Skade: A scenario generator for threat hunting training
Duration: October 2022 — December 2025
Cyber Threat Hunters are Made, not Born
Cyber threat hunting offers a proactive defense to advanced cyber attacks. But cyber threat hunting is difficult, and requires training. This project will develop a threat hunting training capability, with a prototype for instantiating threat hunting scenarios. The prototype will be evaluated in terms of its difficulty settings, and in terms of trainee learning.
One kind of proactive cyber defense is based on hunting down the cyber threats, rather than passively waiting for alarms to go off. However, cyber threat hunting is difficult and requires training. That statement is especially true for threat hunting in national defense and homeland security, where the threats are especially advanced and serious. This project aims to develop a capability for conducting cyber threat hunting training. The capability will consist of a prototype, called Skade, capable of instantiating different threat hunting training scenarios in a cyber range. The scenarios include threats of varying difficulty, different amounts of threat intelligence, and various sensors. The prototype will be evaluated by generating some of the scenarios, and using them in training. Evaluations will concern both how well the difficulty settings match the perceived difficulty of trainees, and how much trainees learn from the scenarios.
The most advanced cyber threats are not detected by automated defense mechanisms. Instead, those threats must be hunted down by tool-assisted humans who look for artifacts which signify compromise. The threat hunters must have the ability to piece together different signs, hypothesize about likely attack vectors, keep up-to-date about the threat picture, use various software tools, and reason about novel threats. In other words, a threat hunter’s job is difficult. To manage this difficulty, it is essential that threat hunters receive appropriate training.
The project will develop a prototype application capable of managing threat scenario descriptions, interaction with emulators, interaction with training instructors, and interaction with trainees. Additionally, the project will write four papers describing: important aspects for threat hunting training; how the aspects relate to each other; how the aspects impact training difficulty; and how users perceive the training produced by the Skade prototype.
The Skade prototype will be available for use in MSB’s threat hunting trainings for both new, and improving, threat hunters within organizations in Swedish civil defense.
The Skade prototype will build on existing tools for threat emulation such as MITRE’s CALDERA and FOI’s Lore, as well as FOI’s environment emulation the cyber range Crate. The data produced in the design and evaluation of the protype can also inform these tools, as well as FOI’s research on automating defense.
Funding and Collaboration
The project funding is approximately 5 million SEK (eq. 500 000 USD). The research is part of MSB’s bilateral agreement on research and development with US Department of Homeland Security (DHS). The DHS Cybersecurity and Infrastructure Security Agency (CISA), and MITRE, will provide expert advice, and access to threat emulation tools as necessary. FOI and MSB will share research results with the DHS.