URSID: Using formalism to Refine attack Scenarios for vulnerable Infrastructure Deployment
Pierre-Victor Besson, Valérie Viet Triem Tong, Gilles Guette, Guillaume Piolle, Erwan Abgrall

TL;DR
This paper introduces URSID, a formal approach to generate deception platforms by translating attack scenarios into deployable vulnerable architectures, enhancing research and defense capabilities.
Contribution
It presents a novel method to refine attack scenarios into deployable infrastructures using formal descriptions and architecture constraints.
Findings
Successfully deployed a scenario inspired by APT-29
Demonstrated the feasibility of formal scenario translation
Provided an online proof of concept tool
Abstract
In this paper we propose a novel way of deploying vulnerable architectures for defense and research purposes, which aims to generate deception platforms based on the formal description of a scenario. An attack scenario is described by an attack graph in which transitions are labeled by ATT&CK techniques or procedures. The state of the attacker is modeled as a set of secrets he acquires and a set of nodes he controls. Descriptions of a single scenario on a technical level can then be declined into several different scenarios on a procedural level, and each of these scenarios can be deployed into its own vulnerable architecture. To achieve this goal we introduce the notion of architecture constraints, as some procedures may only be exploited on systems presenting special properties, such as having a specific operating system version. Finally, we present our deployment process for…
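The attacker-state, technique-level graph and architecture-constraint model the abstract describes, as an added illustration that is not code from the paper or its proof-of-concept tool: the architecture, the procedure names and their constraints are constructed, and the ATT&CK technique IDs serve only as edge labels. It shows how one technique-level scenario is declined into the procedure-level variants a given architecture can actually host, and how a scenario is rejected when no procedure fits a node.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class State:
    """Attacker state as in the abstract: secrets acquired and nodes controlled."""
    secrets: frozenset = frozenset()
    nodes: frozenset = frozenset()
@dataclass(frozen=True)
class Transition:
    technique: str     # ATT&CK technique label carried by the graph edge
    target: str        # node the step is carried out against
    need: State        # precondition on the attacker state
    gain: State        # what the attacker acquires when the step succeeds
    procedures: tuple  # candidate (name, architecture constraints) pairs
def applicable(constraints, props):
    """Architecture constraint check: every required property must match the node."""
    return all(props.get(k) == v for k, v in constraints.items())

def walk(scenario, start=State()):
    """Validate the technique-level graph and return the final attacker state."""
    st = start
    for t in scenario:
        if not (t.need.secrets <= st.secrets and t.need.nodes <= st.nodes):
            raise ValueError(f"{t.technique}: precondition not met in state {st}")
        st = State(st.secrets | t.gain.secrets, st.nodes | t.gain.nodes)
    return st

def refine(scenario, arch):
    """Decline one technique-level scenario into every procedure-level variant the architecture allows."""
    choices = []
    for t in scenario:
        ok = [name for name, c in t.procedures if applicable(c, arch[t.target])]
        if not ok:
            return []  # a step has no procedure matching its target node: not deployable
        choices.append(ok)
    return list(product(*choices))  # one tuple of procedure names per variant
# Constructed architecture and scenario (hypothetical labels and constraints).
F = frozenset
ARCH = {"web01": {"os": "linux", "web_app": "legacy_cms"},
        "db01": {"os": "windows", "version": "2016"}}
SCENARIO = (
    Transition("T1190", "web01", State(), State(nodes=F({"web01"})),
               (("cms_upload_flaw", {"web_app": "legacy_cms"}),
                ("framework_deserialisation", {"web_app": "php_framework"}))),
    Transition("T1552", "web01", State(nodes=F({"web01"})), State(secrets=F({"db_password"})),
               (("creds_in_config", {"os": "linux"}), ("creds_in_history", {"os": "linux"}))),
    Transition("T1078", "db01", State(F({"db_password"}), F({"web01"})), State(nodes=F({"db01"})),
               (("rdp_logon", {"os": "windows"}), ("winrm_logon", {"os": "windows"}))),
)
```

With ARCH as constructed, the first step has a single applicable procedure and the other two have two each, so refine() yields four procedure-level scenarios; swapping web01 to a Windows node leaves the second step without a matching procedure and the scenario is reported as not deployable.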
Taxonomy
Topics: Information and Cyber Security · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
