Replies: 2 comments
-
Hello, first off: I am only using CALDERA and I am not affiliated with MITRE in any form, so the following is only my experience/opinion.
Yes. CALDERA focuses on the emulation of attacks after the initial compromise. This means that an adversary has already gained access to the machine and established a RAT, i.e. the agent.
Again, yes. There are several adversary emulation tools (some free-to-use and open-source) out there. As far as I know, (at least almost) all of them require that any antivirus software is disabled. If everyone were able to use open-source tools that emulate attacks that are not even detected/blocked by antivirus software, we would have a really big problem.
That is correct. The same aspect as above applies to the necessary configurations for exploits to work. The exploits implemented in CALDERA are pretty straightforward but work exactly as they should. So, the simulated lateral movement does not automatically scan the target system, detect its vulnerabilities and exploit them. Instead, it is the implementation of a specific lateral movement exploit that assumes a specific scenario.
Some final words. I think CALDERA is a great tool and a great framework for adversary emulation, and many other adversary emulation or red team automation tools have the same drawbacks as you described.
-
I would add that CALDERA is great to test visibility for blue teams, in that you can emulate various techniques and then check the visibility of said techniques in the blue team's tools, make the necessary adjustments and run the same scenario again to check for further blind spots. Deactivating antivirus and other protections may seem like cheating from some perspectives, but you are not testing for vulnerabilities or successful penetration of your network; you are testing WHEN an attacker is already on your network and whether you are able to map its actions in a timely manner to be able to stop him from going deeper. This is how I see CALDERA and its usefulness.
-
Hello. I am a newbie and I need to understand the philosophy of Caldera. To use Caldera, I must necessarily assume that there are infected machines where an agent communicates with a C2 server. Also, my antivirus (Sophos) and Microsoft Defender intercepted a Caldera agent, so I had to disable both. Again, to simulate lateral movement, in the Caldera documentation I read that some ports must be opened on the target host. But these three aspects do not correspond to the real network configuration. In other words, I'm simulating attacks in a network where I had to generate vulnerabilities to make Caldera work (communication with a C2, antivirus disabled and some ports opened) that in reality are not normally present in my network. Actually, I have systems that try to avoid communication to a C2 server, as well as antivirus on the endpoints that prevents launching Caldera-like agents. I would expect to attempt attacks on my network as is to see if there are any problems. Where is my reasoning wrong? Thank you.