Overview

./HAVOC is attack emulation infrastructure that's cloud-native and open source. Read on to learn more about what that means.

Background

Cybersecurity has progressed by leaps and bounds in the past decade, particularly in the areas of orchestration and automation. Unfortunately, the adversaries have made similar progress and it's critically important that as an industry, we exceed their pace. One of the most effective ways to do that is through constant testing and validation. We need to move past the days of quarterly pen-tests and adopt a framework that enables security testing and validation that is, at a bare minimum, as frequent as infrastructure updates.

It is the belief of ./HAVOC's creator that a proper security validation effort must emulate the full attack life-cycle in a manner that is consistent with how a sophisticated cyber-adversary would conduct the operation. This implies that replaying small samples of exploits and C2 traffic is not sufficient if the actual intent is to validate a security program's ability to identify and respond to an active advanced compromise scenario. Such validation requires comprehensive emulation of the advanced compromise scenarios one would wish to detect. For example, validating a security program's ability to detect an external adversary attempting to achieve "Domain Admin" from an internal, compromised host requires emulation of an attacker's post-compromise behaviors, which should be executed through an active tunnel that is terminated on an external C2 server that isn't easily blocked with URL filtering or detected by sloppy attack emulation missteps such as using self-signed certificates. If a true adversary can employ evasion techniques that bypass controls, then a proper security validation exercise will either employ similar evasions or begin at a starting point that assumes such controls have already been bypassed.

What is ./HAVOC?

./HAVOC is an attack emulation framework and platform that is cloud-native, meaning that the platform's infrastructure resides in the cloud (specifically, in your own AWS account). This lets you scale it up and down as needed while also providing a highly collaborative API that enables a team of security practitioners to develop attack automation, share work, track progress and build on each other's efforts. The base ./HAVOC platform provides the components needed to provision attacker infrastructure and services that match the level of sophisticated evasion an advanced adversary might employ, and it can do so in a manner that maintains a high level of operational security. In addition, the ./HAVOC API provides the ability to automate the provisioning and attack execution processes through the use of playbooks.

Security testing and validation campaigns are orchestrated through the ./HAVOC CLI or the ./HAVOC Python SDK (or via the REST API directly), which instructs containerized tasks to carry out their respective activities, with all results logged to a queue that is visible to all of the campaign's users.

But it's not limited to running in the cloud. With remote container tasks, attack tools and exploitable services can be deployed anywhere that containerized applications can run, providing the same level of security testing and validation as a cloud-hosted container task but without requiring servers and applications to be exposed to the Internet.