December 15, 2022
This post is an expedited tutorial on automating security testing - at scale - across your infrastructure. If you are a red or purple teamer, or a penetration tester, you can use the methods described here to set up around-the-clock testing on your machines.
We've broken this workflow into four components: the Prelude CLI, probes, Verified Security Tests, and results.
The Prelude CLI is a developer utility to manage all things Prelude.
Get started by installing the CLI with pip install prelude-cli. Once installed, create a Prelude Account by entering prelude iam create-account.
Be sure to explore other CLI functionality through the --help flag: prelude --help, or read the full documentation.
A probe is a tiny (KB), ephemeral process that runs in RAM. It accepts security tests from Prelude, verifies and executes them, and sends results back to a central server. Probes are written in several languages to run anywhere code runs.
Start by registering an endpoint to run your probe on. You can do this in the CLI with the following: prelude detect create-endpoint <NAME>, where <NAME> can be any string. This will register your endpoint and provide a token.
Next, select an open-source probe from GitHub and follow the instructions for starting it. For example, if you have Go installed on your machine you can download Hades and run it with export PRELUDE_TOKEN=<TOKEN>; go run hades.go. The first command exports the token as an environment variable and the second starts the probe.
Sample a few probes in different languages to get a feel for where they can run. Run them on multiple machines and monitor their footprint.
Verified Security Tests (VSTs) are compiled binaries that have been built and tested against their target operating systems, so you can run them with a high degree of confidence.
From the CLI, you can list the tests your account comes with by default through prelude build tests. Select a test, such as “Health Check”, and enable it to run daily for all your probes using its test ID: prelude detect enable-test 39de298a-911d-4a3b-aed4-1e8281010a9a. (In fact, the Health Check VST is automatically enabled on all accounts.) Go back to your probe and restart it. Probes look for enabled tests every 4 hours and do nothing in the meantime.
Want to write your own VSTs? Build is a tool designed for security engineers and penetration testers to write custom VSTs. You can upload the credentials from your CLI to use the same account you’ve been using here.
When you execute a VST, a single number is generated. This number describes what occurred during the test to a high degree of granularity. Storing results in this way allows you to make sense of them at high scale and allows us to take the minimum telemetry off of the machine.
You can view the results from the CLI using prelude detect activity. Here you’ll see the number of tests that succeeded, failed, were detected by your defense or had an error.
Deploy more probes on more machines and enable additional tests to run. Check the results periodically and see if you can ascertain a trend.
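Once several probes report daily, the question becomes how to read the results over time rather than one run at a time. The script below is an added example, not Prelude's code and not its activity schema: it takes a constructed set of result records (endpoint, test ID, timestamp, status), reproduces the succeeded/failed/detected/error counts the activity view shows, and then looks for two things a defender wants from a trend: a test whose detection rate dropped between yesterday and today (a defense that stopped catching it), and an endpoint whose probe has gone silent for longer than two of the 4-hour polling intervals (a coverage gap). The numeric status codes, the second test ID, the endpoint names and the thresholds are all assumptions made for the example; the Health Check ID is the one quoted above.

```python
"""Aggregate constructed VST results into the counts the activity view
reports and look for trends across probes.

The record shape, status codes, endpoint names and sample data below are
constructed for this example; they are not Prelude's real activity schema.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# The four outcomes named in the post; the numeric codes are hypothetical.
STATUS = {0: "succeeded", 1: "failed", 2: "detected", 3: "error"}

HEALTH_CHECK = "39de298a-911d-4a3b-aed4-1e8281010a9a"  # test ID from the post
OTHER_TEST = "00000000-0000-4000-8000-000000000001"    # placeholder test ID
NOW = datetime(2022, 12, 15, 12, 0, tzinfo=timezone.utc)


def ts(hours_ago):
    """Timestamp `hours_ago` hours before NOW (for the constructed data)."""
    return NOW - timedelta(hours=hours_ago)


# Constructed activity records: (endpoint, test_id, timestamp, status code).
ACTIVITY = [
    ("web-01", HEALTH_CHECK, ts(2), 0),
    ("web-01", OTHER_TEST, ts(2), 2),
    ("web-02", HEALTH_CHECK, ts(3), 0),
    ("web-02", OTHER_TEST, ts(3), 1),
    ("db-01", HEALTH_CHECK, ts(26), 0),
    ("db-01", OTHER_TEST, ts(26), 2),
    ("web-01", OTHER_TEST, ts(27), 2),
    ("web-02", OTHER_TEST, ts(28), 2),
    ("web-02", HEALTH_CHECK, ts(28), 3),
]


def summarize(records):
    """Count results by status, as the CLI's activity view does."""
    counts = Counter(STATUS[code] for _, _, _, code in records)
    return {name: counts.get(name, 0) for name in STATUS.values()}


def detection_rate(records, test_id, start, end):
    """Share of a test's runs in [start, end) that the defense detected."""
    runs = [code for _, tid, when, code in records
            if tid == test_id and start <= when < end]
    if not runs:
        return None
    return sum(1 for code in runs if STATUS[code] == "detected") / len(runs)


def detection_regressions(records, window=timedelta(hours=24), threshold=0.25):
    """Tests whose detection rate fell by more than `threshold` between the
    previous window and the current one: defenses that used to catch the
    test and no longer do."""
    current_start = NOW - window
    previous_start = current_start - window
    flagged = {}
    for test_id in {tid for _, tid, _, _ in records}:
        before = detection_rate(records, test_id, previous_start, current_start)
        after = detection_rate(records, test_id, current_start, NOW)
        if before is not None and after is not None and before - after > threshold:
            flagged[test_id] = (before, after)
    return flagged


def silent_endpoints(records, max_age=timedelta(hours=8)):
    """Endpoints with no result inside two probe polling intervals (probes
    check in every 4 hours), i.e. machines that have dropped out of coverage."""
    last_seen = {}
    for endpoint, _, when, _ in records:
        last_seen[endpoint] = max(last_seen.get(endpoint, when), when)
    return sorted(ep for ep, when in last_seen.items() if NOW - when > max_age)


if __name__ == "__main__":
    print("totals:", summarize(ACTIVITY))
    print("detection regressions:", detection_regressions(ACTIVITY))
    print("silent endpoints:", silent_endpoints(ACTIVITY))
```

On the constructed data the totals come out as 3 succeeded, 1 failed, 4 detected and 1 error; the placeholder test is flagged because its detection rate fell from 1.0 to 0.5 between the two 24-hour windows, and db-01 is reported silent because its last result is 26 hours old. With real data the same two checks, run after each daily cycle, turn the raw counts into the trend the post asks you to look for.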
What we've shared is a guide to start scaling automated security testing. While we absolutely encourage organizations to continue using Build to author custom VSTs, Prelude’s internal team writes new security tests as threats emerge. Tests are released into Build and the CLI so you can use them quickly to test your defenses.