Top 5 reasons Atomic Red Team is for the 99% + 1%
I recently listened to a Red Canary sponsored Risky Business podcast. The topic was Atomic Red Team. A term kept being tossed around: that attacker emulation is for the security 1%. Now, maybe I am reading into it too much, but since July 6th I can’t stop thinking about it. The podcast points out that the goal of ART is to provide attacker emulation to the 99%, but I think that premise is flawed. ART is _already_ adversary emulation for the 99% and the 1%, too. Nonetheless, the discussion is predicated on “attacker emulation is for the security 1%”. It’s a common misconception and I’d like to explain why it’s wrong.
Now, let’s go back in time to 2016–2017, when Breach and Attack Simulation was not really a _thing_ yet, or had not been truly defined. Atomic Red Team, originally named Bookish-Happiness (thank you, GitHub, for random names), was used to help with Red Canary evaluations. Why? It was briefly mentioned in the podcast. This is how it went. Back in late 2016 and early 2017 (coming up on June 2017, when it went public on GitHub), I was doing a good amount of customer- and prospect-facing engagements and listening to what they were going to do for “testing Red Canary’s detection capability”. Typically, this meant: download a random boatload of malware and run it. Cool, if you’re testing AV. But RC isn’t AV. We were there to detect what bypasses your AV. What better way than to talk about adversary tradecraft and what is being used in the wild? Now, many prospects were small/medium businesses. They had no security team, didn’t know what “fileless malware” was, had just read some blogs, saw bad things, and wanted to detect it. Good on them for caring. BUT, how do we provide a better example than running random malware? Enter Bookish-Happiness.
Bookish-Happiness, now known as Atomic Red Team, provided simple copy-and-paste execution, and on the other end, what did Red Canary see? Actually, what did any of the products in your stack see? Customers and prospects loved this. Without it, some small organizations generated zero detections. With Atomic, we could provide them with a solid timeline (detection) that showcased how Red Canary writes up an event.
Here are some of the original commits in ART that showcase how it was used:
Literal copy and paste. Run the thing; what happened? Go find the behaviors.
And it grew and grew from there.
Summer 2017 was a great time for these tools. Atomic took off. Uber METTA was happening; so much was going on in this space. Everyone wanted to validate their vendors’ claims.
Fast forward to now, how many of these enterprise products use Atomic Red Team?
I always envisioned Atomic being the central repo of atomic testing for all these products. Want more history? Here’s the 1-year blog: https://redcanary.com/blog/atomic-red-team-1-year-lookback/
Casey and I would joke on Atomic Fridays, or on any presentation of Atomic, that Atomic Red Team is the El Camino of testing. Is it a truck? Is it a car? It does everything.
I know you are here for the Top 5 reasons, but you got some history instead. Here are the top 5 reasons Atomic Red Team is for the 100%.
Top 5 Reasons to use Atomic Red Team
1. Atomic Red Team is free
ART is free. Anyone can contribute. You can fork it and use it on a private internal repo with specific Atomics. It’s simple and easy to understand. On top of it all, there are multiple free execution frameworks.
Over the years I have heard from vendors who have said customers love using Atomic to validate the MSSP is still active. I also have heard many say they missed testing and it helped them build better coverage.
As a consumer, it’s easy to get and use Atomic and validate your products. There is not a lot of fluff and no sales pitches to use Atomic.
The simplest form of Atomic is to copy and paste a test. It doesn’t require a SIEM, SOAR, or XDR. Use what you have, identify the gaps, report up, and move forward.
2. Atomic Red Team is educational
This excites me. ART is meant to help anyone at any level get going in Red Teaming or Blue Teaming. It’s meant to be used, again, as a copy-and-paste tool or via remote execution against multiple hosts. Carrie has been doing an amazing job evangelizing Atomic Red Team with a sweet course.
I know many folks out there who use Atomic to better understand a technique without requiring a SIEM/XDR/SOAR. I also know folks who are breaking into the industry (college level) and want to understand how this all comes together. Recently, I added a test related to Raspberry Robin and this dropped:
Why run malware when you can build a Chain Reaction of Atomics and see how it really goes down?
Take the training, submit some tests, and put Atomic Red Team on your resume. You may not be an _expert_ (who is?), but you learned something! That is what matters here!
3. Extend and Integrate
As mentioned before, you can take the Atomics and do whatever you want with them. It’s all been YAML-ized. Want to integrate with an enterprise tool? Simple. Want to build a Python or Go runner for Atomics? Consume! Back to education: use this project at your school to share how you built something that uses ART. Check out the Atomic GUI.
Want to go deeper in your testing? Check out AtomicTestHarnesses.
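As an added example of the "build your own runner" idea above (this is not code from the Atomic Red Team project), here is a minimal Python dry-run renderer for the Atomic YAML test shape: it resolves `#{arg}` placeholders from `input_arguments` defaults and overrides, filters tests by `supported_platforms`, and returns the command that would run without executing anything. The sample technique, its test names, and the `render_test`/`dry_run` functions are constructed for this illustration; the sample is written as the dict `yaml.safe_load` would return for a technique file, so it runs without PyYAML.

```python
import re

# Constructed sample shaped like an Atomic Red Team technique file, written as the
# dict yaml.safe_load would return for it (not a test from the project itself).
SAMPLE_TECHNIQUE = {
    "attack_technique": "T1033",
    "atomic_tests": [
        {
            "name": "Current user identity (constructed)",
            "supported_platforms": ["windows"],
            "input_arguments": {
                "extra_flags": {"description": "whoami flags", "type": "string", "default": "/all"}},
            "executor": {"name": "command_prompt", "elevation_required": False,
                         "command": "whoami #{extra_flags}\n"},
        },
        {
            "name": "Current user identity on Unix (constructed)",
            "supported_platforms": ["linux", "macos"],
            "executor": {"name": "sh", "elevation_required": False, "command": "id; whoami\n"},
        },
    ],
}

PLACEHOLDER = re.compile(r"#\{([A-Za-z0-9_]+)\}")  # the #{arg} syntax used by Atomic tests


def render_test(test, overrides=None):
    """Resolve #{arg} placeholders in the executor command without executing anything.
    Fails closed: an undeclared override or an unresolved placeholder raises."""
    args = {k: spec.get("default", "") for k, spec in test.get("input_arguments", {}).items()}
    for key, value in (overrides or {}).items():
        if key not in args:
            raise ValueError(f"unknown input argument {key!r} for {test['name']!r}")
        args[key] = value
    command = PLACEHOLDER.sub(lambda m: str(args.get(m.group(1), m.group(0))),
                              test["executor"]["command"])
    if leftover := PLACEHOLDER.findall(command):
        raise ValueError(f"unresolved placeholders {leftover} in {test['name']!r}")
    return command.strip()


def dry_run(technique, platform, overrides_by_test=None):
    """Plan the tests that apply to `platform` as (name, executor, needs_elevation, command).
    Reviewing this plan precedes any execution; the command is what detections key on."""
    plan = []
    for test in technique["atomic_tests"]:
        if platform not in test.get("supported_platforms", []):
            continue
        ex = test["executor"]
        cmd = render_test(test, (overrides_by_test or {}).get(test["name"]))
        plan.append((test["name"], ex["name"], bool(ex.get("elevation_required")), cmd))
    return plan
```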
4. Vendor Testing
Atomic Red Team provides the quick win of validating your controls and managed vendors. Grab the latest DFIR Report, combine some Atomics, and run them. Were they captured in your lab? What was missing in the MSP response?
I have met a few teams who have Atomic integrated deeply with their SOC or MSSP.
5. Everyone is Atomic
Atomic Red Team has always been about everyone. It was never meant for ONLY the 1% in the industry, but for everyone. This is a community project used by some very large Fortune 100s and by organizations with fewer than 100 employees.
Thank you for reading this far. I know I most likely misinterpreted this whole thing, but at the end of the day, we got a nice top 5 blog out of it!
PS: and just because, ask Red Canary to put this logo on stickers and shirts.
Happy Hunting!
Edit: Patrick Gray of Risky Business dropped an assist on the beginning, as I quoted a quote that was not real but a true misinterpretation of the podcast. Along with Adam and Brian. Really appreciate the clarity and guidance.