Timberlake is a tool we are releasing that helps to automate AWS attack simulations. It was originally designed to support our purple team operations here at Security Risk Advisors. In this blog, we will introduce the Timberlake tool and its functionality.
Overview
At a high level, Timberlake works by taking one or more test case definitions – a YAML document containing Python code – and executing them. These test cases can realistically cover any type of attack that can be performed using Python code, but the tool specifically caters to AWS-specific attack techniques and exposes primitive operations to users to support executing those attacks.
At the time of its initial development (mid-2021), the most compelling options for AWS attack automation were Atomic Red Team and Leonidas. These two projects served as the initial inspiration for the test case format.
Example test case:
Leonida provides the inline code in the test case file as well as noting useful metadata for users and Atomic Red Team provides a phased approach to execution (setup, execution, cleanup).
Timberlake can also integrate with another Security Risk Advisors tool, VECTR, to track its automated attacks alongside other exercises an organization may run. Timberlake will use the VECTR GraphQL API to create the test cases it performs as well as export a log of the attacks in the execution log format ATTiRE.
The following videos demonstrate the Timberlake workflow. The first video covers using the tool on its own and the second video covers using the tool with VECTR.
Design Intent
Timberlake is very much a batteries-excluded tool when it comes to the test cases themselves. It is designed to support making and executing test cases, not necessarily providing them directly. This is an important distinction as it also informs the future development of the tool, which will be primarily focused on changes like extending the primitive operations exposed to test case designers. This is opposed to the more common approach of providing a curated set of test cases users can execute; though, that is not to say we won’t provide such content. Further, providing a direct comparison to other tools is difficult. While Timberlake is a command-line tool, it effectively acts more like a library.
Repository
The Timberlake repository can be found here: https://github.com/SecurityRiskAdvisors/timberlake. Refer to the examples and documentation in the repository for more information. For questions/concerns, feel free to open an issue on the repo or reach out to me directly @2xxeformyshirt.
Evan Perotti
Evan specializes in technical security assessments including network penetration tests, purple teams, red teams, and cloud security. He has experience in a variety of industries including telecommunications, financial services, pharmaceuticals, and healthcare.
Evan maintains the internal SRA standards and methodologies for purple team projects.
Evan is a member of SRA’s internal Research and Innovation team where he works to research novel approaches to security problems as well as develop security tools and resources.