CALDERA – Automated Adversary Emulation System

CALDERA is an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project. These features allow CALDERA to dynamically operate over a set of systems using variable behavior, which better represents how human adversaries perform operations than systems that follow prescribed sequences of actions.

CALDERA is useful for defenders who want to generate real data that represents how an adversary would typically behave within their networks. Since CALDERA’s knowledge about a network is gathered during its operation and is used to drive its use of techniques to reach a goal, defenders can get a glimpse into how the intrinsic security dependencies of their network allow an adversary to be successful. CALDERA is useful for identifying new data sources, creating and refining behavioral-based intrusion detection analytics, testing defenses and security configurations, and generating experience for training.

Architecture

CALDERA consists of:

  • Server
    • Planner – Decision engine allowing CALDERA to chose actions
      • Attacker Model – Actions available based on ATT&CK
      • World Model – Representation of the environment
    • Execution Engine – Drives actuation of techniques and updates the database
    • Database – Stores knowledge learned about the environment
    • HTTP Server
  • Clients
    • Agent – Client on endpoint systems used for communication
    • RAT – Remote access tool used during operations to emulate adversary behavior

Supported Adversary Actions by CALDERA


Project Slides can be found here : Link 

Project Demo

Reference Link to Project : Source GitHub

%d bloggers like this: