Threat Simulation Indexes
What is a Threat Simulation Index?
Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry. SRA collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify techniques which should be prioritized for defense testing. Each Index evolves over time as the threat landscape changes for an industry.
One of the goals of each Threat Simulation Index is to allow organizations to compare objective scores against peers. Visit the Defense Success Metric blog post on SRA.io for more detail.
Simulation vs Emulation
Why would you execute a Threat Simulation Index of 50-70 Test Cases vs emulating a specific Adversary?
Both have value. Adversary Emulation is a great exercise at a certain defense maturity level. One challenge with emulation is that executing 30+ Test Cases per threat actor, with a lot of defense overlap between them, may not be the best use of your defenders' time during Purple Team exercises.
Each Threat Simulation Index Test Case is intended to be actionable, repeatable, and cover a critical attack vector recently used by attackers. The methodology used to create each index is outlined in SRA's Threat Simulation Index GitHub repository.
Importing an Index to VECTR
Download a Threat Simulation Index YAML file
Indexes are available at SRA's Threat Simulation Index GitHub repository. Additional content such as MITRE ATT&CK Navigator layers and CSV summaries is provided in each industry index section.
Financial Services Threat Simulation Index
The latest Financial Services Threat Simulation Index YAML file is available here.
Health Threat Simulation Index
The latest Health Threat Simulation Index YAML file is available here.
Import the Index YAML File to VECTR
Navigate to Library -> Import Data.
Attach the Threat Simulation Index YAML file to the file upload field.
Click submit and note the newly imported Campaign Templates.
Creating a Threat Simulation Index Assessment
You will need team members with operational familiarity with a variety of Red Team Tools and Defense Tools in your environment to run many of the prescribed Test Cases.
Review VECTR documentation on Environments and make sure you've selected the Environment where you want to record this Assessment.
Navigate to the Assessments page and click New Assessment.
Select the Threat Simulation Index you wish to test from the 'From Template' dropdown on the Create New Assessment dialog. Then fill out Name, Description, etc. as desired and click 'Save'.
Click the Assessment name to view all Campaigns within that Assessment.
Click the Campaign name to go to the Campaign View.
Click a Test Case in the escalation diagram or the Test Case table.
Prepare to execute the Red Team side of a Test Case. Note the target. Click play in the top left for status, then execute the test case manually, then click stop.
Using the start time, stop time, and target of the attack, review your Defense Tools for events, detections, and alerts. Record the appropriate Outcome with any desired notes and then save the Test Case.
Continue for all Test Cases in the Assessment.
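The review step above (start time, stop time, and target checked against Defense Tool records) can be scripted when the tools can export their records. The following is an added example, not part of VECTR or SRA's material; the record fields, the event/detection/alert labels, the sample data, and the 10-minute grace period are all assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data, all timestamps assumed to be UTC.
# Test case windows as noted from the play/stop clicks and the target.
TEST_CASES = [
    {"name": "TC-A", "target": "ws01",
     "start": "2024-05-01T14:00:00", "stop": "2024-05-01T14:05:00"},
    {"name": "TC-B", "target": "srv02",
     "start": "2024-05-01T14:10:00", "stop": "2024-05-01T14:12:00"},
    {"name": "TC-C", "target": "db03",
     "start": "2024-05-01T14:20:00", "stop": "2024-05-01T14:25:00"},
]
# Records exported from a defense tool (hypothetical fields: time, host, kind).
TELEMETRY = [
    {"time": "2024-05-01T14:01:10", "host": "ws01", "kind": "event"},
    {"time": "2024-05-01T14:09:30", "host": "WS01", "kind": "alert"},  # late
    {"time": "2024-05-01T13:50:00", "host": "srv02", "kind": "alert"},  # too early
    {"time": "2024-05-01T14:11:00", "host": "srv02", "kind": "event"},
    {"time": "2024-05-01T14:21:00", "host": "ws01", "kind": "alert"},  # wrong host
]
# Strongest evidence wins; illustrative labels, not VECTR Outcome values.
RANK = {"event": 1, "detection": 2, "alert": 3}


def review(test_case, telemetry, grace=timedelta(minutes=10)):
    """Return (strongest kind or 'none', matching records) for one test case.

    grace extends the window past the stop time, because alerts often reach
    the console some minutes after the activity that triggered them.
    """
    start = datetime.fromisoformat(test_case["start"])
    end = datetime.fromisoformat(test_case["stop"]) + grace
    target = test_case["target"].lower()
    hits = [r for r in telemetry
            if r["host"].lower() == target
            and start <= datetime.fromisoformat(r["time"]) <= end]
    best = max((r["kind"] for r in hits),
               key=lambda k: RANK.get(k, 0), default="none")
    return best, hits


def summarize(test_cases, telemetry, grace=timedelta(minutes=10)):
    """Map each test case name to the strongest evidence found for it."""
    return {tc["name"]: review(tc, telemetry, grace)[0] for tc in test_cases}


if __name__ == "__main__":
    for name, best in summarize(TEST_CASES, TELEMETRY).items():
        print(f"{name}: {best}")
```

The result is a starting point for the analyst, who still decides which Outcome to record in VECTR; a grace period that is too long can attribute one test case's alert to a later test case run against the same target.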