Complete Guide to Threat Emulation Using Caldera | TryHackMe CALDERA

Motasem Hamdan
3 min readJul 9, 2024


We covered threat emulation using Caldera, a popular open-source framework for emulating adversary behaviour (TTPs) and for executing detection and response actions. Caldera runs in a server/agent model: the agent is installed on the target machine and periodically pulls instructions from the Caldera server, which are either TTPs to execute or blue team response actions. This was part of the TryHackMe Caldera room.

What is Caldera in Threat Emulation

CALDERA™ is an open-source framework designed to run autonomous adversary emulation exercises efficiently. It enables users to emulate real-world attack scenarios and assess the effectiveness of their security defences.

In addition, it provides a modular environment for red team engagements, supporting red team operators in the manual execution of TTPs and blue teamers in automated incident response actions.

Lastly, CALDERA is built on the MITRE ATT&CK framework and is an active research project at MITRE. All the credit goes to MITRE for creating this fantastic framework.

Caldera Use Cases

Security analysts can leverage the CALDERA framework in different cases, but the common usages of CALDERA are as follows:

  • Autonomous Red Team Engagements: The original CALDERA use case. The framework is built to emulate known adversary profiles to see gaps across your organisation’s infrastructure. This use case allows you to test your defences and train your team on detecting threats.
  • Manual Red Team Engagements: Aside from automating adversary profiles, CALDERA can be customised based on your red team engagement needs. It allows you to replace or extend the attack capabilities in case a custom set of TTPs are needed to be executed.
  • Autonomous Incident Response: As mentioned, blue teamers can also use CALDERA to perform automated incident response actions through deployed agents. This functionality aids in identifying TTPs that other security tools may not detect or prevent.

Caldera Red Team Components

  1. Agents are programs continuously connecting to the CALDERA server to pull and execute instructions.
  2. Abilities are TTP implementations, which the agents execute.
  3. Adversaries are groups of abilities that are attributed to a known threat group.
  4. Operations run abilities on agent groups.
  5. Plugins provide additional functionality over the core usage of the framework.

Running Caldera Instance

ubuntu@tryhackme:~$ cd Rooms/caldera/caldera
ubuntu@tryhackme:~/Rooms/caldera/caldera$ source ../caldera_venv/bin/activate
(caldera_venv) ubuntu@tryhackme:~/Rooms/caldera/caldera$ python3 server.py --insecure

The --insecure flag starts the server with the default configuration file (conf/default.yml), including its well-known default user credentials and API keys. That is fine for a lab box, but a server started this way should never be reachable by anyone other than the operator.

Caldera Blue Team Components

The Response Plugin

The Response plugin is the counterpart of the threat emulation plugins of CALDERA. It mainly contains abilities that focus on detection and response actions. You may view the summary of the response plugin by navigating to the response tab in the sidebar.

Response Plugin Abilities

Compared to the adversaries' abilities, which are mapped to MITRE ATT&CK tactics and techniques, the Response plugin's abilities are classified under four tactics:

  • Setup — Abilities that prepare information, such as baselines, that assists other abilities in determining outliers.
  • Detect — Abilities that focus on finding suspicious behaviour by continuously acquiring information. Abilities under this tactic have the Repeatable field configured, meaning they will run and hunt as long as the operation runs.
  • Response — Abilities that act on behalf of the user to initiate actions, such as killing a process, modifying firewall rules, or deleting a file.
  • Hunt — Abilities that focus on searching for malicious Indicators of Compromise (IOCs) via logs or file hashes.
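The following is an added example, not CALDERA's own code. It ties together the red team components above (abilities, adversaries and agents) and the Response plugin tactics just listed: it validates ability definitions before they are dropped into a plugin, including the repeatable flag a detect ability needs, and resolves an adversary profile into the exact executor and command a given agent would run. The dicts have the same shape as CALDERA's YAML ability and adversary files would have after loading, but plain dicts are used so the script needs only the standard library. The set of executor names, the rule that the first agent-reported executor implemented by the ability wins, and every sample ability, ID and command are assumptions constructed for illustration.

```python
"""Validate CALDERA-style ability definitions and resolve what an agent would run.

Added example, not CALDERA's own code. Dicts mirror the YAML ability/adversary
files in a plugin's data/ directory (as yaml.safe_load would return them).
All sample abilities, IDs and commands below are constructed for illustration.
"""
import re
import uuid

# ATT&CK enterprise tactics (as CALDERA spells them) and the Response plugin's four.
ATTACK_TACTICS = {
    "reconnaissance", "resource-development", "initial-access", "execution", "persistence",
    "privilege-escalation", "defense-evasion", "credential-access", "discovery",
    "lateral-movement", "collection", "command-and-control", "exfiltration", "impact",
}
RESPONSE_TACTICS = {"setup", "detect", "response", "hunt"}
PLATFORMS = {"windows", "linux", "darwin"}
EXECUTORS = {"psh", "cmd", "pwsh", "sh", "proc"}  # assumption: executor names used in abilities
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")     # Tnnnn or sub-technique Tnnnn.nnn


def validate_ability(ability):
    """Return a list of problems; an empty list means the ability is well-formed."""
    errors = []
    try:
        uuid.UUID(str(ability.get("id", "")))
    except ValueError:
        errors.append("id must be a UUID")
    for field in ("name", "description"):
        if not ability.get(field):
            errors.append(f"{field} is required")
    tactic = ability.get("tactic")
    if tactic not in ATTACK_TACTICS | RESPONSE_TACTICS:
        errors.append(f"unknown tactic {tactic!r}")
    attack_id = (ability.get("technique") or {}).get("attack_id")
    # Emulation abilities must map to ATT&CK; response abilities may, so check any ID given.
    if tactic in ATTACK_TACTICS or attack_id is not None:
        if not (isinstance(attack_id, str) and ATTACK_ID.match(attack_id)):
            errors.append(f"technique.attack_id {attack_id!r} is not an ATT&CK ID")
    platforms = ability.get("platforms") or {}
    if not platforms:
        errors.append("platforms must list at least one platform")
    for platform, executors in platforms.items():
        if platform not in PLATFORMS:
            errors.append(f"unknown platform {platform!r}")
        for executor, spec in (executors or {}).items():
            if executor not in EXECUTORS:
                errors.append(f"{platform}: unknown executor {executor!r}")
            if not (isinstance(spec, dict) and spec.get("command")):
                errors.append(f"{platform}/{executor}: command is required")
    # A detect ability only keeps hunting for the life of the operation if it is repeatable.
    if tactic == "detect" and ability.get("repeatable") is not True:
        errors.append("detect abilities should set repeatable: true")
    return errors


def select_executor(ability, agent):
    """Pick (executor, command) for this agent, or None if the ability cannot run on it.

    Assumption: the agent reports its platform and an ordered list of supported
    executors, and the first one the ability implements for that platform is used.
    """
    implemented = ability.get("platforms", {}).get(agent["platform"], {})
    for executor in agent["executors"]:
        if executor in implemented:
            return executor, implemented[executor]["command"]
    return None


def plan_for_agent(adversary, abilities_by_id, agent):
    """Resolve an adversary profile's atomic_ordering into what this agent would execute."""
    plan = []
    for ability_id in adversary["atomic_ordering"]:
        choice = select_executor(abilities_by_id[ability_id], agent)
        if choice:
            plan.append((abilities_by_id[ability_id]["name"],) + choice)
    return plan


# Constructed samples: two emulation abilities, one detect ability, one malformed one.
WHOAMI = {
    "id": "9d3a1b2c-4e5f-4a6b-8c7d-0e1f2a3b4c5d", "name": "Identify active user",
    "description": "Find the user running the agent", "tactic": "discovery",
    "technique": {"attack_id": "T1033", "name": "System Owner/User Discovery"},
    "platforms": {"windows": {"psh": {"command": "whoami"}, "cmd": {"command": "whoami"}},
                  "linux": {"sh": {"command": "whoami"}}},
}
NETCONF = {
    "id": "2b7c9e10-6f1a-4d2e-9b3c-5a6d7e8f9a0b", "name": "Network configuration",
    "description": "List interfaces and addresses", "tactic": "discovery",
    "technique": {"attack_id": "T1016", "name": "System Network Configuration Discovery"},
    "platforms": {"windows": {"psh": {"command": "ipconfig /all"}}, "linux": {"sh": {"command": "ip addr"}}},
}
DETECT_PORTS = {
    "id": "c0ffee11-2233-4455-8899-aabbccddeeff", "name": "Watch listening ports",
    "description": "Record listening TCP ports for outlier checks", "tactic": "detect",
    "repeatable": True, "platforms": {"linux": {"sh": {"command": "ss -ltn"}}},
}
BROKEN = {
    "id": "custom-ability-1", "name": "Scheduled task check", "description": "malformed on purpose",
    "tactic": "persistance", "technique": {"attack_id": "1053.005", "name": "Scheduled Task"},
    "platforms": {"windows": {"bash": {"command": "schtasks /query"}}},
}
ABILITIES = {a["id"]: a for a in (WHOAMI, NETCONF, DETECT_PORTS)}
PROFILE = {"name": "Constructed discovery profile", "atomic_ordering": [WHOAMI["id"], NETCONF["id"]]}

if __name__ == "__main__":
    for ability in (WHOAMI, NETCONF, DETECT_PORTS, BROKEN):
        print(ability["name"], "->", validate_ability(ability) or "ok")
    print(plan_for_agent(PROFILE, ABILITIES, {"platform": "windows", "executors": ["cmd", "psh"]}))
```

Running the script reports the four defects in the malformed ability (non-UUID id, misspelled tactic, attack_id without the T prefix, unknown executor) and shows why executor choice matters: the same Windows agent runs the first ability via cmd because that is the executor it lists first, but falls back to psh for the second ability, which only implements psh. A macOS agent gets nothing from this profile, which is the kind of gap an operation silently exposes.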

Check out the video below for a detailed explanation.

Room Answers | TryHackMe CALDERA

Room answers can be found here.

Video Walkthrough | TryHackMe CALDERA



Written by Motasem Hamdan

Motasem Hamdan is a content creator and swimmer who creates cyber security training videos and articles. https://www.youtube.com/@MotasemHamdan
