Skip to content

DataDog/threatest

Repository files navigation

Threatest

unit tests static analysis

Threatest

Threatest is a CLI and Go framework for testing threat detection end-to-end.

Threatest allows you to detonate an attack technique, and verify that the alert you expect was generated in your favorite security platform.

Read the announcement blog post: https://securitylabs.datadoghq.com/articles/threatest-end-to-end-testing-threat-detection/

Concepts

Detonators

A detonator describes how and where an attack technique is executed.

Supported detonators:

  • Local command execution
  • SSH command execution
  • Stratus Red Team
  • AWS CLI detonator
  • AWS detonator (programmatic only, does not work with the CLI)

Alert matchers

An alert matcher is a platform-specific integration that can check if an expected alert was triggered.

Supported alert matchers:

  • Datadog security signals

Detonation and alert correlation

Each detonation is assigned a UUID. This UUID is reflected in the detonation and used to ensure that the matched alert corresponds exactly to this detonation.

The way this is done depends on the detonator; for instance, Stratus Red Team and the AWS Detonator inject it in the user-agent; the SSH detonator uses a parent process containing the UUID.

Usage

Through the CLI

Threatest comes with a CLI that you can use to run test scenarios described as YAML, following a specific schema. You can configure this schema in your editor to benefit from in-IDE linting and autocompletion (see documentation for VSCode using the YAML extension).

Install the CLI by downloading a binary release or with Homebrew:

brew tap datadog/threatest https://github.com/datadog/threatest
brew install datadog/threatest/threatest

Sample usage:

$ threatest lint scenarios.threatest.yaml
All 6 scenarios are syntaxically valid

# Local detonation
$ threatest run local-scenarios.threatest.yaml

# Remote detonation over SSH
$ threatest run scenarios.threatest.yaml --ssh-host test-box --ssh-username vagrant

# Alternatively, specify SSH parameters from environment variables
$ export THREATEST_SSH_HOST=test-box
$ export THREATEST_SSH_USERNAME=vagrant
$ threatest run scenarios.threatest.yaml

Sample scenario definition files

  • Detonating over SSH
scenarios:
  # Remote detonation over SSH
  # Note: SSH configuration is provided using the --ssh-host, --ssh-username and --ssh-keyfile CLI arguments
  - name: curl metadata service
    detonate:
      remoteDetonator:
        commands: ["curl http://169.254.169.254 --connect-timeout 1"]
    expectations:
      - timeout: 1m
        datadogSecuritySignal:
          name: "Network utility accessed cloud metadata service"
          severity: medium
  • Detonating using Stratus Red Team
scenarios:
  # Stratus Red Team detonation
  # Note: You must be authenticated to the relevant cloud provider before running it
  # The example below is equivalent to manually running "stratus detonate aws.exfiltration.ec2-security-group-open-port-22-ingress"
  - name: opening a security group to the Internet
    detonate:
      stratusRedTeamDetonator:
        attackTechnique: aws.exfiltration.ec2-security-group-open-port-22-ingress
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"
  • Detonating using AWS CLI commands
scenarios:
  # AWS CLI detonation
  # Note: You must be authenticated to AWS before running it and have the AWS CLI installed
  - name: opening a security group to the Internet
    detonate:
      awsCliDetonator:
        script: |
          set -e
          
          # Setup
          vpc=$(aws ec2 create-vpc --cidr-block 10.0.0.0/16 --query Vpc.VpcId --output text)
          sg=$(aws ec2 create-security-group --group-name sample-sg --description "Test security group" --vpc-id $vpc --query GroupId --output text)
          
          # Open security group
          aws ec2 authorize-security-group-ingress --group-id $sg --protocol tcp --port 22 --cidr 0.0.0.0/0
          
          # Cleanup
          aws ec2 delete-security-group --group-id $sg
          aws ec2 delete-vpc --vpc-id $vpc
    expectations:
      - timeout: 15m
        datadogSecuritySignal:
          name: "Potential administrative port open to the world via AWS security group"

You can output the test results to a JSON file:

$ threatest run scenarios.threatest.yaml --output test-results.json
$ cat test-results.json
[
  {
    "description": "change user password",
    "isSuccess": true,
    "errorMessage": "",
    "durationSeconds": 22.046627348,
    "timeDetonated": "2022-11-15T22:26:14.182844+01:00"
  },
  {
    "description": "adding an SSH key",
    "isSuccess": true,
    "errorMessage": "",
    "durationSeconds": 23.604699625,
    "timeDetonated": "2022-11-15T22:26:14.182832+01:00"
  },
  {
    "description": "change user password",
    "isSuccess": false,
    "errorMessage": "At least one scenario failed:\n\nchange user password returned: change user password: 1 assertions did not pass\n =\u003e Did not find Datadog security signal 'bar'\n",
    "durationSeconds": 3.505294235,
    "timeDetonated": "2022-11-15T22:26:36.229349+01:00"
  }
]

By default, scenarios are run with a maximum parallelism of 5. You can increase this setting using the --parallelism argument. Note that when using remote SSH detonators, each scenario running establishes a new SSH connection.

Using Threatest programmatically

See examples for complete programmatic usage example.

Testing Datadog Cloud SIEM signals triggered by Stratus Red Team

threatest := Threatest()

threatest.Scenario("AWS console login").
  WhenDetonating(StratusRedTeamTechnique("aws.initial-access.console-login-without-mfa")).
  Expect(DatadogSecuritySignal("AWS Console login without MFA").WithSeverity("medium")).
  WithTimeout(15 * time.Minute)

assert.NoError(t, threatest.Run())

Testing Datadog Cloud Workload Security signals triggered by running commands over SSH

ssh, _ := NewSSHCommandExecutor("test-box", "", "")

threatest := Threatest()

threatest.Scenario("curl to metadata service").
  WhenDetonating(NewCommandDetonator(ssh, "curl http://169.254.169.254 --connect-timeout 1")).
  Expect(DatadogSecuritySignal("EC2 Instance Metadata Service Accessed via Network Utility"))

assert.NoError(t, threatest.Run())