Security

January 13, 2023

3 Minute Read

Introducing Attack Range v3.0

The Splunk Threat Research Team (STRT) is happy to release v3.0 of the Splunk Attack Range.

Splunk Attack Range is an open source project that allows security teams to spin up a detection development environment to emulate adversary behavior and use the generated telemetry data to build detections in Splunk. This blog highlights the new features introduced in version 3.0 to help build resilient, high-quality detections.

Splunk Attack Range

The Splunk Attack Range provides the following capabilities for detection engineering:

The user is able to quickly build a small lab infrastructure as close as possible to a production environment.
The Attack Range performs attack simulation using different engines, such as Atomic Red Team or Prelude Operator, in order to generate real attack data.
It integrates seamlessly into any Continuous Integration / Continuous Delivery (CI/CD) pipeline to automate the detection rule testing process.

What’s New?

Optimized Build Process

We optimized the build time of Attack Range from 30 minutes to 5 minutes by using pre-built images which were generated with the tool Packer. Packer standardizes and automates the process of building Golden images which are templates for virtual machines. Previously, building an Attack Range with a Splunk Server and a Windows Server took around 30 minutes every time. By introducing Packer to pre-build images, the build time of Attack Range is reduced to 5 minutes or less. Generating the pre-built images takes around 20 minutes per server, which only needs to be performed once. Afterwards, you can build Attack Ranges within 5 minutes.

Apache Guacamole

Based on your feedback, we learned that the Attack Range is often used in training and workshops in which the trainer prepared the Attack Ranges for their students. Providing Attack Range access to students was difficult. This is now simplified by integrating Apache Guacamole into the Attack Range. Apache Guacamole is a clientless remote desktop application which is installed on the Splunk Server. It supports standard protocols such as SSH and RDP. During the Attack Range build, Apache Guacamole is installed and completely configured. You can access Apache Guacamole on port 8080 and use the Attack Range password to log in. Subsequently, you can access the windows server over RDP or the other servers with SSH using the browser.

EDR Support

During detection, engineering teams want to know if a specific attack technique is detected by a certain Endpoint Detection and Response (EDR) product. In order to easily answer this question, we integrated Crowdstrike Falcon and VMware Carbon Black Cloud into the Attack Range. You will need a subscription for these products in order to integrate them into the Attack Range. By specifying some configuration parameters in Attack Range, you can automatically install the agent on the Windows Server and onboard the logs into the Splunk Server.

Attack Range Local Integrated into Attack Range

Previously, we decided to split Attack Range Local into its own GitHub project. Attack Range Local builds an Attack Range on either Virtualbox or VMware Fusion installed on your computer. It leverages Vagrant and Ansible to build and configure it.

We received a lot of customer feedback that Attack Range Local is very important. Therefore, we decided to integrate the Attack Range Local into Attack Range with all its features. By setting the cloud_provider to local in attack_range.yml, you can build an Attack Range on your local workstation or server.

Attack Range Cloud Integrated into Attack Range

Attack Range Cloud can be used to develop detections for AWS and Azure. It automatically onboards the logs from the cloud providers. We integrated these features into the Attack Range.

Atomic Red Team supports the execution of cloud atomics, which allows it to execute attacks against a cloud environment. The execution of cloud atomics in Atomic Red Team and the automated onboarding of cloud logs makes the Attack Range a perfect environment for developing cloud detections. By integrating all these features into one project, the Attack Range can be used to build endpoint, network and cloud detections.

Get Started with Attack Range 3.0

In this release, we improved the documentation and created an own documentation website which helps you to get started with Attack Range.The preferred installation method is using a docker container and you can run it on Mac, Windows or Linux.

By leveraging pre-built images with Packer, the time needed to build an Attack Range is reduced tremendously. Building the Attack Range, simulating an attack and destroying the Attack Range can be performed within 15 minutes. This allows us in the future to use the Attack Range in an automated way to generate attack data.

Please let us know what features you want to see added to the Attack Range by opening an issue in the Attack Range Github project with a feature request.

Splunk Threat Research Team

The Splunk Threat Research Team is an active part of a customer’s overall defense strategy by enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond against the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.

Q&A Follow-Up: How Datev uses MITRE ATT&CK & Splunk in its SOC

Following our webinar with Datev on how they use MITRE ATT&CK & Splunk in its SOC, we compiled all of the questions left unanswered in this blog post. Read all of it here,

Security 5 Min Read

Staff Picks for Splunk Security Reading November 2019

These monthly postings will feature the favorite security-centric presentations, white papers and customer case studies from various peeps in the Splunk (or not) security world that WE think everyone should read. If you would like to read other months, please take a peek at previous posts in the "Staff Picks" series!

Security 7 Min Read

Approaching Linux Post-Exploitation with Splunk Attack Range

An introduction to linux post exploitation simulation and threat detection using Splunk Attack Range and linux Sysmon.

About Splunk

The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.

Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.

Learn more about Splunk