Automated Adversary Emulation: A Case for Planning and Acting with Unknowns
June 2018
Topics: Cybersecurity, Network Security, Information Security, Software Engineering, Systems Engineering
Adversary emulation assessments offer defenders the ability to view their networks from the point of view of an adversary. Because these assessments are time consuming, there has been recent interest in the automated planning community on using planning to create solutions for an automated adversary to follow. We deviate from existing research within the work under the CALDERA project, and instead argue that automated adversary emulation—as well as automated penetration testing—should be treated as both a planning and an acting problem. Our argument hinges on the fact that adversaries typically have to manage unbounded uncertainty during assessments, which many of the prior techniques do not consider. To illustrate this, we provide examples and a formalism of the problem, and discuss shortcomings in existing planning modeling languages when representing this domain. Additionally, we describe our experiences developing solutions to this problem, including our own custom representation and algorithms. Our work helps characterize the nature of problems in this space, and lays important groundwork for future research.