Black Hat USA Arsenal sessions open with the mantra of ‘attack is the best form of defense’
A new security tool designed to emulate adversaries conducting malware campaigns or probing networks for secrets was presented at Black Hat USA today.
ATTPwn, developed by Telefonica security researchers Pablo Gonzalez and Francisco Ramirez Vicente, aims to enable penetration testers to identify potential weaknesses impacting an organization, based on techniques and tactics from the MITRE ATT&CK framework.
The tool was demonstrated during the Arsenal track of the conference today, which is being held online this year due to the worldwide coronavirus pandemic.
ATTPwn can be used to emulate a number of known attacks against Windows systems, including the exploits that were used as part of the NotPetya and WannaCry malware campaigns.
It can also be customized to mimic threats and attack chains involving privilege escalation, lateral movement across a network, and credential dumping.
Gonzalez told The Daily Swig: “Our idea is quite simple. Just set up a known adversary or threat and emulate it against your computers.
“In this way, you can test how your security controls work. Also, you can use ATTPwn to test a specific MITRE ATT&CK technique.”
He said the open source tool was developed both to enable red teams and pen testers to identify problems, and help blue teams to find ways to defend against them.
Gonzalez said: “We believe that the tool can be used by a red team to emulate opponents, but also by a blue team to verify the effectiveness of security controls.
“It must be taken into consideration that the security controls will be ‘mapped’ with MITRE ATT&CK techniques.
“In this way, the company can then validate, when executing a technique, if the security controls are working correctly or need to be reviewed.”
The MITRE ATT&CK framework, developed by the US government funded body, is a worldwide knowledge base of attacks based on real-world observations.
It can be used to help organizations identify problems and assess their security risk.
Gonzalez said they chose to this frame of reference because it is increasingly being used as a standard among security professionals.
He added: “Besides, it is constantly changing and updating. MITRE is constantly enriching the framework.
“We believe there is still a long way to go, but we are very happy about the tool and what it can provide.”
The researcher offered some details on future updates to the tool, including the opportunity for a user to create “their own WannaCry” or other threat.
He explained: “[We will be] implementing the Powershell functions necessary to have a new version of a MITRE ATT&CK technique. This is very exciting.
“ATTPwn proposes a collaborative model in which any user can make the implementation of a technique and share it with others.
“In this way, it is possible to have your version of any threat and share it, creating threat or adversary intelligence.”