This simulator is built on the Python-based OpenAI Gym interface. The Microsoft 365 Defender Research team developed CyberBattleSim to model how a threat actor spreads laterally across a network after an initial breach.
“The environment consists of a network of computer nodes. It is parameterized by fixed network topology and a set of predefined vulnerabilities that an agent can exploit to laterally move through the network.”
“The simulated attacker’s goal is to take ownership of some portion of the network by exploiting these planted vulnerabilities. While the simulated attacker moves through the network, a defender agent watches the network activity to detect the presence of the attacker and contain the attack,” as explained by the Microsoft 365 Defender Research Team.
To create the simulated environment, researchers define the nodes on the network and specify, for each node, which services are running, which vulnerabilities are present, and how the device is protected.
Automated attacker agents are then introduced into the environment, where they select actions at random and act against the nodes in an attempt to take them over.
While most of these activities would trigger alerts in an XDR or SIEM system, Microsoft believes that the security community can use this simulator to gain a better understanding of how AI can interpret post-breach activity and help defend against it.
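To make the description above concrete, here is a small added example (not code from CyberBattleSim or Microsoft) of what such an environment looks like: a handful of nodes with services, host-firewall rules and planted vulnerabilities, a Gym-style reset()/step() loop, a random attacker agent, and a defender that counts the alerts each noisy action leaves behind and contains the attacker once a threshold is crossed. The topology, node names, vulnerability labels and the alert threshold are all constructed for illustration; the code depends only on the Python standard library.

```python
"""Toy Gym-style lateral-movement environment (added example, not CyberBattleSim code)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Vulnerability:
    name: str      # label for the planted weakness (constructed, not a real CVE)
    service: str   # service on the target node that must be reachable to use it
    noisy: bool    # whether an attempt leaves a trace the defender can alert on


@dataclass
class Node:
    services: frozenset          # services listening on the node
    allowed_inbound: frozenset   # services the node's firewall lets other nodes reach
    vulns: tuple = ()            # planted vulnerabilities on this node


@dataclass
class EpisodeResult:
    owned: frozenset   # nodes the attacker controls at the end of the episode
    alerts: int        # alerts the defender accumulated
    steps: int         # actions taken
    contained: bool    # whether the defender stopped the attacker


def build_sample_network():
    """Constructed sample topology; every name and service here is an assumption."""
    return {
        "workstation": Node(frozenset({"http"}), frozenset({"http"})),
        "fileserver": Node(frozenset({"smb"}), frozenset({"smb"}),
                           (Vulnerability("smb-weak-creds", "smb", noisy=True),)),
        "admin-jump": Node(frozenset({"rdp"}), frozenset({"rdp"}),
                           (Vulnerability("rdp-unpatched", "rdp", noisy=True),)),
        # mysql listens, but the host firewall admits nothing from the network,
        # so this vulnerability is planted yet never reachable
        "dbserver": Node(frozenset({"mysql"}), frozenset(),
                         (Vulnerability("mysql-default-pw", "mysql", noisy=False),)),
    }


class LateralMovementEnv:
    """Minimal reset()/step() interface in the Gym style (no gym dependency)."""

    def __init__(self, network, start, alert_threshold=2, max_steps=20):
        self.network = network
        self.start = start
        self.alert_threshold = alert_threshold
        self.max_steps = max_steps
        self.reset()

    def reset(self):
        self.owned = {self.start}
        self.alerts = 0
        self.steps = 0
        self.contained = False
        return self.observation()

    def observation(self):
        return {"owned": frozenset(self.owned), "alerts": self.alerts}

    def actions(self):
        """Every (target, vulnerability) pair the attacker may try on a node it does not own."""
        return [(name, v) for name, node in self.network.items()
                if name not in self.owned for v in node.vulns]

    def step(self, action):
        target, vuln = action
        self.steps += 1
        node = self.network[target]
        # defender side: a noisy attempt is logged whether or not it succeeds
        if vuln.noisy:
            self.alerts += 1
        # attacker side: the exploit works only if the service is both listening
        # and admitted by the target's host firewall
        reachable = vuln.service in node.services and vuln.service in node.allowed_inbound
        reward = 0.0
        if reachable and target not in self.owned:
            self.owned.add(target)
            reward = 1.0
        # the defender contains the attacker once enough alerts have accumulated
        if self.alerts >= self.alert_threshold:
            self.contained = True
        done = self.contained or self.steps >= self.max_steps or not self.actions()
        return self.observation(), reward, done


def run_random_attacker(env, seed=0):
    """Attacker that picks uniformly at random among the currently available actions."""
    rng = random.Random(seed)
    env.reset()
    done = not env.actions()
    while not done:
        _, _, done = env.step(rng.choice(env.actions()))
    return EpisodeResult(frozenset(env.owned), env.alerts, env.steps, env.contained)


if __name__ == "__main__":
    result = run_random_attacker(LateralMovementEnv(build_sample_network(), "workstation"), seed=7)
    print(result)
```

Two properties of this toy hold for every seed and are worth checking: the firewalled database server is never taken over however many times the attacker tries, and the defender's alert count equals the number of noisy footholds the attacker actually gained, so raising or lowering the threshold directly trades detection latency against how far lateral movement gets before containment.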
“With CyberBattleSim, we are just scratching the surface of what we believe is a huge potential for applying reinforcement learning to security. We invite researchers and data scientists to build on our experimentation. We’re excited to see this work expand and inspire new and innovative ways to approach security problems,” as stated by Microsoft.