This post is part of a series; see the links at the bottom for further info.
Attack simulation is one of those key ideas that I’ve seen customers using with varied success. There are quite a number of commercial and open source products in what is a rapidly growing field.
I think it’s worth defining adversary (or attack) simulation, and why it’s a key pillar in a defender’s arsenal.
What is adversary simulation?
To put it simply, adversary simulation is a technique that takes attacker techniques and applies them against a network or system in order to better understand and defend against its weaknesses. It may be a once-off activity or, more likely, part of a continuous automated process. Adversary simulation is a key part of a threat-informed defence, and of an assume-breach posture, where a defender knows that in order to truly guard a system they must always assume an attacker has already breached their defences.
What is Splunk Attack Range?
On to the main topic of this post. I’ve come across Attack Range a number of times over the last few years, typically customers using it in an automated manner to run a series of tests against their environments. When I was re-learning Splunk after an extended break, I used Attack Range to allow me to quickly build, break and re-build lab environments without having to worry about the underlying software install.
Attack Range is an open source tool, primarily built by the Splunk Threat Research Team (STRT), that provides security teams a way to rapidly and consistently build lab environments to simulate attacks, allowing for detection validation and engineering.
Attack Range can build locally or in cloud environments (AWS and Azure). It can be run from Windows, Linux, macOS or a container, and it can be integrated into an existing CI/CD pipeline.
How do I use Attack Range?
You can deploy using a container (preferred), or on a Linux or macOS host. You could even install it on Windows via WSL, if you were so inclined.
You can see the documentation here. I’ll put up a follow-up post and video shortly showing the different deployment options, and how to actually use the tool.
A footnote on defining simulation and emulation
These words both come up a lot in this topic, so it’s important to differentiate them.
Cambridge Dictionary defines emulate as “to copy something achieved by someone else and try to do it as well as they have”.
Cambridge Dictionary defines simulate as “to do or make something that looks real but is not real”.
For the purpose of this post, I’ll describe emulating as copying the behaviour of an attacker as closely as possible, and performing it at least as well as they would. Simulating is to represent the function or behaviour of an attacker, without necessarily doing it as well as the real world – close enough is good enough.