Microsoft Developed a SimuLand Lab Environment for Simulating Cyberattacks
SimuLand draws on "resources from a variety of data sources, including telemetry from Microsoft 365 Defender security products, Azure Defender, and other integrated sources through Azure Sentinel Data Connectors."
Lab environments deployed with SimuLand can help security experts "actively test and validate Microsoft 365 Defender, Azure Defender, and Azure Sentinel in detecting cyber threats, and expand their research with telemetry and artefacts generated after each simulation exercise."
SimuLand is designed to analyze the behaviour of cybercriminals and define defences, to accelerate the development and launch of lab environments for threat research, to inform defenders about the latest attacker techniques and tools, and to identify, document and share the data sources relevant to modelling and detecting adversary activity.
Currently, the only lab environment available to launch allows researchers to test and improve protection against Golden SAML attacks, in which attackers forge authentication for cloud applications.
The deployment process
Depending on the lab guide being worked on, the design of the network environments might change a little. While some labs will replicate a hybrid cross-domain environment (on-premises to the cloud), others will focus only on resources in the cloud. Additionally, Azure Resource Manager (ARM) templates are provided to expedite the deployment process and document the infrastructure as code.
Simulation and detection
In addition to adding further scripts, Microsoft also intends to add attack automation through the Azure Functions service in the cloud, telemetry export and exchange, integration of Microsoft Defender evaluation labs, and infrastructure installation and maintenance using CI/CD with Azure DevOps.