Halberd: The Open-Source Tool Democratizing Multi-Cloud Security Testing

October 2, 2024
Arpan Sarkar
Senior Security Engineer

In the ever-evolving landscape of cloud security, staying ahead of threats is like trying to hit a moving target while blindfolded. Security teams face a daunting challenge: how to consistently and effectively test security across multiple cloud platforms without breaking the bank or burning out your team. As cloud adoption accelerates, the need for accessible, comprehensive security testing tools has never been greater. Enter Halberd, the open-source security testing tool that's about to upgrade how we approach cloud security assessments.

At its core, Halberd aims to democratize security testing. We believe that everyone who wishes to perform security testing should be able to do so without constraints of available resources like skill sets, people, time, or budget. By providing an intuitive, accessible tool, Halberd empowers organizations of all sizes to take control of their cloud security testing.

Why Halberd? Because Cloud Security Shouldn't Be Rocket Science

Let's face it: testing cloud security across Entra ID, M365, AWS, and Azure can feel like juggling chainsaws while riding a unicycle. Each platform has its quirks, and piecing together a comprehensive security assessment often requires a hodgepodge of tools and scripts. Halberd aims to change that by offering a unified, intuitive interface for executing attack techniques across multiple cloud surfaces.

As I like to say, "Complex problems don’t need complex solutions." This philosophy is at the heart of Halberd's design.

Meet Halberd: Your New Favorite Security Testing Sidekick

Halberd is an open-source security testing tool that enables security professionals to proactively assess their cloud defenses. With its sleek web interface, Halberd makes executing complex attack techniques as easy as ordering a pizza online (minus the carbs and regret).

It's important to note that while Halberd is a powerful tool for security testing, it's not a replacement for a full-fledged red team exercise. Instead, it's designed to fill the gap where regular security testing might be lacking due to resource constraints or other challenges. Halberd empowers teams to perform frequent, targeted security assessments, complementing more comprehensive security strategies.

Screenshot of the interface of Halberd showing the TTPs

Halberd's Secret Sauce: Simplicity, Speed, and Effectiveness

  1. Simplicity: Halberd's intuitive UI means you won't need a PhD in rocket science to run advanced security tests.
  2. Speed: Deploy quickly and start testing faster than you can say "cloud misconfiguration."
  3. Effectiveness: Execute real-world attack techniques to identify security gaps before the bad guys do.

While Halberd is still in its early stages, it's already packing a punch with 80+ unique techniques across Entra ID, M365, AWS, and Azure. And like a fine wine or your favorite cheese, it's only going to get better with age (and community contributions).

What Sets Halberd Apart?

Halberd isn't here to replace your existing toolkit – it's here to supercharge it. While other tools might excel in specific areas, Halberd aims to be your one-stop shop for multi-cloud security testing. Its web interface makes it accessible to both seasoned pentesters and those just dipping their toes into the world of cloud security.

Easy Multi-Cloud Access Management

One standout feature is Halberd's access management. Managing access across multiple cloud platforms can be a nightmare, but Halberd simplifies it: you can establish, view, and manage access to each target environment (the testing identities and authenticated sessions your techniques run under) from one place. Centralizing this streamlines your testing by giving you clear visibility into which testing identity is in use against which environment.

Screenshot of Halberd showing simplified multi-cloud access management

Attack Playbooks with Automator

The Automator feature takes Halberd's capabilities to the next level. By creating attack playbooks, you can execute complex, multi-step attack scenarios with a single click. Need to test your incident response process? Create a playbook that simulates a realistic attack chain. The scheduling feature allows for repeated testing, so a control or detection that silently stops working is caught on the next scheduled run rather than discovered during a real incident. The ability to share and import playbooks means you can leverage the collective wisdom of the security community, easily implementing test cases developed by other experts.

But here's the best part: remember in school when copying homework was frowned upon? Well, in the world of Halberd, we encourage it! The ability to share and import playbooks means you can "copy" the "security homework" of other experts. So go ahead, use that brilliant playbook your colleague created - we won't tell. After all, why reinvent the wheel when you can borrow someone else's perfectly good one? Just remember to buy the original playbook creator a coffee sometime!

Under the hood, Halberd uses each platform's own APIs and client libraries to interact with the target cloud environment:

  • Microsoft Graph (Entra ID and M365)
  • AWS SDK for Python (boto3) (AWS)
  • Azure CLI and Azure SDK for Python (Azure)

This ensures that Halberd can perform deep, accurate testing across all supported platforms while presenting a unified interface to the user.

Reporting

Halberd's reporting capabilities are also particularly useful. The tool logs techniques executed during your testing sessions and generates a comprehensive, data-rich report. These reports provide:

  • An executive summary with key metrics, including total techniques executed, success rates, and testing duration
  • Detailed breakdowns of tactics and techniques used, with execution counts and success rates
  • Per-source analysis, showing which identities or systems were used to perform tests
  • Chronological logs of each technique execution, including timestamps, results, and targets
  • Visual representations of data through charts and graphs for easy interpretation

This level of detail transforms raw testing data into actionable intelligence, helping security teams quickly understand their cloud environment's strengths and weaknesses.
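As an added illustration of how the figures listed above can be derived from an execution log (this is not Halberd's own reporting code; the page describes what the report contains, not how the log is stored), the following Python computes the executive summary, the per-tactic, per-technique and per-source breakdowns, and the chronological timeline. The log schema (timestamp, tactic, technique, source, target, success) and the sample entries are assumptions constructed for the example.

```python
"""Turn a Halberd-style execution log into report figures.

Added example, not Halberd's code. The log schema and the entries in
SAMPLE_LOG are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed execution log for one short session. Deliberately not in time
# order, so the timeline step has real work to do.
SAMPLE_LOG = [
    {"timestamp": "2024-10-02T09:00:05Z", "tactic": "Initial Access",
     "technique": "EntraDeviceCodeFlowAuth", "source": "tester@contoso.example",
     "target": "Entra ID", "success": True},
    {"timestamp": "2024-10-02T09:01:10Z", "tactic": "Discovery",
     "technique": "EntraEnumerateApps", "source": "tester@contoso.example",
     "target": "Entra ID", "success": True},
    {"timestamp": "2024-10-02T09:03:40Z", "tactic": "Persistence",
     "technique": "GenerateAppCredentials", "source": "tester@contoso.example",
     "target": "app:ci-deploy", "success": False},
    {"timestamp": "2024-10-02T09:02:30Z", "tactic": "Privilege Escalation",
     "technique": "EntraAssignDirectoryRole", "source": "tester@contoso.example",
     "target": "Entra ID", "success": False},
    {"timestamp": "2024-10-02T09:05:00Z", "tactic": "Persistence",
     "technique": "EntraCreateBackdoorAccount", "source": "svc-halberd@contoso.example",
     "target": "Entra ID", "success": True},
    {"timestamp": "2024-10-02T09:06:15Z", "tactic": "Impact",
     "technique": "AzureExposeStorageAccountPublic", "source": "svc-halberd@contoso.example",
     "target": "storage:stcontosoexample", "success": True},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed log."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _rate(succeeded, executed):
    return round(succeeded / executed, 3) if executed else 0.0


def executive_summary(log):
    """Key metrics: technique count, success rate and wall-clock span."""
    stamps = [parse_ts(e["timestamp"]) for e in log]
    succeeded = sum(1 for e in log if e["success"])
    span = (max(stamps) - min(stamps)).total_seconds() if stamps else 0
    return {
        "total_techniques": len(log),
        "succeeded": succeeded,
        "success_rate": _rate(succeeded, len(log)),
        "duration_seconds": int(span),
    }


def breakdown(log, key):
    """Execution count and success rate grouped by `key`
    ('tactic', 'technique' or 'source')."""
    groups = defaultdict(lambda: {"executed": 0, "succeeded": 0})
    for e in log:
        g = groups[e[key]]
        g["executed"] += 1
        g["succeeded"] += int(e["success"])
    return {k: {**v, "success_rate": _rate(v["succeeded"], v["executed"])}
            for k, v in sorted(groups.items())}


def chronological(log):
    """Timeline of every execution, ordered by timestamp regardless of log order."""
    ordered = sorted(log, key=lambda e: parse_ts(e["timestamp"]))
    return [(e["timestamp"], e["technique"], e["target"],
             "success" if e["success"] else "failure") for e in ordered]


def build_report(log):
    """Assemble every section of the report from one log."""
    return {
        "summary": executive_summary(log),
        "by_tactic": breakdown(log, "tactic"),
        "by_technique": breakdown(log, "technique"),
        "by_source": breakdown(log, "source"),
        "timeline": chronological(log),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(SAMPLE_LOG), indent=2))
```

The per-source breakdown is the one to read first after a session: a technique that succeeds under one testing identity and fails under another usually points at a conditional access or role boundary rather than at the control you were trying to test.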

Test Early, Test Often: Your Cloud Will Thank You

Remember, folks: cloud security isn't a one-and-done deal. It's an ongoing process, like trying to keep your inbox at zero or maintaining a sourdough starter. Regular testing is key to staying ahead of threats, and Halberd makes it easy to incorporate security assessments into your routine.

Join the Halberd Revolution!

We're calling all cloud security enthusiasts, bug hunters, and anyone who's ever muttered "there's got to be a better way" while testing cloud environments. Give Halberd a spin, put it through its paces, and let us know what you think. And if you're feeling particularly inspired, why not contribute to the project? Together, we can make cloud security testing less of a headache and more of a... well, slightly smaller headache.

Halberd in Action: A Technical Deep Dive

Let's get our hands dirty and see Halberd in action. Here's an example of how simple it is to execute a technique:

  1. Navigate to the Attack page
  2. Select your target environment (e.g., Entra ID)
  3. Choose a tactic (e.g., Initial Access)
  4. Pick a technique (e.g., Establish Access via Device Code Flow)
  5. Configure the required technique parameters
  6. Hit "Execute Technique"

Screenshot of the attack console in Halberd
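To show what the technique picked in step 4 actually does on the wire, here is the OAuth 2.0 device authorization grant against Entra ID as an added example; it is not Halberd's implementation. The endpoints and error codes are the documented Microsoft identity platform v2.0 ones; the tenant, client ID and scope are parameters you supply, and the HTTP transport and sleep are injectable so the polling logic (pending, slow_down, declined, expiry) can be exercised offline.

```python
"""Device code flow sign-in to Entra ID.

Added example, not Halberd's code. Tenant, client_id and scope are caller
supplied; `post` and `sleep` are injectable for offline testing.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
DEVICE_GRANT = "urn:ietf:params:oauth:grant-type:device_code"


def http_post_form(url, fields):
    """Default transport: POST a form body and return the decoded JSON reply.

    The token endpoint reports pending/declined states as HTTP 400 with a
    JSON body, so an HTTPError is decoded the same way instead of raised.
    """
    body = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return json.loads(err.read())


def request_device_code(tenant, client_id, scope, post=http_post_form):
    """Step 1: obtain a device_code/user_code pair from the devicecode endpoint."""
    return post(f"{AUTHORITY}/{tenant}/oauth2/v2.0/devicecode",
                {"client_id": client_id, "scope": scope})


def poll_for_token(tenant, client_id, device_code, interval, expires_in,
                   post=http_post_form, sleep=time.sleep):
    """Step 2: poll the token endpoint until the user finishes signing in.

    Honours the server-chosen interval, backs off by 5 s on slow_down
    (RFC 8628) and gives up at expires_in. Any other error
    (expired_token, authorization_declined, bad_verification_code) is terminal.
    """
    token_url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    delay = max(int(interval), 1)
    deadline = time.monotonic() + expires_in
    while time.monotonic() < deadline:
        reply = post(token_url, {"grant_type": DEVICE_GRANT,
                                 "client_id": client_id,
                                 "device_code": device_code})
        if "access_token" in reply:
            return reply
        error = reply.get("error")
        if error == "slow_down":
            delay += 5
        elif error != "authorization_pending":
            raise RuntimeError(f"device code flow failed: {error}: "
                               f"{reply.get('error_description', '')}")
        sleep(delay)
    raise TimeoutError("device code expired before the sign-in completed")


def device_code_login(tenant, client_id, scope,
                      post=http_post_form, sleep=time.sleep, prompt=print):
    """Full flow: get the code, show the user where to enter it, poll for tokens."""
    code = request_device_code(tenant, client_id, scope, post=post)
    prompt(code.get("message") or
           f"Go to {code['verification_uri']} and enter {code['user_code']}")
    return poll_for_token(tenant, client_id, code["device_code"],
                          code.get("interval", 5), code.get("expires_in", 900),
                          post=post, sleep=sleep)


if __name__ == "__main__":
    import sys
    # Assumed invocation (needs network and a public client app id):
    #   python devicecode.py <tenant> <client_id>
    tokens = device_code_login(sys.argv[1], sys.argv[2],
                               "https://graph.microsoft.com/.default offline_access")
    print("token type:", tokens.get("token_type"), "scope:", tokens.get("scope"))
```

When you run the real technique against a test tenant, the checks worth making afterwards are whether the sign-in appears in your sign-in logs as a device code authentication, and whether any Conditional Access policy you expected to block or restrict device code sign-ins actually did.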

Halberd's range of techniques allows for comprehensive testing across various scenarios. For instance:

  • Privilege Escalation: Try assigning a directory role to a user in Entra ID or assuming a role in AWS.
  • Data Exfiltration: Test your DLP controls by attempting to exfiltrate data from an S3 bucket or user's mailbox.
  • Persistence: Simulate an attacker creating a backdoor account or inviting an external user to your Entra ID.

Halberd in Action: A Multi-Cloud Attack Scenario

Let's dive into a more complex, realistic scenario that demonstrates the power of Halberd's multi-cloud testing capabilities. Imagine you want to test your organization's defenses against a sophisticated attack that spans Entra ID, M365, and Azure. Here's how you might use Halberd to simulate this attack chain:

  1. Start by using Halberd's "EntraDeviceCodeFlowAuth" technique to simulate accessing Entra ID and M365 using compromised credentials.
  2. Next, leverage the "EntraEnumerateApps" technique to reconnoiter applications in your environment.
  3. Use "GenerateAppCredentials" to create new credentials for an overly permissive application you've identified.
  4. With these new credentials, employ "EntraEstablishAccessAsApp" to gain access as the application.
  5. Utilizing this elevated access, simulate creating a backdoor account with "EntraCreateBackdoorAccount".
  6. Escalate privileges by assigning Global Admin rights to this new account using "EntraAssignDirectoryRole".
  7. Switch gears to Azure, using "AzureElevateAccessFromEntraId" to grant the backdoor account the User Access Administrator role at the root scope of the tenant's Azure hierarchy, from which it can assign roles in any subscription.
  8. Further escalate in Azure by granting "Owner" rights with "AzureAssignRole".
  9. Finally, demonstrate the potential impact by exposing a Storage Account publicly using "AzureExposeStorageAccountPublic".

This attack path traverses multiple cloud services, demonstrating how a real-world attacker might pivot from initial access in Entra ID to ultimately compromising sensitive data in Azure. With Halberd, you can execute this entire chain of techniques seamlessly, without switching between different tools or interfaces.
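One check worth running before executing a nine-step chain like this is that every step's inputs are satisfied by a literal or by an earlier step's output, so the playbook does not fail halfway through with a backdoor account already created and no role to clean up by. The following is an added example, not Halberd's playbook format or Automator code: the technique catalog (which parameters each technique needs and yields), the step IDs and every literal value are assumptions constructed to mirror the nine steps above.

```python
"""Validate the parameter wiring of a multi-step playbook before it runs.

Added example, not Halberd's playbook schema. CATALOG and ATTACK_CHAIN are
assumptions constructed to mirror the nine-step scenario in the text.
"""

# Assumed catalog: technique -> (required inputs, outputs it yields).
CATALOG = {
    "EntraDeviceCodeFlowAuth": ({"tenant"}, {"access_token"}),
    "EntraEnumerateApps": ({"access_token"}, {"apps"}),
    "GenerateAppCredentials": ({"access_token", "app_id"}, {"client_id", "client_secret"}),
    "EntraEstablishAccessAsApp": ({"tenant", "client_id", "client_secret"}, {"app_token"}),
    "EntraCreateBackdoorAccount": ({"app_token", "upn"}, {"user_id"}),
    "EntraAssignDirectoryRole": ({"app_token", "user_id", "role"}, set()),
    "AzureElevateAccessFromEntraId": ({"user_id"}, set()),
    "AzureAssignRole": ({"user_id", "role", "scope"}, set()),
    "AzureExposeStorageAccountPublic": ({"storage_account", "resource_group"}, set()),
}


def ref(step_id, output):
    """Parameter value filled at run time from an earlier step's output."""
    return {"from": step_id, "output": output}


def validate_playbook(steps, catalog=CATALOG):
    """Return a list of problems; an empty list means the chain runs in order.

    Checks, in execution order: the technique exists, every required
    parameter is present, and every reference points at a step that has
    already run and actually yields the named output.
    """
    problems = []
    produced = {}  # step id -> outputs available once that step has run
    for position, step in enumerate(steps, 1):
        sid, tech, params = step["id"], step["technique"], step.get("params", {})
        where = f"step {position} ({sid})"
        if sid in produced:
            problems.append(f"{where}: duplicate step id")
        if tech not in catalog:
            problems.append(f"{where}: unknown technique {tech}")
            continue
        required, outputs = catalog[tech]
        for missing in sorted(required - set(params)):
            problems.append(f"{where}: missing parameter {missing}")
        for name, value in params.items():
            if isinstance(value, dict) and "from" in value:
                src = value["from"]
                if src not in produced:
                    problems.append(f"{where}: {name} references step {src}, which has not run yet")
                elif value["output"] not in produced[src]:
                    problems.append(f"{where}: step {src} does not produce {value['output']}")
        produced[sid] = outputs
    return problems


# The scenario from the text as a wired playbook. All literals are constructed.
ATTACK_CHAIN = [
    {"id": "auth", "technique": "EntraDeviceCodeFlowAuth",
     "params": {"tenant": "contoso.onmicrosoft.com"}},
    {"id": "enum", "technique": "EntraEnumerateApps",
     "params": {"access_token": ref("auth", "access_token")}},
    # app_id is a literal: the operator picks the over-permissive app from enum's results.
    {"id": "appcred", "technique": "GenerateAppCredentials",
     "params": {"access_token": ref("auth", "access_token"),
                "app_id": "11111111-2222-3333-4444-555555555555"}},
    {"id": "asapp", "technique": "EntraEstablishAccessAsApp",
     "params": {"tenant": "contoso.onmicrosoft.com",
                "client_id": ref("appcred", "client_id"),
                "client_secret": ref("appcred", "client_secret")}},
    {"id": "backdoor", "technique": "EntraCreateBackdoorAccount",
     "params": {"app_token": ref("asapp", "app_token"),
                "upn": "svc-backup@contoso.onmicrosoft.com"}},
    {"id": "ga", "technique": "EntraAssignDirectoryRole",
     "params": {"app_token": ref("asapp", "app_token"),
                "user_id": ref("backdoor", "user_id"), "role": "Global Administrator"}},
    {"id": "elevate", "technique": "AzureElevateAccessFromEntraId",
     "params": {"user_id": ref("backdoor", "user_id")}},
    {"id": "owner", "technique": "AzureAssignRole",
     "params": {"user_id": ref("backdoor", "user_id"), "role": "Owner",
                "scope": "/subscriptions/00000000-0000-0000-0000-000000000000"}},
    {"id": "expose", "technique": "AzureExposeStorageAccountPublic",
     "params": {"storage_account": "stcontosofinance", "resource_group": "rg-finance"}},
]

if __name__ == "__main__":
    for problem in validate_playbook(ATTACK_CHAIN) or ["playbook wiring OK"]:
        print(problem)
```

Running the validator on a chain with the backdoor-creation and role-assignment steps swapped reports the forward reference before anything touches the tenant, which is exactly the kind of mistake that otherwise surfaces only as a half-completed run.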

The beauty of Halberd lies in its ability to simulate such complex, cross-platform scenarios effortlessly. By providing a unified interface for testing across Entra ID, M365, Azure, and AWS, Halberd allows security teams to:

  1. Realistically emulate sophisticated, multi-stage attacks that span different cloud services.
  2. Identify potential weak points in cross-platform security configurations.
  3. Test incident response procedures across multiple cloud environments simultaneously.
  4. Streamline the testing process, reducing the time and complexity involved in comprehensive cloud security assessments.

Remember, while this example focuses on Microsoft services, Halberd's capabilities extend to AWS as well, allowing for even more complex multi-cloud attack simulations.

By leveraging Halberd to run such comprehensive tests, organizations can gain a holistic view of their cloud security posture, identifying and addressing vulnerabilities that might be missed when testing each platform in isolation. It's like having a Swiss Army knife for cloud security testing – versatile, efficient, and always ready for action.

Start Testing with Halberd

For more detailed information on Halberd's capabilities, installation instructions, and usage guides, be sure to check out the comprehensive Halberd wiki.

In the words of a wise security professional (me, just now): "Why spend hours cobbling together security tests when you could be sipping coffee and watching Halberd do the heavy lifting?"

So, what are you waiting for? Grab your Halberd and start hacking – ethically, of course. Your clouds will thank you, and who knows? You might even have a little fun along the way.
