=Paper= {{Paper |id=Vol-3056/paper-10 |storemode=property |title=Cyber Range Automation, a Bedrock for AI Applications |pdfUrl=https://ceur-ws.org/Vol-3056/paper-10.pdf |volume=Vol-3056 |authors=Leonardo GAVAUDAN,Swann LEGRAS,Véronique VENTOS }} ==Cyber Range Automation, a Bedrock for AI Applications== https://ceur-ws.org/Vol-3056/paper-10.pdf
Cyber range automation, a bedrock for AI applications
Leonardo Gavaudan¹, Swann Legras¹ and Véronique Ventos¹
¹ NukkAI, 75013 Paris


Abstract
This paper proposes an automated solution for conducting cybersecurity research. It shows how automation can improve the foundations of cybersecurity research, and consequently facilitate and bolster the development of artificial intelligence applications. The challenges that cybersecurity researchers face are discussed, as well as what automation offers to tackle them at three different stages: provisioning, configuration, and attack simulation.

Keywords
cyber range, security automation, security testing, adversary emulation, threat hunting, infrastructure-as-code



1. Introduction

Over the last few years, the pace of cyber attacks has accelerated markedly, and their complexity and reach have grown relentlessly. The 2020 SolarWinds attack, estimated to have infiltrated thousands of organizations, among them United States government systems, is perhaps the best example of the trend. From the start of 2020, the following major attacks can already be named: SolarWinds, Colonial Pipeline, JBS, Microsoft Exchange Servers. The growing recognition of the need for artificial intelligence applications in cybersecurity research, in order to respond to the increased complexity and frequency of these attacks, is paralleled by the lack of a good ecosystem in which they can flourish. The current cybersecurity research process is largely manual, and is not well suited to artificial intelligence development.

According to the European Defense Agency, a cyber range is "a multipurpose environment in support of 3 primary processes: knowledge development, assurance and dissemination" composed of "three complementary functionality packages": a Cyber Research Range (CRR), a Cyber Simulation & Test Range (CSTR), and a Cyber Training & Exercise Range (CTER)[1]. Cybersecurity researchers who want to study a particular attack or technique commonly end up realizing just how arduous the process of setting up such a cyber range is. Cybersecurity professionals looking to get started with AI development, and AI researchers looking to develop applications, are confronted with the same problem. Without access to both a repository of good datasets and a system to keep it up to date, developing production-ready, up-to-date and advanced AI applications remains an extremely difficult task. An automated cyber range is a cyber range where the deployment and configuration of the infrastructure, and the initial installation of red teaming tools, are automated. With its setup automated, cybersecurity and AI researchers can focus on studying the core of an attack and building AI applications, rather than having to worry about the underlying groundwork.

Given that the bottleneck to AI research and development is a lack of good datasets, the aim of this paper is to illustrate an automated cyber range platform that researchers can use to easily generate and access high quality and diverse attack simulation datasets. The contribution of this paper is to showcase how and why existing open source technologies can be assembled to build an end to end platform solution for cybersecurity automation. The paper justifies the choice of each component of the solution. More importantly, it compares the platform solution as a whole to the current state of practice for end to end automation solutions. As much as this paper is an abstract and theoretical explanation of cybersecurity automation, it is also a practical guide. That is why the paper instantiates the proposed solution through an advanced persistent threat simulation example. The advanced persistent threat example helps depict the technologies, as well as helping researchers start implementing and using them.

The plan of the paper is as follows. To begin with, in section 2, we take a look at the APT29 attack simulation example and current end to end solutions. In section 3, we inspect the current way cybersecurity research takes place and its shortcomings. We then provide, in section 4, a comprehensive automated solution that addresses the challenges discussed in the previous section. Finally, in section 5, we examine how cybersecurity automation positively impacts artificial intelligence development.

CESAR 2021: Automatisation en Cybersécurité - Automation in Cybersecurity
email: lgavaudan@nukk.ai (L. Gavaudan); slegras@nukk.ai (S. Legras); vventos@nukk.ai (V. Ventos)
© 2021 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (CEUR-WS.org), http://ceur-ws.org, ISSN 1613-0073




Proceedings of the 28th C&ESAR (2021)


2. Prerequisites & related works

In this section, we look in 2.1 at the context from which the scenario of APT29 is drawn, and why it is fit to describe the cybersecurity automation landscape. We then look in 2.2 at two existing end to end solutions, one of which represents the current state of the art and practice. Both the pros and cons of the existing end to end solutions are analyzed, as well as how the solutions compare to the one proposed in this paper.

2.1. APT 29

MITRE Engenuity is a technology foundation and a portal through which MITRE collaborates with the private sector, and applies state of the art innovation that emerges out of their research and development activity[2]. Operating in MITRE Engenuity is the Center for Threat Informed Defense (CTID), a "privately funded research and development organization"[3] that has developed an adversary emulation library of advanced persistent threat attack plans. If an autonomous red teaming tool allows us to launch adversary simulations, then the plans produced by CTID are the important inputs needed to generate high quality attack simulation datasets.

One of the attack simulation plans that CTID has developed is a plan to simulate an APT29 attack. APT29 is a "threat group that has been attributed to Russia's Foreign Intelligence Service (SVR). They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks"[4]. By extensively studying real cyber attacks conducted by APT29, the CTID team built an attack plan that simulates and draws on identical or similar techniques, tactics and procedures that the Russian hacking group has previously used. We have chosen this particular attack simulation plan because the attack's complexity will further accentuate the benefits of automation. The APT29 simulation plans provide both a manual and an automatic implementation guide for how to carry out the attack simulation. This in turn allows us to start setting quantitative benchmarks for how much gain in time and productivity one can achieve through an automated solution.

The CTID team continues to develop new emulation plans, and refine already established ones. The plans are mapped to MITRE's ATT&CK framework, and used to evaluate detection solutions both in the context of the 'ATT&CK Evaluations', a detection solution evaluation series led by MITRE, and for individually and separately evaluating one's own detection solution. This ecosystem allows researchers to develop applications on the emulation library with confidence.

2.2. Existing Cyber Ranges

2.2.1. Splunk - Attack Range

The first end to end solution proposed is Splunk's Attack Range[5]. Introduced in 2019 and developed by the Splunk Threat Research Team, Attack Range is the state of the art and state of practice when it comes to integrating multiple technologies to automate each stage in the cybersecurity research process. It takes care of everything from deploying and configuring infrastructure in the cloud to running autonomous adversary emulation and extracting the resulting logs. The Attack Range technology stack is very similar to the one proposed in this paper, although the solution presented here proposes some improvements. Attack Range uses Terraform to deploy infrastructure in either AWS or Azure's cloud, and Ansible to then configure it. Attack Range also deploys MITRE's CALDERA as an autonomous red teaming tool. Lastly, it uses Windows Event Forwarding (WEF) to retrieve the logs generated from an attack. Attack Range then indexes the logs on a Splunk Server and uses other Splunk technologies for security orchestration and rule based detection.

However, although Splunk's Attack Range allows us to test individual abilities and techniques, it does not provide comprehensive attacks for researchers to study, run, and develop on. Likewise, Attack Range's default environment setup is composed of 2 Windows machines and 2 Linux servers. In order to execute complex attack chains that require larger and more convoluted environments, one would first need to adapt the environment as required by editing a configuration file provided in Attack Range. Then, one would need to gather, in the correct order from the MITRE ATT&CK framework, the list of technique IDs used in the attack, and feed it as a command line argument when initiating the program. Depending on an attack's complexity, the configuration file can quickly become bloated, hard to manage, and work against the initial goal that the research team had set: facilitating cybersecurity automation for threat research.

Secondly, because Attack Range was developed by a research team within Splunk, the data indexing and visualization step, and the SOAR step, of the solution can only be configured with Splunk technologies: Splunk and Splunk Phantom. Although Splunk is recognised as a leader in the field of log collection, analysis, and detection, avoiding vendor lock-in is a fundamental concept to consider when it comes to designing an end to end solution. It allows the solution to be easily modified in order to best fit the needs of users, and ensures that the solution doesn't have a single point of failure.

Lastly, Splunk's red teaming automation is based on CALDERA's old version 2 release, and therefore any new features developed and introduced in CALDERA will not be compatible with Attack Range.






2.2.2. Microsoft - SimuLand

The second tool we look at is SimuLand[6], a tool developed by Microsoft and introduced in 2021. The tool isn't a fully automated end to end solution. It automates the deployment and configuration of infrastructure, but lacks red team automation tooling. Rather, it aims to guide researchers on how to manually simulate different techniques on already deployed and configured infrastructure. It deploys and configures an infrastructure in the cloud using Azure Resource Manager Templates, and has good integration with different security, DevOps, and cloud products within the Microsoft ecosystem (Microsoft 365 Defender, Azure Defender, and Azure Sentinel). On the other hand, SimuLand's design limits users to Azure as the sole cloud provider, which is particularly problematic when studying security exploits directly embedded in a cloud provider's system.

3. Manual security research

In this section we look at how current cybersecurity research is being conducted at three different stages: provisioning (3.1), configuration (3.2), and attack simulation (3.3). The section analyzes in detail the procedure that a researcher would go through for each step, together with its weaknesses and disadvantages, all through the lens of a setup for an APT29 attack simulation.

3.1. Provisioning

The first step in conducting cybersecurity research is the deployment of an environment, a cyber range, in which we want to test out different abilities and techniques. A common way to manually deploy the infrastructure is by requesting the necessary resources through a cloud provider website's graphical user interface. Another solution is to build the required infrastructure with virtualization software like VirtualBox or KVM and host the environment locally.

Going through a cloud provider entails having to separately request each resource and specify instance details. Setting up an environment for a complex attack can call for requesting virtual machines, networks, sub-networks, network interface controllers, network peerings, and additional resources from the cloud provider. For each of these resource requests, one must specify a group of settings. For instance, a virtual machine will typically require the disk, image, CPU and RAM, among other details, to be provided in order to be deployed. Individually deploying resources is prone to error, hard to debug, tedious, and time consuming.

In order to set up the correct environment for the APT29 scenario as depicted in Figure 1, a target and an attacker environment are required. The target environment is a Windows domain sub-network with 2 Windows servers with the '2019-Datacenter' SKU, one serving as a domain controller and the other as a file server, and three Windows workstations running Windows 10 1903 with a "19h1-pro" or "1903-evd-o365pp" SKU. The domain controller and file server are usually controlled by and under the supervision of IT professionals, whilst workstations usually represent regular computers that non-technical employees use. In this case, all VMs are "Standard B4MS" instances, with four vCPUs and 16GB of RAM. The attacker environment is a second sub-network with 2 Linux machines running Ubuntu 18.04.3 LTS, one serving as a traffic redirector, and the other as a C2 (Command and Control) from where attack commands are sent. The sub-network also has a workstation running Windows 10 1903 with the same SKU as the target workstations, which serves as a platform to replicate the target environment and compile payloads appropriately. Lastly, a virtual peering network is needed to connect the two sub-networks.

Figure 1: Schema of the APT29 Network

3.2. Configuration

The process of configuring an environment varies a lot depending on the target operating system and the attack simulation. Without a clear list of settings and software that need to be present, launching an attack is either unachievable, or produces inaccurate results. The countless ways a configuration setup can go amiss, and the technical knowledge and familiarity with the operating system that are needed, make configuration a daunting task.

To configure the environment for the APT29 scenarios, one needs to connect to each resource through Windows Remote Desktop, an application that allows one to interact with a GUI for the virtual machines. The domain controller server needs to be set up by installing Active Directory (AD), creating a domain, and adding the workstations to the domain, along with creating a domain name service (DNS), group policy objects (GPO), domain users, and domain user groups. The workstations are then set up by installing additional software like Google Chrome, tampering with the registries and firewall rules, disabling Windows Defender, and ensuring that Windows Remote Management (WinRM) as well as other communication protocols and services are functioning correctly. Finally, on a command and control server (C2), one needs to install penetration testing tools such as Metasploit [7] to have a platform from which to launch the attack.

The measures taken on the domain controller, workstations, and C2 are quite common for threat hunting cybersecurity research. Additionally, APT29 also requires the PowerShell execution policy set to "Bypass", the registry modified to allow storage of WDigest credentials, the firewall configured to allow SMB (Server Message Block), an SMB share present and working, and the UAC (User Account Control) set to never notify for all Windows hosts.

Whereas the manual provisioning of the infrastructure was all initiated from a centralized cloud provider web platform with a user friendly interface, the manual configuration of an environment requires connecting to different virtual machine endpoints. That framework offers a less controlled environment where the user has a harder time tracking the current state of the configuration process and the remaining steps.

3.3. Attack Simulation

Once the infrastructure is deployed and configured, a researcher can then proceed to launch attacks. Every attack simulation requires an entry point from which malicious commands are executed and payloads downloaded. The entry point is an agent that lies in wait and listens for commands to execute from the C2 server. Therefore, one needs to connect to at least one workstation, and initiate the agent process before starting the attack simulation. The use of already infected workstations as a starting point for conducting post-breach cybersecurity research is common under the paradigm known as the "Assume Breach Paradigm" [8]. Microsoft's Cyber Defense Operations Center describes it as such: "despite all the protections in place, we assume systems will fail or people will make errors, and an adversary may penetrate our infrastructure and services."

Once the workstation(s) are infected and the penetration testing tools ready, the attack simulation can be initiated. This step requires general knowledge about what the attack is trying to achieve, how it accomplishes its goals, and what each step of the attack performs, also known as 'Techniques, Tactics and Procedures' (TTP), as well as more in-depth knowledge about how to navigate and send commands from the penetration testing tool.

The APT29 attack simulation is broken down into 2 different scenarios in order to depict the two approaches that the hacking group could deploy when they attack their targets. For both scenarios, the attacker uses a mix of Metasploit and Pupy in order to communicate with infected workstations and send shell commands to carry out the attacks. The first APT29 scenario represents a more aggressive, fast-paced, direct style that 'smashes and grabs' in order to reach its goals. The goal is first to collect and exfiltrate data; the focus then shifts to persistence, data collection, credential access, and lateral movement. The second scenario on the other hand is a stealthier and slower attack that looks at "establishing persistence, harvesting credentials, then finally enumerating and compromising the entire domain".[9]

More details about each step of the attack for both scenario 1 and 2 can be found in the appendix, which contains notes gathered from MITRE's adversary_emulation_library GitHub repository[9].
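
Section 3.1 notes that every resource has to be requested separately and that doing so by hand is error-prone. The following Python example is added here (it is not code from the paper, from Terraform or from the CTID plans): it models the APT29 range as a dependency graph, computes the batches in which resources can be created, and checks a manual request order against that graph. The resource names, the one-network-per-sub-network layout and the dependency edges are assumptions made for the example.

```python
"""Added example: request order for the APT29 range described in section 3.1."""


def build_range():
    """Return {resource: set(dependencies)} for the two environments.

    Assumptions of this example (not stated in the paper): each sub-network
    sits in its own virtual network, every VM needs exactly one NIC, every
    NIC needs its sub-network, and the peering needs both networks.
    """
    deps = {
        "net/target": set(),
        "net/attacker": set(),
        "subnet/target": {"net/target"},
        "subnet/attacker": {"net/attacker"},
        "peering/target-attacker": {"net/target", "net/attacker"},
    }
    # Host roles follow section 3.1; the short names are constructed.
    hosts = {
        "target": ["dc", "fileserver", "ws1", "ws2", "ws3"],
        "attacker": ["redirector", "c2", "build-ws"],
    }
    for env, names in hosts.items():
        for name in names:
            deps[f"nic/{name}"] = {f"subnet/{env}"}
            deps[f"vm/{name}"] = {f"nic/{name}"}
    return deps


def deployment_batches(deps):
    """Layered topological sort (Kahn's algorithm).

    Every batch depends only on earlier batches, so the resources inside one
    batch are independent and could be created concurrently.
    Raises ValueError for undeclared dependencies or dependency cycles.
    """
    unknown = {d for ds in deps.values() for d in ds} - set(deps)
    if unknown:
        raise ValueError(f"undeclared dependencies: {sorted(unknown)}")
    remaining = {r: set(ds) for r, ds in deps.items()}
    batches = []
    while remaining:
        ready = sorted(r for r, ds in remaining.items() if not ds)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        batches.append(ready)
        for r in ready:
            del remaining[r]
        for ds in remaining.values():
            ds.difference_update(ready)
    return batches


def first_violation(order, deps):
    """Check a manual request order against the graph.

    Returns (resource, missing_dependency) for the first request that would
    fail because a prerequisite does not exist yet, or None if the order works.
    """
    done = set()
    for r in order:
        missing = sorted(deps[r] - done)
        if missing:
            return r, missing[0]
        done.add(r)
    return None


if __name__ == "__main__":
    graph = build_range()
    print(f"{len(graph)} separate resource requests")
    for i, batch in enumerate(deployment_batches(graph), 1):
        print(f"batch {i}: {', '.join(batch)}")
```
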






4. Automated security research
After studying how current manual security research is
directed, we propose a way to conduct automated secu-
rity research, and how to implement each of its steps.
The automated solution is split in 3 main steps: provi-
sioning (4.1), configuration (4.2), and attack simulation
(4.3) as shown on figure 2. Additionally, data collection
and reporting will be covered in 4.4, and a comparison
between manual and automatic cyber security research
will be drawn in 4.5.
   One important and pressing issue reoccurring in the
last section was the unavoidable complexity, and sub-
sequently the required technical know-how one needs
in order to carry out security research.This section is
now going to see how to abstract out the intricacies of
deploying, and configuring our cyber range through the
concept of Infrastructure as Code (IaC) [10, 11]. As for at-
tack simulations, the required technical knowledge that
comes with penetration testing software is abstracted
out through Caldera’s intuitive GUI for managing agents,       Figure 2: The 3 step automation cycle for cybersecurity re-
adversarial profiles, and operations.                          search: Terraform, Ansible, and Caldera.
   Furthermore the automation technologies outlined for
infrastructure provisioning and configuring have impor-
tant attributes that make them all the more fit for cy-        currently creates infrastructure in a way that respects
bersecurity research and development. The agentless            the dependency graph, and in a manner that humans
nature of the technologies is an important step towards        could not compete with. But the leading gain is in the
tackling the automation challenge as it avoids any unnec-      reduced amount of workload and time someone has to
essary dependencies, limits the requirements to initiate       spend in order to boot up the infrastructure. The whole
the automation process, and minimizes the probability of       infrastructure can be built from 2 simple commands:
critical errors. Moreover, the declarative capabilities of
those technologies allow users to rapidly learn about and      terraform plan -out {name_of_plan}
understand the different components that make up the           terraform apply {name_of_plan}
automation process with little to no technical knowledge       The user first creates a ’plan’ that represents the changes
of the tools used. By separating the user from software        Terraform counts on implementing such as destroying or
implementation issues and edge case problems, a declar-        creating a virtual machine, and then applies the planned
ative style approach requires very little effort to build      changes. Finally, ”terraform state list” shows the current
functional and robust programs.                                state of the infrastructure. The user then doesn’t have to
                                                               spend 1 to 2 hours creating the resources by hand, but
4.1. Provisioning                                              can spend that time on higher added value work whilst
                                                               waiting for Terraform to complete. The modular nature
In order to provision our environment in a fully auto-
                                                               of Terraform means that we can share our code, or a
mated manner, we use Terraform [12], an open source
                                                               portion of it for others to reuse. There are no manual
IaC software tool. The tool allows for the creation and
                                                               equivalents when one looks for a way to share the abil-
provisioning of infrastructure using HashiCorp Configu-
                                                               ity to launch an identical infrastructure, and show the
ration Language (HCL), a declarative configuration lan-
                                                               desired infrastructure end-state. The code format of our
guage where the user ’declares’ or writes in HCL code
                                                               infrastructure deployment, or IaC, enables us to use fea-
the desired state for the infrastructure.
                                                               tures that come with version controller systems (VCS)
   Terraform offers the ability to write reusable and mod-
                                                               hosting platforms like GitHub or GitLab. It allows us to
ular code. The re-usability feature gives Terraform a
                                                               perform code reviews, work on particular branches of
sizeable advantage over deploying each resource manu-
                                                               the code, look at history graphs, track issues and goals,
ally on a Cloud Provider. Users save on the amount of
                                                               and more broadly work in a collaborative, structured
time the infrastructure takes to deploy: Terraform creates
                                                               and fast-paced environment. Finally, in contrast to an
a resource dependency graph to set the order in which
                                                               imperative approach, the user does not need to know
resources need to be deployed, it then instantly and con-
                                                               how Terraform implements HCL code and deploys the




Proceedings of the 28th C&ESAR (2021)                                                                                169
Cyber Range Automation, a Bedrock for AI Applications


infrastructure. Subsequently, a great deal of complexity is taken out of the hands of the user
given that HCL is easy to read, learn and execute.

4.2. Configuration

As for the automation of configuration for our environment, Ansible [13], another open source
IaC software tool released in 2012, and developed by Red Hat Inc since 2015, provides a wide
range of packages and functions that allow for configuration management. Ansible uses a hybrid
between imperative and declarative style language where development should be as declarative
as possible but might still require imperative style code.
   Ansible’s modular programming capabilities are just as pronounced as Terraform’s: not only
are functions used within a source code file reusable, but larger and abstract goals, such as
setting up and configuring Windows’ Active Directory, can be packaged and encapsulated in a
single package or ‘role’. A role is a folder or package that contains both what the user might
conceive as the main source code (tasks), as well as additional resources such as template
files, variable files, handler files (files that manage exceptions and special conditions).
They can then easily be shared with the community or within a workspace. Ansible’s flexibility
becomes important when looking at requirements and interoperability. Its requirements are
minimal, as it only requires Python to be installed and a means of connection (WinRM or
ssh [14]) to be available. Like Terraform, Ansible’s use of IaC allows for code reviews and
other perks, as well as being easy and quick to launch.

4.3. Attack simulation platform

There are various challenges with automatically measuring aspects of a network’s security
posture through penetration testing, red teams, and adversary emulation and numerous ways to go
about implementing it [15]. Cyber Adversary Language and Detection Engine for Red team
Automation (CALDERA) version 3 [16] is a simulated penetration testing platform for autonomous
red teaming. It is an open source tool developed by MITRE. CALDERA offers three major
advantages over a manual style attack.
   The first is that CALDERA has an interactive, friendly and graphical user interface;
launching an attack is an intuitive and short procedure. The program has 3 main categories:
Agents, Adversaries, and Operations. One can easily toggle from one to the other without any
interference between each other. The ‘Agents’ section provides a dashboard with a list of
agents currently running, their information and whether they have been terminated, as well as
code to implant agents on a target workstation before one can simulate an attack. The
‘Adversaries’ section provides an interface to inspect the collection of abilities that make up
an adversary, or an adversarial attack. One can either analyze the attack by overviewing the
different abilities and getting a general understanding of how the attack works, or dig deeper
in each ability, and inspect the commands launched. Lastly, the ‘operations’ section is at the
core of launching attacks; it allows for the configuration and management of operations, with
the capability to manually add and execute commands to an on-going autonomous attack.
   The second advantage CALDERA has to offer is a platform on which one can easily build
variations out of a particular adversarial attack, as well as producing, experimenting and
sharing new adversaries. This feature is of utmost importance as it comprehensively captures
the merit and spectrum of benefits that an automated system provides. It provides an
unparalleled flexible structure to produce modular and automated attacks.
   The third advantage CALDERA brings is a catalogue of attacks belonging to different threat
actors, including the APT29 scenario. The utility for autonomous red teaming grows with the
complexity of the simulated attacks, and given that the attacks available are of APT level
sophistication, CALDERA becomes an invaluable tool. An advanced persistent threat (APT) is a
threat group, usually associated with nation states, with advanced capabilities to penetrate
systems and networks.

4.4. Data collection and reporting

The data collection process is specific to an operating system, but can be set up automatically
at the configuration step through Ansible. Taking a deeper look at the data collection process
for a Windows ecosystem, a way to collect logs is through Windows Event Forwarding (WEF) [17],
a service that comes as part of Windows 10, and allows workstations to forward local logs to
other Windows machines. The main steps in setting up WEF can be split between setting up the
workstations, also known as WEF clients, on which the attacks are unfolding, and the server
listening for incoming connections from the WEF Clients. These steps include enabling the WinRM
service, changing registry keys, changing audit policies and system access controls, and
uploading XML files to configure the WEF service, all steps that can be completed automatically
through Ansible packages and functions. There are plenty of services and products that take
care of the data reporting process, and are usually chosen depending on the technology a user
is most familiar with, or already has set up.

4.5. Results

The time results comparing a manual and automated approach to simulating the APT29 attack plans
can be
found in Table 1. All in all, the deployment of the infrastructure, configuration of the
environment, and completion of the attack simulation for the first scenario of APT29 takes just
under an hour from start to finish. In contrast, for a cybersecurity researcher new to APT29
attacks, the simulation would likely take between 6.5 and 27 hours.

                 Manual                        Automatic
  Provisioning   1 - 2h                        17m
  Configuring    5 - 10h                       30m
  Attack         10 - 15h (30m if familiar)    8m
  Total          6.5 - 27h                     55m

Table 1: Time comparisons between manually and automatically completing APT29’s scenario 1

   Using Terraform to deploy the infrastructure took 17 minutes, whilst deploying all of the
infrastructure manually through Azure would take an amount of time in the scale of multiple
hours. Configuration automation allows researchers to have an environment ready in 30 minutes.
Configuring automatically with Ansible, here, allows us to save time on a process that would
usually take between 5 - 10 hours.
   Manually running an attack simulation is different from deploying an infrastructure or
configuring it, in the sense that once an attack is mastered by a researcher, he can complete
the attack in the same time order as he automatically would with an automated tool. CALDERA
took a total of 8 minutes to run scenario 1 of the APT29 simulation, whilst a well versed
researcher could finish it in less than 30 minutes.
   The automation of a cyber range does not come without a price: cyber range automation allows
us to accelerate the research development cycle but in turn takes away from potential expertise
and knowledge that researchers would have developed in the process of creating a cyber range
themselves. In the deployment and configuration step, the time savings justify the expertise
delegated to the automated platform. In contrast, spending time in the attack simulation stage
to understand an attack and manually launch attack simulations is an important component to
preserve in an automated cyber range. If expertise was delegated in the deployment and
configuration stage, it is for researchers to spend more time on mastering the attack
simulation stage. Nevertheless, automated red teaming presents an alternative and interesting
way of conducting attack simulations. Whilst manually executing an attack simulation requires a
grasp of every step before completing an attack, automated red teaming allows researchers to
run full attack simulations without understanding certain steps, which is useful for
understanding the general operational flow of an attack.

5. Relevance of automation for AI

Generating and updating a collection of diverse datasets is especially important in the
cybersecurity field where threats, actors and their representations are constantly changing,
and where experts have to be persistently learning about new paradigms, heuristics and
technologies. The automatic construction of a cyber range presented in this paper does not just
provide solutions for current threats, but a general framework in which one can continually
conduct research, and build new datasets.
   In AI development, results can only be as good as the quality of the data used. Therefore,
having a limited number of datasets to train good models and counting on them to protect
organisations is not a viable solution. A fully automated cyber range ensures that we have
access to diverse datasets. Its flexibility enables us to add variations on an attack, and
create a wide array of different environments against which to generate datasets.
   In this section we will discuss how such a framework does not just enhance cybersecurity
researchers but also provides the necessary sandbox for AI researchers to develop applications
and train models of good quality. We will firstly see how such a cyber range can help build a
high level ontology in the domain of cybersecurity in 5.1. We then look at some common pitfalls
machine learning models encounter with poor data and how an automated cyber range can help us
avoid them in 5.2.

5.1. Ontologies

“MITRE ATT&CK is a globally-accessible knowledge base of adversary tactics and techniques based
on real-world observations”. The tactics and procedures provided by the framework allow us to
paint a meaningful picture for attacks [18]. If the MITRE ATT&CK framework provides the tools
to build a high level view of attacks, and an automated system the low level log datasets of
attack simulations (see figure 3), then Ontology [19] is the key to bridging the gaps between
the two. It enables us to map thousands of logs into a coherent and comprehensible sequence of
MITRE ATT&CK techniques, tactics and procedures.
   Ontology-based data access (OBDA) is a well established paradigm for querying incomplete and
heterogeneous data sources while incorporating knowledge from a domain ontology [20, 21]. OBDA
allows a user to formulate queries through a high-level ontology vocabulary, delegating to the
algorithm the task of querying low level data and mapping them back to high level concepts.
   The ontological process represents the abstraction exercise that cybersecurity experts
perform each day when looking at a collection of security logs, whether it is in an incident
response, troubleshooting, or active monitoring context. An ontology must consequently define
semantic
concepts that cybersecurity analysts use and recognise in order to abstract out the logs.

Figure 3: ATT&CK Data Sources (Defining ATT&CK Data Sources, Part I: Enhancing the Current State).

   The diversity of our data allows us to test the level of expressiveness an ontology has to
offer. Building an ontology only with high level concepts in mind might not scale to real data
mapping. On the other hand, overfitting concepts on a limited number of datasets puts us at
risk of not being able to generalize when the paradigm shifts ever so slightly. Therefore,
ontology building is an iterative process which is best served by a flexible and automated
cyber range that can reliably produce data that is heterogeneous and as realistic as possible.

5.2. Machine learning

After developing an ontology, one can train machine learning models that learn from the same
semantic concepts that cybersecurity experts use, enabling them to intelligently interpret
predictions, as opposed to trying to learn directly from datasets of innumerable logs. Allowing
machine learning models to base themselves on high level abstractions empowers them to be much
more robust both to overfitting problems and to adversarial examples. Firstly, it allows models
to avoid overfitting on meaningless features [22, 23] such as learning that communication with
a particular IP address presents a high attack risk, and should therefore be blocked. Secondly,
the heavy use of abstraction allowed through the use of ontologies enables the models to limit
the effects of adversarial artificial intelligence examples. Deep learning models, for
instance, are known to be highly vulnerable to adversarial examples [24]. Introducing very
superficial changes to an input can make predictions highly unstable and inaccurate, a
situation where humans can reliably understand that the input has not significantly changed.
   Ultimately, the hope is for the machine learning models to grasp abstract concepts and
general pattern recognition, and discover new heuristics for cybersecurity analysts to
integrate in their practice. As can be seen in figure 4, among the most pressing issues that
cybersecurity analysts are trying to solve is the problem of overwhelming false positives (A2
and A3). The problem clouds analysts’ judgment for potential threats, and causes what is known
as ‘Alert Fatigue’, a fatigue produced by a myriad of false positives that continually drain
analysts’ attention. Other important issues pointed out in Panther Labs’ survey findings
(Figure 4) are a lack of context for alerts and insights given by current SIEM systems to
experts, and the sheer number of those alerts (A1 and A4). Using an approach to machine
learning based on ontology, the enrichment of our data from initial logs to high level data
would allow models to put
in the hands of cybersecurity experts meaningful and contextual alerts.

Figure 4: Panther Labs’ cybersecurity survey on the current state of SIEM (State of SIEM 2021 Insights From 400 Security Professionals)

6. Conclusion

The automation solution we brought forward in this paper is designed to help cybersecurity
researchers looking to integrate AI in their operations, as well as AI researchers interested
in contributing to the cybersecurity field. We used a scenario inspired by an APT29 attack
campaign to better illustrate the benefits that the automation platform brings for researchers.
The solution enables researchers to operate and build software on top of an automated cyber
range, allowing them to save time and focus solely on the development of artificial
intelligence tools. Terraform automates the deployment of the infrastructure, Ansible automates
its configuration, Caldera provides autonomous red teaming capabilities for attack simulations,
and WEF helps centralize and collect the attack simulation’s data.

References

 [1] Common staff target for military cooperation on cyber ranges in the european union, 2013. URL: https://eda.europa.eu/docs/default-source/procurement/annex-a---cyber-ranges-cst.pdf.
 [2] Mitre engenuity website, 2019. URL: https://mitre-engenuity.org/.
 [3] Center for threat informed defense website, 2019. URL: https://ctid.mitre-engenuity.org/.
 [4] Mitre att&ck website, 2015. URL: https://attack.mitre.org/groups/G0016/.
 [5] Attack range github repository, 2019. URL: https://github.com/splunk/attack_range.
 [6] Simuland github repository, 2021. URL: https://github.com/Azure/SimuLand.
 [7] D. Kennedy, J. O’gorman, D. Kearns, M. Aharoni, Metasploit: the penetration tester’s guide, No Starch Press, 2011.
 [8] R. Pompon, Assume Breach, Apress, Berkeley, CA, 2016, pp. 13–21. URL: https://doi.org/10.1007/978-1-4842-2140-2_2. doi:10.1007/978-1-4842-2140-2_2.
 [9] Adversary emulation library github repository, 2019. URL: https://github.com/center-for-threat-informed-defense/adversary_emulation_library/tree/master/apt29/Emulation_Plan.
[10] A. Rahman, R. Mahdavi-Hezaveh, L. Williams, A systematic mapping study of infrastructure as code research, Information and Software Technology 108 (2019) 65–77. URL: https://www.sciencedirect.com/science/article/pii/S0950584918302507. doi:https://doi.org/10.1016/j.infsof.2018.12.004.
[11] C. Parnin, E. Helms, C. Atlee, H. Boughton, M. Ghattas, A. Glover, J. Holman, J. Micco, B. Murphy, T. Savor, M. Stumm, S. Whitaker, L. Williams, The top 10 adages in continuous deployment, IEEE Software 34 (2017) 86–95. doi:10.1109/MS.2017.86.
[12] Mitchell Hashimoto et al., Terraform website, 2014. URL: https://www.terraform.io/.
[13] Ansible website, 2012. URL: https://www.ansible.com/.
[14] T. Ylonen, C. Lonvick, et al., The secure shell (ssh) protocol architecture, 2006.
[15] J. Hoffmann, Simulated penetration testing: From ”dijkstra” to ”turing test++”, in: Proceedings of the Twenty-Fifth International Conference on International Conference on Automated Planning and Scheduling, ICAPS’15, AAAI Press, 2015, p. 364–372.
[16] Caldera, a scalable, automated adversary emulation platform, 2021. URL: https://caldera.mitre.org/.
[17] Spotting the Adversary with Windows Event Log Monitoring, Technical Report, NSA, 2015.
[18] Best Practices for MITRE ATT&CK Mapping, Technical Report, CISA, HSSEDI, 2021.
[19] D. L. McGuinness, F. Van Harmelen, et al., Owl web ontology language overview, W3C recommendation 10 (2004) 2004.
[20] M.-L. Mugnier, M.-C. Rousset, F. Ulliana, Ontology-Mediated Queries for NOSQL Databases, in: DL: Description Logics, volume CEUR Workshop Proceedings, Cape Town, South Africa, 2016, pp. 1051–1057. URL: https://hal-lirmm.ccsd.cnrs.fr/lirmm-01375093, this paper is an extended abstract of the paper with the same title presented at AAAI 2016.
[21] A. Poggi, D. Lembo, D. Calvanese, G. De Giacomo, M. Lenzerini, R. Rosati, Linking data to ontologies, in: S. Spaccapietra (Ed.), Journal on Data Semantics X, Springer Berlin Heidelberg, Berlin, Heidelberg, 2008, pp. 133–173.
[22] J. Reunanen, Overfitting in making comparisons between variable selection methods, J. Mach. Learn. Res. 3 (2003) 1371–1382.
[23] R. B. Rao, G. Fung, R. Rosales, On the Dangers of Cross-Validation. An Experimental Evaluation, Society for Industrial and Applied Mathematics, 2008, pp. 588–596. URL: https://epubs.siam.org/doi/abs/10.1137/1.9781611972788.54. doi:10.1137/1.9781611972788.54.
[24] P.-A. Moëllic, The dark side of neural networks: an advocacy for security in machine learning, Computer & Electronics Security Applications Rendez-vous (C&ESAR) (2018).


Appendix

Details about each step of the APT29 attack simulation for both scenario 1 and 2 are compiled
here, as referenced in 3.3. The details were gathered from MITRE’s adversary_emulation_library
GitHub repository [9].

Scenario 1

The scenario begins with an initial breach, where a legitimate user clicks (T1204 / T1204.002)
an executable payload (screensaver executable) masquerading as a benign word document (T1036 /
T1036.002). Once executed, the payload creates a C2 connection over port 1234 (T1065) using the
RC4 cryptographic cipher. The attacker then uses the active C2 connection to spawn interactive
cmd.exe (T1059 / T1059.003) and powershell.exe (T1086 / T1059.001).
   The attacker runs a one-liner command to search the filesystem for document and media files
(T1083, T1119), collecting (T1005) and compressing (T1002 / T1560.001) content into a single
file. The file is then exfiltrated over the existing C2 connection (T1041). The attacker now
uploads a new payload (T1105) to the victim. The payload is a legitimately formed image file
with a concealed PowerShell script (T1027 / T1027.003). The attacker then elevates privileges
via a user account control (UAC) bypass (T1122 / T1546.015, T1088 / T1548.002), which executes
the newly added payload. A new C2 connection is established over port 443 (T1043) using the
HTTPS protocol (T1071 / T1071.001, T1032 / T1573). Finally, the attacker removes artifacts of
the privilege escalation from the Registry (T1112).
   The attacker uploads additional tools (T1105) through the new, elevated access before
spawning an interactive powershell.exe shell (T1086 / T1059.001). The additional tools are
decompressed (T1140) and positioned on the target for usage. The attacker then enumerates
running processes (T1057) to discover/terminate the initial access from Step 1 before deleting
various files (T1107 / T1070.004) associated with that access. Finally, the attacker launches a
PowerShell script that performs a wide variety of reconnaissance commands (T1016, T1033, T1063
/ T1518.001, T1069, T1082, T1083), some of which are done by accessing the Windows API (T1106).
   The attacker establishes two distinct means of persistent access to the victim by creating a
new service (T1031 / T1543.003) and creating a malicious payload in the Windows Startup folder
(T1060 / T1547.001). The attacker collects screenshots (T1113), data from the user’s clipboard
(T1115), and keystrokes (T1056 / T1056.001). The attacker then collects files (T1005), which
are compressed and encrypted (T1560 / T1560.001), before being exfiltrated to an
attacker-controlled WebDAV share (T1048 / T1048). The attacker uses Lightweight Directory
Access Protocol (LDAP) queries to enumerate other hosts in the domain (T1018) before creating a
remote PowerShell session to a secondary victim (T1021 / T1021.006). Through this connection,
the attacker enumerates running processes (T1057). Next, the attacker uploads (T1105) a new
UPX-packed payload (T1027 / T1027.002) to the secondary victim. This new payload is executed on
the secondary victim via the PSExec utility (T1021 / T1021.002, T1035 / T1569.002) using the
previously stolen credentials (T1078 / T1078.002).
   The attacker uploads additional utilities to the secondary victim (T1105) before running a
PowerShell one-liner command (T1059 / T1059.001) to search the filesystem for document and
media files (T1083, T1119). Files of interest are collected (T1005) then encrypted and
compressed (T1002, T1022 / T1560.001) into a single file (T1074 / T1074.001). The file is then
exfiltrated over the existing C2 connection (T1041). Finally, the attacker deletes various
files (T1107 / T1070.004) associated with that access.
   The original victim is rebooted and the legitimate user logs in, emulating ordinary usage
and a passage of time. This activity triggers the previously established persistence
mechanisms, namely the execution of the new service (T1035 / T1569.002) and payload in the
Windows Startup folder (T1060 / T1547.001). The payload in the Startup folder executes a
follow-on payload using a stolen token (T1106, T1134 / T1134.002).

Scenario 2

The scenario begins with an initial breach, where a legitimate user clicks (T1204 / T1204.002)
a link file payload, which executes an alternate data stream (ADS) hidden on another dummy file
(T1096 / T1564.004) delivered as part of the spearphishing campaign. The ADS performs a series
of enumeration commands to ensure it is not executing in a virtualized analysis environment
(T1497 / T1497.001, T1082, T1120, T1033, T1016, T1057, T1083) before establishing persistence
via a Windows Registry Run key entry (T1060 / T1547.001) pointing to an embedded DLL payload
that was decoded and dropped to disk (T1140). The ADS then executes a PowerShell stager (T1086
/ T1059.001) which creates a C2 connection over port 443 (T1043) using the HTTPS protocol
(T1032 / T1573.002, T1071 / T1071.001).
   The attacker modifies the time attributes of the DLL payload (T1099 / T1070.006) used in the
previously established persistence mechanism to match that of a random file found in the
victim’s System32 directory (T1083). The attacker then enumerates registered AV products (T1063
/ T1518.001) and software installed by the user documented in the Windows Registry (T1012).
   The attacker performs local enumeration using various Windows API calls, specifically
gathering the local
computer name (T1082), domain name (T1016), current
user context (T1033), and running processes (T1057).
   The attacker elevates privileges via a user account con-
trol (UAC) bypass (T1122 / T1546.015, T1088 / T1548.002).
The attacker then uses the new elevated access to create
and execute code within a custom WMI class (T1047) that
downloads (T1105) and executes Mimikatz to dump plain-
text credentials (T1003 / T1003.001), which are parsed,
encoded, and stored in the WMI class (T1027). After
tracking that the WMI execution has completed (T1057),
the attacker reads the plaintext credentials stored within
the WMI class (T1140).
   The attacker establishes a secondary means of per-
sistent access to the victim by creating a WMI event
subscription (T1084 / T1546.003) to execute a PowerShell
payload whenever the current user (T1033) logs in.
   The attacker enumerates the environment’s domain
controller (T1018) and the domain’s security identifier
(SID) (T1033) via the Windows API (T1106). Next, the
attacker uses the previously dumped credentials (T1078
/ T1078.002) to create a remote PowerShell session to
the domain controller (T1028 / T1021.006). Through
this connection, the attacker copies the Mimikatz binary
used in Step 14 to the domain controller (T1105 / T1570)
then dumps the hash of the KRBTGT account (T1003 /
T1003.001).
   The attacker harvests emails stored in the local email
client (T1114 / T1114.001) before collecting (T1005) and
staging (T1074 / T1074.001) a file of interest. The staged
file is compressed (T1002 / T1560.001) as well as prepended
with the magic bytes of the GIF file type (T1027).
   The attacker maps a local drive to an online web ser-
vice account (T1102) then exfiltrates the previously staged
data to this repository (T1048 / T1567.002).
   The attacker deletes various files (T1107 / T1070.004)
associated with that access by reflectively loading and
executing the Sdelete binary (T1055 / T1055.002) within
powershell.exe.
   The original victim is rebooted and the legitimate
user logs in, emulating ordinary usage and a passage
of time. This activity triggers the previously established
persistence mechanisms, namely the execution of the
DLL payload (T1085 / T1218.011), referenced by the Win-
dows Registry Run key, and the WMI event subscription
(T1084 / T1546.003), which executes a new PowerShell
stager (T1086 / T1059.001). The attacker uses the renewed
access to generate a Kerberos Golden Ticket (T1097 /
T1558.001, T1558.003), using materials from the earlier
breach, which is used to establish a remote PowerShell
session to a new victim (T1028 / T1021.006). Through this
connection, the attacker creates a new account within
the domain (T1136 / T1136.001).
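
One way to picture the log-to-technique abstraction of Section 5.1, checked against the technique IDs that the Appendix lists for Scenario 1 (added example, not code from the paper or from MITRE). The Sysmon-style events, the four matching rules and the choice to keep the last ID of each "A / B" pair are assumptions made for illustration.

```python
"""Added illustration: lift raw log events to ATT&CK techniques and tactics,
then check them against the technique IDs a scenario narrative lists."""
import re
from typing import Callable, NamedTuple

# Sentences of Scenario 1, copied from the Appendix above.
SCENARIO_TEXT = (
    "The attacker then uses the active C2 connection to spawn interactive "
    "cmd.exe (T1059 / T1059.003) and powershell.exe (T1086 / T1059.001). "
    "The attacker runs a one-liner command to search the filesystem for "
    "document and media files (T1083, T1119), collecting (T1005) and "
    "compressing (T1002 / T1560.001) content into a single file. The file is "
    "then exfiltrated over the existing C2 connection (T1041)."
)

TECH = r"T\d{4}(?:\.\d{3})?"
# One ID, optionally followed by " / ID" alternatives, as written in the Appendix.
GROUP = re.compile(rf"{TECH}(?:\s*/\s*{TECH})*")


def expected_techniques(text: str) -> list[str]:
    """Ordered, de-duplicated technique IDs named in a scenario narrative.

    For an "A / B" pair the last ID is kept (assumption: it is the current,
    more specific identifier). Matching on IDs rather than on parentheses
    tolerates the unbalanced brackets that occur in the narrative."""
    ordered: list[str] = []
    for match in GROUP.finditer(text):
        current = re.findall(TECH, match.group())[-1]
        if current not in ordered:
            ordered.append(current)
    return ordered


class Rule(NamedTuple):
    technique: str
    tactic: str
    name: str
    matches: Callable[[dict], bool]


def _image(event: dict) -> str:
    """Executable file name of a process-creation event, lower-cased."""
    return event.get("Image", "").lower().rsplit("\\", 1)[-1]


def _cmd(event: dict) -> str:
    return event.get("CommandLine", "").lower()


# Hypothetical mapping rules; a real ontology would carry many more concepts.
RULES = [
    Rule("T1059.003", "Execution", "Windows Command Shell",
         lambda e: e["EventID"] == 1 and _image(e) == "cmd.exe"),
    Rule("T1059.001", "Execution", "PowerShell",
         lambda e: e["EventID"] == 1 and _image(e) == "powershell.exe"),
    Rule("T1083", "Discovery", "File and Directory Discovery",
         lambda e: e["EventID"] == 1 and "get-childitem" in _cmd(e)
         and "-recurse" in _cmd(e)),
    Rule("T1560.001", "Collection", "Archive via Utility",
         lambda e: e["EventID"] == 1 and "compress-archive" in _cmd(e)),
]

# Constructed sample events (Sysmon-style: ID 1 process creation, ID 3 network).
EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.7", "DestinationPort": 443},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-ChildItem -Recurse -Include *.docx "
                    "| Compress-Archive -DestinationPath out.zip"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def abstract(events: list[dict]) -> list[tuple[int, str, str]]:
    """(event index, technique, tactic) for every rule an event satisfies.

    Events matching no rule are dropped; one event may yield several concepts."""
    return [(i, r.technique, r.tactic)
            for i, e in enumerate(events) for r in RULES if r.matches(e)]


def tactic_sequence(concepts: list[tuple[int, str, str]]) -> list[str]:
    """Tactics in log order with consecutive repeats collapsed."""
    seq: list[str] = []
    for _, _, tactic in concepts:
        if not seq or seq[-1] != tactic:
            seq.append(tactic)
    return seq


def coverage(expected: list[str], observed: list[str]) -> tuple[list[str], list[str]]:
    """Split expected techniques into (evidenced by the logs, not evidenced)."""
    seen = set(observed)
    return ([t for t in expected if t in seen],
            [t for t in expected if t not in seen])


if __name__ == "__main__":
    concepts = abstract(EVENTS)
    covered, missing = coverage(expected_techniques(SCENARIO_TEXT),
                                [t for _, t, _ in concepts])
    print("tactic sequence:", " -> ".join(tactic_sequence(concepts)))
    print("covered:", covered)
    print("missing:", missing)
```

The techniques reported as missing are the ones for which the sample logs and rules carry no evidence, which is where an iteration on the ontology or on the collected log sources would start.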



