Encripto has released the Blue Team Training Toolkit (BT3). Until the past decade, common threats against computer systems could be stopped by anti-virus software and firewalls. Nowadays, these two countermeasures can be easily bypassed by attackers, and they just offer a basic degree of protection. Moreover, IT personnel are required to have specialized skills within computer network defense analysis and incident response in order to detect, analyze and react effectively to computer threats.
Computer network defense analysis is a broad topic and skills can be acquired with different methods. Common training techniques are based on studying network traffic that could be either live or previously captured.
In any of these situations, the production and acquisition of network traffic requires an attack scenario with supporting infrastructure. The goal is to successfully monitor the network traffic while the attack is in progress. The result allows a blue team to improve their skills, test the detection tools deployed as part of an organization’s IT infrastructure, and ultimately exercise their incident response plan.
Currently, the possibilities for training and improving in these disciplines have important constraints.
What is Blue Team Training Toolkit (BT3)?
Blue Team Training Toolkit (BT3) is an attempt to introduce improvements in current computer network defense analysis training. Based on adversary replication techniques, and with reusability in mind, BT3 allows individuals and organizations to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk.
Blue Team Training Toolkit (BT3) is written in Python, and it follows an open source FreeBSD license.
The most important features of BT3 include:
- Adversary replication and malware simulation
BT3 includes the latest version of Encripto’s Maligno. This module is designed with a client-server architecture, and it allows blue teams to simulate malware infections or targeted attacks with specific C&C communications in a safe manner. BT3 is also shipped with multiple malware communication profiles that ensure a “plug & play” experience, when planning and preparing a training session. Furthermore, malware profiles can be developed easily, something that contributes to lower preparation costs and better cooperation.
- Network traffic manipulation and replay
BT3 includes Encripto’s Pcapteller, a module designed for traffic manipulation and replay. Pcapteller can customize and replay network traffic stored in PCAP files. This allows blue teams not only to re-create scenarios where computer attacks or malware infections occurred, but also make it look like everything is really happening in their own network.
- Ease of use and flat learning curve
Information security tools usually implement their own options, syntax and commands. Mastering a tool can therefore take some time. To ensure usability from the first moment, and not waste lots of valuable time, BT3 uses an interactive command-line interface inspired by Rapid7’s Metasploit Framework (MSF). Since MSF is a tool well-known by information security professionals, it makes sense to provide some degree of familiarity. This means that learning how to use BT3 should take a minimum effort, and most blue teams will be able to focus on their training session, rather than figuring out how to use a new tool.
- Blue team cooperation and network traffic reusability
On one hand, BT3 can contribute with flexible malware communication profiles that can be exchanged or distributed among organizations. Also, it helps blue teams train with a high degree of realism, without the need of using real malware. This is a key area that solves the “Risk versus Realism” dilemma. On the other hand, BT3 offers a platform that improves efficiency, by reducing preparation time and infrastructure costs. The ability to customize captured network traffic can allow organizations to reuse and exchange PCAP files, while keeping a decent degree of realism. This reusability also ensures a better Return On Investment, since the network traffic of a training session can be customized and reused without setting up the whole original attack scenario. This addresses the “Efficiency versus Realism” dilemma.
Despite BT3 aims for blue teams, it could also become a powerful resource for red teams. In such context, BT3 module could assist with the creation of a decoy or a diversion during an engagement.
Let’s consider advanced security assessments that result in access to the target’s internal network. Such access could be obtained in multiple ways, for example by using social engineering against employees, compromising weak internet-facing systems, or just as starting point if the engagement assumes compromise.
In environments with tight network countermeasures and a (proactive) blue team in place, red teams must measure their movements across the target network, in order to fly under the radar.
Occasionally, red teams may perform actions in the network that could draw a blue team’s attention. Using BT3 in combination with VPN pivoting, red teams could create a network diversion. In other words, this could make a blue team see ghosts, letting a red team hide in plain sight.
Who Should Use Blue Team Training Toolkit (BT3)?
Blue Team Training Toolkit has been designed for computer network defense analysis training, and it could be used by public and private organizations, as well as training institutions such as universities.
In addition, BT3 could assist red teams during specific scenarios that may occur during the course of a security engagement.