
It is a pleasure for me to introduce Juan, Nicolás and Professor Daniel Díaz. They will be talking about BAS platforms, which are simulated and automated environments that support us in two very important processes: the offensive security part and the incident response part, in that first phase of preparation, which is fundamental. So through their talk we are going to see a comparison they make of those platforms and some results of interest. So I ask you for a big round of applause for them, please. Good morning everyone, how are you? Well, let's start today's session. We have the pleasure and honor to open it with the first talk. The presentation is, as Luis said, about BAS solutions, which are
basically solutions for attack simulation, Breach and Attack Simulation. So this is a very special presentation because basically we are going to analyze the capabilities of BAS solutions. Our team is made up of Juan Daniel and Nicolás. They are students in the last year of the Applied Mathematics and Computing program of the University of El Rosario. Carlos Castañeda, who has a doctorate in IT, is currently working on cybersecurity issues as well, and is particularly linked to CERBAL Networks. And well, Daniel Díaz, who is me, a professor at the University of Rosario. Well, first we will start by explaining what BAS is and then we will see a little bit of the platforms that exist,
the most popular at least. Then we will establish some comparison criteria. We try to establish them in the most objective way possible, trying to remove the commercial bias. And then we will do some demos with Caldera and with Keysight. Finally, we will finish with some conclusions. Well, the first thing is to define what BAS is. Does anyone know what BAS is? Do you have an idea of what a BAS solution is? A Breach and Attack Simulation solution? Or do you imagine what it is, more or less? Yes, right? So, of course, there are several important things that one can deduce from the semantics of the acronym, right? Simulation. Does simulation mean that they are not real attacks, but simulated? And
Breach Attack, does it mean that it refers to vulnerability analysis or to vulnerability exploitation, that is, how far does it go? So there are some conceptual situations that must be defined first. And what happens is that this is such a new concept, or relatively new, that many manufacturers define it in different ways. So that's why it's important, before establishing a comparison, to first define what it is, what it should be, or how we should understand a BAS solution before starting to analyze each one of them. So, the first thing we can say, sorry, I'm going to point here with this one. The first thing we can say is that it is part of the offensive security methods. It is effectively part of the offensive security
component. There are several types of methods, there are several methods of offensive security. This is one of them, which basically consists of the use of automated tools. Basically, they are automated tools that carry out the attack that a person would do manually. That already begins to be very revolutionary, because we go from doing operations manually to operations that are in large part, or to a large extent, automated. That is very interesting because it obviously allows you to do activities that last for a while. I can run a BAS solution for a long time and it will be doing retries, retries, and it will explore different ways to carry out an attack, right? If I put a human to do an activity like that, then obviously he will get
tired. So the fact that it is automated, that they are automated attacks, basically already sounds very promising, right? Not necessarily better, but at least promising. Now, we also know that these solutions are not managed alone, they are not maintained alone. So that's why it's very important here, and that's why we put it from the first slide: they are solutions that require human intervention. The human intervenes in many parts of the deployment of these types of solutions, from the moment of configuration, but also later when it is being used operationally, because the human is needed to point it at a specific target, to define what will be
the level of criticality, the level of impact that will be exploited, the level of detail that the report requires. There are many activities that require human intervention. A BAS solution is not basically an artificial intelligence doing everything from behind; on the contrary, it is a machine, a platform, sorry, an automated attack platform, but it requires human intervention to effectively be effective. Well, what else is a BAS solution? A BAS solution is a solution that allows you to execute different types of attacks. So, if you have seen a catalog of attacks, you will probably find attacks on different layers. For example, if we think of a TCP/IP architecture, attacks at the level of
the application layer, of transport, of network, right? Or if we talk about an OSI model, then surely we also think of attacks on the seven layers of the OSI model. Basically, a BAS solution effectively has incorporated within its arsenal attacks within those layers. So we have attacks in the application layer, attacks also focused on data leaks, data breaches. We have attacks based, for example, on email, very similar to what was presented in the CTF, which are basically campaigns, for example, of mail that carries malicious attachments, or spoofed mail, spoofing; abuse of systems, for example, where privilege escalation is done, or where, for example, cross-site scripting or cross-site request forgery is done, any
type of these typical attacks based on web applications, lateral movement, all of this it has. But the interesting thing is that it has it automated. That is, there is already a set of scripts that do these types of activities consecutively. And being a little more formal in limiting what it does include and what it does not include, basically most BAS solutions include TTPs, the tactics, techniques and procedures included in MITRE. So if you check MITRE or the vulnerability database, you will find a tree, well, many TTP-type trees. Well, many, sorry, you will find a tree of TTPs that contains tactics and procedures with that same level of depth. First there are the tactics, then the techniques and then the
procedures. So, in this case, in today's presentation we are going to show two platforms, Caldera and Keysight, that implement the TTPs of MITRE. The TTPs that are already defined in MITRE are implemented automatically in the form of scripts. And what else does a BAS solution do? The BAS solution is able to test different types of devices. So basically servers can be tested, end-user devices can be tested, mobile phones too, in some cases they could reach some types of endpoints; cloud infrastructures can also be tested, and solutions, for example, of the REST API type, servers that have API services. In conclusion, all this, which sounds very interesting, basically, what is it for? What is the final purpose of a BAS solution?
In addition to being something automated, the word automated is always synonymous with less effort, right? But in addition to being automated, to being a large set of attacks directed towards different targets that I define, the purpose at the end of all this is not only to reduce the effort, really that is not the main purpose, but ultimately to contribute to the discovery of failures in security controls, which can be different types of controls. Organizations have traffic detectors, right? Anomalous traffic detectors, vulnerability detectors, they have authentication engines that in theory should work well, event correlators. The idea, in the end, is to discover the flaws in all those security controls, okay? So that's basically what a BAS solution
does. That's it, basically. That's good, right? Or is there any comment about what a BAS solution is? The BAS solution sounds very good, but really the most interesting way to understand in depth what a BAS solution is, is to compare it with pentesting. Both are offensive security methods. See that by definition this was also an offensive security method. Pentesting is also an offensive security method, but then we are going to make a very quick comparison here to understand the difference between a traditional pentest and an offensive security method using BAS. The first thing, the type of tests that are done. In the case of BAS solutions, they are automated tests,
automated procedures. The attacks are already automated. In the case of traditional pentesting, although we use tools, at the end of the day it is a manual process. Each one of us has to bring up the security tools, configure them, deploy them, attack, and it also obviously involves a lot of payload construction, exploits. It's all a mainly manual procedure. Mainly manual. With respect to the continuity issue, a BAS solution can be continuous, that is, I can run it continuously. Right now we are going to talk about licensing of this type of solution, but basically some of them work in rental mode. You pay for an agent of one of these solutions to be launching attacks for 24, 36 hours, for a month, up to three months,
for example, continuously. So it has some continuity capabilities that are interesting. Pentesting probably does not have all that capacity to be doing so many tests continuously, right? And on the other hand, a traditional pentest is contracted every time there is a budget, right? Every time there is a need in a company. So it can be, for example, every three or every six months; the frequency depends on the contract defined between the contractor and the company that performs the pentest. So, well, here we already have two differences. The third difference basically corresponds, and this, well, sorry, I'm going to skip first to the scope, okay? Because this one here is a little more difficult to understand. The
fourth, the scope. It turns out that here there are different types of BAS platforms. So what we have done is define four levels of BAS platforms. Those platforms that simply install the agent inside a machine, which can be a server, a virtual machine, and basically the agent analyzes the security of that machine. That is, the scope is limited only to the machine or the instance where the agent is installed, only there. Those are the most basic solutions. They are very similar to a local vulnerability analysis solution, let's call it that, because it only analyzes the machine where it is installed. They are the L1. The next level of BAS solutions are the L2, which are
the L1, but with the ability to generate internal attacks. That is, it is installed inside the machine, but it can also generate attacks towards other machines inside the internal network. So, look, there we are expanding the scope of the platform a little bit. Here we are already talking about L2-type solutions, level 2. Then we move on to level 3. Level 3 is equal to level 2, but in addition to having the ability to analyze the security of the machine itself where the agent is installed, and to analyze the internal network where the machine is configured, it is also capable of generating attacks from outside. That is, it can generate attacks from the extranet to the intranet, and in that way I can validate where the malicious traffic
is entering. And then there are the L4, which are the most advanced, which basically do everything the previous ones do, that is, they analyze the machine where the agent is installed, they carry out internal attacks, they carry out external attacks, but they also give me visibility as a user of the BAS platform, they give me visibility of the attack vectors that were found and that were exploited. So, not only does it do it, but it also shares what it found, shares it with me generously so that I, as the platform administrator, can understand what happened. So, when they talk to us about a BAS solution, one has to ask oneself, what level is that BAS solution at?
Because there, just as there are different types of security products, and everyone can probably call themselves or assume that they have a similar functionality, in this case it is also important to know that there are different categories. It goes from the Renault 4 to the Mercedes over here. They have different types of capacities. They all do something similar, but really this one here has much more advanced capacities. So, the L4 solutions. What we have tried to do today is to bring two platforms of the most advanced level, which are Caldera and Keysight, which are located between L3 and L4, mainly L4. They are category level 4. And how do these solutions compare to a traditional pentest? In traditional pentesting, effectively, a team of
ethical hackers can perfectly do these same types of activities. Indeed, the ethical hacker can analyze the network from the inside, from the outside, can analyze the machines that are also targets, that are part of the analysis. So, the attacker, the ethical hacker, can do that security analysis of the machines and also launch external attacks. Here I have put the internal with a question mark, because what does it depend on whether it can launch internal attacks? Well, on first managing to carry out the external attack. If it manages to get in from outside, then, already being inside, surely there it can exploit attacks within the internal network, okay? Now we can talk about the exposure window. There is a
fundamental difference between BAS and traditional pentesting in terms of the exposure window. You can probably deduce it. What is the problem of automated solutions? Almost always. Or always. What is the problem of an automated solution? It depends on what? Someone said it depends on something, but no. What is the problem of an automated solution? It is a solution that, like any software, does not go into production immediately. Like any software, I have to make a design, an implementation, I have to do some tests and finally I put it into production. So, the BAS solution has an attack database, but those attacks are not updated immediately. Because if a company, for example, Caldera or Keysight, well, we are
particularly talking about Keysight, if that company, for example, detects an attack at an instant T0, it will not load the attack procedure immediately, because it has to first understand it, right? If it discovers that an attack is happening, for example, towards a company, in particular towards the bank, for example, that the CTF colleague mentioned to us, then the company has to first identify how the attack was carried out, and only then is it able to automate it and put it into a database. So how much time can that take? 5, 10, 20, 30 days can perfectly pass, right? While it understands the attack, automates it and loads it into the attack database
of the BAS solution. So that's a very long time, right? Because within 30 days a lot of things can happen. On the other hand, if we have a person doing manual testing, traditional testing, let's say it will also take time to understand the attack, but he can start to validate the attack almost immediately because he does not have to automate it. His job is not to automate an attack. So he can simply start doing the analysis immediately. So look, here, in many things, a BAS solution sounds very attractive, but also in others, for example, in this area here, it also has some disadvantages, some very big disadvantages, and in this area here, it can also have
them depending on the type of BAS that is acquired. Not all BAS are the same. In the end, basically, after making this comparison, we have that, for example, a BAS solution can have several false positives, right? In the case of pentesting, there may also be false negatives. Now, what would you prefer? That in a security issue they warn you of the false, that is, that there are more false positives or that there are more false negatives? ... discard a possible attack, but I prefer to have more false positives than false negatives, because the worst that can happen is a false sense of tranquility. Now, this is mainly, because here there may also be false negatives. I want to clarify that
here there may also be false negatives, here there may also be false positives, only that it is more likely, speaking in terms of probability, it is more likely that here there are false positives, because it is an automated solution. Ready, very good. Let's talk about the platforms. Do you want to use the pointer? Good morning. I'm going to talk about the most famous platforms. We chose six, although there are many. And what we did to compare them was to classify them first by the five most important aspects that we found. We have deployment ease, or the platform where you can deploy. We have attacks, its ability to remediate, a little bit of its history and finally the price. So I'm going to
start by talking about AttackIQ. This tool can be deployed both in on-premise systems and in the cloud. Unfortunately, this only allows EDR attacks, that is, Endpoint Detection and Response. We also have that its recommendations are quite basic compared to the rest of its competitors. We have a little bit of its history. It is based on MITRE, CrowdStrike and Red Canary systems. Its price starts at $5,000 per endpoint, although it can start to grow according to the number of simulations and endpoints required by the company. Then we can talk about SafeBreach. This has a specific quality compared to the rest of its competitors, and that is that you have to install a virtual environment on the victim machine, on the machine that was chosen for the simulation.
This allows the reports to be a little more detailed and realistic, and fortunately it allows deployment in the cloud and on-premise. We also have that, unlike the previous one, unlike AttackIQ, this allows both NDR and EDR, and it also allows testing the network; this is a quality that very few of these tools have. This is based on the fact that it has packet replay to be able to analyze this. Unfortunately, this also has basic remediations for its analysis and only focuses on security protocols for EDR systems. A little bit of its history. It has been 5 years, more than 5 years with its database, collecting information on attacks to provide more specialized support to the companies that hire it. And
we have an initial price of $70,000 for 3 endpoints and $5,000 additional per endpoint. Although this can increase according to the number of simulations that are required or if more endpoints are needed, there are different types of packages that can be found on its platform. Now we are going to talk about Cymulate. This has an advantage: it works as soon as you install it, the simulations are running in a matter of minutes. We have that it supports agentless attack simulation; this means that it does not require an agent. Agent is a term that I will explain later; an agent is the code that is injected into the victim machine to perform the different tests. In this
case, it allows simulations without an agent, which is a great advantage that its competitors do not have, since these do require an agent to perform their simulations. This allows simulations in both EDR and NDR, apart from email, and it can test WAFs. Its remediations are considered basic with respect to its competitors, for the same reason: they only have recommendations and remediations for EDR systems. Then we talk about threat intelligence; it was founded in 2016 and for its database they are constantly collecting and updating their information. So its users will always have a database updated almost every day. Its initial price is from $40,000, although as always it can scale according to the
number of simulations and endpoints that are needed. Then we are going to talk about Picus. This one does have a defect, and that is that to work it requires a heavy installation in its virtual environment that can take from 5 hours onwards. But once installed, its use and deployment is quite easy. It even provides immediate remediations. It also offers both EDR and NDR, but its main defect is that it only handles agents that communicate through HTTP. Unlike the rest, there are agents that communicate through TCP, even through Python. Its remediation is quite similar to its competitors, such as Threat Simulator, because it is based on third-party data. A little bit of its history: its main site is in Turkey, although it is
completely unknown, but it is in charge of updating its database constantly. Its initial price is about $50,000 for two endpoints, although this price can increase according to what is needed, according to the endpoints or according to the number of simulations.
And now the two that we decided to analyze more exhaustively, which we are going to explain a little later, but we are going to focus on the same first five points. To begin with, we have Threat Simulator. This operates in a different way from the rest, since it is managed as a service, whereas, comparing it with the rest, the rest do require a virtual system implemented as a server. This is based directly on the main server. It also handles NDR and EDR scenarios and also allows email simulations. It guarantees very efficient recommendations and remediations for the vulnerabilities found. Unlike the rest, which only handle EDR remediations, this one also handles recommendations and remediations for NDR.
We have an initial price of $60,000 per year for five agents, although it can increase, like the rest, due to what is needed in the company, whether more endpoints, more agents, or more simulations. Then we proceed to the last one, Caldera. To clarify, the first five simulate attacks, while Caldera emulates attacks. It is a concept that will be explained later by my colleagues. So, let's talk about Caldera. Does anyone know Caldera? Like the rest, Caldera is a BAS platform, but unlike the rest, it is open source. It was created by MITRE, but its database is constantly updated by the community. It lets us do adversary simulations, but unlike its competitors, it allows us to
carry out both Red Team simulations, that is, pentester, and Blue Team for certain occasions. We have feedback with recommendations to remediate the different vulnerabilities found, and it is constantly updated thanks to the community. It was created by MITRE and as it is open source it has no cost and can be installed in almost any virtual environment. Well, with this idea we decided to define 10 criteria, as the professor and my colleague had already mentioned. So, I'm going to mention the first criterion, which is the method used for the connection between the platform and the machines on which the test is performed: whether it is a software agent, as my colleague explained, or if it can be connected from
virtual machines connected to the network, or if it uses a different type of connection. So, well, in the second criterion we define whether the platform emulates or simulates the campaigns or the tests. The difference between these two is that emulating is basically trying to replicate what a real person, a real attacker, would do. If I try an attack and it worked for me, I go on with the next step. If not, I pass and try another method. Simulating is basically going straight to the point: I know what the vulnerability is that I have to exploit, and I go straight to it. As my colleague has already mentioned, most platforms simulate, they don't emulate. In the third criterion we decided to check if the platforms generate multi-step
attacks or a single-step attack, as it is linked to the previous criterion, as I mentioned. So, basically, multiple steps would be to execute one tactic, pass to the next, and so on. The other is simply to attack with a single tactic and stop there. In the fourth criterion we evaluate whether the platform can generate multiple attacks at the same time on different devices. In the fifth criterion, we check if the platform implements the tactics, techniques and procedures table. We will see it later; I want to talk about it later with the results of the comparisons. And in the sixth criterion, what types of attacks does the platform support? Whether it simply does an
internal review, simple, or it can also do network attacks, attacks on specific operating systems, or it can generate phishing, email attacks, port looting, etc. In the seventh criterion, we review which devices the platform supports, I mean, if it can do attacks on routers, if it can handle switches, servers, personal computers. We even had a sub-criterion that was Android devices, but we didn't focus on that. In the eighth criterion we have the quality of the report. This is, I think, one of the most important criteria we have, because I have a platform that automates everything. If it gives me a lot of data that is not summarized, I will not understand it quickly. So, in this one we check if it gives me suggestions, how it did the attacks,
why it happened and why it did not happen. In the ninth criterion, we check the metrics that the platform uses to determine the vulnerability level. In these, we check if the platform uses the criteria of CVE, CVSS, or VPR, or uses its own criterion. We will see this later in the results of the comparison of the two platforms that we already mentioned. And finally, the tenth criterion is the attack cycle: whether the whole Cyber Kill Chain is implemented or not. First of all, we are going to show the results obtained from the comparison of Caldera and Keysight. In the first one, Caldera can be installed in virtual machines, but always with a software agent, which is basically a piece of code for this case, which Caldera itself provides; you connect
it and that's it. In Keysight we have the same thing; the difference is that in Keysight you download a program, you install it, and from there you connect to the cloud, which is where you will generate the attacks. Basically the platform is not installed, it's just the piece for the connection. As my partner mentioned, Caldera emulates and Keysight basically simulates. Both have multiple steps to perform the attacks. Caldera, as it is from MITRE, follows the whole table. Keysight too, but they also implement their own attack vectors. Caldera can only make one attack at a time per platform. If I install the platform on a computer A, I can only attack a single computer B. I have to have two Calderas running at the same time
to execute more attacks. The difference is that in Keysight, all agents can... For example, if I have a maximum of 100 agents, I can perform 100 attacks at the same time without having to have several Keysight platforms open. Both implement the entire MITRE table, as I already mentioned; the difference is the depth. Keysight doesn't implement all the tactics that MITRE provides, but in the tactics they do implement, as we'll see later in a demo, it's always quite rigorous. In the attacks they support, both compete with each other; however, Caldera does network attacks, operating systems, and even cloud. Keysight does the same, but it also has the plus of doing email attacks. And
in the devices they support, in both cases they are the same, which are network, servers, and personal computers. In the quality of the report, although both generate the same data, Keysight has more detail at the report level. That is, both tell you: "We have this vulnerability and I got through here." The difference is that Keysight tells you how you can remediate it. On the other hand, Caldera uses MITRE's own metrics. Keysight also uses its own judgment. We'll see it in the demo report. And both implement the Cyber Kill Chain.
Well, now we are going to talk in depth about both tools. We are going to start first with Caldera. So, what is Caldera? I repeat, it is an open source breach and attack simulation tool created by Mitre. We have to allow organizations to do simulation of attacks in order to be prevented from any possible threat. Its main objective was to find vulnerabilities and security gaps that were presented on any device. It's basically handled by Mitre metrics, although it's currently updated with the database of the cybersecurity community. It can be downloaded from the official Caldera website or simply clone the Caldera official repository and in two steps the requirements are installed and it is deployed at Serpior and it would be working. Let's
talk a little bit more about how Caldera would work. As I mentioned at the beginning, all these tools use a system called agents. What is an agent? It's a code that is deployed in a victim machine to do the different tests. Caldera has three types of agents. We have the SANCAT, which is the name they decided to give it. It is managed by HTTPS and HTTP medium connection. We have Ragdoll, which has Python connections, and we have Manx, which has TCP connections. Not all of them allow you to manage all the operating systems. For example, we have that Sandcat allows both Linux, Windows and Mac. While Ragdoll only allows Linux and Mac, or Emax, it also allows both. How
does it work? We choose the agent we want to deploy, and Caldera will show us different options of the agent we want. So we have the basic one, which I'm going to show you a little more in the video how it works, and other different ones, depending on what you want. For example, if you want to change the name, or if you want to have it as background processes. So, depending on what you need, choose the deployment you need. One advantage that Caldera has with respect to the rest of the tools is that Caldera allows you to do simulations from the Blue Team side. Now we're going to talk about The abilities are the procedures that the agent will perform. Here we can find basic commands like
"huami" or even bigger ones like the one that could be the simulation of an Eternal Blue attack. Here we have, in total, Caldera has more than 1700 abilities that are owned by the Caldera database, although the user can create his own abilities as he requires. We have adversaries, which is the collection of skills for the simulation. That is, the pen tester or the person who requires to do the simulation will create his own adversary or even use the adversaries by default, collecting the necessary skills for his test. It should be clarified that not all skills are used for all operating systems. Although originally Caldera handles skills for Windows, Linux and Mac, they can also be created
own abilities for systems in the cloud or mobile device systems, among others. Finally, as my colleague said, Caldera emulates the attacks and makes them one by one, that is, until it completes the procedure of an ability, it will not go to the next one. Here we can see more or less how it works, it would let us see the command from which the ability is handled and the respective output once the procedure is completed. Now we are going to show the video of how Caldera works. This is the interface Caldera itself. The first thing you do is go to people, choose profile, you can upload the quality to the video please. I think it's because of
the size of the screen. So, we have the interface of Caldera. The first thing you do is go to the agents tab and choose the agent you are going to deploy. We have Zancat, Max and the other one. In this case, we are going to deploy the agent Zancat and what you do is grab the basic one and all you have to do is grab the victim machine, even the machine from which you want to do the test, and inject the agent's code. It's just copy-paste and it's executed. Once executed, you will see that there is a live agent. If you want, you can pause for a moment. Here we can see the agent ID. It is an random ID, unless
you need or require to add a specific name. For that, there are all the different options to deploy the agent. We have the host; in this case, it is the machine. It was deployed in a Linux padlock. We have the group, which is the group it belongs to, that is, this agent belongs to a Red Team deployment, although if it were deployed for a Blue Team security system, there I would say Blue. The platform is Linux, since it is a security password. We have the contact, this is going to communicate through TCP, the PID, the user privilege. This is interesting since here it will let us see the privileges that it has. That
is, if you deploy it from root, it will be root, but if you deploy it from a normal user, because of the kind of test you want to do, it will tell you the user. In this case, it's just a normal user. We see that the status is that it is alive, and the last time it was used, that is, when it was deployed. Ready. The next thing you do is go to the abilities tab to see the abilities that you want to use. Then you go to the testing tab and you can choose between all the options that appear there. That is to do GitHub tests, but you can also create your own adversaries. We have the option to add an ability
to an already created adversary, or even combine two adversaries to do a test that is a little more extensive. In this case, these are the tools that are going to be analyzed.
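The custom abilities mentioned above are plain YAML files in Caldera's stockpile format. As an added example that is not from the talk, here is a minimal discovery ability that runs the whoami check shown later in the video, with its MITRE ATT&CK mapping and one executor per platform; the id is a constructed placeholder (Caldera expects a UUID), and the file location is the stockpile plugin's conventional layout.

```yaml
# Added example (not from the talk): a custom Caldera ability definition.
# Conventional location: plugins/stockpile/data/abilities/<tactic>/<id>.yml
# The id is a constructed placeholder; replace it with a freshly generated UUID.
- id: 00000000-1111-2222-3333-444444444444
  name: Identify active user
  description: >
    Reports the account the agent runs as. The output depends on how the
    agent was deployed (root vs. a normal user), which is exactly what the
    "user privilege" field on the agents tab shows.
  tactic: discovery
  technique:
    attack_id: T1033
    name: System Owner/User Discovery
  platforms:
    linux:
      sh:
        command: whoami
    darwin:
      sh:
        command: whoami
    windows:
      psh:
        command: whoami
```

Because every executor is a plain shell command run under the agent's own account, a Blue Team can validate detection coverage by checking that each command and its parent process appear in endpoint telemetry once the operation reports "success".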
And as you can see, here it allows you to see in which operating system you can deploy. In the video I decided to add a few more abilities. Once you have all the abilities added and all the adversaries that you need, we go to the operations tab, where we simply click on create new operation, we choose the name we want to give the operation, and the adversaries that are going to be used. You can even add obfuscators, but since it's a long process, I decided to do it without them. As you can see, the process starts running, the first added ability is run, and until it is in status success, it won't let
us see the output. But it will let us see the input. One advantage is that even if we see that we forgot to add a command, we can add it manually from this tab. Well, there you have to wait a moment because, as I told you, this takes its time. In this case we have to identify the active user; this is simply a whoami command. In the end what I did was cut the video; it took more than three hours to do all the necessary steps. There we can see the outputs given. Professor, if you want to pause for a moment. Here in View Command it lets us see the command executed, and the name lets us see what type of attack it was.
It shows all the systems, the output with its respective result, and the last thing you do is download the PDF report. In the PDF report you will find different things, such as the agent used, and we also have the topology of the attacks. This topology is created as the attacks are made. The tactics: the abilities are classified by tactics according to what you need. They are classified by discovery, collection, exfiltration, dictionary attacks, among others. The same for techniques, facts, graphics, the result; there are outputs that simply show the output, while there are others that offer the result in a picture. For example, if you have the /etc/passwd one, it will show us a picture with the passwords obtained. We have here each of these preview operations, the name
of the operation and its respective output, and the command that is run. Not all of them work at the moment; there are some that can present errors due to the privileges used by the

So, now we are going to move on to Keysight. Keysight, basically, as I mentioned, doesn't run on your own platform as such; you don't download it, you connect directly to the cloud. So, you buy the license, they give you the account, you connect, and then you download the agent to connect the machines on which you are going to do the test. One of the advantages is that this software agent allows all the machines that have it to attack each other. That is, the attack does not have to be directed
directly from one point to all the others, but they can all perform the attack between them. In the interface we can see that when you enter, the first thing you find is a Launchpad in which they implement several tactics and vulnerability tests that you can carry out, and a little information. They call the tests "scenarios". So, to create a scenario, basically you choose between... well, first you choose a filter, which is basically one of the sections that they name, in this case we're going to have "instrumentation"; you give it a name; in step two you basically choose the agent that is going to perform the test; in step three, in some cases, you can add or choose a port, if it is an attack specifically against
HTTP or HTTPS ports. And in step 4, the scenario is named. It should be noted that in step 3, a DNS of the Dark Cloud can also be activated, which I will explain later, which is Keysight's Dark Cloud. We can also see a summary of the tests that we have carried out. We can also see that it gives us a prevention score, in this case, 55. We can also generate multiple reports, such as the executive one, one for the scenario we are doing, or recommendations, one that is a little more personalized. We are going to show you the Keysight test.
As I mentioned, we find the Launchpad, which is basically campaigns that they propose. Quite simple: we can see that they have network, malware injection, we can see that they have email, the cyber kill chain. Quite simple, there are not many, but they always serve to give an idea of how the platform works. Then we go to the campaigns they propose, which are more based on real life. For example, here we can see a Pakistani APT. It also provides us with information on how it was done, and also a little bit about the specific vulnerabilities or the steps they take. And there we go to the MITRE table that I mentioned before. Here we can see that not all the ones that are on the MITRE page are implemented, but
all the tactics that they propose are. They also have their own assessments or their own scenarios, which can be carried out. As you can see here, there are several created by the user and by me, and most of them are created by themselves. Those are the ones that are used to perform the tests, because Keysight doesn't allow you to create your own code, so to speak. Everything you can create is within what they allow you to do, unlike Caldera; it fails in that aspect. Next, I'm going to generate an attack based on the MITRE table, in which we can see the techniques that are used, the tactics, and we can go deeper into the
procedures. Basically, we choose the... I'm going to generate one from here, from Initial Access. We can see that they are all random. I didn't choose them arbitrarily, I didn't specifically choose which one, precisely to see how far these tests they propose will take me, since I can't create my own ones from scratch. Well, here, as I show you, you can see more of the whole table. I choose brute force, etc. Here you can see the rest of the table, and the scenario is created. Basically, just like Caldera, the campaign or the assessment is named, it gives you a description, it tells you how many tactics you are implementing, the audits you are doing, in this case
98, and we execute them. I want to highlight that here Keysight is quite efficient when performing these tests. Keep in mind that I'm doing almost 100 tests, and it didn't take more than an hour to perform them. Once the scenario is created, we can see a little bit of the topology of the connection; we can see the dark cloud. The dark cloud is basically where Keysight or Threat Simulator is installed, and from here you can generate test attacks against the agent you are assigning. As I mentioned before, in step 1 we can see where we can section the test, the instrumentation, the name, the agent and the stage name. Here you can see what I was telling you about
DNS and Cloud, basically for... more related to the 9th, but in this case we are not going to do it because it is within the range that I am executing Keysight in. Once the test is executed, it provides us with a bit of information. The first thing is to show where the attack is going to be generated, in this case from the agent to the attack card, which can be a rail. We can see the total of two operations, because, as has already been mentioned, those are the tests that will happen. In this case it is a bit confusing, but the ones that passed means that the system was vulnerable. The ones that passed are the ones
where the system was vulnerable. Yes, we are going to report it. Exactly. Yes, a little further back. No, further back. Here, well, we are going to see the report. They generated a report of the scenario that we are going to see next. Of the ways to present it, we chose the case that we are doing here,
and it downloads, where the report is. Here we can see all the information about the process, the network topology, the score, the data from the past. It's quite complete in that aspect. Well, here the executive report is not shown, but this executive one looks a little more like the one that our partner showed in Caldera. And basically, with a little text in it, it tells you: "Well, I'm going to prevent this vulnerability in this way, or in this way." Quite simple. Those are, basically, the last reports.