Microsoft Developed a SimuLand Lab Environment for Simulating Cyberattacks

SimuLand is designed to analyse the behaviour of attackers, work out how to defend against their techniques, and more.

Microsoft has developed an open-source SimuLand lab environment to help test and improve the protection of Microsoft 365 Defender, Azure Defender, and Azure Sentinel against a variety of cyberattack scenarios.

SimuLand draws on "resources from a variety of data sources, including telemetry from Microsoft 365 Defender security products, Azure Defender, and other integrated sources through Azure Sentinel Data Connectors."

Lab environments deployed with SimuLand can help security experts "actively test and validate Microsoft 365 Defender, Azure Defender, and Azure Sentinel in detecting cyber threats, and expand their research with telemetry and artefacts generated after each simulation exercise."

SimuLand is designed to analyse the behaviour of cybercriminals, define defences, speed up the design and deployment of lab environments for threat research, keep defenders informed about the latest attacker tooling and techniques, and identify, document and share the data sources relevant to modelling and detecting attacker activity.

Currently, the only lab environment available to deploy lets researchers test and improve protection against Golden SAML attacks, in which an attacker who holds the federation server's token-signing certificate forges SAML tokens and uses them to authenticate to cloud applications.

The deployment process

Depending on the lab guide being worked through, the design of the network environment may differ slightly. Some labs replicate a hybrid cross-domain environment (on-premises to the cloud), while others focus only on resources in the cloud. Azure Resource Manager (ARM) templates are also provided to speed up deployment and to document the infrastructure as code.

Simulation and detection

Every simulation plan provided through this project is research-based and broken down into attacker actions mapped to the MITRE ATT&CK framework. The simulate-and-detect component also aims to summarize the main steps a threat actor takes to reach a specific objective, so that security researchers can become familiar with the attacker behaviour at a high level. The image below shows some of the ways the token-signing certificate can be exported from a federation server.
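The detection side of the Golden SAML lab rests on one observation: a token forged with a stolen signing certificate never passes through the federation server, so the cloud tenant sees a federated sign-in that the AD FS audit log cannot account for. The script below is an added example, not code from SimuLand or Microsoft, that implements that correlation over constructed sample records (ATT&CK T1606.002, Forge Web Credentials: SAML Tokens). The record layout, the field names (`time`, `user`, `auth`, `relying_party`, `ip`) and the correlation window are assumptions for illustration; in a real deployment they would come from the AD FS issuance events and Azure AD sign-in logs that the lab exports through Azure Sentinel.

```python
"""
Added example (not part of SimuLand): flag federated cloud sign-ins that have
no matching token issuance on the federation server, the core of a Golden SAML
detection. Field names and the time window are assumptions for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: one record per SAML token the AD FS server actually
# signed (the equivalent of its token-issuance audit events).
ADFS_ISSUANCE = [
    {"time": "2021-05-20T10:00:05Z", "user": "alice@contoso.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
    {"time": "2021-05-20T10:12:40Z", "user": "bob@contoso.example",
     "relying_party": "urn:federation:MicrosoftOnline"},
]

# Constructed sample: sign-ins recorded by the cloud identity provider.
CLOUD_SIGNINS = [
    {"time": "2021-05-20T10:00:07Z", "user": "alice@contoso.example",
     "auth": "federated", "ip": "203.0.113.10"},
    {"time": "2021-05-20T10:12:44Z", "user": "Bob@contoso.example",
     "auth": "federated", "ip": "203.0.113.11"},
    # No issuance record exists for this one: the federation server never
    # produced the token the cloud accepted.
    {"time": "2021-05-20T11:30:00Z", "user": "bob@contoso.example",
     "auth": "federated", "ip": "198.51.100.7"},
    # Managed (non-federated) sign-in: AD FS is not involved, so out of scope.
    {"time": "2021-05-20T11:45:00Z", "user": "carol@contoso.example",
     "auth": "managed", "ip": "203.0.113.12"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_federated_signins(signins, issuance,
                                     window=timedelta(minutes=5),
                                     skew=timedelta(seconds=30)):
    """
    Return the federated sign-ins for which the federation server issued no
    token for the same user in the interval [t - window, t + skew], where t is
    the sign-in time. `skew` tolerates small clock differences between the
    on-premises server and the cloud.
    """
    issued_by_user = {}
    for event in issuance:
        issued_by_user.setdefault(event["user"].lower(), []).append(
            parse_ts(event["time"]))

    flagged = []
    for signin in signins:
        if signin.get("auth") != "federated":
            continue  # only federated sign-ins are expected to have an AD FS record
        t = parse_ts(signin["time"])
        candidates = issued_by_user.get(signin["user"].lower(), [])
        if not any(t - window <= issued <= t + skew for issued in candidates):
            flagged.append(signin)
    return flagged


if __name__ == "__main__":
    for hit in find_unmatched_federated_signins(CLOUD_SIGNINS, ADFS_ISSUANCE):
        print("possible forged token:", hit["user"], hit["time"], hit["ip"])
```

Two caveats matter when turning this into a production rule. A gap in log collection (an AD FS server whose auditing was not enabled, or a connector outage) produces exactly the same unmatched sign-ins as a forged token, so the rule is only as trustworthy as the completeness of the issuance feed. The user comparison is case-insensitive because the two systems do not necessarily normalise UPNs the same way; the sample deliberately includes `Bob@contoso.example` to show that a case mismatch alone must not trigger an alert.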

Beyond adding further scripts, Microsoft also plans to add attack automation through the Azure Functions service in the cloud, telemetry export and exchange, integration of Microsoft Defender evaluation labs, and infrastructure deployment and maintenance through CI/CD with Azure DevOps.