The breach and attack simulation (BAS) feature automates the simulation of the tactics and techniques in the MITRE ATT&CK framework for users to view various cloud security threats from an attacker's perspective. This helps users identify potential attack paths and significant security threats, uncover deficiencies in security products, and determine whether security policies are properly configured. This feature allows for optimal use of security resources to mitigate cloud security risks.
Use cases
Efficient penetration testing
BAS automates the execution of attack tasks for extensive testing of known attacks. It simplifies operations and reduces the workload for Ops personnel. By default, the system provides penetration testing playbooks based on the MITRE ATT&CK framework, which contain attack tactics such as Collection, Reconnaissance, Privilege Escalation, and Lateral Movement. These playbooks simulate the behavior of hackers and real-world adversaries.
Precision reliability assessment of security products
After simulating an attack on the target system, you can check the corresponding alert information on your existing security products, and compare their detection rates to assess their reliability.
BAS toolkit installation
1. Check whether the toolkit is installed for an asset
1. Log in to the CSC console and select Assets from the left sidebar.
2. Select Host assets and check whether the BAS toolkit is installed for assets.
2. Install the BAS toolkit
For an asset without the BAS toolkit installed, click More > Install toolkit in the Operation column on the Assets page for it. Then, use one of the following three methods to install the toolkit for the asset:
Method 1: Manually run commands
Log in to the target server and run the corresponding commands to download and run the BAS toolkit.
Method 2: Use TencentCloud Automation Tools
You can use this method only when the TencentCloud Automation Tools client is installed for the asset. After you run commands through the client, the BAS toolkit will be downloaded and run on the server.
Method 3: Use the Cloud Workload Protection Platform (CWPP) Agent
You can use this method only when the CWPP Agent is installed for the asset. After you run commands through the CWPP Agent, the BAS toolkit will be downloaded and run on the server.
Note
Currently, you can install the BAS toolkit only for Tencent Cloud servers running Linux.
3. Efficiently performing penetration testing
Viewing penetration testing playbooks
On the BAS page, view penetration testing playbooks. The system provides multiple penetration testing playbooks by default, which contain attack tactics such as Collection, Reconnaissance, Privilege Escalation, and Lateral Movement. These playbooks are designed to simulate the behavior of hackers and real-world adversaries.
On the BAS page, click ATT&CK matrix in the upper-right corner to learn about the tactics and techniques involved in a playbook, or the playbooks associated with a certain tactic or technique.
Selecting playbooks and assets
1. On the BAS page, select one or more playbooks and click Start attack.
2. In the pop-up window, select the assets for this attack, indicate your consent to agreements, and click OK.
Note
You can execute BAS playbooks only on assets that have the BAS toolkit installed.
Viewing playbook execution history
On the BAS > History page, view the execution results (successful, abnormal, stopped) of playbooks. You can stop an attack in progress, re-attack, and perform other operations.
4. Accurately assessing the reliability of security products
After successfully simulating attacks using playbooks, you can check the results on your existing security products (such as CWPP). By viewing the alerts generated by security products, you can identify the security gaps in the products and determine whether security policies are configured properly. You can compare the number and accuracy of alerts generated by multiple security products to assess their reliability.
FAQs
Why does the installation of the BAS toolkit fail?
Firewall blocking: It is recommended that the firewall policy allow the access to the CSC backend server (the public domain names are bas.tencentcs.com and csc-1300616671.cos.ap-guangzhou.myqcloud.com, and the public ports are 8001 and 443).
Network issues: Check whether the network connection is normal and try another network. The BAS toolkit requires downloading files from the internet, and an unstable or slow network connection may result in installation failure.
Permission issues: It is recommended to log in to the system using an admin account, or download/run the toolkit with the "Run as administrator" option. Administrator permissions are required to download/run the toolkit. Insufficient permissions of the current user may lead to installation failure.
System compatibility issues: Check the system requirements for the toolkit to ensure that the current operating system and software versions meet the requirements. The toolkit may not be compatible with the current operating system or other software, causing it to fail.
What is the source of the system default playbooks?
The system default playbooks are based on the tactics in MITRE ATT&CK. MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
System default playbooks (continuously updating)
Playbook Name
Description
Base64 command attack with Python
Simulates a scenario in which a hacker uses Python to decode Base64-encoded text strings to execute malicious code or steal sensitive info.
Password complexity policy check
Simulates a scenario in which a hacker checks the password complexity policy of a console on a Linux system in order to understand the password requirements and limits, which may be used to crack passwords or gain access to the system.
Shiro deserialization attack
Simulates a scenario in which a hacker exploits the Shiro deserialization vulnerability to gain remote command execution permissions on a target system, which can be used to execute malicious commands to gain access to the system or steal sensitive info.
DNS log collection
Simulates a scenario in which a hacker obtains the visitor IP from DNS logs to detect the target user's activities or perform other malicious behaviors.
Port forwarding attack
Simulates a scenario in which a hacker collects info about the target system to understand its weaknesses and vulnerabilities, installs malware on the target system or exploits vulnerabilities to maintain access to the target system, and uses the Netcat tool to bypass firewalls and other security products with the port forwarding technology in order to execute commands or transfer files on the target system.
Private network lateral movement attack
Simulates a scenario in which a hacker collects SSH info from a target system to understand the SSH configuration and security of the target system, and uses the Exploit Writing Toolkit tool to further attack other systems by exploiting the host already compromised to gain access to more sensitive info or control more systems in the private network.
Privilege persistence attack
Simulates a scenario in which a hacker transfers sensitive data from the target system to a server or other location controlled by the hacker to gain illegal benefits or cause losses. After reading sensitive info, the hacker writes malicious code to maintain access to the target system, so that the hacker can clear the historical records in the target system to hide the attack or mislead investigators.
Malicious file execution attack
Simulates a scenario in which a hacker writes malicious code into a file and executes it to carry out an attack. By collecting SUID info and executing Python reverse shell scripts on the target system, the hacker performs proxy lateral movement to gain more system permissions after setting up a connection with the target system. Then, the hacker tampers with the timestamp of the file to hide the attack or mislead investigators.
Reverse shell attack with Netcat
Simulates a scenario in which a hacker collects the info about CWPP processes on the target system to attempt to kill the processes, uses the Netcat tool to execute reverse shell commands on the target system, and connects the target system's shell to the hacker's machine. After setting up a connection with the target system, the hacker can execute commands or obtain system permissions.
Python reverse shell attack
Simulates a scenario in which a hacker collects info about the target system to understand its weaknesses and vulnerabilities. By executing Python reverse shell scripts on the target system, the hacker connects the target system's shell to the hacker's machine. After setting up a connection with the target system, the hacker can execute commands or obtain system permissions.
Malicious lateral movement
Simulates a scenario in which a hacker collects info about the target system to understand its weaknesses and vulnerabilities. The hacker uses the iox malicious tool for port traffic forwarding to control the target system. Then, using the permissions and features of the target system, the hacker further attacks other systems to gain more sensitive info or control more systems.
Yes
No
Was this page helpful?