Adversary emulation is an essential procedure for cybersecurity assessments such as evaluating an organization's security posture or facilitating structured training and research in dedicated environments. To allow for systematic and time-efficient assessments, several approaches from academia and industry have worked towards the automation of adversarial actions. However, they exhibit significant limitations regarding autonomy, tactics coverage, and real-world applicability. Consequently, adversary emulation remains a predominantly manual task requiring substantial human effort and security expertise - even amidst the rise of Large Language Models. In this paper, we present Bounty Hunter, an automated adversary emulation method, designed and implemented as an open-source plugin for the popular adversary emulation platform Caldera, that enables autonomous emulation of adversaries with multi-faceted behavior while providing a wide coverage of tactics. To this end, it realizes diverse adversarial behavior, such as different levels of detectability and varying attack paths across repeated emulations. By autonomously compromising a simulated enterprise network, Bounty Hunter showcases its ability to achieve given objectives without prior knowledge of its target, including pre-compromise, initial compromise, and post-compromise attack tactics. Overall, Bounty Hunter facilitates autonomous, comprehensive, and multi-faceted adversary emulation to help researchers and practitioners in performing realistic and time-efficient security assessments, training exercises, and intrusion detection research.

翻译：对手仿真是网络安全评估中的关键流程，例如评估组织的安全态势或在专用环境中促进结构化培训与研究。为实现系统化且高效的评估，学术界和工业界的多种方法致力于对手行为的自动化。然而，这些方法在自主性、战术覆盖范围和实际应用性方面存在显著局限。因此，即使在大语言模型兴起的背景下，对手仿真仍主要依赖人工操作，需要大量人力投入和安全专业知识。本文提出Bounty Hunter，一种自动化对手仿真方法，设计并实现为流行对手仿真平台Caldera的开源插件，能够自主仿真具有多面行为的对手，同时提供广泛的战术覆盖。为此，它实现了多样化的对手行为，例如不同级别的可检测性以及在重复仿真中变化的攻击路径。通过自主攻陷模拟企业网络，Bounty Hunter展示了其在无目标先验知识的情况下实现给定目标的能力，包括预攻陷、初始攻陷和攻陷后攻击战术。总体而言，Bounty Hunter促进了自主、全面且多面性的对手仿真，有助于研究人员和从业者进行现实且高效的安全评估、培训演练和入侵检测研究。