Features

How SaltStack can help both your redteam and blueteam

Your organization’s redteam and blueteam must work constantly to keep your networks secure. 

Your redteam must check to see if your security policies, procedures, and configurations work. Not just by running a penetration test, but by running various attack simulation campaigns on an ongoing basis. They may spend weeks pretending to be one type of cyber attacker or another. And when any change is made to your security policies, procedures, and configurations, they must audit, audit, and audit again.

Your blueteam must work constantly to responsively and proactively security harden your networks. Has a vulnerability been discovered by the redteam? Patch, remove or mitigate it. They may work with a security operations center, your redteam, or perhaps a purple team (both offensive and defensive) to find ways in which the security of your networks can improve. They must work in a continuous state of security hardening.

That’s an awful lot of work that must be constantly done! What if many of your blueteam and redteam’s tasks could be automated? Automation, when implemented properly, can free your human beings from doing tedious and unnecessary work, freeing them to focus on tasks that are best done by a living person. Enter SaltStack.

What is SaltStack?

SaltStack is a powerful automation framework that offers tremendous compatibility and flexibility. Its architecture is based on remote execution. Imagine remotely executing commands to hundreds of client machines at once! Or even just to one machine. 

The Salt Master is the interface for executing many modules and commands. Each connected client machine is referred to as a minion. (No minions memes, please.) Network connections between the master and its minions are strongly encrypted to help secure the entire process. If you prefer SSH, there’s even a Salt SSH “agentless” systems management channel you may use.

Developers have created a plethora of different modules that can be used with SaltStack. Anyone with the knowhow may develop their own modules because the application is opensource. Security practitioners who don’t code very much may still use various modules and scripts through SaltStack’s command-line interface to powerful effect.

The main Salt Master application is based on Linux. But there are also applications for Windows, VMware vSphere, and BSD Unix. SaltStack can remotely execute commands to a variety of devices with most major operating system platforms.

How SaltStack can accelerate your blueteam

Lots of businesses in a variety of industries use SaltStack to improve the efficiency and responsiveness of their security controls. One such case study is Liberty Mutual (LMI):

“For their first SaltStack project, The LMI network security team decided to use SaltStack event-driven detection and automation to auto-resolve firewall issues and maintain predefined security policies for over 150 Junos configuration options. By replacing inconsistent bash and shell scripts with unified SaltStack automation, the team eliminated over 100 lines of code per firewall and reduced the time to detect and resolve issues by 90%—from 20 minutes down to 2.”

Another novel blueteam use of SaltStack is from a company in a completely different industry, Sterling Talent Solutions. Stephan Looney, is Sterling Talent Solutions’ IT director.

He says:
“A significant reason for Sterling’s selection of SaltStack Enterprise was to empower night operations and the support desk with a SaltStack self-service portal. Stephan said, “SaltStack is extremely flexible and can be configured to automate just about any job. But this flexibility can be difficult for the less technical, Windows-oriented members of our team. And if the power of SaltStack ends up in the wrong hands, bad things can happen.“SaltStack Enterprise gives systems administrators the ability to create the automation routines and then make them available as a push-button job in the console only to those authorized to do the work. We’ve already done the work on the backend solving for the majority of NOC and support desk tasks. When we customize SaltStack to our needs and make it easily consumed by the appropriate people on the team, good things happen.” 

Are you familiar with Tenable’s vulnerability management applications? SaltStack can now work with them directly.

From February, in a press release about SaltStack Protect:

Andrew Johnson, Payroc’s information security manager, said, ‘SaltStack Protect integrated with Tenable.io substantially simplifies our ability to remediate infrastructure vulnerability at scale. The more we can break down tool and process-imposed silos that exist between our security and operations teams the more confident we become in our ability to truly secure IT. We’re looking forward to more SecOps innovation from the SaltStack team.’

SaltStack Protect 6.2 can now import Tenable.io vulnerability assessment scan results to intelligently automate vulnerability remediation. SaltStack Infrastructure automation integrated with world-class Tenable.io vulnerability management solution helps security and IT teams streamline vulnerability remediation. This integration helps speed security enforcement, reduces threats caused by imperfect infrastructure cyber hygiene, and allows security operations teams to effectively collaborate within an all-in-one, actionable vulnerability management and remediation platform.”

A variety of SaltStack applications, modules, and scripts can be utilized to make the work of your blueteam so much more responsive and powerful. If you can design it, you can automate it!

How SaltStack can accelerate your redteam

A lot of the activities of your redteam can be thought of as what your blueteam does but in reverse. Now that SaltStack Protect can import vulnerability scan results from Tenable.io, your redteam can run vulnerability scans from Tenable and send the results directly to your blueteam. Is SaltStack Protect the real purple team? Maybe so! The functionality is yours to explore.

SaltStack Enterprise can remotely execute pretty much whichever commands you’d like if you want your redteam to be able to perform security audits with greater efficiency and potency. From the Enterprise whitepaper:

“The SaltStack was originally built as an extremely fast and powerful remote execution engine, allowing users to execute commands asynchronously across thousands of remote systems in milliseconds. This remote execution capability allows SaltStack to act as a command and control abstraction layer so IT professionals can execute complex tasks across tens of thousands of diverse and heterogeneous systems with the click of a button. Using SaltStack remote execution, IT tasks that used to require three of your best engineers and a week to complete can now be performed in seconds by anyone on the team.”

Use your imagination, put your mind in the role of a cyber attacker, and see which attack scenarios you can design for your security testing.

Cyxtera uses the power of SaltStack in a way that can maximize the effectiveness of security audits that are targeted to specific compliance standards.

From the case study:

“Once they’ve defined their policies, the team can create target groups of machines across any of their 57 datacenters and scan them to quickly understand their current compliance status. For example, if an insurance customer is utilizing Windows servers in the San Jose data center, the SRE team can use the SaltStack targeting system to target specific machines and scan them against a pre-defined PCI profile. When the scan comes back it not only identifies vulnerabilities but provides the automation action SaltStack will take to remediate. This allows the team to verify and test the action before it is run.”

Depending on the situation, this can be more useful than run-of-the-mill penetration testing.

Can you imagine how massive the systems are that IBM Cloud has to test? SaltStack makes it simple and easy, rather than complex and overwhelming.

From the case study:
“Rather than set the upgrade orchestration sequence loose on a production network, the network team used SaltStack native, event-driven automation capabilities to build careful testing into the upgrade sequence. These tests would run within a controlled environment between each phase of the A/B upgrade. As each test passed, SaltStack software detects the event and deploys the next firmware upgrade automatically. While almost the entire process was performed autonomously, the SaltStack event bus allowed network engineers to monitor the process in real time and intervene if ever a test failed or a sequence timed out.”

As you can see, SaltStack can be just as useful from your redteam as it is for your blueteam. It’s all in the way that you use it!

Conclusion

Whether you’re redteam, blueteam, or even purple team, you really ought to explore how SaltStack can make your everyday tasks so much easier and more powerful.

SaltStack is built with Python, a language that’s well known for its simplicity and for its compatibility with all major platforms including all flavors of Linux, Windows, macOS, and BSD/Unix. An index of all of SaltStack’s modules are here.

Organizations large and small in a wide variety of industries have leveraged SaltStack to help secure their networks. Offer that power to your security teams and you can security harden in a responsive way, ready for the growing cyber threat landscape.

Also Sunayu has the practitioners and expertise to perform blueteaming and redteaming exercises for your business. Sunayu leverages SaltStack and other cutting edge technologies to help improve the security of your network against the latest and most destructive threats. Hiring experts to improve your security is always a worthy investment. Check out Sunayu and see what they can do for your organization!


Author: Kim Crawley