CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.
CALDERA is useful for defenders who want to generate real data that represents how an adversary would typically behave within their networks. Since CALDERA’s knowledge about a network is gathered during its operation and is used to drive its use of techniques to reach a goal, defenders can get a glimpse into how the intrinsic security dependencies of their network allow an adversary to be successful. CALDERA is useful for identifying new data sources, creating and refining behavioral-based intrusion detection analytics, testing defenses and security configurations, and generating experience for training.
Architecture
CALDERA consists of:
- Server
- Planner – Decision engine allowing CALDERA to chose actions
- Attacker Model – Actions available based on ATT&CK
- World Model – Representation of the environment
- Execution Engine – Drives actuation of techniques and updates the database
- Database – Stores knowledge learned about the environment
- HTTP Server
- Planner – Decision engine allowing CALDERA to chose actions
- Clients
- Agent – Client on endpoint systems used for communication
- RAT – Remote access tool used during operations to emulate adversary behavior
Supported Adversary Actions by CALDERA
Project Slides can be found here : Link
Project Demo
Reference Link to Project : Source GitHub
Comments are closed.