Security Unlocked 6.30.21
Ep 34 | 6.30.21

Simulating the Enemy


Nic Fillingham: Hello and welcome to Security Unlocked. A new podcast from Microsoft, where we unlock insights from the latest in news and research from across Microsoft Security Engineering and Operations teams. I'm Nic Fillingham.

Natalia Godyla: And I'm Natalia and Godyla. In each episode, we'll discuss the latest stories from Microsoft Security, deep dive into the newest threat intel, research and data science.

Nic Fillingham: And profile some of the fascinating people working on artificial intelligence in Microsoft Security.

Natalia Godyla: And now let's unlock the pod.

Nic Fillingham: Hello listeners. Hello, Natalia. Welcome to episode 34 of Security Unlocked. Natalia, how are you?

Natalia Godyla: I'm doing well, thanks for asking. And hello everyone.

Nic Fillingham: On today's episode, we have Principal Threat Researcher from the MSTIC Group, Roberto Rodriguez, who is here to talk to us about SimuLand, which is a new open source initiative, uh, that Roberto, uh, announced and discuss in a blog post from may the 20th, 2021. Natalia, you've got a, an overview here of SimuLand. Can you give us the TLDR?

Natalia Godyla: Of course. So SimuLand is like you said, an, an open source initiative at Microsoft that helps security researchers test real attack scenarios, and determine the effectiveness of the detections in products such as Microsoft 365 Defender, Azure Defender and Azure Sentinel, with the intent of expanding it beyond those products in the future.

Nic Fillingham: And Roberto, obviously we'll sort of expand upon that in the interview. Uh, one of the questions we asked Roberto is how did this all begin? And it began with an email from someone in Roberto's team saying, "Hey Roberto, could you write a blog post that sort of explains the steps needed to go and, uh, deploy a lab environment that reproduces some of these techniques?" And Roberta said, "Sure." And started writing. And he got to about page 80. Uh, you got 80 pages in and decided, "You know what, I think I can probably turn this into, uh, a set of scripts or into a tool." And that's sort of the kickoff of the SimuLand project. There's obviously more to it than that, which Roberto will go into, uh, in the interview. The other thing we learned, Natalia is Roberto might have taken the crown as the busiest person in, in security.

Natalia Godyla: He certainly does. And, uh, lucky us, we get to ask him questions about all of the open source projects that he's been working on. So we'll do a little bit of a Harbor cruise through those projects in addition to SimuLand and this episode.

Nic Fillingham: And with that, on with the pod.

Natalia Godyla: On with the pod.

Nic Fillingham: Welcome to the Security Unlocked podcast, Roberto Rodriguez. Thanks for your time.

Roberto Rodriguez: Yeah. Thank you. Thank you. Thank you for having me here.

Nic Fillingham: Yeah. We'd love to start with a quick intro. If you could tell the audience, uh, about yourself, about your role at Microsoft and, and what is your day-to-day look like?

Roberto Rodriguez: Sure. Yeah. So my name is Roberta Rodriguez. Um, I'm a Principal Threat Researcher for the Microsoft Threat Intelligence Center, known as MSTIC, and I'm part of the R&D team. And my day-to-day, uh, is very interesting. There's a lot of things going on. So my role primarily is to empower all their security researchers in my organization to do, for example, some of their development of detections, performing research in general. So I tend to follow my day-to-day into... I kind of like breaking it down into a couple of pieces. Like the whole research methodology has several different steps.

Roberto Rodriguez: So what I do is I try to innovate in some of those steps in order to expedite the process, trying to maybe come up with some new tools that they could use. And at the same time, I like to dissect adversary tradecraft, and then try and just to take that knowledge and then share it with others and trying to collaborate with other teams as well. Not only in MSTIC, but yeah, but across like other teams at Microsoft as well.

Natalia Godyla: Thank you for that. And today we're here to talk about one of the blogs you authored on the Microsoft Security blog, SimuLand understand adversary tradecraft, and improve detection strategies. So, um, can we just start with defining SimuLand? What is SimuLand?

Roberto Rodriguez: Yep. So SimuLand is an open source initiative. It's, it's a project that started just as a blog post to talk about, for example, an end-to-end scenario where we can start mapping detections to it. So we decided to take that idea and started sharing more scenarios with the community, showing them a little bit how, for example, like a threat actor could go about it and trying to compromise the specific, you know, resources either in Azure or on Prem. And then try to map all that with some of the detections that we have, trying to validate detections and alerts from different products from the 365 Defenders security, Azure Defender.

Roberto Rodriguez: And of course, Azure Sentinel at the end, trying to, trying to bring all those data sources together and then allow also not only people at Microsoft, but outside, right? Customers or people even trying to use trial licenses to understand the, you know, the power of all this technology together. Because usually, you know, when you start thinking about all these security products, we always try to picture them like as isolated products. So the idea is how we can start providing documentation to deploy lap environments, walk them through a whole scenario, map the... For example, attack behavior to detections, and then just showcase what you can do with, you know, with all these products.

Roberto Rodriguez: Um, that's kind of like the main idea. And of course I, some of the output could be understanding, you know, the adversary in general, trying to go deep beyond just alerts. Because our goal also is not just to say, "Oh, this attack action happens. And then this alert triggers." The idea is to say first, you know, let's validate those alerts, but then second, we want you to go through and analyze the additional data, additional context that gets created in every single step, because at the same, you know, it will be nice to see what people can come up with.

Roberto Rodriguez: You know, there's a lot of different data sets being showcased through this, you know, type of lab environments that, you know, for example, we believe that there could be other use cases that you can create on the top of all that telemetrics. So that's what we want to expose all that documentation that has helped us, for example, to do internal research. When I joined Microsoft, there was not much so I would say from a lap environment that was fully documented to deploy and then just try to use it right away when there is an incident, for example, or just trying to do research in general. So my idea was why can't we share all this with a community and see if they could also benefit because we're using this also internally.

Nic Fillingham: I, I'd love to actually just quickly look at the name. So SimuLand, I'm assuming that's a portmanteau or is it, is it an acronym? Tell me how you got to SimuLand. Because I think that may actually also help, you know, further clarify what this is.

Roberto Rodriguez: Yeah. So, yeah, SimuLand, uh, it's I believe, you know, it comes from as... Well, it has also some contexts around Spanish. Uh, so in Spanish we say simulando. So simulando means simulating something.

Nic Fillingham: Okay.

Roberto Rodriguez: But at the same time, I feel that SimuLand, the idea was to say, deploy this environment, which could turn into a, let's say like a land out there that it's, it's primarily to simulate stuff and to start, you know, learning about adversary trade graph. So it's kind of like the SimuLand, like the simulating land or the land of the simulation. And then also in Spanish, they simulando. So it has a couple of different meanings, but the, the main one is this is the land where you can simulate something and then learn and learn about that simulation in general.

Roberto Rodriguez: So that, that was kind of like the thought that, you know, when behind it, not probably too much, but, uh, (laughs) that was idea. And I think that people liked it. I think it just stayed with the project. So-

Nic Fillingham: And, and given that you're s- you're simulating sort of the threat space is, is this land that's being simulated? Is this your sort of sovereign, uh, land to protect? Or is this the, is this the actual sort of the theater of cyber war? Like what are you simulating here? Are you're simulating the attacker's environment. Are you simulating your environment? Are you simulating both?

Roberto Rodriguez: Yeah, it's a great question. So we're trying to, primarily of course you simulate, let's say an organization that has, for example, like on-prem resources that are trying to connect to an Azure cloud infrastructure, for example. So simulating that environment first, but then at the same time, trying to execute some of those, for example, actions that I threat actor could take in order to compromise the environment. And of course that could come with some of the tools that are used also by, you know, known threat actors who trying to stay with public tools. So things that are already out there, things that have been also identified, but a few threads reports out there as well.

Roberto Rodriguez: So we're trying to use what others also could use right away. You know, we don't want to, you know, of course share code or applications that no one has seen ever out there. So the idea is to primarily simulate the full organization environment, like an example of, of what that environment will look like, but then at the same time use public tools to perform some actions in the environment.

Natalia Godyla: So, as you said before, you're exposing a lab environment that you had been leveraging internally at Microsoft so the community can benefit from it. What was the community using before in order to either test these products or do further research?

Roberto Rodriguez: Sure. So I would say that there is a lot of different communities that we're building, let's say, like, for example, some active directory environments, uh, trying to simulate the creation of different, you know, windows endpoints, um, on a specific domain. And then they were using a lot of open source tools, for example, like, you know, things such as Sysmon from a windows perspective, like, oh, it's squarely also in windows, but then on other platforms. But at the same time, what I wanted to do is why can't we use that, which people are used to trying to use open source tools or just open tools.

Roberto Rodriguez: And then at the same time trying to use, uh, for example, enterprise, security controls or products in general. That type of, uh, simulation of a full end-to-end scenario, I have not seen it before. I have seen, for example, some basic examples of one, let's say, um, you know, scenario from Microsoft Defender, evaluation labs, for example, they have a service where you can simulate two to four computers with MDE, which is Microsoft Defender for endpoint, those scenarios existed, but there was nothing out there that could have everything in one place.

Roberto Rodriguez: So we're talking about Microsoft Defender for Endpoint, identity, Microsoft Defender for cloud application security, Azure Defender. And then on the top of that, Azure Sentinel detections, all that together was not out there. Once again, there was just a couple of scenarios, lap environments that were touching a few things, but he was not covering the whole framework or the whole platform to test all these different detections. But at the same time, how you can work with everything at once, because that's also one of the goals of the project is we always hear, for example, once again, detections from one product only, but then there is a lot that you can do when you have one detection from MDE, one detection from Azure Sentinel, MDI, et cetera, all that additional context was not public yet before SimuLand.

Roberto Rodriguez: So that's what I was trying to do. Is to bring all this in one place and, and, you know, bringing everything to the SimuLand. (laughs)

Nic Fillingham: Is there a particular scenario Roberto, that you can sort of walk us through that's sort of gonna, gonna fully cover the gamut of what SimuLand can do?

Roberto Rodriguez: Yes, yes. Definitely. So there is one scenario in there. We're trying to, to of course, you know, add more scenarios to this, uh, platform. So the only one that we have in there is what I call golden SAML two, you know, still for example, or 4J SAML token, and then use that in order to, for example, modify Azure ID applications in order to then use those applications to access mail data, for example. So that's one scenario. The, the main part is golden SAML. That's scenario for example, what we're trying to do with SimuLand is to first make sure that we prepare whoever is using SimuLand to understand what it is that you need before you even try to do anything.

Roberto Rodriguez: Right? Because usually we try to jump directly to the simulation and trying to let's say, attack an environment, but there is a lot of pieces that you need to happen before, right? So SimuLand gives you what is called preparation. So in preparation, and you understand all the licensing that you might need, not every scenario needs, uh, we'll need, let's say an enterprise license, or there's going to be a couple of scenarios where are going to be simple. So not too much going on in there, but next step is how to deploy an environment. So once you take care of the licensing, once you take care of, for example, what are the additional resources that you might need to stand up before you deploy a full environment? So now we can deploy it.

Roberto Rodriguez: We provide also Azure resource manager templates. So arm templates to let's say first document the environment as code, and then be able just to deploy it with a few commands, um, rather than trying to do everything manually, which is time consuming and is too complex to, to figure it out. The next step of once we have the environment, then we can start for example, running a few actions. So if we go to golden SAMLs, a golden SAMLs starts with let's for example, use a compromised account that was the one handling the Active Directory Federation Services, for example, in the organization on Prem, then we take that and then we start, for example, accessing the database where we can instill the certificate to sign tokens.

Roberto Rodriguez: Once we get that, then we can go through that whole scenario step-by-step as we go executing every single action, we can start identifying detections, images of what it would look like on MDI, MD, MDE, MKAZ, Azure Sentinel, all the way to even show you some additional settings that you might need to potentially enable if you want to collect more telemetry. And then at the end, which is, you know, closest scenario with, you know, showing you what it is that you did. And then, uh, at the same time, all the alerts that trigger or the telemetry that was available.

Roberto Rodriguez: And since we are sharing a full environment where everything is running, then you can just go back to the environment and go deeper. Maybe do some forensics, maybe do some additional incident response actions. So that, that will be, I would say the, the end-to-end thing with SimuLand, what you can do once you jump into the project.

Natalia Godyla: And so for users who've jumped into SimuLand and gone through some of the scenarios, what is your intent for the users once they have these results, what's the use case for them and how do you want them to interact with your team as well? How do you want the community to get involved?

Roberto Rodriguez: Yes, that's a great question. So initially what we want to people using SimuLand is once again, go beyond just the alerts. Because alerts, which is one thing that will trigger, we're taking care of all that. So wherever is using, for example, the Microsoft 365 Defender products in general, you know, they are protected with all these detections, right? But my goal is for a researcher or a security analyst to go deeper into that telemetry once again, around in a specific, uh, so I run a specific on alerts so that they can learn more about the adversary behavior in general.

Roberto Rodriguez: Usually we just see the alert and then we stop and then we just started the incident and then we pass it to somebody else. I want people to dive into the, you know, all this telemetry that is being collected and they start putting together that whole adversary tradecraft, for example. Understanding the behavior to me is, is very important. There is a lot of different things that you can do with a telemetry already in SimuLand. So that's just one of the goals. The second goal is to see if you're even ready for those types of, you know, alerts. For example, what do you do if you get all these four or five alerts in your environment? How do you respond to that?

Roberto Rodriguez: So these could also be part of our training exercise, for example. So there is a couple of things that you can do in there. Another scenario could be, you know, exporting all the data that is being collected and then probably use it for some demos. Once again, also for some training, focusing a lot on trying to understand and learn the adversary tradecraft. Like for me, that's very important once again, because we don't just want to learn about one specific indicator of compromise, we want to make sure that we're covering, uh, scenarios that would allow us to, you know, respond and understand techniques or at the tactical level.

Roberto Rodriguez: Um, and then from a collaboration with us, I believe that, you know, one could be trying to give us some feedback and see what else we could do with these scenarios. There is a couple of people in the community, for example, that are sharing some cool detections on the top of the stuff that we already developed. There is a lot of detections being insured through Azure Sentinel GitHub, through enter 65, advanced square is GitHub. And there is people just building things on the top of that. So we would like to hear more of those scenarios and maybe include all those to SimuLand so that we can make SimuLand also a place where we can share those schools, those cool detections ideas that people might have.

Roberto Rodriguez: And that could be shared also with others using the environment. Everything I would say from a communication perspective happens through GitHub through issues. Anything that anybody would like to add or probably request, any features. It will be nice. We had one person asking us about, can we add, for example, Microsoft Defender, so MDO, which is Microsoft Defender for Office 365, I think it is. And so those, you know, for example, products, something that I had not added yet. So that's something that is coming. So, uh, invest the type of collaboration that I expect from the community as well.

Natalia Godyla: And what's on the roadmap for simulant? What's next for evolving the project?

Roberto Rodriguez: Yeah. So SimuLand has a couple of things that are coming out. So one is going to be automation, automation from the execution of attacker actions. So right now the deployment is automated. I would say, I would say 90% of the deployment is automated. There is a few things that are kind of hard to automate right now. And it's just a simple, just like a few more clicks on the top of the deployment. But from the attacker's perspective, we wanted to make SimuLand a project where you can walk someone through the whole process. These are the actions that take place in the whole simulation, and then you can start exploring one-by-one.

Roberto Rodriguez: So it's a very manual process to, to go through the SimuLand labs, for example. So one thing that we wanted to do is to automate those steps, those attacker actions, because, you know, we have, for example, a few people that are taking advantage of how modular SimuLand is that they do not want to deal with preparation and deployment. All they wanna do is take the execution of the actions and then just plug them into their own environment. Because they say, I already have the same deployment. Well, yeah. A similar deployment with all the tools that you ask to be deployed. Why not? Can I just take the attacker actions and then just to start a learning or maybe do it in a schedule base, right?

Roberto Rodriguez: Like every Friday we execute a few scenarios. So that turned into, uh, a new project, which I'm going to be releasing in Black Hat, 2021 in August. That project is called Cloud Katana. And that's a project where I will be using Azure functions to execute actions automatically. And then the other thing that we have for SimuLand is data export. So what I wanna do also is share the data that gets generated after going through the whole SimuLand scenarios, and then just give it to the community. Because I believe that we also have a few conversations with people from the community that say, you know what, I don't have the environment to deploy this.

Roberto Rodriguez: You know, for example, I don't have resources to, you know, learn about all, you know, all of this, my company doesn't want to somehow, I don't know, support these type of projects, right? So a lot of things, you know, people are having some obstacles as well, right? To try to use these things, even like having a subscription in Azure might be an obstacle or constraint for a lot of people. So why not just give them the data with all the actions that were taken, all the alerts that were collected by Azure Sentinel, and then allow them to use, for example, plain Python code or PowerShell or Jupiter notebooks on the top of that, like, you know, to analyze the data, build visualizations from the top.

Roberto Rodriguez: So we want to empower those that also, you know, my want to use it, but do not have the resources to do it. So that's also, you know, second thing in the, uh, uh, in the list for SimuLand. The other thing is going to be, so we have, uh, have a lot of things going on, but, (laughs) the, the other thing is going to be, how can we provide a CICD pipeline for the deployment? That's critical because want to make sure that people can plug these into, for example, Azure DevOps, and then they can just have the environment running and they may be, you know, bring the deployment down, you know, bring it up every week and then run a few scenarios, bringing down again.

Roberto Rodriguez: So we wanted to make sure that he's also flexible for those too, right, to work with. And what else. And I think that the last thing that we have would, would be trying to see if we can integrate more products from Microsoft, and just share, uh, more scenarios. We have two or three coming, uh, hopefully in the next couple of months and it's going to be fun. Yeah. We have a lot of stuff in there. (laughs)

Nic Fillingham: Tell me how you built SimuLand and then worked a full-time job in the MSTIC team. Was this actually a special project that you're assigned to, or was this all extra curricular? A little column A, little column B?

Roberto Rodriguez: (laughs) Yeah. So once again, when I started right, these conversations, so I, I mentioned that my role is to also empower others and help to, you know, develop, you know, environments for research, because I love to do research as well, like dissecting. Yeah. Adversary tradecraft is pretty cool. And then the question was just, "Hey, can you build this environment?" Just a simple email? And I was like, "Yeah, I can do that." And I just, to be honest, it took me maybe a week or two to figure it out the infrastructure, and then maybe took me, uh, probably close to a month to write down the whole scenario and make sure that I have the PowerShell scripts that were actually working.

Roberto Rodriguez: So let's say probably two months it, it took me to do this. It was extra curriculum activities. (laughing?) Definitely besides what I was doing already. Um, and it was fun. I mean, it was fun because that's what I love to do. So some of my boss is super cool, you know, letting me do all this research and then allow me just to also spend some time and trying to get some feedback from also our internal team and other teams as well. So yeah. So it turned into just as a question, can you do this? And I love those questions and somebody says, can you do this? I was like, I would say yes, but then I don't know what I'm getting myself into. And that's the fun part of it.(laughs)

Nic Fillingham: Before we, before we sort of wrap up here, we're a better, are there any projects that you're working on right now or you're contributing to that you can, you can talk about?

Roberto Rodriguez: Yeah. So I would say from an open threat research perspective, there's a project called Modeler. So Modeler is a project where I decided to every time I execute or go through my research process, and, and then let's say learn about a specific attack technique, I can collect the data. And then I share those datasets through that project. So for other people that would like to learn about those techniques, they can just access the data directly. So you can learn about adversaries through the data instead of trying to go through a whole process to like to emulate or simulate an adversary.

Roberto Rodriguez: Which for a lot of people, it's, it's not that easy. So, you know, so for me, I wanted to find ways to expedite that process. Uh, so that project is something that I'm, you know, revamping, uh, soon. So I'm, I'm collecting more data sets from the cloud. Most of my datasets were windows base. I have a couple of from Linux. I have some from AWS, but I wanted to get more from, you know, from Azure. So SimuLand datasets are going to live in Modeler project. So, you know, anything that, you know, gets out of SimuLand, contributed directly to an open source project as well.

Roberto Rodriguez: So that's one of them. And the other one is Cloud Katana, which is the one that I talked about a couple of minutes ago. So Cloud Katana, the automation of SimuLand attack actions, that one I'm spending, uh, a lot of time to, uh, that one will be released under Azure, but this is still going to be open source. So that's also something that we want to provide to the community to use. And let's say there is a, all the projects too. Yes, I have another project. So it is a project called OSSCM, O-S-S-C-M. And OSSCM is a project that I started to document telemetry that I use during research.

Roberto Rodriguez: So I believe that a lot of people that want to dive into the technicians and the starring the, you know, defender world, they need to understand the data before they want to make the decisions of like building detections. So my goal with that project was to first document events that I use from different platforms. At the same time, I wanted to create a standardization like common data model for data sets, which by the way, Azure Sentinel is building their common data models through this project OSSCM. So it's also one of our interesting collaboration and opportunities that we have. Uh, Azure Sentinel reaching out to the community and saying, "Hey, instead of Pfizer reinventing the wheel, can we explore your project?" Which is OSSCM.

Roberto Rodriguez: And then the third part of OSSCM is also a way to document, for example, you know, relationships that we identify in data. So when you want to build, for example, detections, most of the time you want to understand what events can I use to build a chain of events that would actually give me context around an attack behavior. So what we do is we explore the data, we identify relationships and we just document them through that project. So that way somebody else could actually use it and understand what can they do with that telemetry.

Roberto Rodriguez: So I would say, once again, you learn about that telemetry, you standardize your telemetry, and at the same time, we give you some ideas into what you can do with our telemetry to build detections. So that's another project. Last one would be, (laughs) yeah, last one would be another-

Nic Fillingham: There's more?

Roberto Rodriguez: Yes. There's one more. (laughing)

Nic Fillingham: Do you sleep, man? When do you sleep?

Roberto Rodriguez: It is being hard but I try to manage my time for sure and do that, but it is, uh, a another project, it's private right now, but it's going to be public, uh, soon. It's going to be through the open threat research community as well. This project is a way to collaborate with, for example, researchers in the community that build offensive security tools or just tools to do, for example, you know, red teaming, they want to use those tools to perform certain actions in, in, in, in a specific environment.

Roberto Rodriguez: So we want to, you know, collaborate and partner with them and start documenting those tools in a way that we can share with others in the community. So for example, me as a researcher, dissecting adversary tray graph, like all, all the techniques and the behavior behind on a specific tool or a specific technique, it takes time. Like for me, like it would take probably a couple of weeks to dissect all the modules of one tool. So the goal is to why don't we partner with the authors of those tools, we document those, uh, tools and then we can start also sharing some potential ideas into how to detect those scenarios.

Roberto Rodriguez: That way we, you know, we expedite the research, right? We do it, let's say in a private setting with a lot of researchers from the community, and then we just distribute that, that knowledge across the world. So that way we also help and expedite that whole process. So open through research, we have data. Now we have knowledge, we have infrastructure and then we have a way to share it with our community. So it's like a whole kind of like the main parts of your, you know, research process, but we want to give it a community touch to the, you know, you know, to all this. And that's, and that's it. So I have a couple more, but that's, (laughing) that's kinda like another project that it's, it's, it's coming soon. So-

Nic Fillingham: I, I think we're going to have to let you go, Roberto. 'Cause if you're just going to get back in today's projects and start submitting some more contributions.(laughing) But before we do that, I want to, I want to circle back to SimuLand, and again, for folks listening to SimuLand, um, they're going to get rid of the blog post. We'll put the link in the, in the show notes. Tell me, what is your dream contribution? What is sort of the first scenario that you want sort of contributed back into this project?

Nic Fillingham: Or sort of, where are you really hoping that the community will come and rally around either a particular scenario or some sort of other... Who is the person you, you want to be listening to this podcast right now and go like, "Oh yeah, I can do that." What's that one thing you need, or you're really looking for?

Roberto Rodriguez: Well, actually two things. So one is the automation of, of the attacker actions. It will be, uh, uh, a dream, I would say because I'm, I'm building it on the top of Azure infrastructure. So it will be easier to plug in into your environments to kind of like, you know, periodically do some testing and then map it to SimuLand scenarios. So you have like the full end to end, uh, the environment. You have the labs preparation infrastructure as code all the way to even automating those, um, you know, validation of analytics, for example.

Roberto Rodriguez: That, that, that's one that even though it's something that it's been done in other places, I think the way how it's going to be done through, through Azure functions is going to be very, very interesting because we're going to have potentially not only attack our actions being automated, but we could maybe have some detections being automated on the top of that. So instead of releasing a tool that will only be used, let's say to attack, right, and a specific environment, we can use a tool that can do both to attack and defend the, uh, the environment.

Roberto Rodriguez: So usually you see one or the other. One tool to attack or one to defend. The automation that I'm planning to, to release, which would be one of the dreams is to be able to attack and defend automatically. And I think that that would link also very nicely with projects like CyberBattleSim. So that's also one of the dreams is how can we, uh, for example, document SimuLand in a way that could help us create synthetic scenarios that CyberBattleSim can use and then drop an agent and then learn about the most efficient path to take? Because that's, you know, CyberBattleSim, right?

Roberto Rodriguez: They build environments, synthetic environments to then, you know, teach an agent to take the most efficient path through like, you know, rewards and, and, you know, all this stuff. So SimuLand, the dream would be to connect also those projects. How can, you know how you can have these nice process where you can SimuLand can provide the adversary, tradecraft knowledge, all the, for example, preconditions and all the, the context that is needed to create a CyberBattleSim scenario, and then improve a model to, for example, automate some of that execution of attacks.

Roberto Rodriguez: And then that model can then be used through Cloud Katana to then execute those paths automatically. And then at the end, you can have some detections on the top where you can apply a similar context. Because SimuLand comes with the attack and detections. So we might find a way to create a data model where we could say, here's the attack here, all detection. So we can maybe build something also with CyberBattleSim the same way. And the other one, so the other dream bug is for me in SimuLand would be, since I was talking to a few coworkers today about this, um, that it would be nice to maybe provide SimuLand as a service for customers or also for, you know, people in the community.

Roberto Rodriguez: It will be nice to have a platform that people can just access and start learning about these, these tools, these, these data, uh, necessarily not give somebody of course control to execute something. We take care of the execution, but then just expose all this telemetry in a way that is easier for those that, you know, might not have the resources. I love to do things, to build things that would help others to, you know, to do more. So I think that that will be also one of the dreams is how can we just take SimuLand and then just make it a service for, you know, for the community.

Roberto Rodriguez: That would be pretty cool. So if anybody is listening, (laughs) and, and, you know, would like to make that happen, it would be amazing to have SimuLand as a service for those that don't have the resources like schools, uh, you know, like has anybody in general, the community that, you know, would like to, you know, learn more about this.

Natalia Godyla: Wow. Roberto, you're going to be busy.

Roberto Rodriguez: Yes. (laughs)

Natalia Godyla: For anyone who hasn't watched episode 26, we did discuss CyberBattleSim there. So if that peaked your interest, definitely check out that episode and Roberto, as we wrap up here, are there any resources, Twitter handles that folks can follow to continue to watch your work or maybe join the threat research community?

Roberto Rodriguez: Yes, yes. Yes. So my Twitter handle is Cyb3rWard0g with a three and the zero. So instead of the E and the O. So Cyb3rWard0g in Twitter. So there is what I share everything that I do is through there. Um, if you want to join the community, we would love to, you know, learn from you and collaborate, go to the Twitter handle OTR. So OT and then R_community. And then they're in the profile and description of the Twitter handle, you have a better link for the, uh, for the discourse invite. So the moment you join that discord, all you have to do is just accept the code of conduct. We want to make sure that we're inclusive, which is welcome everybody.

Roberto Rodriguez: And if you agree with that, just click the 100% emoji, and then you have access to, to, (laughing) and then you have access to all these channels where you can, you know, ask questions about open source projects. So that's the best way to collaborate.

Natalia Godyla: Awesome. Thank you. We'll definitely drop those links in the show notes. And thank you again for joining us on the show today, Roberto.

Roberto Rodriguez: No, thank you for having me. This was amazing. Um, I had never had the opportunity to talk about a lot of projects. Uh, usually it's a one project and then we will see when we talk about. So this has been nice. So thank you very much. I really appreciate it. And I hope to see you guys in another episode.

Nic Fillingham: We hope so too. Thanks for Roberto.

Roberto Rodriguez: Thank you.

Natalia Godyla: Well, we had a great time unlocking insights into security from research to artificial intelligence. Keep an eye out for our next episode.

Nic Fillingham: And don't forget to tweet us @msftsecurity, or email us at, with topics you'd like to hear on a future episode. Until then, stay safe.

Natalia Godyla: Stay secure.