KR102578421B1 - Method And System for managing of attack equipment of Cyber Attack Simulation Platform - Google Patents

Abstract

The present invention relates to an attack tool management system and method for a cyber attack simulation platform. According to one embodiment, an attack tool management system for a cyber attack simulation platform provides training purposes, trainee levels, and target domain demand requirements in a virtual space. A virtual space simulator that simulates a virtual space by reflecting it, a format definition unit that defines an attack tool that fits a threat model included in at least one scenario in the virtual space created by the virtual space simulator in a preset attack tool format, and the attack tool It includes an execution unit that executes an attack tool defined in a format in a virtual space simulated by the virtual space simulator.

Description

Attack tool management system and method for cyber attack simulation platform {Method And System for managing of attack equipment of Cyber Attack Simulation Platform}

The present invention relates to an attack tool management system and method for a cyber attack simulation platform.

Cyber attack simulation (BAS: Breach and Attack Simulation) technology applied to various fields placed BAS technology in the Innovation Trigger stage in the ‘Threat-Facing Technologies’ hype cycle in 2017 and will be developed within the next 5 to 10 years. It was predicted that the productivity plateau would be reached. Accordingly, leading companies in the field are currently developing solutions and building a market.

According to a survey conducted at a recent RSA conference, many security experts are currently using security equipment and services, but are not sure whether these devices are actually working as intended or whether they are making good use of the functions of the security products they have purchased. In addition, security equipment is too complex and difficult to set up. Therefore, attack simulation technology is needed from a social perspective.

Continuous and consistent testing of security posture is required. Recently, the importance of an approach that strengthens the security of the overall IT environment by identifying attack surfaces through repeated security assessments and establishing response strategies has been emphasized. Therefore, from a technical perspective, attack simulation technology is needed.

In general, government-led cyber warfare training tools are being developed and utilized around the world, such as NCR (DARPA, USA), CyberGym (Israel), and CyRIS (JAIST, Japan).

In addition to Boeing's Cyber Range-in-a-Box and Microsoft's CyberBattleSim, similar cyber attack and defense simulators have been developed by ETH, University of Queensland, University of Arizona, and SkyRadar, and research into AI-based evolved attack and defense technology is an AI-based self-evolving cyber attack and defense platform. -Efforts are being made to discover unknown attacks and secure response technologies through cyber battles that utilize groundbreaking AI technology that evolves on its own through AI-based agent-to-agent games such as AlphaZero/Alphastar.

BAS (Breach&Attack Simulation) technology is being developed to simulate the attack behavior of cyber attacks, but it is far from an actual scenario-based training environment because it is simply carried out through individual execution of attacks.

In addition, there are many technical issues that need to be resolved in developing a cyber attack simulation platform using artificial intelligence technology for cyber security training and establishing an active cyber response strategy.

In addition, current tools for cyber warfare training have limitations in expertise, diversity, repeatability, etc., as attacks and defenses are carried out passively by humans. In addition, research on attack tool formats and attack tool management platforms for executing automated attacks is insufficient.

KR 101460589 B1 KR 1020090001609 A

The present invention was derived from this technical background, and proceeds with a unified definition to automatically execute attack tools for cyber warfare in virtual space, and provides a cyber attack simulation platform for automatic connection of attack tools to a scenario-based virtual space. The purpose is to provide an attack tool management system and method for

The present invention for achieving the above problems includes the following configuration.

That is, the attack tool management system for the cyber attack simulation platform according to an embodiment of the present invention includes a virtual space simulator that simulates the virtual space by reflecting the training purpose, trainee level, and target domain demand requirements in the virtual space; a format definition unit defining an attack tool that fits a threat model included in at least one scenario in the virtual space created by the virtual space simulator as a preset attack tool format; and an execution unit that executes the attack tool defined in the attack tool format in a virtual space simulated by the virtual space simulator. an attack execution determination unit that determines a result value after performing an attack according to the execution result of the attack tool executed by the execution unit; and an attack tool recommendation unit that recommends an attack tool by reflecting a result value after performing an attack identified by the attack execution determination unit according to a simulation scenario in a virtual space suitable for a training purpose, and the execution unit is configured to recommend an attack tool based on the threat model. / Create a virtual attack scenario based on the definition and design information of the defense execution tool requirements, design attack tool management and attack simulation log definitions (pre, post condition for each technique) and schema, and attack execution to execute the attack. Automatically executes attack tools by vulnerability type, including a judgment model for tool interaction, performs attack tool management based on threat models (MITRE ATT&-CK, cyber kill chain, etc.), and inflows cyber kill chain attacks. By further upgrading the attack stages after the stage, it is implemented to support various scenarios including internal infection spread attacks (Lateral Movement), reproduces advanced persistent threat (APT) techniques, and provides characteristics for each attack group. Result data is provided in a visible form for comparison, and the execution department develops execution code for each attack tool to manage customized attack tools in the cyber training range (CR, Cyber Range) (more than 10 types of 1-day exploit-based attack tool modifications) It includes an API module for technology and attack tool database interconnection, presents a penetration test model for combining existing attack tools and additional attack tools to advance the automatic execution technology for attack tools by vulnerability type, and provides a module for creating a full chain of attack tools according to the scenario. Includes, performs some modification functions of additional attack tools for linking with the attack tool management platform, creates at least one defender according to the created attacker, performs cyber warfare according to the scenario, and recommends the attack tool. The part is characterized by identifying the number of nodes that can be selected for attack and the shortest path to the final goal when setting the attack goal, and recommending it when setting the initial scenario.

Meanwhile, in the attack tool management method for a cyber attack simulation platform running on a computer device, the computer device includes at least one processor configured to execute computer readable instructions included in a memory, and the cyber attack simulation platform. The attack tool management method includes simulating a virtual space by reflecting training purposes, trainee levels, and target domain demand requirements in the virtual space; defining an attack tool that fits a threat model included in at least one scenario in the virtual space created in the step of simulating the virtual space in a preset attack tool format; and executing the attack tool defined in the attack tool format in a virtual space simulated in the virtual space simulation step, wherein the processor reflects the training purpose, trainee level, and target domain demand requirements in the virtual space. Virtual space simulator, which simulates virtual space; a format definition unit defining an attack tool that fits a threat model included in at least one scenario in the virtual space created by the virtual space simulator as a preset attack tool format; and an execution unit that executes the attack tool defined in the attack tool format in a virtual space simulated by the virtual space simulator. an attack execution determination unit that determines a result value after performing an attack according to the execution result of the attack tool executed by the execution unit; and an attack tool recommendation unit that recommends an attack tool by reflecting a result value after performing an attack identified by the attack execution determination unit according to a simulation scenario in a virtual space suitable for a training purpose, and the execution unit is configured to recommend an attack tool based on the threat model. / Create a virtual attack scenario based on the definition and design information of the defense execution tool requirements, design attack tool management and attack simulation log definitions (pre, post condition for each technique) and schema, and attack execution to execute the attack. Automatically executes attack tools by vulnerability type, including a judgment model for tool interaction, performs attack tool management based on threat models (MITRE ATT&-CK, cyber kill chain, etc.), and inflows cyber kill chain attacks. By further upgrading the attack stages after the stage, it is implemented to support various scenarios including internal infection spread attacks (Lateral Movement), reproduces advanced persistent threat (APT) techniques, and provides characteristics for each attack group. Result data is provided in a visible form for comparison, and the execution department develops execution code for each attack tool to manage customized attack tools in the cyber training range (CR, Cyber Range) (more than 10 types of 1-day exploit-based attack tool modifications) It includes an API module for technology and attack tool database interconnection, presents a penetration test model for combining existing attack tools and additional attack tools to advance the automatic execution technology for attack tools by vulnerability type, and provides a module for creating a full chain of attack tools according to the scenario. In addition, it performs some modification functions of additional attack tools for linking with the attack tool management platform, creates at least one defender according to the created attacker, performs cyber warfare according to the scenario, and performs cyber warfare according to the scenario. The recommendation unit is characterized by identifying the number of nodes that can be selected for attack and the shortest path to the final goal when setting an attack goal, and making recommendations when setting the initial scenario.

According to the present invention, a unified definition is provided to automatically execute attack tools for cyber warfare in virtual space, and an attack tool management system and method for a cyber attack simulation platform for automatic connection of attack tools to a scenario-based virtual space is provided. The effect of being able to provide it is derived.

In addition, by improving cyber warfare response capabilities, it is possible to overcome the shortage of security experts and the limitations of manual testing for the increasing number of attack points, reduce the social costs of cyber attacks, and lead the market through the development of innovative cyber training simulation technology. possible.

In addition, by creating a new technical workforce that specializes in researching and developing techniques for attack groups other than Threat Hunting and Intelligence, employment can be created by entering the overseas security control and mock hacking market with highly trained personnel, and domestic and foreign products can be created. By replacing the cyber defense and defense market centered on security solutions and standardized defense and defense products, the effect of raising the level of domestic security personnel by nurturing high-level cyber warriors is derived.

Figure 1 is an example diagram for explaining the overall operation of an attack tool management system for a cyber attack simulation platform according to an embodiment of the present invention.
Figure 2 is an example diagram for explaining the configuration of an attack tool management system for a cyber attack simulation platform according to an embodiment of the present invention.
3A and 3B are exemplary diagrams for explaining an attack tool management function according to an embodiment.
Figures 4A to 4C are exemplary diagrams for explaining the operation of an attack tool recommendation unit according to an embodiment of the present invention.
Figure 5 is a flowchart of an attack tool management method for a cyber attack simulation platform according to an embodiment of the present invention.

It should be noted that the technical terms used in the present invention are only used to describe specific embodiments and are not intended to limit the present invention. In addition, the technical terms used in the present invention, unless specifically defined in a different sense in the present invention, should be interpreted as meanings generally understood by those skilled in the art in the technical field to which the present invention pertains, and are not overly comprehensive. It should not be interpreted in a literal or excessively reduced sense.

Hereinafter, preferred embodiments according to the present invention will be described in detail with reference to the attached drawings.

Figure 1 is an example diagram for explaining the overall operation of an attack tool management system for a cyber attack simulation platform according to an embodiment of the present invention.

The cyber attack simulation platform according to an embodiment of the present invention can consistently define an attack tool format for performing automated attacks through simulation in a virtual space where an attack tool agent according to an embodiment is installed. In addition, attack tools in a defined format are provided in the simulation, the results of the attack execution judgment are stored in the results database, and data that is easy to create automated scenarios can be proposed by combining information.

Figure 2 is an example diagram for explaining the configuration of an attack tool management system for a cyber attack simulation platform according to an embodiment of the present invention.

An attack tool management system for a cyber attack simulation platform according to an embodiment of the present invention may be implemented by at least one computer device. The attack tool management method for a cyber attack simulation platform according to an embodiment of the present invention may be performed through at least one computer device 200 included in the cyber attack simulation platform providing system. At this time, the computer program according to one embodiment may be installed and driven in the computer device, and the computer device may perform the method of providing a cyber attack simulation platform according to embodiments of the present invention under the control of the driven computer program. The above-described computer program can be combined with a computer device and stored in a computer-readable recording medium to execute the method of providing a cyber attack simulation platform on a computer.

As shown in FIG. 2 , the computer device 200 may include a memory 210, a processor 220, a communication interface 230, and an input/output interface 240. The memory 210 is a computer-readable recording medium and may include a non-permanent mass storage device such as random access memory (RAM), read only memory (ROM), and a disk drive. Here, non-perishable large-capacity recording devices such as ROM and disk drives may be included in the computer device 200 as a separate permanent storage device that is distinct from the memory 210.

Additionally, an operating system and at least one program code may be stored in the memory 210. These software components may be loaded into the memory 210 from a computer-readable recording medium separate from the memory 210. Such separate computer-readable recording media may include computer-readable recording media such as floppy drives, disks, tapes, DVD/CD-ROM drives, and memory cards. In another embodiment, software components may be loaded into the memory 210 through the communication interface 230 rather than a computer-readable recording medium. For example, software components may be loaded into memory 210 of computer device 200 based on computer programs installed by files received over network 30.

The processor 220 may be configured to process instructions of a computer program by performing basic arithmetic, logic, and input/output operations. Commands may be provided to the processor 220 by the memory 210 or the communication interface 230. For example, processor 220 may be configured to execute received instructions according to program code stored in a recording device such as memory 210. The communication interface 230 may provide a function for the computer device 200 to communicate with other devices (eg, the storage devices described above) through the network 30. For example, a request, command, data, file, etc. generated by the processor 220 of the computer device 200 according to a program code stored in a recording device such as memory 210 is transmitted to the network ( 30) and can be transmitted to other devices. Conversely, signals, commands, data, files, etc. from other devices may be received by the computer device 200 through the communication interface 230 of the computer device 200 via the network 30. Signals, commands, data, etc. received through the communication interface 230 may be transmitted to the processor 220 or memory 210, and files, etc. may be stored in a storage medium (as described above) that the computer device 200 may further include. can be stored in permanent storage).

The input/output interface 240 may be a means for interfacing with the input/output device 250. For example, input devices may include devices such as a microphone, keyboard, or mouse, and output devices may include devices such as displays and speakers. As another example, the input/output interface 240 may be a means for interfacing with a device that integrates input and output functions, such as a touch screen. The input/output device 250 may be configured as a single device with the computer device 200.

Additionally, in other embodiments, computer device 200 may include fewer or more components than those of FIG. 2 . However, there is no need to clearly show most prior art components. For example, the computer device 200 may be implemented to include at least some of the input/output devices 250 described above, or may further include other components such as a transceiver, a database, etc.

Specifically, the processor 220 includes a virtual space simulator 2210, a format definition unit 2220, an execution unit 2230, an attack execution determination unit 2240, and an attack tool recommendation unit 2250.

The virtual space simulator 2210 simulates the virtual space by reflecting the training purpose, trainee level, and target domain demand requirements in the virtual space.

The virtual space simulator (2210) creates a network topology that reflects the complex environmental information of the ICT infrastructure that is the target of attack in accordance with the situation where security threats are increasing in various fields such as defense weapon systems / IoT / smart city. In addition to providing standardized asset types, a virtual space is created so that the attack results can be operated at the same level for the OS, applications, settings, and communication services of the assets in the attack route. In particular, a training center can be created by reflecting demand requirements such as training purpose/trainee level/target domain.

The virtual space simulator 2210 designs the virtual machine processor and peripheral devices (memory, NIC, Flash, etc.).

In addition, it is implemented to define the performance conditions and success traces of cyber attack/defense tools within the simulation virtual space to enable linkage of attack/defense tools suitable for the threat model (ATT&-CK, cyber kill chain). Therefore, it is possible to perform scenario units rather than simply executing tools. In addition, since the scenario module is easy to modify, it can be used as learning data for cyberspace AI.

The virtual space simulator 2210 includes an ICT infrastructure scanner, an environmental state information collector, and a virtual space replication/visualizer. In other words, virtual environment information can be created by collecting attack simulation log information. In other words, the virtual space simulator 2210 collects information on the ICT infrastructure to be protected and creates a virtual space for the ICT infrastructure to be protected. Additionally, we will build a virtual space visualization and ICT virtual space test bed customized for major infrastructure.

The virtual space simulator 2210 includes cyber battlefield ICT infrastructure information collection technology. In addition, it is possible to classify information collected within the cyber battlefield ICT infrastructure, perform behavioral data collection and interface design within the simulator virtual machine, and design a local network-based cyber battlefield network packet collection tool.

The virtual space simulator 2210 can automatically recommend attack tools through initial access, attack execution, authority acquisition, hijacking, and tampering to automate scenario training attacks.

At this time, the virtual space simulator performs simulation according to at least one of at least one simulation scenario.

In one embodiment, the virtual space simulator 2210 selects one of the scenarios that go through the processes of initial access, attack execution, authority acquisition, takeover, and tampering to automate scenario training attacks.

At this time, the virtual space simulator 2210 configures the scenario to provide at least one of the following: a malicious file required for initial access to the victim's virtual machine, a malicious file required to execute an attack, a malicious file required to secure permission, and a malicious file required for takeover and alteration. A simulation can be provided.

The format definition unit 2220 defines an attack tool that fits the threat model included in at least one scenario in a virtual space created by a virtual space simulator as a preset attack tool format. That is, the format definition unit 2220 defines the attack tool format during the cyber attack simulation process. In other words, the format of the attack tool is consistently defined to automate attack simulation.

In one embodiment, the format definition unit 2220 defines a preset attack tool format to derive a unified form of the attack tool by considering the previous scenario, the next scenario, and the target environment.

The execution unit 2230 executes the attack tool defined in the attack tool format in the format definition unit 2220 in the virtual space simulated by the virtual space simulator.

The execution unit 2230 selects an attack tool that fits the threat model included in at least one scenario in the virtual space simulation generated by the virtual space simulator.

The execution unit 2230 may automatically generate an attack scenario based on an attack scenario DB including attack path creation information, attack scenario creation information, and a playbook. That is, it includes attack graph-based attack path generation technology, threat model attack scenario creation technology, attack tool management platform/playbook technology, and scenario-linked attack tool automatic execution technology.

The execution unit 2230 establishes attack behavior definitions and monitoring data by collecting data such as ELF header tampering, tampering, transformation, information collection, persistence, authority theft, process interference, evasion, and malware-specific information.

3A and 3B are exemplary diagrams for explaining an attack tool management function according to an embodiment.

The execution unit 2230 may create a virtual attack scenario based on threat model-based cyber attack/defense execution tool requirements definition and design information.

It is possible to manage attack tools, define attack simulation logs (pre, post conditions for each technique), and design schemas. You can also define trace collection information for each attack tool.

The execution unit 2230 may be implemented to automatically execute attack tools for each vulnerability type, including a decision model for interaction between attack tools to execute the attack.

The execution unit 2230 performs attack tool management based on threat models (MITRE ATT&-CK, cyber kill chain, etc.). In other words, the attack module is implemented in detail. And attack scenarios can be flexibly created by linking each attack module.

The execution unit 2230 further enhances the attack stages after the attack inflow stage of the cyber kill chain and is implemented to support various scenarios, including internal infection spread attacks (Lateral Movement). In addition, it is possible to reproduce advanced persistent threat (APT) techniques and provide result data in a visible form so that the characteristics of each attack group can be compared at a glance.

Additionally, the execution unit 2230 performs a cyber training range (CR, Cyber Range) customized attack tool management function. In other words, it includes development of execution code for each attack tool (more than 10 types of 1-day exploit-based attack tool modification) and API modules for interoperability with the attack tool DB. In order to advance technology for automatic execution of attack tools by vulnerability type, a penetration test model combining existing attack tools and additional attack tools is presented, and a module for creating a full chain of attack tools according to the scenario is included. Additionally, some modifications to additional attack tools can be performed for integration with the attack tool management platform.

Additionally, the execution unit 2230 creates at least one defender according to the created attacker and performs cyber warfare according to the scenario. The execution department (2230) performs cyber attack response strategy establishment technology.

In cyber training range (Cyber-Range) operations, most cyber attack and defense scenarios are operated manually by professional hackers, and advanced responses are possible without restrictions on the hacker's skill level and field of expertise.

According to an attack tool management system for a cyber attack simulation platform according to an embodiment, a platform capable of integrated management of attack techniques (TTP) and mitigation tools (Mitigation) tools for attacks generated in a virtual space simulator; Through interface development, attack scenarios can be reproduced tailored to the characteristics of the target domain.

Additionally, the execution department (2230) performs analysis and design of cyber attack defense tools customized for cyber training sites. In other words, it can include the function of analyzing and deriving requirements for cyber attack defense for each cyber training site, the function of analyzing MITER ATT&CK-based cyber attack types and deriving countermeasures, and the derivation and design of requirements for customized cyber attack response detection/blocking tools.

The attack execution determination unit 2240 determines the result value after performing the attack according to the execution result of the attack tool executed by the execution unit 2230. That is, the attack execution determination unit 2240 determines the result of the defense against the type of attack tool in the execution unit 2230 and determines the result of the attack execution for the cyber warfare scenario in virtual space.

The attack execution determination unit 2240 performs cyber defense strategy and scenario analysis research technology, attack scenario target security evaluation technology, cyber attack response strategy technology, and cyber attack response strategy-based risk management technology.

In other words, it can be linked to a risk management system that derives a cyber attack response strategy according to the security evaluation of the attack scenario target according to the simulation results and stores the attack results and defense results in the response strategy database.

The attack tool recommendation unit 2250 recommends an attack tool by reflecting the result of the attack identified by the attack performance determination unit 2240 according to a simulation scenario in a virtual space suitable for the training purpose. In other words, it is possible to automatically recommend attack tools that fit the current training virtual environment in the scenario.

In one aspect, the attack tool recommendation unit 2250 receives fields for automatically recommending attack tools including an attack target, input values for performing an attack, pre-condition check information for performing an attack, and a result value after performing an attack. . And the attack tool recommendation unit 2250 selects an attack tool that matches at least one condition among the input attack target, input value for attack execution, pre-condition check information for attack execution, and result value field after attack execution in the attack tool database. Detected in

In one embodiment, the execution unit 2230 may automatically execute the selected tool recommended by the attack tool recommendation unit 2260 in the victim virtual machine or the attacker virtual machine. Additionally, the attack execution determination unit 2240 determines the possible node and final target distance for at least one attack tool recommended by the attack tool recommendation unit 2250.

Additionally, the attack execution determination unit 2240 performs cyber attack and defense simulation environment information, data design and development, and simulation evaluation and analysis functions.

In one embodiment, when a training operation scenario is selected to automate a scenario training attack, the attack tool should be configured with an automatic recommender, attack execution agent.

And the attack tool recommendation unit 2250 transmits the recommended attack tool to the execution unit 2230. Then, the execution unit 2230 executes the recommended attack tool and the virtual space simulator 2210 runs the attack execution agent.

Afterwards, the execution unit 2230 may select a training operation scenario to automate scenario training attacks, receive recommended attack tools, and run an attack execution agent. Specifically, the virtual space simulator 2210 can receive input from an administrator such as an instructor or instructor on the steps to be trained in the entire attack training series. The attack tool recommendation unit 2250 automatically recommends attack tools suitable for the current training virtual environment in the simulation scenario selected in the virtual space simulator 2210.

The attack execution agent is executed according to the operation of the execution unit 2230 to simulate the tool selected through automatic recommendation to be executed in a virtual space or on an attacker's virtual machine.

More specifically, the attack tool recommendation unit 2250 includes an attack name as a field item for automatically recommending an attack tool, an attack description (goal) as a field item for automatically recommending an attack tool, a supported OS, and an input for performing an attack. Value (file path, type, default value), precondition check for performing the attack (condition check script), and result value after performing the attack (result check script, type), and additional field items for automatic execution of the attack execution agent. This includes a test to determine whether the attack was successful (judgment test script), attack tool dependency test (dependency test check script, dependency tool installation script), and attack tools (execution commands such as executing malicious files, cleanup commands).

In order to automatically recommend and execute attack tools, a unified form is needed that takes into account the previous scenario, subsequent scenario, and target environment.

The attack tool recommendation unit 2250 can then identify the number of nodes that can be selected for attack and the shortest path to reach the final goal when setting the attack goal, and make recommendations when setting the initial scenario.

Figures 4A to 4C are exemplary diagrams for explaining the operation of an attack tool recommendation unit according to an embodiment of the present invention.

Figure 4a is an example diagram illustrating an attack tool recommendation process using the number of nodes that can be selected for subsequent attacks.

After selecting the initial attack tool and performing the attack, the result value field is passed, and after automatic recommendation of the attack tool is performed, whether the type matches the input value for performing the attack in the attack tool database and whether the value matches the precondition for performing the attack is checked. Confirm.

Then, it extracts the appropriate attack tool and returns the number of type matches and the number of items that do not require input values to perform the attack.

Figure 4b is another example diagram illustrating the attack tool recommendation process in order of the shortest path to the final goal.

After selecting the initial attack tool, additionally enter the attack target and search for attack tools that match the attack goal.

Then, the number of selected tools (distance value) is returned by comparing the distance between the Sinilao classification of the attack target matching tool and the initial attack tool scenario.

Figure 4c is an example diagram showing the attack tool recommendation process.

Attack tools are recommended according to the attack goal entered during the initial approach process, and the possible nodes and final target distances according to the recommended attack tool for each scenario are indicated.

It is possible to automatically recommend attack tools with content for scenario determination as well as for performing attacks using attack tools with the same format rather than executable file type attack tools.

Figure 5 is a flowchart of an attack tool management method for a cyber attack simulation platform according to an embodiment of the present invention.

The attack tool management method for a cyber attack simulation platform running on a computer device first simulates the virtual space by reflecting the training purpose, trainee level, and target domain demand requirements in the virtual space (S500).

Then, in the virtual space created in the virtual space simulation step, an attack tool that fits the threat model included in at least one scenario is defined in a preset attack tool format (S510).

In one aspect, the step of defining the format is defined as a preset attack tool format considering the previous scenario, the subsequent scenario, and the target environment.

Afterwards, the attack tool defined in the attack tool format is simulated in the virtual space simulation step (S520).

Then, the result value after executing the attack is determined according to the execution result of the attack tool executed in the execution stage (S530).

According to the characteristic aspects of the present invention, an attack tool is recommended by reflecting the results after performing the attack identified in the attack execution determination step according to a simulation scenario in virtual space suitable for training purposes (S540).

At this time, the attack tool recommendation step receives fields for automatically recommending attack tools, including the attack goal, input values for performing the attack, pre-condition check information for performing the attack, and result values after performing the attack. In addition, an attack tool that matches at least one condition among the input attack target, input value for attack execution, pre-condition check information for attack execution, and result value field after attack execution can be detected in the attack tool database.

The above-described method may be implemented as an application or in the form of program instructions that can be executed through various computer components and recorded on a computer-readable recording medium. The computer-readable recording medium may include program instructions, data files, data structures, etc., singly or in combination.

The program instructions recorded on the computer-readable recording medium may be those specifically designed and configured for the present invention, or may be known and usable by those skilled in the computer software field.

Examples of computer-readable recording media include magnetic media such as hard disks, floppy disks and magnetic tapes, optical recording media such as CD-ROMs and DVDs, and magneto-optical media such as floptical disks. media), and hardware devices specifically configured to store and perform program instructions, such as ROM, RAM, flash memory, etc.

Examples of program instructions include not only machine language code such as that created by a compiler, but also high-level language code that can be executed by a computer using an interpreter or the like. The hardware device may be configured to operate as one or more software modules to perform processing according to the invention and vice versa.

Although the above has been described with reference to embodiments, those skilled in the art will understand that various modifications and changes can be made to the present invention without departing from the spirit and scope of the present invention as set forth in the following patent claims. You will be able to.

200: computer device 210: memory
220: processor 230: communication interface
240: input/output interface 245: input/output device

Claims (12)

A virtual space simulator that simulates a virtual space by reflecting the training purpose, trainee level, and target domain demand source requirements in the virtual space;
a format definition unit defining an attack tool that fits a threat model included in at least one scenario in the virtual space created by the virtual space simulator as a preset attack tool format; and
an execution unit that executes an attack tool defined in the attack tool format in a virtual space simulated by the virtual space simulator;
an attack execution determination unit that determines a result value after performing an attack according to the execution result of the attack tool executed by the execution unit; and
An attack tool recommendation unit that recommends an attack tool by reflecting the result of the attack identified in the attack execution determination unit according to a simulation scenario in a virtual space suitable for training purposes,
The executive department
Create a virtual attack scenario based on the above threat model-based cyber attack/defense execution tool requirements definition and design information, and design attack tool management, attack simulation log definitions (pre, post conditions for each technique), and schema. do,
To execute an attack, automatic execution of attack tools is performed for each vulnerability type, including a decision model for interaction between attack tools.
Perform attack tool management based on threat models (MITRE ATT&-CK, cyber kill chain, etc.)
By further upgrading the attack stages after the attack inflow stage of the cyber kill chain, it is implemented to support various scenarios, including internal infection spread attacks (Lateral Movement), and uses advanced persistent threat (APT) techniques. Provides result data in a visible form so that you can reproduce and compare characteristics of each attack group.
The executive department
Development of execution code for each attack tool (more than 10 types of 1-day exploit-based attack tool modifications) to manage customized attack tools in cyber training range (CR, Cyber Range) and API module for interconnection with attack tool DB,
In order to advance technology for automatically executing attack tools by vulnerability type, we propose a penetration test model that combines existing and additional attack tools, and include a module for creating a full chain of attack tools according to the scenario.
Performs some modifications to additional attack tools for integration with the attack tool management platform,
Create at least one defender to match the created attacker and conduct cyber warfare according to the scenario.
The attack tool recommendation section
An attack tool management system for a cyber attack simulation platform that is recommended when setting an initial scenario by identifying the number of nodes that can be selected for attack and the shortest path to the final goal when setting an attack goal.
According to claim 1,
The format definition section,
An attack tool management system for a cyber attack simulation platform that defines a preset attack tool format considering the previous scenario, subsequent scenario, and target environment.
delete delete delete delete In a method of managing attack tools for a cyber attack simulation platform running on a computer device,
The computer device includes at least one processor configured to execute computer-readable instructions contained in a memory,
The attack tool management method for the cyber attack simulation platform is:
Simulating a virtual space by reflecting the training purpose, trainee level, and target domain demand requirements in the virtual space;
defining an attack tool that fits a threat model included in at least one scenario in the virtual space created in the step of simulating the virtual space in a preset attack tool format; and
Comprising: executing the attack tool defined in the attack tool format in a virtual space simulated in the virtual space simulation step,
The processor is
A virtual space simulator that simulates a virtual space by reflecting the training purpose, trainee level, and target domain demand source requirements in the virtual space;
a format definition unit defining an attack tool that fits a threat model included in at least one scenario in the virtual space created by the virtual space simulator as a preset attack tool format; and
an execution unit that executes an attack tool defined in the attack tool format in a virtual space simulated by the virtual space simulator;
an attack execution determination unit that determines a result value after performing an attack according to the execution result of the attack tool executed by the execution unit; and
An attack tool recommendation unit that recommends an attack tool by reflecting the result of the attack identified in the attack execution determination unit according to a simulation scenario in a virtual space suitable for training purposes,
The executive department
Create a virtual attack scenario based on the above threat model-based cyber attack/defense execution tool requirements definition and design information, and design attack tool management, attack simulation log definitions (pre, post conditions for each technique), and schema. do,
To execute an attack, automatic execution of attack tools is performed for each vulnerability type, including a decision model for interaction between attack tools.
Perform attack tool management based on threat models (MITRE ATT&-CK, cyber kill chain, etc.)
By further upgrading the attack stages after the attack inflow stage of the cyber kill chain, it is implemented to support various scenarios, including internal infection spread attacks (Lateral Movement), and uses advanced persistent threat (APT) techniques. Provides result data in a visible form so that you can reproduce and compare characteristics of each attack group.
The executive department
Development of execution code for each attack tool (more than 10 types of 1-day exploit-based attack tool modifications) to manage customized attack tools in cyber training range (CR, Cyber Range) and API module for interconnection with attack tool DB,
In order to advance technology for automatic execution of attack tools by vulnerability type, we propose a penetration test model combining existing attack tools and additional attack tools, include a module to create a full chain of attack tools according to the scenario, and additional attacks for linking with the attack tool management platform. Perform some modification functions of tools,
Create at least one defender to match the created attacker and conduct cyber warfare according to the scenario.
The attack tool recommendation section
An attack tool management method for a cyber attack simulation platform that is recommended when setting an initial scenario by determining the number of nodes that can be selected for attack and the shortest path to the final goal when setting an attack goal.
According to claim 7,
The step of defining the format is,
An attack tool management method for a cyber attack simulation platform that defines a preset attack tool format considering the previous scenario, subsequent scenario, and target environment.
delete delete delete delete