Comparison With Other Tools
Atomic Red Team by Red Canary
Atomic Red Team™ is a library of tests mapped to the MITRE ATT&CK® framework. Security teams can use Atomic Red Team to quickly, portably, and reproducibly test their environments.
In 2021, Atomic Red Team added support for Cloud TTPs.
At the time of writing, Atomic Red Team has only 4 TTPs for AWS:
- AWS CloudTrail Changes
- AWS - Create a group and add a user to that group
- AWS - Create Access Key and Secret Key
- AWS - Create a new IAM user
While Atomic Red Team is an awesome tool for endpoint security, it wasn't built specifically for cloud environments. In particular, it doesn't handle the prerequisite infrastructure and configuration necessary to detonate TTPs, and leaves that to the user. For instance, AWS - Create Access Key and Secret Key requires you to create an IAM user yourself before detonating the attack, and to remove it afterwards. Stratus Red Team packages this prerequisite logic, so you can detonate attack techniques without having to create any infrastructure or cloud configuration manually.
However, Atomic Red Team describes attack techniques in YAML, which makes it easier to add new TTPs, even outside the core Atomic Red Team repository.
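To make the difference concrete, here is the same technique (creating an access key on an existing IAM user) driven both ways. This is an added example, not code from Stratus Red Team or Atomic Red Team. It assumes the AWS CLI and the `stratus` binary are on PATH with credentials configured, and that `aws.persistence.iam-backdoor-user` is the technique ID `stratus list` reports for this TTP; the command runner is injectable so both flows can be recorded offline instead of touching a real account.

```python
"""Added example (not part of Stratus Red Team or Atomic Red Team): the same TTP
driven the Atomic Red Team way, where the prerequisite IAM user and its
teardown are your responsibility, and the Stratus Red Team way, where
warmup/detonate/cleanup package that logic.

Assumptions: `aws` and `stratus` are on PATH with credentials configured, and
`aws.persistence.iam-backdoor-user` is the technique ID `stratus list` shows
for "create an access key on an IAM user". `run` is injectable so the flows
can be recorded without executing anything."""
import json
import subprocess


def shell_run(argv):
    """Default runner: execute argv (no shell), raise on non-zero exit, return stdout."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def atomic_style(run=shell_run, user="atomic-test-user"):
    """Atomic Red Team way: create the prerequisite user, run the TTP, clean up.
    Ordering and failure handling are on you: keys must be deleted before the
    user can be, and teardown must still happen if the TTP step fails."""
    run(["aws", "iam", "create-user", "--user-name", user])  # prerequisite
    key_id = None
    try:
        out = run(["aws", "iam", "create-access-key",  # the TTP itself
                   "--user-name", user, "--output", "json"])
        key_id = json.loads(out)["AccessKey"]["AccessKeyId"]
    finally:
        if key_id:
            run(["aws", "iam", "delete-access-key", "--user-name", user,
                 "--access-key-id", key_id])
        run(["aws", "iam", "delete-user", "--user-name", user])


def stratus_style(run=shell_run, ttp="aws.persistence.iam-backdoor-user"):
    """Stratus Red Team way: warmup provisions the user, detonate creates the
    access key, cleanup reverts the detonation and destroys the user."""
    run(["stratus", "warmup", ttp])
    run(["stratus", "detonate", ttp])
    run(["stratus", "cleanup", ttp])


class Recorder:
    """Dry-run runner: records each command and fakes the one output parsed above."""

    def __init__(self):
        self.calls = []

    def __call__(self, argv):
        self.calls.append(" ".join(argv))
        if "create-access-key" in argv:
            # Fake AWS CLI output; the key ID is a placeholder, not a real key.
            return json.dumps({"AccessKey": {"AccessKeyId": "AKIADRYRUNEXAMPLE"}})
        return ""


if __name__ == "__main__":
    for flow in (atomic_style, stratus_style):
        rec = Recorder()
        flow(rec)
        print(flow.__name__ + ":\n  " + "\n  ".join(rec.calls))
```

Running the script with no arguments only records the two flows; pass the default `shell_run` (or call the functions without a runner) to execute them against an account you own.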
Leonidas by F-Secure (Nick Jones)
Leonidas is a framework for executing attacker actions in the cloud. It provides a YAML-based format for defining cloud attacker tactics, techniques and procedures (TTPs) and their associated detection properties.
While Stratus Red Team and Leonidas have similar goals, their implementation is fundamentally different.
- Leonidas is a fully-fledged web application you deploy in your AWS account using Terraform, and then a CodePipeline pipeline.
- Then, you use "Leo", the test case orchestrator, to hit the web API and detonate attack techniques.
- Leonidas allows describing TTPs as YAML, making it easier to extend than Stratus Red Team.
- Leonidas does not handle prerequisites for detonating attack techniques.
- The attack techniques implemented by Leonidas are very granular, meaning it can be challenging to implement detection for them. See for instance: STS Get Caller Identity
- Leonidas comes with a set of suggested threat detection rules. However, as its attack techniques are very granular, it is practically impossible to use them as-is in a real production environment, as they would trigger many false positives.
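The false-positive problem with very granular techniques can be shown on a handful of log records. The following is an added example, not code from Leonidas or Stratus Red Team: the events are constructed CloudTrail-style records cut down to the fields the rules read, the account ID and principals are fictitious, and the set of "high-impact" actions and the 15-minute window are choices made for the illustration.

```python
"""Added example (not part of Leonidas or Stratus Red Team): a rule written at
the granularity of STS GetCallerIdentity fires on routine usage, while the
same signal becomes useful as context for a higher-impact action.

The events are constructed CloudTrail-style records (fictitious account and
principals), reduced to eventTime, userIdentity.arn, eventSource, eventName."""
from collections import defaultdict
from datetime import datetime, timedelta


def event(time, arn, source, name):
    return {"eventTime": time, "userIdentity": {"arn": arn},
            "eventSource": source, "eventName": name}


ACCOUNT = "123456789012"  # fictitious
CI = f"arn:aws:sts::{ACCOUNT}:assumed-role/ci-deploy/build-42"
ALICE = f"arn:aws:iam::{ACCOUNT}:user/alice"
BOB = f"arn:aws:iam::{ACCOUNT}:user/bob"

# Constructed sample day: CI pipelines and an engineer doing routine work, plus
# bob's credentials being used to check "who am I" and then backdoor bob.
EVENTS = [
    event("2024-05-01T09:00:00Z", CI, "sts.amazonaws.com", "GetCallerIdentity"),
    event("2024-05-01T09:30:00Z", CI, "sts.amazonaws.com", "GetCallerIdentity"),
    event("2024-05-01T10:00:00Z", CI, "sts.amazonaws.com", "GetCallerIdentity"),
    event("2024-05-01T10:05:00Z", ALICE, "sts.amazonaws.com", "GetCallerIdentity"),
    event("2024-05-01T10:06:00Z", ALICE, "ec2.amazonaws.com", "DescribeInstances"),
    event("2024-05-01T11:00:00Z", BOB, "sts.amazonaws.com", "GetCallerIdentity"),
    event("2024-05-01T11:04:00Z", BOB, "iam.amazonaws.com", "CreateAccessKey"),
    event("2024-05-01T16:00:00Z", CI, "iam.amazonaws.com", "CreateUser"),
]

# Write actions an attacker typically chains after checking which identity
# they hold; an illustrative selection, not an exhaustive list.
HIGH_IMPACT = {
    ("iam.amazonaws.com", "CreateAccessKey"),
    ("iam.amazonaws.com", "CreateUser"),
    ("iam.amazonaws.com", "AttachUserPolicy"),
    ("cloudtrail.amazonaws.com", "StopLogging"),
}


def ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def is_recon(e):
    return e["eventSource"] == "sts.amazonaws.com" and e["eventName"] == "GetCallerIdentity"


def naive_rule(events):
    """Rule at the granularity of the technique: one alert per GetCallerIdentity."""
    return [(e["userIdentity"]["arn"], e["eventName"]) for e in events if is_recon(e)]


def correlated_rule(events, window=timedelta(minutes=15)):
    """Alert only when the same principal follows GetCallerIdentity with a
    high-impact write inside `window`; the recon event is context, not the alert."""
    by_principal = defaultdict(list)
    for e in sorted(events, key=ts):
        by_principal[e["userIdentity"]["arn"]].append(e)
    alerts = []
    for arn, evs in by_principal.items():
        recon_times = [ts(e) for e in evs if is_recon(e)]
        for e in evs:
            if (e["eventSource"], e["eventName"]) not in HIGH_IMPACT:
                continue
            if any(timedelta(0) <= ts(e) - r <= window for r in recon_times):
                alerts.append((arn, e["eventName"]))
    return alerts


def false_positive_ratio(alerts, known_bad_arns):
    """Share of alerts whose principal is not one of the known-bad ones in the sample."""
    if not alerts:
        return 0.0
    return sum(1 for arn, _ in alerts if arn not in known_bad_arns) / len(alerts)


if __name__ == "__main__":
    for name, rule in (("naive", naive_rule), ("correlated", correlated_rule)):
        alerts = rule(EVENTS)
        print(f"{name}: {len(alerts)} alert(s), "
              f"false-positive ratio {false_positive_ratio(alerts, {BOB}):.0%}")
```

On this sample the naive rule raises five alerts, four of them on legitimate CI and engineer activity; the correlated rule raises one, on bob's CreateAccessKey. The CI role's CreateUser six hours after its last GetCallerIdentity stays silent under the 15-minute window, which is the kind of tuning decision a detection engineer has to make once the technique itself is too generic to alert on.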
Stratus Red Team aims at being simpler to use (single binary) and does not require you to have prior infrastructure or configuration in your AWS account. Stratus Red Team focuses on a single thing: executing cloud attack tactics against a live environment, with minimal overhead. You can also use Stratus Red Team programmatically, from Go code, as a library.
Pacu by Rhino Security Labs
Pacu is an open-source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality.
Pacu is aimed at penetration testers and implements various enumeration and exploitation methods, some straightforward and some advanced. For instance, lambda__backdoor_new_roles creates a Lambda function and a CloudWatch Events rule so that every IAM role created in the account from then on is backdoored automatically. Pacu is meant to be run against existing AWS infrastructure.
Stratus Red Team is self-contained and does not necessitate prior infrastructure or configuration in your cloud environment. You can also use it programmatically, from Go code, as a library.
Amazon GuardDuty Tester
Amazon GuardDuty Tester is helpful to trigger GuardDuty findings. However, it is tightly coupled with GuardDuty and is a product-specific tool, even within the AWS ecosystem. If GuardDuty doesn't detect an attack technique, you won't find it there.
CloudGoat by Rhino Security Labs
CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool. It allows you to hone your cloud cybersecurity skills by creating and completing several "capture-the-flag" style scenarios.
CloudGoat is focused on spinning up vulnerable AWS infrastructure, so that you can exploit it to find a flag through a complete exploitation chain.
Use CloudGoat to: practice your AWS offensive security and enumeration skills.
Use Stratus Red Team to: emulate adversary behavior in AWS to validate your threat detection.