The Cybersecurity and Infrastructure Security Agency (CISA) has rolled out a free open source tool to help red teams and penetration testers more efficiently conduct their analysis, visualization, and reporting activities. The platform could help harmonize the necessary, but often boring, work of communicating results to clients and management, the US Department of Homeland Security (DHS) agency said.
The tool, dubbed RedEye, helps visualize command-and-control activities, allowing the teams to replay assessment actions rather than manually parsing log files to recreate events. CISA, along with the Department of Energy’s Pacific Northwest National Laboratory (PNNL), created the tool to meet its own internal needs but decided to publish the software to help other red teams and gather feedback and feature requests from the community as a whole.
“The open source release was centered around contributing to the global information security community,” a CISA spokesperson told Dark Reading. “Diversity and openness of thought makes products better for everyone, and getting community feedback and even ‘pull requests’ to contribute to the project make for compelling on-ramps into improvements and helping the community at large.”
A number of organizations have published significant security tools as open source software in the past year. In August, NetSPI released two adversary simulation tools, PowerHuntShares and PowerHunt, to help companies detect vulnerable network shares and manage their attack surfaces. In November 2021, Google published its ClusterFuzzLite software as open source, a program that allows application security specialists to run various fuzzing capabilities against their software. The company released two related tools, OSS-Fuzz and ClusterFuzz, in 2016 and 2019, respectively.
The RedEye project could be a boon to red teams, especially those at smaller companies and agencies that do not have the support of a development team to make internals tools, says Charles Henderson, global head of IBM Security’s X-Force team. By making a red team’s reporting and communicating tasks more efficient, the tool can open up more time to do as much red teaming as possible, he says. Daily tasks, such as data aggregation, collating data, and working on presentation all take a lot of time — time that could be better spent simulating attacks.
“We spend a lot of time in security creating tools that are really centered around the ‘cool’ parts of security — the stuff that gets presented at conferences,” Henderson says. “The truth of the matter is that we spend a lot of time in security on auxiliary functions, like reporting and the aggregation of data, which are — for lack of a better term — unsexy. To the degree we can start to decrease the time sink associated with those tasks, then we are going to be far better at security.”
RedEye can help red team members and executives understand the attack paths by creating visualizations of the entries in log files. The tool currently supports Cobalt Strike logs, but will expand to support telemetry from other red team toolsets, CISA said. The goal is to allow red team analysts to be able to better visualize and understand attempted and successful attack paths used during penetration tests and display that information clearly.
“This tool … allows an operator to assess and display complex data, evaluate mitigation strategies, and enable effective decision making in response to a Red Team assessment,” CISA said in the project documentation. “The tool parses logs, such as those from Cobalt Strike, and presents the data in an easily digestible format. The users can then tag and add comments to activities displayed within the tool.”
The tool will be useful for companies that utilize in-house red teams as well as penetration-testing services as a way to standardize reporting. IBM creates its own tools to handle such activities, but the company is a “fairly advanced shop,” says IBM Security’s Henderson. “You would be surprised how few tools are out there for folks that may not not have the development resources that we do.”
If RedEye becomes popular, it could help to standardize reporting formats and feature sets for reporting and analysis tools. However, CISA stresses that use of the tool is not a government requirement nor is it intended to be.
“While CISA is excited for the community to get the opportunity to use this tool on their own engagements, we trust that each red team will use the tools that meet their specific use case as they deem appropriate,” the agency spokesperson said. “RedEye can help augment the way in which offensive reports and evidence is presented to customers/clients, but it is not intended to drive universal alignment around a common standards.”
Not Another Tool for Nefarious Hackers
Adversary-attack simulation tools such as Cobalt Strike and Brute Ratel have grown in popularity, not only with defenders, but with attackers as well. While many tools created to help red teams and penetration testers are dual use, equally beneficial to the attacker as well as the defender, but RedEye really does not fall into that category, IBM Security’s Henderson says.
“Criminals have gotten much better at eliminating the time sinks in their operations and focusing on the return on their investments, and this is the first time in a long time that a tool is coming out that is focusing on efficiency gains for the defender,” he says. “I think that benefit to the stakeholders in security testing is going to be far more meaningful than any benefit that could be provided to criminals.”
The CISA spokesperson said CISA plans to add a roadmap for the tool’s development to the GitHub repository in the future, and specify which adversary-simulation tools it plans to support.