Skip to content

Threat Simulation Indexes

What is a Threat Simulation Index?

Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry. SRA collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify techniques which should be prioritized for defense testing. Each Index evolves over time as the threat landscape changes for an industry.

One of the goals of each Threat Simulation Index is to allow organizations to compare objective scores against peers. Visit the Defense Success Metric blog post on SRA.io for more detail.

Simulation vs Emulation

Why would you execute a Threat Simulation Index of 50-70 Test Cases vs emulating a specific Adversary?

Both have value. Adversary Emulation is a great exercise at a certain defense maturity level. One challenge with emulation is executing 30+ Test Cases per threat actor with a lot of defense overlap may not be the best use of your defender's time during Purple Team exercises.

Each Threat Simulation Index Test Case is intended to be actionable, repeatable, and cover a critical attack vector recently used by attackers. The methodology used to create each index is outlined in SRA's Threat Simulation Index GitHub repository.

Importing an Index to VECTR

Download a Threat Simulation Index YAML file

Indexes are available at SRA's Threat Simulation Index GitHub repository. Additional content such as MITRE ATT&CK Navigator layers and CSV summaries is provided in each industry index section.

Financial Services Threat Simulation Index

The latest Financial Services Threat Simulation Index YAML file is available here.

Health Threat Simulation Index

The latest Health Threat Simulation Index YAML file is available here

Import the Index YAML File to VECTR

  1. Navigate to Administration -> Import Data -> File Import VECTR import data

  2. Attach the Threat Simulation Index YAML file to the file upload field. VECTR attach file

  3. Click submit and note the newly imported Campaign Templates. VECTR note new campaign templates

Creating a Threat Simulation Index Assessment

Tip

You will need team members with operational familiarity with a variety of Red Team Tools and Defense Tools in your environment to run many of the prescribed Test Cases.

Prerequisites

Review VECTR documentation on Databases and make sure you've selected the Database where you want to record this Assessment.

Testing

  1. Navigate to the Assessments page and click New Assessment VECTR create assessment

  2. Select the Threat Simulation Index you wish to test from the 'From Template' dropdown on the Create New Assessment Dialog. Then fill out Name, Description, etc as desired and click 'Save' VECTR create assessment detail

  3. Click the Assessment name to view all Campaigns within that Assessment. VECTR navigate assessment

  4. Click the Campaign name to go to the Campaign View. VECTR navigate campaign

  5. Click a Test Case in the escalation diagram or the Test Case table VECTR view test case

  6. Prepare to execute the Red Team side of a Test Case. Note the target. Click play in the top left for status, then execute the test case manually, then click stop. VECTR navigate campaign

  7. Using the start time, stop time, and target of the attack, review your Defense Tools for events, detections, and alerts. Record the appropriate Outcome with any desired notes and then save the Test Case. VECTR navigate campaign

  8. Continue for all Test Cases in the Assessment.