Analysis of automated adversary emulation techniques

Authors: Andy Applebaum, Doug Miller, Blake E. Strom, Henry Foster, Cody Thomas

Adversary emulation offers a concrete way to measure a network's resilience against an advanced attacker. Unfortunately, adversary emulation is typically a manual process, making it costly and hard to employ. Progress in automated adversary emulation techniques has only been lightly validated, and technique dependence on network properties has not been quantified. In this paper, we describe a simulation testbed designed to model attackers operating within a Windows enterprise network. Running a…
5 Citations
Automated Adversary Emulation for Cyber-Physical Systems via Reinforcement Learning
An automated, domain-aware approach to adversary emulation for CPS is developed using a Markov Decision Process (MDP) model to determine an optimal attack sequence over a hybrid attack graph with cyber and physical components and related physical dynamics.
Automated Adversary Emulation: A Case for Planning and Acting with Unknowns
Adversary emulation assessments offer defenders the ability to view their networks from the point of view of an adversary. Because these assessments are time consuming, there has been recent interest
Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix
A threat modeling language for enterprise security based on the MITRE Enterprise ATT&CK Matrix is proposed using the Meta Attack Language framework and focuses on describing system assets, attack steps, defenses, and asset associations.
Steps toward a principled approach to automating cyber responses
This research shows how to break the “curse of dimensionality” that makes these problems intractable by computing approximate solutions using a Monte Carlo online planner that incorporates a computationally feasible simulation of the cyber security problem.
Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames
This paper closes the semantic gap by making the attackers’ strategy an explicit machine-readable component of intrusion detection, and introduces the concept of semantic clusters, which combine high-level technique and tactic annotations with a set of events providing evidence for those annotations.


POMDPs Make Better Hackers: Accounting for Uncertainty in Penetration Testing
This work models the attack planning problem in terms of partially observable Markov decision processes (POMDPs) and devises a method that relies on POMDPs to find good attacks on individual machines, which are then composed into an attack on the network as a whole.
Intelligent, automated red team emulation
This paper creates a framework for automated red team emulation, focused on what the red team does post-compromise - i.e., after the perimeter has been breached, and uses an automated planner designed to accurately reason about future plans in the face of the vast amount of uncertainty in red teaming scenarios.
Attack Planning in the Real World
A complete PDDL representation of an attack model, and an implementation that integrates a planner into a penetration testing tool to automatically generate attack paths for penetration testing scenarios, and to validate these attacks by executing the corresponding actions against the real target network.
Simulated Penetration Testing: From "Dijkstra" to "Turing Test++"
Analyzing prior work in AI and other relevant areas, a systematization of the simulated pentesting model space is derived, highlighting a multitude of interesting challenges to AI sequential decision making research.
Cyber attack modeling and simulation for network security analysis
A simulation modeling approach is presented to represent computer networks and intrusion detection systems (IDS) to efficiently simulate cyber attack scenarios and is designed to test information fusion systems for cyber security that are under development.
Scalable, graph-based network vulnerability analysis
This paper revisits the idea of attack graphs themselves, and argues that they represent more information explicitly than is necessary for the analyst, and proposes a more compact and scalable representation.
A characterization of cybersecurity simulation scenarios
This paper characterizes cybersecurity scenarios along the nature of cyber systems with considerations for design and the type of actor with considerations of abilities, providing a clearer distinction compared to military-oriented LVC (Live-Virtual-Constructive) simulation characterization.
An overview of cyber attack and computer network operations simulation
A snapshot of the current state of the art in the simulation and modeling of cyber attacks and defensive responses to those, found in the open literature and conducted in the private sector, academia, and government.
Context Model Fusion for Multistage Network Attack Simulation
This work develops a simulation system that fuses four context models: the networks, the system vulnerabilities, the attack behaviors, and the attack scenarios, so as to synthesize multistage attack sequences.
Computational logic - CL 2000 : first International Conference, London, UK, July 24-28, 2000 : proceedings
Computational Logic: Memories of the Past and Challenges for the Future and ILP: Just Do It, a Denotational Semantics for First-Order Logic, Logic, Knowledge Representation, and Bayesian Decision Theory.