• John Lundgren

Introducing Attack On Demand

Testing the internal security of your organization on your schedule just got easier.

What is Attack On Demand?

Attack On Demand (AoD) is a new feature in our Continuous Intelligent Red Team (CIRT) Service that allows customers to test any computer within their IT environment against realistic but safe attack attempts to verify their security controls and assess the effectiveness of their defense in depth policies.

Why Attack On Demand?

While CIRT's perimeter and social attack features are continuously searching for weaknesses in our customers' public-facing cyber defenses to exploit, some of our customers have asked for additional ways to test the security controls on internal hosts - on their schedule. AoD is our response to that demand signal. By frequently testing the security controls of your internal hosts and servers (after patches, updates or reconfigurations, for example), you can be confident in just how those controls will respond if attackers make it through any layers of your defenses.

Even though you've spent hours training your employees not to click on that tempting phishing email, there will always be instances when those nasty phishing emails are clicked on within your IT environment. AoD gives your internal or external security team the ability to test just what would happen if one of your employees clicked on the wrong link or opened a malicious attachment, but in a safe and controlled manner.

How does it work?

Customers will have access to choose from an evolving collection of attack packages built by the BreachBits Team, each with a variety of exploitation techniques, discovery and reconnaissance tactics that can be used to test your internal hosts. Once an attack package is chosen, CIRT configures the cloud-based attack infrastructure needed for the test. This infrastructure resembles what an advanced attacker would use for a similar operation, such as command & control (C2) servers that give the commands to the compromised hosts.

Then, customers will be given a command to run on their Terminal window (Linux/Mac) or Command Prompt (Windows) to begin the test. Upon completion of the test, you'll be able to see either if the attack was defeated entirely by your controls, was partially successful or was entirely successful at evading your security controls and completing the attack package. Then, once you've been able to adjust your controls, re-run the test to try it again to verify it made a difference.

Attack On Demand Walkthrough

You can request an AoD attack by selecting the 'Request Attack On Demand' button from your BreachBoard. Alternatively, you can also select the 'Attack on Demand' link in the navigation bar at the top of the BreachBoard, and then select 'Request Attack on Demand' from the Attack on Demand Dashboard.

Either of these methods of requesting a new AoD attack will provide you with a Request Attack on Demand window with a list of attacks to choose from. Select any attack for the operating system of the host you will be testing (Windows/Mac/Linux), and select 'Request Attack'.

Next, you will be brought to the Attack On Demand Dashboard, and your attack will have a 'Requested' status in your Attack On Demand Attack Log.

Wait 15-30 seconds for CIRT to provision the attack infrastructure, and refresh the page until the attack is in a 'Ready' state.

When the attack is Ready, click on the 'Launch Attack' button, which will provide you with the command to start the attack and detailed instructions and troubleshooting tips for that particular attack.

Copy the command in the first text box by selecting the 'Copy' button - this will add the attack command to your clipboard. From there, paste the command into a Command Prompt (Windows) or Terminal (Mac/Linux) window, and hit Enter. There will likely be nothing that is displayed on the screen, and this is intentional - we want every attack to be as realistic as possible to truly give your security controls a run for their money.

Back on the BreachBoard, refresh your screen periodically to see if the status of your attack has changed. There may be a few different paths that your attack can take at this point:

  • If your security controls have disrupted the attack entirely, or a firewall is blocking the requests to our BreachBits C2 server, then your attack will stay in a 'Ready' state for roughly 10 minutes, when it will turn to 'Disrupted'. This is the best-case scenario. This means that some or serval layers of your security controls have stopped this attack from even getting started.

  • If this attack was able to get past your security controls to make the first connection with the BreachBits C2 server, you will see the status of the attack turn from Ready to Ongoing. This means the attack was able to start on the host being tested and is still in progress.

  • If the attack was able to execute, then the attack will complete in either a 'Partially Disrupted' or 'Complete' status. If the attack ended with a 'Partially Disrupted' status, this means that while the attack was able to begin, your security controls or policies disrupted some portion of the attack, and it was not able to complete all of the steps it attempted.

  • If the attack ends in a 'Complete' status, that means that the attack was able to successfully execute each of the tactics the BreachBits C2 server gave it, until the attack package was complete.

For attacks that end in either a 'Partially Disrupted' or 'Complete' status, users will be able to select the 'View Attack Timeline' button to view the fine-grain details of the attack, in the Attack Timeline view.

At the top of the Attack Timeline view, users will see an Attack Overview section, that has the start and stop times of the attack, as well as a list of the tactics that were used. Selecting any of the tactics will bring the user to the Mitre ATT&CK website with details on that particular tactic, with details about threat groups that use that tactic, and mediation strategies to improve detection and disruption of that tactic in the future.

The bottom of the Attack Timeline provides the user with a step-by-step timeline of each step of the attack, covering the details of the initial execution, communication with the BreachBits C2 server and post-exploitation steps that were taken. This gives defenders the ability to correlate BreachBits' details of the attack with their own logs to see how security controls can be adjusted to improve detection and disruption of each tactic by BreachBits (and real attackers) in the future.


Have feedback about how we can improve this (or any other CIRT feature) to better support the cyber defenders or executives in your organization? We want to hear from you! Please email support@breachbits.com anytime to let us know how you are using this feature in your own IT environment, and how we can make it better.

25 views0 comments