CyberRange: An Open-source Offensive Security Lab In AWS

great first thank you everybody first time over in London so I really appreciate the invite first time attending b-side so really appreciate being able to join the community and first time I'm presenting the project so you know if the demo gods are able to grace me with three first-time things that'd be great I do have a live demo that I'll start up it takes me maybe about five minutes to get everything up and running there's some configuration aspects of it that if I can I'll dive into it and actually do a demo or actually do the configuration and and show you everything that I can so this is cypher range the inspiration of this project really came when I was working

at JP Morgan Chase a few years ago between 2009 2014 we have a large enterprise environment very complex and I thought there was we were seeing a lot of issues within the the environment and we always needed to figure out a way to recreate those environments those issues the technologies that we were using and we noticed step back start with the demo because it's gonna take a few minutes so bear with me all right so again going back to the inspiration working in a large enterprise environment you have a lot of complexities and one of the challenges that you have is always trying to replicate those environments and being able to reproduce things right from a

quality assurance perspective environments differ from development to production we know that quite often so the goal here was to really invest in DevOps tooling and being able to take that tooling and constantly reproduce assets environments and things of that nature so I spawned or I went into cloud computing with Cisco and OpenStack when they were doing their OpenStack deployments we very quickly learned why very quickly learned that OpenStack was well behind a double less and so I switched over and actually joined tenable who I'm a part of now and I've really started diving into cloud computing since that time I've really embraced the DevOps methodology I've thrown a little bit of security aspect into it so we've got this new coined

phrase of SEC DevOps I'd like to say I'm really helping spearhead that movement so cyber range is really a the goal of this is an offensive defensive security environment a safe environment for folks that do research you know you use your laptops quite often like I do your memory your compute it's always getting over utilized we need the ability to leverage and tap into the cloud to really expand our capabilities right so that said if you're interested go ahead to the github it's right on cyber range and it's a fork of the circle see I example right there so a few thank-yous these are folks that might not have known that they've contributed in some way shape or form

right off the bat I mentioned on Tom kappa tammeh vulnerability research engineer I work for tenable I'm part of the tenable research organization so they're the ones that really sponsored being in getting me over here I want to send a big THANK YOU to them Serkis University I mentioned JPMorgan Chase when I was with Chase I was sitting on the Serkis University campus we had a Tech Center there great collaboration they don't know that I'm gonna be applying to their masters program my goal there is to go into their cybersecurity master's program and to take this project and kind of bring it to the next level so I'm gonna thank them in advance if they get a copy of

the record and hopefully they say hey good kudos to that guy right and then there's a few other folks as well that I want to call out form assembly a great company they have a really nice way of streamlining your data with forms the owner is actually a French so I've got if you go to the github there's a sign-up link I'll explain why there's a sign-up and why I need your information I share some of the tools with you but I'm using a forum assembly form so I'll give them a quick shout out a few other folks so nessus is Central's just a quick touch I know we can't really pitch products here I'm

a terrible guy so I don't want to be overly biased I've included a bunch of other folks that we've collaborated with and compete with at the same time or in the market with us but tenable has done some really interesting things just a few weeks ago they announced nessus essentials the goal here with neces essentials is they've rebranded necess home and they're trying to take that and say hey look we're involved in learning aspect of it cybersecurity is always going to be constantly learning understanding what's going on in environment learning new tools alert and learning new procedures things of that nature nessus essentials is really trying to help you break into that market of our

nobility management and the tooling we all know Callie rapid7 they have a well known footprint and then we have a few other folks fireEye they've come out with some really interesting stuff that I've leveraged and I've tapped onto they don't really they might not know them I'm leveraging them but commando VM and flair you know are really the two tools they're a commando VM is is a it's a windows-based penetration testing system so it's similar to Kali Linux just windows-based and flair is a is a malware analysis toolkit all right so let's see how we're doing on this of course demo guys crushed me oh there you go that's an easy fix in one second GZ

what we have created first all right so the general goal of the project is to be able to create a ton of different vulnerable assets in an environment in AWS and in February AWS announced that they were gonna allow folks to do penetration testing within the environment there we go we do have some asset so I'm going to ignore the errors just for sake of time and not going through a debugging session live on on a demo it just doesn't work well typically so I'll ignore whatever errors I have if I can't jump into configuration that's fine but AWS back in February we went ahead and said they recognize that people are using their platforms they

recognize that they have a process for allowing you to do penetration test and analysis on your own systems and they've gone ahead and opened that up to say if you're doing testing on your own systems we're gonna just allow you to do whatever you want to do so two weeks prior to that I was building this project he really know that I knew that they had a process of asking for permission but I'm not necessarily and asked for a permission type of guy I'm more of a sent me the email tell me that I'm doing something abusive and then I'll go ahead and step back so two weeks before they announced that they were allowing us to do that I was already

working on this project so I believe I'm the first in the market right now and it's all open source and like I said it's gonna be used for education on my own benefit hopefully it's something that you guys can all get get something out of it so in general I'm using a bunch of tools let's go - apologies I'll be jumping around here now so I'm using a bunch of tooling to go ahead and create all of these different assets and I've actually leveraged a few different tools one of them is cloud craft you can see that on the right hand side cloud CREF is a excellent architectural blueprint and tool it allows you to not only spec

out your architecture it allows you to also build it or even connect your environment hold back what you have in your environment and give you a relatively accurate analysis of the cost so right hand side what we're seeing is this toolkit in general when you spawn everything up it cost you about a dollar an hour I think that's relatively reasonable given everything that we have you know roughly 3035 assets on the left-hand side like you saw in the ec2 console on the left hand side we just have a whole bunch of different assets I realized that it's very small I don't expect you to really be able to see it apologies for that but I wanted to just give you a

little bit of an insight into the size and scale the goal of this the goal of this really is to create a few different areas that you can work in so we know that red teamers have a dedicated network that they typically work in a bunch of assets that they need to have control over and their goal the goal there and the thought there is we're going to go ahead and give you a separate subnet up there in top left corner on the over to the right see if this works there you go hey you think at a nice little point over here we've got just a bunch of vulnerable assets look I'm no expert I'd like to leverage tools

okay I leverage tools quite often and I believe leveraging tools allows me to get up to speed quicker and faster a lot of these vulnerable assets that are over there on in that section are all things that I've gotten offline it's not something that I've actually built myself so I don't want to take authorship of that these are things that I found on Vong hob Metasploit both two and three I've been able to leverage and I've had to do some building to be able to get these things up to Amazon so there's a little bit of work it's not as easy as coming in and being able to say hey look I take this and I just put it

up there and it works fine out of the box I've gone through a bunch of different assets and at times there are challenges in some areas I tried get in Windows XP up there unfortunately Amazon doesn't like Windows XP I'm not really sure why but I was hoping that they would like it so you know in that green area we have a whole bunch of targets these are all purposely vulnerable assets that you know the red teamers can actually use to go ahead and target all of the assets that are there that are listed there are quite you know quite documented right so if you are like me and your research and our offensive security the thought here

is you're going to be doing a lot of research into how do i exploit things what am I looking at and having folks tell you using a model try harder is great but when you constantly hit brick walls it's it's frustrating and so really the benefit of the project in general is to help you identify how to get through those walls right so if we give you some assets and we tell you hey look you can spawn off this environment you can create these assets you can go ahead and attack your own assets and you can do the research that you need to do to be able to understand how to get through and how to

compromise those systems I think that becomes something that's a value add to expand on that I've started looking into what do I want to do next right where do I want to focus how do I want to educate myself next and these are the things that I'm highlighting are going to be in the yellow area as well as the malware so now where's a very big area of opportunity for myself as well as many other folks and the biggest concern that I have with malware is we really don't know what's going on there I don't don't trust any type of malware on my home network I don't trust any type of malware on my computer even in a

virtualized environment I'm kind of nervous about that so the thought here is I went ahead and put that up into the cloud I completed I created a completely separate and segregated environment that was isolated that would allow you to do your own level of malware analysis and so that's that malware subnet this detection lab the goal here is for the blue teamers that detection lab is something that I found just recently that's quite interesting a gentleman by the name of Chris Long created a project and that project out there on github the challenge that I have with being able to take that project and fully incorporate it into the solution is it requires a bunch of reconfigurations they use a ton

of different scripts I have no problem parsing through those scripts but the challenge there is getting that to work with the currently existent environment it's going to be somewhat of a challenge and then the honeypot network we were just talking about Magna Carta mad cart a few moments ago the gentleman that was right before me honey pot honey tokens I think those are always valuable tools that you can leverage from an intelligence perspective so the thought here is you have a fully comprehensive Red Team Blue team intelligence collection network toolset that you can leverage to advance your own training knowledge and understanding I've touched briefly on some of the technologies used here obviously we've got AWS for those

that do cloud computing in any way shape or form please take note of get secrets any repository that you are working in any code repository that you are working in where you are leveraging your API keys please use this tool this tool will help you prevent committing those keys to your repository and just in case you're not aware when folks scan github and they see your keys you're probably looking at less than a minute or two before your entire accounts compromised so get secrets huge tool definitely leverage it is very simple to get up and running I'm a big believer in terraform terraform has been doing amazing things for me I also like vagrant quite often I

used the - but terraform seems to work a little bit better at scale I've recently been talking about and excuse me I've recently been introduced and inspect inspect is a testament ology if you will or test and tool set that you can go and you can define infrastructure and leverage that those definitions to confirm that your systems and your applications are up and running the way that you expect so I'm gonna introduce some inspect and the goal here is when you go ahead and boot up this range I want to make sure that everything is up and running exactly as I would expect it so Kali is pretty standard Packers another great tool Packer was used for the Metasploit

2 & 3 stuff so rapid7 does publish the Metasploit on their github and you're able to actually go ahead and build that and a lot of that uses packer chocolaty windows package manager and cloud in it is basically just a start up for Amazon I start up script for Amazon it allows you to just go ahead and define a few scripts saying get those assets up and running with a few definitions that are used at boot and that's really the benefit of cloud annette the more Norvell assets I covered that I'm not going to really go too deep into that and then the researcher assets I touched on Kali in the end commando one of our

reverse engineers introduced us to REM Knox I'm just starting to get this introduced into the environment I have one slight issue where I can't get SSH connectivity but I'll be working on that over the next few days and getting that in there and then the only other thing I'll really call out because I think this is quite interested in is teapot teapot is t-mobile's honeypot system it's been quite advanced since I last used it which was about a year ago and they've gone ahead and updated recently so I am reintroducing that hopefully that'll be up and running in a second the cloud init scripts does take quite a while to get that up and running

so let's dive into some of the code aspects of it if you're not familiar with terraform you need to kind of understand what terraform requires both from a manifest and an asset declaration perspective so in the project we need to start navigating through some of the code you'll see a terraform folder in that terraform folder there's a few environments these environments are where I have the AWS ami set up these a.m. eyes again I've had to take these systems I've had to go ahead and get them up and running on my own system I've had to export them then I've had to import them into AWS sometimes I'm successful and we have an ami sometimes

I'm not and I can't add that to our repository so there are some reasons why we don't have all the a.m. eyes or all the images vulnerabilities that I'd like within those environments we have a few different manifests one is the main manifest and one is the variables we'll go through that in just a second so from a main manifest perspective it's pretty straightforward we've got an AWS provider that we go ahead and identify and I just want to call out a proper way of leveraging your credentials within these manifests I when I first got introduced into terraform I was hard coding my credentials in a provider and now I've gone ahead and used this I

think this is just a little bit more secure I'm sure there's probably even a more better more secure way of introducing your credentials into terraform but right now that seems to be the best option for me we have the modules that are being defined the stages stage and a terraform back in the terraform back end really just allows you to say I'm gonna go ahead and create a bunch of assets and when I create those assets we're going to create a file that says these assets are in this state and that's where that stored it's stored in an s3 bucket and then on a final piece down below we have the stage and infrastructure that's

really just calling the actual infrastructure itself the infrastructure manifests itself I would say it's inherited in those declarations and then it's taken those declarations and going ahead and and creating the assets like you just saw a few minutes ago variables we have a lot of variables that are being defined across the board but these are pretty straightforward and in the in the main terraform folder these are there's just a few couple variables there but in the second folder which is a if it's on the next page in a setup folder we do have variables here and that has many more declarations it not only defines all of the different ami look ups but it also defines a few other

things such as instance size and things of that nature I mentioned good in bed I covered this just a minute ago but this was a just a very good example of the good in a bed please don't do this this is horrible if you're gonna leverage sheriff um and commit your your keys that's probably a bad thing this is where it gets secrets would help you okay just to call attention to that so if you implement kit secrets and you're using terraform please go ahead and run a scan against your repo within the infrastructure folder we have a bunch of definitions again this is a Sabra range the goal of the range is to be able to define a

bunch of assets and get those assets up and running so how do we do that well we do that with two different sets of modules one of those modules is a network module and the other is a sec devops module again you know I'm embracing the sec DevOps of mentality and I'm saying hey look let's go ahead and start coining that phrase and really promoting it obviously within the network stuff we have network based assets that are going to be created I'll show the you those in a few minutes and then with intersective ops stuff we're just calling everything together sharing all the information prompt that was previously created in a network layer over to that particular module so

that the instances that are being created actually understand where are they going you know what subnets are they going in and whatnot

okay github repo has quite a few folders want to read Me's as well as a bunch of other things I've gone ahead and identified the network in a sec DevOps asset folders that we were just talking about I do leverage a bunch of cloud and NIT stuff the one thing I would say here is I've pulled away from leveraging cloud in it and I've gone into a snapshot in the instances once I have them up and running the benefit of the snapshot in is I can get these assets up and running quicker so when I come to the stage and I say hey I can do this in less than five minutes it's because I've done all

of the work and I've taken the snapshots and really all I'm doing is saying hey let me just boot up an asset instead of let me do all of the configuration that's necessary for that asset a good example of the amount excuse me teapot is a good example of an asset that I have to configure on the fly every time it gets booted up so it doesn't come up right away and when it comes up it probably takes about five or ten minutes for that teapot asset to really come up I would say closer to ten and then once it does you actually have to reboot it so again the cloud Annette stuff is there it's for examples but the

challenge there is that it's going to increase the amount of time that it takes to actually get this system up and running for you within a network folder in the sec ops folder sector bops folder we have a bunch of different manifest obviously in a network in space we have a bunch of VIPs gateways routes subnets and the variables doesn't really have anything in it and a VPC so the benefit here is you take this repository this code repository this project you go ahead and spawn and up in your own AWS environment hopefully you don't use a corporate environment I personally use my own personal environment simply because I don't want to corrupt the corporate

would would crap so this allows you to define everything that's going on in that network what your network looks like in that sector Pop's folder there's a bunch of other things right I think we can clearly see some attacker stuff we've got some compares this AWS ami is just a data lookup it tells me all of the different ami is that I'm going to be using for creating the assets I've got a CTF playground some honey pods malware security groups are our rules on networking rules that allow assets to talk to each other as well as assets to talk to the outside and then I have a bunch of different targets both Windows and Linux that if you go to the github

repository I'll take a quick second to go there on github there is a to get started go here link okay and it's very straightforward I had this signup form and I don't want you to think that I'm sitting here trying to pitch something or trying to collect your data I really don't want to collect any information but there's a reason why I need your account number these images the windows images I have a concern with Windows licensing I can't open these images up to the public unless somebody and Microsoft is here and can go ahead and give me that little note my concern there is that I can have the repo taken down I could have my

account lock down and I want to avoid some Windows license and stuff so if this is a project that interests you just trust that I'm not going to be taking any of your information and using it in any bad way it's just I need your account number to be able to share those images with you so that you can actually create these assets on your own okay I also have I mentioned at the very beginning there was a circle CI project that I leveraged that circle CI project was fantastic it gave me a multi-tiered AWS environment and I've leveraged that to go ahead and build multiple layers of builds the project itself was upgraded to terraform vo 0.12 just recently as I

was preparing for this over the past two weeks that was released on the 23rd that was I found a few bugs as a result of the CI builds I did find a few bugs this last bill just came in I think last night I opened it up and the one before that was just earlier in this week they're not blockers but if you are using terraform and you're having an issue go ahead and do diligence and just make sure that you're on on the same version the concern that I have with that V 12 version is once you upgrade to V 12 V 0.12 it looks like terraform creates a file that says you must have a minimum

terraform version so there are some changes that are going on there I think we're still to some degree at an early testing phase of 0.12 but everything seems to be working so if you do download the project and you find hey this is not working for me I can't get terraform the function as as I would expect just go ahead and double check your versions there within the circle CI workflow we've got a bunch of different steps that circle CI workflow is in a project the declarations are under the circle SIA the dot circle CI folder and there are a bunch of different steps that are being done here the thing that I want to draw

attention to when I say that I'm able to go ahead and create these assets in a very short period of time is that terraform apply step it only takes about two minutes to go ahead and get all those assets up and running what's interesting is it takes about six minutes to get them destroyed so I'll walk you through the destruction aspect of it because I've noticed that terraform doesn't necessarily clean up all of your assets in the environment as much as you'd like I found that terraform in general has lingering volumes and sometimes there are some other things for sake of not going through all of the configurations and not spend an ample amount of time

trying to bug this while everybody's looking at me and staring at my screen I'm just going to show you a little bit of a visual I just created this earlier today I got the system up and running it boots up quite like I said it boots up the errors that I saw before was just because I reconfigured a volume size that I don't know why I reduced it apparently I broke things so I just have to revert that back but once you get the system up and running you now have a playground full of vulnerable things and as you can see here you've got quite a few loops as you can see there you've got quite a few Reds on a few of those

different assets I'm gonna suspect that this is one of those Metasploit able assets and the thought here is is twofold right again it's an open source project that thought with open source projects and open source knowledge is that you have the ability to see things without having to fear a black box scenario so if you know the assets that are going to be created if you know the assets that you're going to be looking at and you want to practice and fine-tune some of your skills you can leverage a scanner in this case necess or rapid7 or open files or whatever other scanner you want to leverage but I've included necess and rapid7 in here but you can leverage the

scanners to go ahead and just do a quick scan of your system to say hey what do I have here right and what can I start research and that gives you information on the software that's being installed the versions as well as any other indicators of vulnerabilities the benefit here for obviously for red teamers is you have the ability to very easily see some of the low-hanging fruit as well as some of the more challenging things that you can focus on as well AWS nuke this is a great tool let me very quickly show you AWS nuke so we're gonna go ahead and run it and AWS nuke is a fantastic little tool what it

allows you to do is completely wipe out your environment the thing that I would caution you on is wiping out your environment can be very destructive if you're in an enterprise and AWS milk does not discriminate against what you have in your environment if you do not have termination protection on your assets and you go ahead and there were just tooling and start wiping out your very likely you're gonna have severity 1 P 1 whatever incident you might think of in your environment but one of the benefits is if you're using your own personal invite your own personal account like I do I can go ahead and nuke my account quite often and I have

no concerns new cannon I destroy absolutely everything the account has nothing in it and then I can go ahead and get started again right from scratch so AWS nuke is a fantastic tool the caution here is that you really need to be careful with what you're you're doing and what your new can I'll come back to that in just a minute so a few tips right if you are in an enterprise the environment my suggestion would be talk with your cloud security folks or your cloud architects I believe if you've gone ahead and set up a separate organization or account ID I believe you should be safe because AWS nuke can look at just a count ID and you could say

okay I'm just gonna wipe everything out at that account it will do a global scan if you define all of the different regions so my suggestion is go ahead and just target one region at a time drive run output so when you run at AWS nuke you can go ahead and just say hey just show me everything that I'm gonna be wiping out and you can just do a simple dry run you can take that output you can analyze it there is a white listing approach so when you leverage that dry run and you go ahead and see all the things that you don't want to delete there's a way that you can go ahead and

define those things in a configuration file and that white list an approach for me I whitelist my a.m. eyes and I've whitelist my volumes and my snapshots beyond that I pretty much delete everything in Sep for my account right and then my thought there is my final thought here is initialized early and purged often like I said terraform is a fantastic tool but I've noticed that there's some opportunity in a terraform destroy phase where it does destroy instances altogether but I do notice that there are sometimes lingering volumes and snapshots and things of that nature that are hanging around and so AWS new just comes in right behind it and it wipes out why is AWS nuke important well if you're

using your own environment your own account and you have a bunch of assets that are lingering you're gonna end up accumulating costs right so one thing I would suggest is go ahead and do that Persian and a little tip just because we're all here and I have the opportunity to mention it if you are interested in getting your own AWS account set up and running you can set up a free tier account I believe and I'll double check I believe every definition of assets is defined as a t2 micro so I believe it should all be underneath that free tier but the one thing I would say is don't hesitate to go onto eBay and grab a few AWS credits

you could get like $150 AWS credit for like 20 bucks 30 bucks USD so I don't know what that converts into town wise but very simple I often get AWS credits and I just stack them on to my account and I have a minimal bill at the end of the month but really AWS nuke really helps you maintain your calls or at least reduce your cost so next steps and what I'm looking to do I mentioned inspect the gold would inspect is really to be able to make sure that the things that I'm spawning up and the things that I'm creating are actually being created and set up the way that I'm hoping that they are so I believe inspect is going

to be huge area an investment for me the goal there is I want to learn about the tooling I think there's a lot of benefit in being able to say hey I need to define infrastructure and assets and web apps and I need to define and make sure that they are set up in certain ways from a secure set DevOps perspective I believe that tooling is going to be relatively key it should be something that you can introduce into your environment if you have insecure code configurations you should be able to introduce that you should be able to define what those configurations are that you want on the system and you should be able to monitor that system in

that environment on a regular basis I will be looking to get those tests into the CI CD pipeline and the goal there is during a build phase a doing a build process I already have definitions of what my systems are going to look like I want to make sure that everything is passing some of the additional next steps is the malware stuff I'm going to be focusing more on the malware area I think the thought there is I want to have an environment where I can really do some some deeper reverse engineering and I think these are some of the things that I've seen that I'm going to be looking at and doing some research on fuzzing on the

very bottom having a separate pleasant environment is going to be kind of key as well being able to actually spawn something up in AWS put an application there and being able to just run and execute and see what comes out of that after a day or two weeks whatever it might be of analysis I think that's going to be relatively key and then you know Packer and compile explode explorers as well as a honeypot Network the honeypot network is something that I think is really quite interesting if you haven't explored or played with honey pots i really suggest you to take a look at that teapot asset you can download it as an OVA on your own system hopefully

with this you'll be able to get it up and running in your own AWS environment last year for an Asia conference I did a embracing the rise of Sec DevOps presentation one of my peers actually presented it but I helped construct the presentation and I set up the honeypot over in Australia and I just wanted to see what was going on like what are people doing and and I got to tell you it was it was alarming it was interesting as you were able to track the different threat actors across the world and where they were coming from and I've got to imagine that folks were cloaking where their location was but it's just interesting to see the

different types of things are coming over the network and how these honey pots are able to capture that information that said 525 I think I've ever done wrote relatively well I did not at all dive into the configuration and actually getting a live demo up and running um too deeply but I let's go back really quick to your destruction of all the assets so it took about five minutes here last time it took just about two-and-a-half so it took about five minutes to do the full AWS nuke and just to confirm again alright let's go ahead and make sure all these things are destroyed alright so basically the tool here that I'm trying to introduce you to

is something that you can use to be able to get your own security environment security lab up and running it should be bootstrap about my goal is get you to download it you go ahead and do a little bit of a configuration hook in your AWS keys or make sure that you have connectivity to that give you access to the MIS and boom you're up and running from a collaboration perspective if you go ahead and do poke and prod at this project and you find any issues I'm more than willing to look into them I'm more than willing to fix them because I do leverage some third-party tools it might be outside of the scope of what I can do

or what I can fix but by all means if you see an issue open it up against the project ping me on LinkedIn I don't know if you see me in the streets tapped me on the shoulder whatever it might be I'm definitely willing to to look into it and continue to enhance this project that said we got about five minutes I assume in towards the end of the day we can go ahead and break out and allow everybody to take a few drinks but if anybody has any questions by all means raise your hand ask it otherwise I appreciate your time [Applause]