Making Red Teaming Easier: ASHIRT, An Open Source Tool For Operators
Note: Verizon Media is now known as Yahoo.
Face it. No one reads 80-page Red Team reports. Knowing that Yahoo’s Red Team uses ASHIRT.
The open-source tool aids the team in writing — and sharing — stories that focus on operational outcomes. And, most importantly, explain the success of attacker techniques!
Short for Adversary Simulators High-Fidelity Intelligence Reporting Toolkit, the software captures evidence, such as screenshots and videos, and seamlessly organizes them into a timeline.
To be clear, ASHIRT performs two discrete functions:
- It allows multiple operators to capture and place that evidence into a coherent timeline of events.
- It is an automatic synchronization point for different members and stakeholders to instantly get visibility into what is happening.
That’s right. No more dragging and dropping screenshots into a shared folder or document. No more saving recordings to a shared file folder. ASHIRT does it for you!
The software is a client desktop application that makes capturing evidence invisible.
Every time an operator takes a screenshot or recording, the software automatically tags and organizes that file according to who produced it and when it was produced.
As a result, product owners and engineers can access that shared timeline in their browsers. They can see IOCs and proofs of concept in the order in which they were discovered.
But what does ASHIRT do for Blue Teams? It improves collaboration — allowing network defenders to see exactly:
- What happened
- When it happened.
- And, perhaps, most importantly, how…
When the Blue Team wants to recreate an attack, structure a hunt, or build detections, Ashirt lays an easy-to-follow timeline to reference. One Paranoids’ network defender said, “It’s not quite being in the attacker’s shoes, but it’s pretty dang close.”
ASHIRT hasn’t just been a boon for stakeholders. It’s also sped up operations— the biggest stopgap to productivity in Red Teaming context switching and capturing evidence.
Since open-sourcing the software, Red Teams at several Red Teams at large companies, including those within technology, e-commerce, and financial services industries, have begun using the product.
What do you want me to do? We’re continuing to improve it, but today it meets our needs.
We want you to contribute — because your use cases may differ from ours.
__
About the Authors
John Kennedy leads the Paranoids’ Red Team. He’s a former senior incident response engineer at One Medical. He’s also fond of cats.
Joe Rozner is the Paranoids’ Director of Disruption Engineering. In that role, he leads a team of security and software engineers who disrupt the conditions that allow adversaries to succeed. He has over 14 years of experience in the tech industry.