Attack Simulations in Next-gen Cyber Ranges
As the threat intelligence landscape grows and evolves, so does the need for tools that help us defend against evolving threats.
Tools alone, mind you, will not be enough for us to defend our assets and keep our organizations operational. Organizations that manage to do it understand that there is more to Cyber Security than just having security controls in place. The goal posts are constantly being moved and to keep up with this, so must we.
Out of that need a plethora of tools and solutions were born, among which Breach & Attack Simulation (BAS) tools and solutions have become widely popular in the industry over recent years. Attack simulation refers to the ability to simulate the tactics, techniques and procedures (TTPs) of a threat actor. The business focus of most attack simulation tools and platforms is to provide a (semi-)automated means of obtaining the attacker’s view or perspective of the target organization.
While traditional vulnerability scanning technology focuses on the identification of system, network and application vulnerabilities, BAS solutions go the extra mile by simulating the different phases of the security kill-chain while at the same time providing recommendations on how to secure the target organization.
Most importantly though, a BAS solution would aim to see if the security controls of the organization have been correctly configured and if they are able to discover and catch attacks.
A good breach simulator would simulate, assess, and validate the most current attack techniques used by advanced persistent threats (APTs). This is of course not limited just to the techniques but also to the tools these threat actors would use.
An even better breach simulator would then leverage these attack behaviours against a standard, such as the MITRE ATT&CK Framework, to give you a better understanding of the progression path an APT would take by following every step in their attack – what is referred to as the Cyber Kill-Chain.
As we mentioned before, there are several tools out there and each one of these works a little bit differently. Below are some examples:
Infection Monkey – it allows you to automatically simulate an attack for credential theft, or check for compromised assets or misconfigured security controls, to mention a few of its features.
NeSSi2 – this tool focuses mainly on testing intrusion algorithms, network analysis and profile-based automated attacks.
AttackIQ – it allows you to customize attack scenarios to mimic real-world threats. It makes use of lightweight agents deployed at your endpoints.
Cymulate – it allows you to simulate attacks at every stage of the cyber kill-chain and reports back how well your security controls did. Like AttackIQ, Cymulate does this through the use of agents deployed at your endpoints.
Figure 1 – Sample visualization of a BAS solution (re-edited for image resolution from a vendor screenshot)
When looking at BAS solutions, it is important to understand how they actually work. What makes them sure that the results they get are not just false positives, and how do they really relate to the tools actually used by the organization’s SOC team?
Well, it turns out that they do this in a rather smart way. For instance, let us assume that we want to run an attack simulation using Cymulate and that, in a given scenario, we want to validate the following:
- Can we gain access to the assets (computers or devices connected to the network)?
- Can we escalate our privileges to gain more control?
- Are we able to infect the assets or endpoints?
- What about encrypting files to simulate a ransomware attack?
Of course, infecting production systems with live malicious code is never a good idea and it would set you back a lot more than help you prevent the attacks in the first place.
What BAS solutions generally do is to use agent-based technology deployed on production systems. Commands are then sent to the agents to perform certain attacks without actually using malicious code.
For instance, to check and see if we can gain access to a system and escalate privileges, what the agent will attempt to do is to see if we are able to open a window and type a message or open an app such as the calculator.
To check and see if we are able to infect a machine or deploy a payload, the agent will try to write files to the machine the agent is attached to. For the ransomware attack it would attempt to create a directory, write files to it and then encrypt these files. In essence, the BAS solution will attempt to emulate an APT behaviour through the actions it takes via the simulation.
Another matter to address is about understanding the effect that such attack simulations, managed and generated by the BAS platform, have on the security controls of the organization – what such controls are able to see and report to the end users. Remember, BAS solutions perform attack simulations directly on production systems and therefore it is important to understand what visibility we can obtain from such attacks.
Let us try to understand this point with an example. Let us assume that the BAS platform is trying to simulate a ransomware attack. The files that the BAS agent tries to write to disk on the production systems are harmless files that simply contain hashes of known malicious entities. This way, a SIEM might flag the files, if they are even allowed to be written to disk, while endpoint security controls deployed on the machines might quarantine the actual files.
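The visibility question above (does our tooling see the agent creating a directory, writing files and encrypting them?) comes down to a detection rule on endpoint file-write telemetry. The following is an added example, not code from the article or from any BAS or cyber range vendor: it replays constructed file-write events in a made-up schema and flags a process that rewrites several high-entropy files in a short window, while letting a slow, legitimate high-entropy writer (a backup job) pass.

```python
import math
from collections import defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written content; close to 8.0 looks encrypted or compressed."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# Constructed file-write events: (ts seconds, pid, image, path, bytes written).
# The schema is invented for this example; a real EDR or SIEM exports its own fields.
HIGH = bytes(range(256))                       # entropy exactly 8.0, stands in for ciphertext
LOW = b"quarterly figures, plain text " * 8    # ordinary document content

SAMPLE_EVENTS = (
    # BAS agent "encrypting" its own test directory: 6 files in 5 seconds
    [(100 + i, 4242, "bas_agent.exe", rf"C:\BASTest\doc{i}.txt.locked", HIGH) for i in range(6)]
    # normal user activity, low entropy
    + [(105, 1337, "winword.exe", r"C:\Users\ana\report.docx", LOW),
       (140, 1337, "winword.exe", r"C:\Users\ana\notes.docx", LOW)]
    # backup job writing compressed volumes, but only one every 100 seconds
    + [(200 + 100 * i, 2020, "backup.exe", rf"D:\Backup\vol{i}.zst", HIGH) for i in range(6)]
)

def detect_mass_encryption(events, min_files=5, window_s=30, min_entropy=7.0):
    """Alert when a single process writes >= min_files high-entropy files within window_s."""
    by_proc = defaultdict(list)
    for ts, pid, image, path, data in events:
        if shannon_entropy(data) >= min_entropy:
            by_proc[(pid, image)].append((ts, path))
    alerts = []
    for (pid, image), writes in by_proc.items():
        writes.sort()
        best, start = (0, 0, 0), 0
        for end in range(len(writes)):              # sliding time window over the writes
            while writes[end][0] - writes[start][0] > window_s:
                start += 1
            best = max(best, (end - start + 1, start, end))
        if best[0] >= min_files:
            alerts.append({"pid": pid, "image": image,
                           "files": [p for _, p in writes[best[1]:best[2] + 1]]})
    return alerts

if __name__ == "__main__":
    for a in detect_mass_encryption(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} {a['image']} rewrote {len(a['files'])} high-entropy files")
```

If the agent's directory is blocked by an endpoint control, no write events appear for it at all, which is exactly the second outcome the text describes and should be recorded in the simulation report alongside detections.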
Such events are monitored during the simulation and the BAS platform will then produce a report highlighting what attacks have been successful. The BAS platform will also check the log files of your SIEM, EDR or Vulnerability Management System. This is done through the integrations that are already built into the BAS platform. However, not all BAS platforms have the same reporting and integration capabilities. Some also offer an API that you can use should you wish to do something custom as well.
It is also worth mentioning that some BAS vendors also update their library as new threats emerge and have this leveraged against the MITRE ATT&CK Framework to give you better insights into the attack and the mitigation thereof.
Figure 2 – Sample BAS Threat Library (vendor screenshot)
As we mentioned earlier, the threat intelligence landscape is forever growing and evolving. So it is not a matter of running a simulation once and being done with it: by now you will understand that this has to be done regularly as new threats emerge, to validate your set-up and help mitigate what may be vulnerable, be it because a system lacks the latest software patch and is therefore exploitable, or because credentials have been stolen and the leak has not been detected, and so on.
Using a next-generation cyber range
A Cyber Range is a platform that allows for the development, delivery and use of interactive simulation environments. To take full advantage of such a platform the environments created should be an identical representation of an organization’s ICT/OT infrastructure.
Source: “Understanding cyber ranges: from hype to reality” (ECSO, March 2020)
This infrastructure replica takes the form of virtual machines (VMs) deployed on the cyber range fully configured with an organization’s suite of software and security controls in place.
A next-generation cyber range such as CYBER RANGES by Silensec can include any SIEM, SOAR, EDR or XDR solution that is in place in the organization and can automate the execution of attack simulations to quickly replicate current and relevant cyber threats. Attack simulations are then carried out on the cyber range using the real tools and malicious code as deployed by known threat actors, giving you a taste of the real experience your organization would go through when facing such a threat.
This is used for training and exercising across the entire detection, response and remediation cycle.
As such, an organization’s SOC team can choose to run attack simulations of known attacks or currently ongoing campaigns to measure their own capabilities in terms of their ability to detect the attacks and their remediation response time.
Using a cyber range, simulated attacks, user activities or any other kind of traffic by Internet or third-party services can be captured and analyzed as if they were happening there and then on the organization’s production systems.
Cross Cyber eXercise on CYBER RANGES – a simplified setting
What a next-generation cyber range adds to attack simulation
A next-generation cyber range like CYBER RANGES by Silensec has two key characteristics which distinguish it from traditional cyber ranges, and which greatly improve the attack simulation experience:
- Agent-Based Attack Simulation – Just like BAS solutions, next-generation cyber ranges use agent-based attack simulation to simulate attacks, but instead of doing it on production systems they do it in the sandbox environments simulated on the cyber range. Furthermore, the agent-based attack simulator is integrated with the cyber range itself, which, combined with the orchestration capabilities of the cyber range, greatly simplifies the execution, replicability and use of the attack simulations.
- A high level of orchestration and automation – In relation to cyber range environments and to virtualization technologies, orchestration refers to the technology responsible for the creation of automation workflows including the mass configuration, creation, modification and deletion of virtual machines. It is also responsible for the self-provisioning and automation of tasks between the virtual infrastructure and other cyber range components including, of course, any other systems interfacing with the cyber range.
In CYBER RANGES by Silensec, for instance, the attack simulator is provided by the CYBER RANGES Injector Engine, which allows the creation and customization of attack simulations using the same tools and malware used by the attackers. The CYBER RANGES Injector Engine provides various injection templates, from background traffic generation to post exploits to Malware. Any one of these can be selected from the repository and injected into a scenario. Complex attacks can also be combined into workflows to simulate the sequencing and timing of a real attack.
CYBER RANGES Injector Engine – an overview
Phishing attacks can be simulated and can be created with real malware attachments. In order to simulate global APT attacks, IP addresses can be used from IP pools known to be malicious and to have taken part in certain attacks and campaigns using threat intelligence feeds.
Once the attacks have been created and the APTs have been configured with the Injector Engine, the CYBER RANGES orchestrator takes care of automating the execution of the attacks in the simulated environment allowing the instructor to either watch those attacks unfold automatically or to seamlessly add live attacks in the course of a cyber exercise or security training session.
The combination of agent-based attack simulation and orchestration makes a next-generation cyber range such as CYBER RANGES by Silensec the ideal platform to train security professionals efficiently and at the pace of development of cyber threats and associated attack campaigns.
Attack Simulation: comparing BAS vs. attack simulation on cyber ranges
To recap, Breach-and-Attack Simulation solutions:
- Provide automated and configurable ways of testing attackers’ TTPs on production environments
- Are mostly audit tools
- Usually come with such features as:
  - Agent-based technology installed on production environments
  - An automated attacker’s view of an organization’s environment
  - Capture-the-flag-like tests, targeting key corporate computing assets
  - Recommendations on how to mitigate gaps
  - Mapping of assessment findings to the MITRE ATT&CK Framework
Attack Simulation via a cyber range aims at:
- Providing a sandboxed emulation of target environments
- Using real TTPs with real malware and C2 servers, etc.
- Training personnel across the entire detection, response and remediation cycle
In addition, a next-gen cyber range such as CYBER RANGES by Silensec offers:
- One-click execution of attacks and attack campaigns
- CTI-driven automation of attacks
- Execution of real attacks on a replica environment of the organization without affecting production systems
- Ability to assess incident response communications and collaboration and to assess organizational cyber resilience through repeatable up-to-date cyber drills.
The attack simulation domain is growing with offensive and audit solutions, often agent-based, but different use cases require different attack simulations. The table below summarizes the main take-away points of this article:
Source: Dr. Almerindo Graziano, Silensec (2021)
CYBER RANGES exercising with Attack & Use Traffic Simulation
To help users/instructors control training performance and monitor the achievement of learning objectives in exercises with attack simulation, a next-gen cyber range like CYBER RANGES offers integration via x-API for instance to a Learning Management System. This enables the planning and management of exercises, teams, and the tracking of participants’ progress, both as a team or individuals, in tackling both novel and advanced simulated attacks.
Gamification of the cyber range environment adds to the realism of simulated attacks and increases the participants’ engagement and encourages creativity. Thanks to how easy it is to generate new scenarios with new workflows and randomized injections the re-play value is at its greatest.
This way, participants are constantly faced with new challenges rather than just replaying the same scenarios over and over again, thus maximizing the ROI of deploying CYBER RANGES, which also happens to be the only range on the market to provide the full feature set in 4 different deployment options: cloud-based subscription, hosted, on-premise and portable.
Return on Investment in a next-gen cyber range solution
CYBER RANGES PORTABLE: delivering attack simulations where it matters (Next-Gen Ruggedized Deployment)
Dr. Al Graziano, CEO, Silensec | CYBER RANGES
Dr. Al Graziano founded Silensec in Sheffield (UK) in 2006, after a successful career as the course designer and then director of the first UK MSc. Information Security programme. An ISO 27001 certified cyber security company, Silensec has been delivering hands-on cyber drills to national CERTs/CSIRTs since 2014 in collaboration with the UN’s International Telecommunication Union. Silensec has developed the latest ITU Cyber Drill Framework. CYBER RANGES by Silensec is the only next-gen cyber range platform with its full feature set available on premises, on private and public cloud, and portable.
Silensec is a member of the European Cyber Security Organization (ECSO) and co-chairs the ECSO Working Group WG 5 on cyber ranges, cyber exercises and training, as well as sub-WG 5.1 (cyber ranges) and sub-WG 5.2 (education and training), furthering best practice in the area of cyber ranges and cyber exercises.
Silensec is also a Premium Partner of the Global Cyber Alliance (GCA), based in NY, London and Brussels and focused on cooperation between industries and governments in tackling cybercrime.
Ali Vonk, CMktr SCIP, Head of Cyber Intelligence, Silensec | CYBER RANGES
Ali Vonk has gained over 20 years of experience in cybersecurity and threat hunting, ranging from hunting threat actors to working with the authorities in the UK and providing intel to GCHQ.
Ali has worked across Asia, Scandinavia, Europe and the Middle East providing security consultancy services to private and government organizations. His work on threat intelligence has focused on the financial sector, telco, oil & gas (energy) and healthcare, where he provided training and services to such organizations as Nasdaq, Tele2, KPN and Shell.
In recent years Ali has contributed to cybersecurity awareness raising through writing and co-authoring articles with other threat intelligence researchers.
A speaker of Dutch, Danish, Swedish, Norwegian and Arabic, Ali holds a BSc. Hons in Computer Network Technology & IT from Manchester Metropolitan University.