Detection Engineering Overview
This document describes the detection engineering program for LME — the goals, design, and implementation stages.
Goals
- Implement a Detection Engineering Environment for repeatable experiments
- Build a map of threats for LME users based on the MITRE ATT&CK framework
- Integrate threats into MITRE Caldera replayable scripts
- Ensure overlapping detections and applicable mitigations for threat attack scripts
- Integrate attack and detection into regression tests for the CI/CD pipeline
Stretch Goals
- Increase complexity of attacks to Stage 2 and support Active Directory / router virtual machine templates
- Increase attack complexity to Stage 3 and support internet-style attack simulations
What is Detection Engineering?
Detection engineering is about creating a culture, as well as a process, for developing, evolving, and tuning detections to defend against current threats.
It involves the following steps:
- Identify threats
- Collect logs / visibility
- Build mitigations
- Validate they work
- Repeat as needed
How Detection Engineering Supports LME Users
Active Defense
- Create documentation to answer "what do I do with LME for X defense need?"
- Develop detections and response capabilities for applicable threats
- Define the threats that users need mitigations for today
Actionable Visibility
- Expand documentation for logging types
- Expand coverage for types of ingestion to PCAPs, syslog, cloud, etc.
- Confirm that users can see activity
Components

- We begin with a simulation that emulates an actor and its behavior in a virtual network environment.
- This produces:
  - Repeatable cyber range configuration
  - Logs of activity
  - Detections to notify on attack activity
  - Attacker profile to understand what the attack emulates
  - Attack script to re-run the attack
- Those pieces feed into GitHub CI/CD for validation
- The detections and actor profile feed into data LME users can use for:
  - Dashboard understanding
  - Forensic reports to understand how to use LME
  - Alerts to notify on similar malicious activity
  - Wazuh mitigations to stop attacks
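The regression step described above, where an attack profile, the range's logs, the detections and their mitigations are checked together, can be illustrated with a small coverage gate. The following is an added example, not LME project code: the ATT&CK technique list in the profile, the log lines, the rule names and the mitigation names (stand-ins for Wazuh active-response entries) are all constructed here for illustration. The check fails the build if any technique the script exercises produced no firing detection, or if a detection that fired has no mitigation mapped to it.

```python
"""
Added example (not LME project code): a minimal CI regression gate of the
kind the Components section describes. An attack profile lists the ATT&CK
techniques an emulation script replays; a constructed log sample stands in
for the telemetry the range produced; detection rules are matched against
the logs; the gate reports techniques with no firing detection and
detections with no mitigation mapped. All IDs and names are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Detection:
    name: str
    technique: str           # ATT&CK technique ID the rule is meant to cover
    pattern: "re.Pattern"    # matched against each log line
    mitigation: Optional[str]  # hypothetical Wazuh active-response name, or None

# Constructed attack profile: techniques the (hypothetical) emulation script replays.
ATTACK_PROFILE = {
    "name": "constructed-stage1-profile",
    "techniques": ["T1059.001", "T1003.001", "T1021.002", "T1566.001"],
}

# Constructed Windows-style telemetry, as the range might have logged it.
SAMPLE_LOGS = [
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -enc SQBFAFgA",
    "EventID=10 SourceImage=C:\\tools\\dump.exe TargetImage=C:\\Windows\\system32\\lsass.exe "
    "GrantedAccess=0x1010",
    "EventID=4624 LogonType=3 IpAddress=10.0.0.5 TargetUserName=svc_backup",
    "EventID=4688 NewProcessName=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe",
]

# Constructed detection rules; the last one deliberately has no mitigation mapped.
DETECTIONS = [
    Detection("encoded_powershell", "T1059.001",
              re.compile(r"powershell.*\s-enc(odedcommand)?\s", re.I),
              "wazuh-ar-kill-process"),
    Detection("lsass_access", "T1003.001",
              re.compile(r"TargetImage=.*\\lsass\.exe", re.I),
              "wazuh-ar-isolate-host"),
    Detection("smb_remote_logon", "T1021.002",
              re.compile(r"EventID=4624 LogonType=3"),
              None),
]

def run_detections(logs, detections):
    """Return {detection name: [matching log lines]} for every rule that fired."""
    hits = {}
    for d in detections:
        matched = [line for line in logs if d.pattern.search(line)]
        if matched:
            hits[d.name] = matched
    return hits

def coverage_report(profile, logs, detections):
    """Compare what the profile exercised with what the detections saw."""
    hits = run_detections(logs, detections)
    fired_by_technique = {}
    for d in detections:
        if d.name in hits:
            fired_by_technique.setdefault(d.technique, []).append(d.name)
    undetected = [t for t in profile["techniques"] if t not in fired_by_technique]
    unmitigated = [d.name for d in detections if d.name in hits and d.mitigation is None]
    return {
        "fired": fired_by_technique,
        "undetected_techniques": undetected,
        "unmitigated_detections": unmitigated,
    }

def regression_passes(report):
    """CI gate: every replayed technique was detected and every firing detection has a mitigation."""
    return not report["undetected_techniques"] and not report["unmitigated_detections"]

if __name__ == "__main__":
    report = coverage_report(ATTACK_PROFILE, SAMPLE_LOGS, DETECTIONS)
    for technique, names in report["fired"].items():
        print(f"{technique}: detected by {', '.join(names)}")
    print("undetected techniques:", report["undetected_techniques"])
    print("detections without mitigation:", report["unmitigated_detections"])
    print("regression gate:", "PASS" if regression_passes(report) else "FAIL")
```

On the constructed input the gate fails for two distinct reasons, which is the point of running it in CI: the profile replays T1566.001 but no rule covers it, and the SMB logon rule fires but has no mitigation behind it. Each gap maps back to a concrete item in the goals list (overlapping detections, applicable mitigations), so a failing build tells the engineer which side of the pipeline to extend.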
Implementation Stages
Stage 0 — Foundations
Lay the infrastructure foundations described above.
Stage 1 — Simple Range
Single VLAN, basic endpoint telemetry, Caldera agent enrollment.

Stage 2 — Active Directory
Add domain controllers and router VMs for more realistic network topology.

Stage 3 — Volt Typhoon Simulation
Internet-style attack simulation with advanced threat emulation.

Further Reading
- Ludus Range Experiment — deploying the Stage 1 validation range
- Range Configuration Reference — VM inventory and Ludus config details
- MITRE Caldera
- LME on GitHub
- Ludus Documentation