Microsoft developed a SimuLand lab environment for simulating cyberattacks

Microsoft's SimuLand lab environment

Microsoft has developed an open source SimuLand lab environment to help testing and improving Microsoft 365, Defender, Azure, and Azure Sentinel protection against a variety of cyberattack scenarios.

SimuLand enables “resources from a variety of data sources, including telemetry from Microsoft 365 Defender security products, Azure Defender, and other integrated sources through Azure Sentinel Data Connectors.”

The lab environments installed with SimuLand can help security experts actively test and validate the effectiveness of Microsoft 365 Defender, Azure Defender, and Azure Sentinel in detecting cyber threats, as well as expand research with telemetry and artifacts generated after each simulation exercise.Microsoft developers report

Simuland will be working under the following basic principles:

  • Understand the underlying behavior and functionality of adversary tradecraft.
  • Identify mitigations and attacker paths by documenting preconditions for each attacker action.
  • Expedite the design and deployment of threat research lab environments.
  • Stay up to date with the latest techniques and tools used by real threat actors.
  • Identify, document, and share relevant data sources to model and detect adversary actions.
  • Validate and tune detection capabilities.

SimuLab is designed to analyze the behavior of cybercriminals, define defenses, accelerate the development and launch of laboratory environments for threat research, inform about the latest technologies and hacker tools, and identify, document, and share relevant data sources for modeling and detecting criminals.

Microsoft aims to integrate SimuLand with threat research methodologies that apply dynamic analysis to end-to-end modeling scenarios.

The image below shows where SimuLand would fit.
SimuLand lab environment

Currently, the only open lab environment allows researchers to test and improve protection against Golden SAML attacks, in which attackers forge authentication for cloud applications.

Besides working on adding additional scripts, Microsoft also intends to add attack automation through the Azure Functions service in the cloud, telemetry export and exchange, integration of Microsoft Defender evaluation labs, and infrastructure installation and maintenance using CI/CD with Azure DevOps.

Let me remind you that I talked about the fact that Microsoft warns of the growing number of cyberattacks using web shells.

By Vladimir Krasnogolovy

Vladimir is a technical specialist who loves giving qualified advices and tips on GridinSoft's products. He's available 24/7 to assist you in any question regarding internet security.

Leave a comment

Your email address will not be published. Required fields are marked *