • Preinstalled Machine Learning Toolkit (MLTK)
  • Splunk UI available through port 8000 with user admin
  • ssh connection over configured ssh key

• Splunk Enterprise Security

  • Splunk Enterprise Security is a premium security solution requiring a paid license.
  • Enable or disable Splunk Enterprise Security in cloud_attack_range.conf
  • Purchase a license, download it and store it in the apps folder to use it.

• Splunk Phantom

  • Splunk Phantom is a Security Orchestration and Automation platform
  • For a free development license (100 actions per day) register here
  • Enable or disable Splunk Phantom in cloud_attack_range.conf

• Atomic Red Team

• Attack Simulation with Atomic Red Team
• Uses Attack TTPs from Cloud ATT&CK Mitre IDs

Support 📞

Please use the GitHub issue tracker to submit bugs or request features.

If you have questions or need support, you can:

• Post a question to Splunk Answers
• Join the #security-research room in the Splunk Slack channel
• If you are a Splunk Enterprise customer with a valid support entitlement contract and have a Splunk-related question, you can also open a support case on the https://www.splunk.com/ support portal

Author

• Patrick Bareiß
• Bhavin Patel
• Jose Hernandez

License

Copyright 2020 Splunk Inc.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.