Verified Security Tests

Move from TTPs to VSTs to scale into production

Procedures - the P in the acronym Tactics, Techniques and Procedures - are commands that execute a focused action or behavior on a computer system. Procedures are commonly referred to collectively by the term TTP. Red and purple teams use TTPs today to run repeatable actions in development environments.

Security tests are production-ready versions of TTPs. Tests have characteristics that encourage scale and safety. Tests are the lifeblood of the Prelude ecosystem: you write them, verify them, publish them and ultimately deploy them into your development and production environments.

Tests can be enabled against any subset of your Detect probes by using the Prelude CLI.

Philosophy

Prelude's stance on security tests is that they should:

  • Answer a logical question
  • Have standardized output so you can make sense of the results at scale
  • Be structured in a way that supports extensibility into any type of device (beyond computers)
  • Contain the ability to reverse any effects the test created
  • Compile to a standard binary, so the source language is unimportant

Understanding the structure

Tests are broken into two components: metadata and source code.

Metadata

A VST centers on the idea that it should confirm or deny that the machine conforms to a rule. Rules, or truth statements, express what you want to know, in binary terms, about the machine under test.

An example test is shown here:

{
    "account_id": "prelude",
    "id": "39de298a-911d-4a3b-aed4-1e8281010a9a",
    "name": "Health check",
    "mappings": [
        "VSR-2023-1",
        "CVE-2021-40444",
        "T1015"
    ]
}

Each test can be referenced through its unique UUID.

Source code

Source code represents the programmatic way to answer your test question.

A test will eventually compile into a set of executable files (for applicable operating systems) which can be run either without arguments (to run the test) or with a clean argument to indicate you want to reverse the effects of the test. Compiled tests are called Verified Security Tests (VST).

Source code for the VST template is displayed below:

package main

import (
    // Prelude's endpoint package, which provides Start and Stop
    "github.com/preludeorg/test/endpoint"
)

// test runs the focused action the test asks about and reports
// its result as an exit code via Endpoint.Stop
func test() {
    Endpoint.Stop(100)
}

// clean reverses any effects test created and reports its own exit code
func clean() {
    Endpoint.Stop(100)
}

// Endpoint.Start runs test by default, or clean when the binary
// is invoked with the clean argument
func main() {
    Endpoint.Start(test, clean)
}

Note a few characteristics:

  • A test must contain test and clean functions, each of which exits with a specific code via Endpoint.Stop
  • Tests start via the Endpoint.Start function, which runs the test function by default and the clean function when the clean argument is supplied

Tests can contain as many debug statements as you'd like. These will print to stdout when the executable is run.
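To make the test/clean contract concrete, here is an added stand-alone Go example that is not Prelude's template or library: it reproduces the dispatch without github.com/preludeorg/test/endpoint. The marker file path, the run helper and the exit codes 100/101 are assumptions for illustration, not Prelude's own codes.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Marker file that test() drops and clean() removes, so the test is reversible.
// The path and the exit codes below are assumptions made for this example.
var marker = filepath.Join(os.TempDir(), "vst-example-marker.txt")
const (
	codeUnexpected = 1   // the test itself failed to carry out its action
	codeTestDone   = 100 // assumed code: the test action completed
	codeCleanDone  = 101 // assumed code: clean up completed
)

// test performs the focused action behind the test's question: can this
// process write a marker file into the temp directory? It returns the exit
// code that the wrapper hands to os.Exit (the role Endpoint.Stop plays).
func test() int {
	if err := os.WriteFile(marker, []byte("vst example\n"), 0o600); err != nil {
		fmt.Println("[test] write failed:", err) // debug output goes to stdout
		return codeUnexpected
	}
	fmt.Println("[test] wrote", marker)
	return codeTestDone
}

// clean reverses what test did. A missing marker is not an error: clean must
// be safe to run even when test never ran or was blocked.
func clean() int {
	if err := os.Remove(marker); err != nil && !errors.Is(err, os.ErrNotExist) {
		fmt.Println("[clean] remove failed:", err)
		return codeUnexpected
	}
	return codeCleanDone
}

// run mirrors the contract from the page: no argument runs test, the clean
// argument runs clean. It stands in for Endpoint.Start in this example.
func run(args []string) int {
	if len(args) > 1 && args[1] == "clean" {
		return clean()
	}
	return test()
}

func main() { os.Exit(run(os.Args)) }
```

Running the binary twice, once with no arguments and once with clean, leaves the temp directory as it was, which is the reversibility property the philosophy section asks for.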