System Administration

Security Incidents In A Box – DumpsterFire Toolset

The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled “live fire” range events. Build event sequences (“narratives”) to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

The toolset is designed to be dynamically extensible, allowing you to create your own Fires (event modules) to add to the included collection of toolset Fires. Just write your own Fire module and drop it into the FireModules directory. The DumpsterFire toolset will auto-detect your custom Fires at startup and make them available for use.

 

Why

Red Teams and Blue Teams are typically overextended. What’s missing is a way to scale each team’s capabilities, providing more effective Red Team activity, and more realistic (and helpful) Blue Team / Purple Team exercises. Automation to the rescue! The DumpsterFire Toolset is a cross-platform menu-driven solution that allows you to easily create custom security incidents by combining modular, chained events into a consistent narrative. Those collection of events (DumpsterFires) can then be executed as time-delayed, automated processes. (They can also be triggered immediately, of course.)

The result? While you’re in a meeting or out enjoying life, your DumpsterFire is waiting for its date-time trigger to activate. On a Red Team engagement, while you’re busy exploiting that exposed service on a forgotten B2B server, your cloned & time-sychronized DumpsterFires are busy lighting up the target organization’s SIEM on a far-away subnet, distracting their response team. Blue Teamers can turn table-top paper exercises into “live fire” range events, with controlled, pre-approved DumpsterFire event chains to trigger sensors and alerts, and train your analysts using their actual operational environment. Purple Team operations can now execute methodical, repeatable event chains to consistently map out their sensor and alerting posture. You can generate novel scenarios to test and train your teams, getting ahead of the threat space to be prepared for security contingencies.

Ever wondered how your Blue Team would respond to Mirai bot activity on your internal network? Now you can find out! (Don’t worry, the Mirai bot Fire module doesn’t pivot, but it does use the same usernames & passwords to brute-force telnet sessions across the target network.)

Don’t have a Red Team but wish you had an easy way to run controlled, repeatable, customized drills against all of your SOC shift teams? Done!

Wish you could support a Red Team engagement against a remote team that’s 7 timezones away, without waking up at 3:00am? Hit that snooze button!

Ever wanted to simultaneously rickroll all of your opponents’ systems during your annual cyberwarfare exercise? “Never gonna let you down!”

 

Overview

The DumpsterFire toolset workflow is designed to be user-friendly and robust. Everything can be done from within the menu-driven dumpsterFireFactory.py script. Launch the script and the tool will guide you as you go. You can start by browsing the existing Fire modules and saved DumpsterFires. When you’re ready to create your own DumpsterFires, the tool will lead through the workflow to get the job done. Finally it will be time to ignite your DumpsterFire. After selecting the DumpsterFire of your choice, you’ll review the DumpsterFire’s Fire modules and settings. If everything looks good, light it up!

When you’re building a DumpsterFire, after you’ve chosen all of the Fire modules you wish to include, the tool will loop through the list of Fires. If a Fire has options for custom settings, the tool will call that Fire’s Configure() method to present you with prompts for its settings (e.g. a target network’s IP address).

Once all of the Fires have been configured, you’ll then be given the option to assign individual time delays to your Fires. This allows the DumpsterFire to better mimic real operations when executing its chain of events. For example, the first Fire may visit various hacking Websites, the next Fire then downloads a few common hacking tools before launching the third Fire which starts scanning the local network. If this all happened within seconds of each other, no SOC analyst is going to believe it was a human. By adding several minutes or even hours between those events, you create a more realistic chain of events.

After all of the Fires have been configured and optional individual Fire delays assigned, you’ll be asked to name your DumpsterFire. Do not use spaces or odd special characterse, just stick to letters, numbers, underscores, and hyphens.

Voila! You have now created your first DumpsterFire. Time to light one up!

When you’re ready to ignite a DumpsterFire, the tool will first show you the DumpsterFire’s settings. If everything looks good, you’ll be asked if you want to assign a date-time delay before igniting. All date-time processing is done in UTC to ensure consistent execution regardless of your DumpsterFire’s location of execution. Otherwise you can decline the date-time delay and execution will begin immediately after you give final confirmation.

As the DumpsterFire executes, you’ll be given regular date-time stamped feedback on each Fire’s status and critical events. This not only helps you track progress, but also provides a chronological record of your DumpsterFire’s activities – critical in coordinating and deconflicting your events from the general background noise that floods every SOC. You can also hand over the chronological record to your external clients after your operations are complete, as a value-added record of your activites that they can use to review their sensor and alert settings. All with no extra effort on your part.

 

Files & Directories

dumpsterFireFactory.py – Menu-driven tool for creating, configuring, scheduling, and executing DumpsterFires

FireModules/ – Directory that contains subdirectories of Fires, each subdirectory is a specific Category of Fires to keep your Fire modules organized. Fires are added to a DumpsterFire to create a chain of events and actions.

DumpsterFires/ – Directory containing your collection of DumpsterFires

igniteDumpsterFire.py – Headless script, invoked at command line with the filename of the DumpsterFire you wish to execute. Useful for igniting distributed DumpsterFires.

testFireModule.py – Utility script for unit testing the Class methods of your custom Fire modules, without the hassle of running through the entire DumpsterFire Factory process to debug. Also useful for running a single Fire to check your settings. testFireModule.py will prompt you for configuration settings were applicable.

__init__.py files – Required to make Python treat directories as containing Python packages, allows DumpsterFire toolset to find and load Fire modules.

 

Requirements

Python 2.7.x

 

Run DumpsterFire Factory

$ ./dumpsterFireFactory.py

Download DumpsterFire

About the author

Icarus

Add Comment

Click here to post a comment

Leave a Reply

Advertisement

%d bloggers like this:
000webhost logo