Each Threat Simulation Index is a curated list of test cases derived from the threat groups of interest for members of a given industry using MITRE-tracked intelligence. Security Risk Advisors (SRA) collaborates with experts in threat intelligence and cyber defense at targeted organizations to identify priorities for defense testing.
One of the goals of each Threat Simulation Index is to allow organizations to compare objective defense scores against peers. Visit the Defense Success Metric blog post on SRA.io for more information.
Indexes are released once per year. Throughout the year, an Index may receive minor quality of life changes but will not deviate significantly from the initial release. New yearly releases start fresh and are not designed to be compatible with previous releases. Overlap between Indexes in the same industry for different years is incidental, as is overlap across industries.
The following Indexes are available for 2024:
Expand the below section to view Index group compositions
Expand
Financial Services
- Scattered Spider
- LockBit
- ALPHV
- Clop
- Lazarus
- APT41
- SocGholish
Retail & Hospitality
- BianLian
- Scattered Spider
- LockBit
- ALPHV
- Clop
Health
- Scattered Spider
- LockBit
- ALPHV
- Clop
- APT41
- SocGholish
- Mustang Panda
- Dark Angels
- BianLian
OT
- Scattered Spider
- LockBit
- ALPHV
- Lazarus
- Mustang Panda
- Dark Angels
- Sandworm
Indexes are designed to be used by human operators as part of simulated attack scenarios such as purple teams. Operators should have general familiarity with attacker techniques, payload generation, and infrastructure management.
Individual Index requirements can be found in that Index's folder in the REQUIREMENTS.md file.
Indexes can be imported directly into VECTR using the merged YAML document for that Index.
- Operators are free to use their payload generation procedures of choice as long as the resulting payload(s) complies with the general description provided by the test case and its associated documentation.
- Where possible, Operators should avoid using default settings for their tools. This includes, but is not limited to: shellcode, C2 traffic signatures, and default artifacts
- Some test cases can be performed through alternative execution methods. However, Operators should exercise caution in methods that produce significantly different detection artifacts for the core behaviors. For example, executing a .NET payload via an
execute-assembly
style harness is generally acceptable whereas substituting one credential dumping method for another should be avoided.
Test cases are based on MITRE-tracked intelligence and the general process for determining test cases for inclusion is as follows:
- Identify initial list of groups and TTPs with principal members
- Collect then review intelligence report for each group
- Remove anything produced before the look-back period of one year
- Remove reports that do not provide enough information for simulation purposes
- Cut groups lacking intelligence
- Extract TTP information from intelligence reports then develop full test cases for each
- Exclude TTPs that likely do not act as worthwhile simulation candidates
- Filter out items from list to balance plan composition