Microsoft: This New Open Source Tool Helps You Test Your Defences Against Hacker Attacks
Microsoft has released SimuLand, an open-source project which aims to help security teams reproduce known attack scenarios - and test just how good Microsoft's core security products are.
SimuLand is a set of lab environments that allow researchers to test their Microsoft defenses. The framework can be used by researchers to test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections.
Microsoft plans to add more attack scenarios in future, but said the aim of the project is to help security teams understand the underlying behavior and functionality of adversary tradecraft, and identify mitigations and attacker paths by documenting preconditions for each attacker action, and thus validate and tune detection capabilities.
Currently, it only includes the environment for "Golden SAML AD FS Mail Access" — an attack on Microsoft's Active Directory Federation Services (AD FS) authentication scheme. That's a notable one, which affects Microsoft 365, and something similar was used in conjunction with the SolarWinds software supply chain attack that impacted FireEye and Microsoft.
The US and UK accused Russian intelligence of the SolarWinds attack. As FireEye explained last month, the hackers stole the token-signing certificate from an organization's AD FS server, which let them bypass MFA and access Microsoft cloud services as if they were an approved user. The attack took advantage of the way on-premises AD servers authenticate users to cloud-based Microsoft 365 services, such as email.
According to Microsoft, its tool will allow researchers to "simulate an adversary stealing the AD FS token signing certificate, from an 'on-prem' AD FS server, in order to sign SAML token, impersonate a privileged user and eventually collect mail data in a tenant via the Microsoft Graph API."
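A forged token in this scenario is signed with the genuine, stolen certificate, so the cloud tenant's signature check passes; what a defender can do is correlate the federated sign-ins the tenant accepted with the tokens the AD FS server actually issued. The following is an added illustration of that correlation, not code from the article or from SimuLand; the log records and field names (`assertion_id`, `upn`, `issued`, `seen`, `mfa_claimed`) are constructed for the example.

```python
"""Constructed example: flag federated sign-ins that AD FS never issued (a Golden SAML indicator)."""
from datetime import datetime, timedelta

# Constructed sample: assertions the on-prem AD FS server recorded as issued (hypothetical fields)
ADFS_ISSUED = [
    {"assertion_id": "_a1", "upn": "alice@contoso.test", "issued": "2021-05-20T10:00:05Z"},
    {"assertion_id": "_a2", "upn": "bob@contoso.test", "issued": "2021-05-20T10:07:40Z"},
]

# Constructed sample: federated sign-ins the cloud tenant accepted (hypothetical fields)
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "upn": "alice@contoso.test", "seen": "2021-05-20T10:00:09Z", "mfa_claimed": True},
    {"assertion_id": "_a2", "upn": "bob@contoso.test", "seen": "2021-05-20T10:07:44Z", "mfa_claimed": False},
    # Token signed with the stolen certificate: the tenant trusts it, but AD FS has no issuance record
    {"assertion_id": "_zz9", "upn": "admin@contoso.test", "seen": "2021-05-20T13:15:00Z", "mfa_claimed": True},
]


def _ts(value):
    """Parse the constructed ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unissued_signins(issued, signins, window=timedelta(minutes=5)):
    """Return cloud sign-ins with no matching AD FS issuance (same assertion ID and user, within `window`).

    The MFA claim inside a forged token is attacker-controlled, so the function reports it alongside
    each hit rather than trusting it: a sign-in that claims MFA but was never issued is the worst case.
    """
    index = {(e["assertion_id"], e["upn"].lower()): _ts(e["issued"]) for e in issued}
    suspicious = []
    for s in signins:
        issued_at = index.get((s["assertion_id"], s["upn"].lower()))
        if issued_at is None or abs(_ts(s["seen"]) - issued_at) > window:
            suspicious.append({**s, "reason": "no AD FS issuance event" if issued_at is None else "outside window"})
    return suspicious


if __name__ == "__main__":
    for hit in find_unissued_signins(ADFS_ISSUED, CLOUD_SIGNINS):
        print(f"{hit['upn']}: assertion {hit['assertion_id']} ({hit['reason']}, mfa_claimed={hit['mfa_claimed']})")
```

In a real deployment the two inputs would come from the AD FS server's issuance telemetry and the tenant's sign-in logs; the join key and time window depend on which fields those sources actually expose.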
Microsoft promises that SimuLand will "extend threat research using telemetry and forensic artifacts generated after each simulation exercise."
Future improvements to the project include:
- A data model to document the simulation steps in a more organized and standardized way.
- A CI/CD pipeline with Azure DevOps to deploy and maintain infrastructure.
- Automation of attack actions in the cloud via Azure Functions.
- Capabilities to export and share telemetry generated with the InfoSec community.
- Microsoft Defender evaluation labs integration.
Azure Sentinel, Microsoft's cloud-based security information and event management (SIEM) system, is also in focus: SimuLand will help users map out threats in Sentinel when investigating an attack.