Hands on Introduction to CALDERA, a Red-Blue Cyber Operations Automation Platform

An ICAPS'22 Tutorial

(half day)

June 15, 2022

Description

Live evaluation of cybersecurity defenses, or red team engagements, can be costly, difficult to commission, and inconsistent in scope, detail, and results. This high overhead prevents many organizations from fully using them despite their benefits. The objective of CALDERA is to enable automated assessment of a network’s susceptibility to an adversary, essentially allowing an organization to see their network through the eyes of attackers on demand. CALDERA features an adversary model that maps to the MITRE ATT&CK® framework and an extensible planning system able to select and execute techniques. Inspired by automated planning methodologies, CALDERA provides a flexible, mature platform for developing adaptive and intelligent cyber agents.

Our tutorial will encourage automated planning researchers to apply their skills to pressing cybersecurity issues. Towards this end, we will introduce attendees to CALDERA, and use CALDERA to automate attacks against an enterprise network. Attendees will learn how CALDERA gathers information and makes decisions, as well as how to modify those capabilities and run their own cybersecurity trials.

Outline

  • Opening
    • Overview of the codebase
    • Install CALDERA into an AWS sandbox
    • Install extensions (defensive deception plugin)
  • CALDERA Agents
    • Deploy agents on AWS VMs, discuss features
    • Configuration options discussion
  • Adversary profiles
    • Adversaries are collections of abilities, often designed to mimic a particular group
    • Inspect an adversary to see how its component abilities can be sequenced to gain control of a network.
    • Walk through an ability and explain how it uses learned facts to execute its function.
  • Operations
    • Operations are the application of an adversary to a group of agents
    • Show configuration options
    • Launch operation and show step output
    • Deploy defensive deceptions (honey credentials, fake machines), re-launch operation to show impact.
  • Planning
    • Walk through CALDERA architecture
    • Map between CALDERA and planning terminologies
    • Work through CALDERA’s planning API with examples.
  • Closing
    • Run through relevant plugins
    • Show the field manual and how the same information on readthedocs is available offline
    • Open Q&A: Work with participants in setting up their own trials, create new planners, etc.
    • Provide contact info / offer general support
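The outline's Adversary profiles, Operations and Planning items all turn on one idea: an adversary is an ordered collection of abilities, but the order in which they actually run is decided by the facts an agent has learned so far, and planted deceptions such as honey credentials show up as facts an automated adversary picks up and acts on. The following is an added toy model of that loop written for this page; it is not CALDERA's code, and the ability names, fact names, agent identifier and decoy values are constructed for illustration.

```python
# Constructed toy model of how an adversary profile (an ordered collection of
# abilities) is sequenced against an agent using learned facts, plus a
# defender-side check for planted decoy values. Written for this page as an
# illustration; it is not CALDERA's code, and every name and value below is
# made up.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ability:
    """One step of an adversary profile.

    requires: fact names that must already be known before the step can run.
    produces: facts the step is assumed to learn when it runs (constructed;
              a real ability would parse the output of a command instead).
    """
    name: str
    requires: frozenset
    produces: dict


@dataclass
class Agent:
    """A host the operation runs on, with the facts learned so far."""
    paw: str
    facts: dict = field(default_factory=dict)


def runnable(ability, facts):
    """An ability is eligible once every fact it requires has been learned."""
    return ability.requires <= set(facts)


def run_operation(adversary, agent):
    """Apply an adversary to one agent.

    Repeatedly execute the first not-yet-run ability whose requirements are
    met, feeding the facts it learns back into the agent. Returns the order
    in which abilities ran; abilities whose requirements are never met are
    skipped, which is what makes the sequence adapt to the host.
    """
    executed = []
    remaining = list(adversary)
    while True:
        ready = [a for a in remaining if runnable(a, agent.facts)]
        if not ready:
            return executed
        step = ready[0]
        agent.facts.update(step.produces)
        executed.append(step.name)
        remaining.remove(step)


def decoy_alerts(agent, decoys):
    """Defender-side check: which learned facts are planted decoy values?

    decoys maps a fact name to the set of decoy values the defender seeded.
    A match means the automated adversary has collected bait, which is the
    signal a deception such as a honey credential is deployed to produce.
    """
    return sorted(
        f"{name}={value}"
        for name, value in agent.facts.items()
        if value in decoys.get(name, set())
    )


# Constructed adversary: three abilities whose profile order is deliberately
# not a valid execution order; the facts decide what runs when.
ADVERSARY = [
    Ability("collect-credentials", frozenset({"host.user.name"}),
            {"host.user.password": "p@ss-decoy-42"}),
    Ability("enumerate-users", frozenset(), {"host.user.name": "svc_backup"}),
    Ability("move-to-fileserver",
            frozenset({"host.user.name", "host.user.password", "remote.host.fqdn"}),
            {"remote.host.session": "sess-1"}),
]

# Constructed decoy registry for the honey-credential scenario in the outline.
DECOYS = {"host.user.password": {"p@ss-decoy-42"}}


def demo():
    """Run the constructed adversary against a fresh agent and check for bait."""
    agent = Agent(paw="abc123")
    order = run_operation(ADVERSARY, agent)
    return order, decoy_alerts(agent, DECOYS)


if __name__ == "__main__":
    order, alerts = demo()
    print("executed:", order)      # enumerate-users, then collect-credentials
    print("decoy alerts:", alerts)  # the planted password was picked up
```

On a fresh agent the third ability never runs because no fact supplies `remote.host.fqdn`; seed that fact and the same profile produces a longer sequence. That is the re-launch comparison the Operations item describes: same adversary, different facts, different plan, and the decoy check is what turns the difference into a detection.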

Bios

Corinne Magone

Corinne Magone is a Lead Cybersecurity Engineer at The MITRE Corporation. She is an architect of CALDERA’s test range creation capability, and an experienced CALDERA instructor.

Ron Alford

Ron Alford is a Lead Autonomous Systems Engineer at the MITRE Corporation. He is the co-PI on a project investigating the use of deception against autonomous systems, and has co-organized several workshops.

Michael Kouremetis

Michael Kouremetis is a Lead Cyber Operations Engineer and Group Lead at the MITRE Corporation who focuses on applying artificial intelligence, data science and software engineering to the cyber domain.