The Red Team Project incubates open source cybersecurity tools that support cyber range automation, containerized pentesting utilities, binary risk analysis, and standards validation.
Sponsored by the Linux Foundation, the Red Team Project's goal is to make open source software safer to use. Our approach is to use the same tools, techniques, and procedures as our adversaries — but in a constructive way — in order to provide feedback to open source projects that will make those projects more secure.
Ever wonder what people mean when they talk about “cyber ranges?” Well, if you've ever been to a gun range you've already got an idea. Like gun ranges, cyber ranges are used for training, testing, research and development -- but instead of kinetic devices, cyber ranges specialize in offensive and defensive simulation in the cyber domain.
To continue with the gun range analogy, consider the Aristotelian physical accidents of such a range: a berm at the back, then lanes, benches, lockers, parking, etc. The physical accidents of a cyber range are the computers themselves, the virtualization frameworks, and the network topologies.
In today’s world of public and private cloud services, cyber range virtualization is easy to come by. But physical accidents aren’t enough -- kinetically speaking, a gun range lacks the essence of a gun range until you add firearms, ammunition, targets, shooters, range officers, and so forth. Similarly, a cyber range isn’t actually useful until you add vulnerable machine images, vulnerable application configs, attack platforms, exploits, and operators. Even with those added ingredients, a cyber range can’t actually be used for training until you have scenarios that are representative of real world situations that your red and blue teams will be facing.
At Def Con 24, Sarah Zatko and Mudge unveiled their Cyber Independent Test Lab (Cyber-ITL), an effort to quantitatively analyze binaries for safety features, code complexity, and code hygiene. After their project update the following year at Def Con 25, and sensing how important the Cyber-ITL work would become, some engineers working with the Fedora Project decided to build an open source implementation of the Cyber-ITL's methodology. The resulting project, the Cyber Test Lab, has been migrated to the Red Team Project and is adding support for other Linux distributions.
The Cyber Test Lab (CTL) gives open source projects a way to analyze their code so they have some insight into how the Cyber-ITL will score their binaries. We also plan to make CTL easier to integrate into the SDLC so end users can prevent poorly-built binaries from going to production.
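As an added illustration of the kind of binary safety-feature check such a scoring methodology starts from (this is example code, not CTL's or Cyber-ITL's own), the following Python reads an ELF64 image and reports four hardening properties the toolchain leaves in the headers: PIE (e_type == ET_DYN), a non-executable stack (PT_GNU_STACK without PF_X), RELRO (PT_GNU_RELRO, upgraded to full when the dynamic section requests immediate binding), and a stack-canary heuristic (the `__stack_chk_fail` symbol name present in the file). The `build_sample` helper constructs tiny synthetic ELF images so the check runs offline. Which features Cyber-ITL scores and how it weights them is not stated on this page; the assumption here is only that these are among the properties a binary-safety score looks at.

```python
"""Minimal checksec-style ELF64 hardening check (added example, not CTL code)."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = "<HHIQQQIHHHHHH"  # ELF64 header fields that follow the 16-byte e_ident
PHDR = "<IIQQQQQQ"       # ELF64 program header (56 bytes)
DYN = "<qQ"              # Elf64_Dyn: d_tag, d_val


def check_elf64(data: bytes) -> dict:
    """Report PIE / NX / RELRO / canary for a little-endian ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    fields = struct.unpack_from(EHDR, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[4], fields[8], fields[9]

    nx = False          # no PT_GNU_STACK at all: the stack is executable by default on x86
    relro = "none"
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)          # stack mapped without execute permission
        elif p_type == PT_GNU_RELRO:
            relro = "partial"                  # GOT made read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    # Full RELRO additionally needs immediate binding, so lazily bound GOT slots
    # never stay writable: DT_BIND_NOW, DT_FLAGS/DF_BIND_NOW or DT_FLAGS_1/DF_1_NOW.
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, struct.calcsize(DYN)):
            d_tag, d_val = struct.unpack_from(DYN, data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True
    if relro == "partial" and bind_now:
        relro = "full"

    return {
        "pie": e_type == ET_DYN,
        "nx": nx,
        "relro": relro,
        # Heuristic used by checksec-style tools: a canary-instrumented binary
        # imports __stack_chk_fail, so the name appears in its string table.
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample(pie: bool, exec_stack: bool, relro: str, canary: bool) -> bytes:
    """Construct a tiny synthetic ELF64 image (headers only, not a runnable program)."""
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (PF_X if exec_stack else 0), 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    phnum = len(phdrs) + 1                        # + the PT_DYNAMIC entry below
    dyn_off = 64 + struct.calcsize(PHDR) * phnum  # dynamic section right after the headers
    dyn = b""
    if relro == "full":
        dyn += struct.pack(DYN, DT_FLAGS, DF_BIND_NOW)
    dyn += struct.pack(DYN, DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0, len(dyn), len(dyn), 8))

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, v1
    hdr = struct.pack(EHDR, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, 64, 0, 0,
                      64, struct.calcsize(PHDR), phnum, 64, 0, 0)
    image = ident + hdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn
    if canary:
        image += b"\x00__stack_chk_fail\x00"      # stands in for the .dynstr entry
    return image


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_elf64(f.read()))
    else:
        print("hardened:", check_elf64(build_sample(True, False, "full", True)))
        print("weak:    ", check_elf64(build_sample(False, True, "none", False)))
```

Run it against a real binary with `python3 elfcheck.py /usr/bin/ls` (file name assumed). One deliberate choice: a binary with no PT_GNU_STACK header at all is reported as lacking NX, because on x86 Linux the kernel treats a missing header as a request for an executable stack, which is the same conservative call checksec makes.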
Our findings are published here.
Have you ever had to comply with FISMA requirements, write a System Security Plan, or pursue an Authority To Operate? If so, you've probably come across NIST SP 800-53. NIST's daunting undertaking of enumerating every security control needed to assure confidentiality, integrity, and availability produced the yardstick by which Information Assurance is measured.
If you’ve gone through an accreditation process before, you’ve probably questioned the efficacy of some of the 800-53 controls. With the Red Team Project’s cyber range automation, it’s now possible to explore whether or not individual 800-53 controls actually work.
For a given control, we can:
• Map the control to certain classes of exploits
• Create a cyber range with systems vulnerable to those exploits
• Automatically implement the control with our Compliant Ansible role
• Test the mapped exploits against systems with and without the control implemented
We plan to provide empirical feedback to NIST regarding control efficacy in order to make more efficient standards going forward.
• LEM scans a Linux system for local exploits and maps them to known exploit code.
• LEM-mapped exploits are curated, i.e., tested for efficacy and ease of use using a scoring scheme derived from STRIDE.
• An Ansible role called cyber-range-target deliberately downgrades OS packages to a version vulnerable to a given CVE.
• Red Container offers containerized pentesting tooling that can run on a full host OS or in container orchestration environments such as Kubernetes.
• Cyber range training scenarios automatically launch and configure the cyber range via Deployment Manager and Ansible.
• DISA STIG settings can be applied to OS instances automatically.
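The scan-and-map step in LEM and the version pinning in cyber-range-target both hinge on deciding whether an installed package version is older than the version that fixes a given flaw, and a plain string comparison gets that wrong (`"1.9" > "1.10"` lexically). As an added example that is not LEM's or the role's own code, the following Python implements the RPM version ordering (numeric segments compared as integers, numbers rank above letters, a tilde sorts before everything, epoch dominates) and applies it to a constructed inventory in `rpm -qa` output shape against a constructed advisory table. The package names, versions and exploit labels are placeholders, not real packages, CVEs or exploits.

```python
"""Map installed RPM package versions to advisories (added example, not LEM code)."""
import re

# Constructed inventory in the shape of
#   rpm -qa --qf '%{NAME} %{EPOCH}:%{VERSION}-%{RELEASE}\n'
# Package names and versions are placeholders.
INVENTORY = """\
libfoo 0:1.9-3.fc29
bar-daemon 0:2.10.1-1.fc29
baz 1:0.4.0-2.fc29
"""

# package -> (first fixed EVR, label of the exploit to map); all hypothetical.
ADVISORIES = {
    "libfoo": ("0:1.10-1.fc29", "placeholder-exploit-A"),
    "bar-daemon": ("0:2.9-1.fc29", "placeholder-exploit-B"),
    "baz": ("0:0.5.0-1.fc29", "placeholder-exploit-C"),
}

_SEG = re.compile(r"[0-9]+|[A-Za-z]+|~")


def rpmvercmp(a: str, b: str) -> int:
    """RPM's version ordering: -1 if a < b, 0 if equal, 1 if a > b.

    Segments are maximal runs of digits or letters; other separators only split.
    Digit runs compare as integers, a digit run outranks a letter run, and a
    tilde sorts before anything, including end of string (so 1.0~rc1 < 1.0).
    The '^' separator of newer rpm releases is not handled here.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x == "~" or y == "~":
            if x != y:
                return -1 if x == "~" else 1
            continue
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            xi, yi = int(x), int(y)   # "10" > "9", unlike the lexical order
            if xi != yi:
                return -1 if xi < yi else 1
        elif xd != yd:
            return 1 if xd else -1    # numeric segment beats alphabetic segment
        else:
            return -1 if x < y else 1
    if len(sa) == len(sb):
        return 0
    longer_is_a = len(sa) > len(sb)
    rest = sa[len(sb):] if longer_is_a else sb[len(sa):]
    if rest[0] == "~":                # a trailing ~rc1 makes the longer one smaller
        return -1 if longer_is_a else 1
    return 1 if longer_is_a else -1


def parse_evr(evr: str):
    """Split 'epoch:version-release' (epoch optional, defaults to 0)."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
    version, _, release = evr.partition("-")
    return int(epoch), version, release


def evr_cmp(a: str, b: str) -> int:
    """Compare two EVR strings; epoch wins outright, then version, then release."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def scan(inventory: str, advisories: dict) -> dict:
    """Return {package: exploit label} for installed packages older than the fix."""
    hits = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        name, evr = line.split()
        if name in advisories:
            fixed, label = advisories[name]
            if evr_cmp(evr, fixed) < 0:
                hits[name] = label
    return hits


if __name__ == "__main__":
    print(scan(INVENTORY, ADVISORIES))
```

On the constructed data only libfoo maps to an exploit: bar-daemon at 2.10.1 is newer than the 2.9 fix even though it sorts lower as a string, and baz is protected by its epoch. Selecting a deliberately vulnerable version for a range target is the same comparison run the other way, picking a candidate that compares below the fix.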
• Come hear luminaries from the offensive security community. (Washington, DC)
• Learn how to use the Red Team Project tooling, contribute to our GitHub projects, and help us curate exploits. (Washington, DC)
• Going to Def Con? We'll be there, so let's hang out! (Las Vegas, NV)
• Red Team Project Lead
• TrustedSec founder, hacker extraordinaire
• Google Cloud Strategic Executive
• Head of security at Stripe, the David Bowie of infosec
• Cyber-ITL Chief Scientist
• Fedora Kernel Maintainer