BT3 (Blue Team Training Toolkit) is a Python-based toolkit designed for network analysis training sessions, incident response drills and red team engagements. Based on adversary replication techniques, and with reusability in mind, Blue Team Training Toolkit allows individuals and organizations to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk.
- Adversary Replication and Malware Simulation - BT3 includes the latest version of Encripto’s Maligno. This module is designed with a client-server architecture, and it allows you to simulate malware infections or targeted attacks with specific C&C communications in a safe manner. It is also shipped with multiple malware indicator profiles that ensure a “plug & play” experience, when planning and preparing a training session, incident response drill or red team engagement. Furthermore, malware indicator profiles can be developed easily, something that contributes to lower preparation costs and better cooperation.
- Network Traffic Manipulation and Replay - BT3 includes Encripto’s Pcapteller, a module designed for traffic manipulation and replay. Pcapteller can customize and replay network traffic stored in PCAP files. This allows you not only to re-create scenarios where computer attacks or malware infections occurred, but also to make it look like everything is really happening in your own network.
- Malware Sample Simulation - BT3 includes Encripto’s Mocksum, which provides access to a collection of files that mimic malware samples via MD5 hash collisions. The files downloaded via Mocksum allow you to simulate and plant realistic artifacts, without the risk of handling real malware. This is useful during training sessions, incident response drills and red team engagements. In a nutshell, these artifacts are harmless files that produce the same MD5 checksum as real malicious files. In many cases, the harmless artifacts also get detected by anti-virus software.
- Ease of Use and Flat Learning Curve - Information security tools usually implement their own options, syntax and commands. Mastering a tool can therefore take some time. To ensure usability from the first moment, BT3 uses an interactive command-line interface inspired by Rapid7’s Metasploit Framework (MSF). Since MSF is a tool well known to information security professionals, it makes sense to provide some degree of familiarity. This means that learning how to use BT3 should take minimal effort, and you will be able to focus on your training session, rather than figuring out how to use a new tool.
- Blue Team Cooperation and Network Traffic Reusability - On one hand, BT3 can contribute flexible malware indicator profiles that can be exchanged or distributed among organizations. It also helps you train with a high degree of realism, without needing to use real malware. On the other hand, BT3 offers a platform that improves efficiency by reducing preparation time and infrastructure costs. The ability to customize captured network traffic allows organizations to reuse and exchange PCAP files, while keeping a decent degree of realism. This reusability also ensures a better return on investment, since the network traffic of a training session can be customized and reused without setting up the whole original attack scenario.
- Powerful Resource for Red Teams - BT3 modules can assist with the production of network indicators, or decoys during a red team engagement. Let us consider advanced security assessments that result in access to the target’s internal network. In environments with tight network countermeasures and a (proactive) blue team in place, red teams must measure their movements across the target network, in order to fly under the radar. Occasionally, red teams may perform actions in the network that could draw a blue team’s attention. By using BT3 in combination with VPN pivoting, red teams can create a network diversion. In other words, they can make a blue team see ghosts, letting their red team hide in plain sight.
- Content Subscription - The Blue Team Training Toolkit has API powers. By creating a free content subscription account, you get access to training content ready for use. It includes realistic network traffic related to a wide range of network attacks, mock malware samples with hash collisions, as well as important malware indicator profiles. Get the training content you need, right at your fingertips! A BT3 content subscription user account provides access to both free and premium content. Premium content can be downloaded by using pre-paid credits directly from the BT3 command line interface. It follows a Personal or Enterprise license. By purchasing content credits, you get the most out of your cyber security training sessions, incident response drills and red team engagements. Content subscription is an optional feature in the Blue Team Training Toolkit. This means that BT3 can still be used in offline mode if desired, with the same experience as in version 1.x.
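As an added illustration of the traffic-customization step described in the Pcapteller item above (example code written for this page, not Pcapteller's own implementation), the following Python builds a small constructed pcap, rewrites selected IPv4 addresses in it, and recomputes the IPv4 header checksum so the replayed frames stay valid; the frame layout, IP addresses and MAC values are constructed assumptions.

```python
import struct
import ipaddress

PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # pcap 2.4, LINKTYPE_ETHERNET

def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the IPv4 header, with its checksum field zeroed first."""
    header = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_packet(src: str, dst: str, payload: bytes = b"constructed") -> bytes:
    """Constructed Ethernet/IPv4/UDP frame with constructed MAC addresses."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload   # UDP checksum 0 = not computed
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:] + udp

def to_pcap(frames: list) -> bytes:  # record header: ts_sec, ts_usec, incl_len, orig_len
    return PCAP_GLOBAL + b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))

def records(pcap: bytes):  # yield (record_header, frame) pairs after the 24-byte global header
    off = 24
    while off < len(pcap):
        hdr, incl = pcap[off:off + 16], struct.unpack("<IIII", pcap[off:off + 16])[2]
        yield hdr, pcap[off + 16:off + 16 + incl]
        off += 16 + incl

def rewrite_addresses(pcap: bytes, mapping: dict) -> bytes:
    """Replace IPv4 addresses listed in `mapping` ({old: new}) and recompute the IP header checksum."""
    packed = {ipaddress.IPv4Address(k).packed: ipaddress.IPv4Address(v).packed for k, v in mapping.items()}
    out = bytearray(pcap[:24])
    for hdr, frame in records(pcap):
        frame = bytearray(frame)
        if frame[12:14] == b"\x08\x00":     # EtherType IPv4; the IP header starts at offset 14
            for pos in (26, 30):             # source and destination address fields
                frame[pos:pos + 4] = packed.get(bytes(frame[pos:pos + 4]), frame[pos:pos + 4])
            ihl = (frame[14] & 0x0F) * 4
            frame[24:26] = struct.pack("!H", ipv4_checksum(bytes(frame[14:14 + ihl])))
        out += hdr + frame
    return bytes(out)

def endpoints(pcap: bytes) -> list:  # (src, dst, checksum_ok) per IPv4 frame, to verify a rewrite
    ips = [f[14:14 + (f[14] & 0x0F) * 4] for _, f in records(pcap) if f[12:14] == b"\x08\x00"]
    return [(str(ipaddress.IPv4Address(ip[12:16])), str(ipaddress.IPv4Address(ip[16:20])),
             ipv4_checksum(ip) == struct.unpack("!H", ip[10:12])[0]) for ip in ips]
```

Transport-layer checksums (TCP, and UDP when set) also cover the addresses through the pseudo-header, so a complete rewriter must recompute those as well; the constructed UDP packet leaves its checksum at zero, which IPv4 permits.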
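The Mocksum item above relies on MD5 collisions, which is exactly why a detection or triage pipeline should never confirm a match on MD5 alone. The following Python is an added example (not Mocksum's code) of an indicator matcher that separates a confirmed match from an MD5-only hit; the sample bytes and indicator records are constructed, and the mock artifact's shared MD5 is simulated rather than produced by a real collision.

```python
import hashlib

def digests(data: bytes) -> dict:
    """MD5 and SHA-256 of a file's bytes, the two values an indicator record should carry."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def classify(found: dict, ioc: dict) -> str:
    """Compare a file's digest record with one indicator record.

    confirmed : MD5 and SHA-256 both match, the file is the indicated sample
    md5-only  : MD5 matches but SHA-256 differs; a collision such as a planted
                Mocksum-style artifact, or a wrong indicator
    unverified: MD5 matches and the record carries no SHA-256 to corroborate it
    no-match  : neither digest matches
    """
    if found["md5"] != ioc.get("md5"):
        return "no-match"
    if not ioc.get("sha256"):
        return "unverified"
    return "confirmed" if found["sha256"] == ioc["sha256"] else "md5-only"

def triage(files: dict, iocs: list) -> dict:
    """Map each file name (given with its digest record) to its non-'no-match' verdicts."""
    report = {}
    for name, found in files.items():
        hits = [(ioc["name"], classify(found, ioc)) for ioc in iocs]
        report[name] = [h for h in hits if h[1] != "no-match"]
    return report

# Constructed data. The indicators are derived from a constructed 'real' sample; the
# mock artifact's digest record shares that MD5 (as a Mocksum collision file would)
# but carries a different SHA-256, because a genuine MD5 collision pair cannot be
# built inline here.
REAL_SAMPLE = b"MZ\x90\x00constructed-real-sample-bytes"
IOC_FULL = {"name": "constructed-ioc-full", **digests(REAL_SAMPLE)}
IOC_MD5_ONLY = {"name": "constructed-ioc-md5-only", "md5": IOC_FULL["md5"]}
MOCK_DIGESTS = {"md5": IOC_FULL["md5"], "sha256": hashlib.sha256(b"harmless mock").hexdigest()}
```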
Although BT3 is aimed at blue teams, it is also a powerful resource for red teams. In that context, BT3 modules can assist with the production of network indicators, or decoys, during a red team engagement. Let’s consider advanced security assessments that result in access to the target’s internal network. Such access could be obtained in multiple ways, for example by using social engineering against employees, by compromising weak internet-facing systems, or simply as the starting point if the engagement assumes compromise.