Attack and Detect with Prelude Operator and Security Onion
2021-08-06, 09:30–11:00, Workshops Track 1

In this workshop, we’ll leverage Prelude Operator, an easy-to-use desktop platform for autonomous red teaming. With Operator, we can generate adversary profiles, complete with TTPs and goals, then deploy an “adversary”, evaluating our detection coverage against the MITRE ATT&CK framework using Security Onion, a free and open platform for intrusion detection, enterprise security monitoring, and log management. By providing network, host, and other types of data, Security Onion can provide a leg up to defenders, allowing them to track down their adversaries and make them cry.


This talk will go over the introduction of red/purple teaming, along with how individuals can emulate adversary actions, as well as track those actions across their enterprise, evaluating their detection coverage.

We'll first go over how a tool like Prelude Operator can be used to emulate these adversary actions, then learn how Security Onion can be leveraged to detect these actions and track our coverage across the MITRE attack framework.

Throughout the discussion the following tools will be introduced:

  • Prelude Operator - autonomous red-teaming platform, creating adversaries to test detection
  • Zeek - Policy-neutral NIDS
  • Suricata - Signature-based NIDS
  • Stenographer – Full Packet capture
  • Playbook - Detection development
  • ATT&CK Navigator - Track detection coverage
  • Strelka - File analysis
  • Osquery - Host-based monitoring
  • Wazuh - HIDS

Wes Lambert is the Director of Support and Professional Services at Security Onion Solutions, where he helps customers to implement enterprise security monitoring solutions and understand their computer networks. A huge fan of OSS projects, Wes loves to solve problems and enhance security using completely free and easily deployable tools.