Table of Contents
Fetching ...

SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs

David Tayouri, Elad Duani, Abed Showgan, Ofir Manor, Ortal Lavi, Igor Podoski, Miro Ohana, Yuval Elovici, Andres Murillo, Asaf Shabtai, Rami Puzis

TL;DR

SCyTAG presents a framework that bridges CTI-derived attack scenarios and practical, scalable threat assessment by generating a MulVAL-based attack graph and a minimal viable cyber twin for emulation. The approach first extracts attack techniques from CTI, then maps them to Caldera Abilities and MulVAL IRs, constructs a reduced but faithful cyber twin, and finally replays the attack scenario to assess impact. Across real and synthetic topologies, SCyTAG achieves substantial reductions in network components (up to 85% in topology size) while preserving attack fidelity, enabling cost-effective, repeatable testing. This work advances threat analysis by enabling end-to-end CTI-to-emulation pipelines that support what-if analyses, blue-team validation, and vendor audits with scalable runtime efficiency and fidelity.

Abstract

Understanding the risks associated with an enterprise environment is the first step toward improving its security. Organizations employ various methods to assess and prioritize the risks identified in cyber threat intelligence (CTI) reports that may be relevant to their operations. Some methodologies rely heavily on manual analysis (which requires expertise and cannot be applied frequently), while others automate the assessment, using attack graphs (AGs) or threat emulators. Such emulators can be employed in conjunction with cyber twins to avoid disruptions in live production environments when evaluating the highlighted threats. Unfortunately, the use of cyber twins in organizational networks is limited due to their inability to scale. In this paper, we propose SCyTAG, a multi-step framework that generates the minimal viable cyber twin required to assess the impact of a given attack scenario. Given the organizational computer network specifications and an attack scenario extracted from a CTI report, SCyTAG generates an AG. Then, based on the AG, it automatically constructs a cyber twin comprising the network components necessary to emulate the attack scenario and assess the relevance and risks of the attack to the organization. We evaluate SCyTAG on both a real and fictitious organizational network. The results show that compared to the full topology, SCyTAG reduces the number of network components needed for emulation by up to 85% and halves the amount of required resources while preserving the fidelity of the emulated attack. SCyTAG serves as a cost-effective, scalable, and highly adaptable threat assessment solution, improving organizational cyber defense by bridging the gap between abstract CTI and practical scenario-driven testing.

SCyTAG: Scalable Cyber-Twin for Threat-Assessment Based on Attack Graphs

TL;DR

SCyTAG presents a framework that bridges CTI-derived attack scenarios and practical, scalable threat assessment by generating a MulVAL-based attack graph and a minimal viable cyber twin for emulation. The approach first extracts attack techniques from CTI, then maps them to Caldera Abilities and MulVAL IRs, constructs a reduced but faithful cyber twin, and finally replays the attack scenario to assess impact. Across real and synthetic topologies, SCyTAG achieves substantial reductions in network components (up to 85% in topology size) while preserving attack fidelity, enabling cost-effective, repeatable testing. This work advances threat analysis by enabling end-to-end CTI-to-emulation pipelines that support what-if analyses, blue-team validation, and vendor audits with scalable runtime efficiency and fidelity.

Abstract

Understanding the risks associated with an enterprise environment is the first step toward improving its security. Organizations employ various methods to assess and prioritize the risks identified in cyber threat intelligence (CTI) reports that may be relevant to their operations. Some methodologies rely heavily on manual analysis (which requires expertise and cannot be applied frequently), while others automate the assessment, using attack graphs (AGs) or threat emulators. Such emulators can be employed in conjunction with cyber twins to avoid disruptions in live production environments when evaluating the highlighted threats. Unfortunately, the use of cyber twins in organizational networks is limited due to their inability to scale. In this paper, we propose SCyTAG, a multi-step framework that generates the minimal viable cyber twin required to assess the impact of a given attack scenario. Given the organizational computer network specifications and an attack scenario extracted from a CTI report, SCyTAG generates an AG. Then, based on the AG, it automatically constructs a cyber twin comprising the network components necessary to emulate the attack scenario and assess the relevance and risks of the attack to the organization. We evaluate SCyTAG on both a real and fictitious organizational network. The results show that compared to the full topology, SCyTAG reduces the number of network components needed for emulation by up to 85% and halves the amount of required resources while preserving the fidelity of the emulated attack. SCyTAG serves as a cost-effective, scalable, and highly adaptable threat assessment solution, improving organizational cyber defense by bridging the gap between abstract CTI and practical scenario-driven testing.
Paper Structure (55 sections, 7 equations, 8 figures, 10 tables)

This paper contains 55 sections, 7 equations, 8 figures, 10 tables.

Figures (8)

  • Figure 1: SCyTAG architecture.
  • Figure 2: Full UK Office topology (GNS3-based).
  • Figure 3: Reduced UK Office topology (GNS3-based).
  • Figure 4: Attack graph generated for the UK Office topology.
  • Figure 5: Full Bank topology (GNS3-based).
  • ...and 3 more figures