Investing in cybersecurity and implementing policies designed to help keep your organization safe from threat actors is one thing, but how do you know that your networks are truly safe?
Microsoft is attempting to answer that question by releasing SimuLand, an open-source initiative designed to help security researchers deploy lab environments to test and improve Microsoft’s cybersecurity tools against well-known attack techniques used in real scenarios.
According to a Microsoft blog post, those lab environments will provide use cases drawn from a variety of data sources, including telemetry from Microsoft 365 Defender security products, Azure Defender, and other data sources integrated through Azure Sentinel data connectors.
The company hopes SimuLand will help IT pros better understand cybercriminals and their tools; identify mitigations and attacker paths; expedite the design and deployment of threat research lab environments; stay current on the techniques and tools used by threat actors; and document and share data to model and detect threats and tune detection capabilities accordingly.
Microsoft wants to have SimuLand integrated with threat research methodologies where dynamic analysis is applied to end-to-end scenarios, and it is designed to reuse and test combinations of attacker actions with different lab environment designs.
Simulations provided to the project are based on research and broken down into attacker actions mapped to the MITRE ATT&CK framework.
Simulation steps will then be mapped to detection queries and alerts from Microsoft 365 Defender security products, Azure Defender and Azure Sentinel.
According to the project’s GitHub repository, the only lab available allows organizations to “simulate an adversary stealing the AD FS token signing certificate from an on-prem AD FS server in order to sign SAML token, impersonate a privileged user and collect mail data in a tenant via the Microsoft Graph API.”
Cybersecurity firm FireEye says that was one method that the actors behind the SolarWinds compromise used to bypass multi-factor authentication and access cloud services as any user at any time.
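The detection idea behind that scenario, as an added illustration in Python that is not code from SimuLand or from Microsoft: a SAML token forged with a stolen signing certificate is accepted by the tenant even though the on-prem AD FS farm never issued it, so federated cloud sign-ins with no matching AD FS token-issuance event stand out. The record types, field names and sample events below are constructed for the example, not a real log schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed, simplified records (not the real AD FS or Azure AD log schemas).
@dataclass
class AdfsTokenIssued:
    """On-prem AD FS 'token issued' event (Event ID 1200 in the AD FS Admin log)."""
    user: str
    issued_at: datetime

@dataclass
class CloudSignIn:
    """Cloud sign-in; federated=True means a SAML token from the federated IdP was presented."""
    user: str
    signed_in_at: datetime
    federated: bool

def find_unbacked_federated_signins(signins, adfs_events, window=timedelta(minutes=10)):
    """Return federated cloud sign-ins for which no AD FS issuance event exists for the
    same user within `window` before the sign-in. Cloud-only sign-ins are out of scope.
    The window absorbs clock skew and ingestion delay; events from every AD FS node in the
    farm must be collected, or legitimate sign-ins will be flagged."""
    issued_by_user = {}
    for ev in adfs_events:
        issued_by_user.setdefault(ev.user, []).append(ev.issued_at)
    suspicious = []
    for s in signins:
        if not s.federated:
            continue
        backed = any(s.signed_in_at - window <= t <= s.signed_in_at
                     for t in issued_by_user.get(s.user, []))
        if not backed:
            suspicious.append(s)
    return suspicious

def demo():
    """Constructed sample: one legitimate federated sign-in, one cloud-only sign-in, and
    two federated sign-ins that AD FS never issued a token for."""
    t0 = datetime(2021, 5, 20, 9, 0)
    adfs_events = [AdfsTokenIssued("alice@example.com", t0)]
    signins = [
        CloudSignIn("alice@example.com", t0 + timedelta(minutes=1), federated=True),   # backed
        CloudSignIn("bob@example.com", t0 + timedelta(minutes=2), federated=False),    # cloud-only
        CloudSignIn("admin@example.com", t0 + timedelta(minutes=5), federated=True),   # no AD FS event
        CloudSignIn("alice@example.com", t0 + timedelta(hours=3), federated=True),     # outside window
    ]
    return find_unbacked_federated_signins(signins, adfs_events)

if __name__ == "__main__":
    for hit in demo():
        print(f"federated sign-in without AD FS issuance: {hit.user} at {hit.signed_in_at}")
```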
The company is calling for customers to share new scenarios and detection rules, and Microsoft plans on creating more scenarios and working on new features to improve the project, including:
- A data model to document the simulation steps in a more organized and standardized way.
- A CI/CD pipeline with Azure DevOps to deploy and maintain infrastructure.
- Automation of attack actions in the cloud via Azure Functions.
- Capabilities to export and share telemetry generated with the InfoSec community.
- Microsoft Defender evaluation labs integration.
To contribute, you need a paid or trial version of Microsoft 365 E5 and an Azure tenant.