Attack Range – Tool to Create Vulnerable Instrumented Environment

Attack Range solves two main challenges in development of detections. First, it allows the user to quickly build a small lab infrastructure as close as possible to your production environment. This lab infrastructure contains a Windows Domain Controller, Windows Workstation and Linux server, which comes pre-configured with multiple security tools and logging configuration.

The infrastructure comes with a Splunk server collecting multiple log sources from the different servers.

Attack Range - Create Vulnerable Instrumented Environment
Attack Range – Create Vulnerable Instrumented Environment

Second, this framework allows the user to perform attack simulation using different engines. Therefore, the user can repeatedly replicate and generate data as close to “ground truth” as possible, in a format that allows the creation of detections, investigations, knowledge objects, and playbooks in Splunk.

Attack Range can be used in two different ways:

  • local using vagrant and virtualbox
  • in the cloud using terraform and AWS

In order to make Attack Range work on almost every laptop, the local version using Vagrant and Virtualbox consists of a subset of the full-blown cloud infrastructure in AWS using Terraform.

The local version consists of a Splunk single instance and a Windows 10 workstation pre-configured with best practice logging configuration according to Splunk. The cloud infrastructure in AWS using Terraform consists of a Windows 10 workstation, a Windows 2016 server and a Splunk server.

The simulation attack engine with this framework is based on the Red Canary Atomic Red Team.

You can read more and download this tool over here: https://github.com/splunk/attack_range

Share
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments