SoK: A Survey of Open-Source Threat Emulators

Zilberman, Polina; Puzis, Rami; Bruskin, Sunders; Shwarz, Shai; Elovici, Yuval

doi:10.48550/arxiv.2003.01518

Cited by 4 publications

(12 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…To address this issue, many solutions known as Automated threat emulators have been proposed. Zilberman et al [33] carried out an exhaustive analysis of the most popular threat emulators, ranked according to several criteria, e.g. coverage of the MITRE ATT&CK Enterprise Matrix [21].…”

Section: Actor Simulation Through Ai Techniquesmentioning

confidence: 99%

A next-generation platform for Cyber Range-as-a-Service

Orbinato¹

2021

Preprint

View full text Add to dashboard Cite

In the last years, Cyber Ranges have become a widespread solution to train professionals for responding to cyber threats and attacks. Cloud computing plays a key role in this context since it enables the creation of virtual infrastructures on which Cyber Ranges are based. However, the setup and management of Cyber Ranges are expensive and time-consuming activities. In this paper, we highlight the novel features for the next-generation Cyber Range platforms. In particular, these features include the creation of a virtual clone for an actual corporate infrastructure, relieving the security managers from the setup of the training scenarios and sessions, the automatic monitoring of the participants' activities, and the emulation of their behavior.

show abstract

Section: Actor Simulation Through Ai Techniquesmentioning

confidence: 99%

A next-generation platform for Cyber Range-as-a-Service

Orbinato¹

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…Adversary emulation is usually exercised in virtualized environments (cyber-ranges) and, in general, it encompasses time-consuming activities that engage human personnel (red teams). Several tools aim to automate adversary emulation [67], which offer automated procedures that implement APT techniques, as learned from threat intelligence sources. These tools typically automate actions for information gathering, lateral movement across hosts, connections to command-andcontrol servers, and privilege escalation.…”

Section: Introductionmentioning

confidence: 99%

“…In this work, we investigate a novel solution for adversary emulation with anti-detection capabilities, to avoid the previously mentioned "cat-and-mouse" game. We tested stateof-the-art solutions for adversary emulation (MITRE CALDERA [67] , Atomic Red Team [51], Invoke-Adversary [13]) and for antidetection (Inceptor [29]) against multiple AV/EDR products. We found that several malicious actions (and even the installation of the emulation agent) cannot evade detection, thus limiting the realism of emulated attacks.…”

Section: Introductionmentioning

confidence: 99%

“…ATT&CK [10] is a security framework introduced by the MITRE Corporation and has rapidly become the de facto standard in the security community. ATT&CK provides a detailed classification of the adversaries' tactics, techniques, and procedures (TTPs), organized as a matrix, continuously updated by observing and analyzing threat intelligence sources [56], [67]. Tactics describe why an adversary performs an action, and techniques describe how they do it.…”

Section: Introductionmentioning

confidence: 99%

“…In particular, we will refer to CALDERA [1], [42], an open-source adversary emulation tool developed by MITRE. CALDERA has gained popularity due to its feature-richness, maturity, and ease of setup and use [67]. In addition, it provides high coverage of TTPs of the MITRE ATT&CK framework.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Laccolith: Hypervisor-Based Adversary Emulation With Anti-Detection

Orbinato,

Feliciano,

Cotroneo

et al. 2024

IEEE Trans. Dependable and Secure Comput.

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) represent the most threatening form of attack nowadays since they can stay undetected for a long time. Adversary emulation is a proactive approach for preparing against these attacks. However, adversary emulation tools lack the anti-detection abilities of APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection to fill this gap. We also present an experimental study to compare Laccolith with MITRE CALDERA, a state-of-the-art solution for adversary emulation, against five popular anti-virus products. We found that CALDERA cannot evade detection, limiting the realism of emulated attacks, even when combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, thus making it suitable for realistic emulations.

show abstract

Analysis and Characterization of Cyber Threats Leveraging the MITRE ATT&CK Database

Al-Sada,

Sadighian,

Oligeri

2024

IEEE Access

View full text Add to dashboard Cite

MITRE ATT&CK is a comprehensive knowledge-base of adversary tactics, techniques, and procedures (TTP) based on real-world attack scenarios. It has been used in different sectors, such as government, academia, and industry, as a foundation for threat modeling, risk assessment, and defensive strategies. There are valuable insights within MITRE ATT&CK knowledge-base that can be applied to various fields and applications, such as risk assessment, threat characterization, and attack modeling. No previous work has been devoted to the comprehensive collection and investigation of statistical insights of the MITRE ATT&CK dataset. Hence, this work aims to extract, analyze, and represent MITRE ATT&CK statistical insights providing valuable recommendations to improve the security aspects of Enterprise, Industrial Control Systems (ICS), and mobile digital infrastructures. For this purpose, we conduct a hierarchical analysis starting from MITRE ATT&CK threat profiles toward the list of techniques in the MITRE ATT&CK database. Finally, we summarize our key findings while providing recommendations that will pave the way for future research in the area.

show abstract

SoK: A Survey of Open-Source Threat Emulators

Cited by 4 publications

References 0 publications

A next-generation platform for Cyber Range-as-a-Service

A next-generation platform for Cyber Range-as-a-Service

Laccolith: Hypervisor-Based Adversary Emulation With Anti-Detection

Analysis and Characterization of Cyber Threats Leveraging the MITRE ATT&CK Database

Contact Info

Product

Resources

About