(Screenshots: red team screen and blue team screen)
My job is cyber security research, and I am particularly interested in human resource development. During my research I came across an OSS (open source software) tool called "MITRE CALDERA". It looked promising as a tool for human resource development, so I am writing this article so that everyone can get to know it and use it.
Since there is a lot to cover, I will split it over the following four articles.
Notes:
This article describes a way to simulate a cyber attack. The purpose is to confirm, examine and improve what kind of events a cyber attack causes and how to respond to them, and to use that for cyber security human resource development. Build a closed network environment so that other systems and networks are not affected. Doing this against someone without permission violates laws such as the Unauthorized Computer Access Law, so please do not do so.
The content of this article is my personal opinion, not the official opinion of the organization I belong to. Neither the author nor the organization he belongs to is responsible for any trouble or damage caused to the user or to a third party by trying what is described in this article.
MITRE CALDERA is a "cyber security framework" that provides its various functions as plug-ins. Its distinguishing feature is that it simulates (emulates) cyber attacks using attack techniques and attack scenarios that have actually been used in the wild. The MITRE Corporation (US) released it as OSS under the Apache license. The main functions provided are listed below.
The above functions can also be executed automatically from scenarios prepared in advance. The tool supports security improvement and human resource development through the following work loop.
MITRE is a non-profit organization (NPO) in the United States that runs a variety of projects in the public interest and produces innovative ideas for industry and academia through the operation of US government-funded research and development centers (FFRDCs) and private partnerships. See the MITRE website for details: https://www.mitre.org/about/corporate-overview
Here are some related projects you should know about when using MITRE CALDERA:
The main body of MITRE CALDERA is a Python script that provides a web service and loads plug-ins. The basic functions of MITRE CALDERA are themselves provided as plug-ins, and each plug-in is also a Python script. MITRE CALDERA started in 2017, but it has been updated frequently recently, and new feature plug-ins are being added actively. You can also incorporate plug-ins created by other projects (see the comments). Some plug-ins are disabled immediately after installation, but you can enable them from the Configure menu.
The following is the list of plug-ins in MITRE CALDERA version 2.6.6, released on March 20, 2020.
Plugin name | Valid version | Enabled by default | Description |
---|---|---|---|
sandcat | all | ◯ | Agent (RAT/bot) |
stockpile | all | ◯ | Basic scenarios |
compass | 2.5 | ◯ | Scenario creation |
response | 2.5 | ◯ | Incident response scenarios |
terminal | 2.6 | | Reverse shell terminal |
gameboard | 2.6 | ◯ | Red team vs. blue team score display |
mock | all | × | Pseudo agent |
ssl | all | × | HTTPS proxy |
access | 2.6 | × | Remote access settings |
atomic | 2.6 | ◯ | Atomic Red Team scenarios (Red Canary) |
When simulating a cyber attack with MITRE CALDERA, the simulation starts from a state in which an endpoint has already been compromised; CALDERA does not search for vulnerabilities or break in. What puts the endpoint into this compromised state is the MITRE CALDERA agent, a program of the kind commonly called a RAT (Remote Access Trojan). Several agent programs can be downloaded by accessing the MITRE CALDERA server. Select and download the agent appropriate for the OS and purpose, or copy and paste the script that runs the agent. The agent connects to the MITRE CALDERA server and executes the remote control commands the server instructs.
You can follow the instructions in the README.md file of the GitHub repository, but some parts are confusing, so I will explain them here.
OS
When I installed it on my macOS Catalina, the installation shell script ended with an error and I couldn't install it. We recommend installing Linux in a virtual environment such as VirtualBox and running it in that virtual environment. Please refer to other people's articles for how to build a virtual environment.
Please refer to other people's articles for how to install each tool.
The latest version of MITRE CALDERA is 2.6.65, but since the training plug-in only works with 2.6.6, here are the steps to install 2.6.6. Execute the following commands in a shell terminal.
```
$ git clone https://github.com/mitre/caldera.git --recursive --branch 2.6.6
$ cd caldera
$ sudo ./install.sh
```
While install.sh runs, a Python virtual environment is created and the required Python modules are installed into it. At the end of its output you will see that the web service can be started as follows:
```
$ source calderaenv/bin/activate
$ python server.py
```
The web server starts and waits for access from the web browser.
Launch the Google Chrome web browser on the host where you started the web service and enter http://localhost:8888/ in the URL field to access the MITRE CALDERA server. When accessing from another host, replace the localhost part with the IP address of the host running the web service.
There are two login accounts. Select the user name according to your purpose.
User name | Password | Use |
---|---|---|
red | admin | Red team: run attack scenarios; check attack detection and countermeasures |
blue | admin | Blue team: run defensive scenarios; perform incident response |
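As an added example (not part of the original article or of the CALDERA project), the script below wraps the installation steps above: it pins the clone to the 2.6.6 tag the training plug-in needs, verifies the checked-out tag, runs install.sh, starts server.py inside the virtual environment, polls port 8888 until the web service answers, and then reminds the operator of the two default accounts. The tag check, the polling loop and the URL helper are my additions, and the script assumes curl is installed on the lab VM.

```shell
#!/usr/bin/env bash
# Added example, not from the article or the CALDERA project.
set -eu

CALDERA_TAG="2.6.6"    # the training plug-in only works with this release
CALDERA_PORT="8888"    # port the web service listens on (from the article)

# URL a browser or curl uses; pass the server's IP instead of "localhost"
# when checking from another host in the lab network.
caldera_url() {
    printf 'http://%s:%s/\n' "$1" "$CALDERA_PORT"
}

# Succeeds only when the tag string is exactly the pinned release.
version_ok() {
    [ "$1" = "$CALDERA_TAG" ]
}

# Poll the web service (max 30 tries, 2 s apart) so the trainee knows the
# server is up before opening the browser. Assumes curl is installed.
wait_ready() {
    url=$(caldera_url "$1")
    i=0
    while [ "$i" -lt 30 ]; do
        if curl -fsS -o /dev/null "$url"; then
            echo "CALDERA is up at $url (default accounts: red/admin, blue/admin)"
            return 0
        fi
        i=$((i + 1))
        sleep 2
    done
    echo "no answer from $url after 60 s" >&2
    return 1
}

# The article's install steps, with a check that HEAD really is the 2.6.6
# tag before install.sh (which needs sudo) is run.
install_and_start() {
    git clone https://github.com/mitre/caldera.git --recursive --branch "$CALDERA_TAG"
    cd caldera
    tag=$(git describe --tags --exact-match)   # fails if HEAD is not on a tag
    version_ok "$tag" || { echo "unexpected checkout: $tag" >&2; return 1; }
    sudo ./install.sh
    . calderaenv/bin/activate                  # virtualenv created by install.sh
    python server.py &                         # web service on port 8888
    wait_ready localhost
}

# Only install when invoked as "caldera_lab.sh install"; sourcing the file
# just defines the functions above.
if [ "${1:-}" = "install" ]; then install_and_start; fi
```

Run it on the Linux VM as `bash caldera_lab.sh install`; the functions can also be sourced and reused, for example `wait_ready 192.0.2.10` from another lab host.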
Depending on the user name, the background image and tool name change as shown in the first image of this article. (In MITRE CALDERA version 2.6.64, only the color of the window frame differs.) The various functions are available from the menu.
To stop the server, press CTRL + C in the terminal that is running the Python script on the MITRE CALDERA server; this exits the Python script.
To uninstall, delete everything under the directory created by git clone. The Python virtual environment is inside that directory and is deleted with it.
This concludes the functional overview and environment setup. If you are interested, please install it and try it out. Regarding how to use it, I am planning to publish a red team edition, a blue team edition, and a training edition. I hope you look forward to them.