The handily named CyberBattleSim is a tool developed and used by the Microsoft 365 Defender Research team to build “highly abstract” simulations of complex computer systems and of how an attacker may spread laterally through them.
Microsoft hopes that the release of CyberBattleSim will encourage other security researchers to pick up the tool and develop further uses and roles for it and better understand how an attacker might act within a compromised network.
CyberBattleSim: An Open-Source Attack Simulator
At its core, CyberBattleSim is a threat modeling tool built on the Python-based OpenAI Gym interface for ease of use.
Users can simulate a network of computer nodes with a fixed topology, then program a list of predefined vulnerabilities affecting the network. From there, the simulated attacker attempts to breach the network using the defined vulnerabilities, exploiting any weaknesses it finds.
In turn, automated defenses will attempt to protect against the attack, simulating how network defenses attempt to repel attackers and eject them from the network.
From the outside, it looks like a fun, exploratory tool, but CyberBattleSim allows for extensively customizable scenarios using a huge range of triggers and parameters. The official Microsoft Security blog announcing the tool’s release also details a custom capture-the-flag style challenge. There are also multiple types of predefined vulnerability outcomes that can affect the result of the model.
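To make the attacker/defender loop concrete, here is a small toy simulator added for this write-up; it is not CyberBattleSim’s own API or code. The topology, vulnerability names and credentials are constructed, and the “leaked node ids” and “leaked credentials” outcomes stand in for the kind of predefined vulnerability outcomes the text mentions, with a defender modeled as a detection budget that ejects the attacker after a fixed number of actions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Vuln:
    name: str
    outcome: str   # "leak_nodes": reveals node ids; "leak_creds": reveals (node, credential) pairs
    payload: tuple


@dataclass
class Node:
    vulns: list
    accepts: set = field(default_factory=set)   # credentials that grant a foothold on this node


# Constructed fixed topology for the example (not one of the project's sample environments).
NETWORK = {
    "client": Node([Vuln("phishing", "leak_nodes", ("web",)),
                    Vuln("cached_creds", "leak_creds", (("web", "web_pw"),))]),
    "web": Node([Vuln("ssrf", "leak_creds", (("db", "db_pw"),))], accepts={"web_pw"}),
    "db": Node([], accepts={"db_pw"}),
}


def simulate(network, entry, detect_after=None):
    """Attacker starts on `entry`, fires every vulnerability on nodes it owns and
    moves laterally with any leaked credential. The defender evicts the attacker
    once `detect_after` actions have been spent (None = no defender).
    Returns (owned nodes, discovered nodes, actions taken)."""
    owned, discovered, creds = {entry}, {entry}, set()
    actions, queue = 0, deque([entry])
    while queue:
        node = queue.popleft()
        for v in network[node].vulns:
            if detect_after is not None and actions >= detect_after:
                return set(), discovered, actions   # defender detects and ejects the attacker
            actions += 1
            if v.outcome == "leak_nodes":
                discovered.update(v.payload)
            elif v.outcome == "leak_creds":
                creds.update(v.payload)
                discovered.update(target for target, _ in v.payload)
        # Lateral movement: try every leaked credential against the node it belongs to.
        for target, secret in sorted(creds):
            if target not in owned and secret in network[target].accepts:
                owned.add(target)
                queue.append(target)
    return owned, discovered, actions


if __name__ == "__main__":
    print(simulate(NETWORK, "client"))                  # attacker reaches the db
    print(simulate(NETWORK, "client", detect_after=2))  # defender evicts before the db is reached
```

Lowering `detect_after` shows how much of the abstract network a defender with a given detection budget can keep the attacker away from.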
AI Tech Important to Threat Modeling
The use of AI in threat modeling scenarios is important, giving researchers the tools to understand interactions and the trajectory of an ongoing attack.
Importantly, CyberBattleSim’s simulation is highly abstract, meaning that it doesn’t resemble any real-world system, curtailing its potential use as a malicious tool.