It is crazy to think it’s been a year since we launched our Atomic Red Team project! This has been a really fun project to be a part of—and there’s plenty more to come. In honor of the one-year anniversary, we wanted to share a look back at some of our favorite memories and milestones, lessons learned since the launch, and a preview of what’s ahead.
Looking Back: Memories & Milestones
At DerbyCon 2017, Keith McCammon and I gave a talk on testing called “Blue Team Keeping Tempo With Offense.” The talk alluded to the project, though it was not yet complete then.
Michael Haag and I would debut the project at the Carbon Black User Exchange later in October 2017. We announced it on Twitter after the event and saw a great response from the community.
Excited to release our test cases based on @MITREattack. Small and highly portable detection tests: https://t.co/OP8d7Ct6s4
— Red Canary (@redcanaryco) October 11, 2017
Genesis
The genesis behind this project was Michael Haag’s desire to conduct automated adversary simulation and make testing more effective and approachable for all security teams. We also wanted to also create a set of tools and scripts that allowed customers to test Red Canary and our platform. Mike originally pitched the project as “Charlie,” in a nod to the mythical creature.
One of the early talks that inspired us to create this project was the talk at Brucon 2016, by Chris Nickerson and Chris Gates. The concept was to have a way to write specific tests for the techniques ATT&CK described and to demystify the way the attacks are accomplished.
Guiding Principles
There were and are a couple guiding principles for Atomic Red Team.
1: Testing coverage is fundamental to improving outcomes.
We all believed that security teams need an approachable, affordable way to test a product’s performance in an industry that can be full of hype around “magical, mystical” new products.
2: Tests should be easy to use and understand.
Near to our hearts are the small security teams that just need a quick way to test some of the techniques. Even when we did the conversion to YAML (more on this later), we generated docs that preserved the quick “one liner” style tests.
3: Defenders need to keep learning how adversaries are operating.
Attacks can be studied and replicated. We wanted a way to put a technique under the microscope and understand what artifacts and telemetry were generated.
Community Engagement…Thank You All!
One of the most surprising (and exciting) aspects of this project has been the great conversations and contributions from the community. We now have a Slack Channel and several community contributions on GitHub.
We’ve had the privilege to share Atomic Red Team presentations at a number of events across the country, from ShmooCon and DerbyCon to BSides Charm, Knoxville, and Asheville.
Each time, it’s been thrilling to see teams embrace the concepts and make them their own.
Support from other security teams and media partners has helped Atomic Red Team reach a broader audience. We’ve had an opportunity to talk about the project with the crew at Security Weekly, local media outlets like Colorado = Security, and had some great shout-outs from Dave Herrald and the awesome crew at Splunk.
Last but certainly not least, we can’t say enough to express our gratitude and appreciation to the MITRE ATT&CK team, who have given us a great foundation to build on. Without their support and ongoing collaboration, this project would not have been a success.
Bottom line: defense is a community effort. We are thankful to those who have contributed…and need your help to keep improving! We know Atomic Red Team has gaps and are always open to ideas, contributions, and feedback on how we are doing.
Join us in Slack with your thoughts and ideas!
Major Milestones
- Initial Release, October 2017: The initial release had about 75 tests.
- YAML Conversion, Early to Mid 2018: The conversion allowed us to facilitate automation and still preserve the one-liners. A key part of this transition was using our CI/CD pipeline to automatically generate the Markdown docs we all know and love based on the YAML files.
- Execution Frameworks, Summer 2018: Added PowerShell and Python Execution tooling
Marketing Uplift
All along the way, we had the support of our marketing team. They have done an amazing job helping us transform our idea into actual events. From helping with blogs and resources to hosting webinars and trainings, we owe a large part of the success of the project to the creativity and innovation of our marketing team.
We thought our fans might like to peek into the vault to see some of the fun ideas and artwork behind the scenes…
Thank you to Brianne, Suzanne, Fox, Milan, Kelly, and Keya! And anyone else I may have missed 🙂
Be sure to contribute to the GitHub project to get some of the cool gear they created!
Lessons Learned
Casey: First, having an execution harness is really important. We should have attempted to add this earlier. But we now have a couple examples in Python and PowerShell, which is great.
I think I would have tried to better communicate that I don’t see Atomic Red Team as a competing project in any way. There are many variations of frameworks, from ours to Endgame RTA to paid solutions. Pick one that works for you.
Atomic tests are good, but don’t stop there. Tests need to be manipulated, altered, and run in chains to get the full effect of an adversary. Start with Atomic, then start expanding to more adaptive tests.
Mike: Looking back, I would have loved to have adopted Roberto Rodriguez’s spreadsheet a lot more and completely integrated it to project. I believe measuring is still one of the most important parts of the project in understanding your security posture.
As Casey said, there are a lot of options for adversary simulation. Take advantage of them! We can all learn from each other to keep improving.
Looking Ahead
Casey: I would like to extend tests beyond just “popping calc” and printing messages. We need to be a bit more “aggressive.” We started some of this when Mike and I created the chain reactions; however, moving forward this is an area where I think we can expand and improve.
Mike: The future of Atomic Red Team to me is more community involvement in regards to what everyone is seeing in the wild. Whether added to Atomic or not, create an issue for it to be added. Additionally, I’d like to focus some more of the project on the Command and Control Tactic.
Extending the Atomic Community
Tony: Being able to participate in this project has been an awesome experience for me because I get to contribute techniques I encounter daily from adversaries in the wild toward improving the security of someone who hasn’t encountered that particular brand of evil.
Something I’ve learned from this process is that people tend to view vendor-sponsored projects like Atomic Red Team as something to only test one corner of security that the vendor covers. We’ve taken great leaps to include tests that aren’t easily detected in endpoint data and others that can be detected using network controls like proxies or firewalls. This project isn’t just a vendor-sponsored safari to show off our service; it’s a heartfelt effort to improve security no matter what controls you use.
Closing Thoughts
I’m extremely grateful to everyone involved in Atomic Red Team who is making it possible for every security team to test their defenses. This is all possible because of my team at Red Canary, the community, and the MITRE ATT&CK team. I want to say a big thank you to everyone!
Atomic Red Team has already allowed hundreds of teams to quickly and easily learn about and test adversary techniques. Here’s to another Atomic Year!