Sequences & Evaluations

Sequences

Sequences are groups of Actions that are meant to model or mimic the behavior of a real threat actor. It's very common for Sequences to leverage multiple steps of the kill chain, such as showing the initial infection, followed by lateral movement, and ending with data exfiltration. Actions need to be grouped and ordered correctly in these situations, or correlation technologies may not recognize the behavior or attack. Sleep Actions can be included to more closely model user and adversary behavior, and to further test the effectiveness of your correlation technologies. You can view the Security Validation-provided Sequences within the Director by going to Library > Sequences.


The Sequence Library

When you select a Sequence, you see that Sequence's VID added to the Sequence Library's URL. You can use the /simulation/<VID>?sim_type=sequence format to quickly view Sequences by replacing the VID in the URL or bookmarking the URL.

Video: Run a Sequence

Evaluations

Evaluations are groups of Actions that focus on testing specific network defenses, specific parts of the MITRE ATT&CK Framework, or behaviors associated with Threat Actors. For example, you might have all your SQL injection Actions in an Evaluation. Another example is an Evaluation that includes a group of Actions that test your firewalls.

You can see the Security Validation-provided Evaluations by going to Library > Evaluations.

The Evaluation Library

When you select an Evaluation, you see that Evaluation's VID added to the Evaluation Library's URL. You can use the /simulation/<VID>?sim_type=eval format to quickly view Evaluations by replacing the VID in the URL or bookmarking the URL.

TAAM Evaluations

A powerful functionality included with Security Validation's Threat Actor Assurance Module (TAAM) is the Evaluations it creates. After integrating with your TIP or TIF, you have Threat Actor information available in the Security Validation platform. These Threat Actors have different types of tags associated with them, and we use those tags to create two types of Threat Actor-specific Evaluations: General and Priority.

If you want a quick way to validate that your environment is protected against a Threat Actor, use the Priority Evaluations.

General TAAM Evaluations have the following characteristics:

  • Are based on the MITRE ATT&CK tags, with some exceptions:

    Since most of our Actions have MITRE ATT&CK tags, these Evaluations can get very large and include hundreds of Actions.

    • Threat Actors from CrowdStrike do not include MITRE ATT&CK Techniques, so their Evaluations are based on the malware families.
    • Actions created by the Validation Research Team (VRT) that use the EICAR behaviors (which are not malicious and are used for testing and stability) are not included.
  • May contain multiple groups.
    • The groups are named according to the Actions' Source and Destination tags. These tags also account for the attributes on the Zones.
    • Groups will have 100 or fewer Actions. If more than 100 Actions meet the criteria for a group, multiple groups are added: the first group has "- Subset 1" added to its name, and the number increments for each group after.
  • Separate Evaluations are created for Network Actions, Host CLI Actions, and Protected Theater Actions.
  • VIDs start with S400.
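
The grouping rules in the list above, sketched as an added example (not Security Validation's own code): Actions are split by type, bucketed by Source and Destination tag, and any bucket over 100 is cut into numbered subsets. The dictionary fields, the `eicar` flag, the sample ids and zones, and the "Source to Destination" name format are assumptions made for illustration.

```python
from collections import defaultdict

MAX_GROUP_SIZE = 100  # "Groups will have 100 or fewer Actions"


def plan_general_evaluations(actions):
    """Return {action_type: [(group_name, [action ids]), ...]}."""
    # One Evaluation per Action type (Network, Host CLI, Protected Theater),
    # then one bucket per (Source, Destination) tag pair inside it.
    by_type = defaultdict(lambda: defaultdict(list))
    for a in actions:
        if a.get("eicar"):  # hypothetical flag: EICAR-based Actions are left out
            continue
        by_type[a["type"]][(a["source"], a["destination"])].append(a["id"])

    plan = {}
    for action_type, buckets in by_type.items():
        groups = []
        for (src, dst), ids in sorted(buckets.items()):
            base = f"{src} to {dst}"  # assumed name format
            if len(ids) <= MAX_GROUP_SIZE:
                groups.append((base, ids))
                continue
            # Over the limit: every slice, including the first, gets a suffix.
            starts = range(0, len(ids), MAX_GROUP_SIZE)
            for n, start in enumerate(starts, 1):
                chunk = ids[start:start + MAX_GROUP_SIZE]
                groups.append((f"{base} - Subset {n}", chunk))
        plan[action_type] = groups
    return plan


def sample_actions():
    """Constructed inventory; ids, zones and the 'eicar' flag are made up."""
    acts = [{"id": f"net-{i}", "type": "Network", "source": "Internet",
             "destination": "DMZ"} for i in range(230)]
    acts += [{"id": f"lat-{i}", "type": "Network", "source": "DMZ",
              "destination": "Internal"} for i in range(40)]
    acts += [{"id": f"cli-{i}", "type": "Host CLI", "source": "Endpoint",
              "destination": "Endpoint"} for i in range(3)]
    acts.append({"id": "eicar-0", "type": "Network", "source": "Internet",
                 "destination": "DMZ", "eicar": True})
    return acts


if __name__ == "__main__":
    for action_type, groups in plan_general_evaluations(sample_actions()).items():
        for name, ids in groups:
            print(f"{action_type}: {name} ({len(ids)} Actions)")
```
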

Priority TAAM Evaluations have the following characteristics:

  • Are based on the Threat Actor and Malware Family tags.

    The use of Threat Actor and Malware Family tags keeps these Evaluations focused.

  • May contain multiple groups.
  • Titles start with Priority to make them easy to identify.
  • Separate Evaluations are created for Network Actions, Host CLI Actions, and Protected Theater Actions.
  • VIDs start with S400.

When you modify your environment (add/remove Action tags, add/update Zones or Actors, add new content packs, and so on), Evaluations may be created or updated the next time the Threat Intelligence Integrations sync. If an Evaluation is updated, it has a new version number.

If you run two instances of the Validation Platform (a test and a production environment, for example), the Evaluations that are created are different unless the instances are identical. This means the VIDs, groups, and Actions included could be different when looking at the same Actor.

  • June 5, 2022
  • November 26, 2025