Splunk Attack Range 4.0 Enables Detection Teams to Emulate Adversary Behavior


The Splunk Threat Research Team is releasing v4.0 of Splunk Attack Range, an open source project that allows security teams to spin up a detection development environment to emulate adversary behavior and use the generated telemetry data to build detections in Splunk.

Updates include:

  • SnapAttack CapAttack Integration
  • GCP Support
  • Automated Splunk Apps Update Through CI/CD
  • Improved Caldera Integration
  • Version-Tagged Docker Containers
  • Deprecation of Splunk Attack Range Local

CapAttack is a PowerShell capture agent that allows for the packaging of an attack into a standard format. It collects system logs, system information, keystrokes, PCAP, and video during the attack. A CapAttack capture allows for attack data to be easily reviewed with all the context of what was happening on the system at the time.

It currently works on modern Windows environments and some Linux distros. When you execute the Splunk Attack Range simulate command, the system automatically initiates a CapAttack capture session before launching the Atomic Red Team framework. Upon completion, the system seamlessly uploads the entire CapAttack capture data to SnapAttack (if enabled in attack_range.yml).

This integrated workflow allows for efficient attack simulation, data collection, and analysis in a single streamlined process, Splunk said. Additionally, users have granular control over the capture process through the cap_attack command, which enables manual starting and stopping of CapAttack capture sessions.

Splunk Attack Range is expanding its capabilities with the addition of Google Cloud Platform (GCP) support in its latest release. This enhancement allows security teams to create instrumented cloud environments in GCP alongside the previously supported AWS and Azure platforms. The GCP implementation in Splunk Attack Range allows security teams to deploy and configure Google Cloud resources through the same streamlined interface used for AWS and Azure, according to the vendor.

The latest Splunk Attack Range release introduces automated Splunk Apps updates through CI/CD, so that detection engineers always work with the current version of each integrated Splunk App. The pipeline automatically updates all integrated Splunk Apps within the Splunk Attack Range environment and eliminates the previous manual update process.

Furthermore, the update significantly enhances Caldera integration, addressing previous implementation challenges that users faced. The improved integration streamlines the deployment and configuration of MITRE's Caldera adversary emulation platform within the Splunk Attack Range environment, making it more accessible and reliable.

The latest Splunk Attack Range release introduces version-tagged Docker containers on DockerHub, a significant improvement over the previous approach that only offered "latest" tags.

According to Splunk, this enhancement allows security teams to select specific versions of Splunk Attack Range components, ensuring greater stability and reproducibility in testing environments.

Users can now reference exact container versions in their deployments, making it easier to maintain consistent environments across different testing cycles and preventing unexpected changes when containers are updated. This versioning approach also facilitates easier rollbacks to previous configurations if needed, addressing a popular request from the Splunk Attack Range community.

For more information about this news, visit www.splunk.com.
