.. role:: html(raw)
   :format: html

.. title:: Vectra Community AWS Attack Labs

.. toctree::
   :maxdepth: 2
   :caption: Stratus Red Team
   :name: _stratus_red_team
   :hidden:

   overview/overview
   installation/setup_instructions
   rationale/rationale
   aws_attack_simulation_exfiltration_ebs_snapshot/exiltration_ebs_snapshot
   aws_attack_simulation_steal_passwords_and_access_keys_stored_in_ssm/steal_passwords_and_access_keys_stored_in_ssm
   aws_attack_simulation_run_all_stratus_techniques/run_all_stratus_techniques

==================================
Stratus Red Team Attack Simulation
==================================

Stratus Red Team is "Atomic Red Team™" for the cloud, allowing emulation of offensive attack techniques in a granular and self-contained manner. The philosophy of the Stratus Red Team attack techniques is based on the following characteristics:

- An attack technique should be granular, emulating a single step of an attack.
- An attack technique should emulate actual attacker activity, based on plausible and documented behavior.
- Each attack technique should be self-sufficient, independent of the cloud environment state it runs against.

Stratus-red-team is excellent for conducting proof of value (PoV) engagements with prospects, as it offers a turnkey tool with minimal setup and execution instructions.
The open-source tool provides broad coverage and can simulate attacks on multiple cloud platforms, including AWS, Azure, and GCP.
Stratus attack techniques focus on specific end goals rather than simulating an attacker's comprehensive steps post-compromise. Each technique creates vulnerable resources, executes an attack against them, and then removes the resources. However, executing individual attack techniques may not always represent the complexity of real-world multi-step attacks. To address this, attack scenarios incorporating chained techniques and simulating attacker activity have been created for a more comprehensive and realistic assessment.
Regardless of how you choose to execute the attack techniques, numerous detections will be triggered across the cloud kill chain by Detect for AWS.
Objectives
==========

Validate the effectiveness of Detect for AWS in detecting and responding to security incidents in simulated attack scenarios:

- Improve the understanding of AWS cybersecurity concepts.
- Enhance the ability to communicate the security features and benefits of Detect for AWS to customers.
- Equip participants with practical knowledge to address customer concerns and questions about Detect for AWS.

Target Audience
===============

Security engineers who want to learn more about:

- Emulating actual attacker activity in AWS.
- How Detect for AWS detects malicious behavior based on attack behavior.
- Conducting proof-of-value engagements with prospects using the Stratus Red Team tool, which is turnkey and needs only minimal setup and execution instructions to run an assessment.

Duration and format
===================

The entire workshop takes approximately two hours to complete:

- Each exercise is standalone and does not depend on others.
- Create a separate IAM user with Administrator permissions for each attack simulation. This is recommended so that the activity of each simulation can be tracked and identified by attributing it to the corresponding user.

Agenda
======

Participants can execute all exercises or choose the ones of interest:

- Each exercise is accomplished by running a bash script.
- The script contains Stratus modules chained in a sequence to mimic real attacker behavior.
- After completing an exercise, navigate to the Detect for AWS demolab to view the detections generated by the simulated attack.
- To identify detections, search on the account prioritization screen using the IAM user that executed the attack simulation.

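The pattern behind the exercise scripts, as an added example that is not one of the lab's own scripts: each technique is run as warmup, detonate and cleanup, the whole chain runs under the dedicated per-simulation IAM user, and the identity is recorded so the detections can be matched on the account prioritization screen. It assumes the ``stratus`` and ``aws`` CLIs are installed and that ``AWS_PROFILE`` names the IAM user created for the simulation; ``STRATUS_DRY_RUN`` is a hypothetical switch added here to preview the command sequence, and the two technique IDs in the trailer are Stratus's own and are assumed to correspond to the two labs in the toctree above.

```shell
#!/bin/sh
# Added example (not one of the lab's own scripts): chain Stratus Red Team
# techniques under a dedicated per-simulation IAM user so that the detections
# raised in Detect for AWS can be attributed to that user.
# Assumes: the `stratus` and `aws` CLIs are installed, and AWS_PROFILE names
# the IAM user created for this simulation. STRATUS_DRY_RUN is a hypothetical
# switch used here to print the planned commands instead of running them.

# Execute a step, or print it when STRATUS_DRY_RUN=1.
run_step() {
  if [ "${STRATUS_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Record the IAM identity that performs the simulation; this is the value to
# search for on the account prioritization screen afterwards.
record_identity() {
  run_step aws sts get-caller-identity --query Arn --output text
}

# warmup (create the vulnerable resources) -> detonate (run the technique)
# -> cleanup (remove the resources). Cleanup always runs, even when detonate
# fails, so no deliberately weak resources are left behind in the account.
run_technique() {
  rc=0
  run_step stratus warmup "$1" || return $?
  run_step stratus detonate "$1" || rc=$?
  run_step stratus cleanup "$1" || rc=$?
  return "$rc"
}

# Run the techniques in the given order, stopping at the first failure.
run_chain() {
  record_identity || return $?
  for technique in "$@"; do
    run_technique "$technique" || { echo "failed: $technique" >&2; return 1; }
  done
}

# Stratus technique IDs assumed to correspond to the two labs in this toctree:
#   aws.exfiltration.ec2-share-ebs-snapshot
#   aws.credential-access.ssm-retrieve-securestring-parameters
# Usage: STRATUS_DRY_RUN=1 sh chain.sh <technique-id> [<technique-id> ...]
if [ "$#" -gt 0 ]; then
  run_chain "$@"
fi
```

Run it once with ``STRATUS_DRY_RUN=1`` to confirm the planned sequence before executing it in the lab account.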
Evaluation
==========

When evaluating the account detections raised by the attack simulations and investigating the findings further, it is recommended to follow the investigation workflow:

- Start with a prioritized account on the Respond page.
- Analyze the account's detections on the Account Detections page.
- Perform an in-depth investigation using Instant Investigations.
- Conduct Advanced Investigations.

This approach allows for a comprehensive examination of the detected incidents, enabling the identification of potential threats and the implementation of appropriate response measures.