Security tests
Identify your exposure to the latest threats
Security teams often work in the world of TTPs - or Tactics, Techniques and Procedures. Technically, a TTP is a payload or a sequence of commands that execute a focused behavior on a computer system.
This flexible definition means TTPs can create instability on an endpoint. Behaviors may generate new registry keys, unhook defensive controls, install utilities or perform more destructive actions like deleting files or entire user accounts.
Verified Security Tests (VST) are production-ready versions of TTPs. Tests have characteristics that encourage scale and safety, which are foreign concepts to traditional TTPs. Tests are the lifeblood of the Detect ecosystem: you write them, verify them, publish them and ultimately deploy them into your development and production environments.
What makes a test "Verified"? Prelude puts all tests through a robust testing process to verify their effectiveness and safety.
Read about our journey moving from TTPs to VSTs.
Philosophy
Prelude's stance on security tests is that they should:
- Provide default safety controls to avoid using high system resources.
- Reverse any effects the test had on the system.
- Exit with a granular code to easily understand what happened.
- Compile into a standard binary so the source language is unimportant.
Structure
Tests are broken into two parts: metadata and source code.
Metadata
Each VST has a JSON blob descriptor containing:
- account_id: the Prelude Account that owns the test
- id: a UUID to reference the test programmatically
- name: a short plain-text description
- unit: the endpoint component being tested
- advisory: the particular security advisory the test was coded against
An example is shown here:
{
  "account_id": "prelude",
  "id": "475a9cef-1326-49b4-b59a-d8072c007fd2",
  "name": "Lockbit Ransomware",
  "unit": "response",
  "advisory": "AA23-075A"
}
Source code
Source code represents the test implementation. Prelude tests are written in Go, which provides several niceties for authors:
- Default cross-platform support for most operating systems
- Built-in guardrails around memory safety
- Unique capabilities, such as the embed build flag, which are ideal for endpoint testing
Tests are compiled into a set of executable files through an advanced Compute process. This process validates the integrity of each test and prepares it for scheduling.
Source code for the Go test template is displayed below:
package main

import (
    // The module is imported under the alias "Endpoint", which is why the
    // calls below read Endpoint.Start and Endpoint.Stop rather than endpoint.*
    Endpoint "github.com/preludeorg/libraries/go/tests/endpoint"
)

// test holds the behavior being exercised; it must end with a granular exit code
func test() {
    Endpoint.Stop(100)
}

// clean reverses any effect test had on the system before the process exits
func clean() {
    Endpoint.Stop(100)
}

// Start runs test and then clean under the module's default safety controls
func main() {
    Endpoint.Start(test, clean)
}
Endpoint module
Each test inherits a set of functions from the open-source Endpoint module. This module supplies out-of-box approaches to common needs, such as reading and writing files or scanning the internal network. At minimum, each test should start with Endpoint.Start and exit with Endpoint.Stop.
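As an added example (not Prelude's code, and not using the Endpoint module), the standalone Go program below shows how the philosophy and template above fit together: the test runs under a resource deadline, clean always runs afterwards to reverse the test's effects, and the outcome is reported as a granular exit code. Exit code 100 is the template's value; the other codes and the marker-file path are constructed for this example.

```go
package main

import (
	"os"
	"path/filepath"
	"time"
)

// Exit codes. 100 comes from the page's template; the rest are constructed
// for this example and are not Prelude's real code table.
const (
	CodeTestDone    = 100
	CodeTimedOut    = 102 // constructed: deadline (safety control) hit
	CodeCleanFailed = 103 // constructed: effects could not be reversed
	CodeTestError   = 127 // constructed: test panicked
)

// marker is the artifact the sample test leaves behind (constructed path).
var marker = filepath.Join(os.TempDir(), "vst-example-marker.txt")

// Start mirrors the test/clean contract: run test under a deadline, recover
// from a panic, then ALWAYS run clean so the endpoint is left as it was found.
func Start(test func() int, clean func() error, limit time.Duration) int {
	done := make(chan int, 1) // buffered so a late test cannot leak
	go func() {
		defer func() {
			if r := recover(); r != nil {
				done <- CodeTestError
			}
		}()
		done <- test()
	}()
	var code int
	select {
	case code = <-done:
	case <-time.After(limit):
		code = CodeTimedOut
	}
	if err := clean(); err != nil {
		return CodeCleanFailed // a test that cannot be reversed is reported as such
	}
	return code
}

// test writes a marker file, the kind of endpoint change a real VST might make.
func test() int {
	if err := os.WriteFile(marker, []byte("constructed VST artifact\n"), 0o600); err != nil {
		return CodeTestError
	}
	return CodeTestDone
}

// clean removes the marker; a missing file is not a failure.
func clean() error {
	if err := os.Remove(marker); err != nil && !os.IsNotExist(err) {
		return err
	}
	return nil
}

func main() { os.Exit(Start(test, clean, 5*time.Second)) }
```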