Modular Automated Cyber Range Deployment with Adversary Emulation In Compliance with the Digital Operational Resilience Act (DORA)
Abstract
In the forthcoming Digital Operational Resilience Act (DORA), financial entities and their third-party service providers will be required to comply with best-practice cybersecurity measures. Of these measures, Threat-Led Penetration Tests (TLPTs) were identified as the most advanced; they will be used to assess the cybersecurity posture of a financial entity. However, the identified options available to financial entities for complying with the TLPT requirement were limited and commercial only. This motivated the development of an automated system, built from free and open-source tools, that could assist financial entities in performing TLPTs.
Because TLPTs are comprehensive and their operational requirements are still being developed, this thesis focused on internal TLPTs concerning the digital attack surface. Furthermore, as TLPTs are based on emulating the Tactics, Techniques, and Procedures (TTPs) used by known threat actors, the automated system should be capable of adversary emulation. Specifically, it should be able to provision and configure different IT infrastructures and to perform adversary emulation against those provisioned infrastructures, based on the TTPs used by known threat actors.
For the automated system to provision and configure IT infrastructures such as those used by financial entities, their internal workings would have to be known. However, since the internal workings of financial entities are not publicly disclosed, this proved challenging. Some insight was nevertheless gained from the fact that financial entities commonly use cloud service providers, which implies that their IT infrastructures are compatible with cloud platforms. The goal of this thesis was therefore to make the developed automated system both Operating System (OS) and platform independent, so that it would most likely be able to accommodate the IT infrastructures of financial entities, as well as any other major OS and platform in general.
To address this goal, the automated system was developed with a modular system design using the free, open-source, OS- and platform-independent software tools Ansible, Terraform, Caldera, and Metasploit. To demonstrate the capabilities of the automated system, two test scenarios based on identified types of cyberattacks threatening the EU financial sector were defined, implemented, and tested on two different platforms. One test scenario was based on a system misconfiguration, and the other on a software supply chain attack. The platforms were a virtualization platform and a cloud platform, namely Proxmox Virtual Environment (PVE) and OpenStack. Both test scenarios ran fully automated on both platforms, completing in 11 minutes for the system misconfiguration scenario, and in 14 minutes on PVE and 13 minutes on OpenStack for the software supply chain scenario.
Based on these results, the automated system arguably addressed the motivation and goal of this thesis, with further implications. Because of the modularity of the automated system and the flexibility of the Caldera adversary emulation platform, its use could be extended beyond its intended purpose to cybersecurity training. For cybersecurity training in academia and enterprises, the red team and blue team capabilities of Caldera should be explored, as they could be utilized by participants in training scenarios such as Capture The Flag (CTF) events.