
Automated Repeatable Adversary Threat Emulation with Effects Language (EL)

Suresh K. Damodaran, Paul D. Rowe

TL;DR

The paper tackles the challenge of automatically emulating multi-step adversary TTPs in a repeatable, tool-agnostic way. It introduces Effects Language (EL), a visually defined, directly executable coordination language, and provides a formal execution semantics to drive attack graphs with asynchronous precondition evaluation and distributed execution. A Wizard Spider-based example demonstrates how EL can model, execute, and produce proof-of-attack traces, while experimental results show meaningful reductions in time and labor for initial and repeated emulations. The work delivers a structured, collaborative framework for defensive tool evaluation, cyber range experiments, and what-if analyses, enabling scalable and verifiable threat emulation across diverse environments.

Abstract

The emulation of multi-step attacks attributed to advanced persistent threats is valuable for training defenders and evaluating defense tools. In this paper, we discuss the numerous challenges and desired attributes associated with such automation. Additionally, we introduce the use of Effects Language (EL), a visual programming language with graph-based operational semantics, as a solution to address many of these challenges and requirements. We formally define the execution semantics of EL, and prove important execution properties. Furthermore, we showcase the application of EL to codify attacks using an example from one of the publicly available attack scenarios. We also demonstrate how EL can be utilized to provide proof-of-attack of complex multi-step attacks. Our results highlight the improvements in time and resource efficiency achieved through the use of EL for repeatable automation.

Paper Structure

This paper contains 41 sections, 9 theorems, 11 equations, 9 figures, 4 tables, and 9 algorithms.

Key Result

Theorem 1

At the end of each line of Algorithm alg:main, the sets $I, \widehat{D}, \widehat{A}, F$ partition the nodes of the graph $G$.

Figures (9)

  • Figure 1: Non-goal terminal node
  • Figure 2: EL Example with Annotated Rules
  • Figure 3: EL IDE
  • Figure 4: Roles
  • Figure 5: The standard node state sequence is from inactive to active to fired.
  • ...and 4 more figures

Theorems & Definitions (18)

  • Definition 1
  • Definition 2
  • Definition 3
  • Theorem 1
  • Lemma 1
  • Lemma 2
  • Lemma 3
  • Theorem 2
  • Proof
  • Definition 4
  • ...and 8 more