CyberBattleSim: a cyber attack simulator from Microsoft

To help organizations prepare for a cyberattack, Microsoft has released a new tool that offers a training simulation model based on reinforcement learning. The CyberBattleSim source code is written in Python against the OpenAI Gym interface and is open source under the MIT license; the project also notes that any use of Microsoft trademarks or logos in projects, products or services is subject to the Microsoft Trademark and Brand Guidelines.

CyberBattleSim is an experimentation research platform to investigate the interaction of automated agents operating in a simulated abstract business network environment. The simulation provides a high-level abstraction of computer networks and cybersecurity concepts. Its Python-based OpenAI Gym interface enables automated agent training using reinforcement learning algorithms.

The simulation environment is parameterized by a fixed network topology and a set of vulnerabilities that agents can use to move laterally in the network. The attacker's goal is to take possession of a part of the network by exploiting vulnerabilities found in the network's nodes.

As the attacker tries to spread across the network, a defending agent watches the network activity and tries to detect any attacks that are occurring and mitigate the impact on the system by evicting the attacker.

We provide a basic stochastic defender that detects and mitigates ongoing attacks based on predefined odds of success. We implement mitigation by re-imaging infected nodes, a process abstractly modeled as a multi-step simulation operation.
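The attacker/defender loop described above, written out as a small constructed Python model of the same ideas (an added example, not CyberBattleSim's own code or API): a fixed topology whose vulnerabilities give the attacker lateral moves, and a stochastic defender with a fixed detection probability that re-images compromised nodes over several simulation steps. The node names, vulnerability ids and probabilities are assumptions invented for this example.

```python
import random
from dataclasses import dataclass

@dataclass
class Node:
    name: str
    vulns: dict            # vulnerability id -> node reached by exploiting it (assumed model)
    owned: bool = False    # True while the attacker controls the node
    reimage_left: int = 0  # >0 while the defender is re-imaging the node

def build_topology():
    # Constructed fixed topology: a foothold client, a SharePoint server and a database.
    return {
        "client": Node("client", {"leaked-creds": "sharepoint"}, owned=True),
        "sharepoint": Node("sharepoint", {"ssh-creds": "db"}),
        "db": Node("db", {}),
    }

def attacker_step(net, rng):
    # Lateral movement: from a healthy owned node, exploit a vuln leading to an unowned node.
    options = [(src.name, vuln, tgt) for src in net.values()
               if src.owned and src.reimage_left == 0
               for vuln, tgt in src.vulns.items() if not net[tgt].owned]
    if not options:
        return None
    move = rng.choice(options)
    net[move[2]].owned = True
    return move

def defender_step(net, rng, detect_prob, reimage_duration):
    # Stochastic defender: each owned node is detected with probability detect_prob.
    # Detection starts a re-image lasting reimage_duration steps; completion evicts the attacker.
    evicted = []
    for node in net.values():
        if node.reimage_left > 0:
            node.reimage_left -= 1
            if node.reimage_left == 0:
                node.owned = False
                evicted.append(node.name)
        elif node.owned and rng.random() < detect_prob:
            node.reimage_left = reimage_duration
    return evicted

def run_episode(steps, detect_prob, reimage_duration, seed=0):
    # Alternate attacker and defender turns; return the final network and a per-step history.
    rng, net, history = random.Random(seed), build_topology(), []
    for _ in range(steps):
        move = attacker_step(net, rng)
        history.append((move, defender_step(net, rng, detect_prob, reimage_duration)))
    return net, history
```

With `detect_prob=0` the attacker reaches the database in two steps; with `detect_prob=1` and a one-step re-image every foothold is evicted on the next turn, which is the trade-off between detection odds and re-imaging cost that the simulation is meant to expose.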

Reinforcement learning is a category of machine learning in which autonomous agents learn to make decisions by interacting with their environment.

The goal of cyber threat simulation is to understand how an attacker manages to steal confidential information. By learning their intrusion techniques, defenders can better anticipate risks and loopholes and initiate corrective actions.

But we must not lose sight of the fact that defense teams are always one step behind the attackers, who choose which attack vector to use, while the defenders have to prepare without knowing where the attack is going to land. In short, the defender plays the role of a goalkeeper facing a team that can also score from behind and above him ...

CyberBattleSim's cyber attack scenarios are varied, ranging from credential theft to leaking node properties for privilege escalation, and even exploiting SharePoint sites by compromising SSH credentials.

Microsoft also notes that the Gym environment allows great flexibility in customization and configuration for simulating cyberattacks. The publisher has also included a benchmark tool to measure and compare the success of machine-learning-based cyber defense actions.

“The simulation in CyberBattleSim is simplistic, which has its advantages: its highly abstract nature prevents direct application to real-world systems, thus providing protection against the potentially harmful use of automated agents trained with it.

It also allows us to focus on specific aspects of security that we want to study and experiment quickly with recent machine learning and artificial intelligence algorithms: we are currently focusing on lateral movement techniques, with the goal of understanding how the topology and configuration of the network affect these techniques. With that goal in mind, we thought modeling actual network traffic was unnecessary, but these are important limitations that future contributions may seek to address.”

Finally, if you are interested in learning more about CyberBattleSim, or want to know how to set up this tool on your own system, you can consult the details and the installation and usage instructions at the following link.
