Amateur Security Archaeologists, trying not to break things.

Tag: Threat Modeling (Page 1 of 7)

All I want for Christmas is Caldera 5.0

Well it has been some time since I have had an opportunity to log in and capture some thoughts – sorry about that! The truth is, it has been a wild few months with work, kids, and the whole ‘adulting’ thing. I do hope I can start offering something of use more frequently. Something that took a lot of time – and shouldn’t have – was getting a working installation of MITRE’s Caldera open-source attack simulation tool. I have used prior versions since 2020 – I think it was version 2.7? Well, the new release (Magma or v5.0) is fantastic. If you can get it to install correctly for you.

What seemed wrong?

Keep in mind, I am an outage waiting to happen, so some of this is most certainly my self-inflicted wounds or ignorance. Call me crazy, but I think the biggest barrier to open source satisfying the masses is just how finicky it can be to set up an application and maintain it. That would seem the case here! Let’s start with the general complaints that could apply to any modern open-source solution:

Dependencies and the OS

Depending on your desired implementation, you may need to install and troubleshoot a long list of software packages:

  • python & pip
  • virtual environments
  • vue.js/node.js and NPM
  • Docker
  • upx
  • Go
  • and numerous other dependencies of these packages

Not to mention, you might be working around any new roadblocks your chosen OS throws at you. Ubuntu is continually re-working its complicated relationship with python, as I assume many other Linux distributions are. I get it. It is both essential to apps and the OS, but can be easily broken by the other. But yeah, what a PITA. The flow I will convey here isn’t pretty, but it seems to work (thanks Mark for the help and finding the mistake!)

Changes to the base platform

Application developers have a tough job – how do they keep offering functions the customers need in ways that are appealing and keep pace with user experience trends? The Caldera team dramatically shifted gears with Caldera Magma, moving into a vue.js based UI that is quite amazing once you get to work with it. It has much more visually significant iconography, more useful tables, and a much tighter workflow for setting up and managing an operation. They also needed to bake in capabilities that allow Caldera to be extended for OT/ICS coverage and for the eventual inclusion of AI-driven adversary simulation.

These major changes and enhancements mean the inclusion of even more dependencies. Earlier versions of Caldera were largely Python focused. Now a much broader set of capabilities are being brought to bear. All of these changes make installation a much more involved task for any script. And when the script fails, well, it becomes a lot of work for the poor end user.

A seemingly broken script

One of Caldera’s awesome superpowers is its ability to install even more fun via plugins. In effect, it installs itself even more super powers! Ahh, but like any good superhero, there is always a constraint, limit, or price to be paid. In Caldera’s case, these plugins are all developed different ways and some have fallen out of support, are no longer added by default (like Mock), are coded differently (Human), or require additional dependencies (e.g. Emu). Some are an easy fix – like cloning Mock in after the main package but before build. In Emu’s case, the included script fails to pull all required files and will thus hang the server’s startup. This was resolved by installing a fresh copy directly from the Emu plugin’s profiles.

Overcoming obstacles

I am afraid to admit how much time the above took to work through, but I managed with some digging into errors, multiple tries with different flavors of Ubuntu and install types (docker containers vs. directly on the VM) and a boatload of frustrating time on StackOverflow. As much as that site has bailed me out, it is useless to someone without a good clue as to how to outline their query. I even used by good buddy Claude.ai to help me get past some really fundamental issues with a botched NPM config. It even found a way to tell me nicely that it was my fault.

The working path

So without further ado, here is the general idea for how I tackled this and finally got Caldera to cooperate!

Prerequisites

  • Ubuntu 22.04 or 24.04 VM or host with sudo privileges
  • >20GB of free space to allow for node.js build, expanded libraries, and room for collected (looted) intel during ops
  • If you plan to use this on a real network, you might want to statically configure or reserve an IP in DHCP for the intended network interface

Installing dependencies

$ sudo apt update && sudo apt upgrade -y
$ sudo apt install python3-dev git curl python3-venv npm
$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.38.0/install.sh | bash
$ source ~/.bashrc
$ nvm install stable
$ sudo snap install go --classic && sudo snap install upx

Clone the main Caldera repo

git clone https://github.com/mitre/caldera.git --recursive caldera5

Install the Mock plugin

I use this no-longer-default plugin purely to help demonstrate how agents work when I am on the road and need to show a simulated environment without spinning up real targets.

cd caldera5/plugins<br>git clone https://github.com/mitre/mock.git --recursive

Install Emu payloads

This is where it gets fun. Emu’s directory structure comes through using the top-level clone, but it is missing some stuff further down the tree. Install the payloads as best you can now and we’ll clean it up shortly

cd emu
./download_payloads.sh

Fix emu plans directory

Because the plans don’t make it over completely, if you attempt to start the server the build will stall. In order to fix this, we’ll just remove the incomplete emulation plans directory and pull from source to ensure we have them all. You should see that when you re-run the download_payloads.sh script that more installs. Yippee!

cd data/
rm -rf adversary-emulation-plans/
cd ../../..
git clone --depth 1 https://github.com/center-for-threat-informed-defense/adversary_emulation_library.git plugins/emu/data/adversary-emulation-plans
cd plugins/emu
./download_payloads.sh

Finish config!

Here is where we finally get to do some customization. I know there is some sed/awk tricks that can make this easy, but I would rather spend 5 minuters making the changes than 2 hours learning how to script the change to save 5 minutes. I am not a role model for DevOps, that is for certain!

First, we’re going to modify the default.conf file so we can ensure our IP addresses are configured and the mock and emu plugins are loaded:

cd ../..
nano conf/default.yml 
Modify IP addresses (0.0.0.0 or localhost by default) and change usernames, passwords, and API keys as needed.
Add in mock and emu to ensure they are loaded, as well as any other plugins you desire (like caldera-ot!)

Breaking the rules for science

Now that we have that all knocked out, time to install your python packages. I know this can be done in a virtual environment – and it can also be run out of Docker. At the time I was putting this together, venv wasm’t working well for me, so I ran this on a small ubuntu VM dedicated to Caldera anyway and used the –break system packages switch to force the pip install. Feel free to let me know if you have a more elegant path in the comments below!

pip3 install -r requirements.txt —break-system-packages

Now we can start the server. The first run requires more time as vue.js needs to fully inflate, build out the web application, and do its thing. Don’t freak out if this takes a while! Also – I am using the --insecure switch for testing here. Whenever I plan to run it for more than a quick run, or unattended, I create a local.yml file that looks like default.yml but includes my salt value and encryption key, and then I drop that switch for subsequent startups.

# For testing
python3 server.py --insecure --build 

# For my more persistent lab box
python3 server.py --build
You may see some warnings, but “All systems ready.” is what we’re truly after 😉

You are likely to see errors related to payloads. Many of these are not allowed to be distributed to systems, and so you are left to search for them yourselves IF you have the permission and access from your organization to do so. Looking at some of those names, it makes sense that you would want to explicitly download those only if needed. Either way, your instance should build and work ok without those specific executables.

Starting up later

For subsequent start-ups, you can omit the build switch:

python3 server.py

And if all works well, you can log into your Caldera portal and get emulating! If you can get to the following portal but not log in, try a restart. More often than not that clears up any lingering issues 🙂

It doesn’t take much to get me excited. This simple screen took way too long to get back to with 5.0

Conclusion

Once Caldera is up and running, be sure to try out the training paths – that is the single best way to learn the tool inside and out. As you do see it, you might notice that the newest version is much more polished and extensible. Don’t try and do it all at once – take it slow and soak it in. This tool teaches you so much not only about Caldera itself, but about ATT&CK, adversaries, and offensive security in general. And with the Blue Team features, it even can assist with enabling defenders.

Hopefully this run through helps those of you looking for a path to playing with Caldera. I love this tool, and the effort of all involved is just amazing. Knowing what the alternatives cost, this is a fine way to get some familiarity with breach attack simulation and learn what you value most. For those who don’t mind the hands-on, it can even be a great long-term platform. We can be certain that Caldera will only get better, and the new Magma platform is worth my personal growing pains. With any luck, you can avoid my errors and be emulating APTs in no time!

Impact: When Attackers Just Want to Watch the World Burn

In our journey through the MITRE ATT&CK framework, we’ve explored how attackers gain access, establish persistence, and steal data. But what happens when adversaries decide to break things, or to show the defenders that they are in charge? This last post covers ATT&CK’s Impact tactic – the cyber equivalent of leaving a calling card, often with devastating consequences.

Continue reading

Exfiltration: The Attacker’s Great Escape with Your Data

In our Collection post, we examined how attackers collect valuable information within a compromised environment. Once adversaries have gathered their loot, the next crucial step is to smuggle it out. This brings us to the MITRE ATT&CK tactic of Exfiltration. Let’s explore how various threat actors, from cyber criminals to nation-state operatives, execute this critical phase of their operations.

Continue reading

Command and Control: This is Major Tom to Ground Control

In our last post, we explored how attackers gather valuable information through the Collection tactic. Once adversaries have a foothold and have collected data, they need a way to maintain control over compromised systems and coordinate their activities. In military operations, you’ll see a mix of overt and covert forms of communications. But we know they are happening. Without them, the various units involved would be uncoordinated and the attack would fail before major objectives could be accomplished. Cyber adversaries need this sustained control as well. Payloads are unable to act autonomously for long. And exfiltrating data without it is futile. This is where the next MITRE ATT&CK Tactic comes into play: Command and Control (C2). Let’s dive into how attackers use C2 to orchestrate their operations and why it’s a critical component of almost every sophisticated cyber attack.

Continue reading

Collection: How Attackers Gather the Loot Before Being Caught

In last week’s post, we tool at look at how attackers move laterally. They do this to get to their goals and to better entrench themselves. Whether the adversary is an APT or special forces unit, gathering information is critical to the success of any mission. If there are exceptions, they’re probably limited to bombardments (in physical warfare) or Denial of Service (DoS) attacks (in cyber). It’s tough to have long-lasting effects without going further than those brute-force attacks. FThe information may be the end goal, or it may be essential to achieving it. The next MITRE ATT&CK tactic is Collection. Let’s look at how almost every adversary on the very diverse spectrum of threats needs it.

Continue reading
« Older posts
Verified by MonsterInsights