Hi everyone, today I'm excited to present an executive-level summary of MITRE Caldera, along with a high-level demonstration of its capabilities in executing adversary playbooks automatically. This session is designed to talk about the core benefits of Caldera and showcase its simplicity and power in automating these adversary simulations, without diving too deeply into the technical intricacies of the tool.

So let's begin with a broad overview of why Caldera might be of interest to you. It is a tool that was developed by MITRE that enables the automatic execution of realistic adversary activities on your network in order to assess your ability to protect, detect and respond to those threats. So you can think of it as an automated offensive security assessment. It has built-in playbooks, but you can also easily create custom playbooks that are tailored to your environment, and then after the execution of that playbook is complete you can review the results and make the necessary changes to your defensive architecture to enhance your overall security posture. The tool runs with minimal hardware requirements, it offers fully dynamic operations and, maybe best of all, it is completely open source and completely free, accessible to anybody on GitHub.

So let's talk about some of Caldera's core use cases. One of the main use cases that we see with Caldera is the development and testing of defensive detections and analytics. By running an adversary playbook you can observe which alerts are triggered and what logs are generated, and that then allows you to create analytics that can automatically detect and respond to these activities. Additionally, Caldera is valuable for evaluating the effectiveness of the defensive products and tools that exist within your ecosystem. It allows you to validate that your existing tool set is configured correctly and functioning as expected, because a lot of the time these tools are set up without any verification process to determine if they will actually fire off against the threat that you think they will fire off against, and that ends up burning you in the long run because you thought that you were protected against this attack when you really weren't. So Caldera helps you to ensure that your defenses are robust and reliable. Additionally, it also aids in the assessment of potential tools that you are considering for your environment. So whether you have an open source solution that you're looking at, or maybe a free trial version of a tool from a vendor, you can put these tools through the wringer with Caldera before you actually decide whether or not you want to add them to your security stack.

Another significant use case with Caldera is training for both the blue and red team. Red team members might study the adversary playbooks within Caldera, review the abilities, and get an understanding of existing attack chains that adversaries are performing, but then they can also challenge themselves by creating their own playbooks to test their effectiveness against their intended targets. And then on the blue side we'll often see teams execute Caldera playbooks and then task their blue team with conducting a postmortem analysis to determine what actually happened during that attack. Now, there are also some additional benefits, like prototyping new research ideas. So for example, after a lot of research went into operational technology, we determined that Caldera would be a great tool for also emulating OT attacks alongside our fleet of IT-based attacks. And then you'll also see Caldera set up in a lot of cyber ranges. This lets other people get their hands on the tool and start performing their own assessments and their own types of analysis against different infrastructure.

Now let's discuss why Caldera is a compelling choice compared to a manual hands-on-keyboard assessment. First and foremost, as we all probably know, adversary emulation and red team operations are very costly, and they are also very time-consuming. By the time you actually conclude negotiating your contract, scoping the work, conducting the assessment, writing the report, making the enhancements to your defensive tool set and then performing the remediation testing, you might have already gotten breached. The results of these manual assessments will also vary based on the expertise of the personnel involved in them, and once the assessment is complete you'll need to either be able to replicate the assessor's actions to verify that your remediation is working correctly, or you'll have to incur the additional cost for further remediation testing. And then the design phase also contributes to that overall cost and time investment: if you plan on doing extensive cyber threat intelligence research before executing your plan, that's going to add more cost and more time.

So Caldera addresses these challenges by reducing the cost of running these exercises. Once again, this tool is completely free, but it also helps to make this less time intensive. With the pre-made plans, they can be executed automatically; you no longer need to worry about someone sitting behind the keyboard typing in all these commands manually. You also no longer need to worry about the capabilities of the team that you hire, because you will be relying on the threat-informed attacks that are currently within Caldera to be accurate. Remediation testing also becomes as simple as just hitting a button: you just execute the exact same playbook that you ran, and then you can make sure that the exact same test is running to check if your remediations are working as you planned them to. And then again with the designs, they can all be edited, they can all be saved, reused and shared however you see fit.

Now, before we continue, I do want to emphasize that I'm not suggesting that you eliminate third-party contracts for these exercises. Engaging with these external experts offers significant benefits, and for many it is a regulatory requirement anyway. What I am saying is that Caldera can serve as an excellent supplement to these tests, especially if budget constraints prevent you from doing red team engagements as frequently as you would like to. You also get the benefit with Caldera that it provides full transparency into every step that's executed on your network. Every attack gets logged, and so that would eliminate any concern about the red team's ability to recall every single command that they executed on your network, and it makes remediation testing much easier.

So if you are interested in learning more about Caldera, this slide includes our contact information and also some additional resources, such as our website. It includes the GitHub repository that you can go to right now and download Caldera 100% free. It also includes the full documentation on how Caldera works and also our blog. So with all this being said, let's go ahead and dive into the demo.

All right, welcome to the demo portion of this presentation. Like I mentioned early on, this is going to be a very high-level overview of Caldera. This is not meant to go into any of the technical details of how Caldera works; we're going to try to avoid going into any Caldera-specific terminology. This is just a high-level overview of what it looks like, what it looks like when it runs, some of the output that you can play around with, and maybe give you an idea of how this could be useful to you and your organization. If you want a more technical breakdown of Caldera and some more details about the plugins and things like that, there will be more videos for that, but this is just going to be very high level.

When you first log into Caldera you're going to be brought to this dashboard. We won't spend too much time here; we're going to go directly into the Agents tab. Now, the only thing that you need to understand about agents is that these are what run on our victim hosts and give us control over them. So in this case we have this single agent, kfnw, and it's currently running on a Linux host right now, and because of that we can launch commands against this Linux host. It could be Windows, Linux, Darwin, it doesn't matter, but in this case we just have this one single agent running on one single Linux host.

So what are the actual things that we can do against this host? Well, we'll go into the Abilities tab here, and abilities are just the attacks and the commands that you can run against that victim host that we have control over. By default Caldera has almost 1,800 of them. You can actually expand this number if you install some of the Caldera plugins, those are also completely free, but just by default you'll have 1,800 abilities to launch on your victim host. You can also categorize these and sort them in different ways, and you can create your own abilities, but we won't go too much into that in this video. It is a very simple process to create your own abilities; it's just a GUI window that you fill in. It's cool that we can run these one-off abilities and we have all these built-in commands, but that's not exactly the purpose of Caldera. The purpose of Caldera is to automate these attack chains, and so I'm going to bring you to the Adversaries tab here. Adversaries are just a collection of those abilities that are put into a logical order that, when run in that order, will kind of give you the idea of an attack chain that an attacker might actually carry out on your network. I actually built one for this demo called "demo adversary", and again, all this is is five of the abilities that we just looked at, five of the 1,800 abilities, put into a logical order that when run will complete a task. In this case the task is exfiltrating data from that victim host: we're going to create a folder, we're going to find files, we're going to put the files in that folder that we created in step one, we're going to zip that folder up, and then we're going to exfiltrate it back to us, back to our Caldera server, where we can look at that data. Now, you can create your own adversaries as well, but we're not going to get into that. You can also add abilities to this if you'd like to create an adversary from scratch using the abilities, but again, that is out of scope for this video.

But I do want to show you now: we have this demo adversary here that we made, so how do we actually go ahead and run it? Well, we'll go to this Operations tab right here. The Operations tab is how you actually run these adversaries. We're going to press New Operation, I'm going to name it "demo", I'm going to choose the demo adversary that I just showed you, and I'm going to press Start. Now you get to this view right here. This view is not super helpful for us right now because we only have one host running; if you had multiple agents running on multiple hosts this would kind of graph out a network topology for you, but we're not interested in that right now because we only have one agent running on one host, so we're going to get rid of this for now. What you see happening right now is Caldera running in real time, and it's executing those steps that I showed you in the adversary profile: creating the staging directory, finding the files, moving those files into the staging directory. This is moving very quickly; that's just for the purpose of this demo, I have the agent set to run these commands very quickly. In a real scenario this would maybe be much slower, you might want to take your time when you're running these commands, but just for the purpose of this demonstration I have it running very quickly. You can change that if you need to. Now within this view right here we see that we're running these commands. You can see the actual command that's being run on the victim host, you can see the output, you can see whether it was successful or if it failed. In this case everything is successful, and so it automatically executed all of those steps with the click of a button. So you can see that we have successfully exfiltrated the staging directory.

So cool, now we have access to the files that we just stole off that Linux host, and we can actually see those here. If we expand this right here you can see that we have this kfnw, and if you remember, that is the name of the agent that we currently have running on that host, and if we expand it we can see that we now have that staging directory with all the files in it. So we can actually look at these files, we can download them, and we can see what we just stole from that victim host.

The other plugin that I'd just like to touch on really briefly is this Debrief plugin. After you run an operation, Caldera will automatically create a report for you, and so you can actually get that report. "demo" is the operation that we just ran; we can download the PDF report, we can select all, then we can download the report, and you can see that this report just kind of gives you an overview of what you just ran: what was successful, what failed, what you collected, and what details you found about the host that you just attacked.

And then the only other thing that I'll touch on is the Training plugin right here. When you first download Caldera and you're first using it, you might not really know what you're doing, you might not really know how to use the tool, and so we have a built-in training plugin that basically walks you through from knowing nothing to knowing a good majority of what you'll need to know to actually confidently run Caldera playbooks on your network. It walks you through step by step, you can get more hints into how to actually complete each step; it's a really good guide to walk you through how to actually use Caldera.

So that's all I want to go over in this video. I just wanted to keep a very light, very simple overview of how Caldera works. So yeah, thank you for watching, I hope this was helpful.