Terminology

Understanding BlackNoise basic concepts



Event

A single technical action that replicates an adversary behavior, such as a port scan, an attempt to gain unauthorized access to an account, the execution of a system command, a connection to a cloud service, etc.
Every BlackNoise event is mapped to the MITRE ATT&CK framework: each one carries a tactic and a technique ID.


Scenario

A sequence of events that emulates a series of actions carried out by an attacker. A scenario can replicate a complete attack pattern (APT intrusion, data breach, ransomware, etc.) or a limited set of adversary behaviors.
The scenarios included in the solution catalog are derived from real, observed threats. They are the outcome of research and development by the BlackNoise R&D team, drawing on various CTI sources.


Attack campaign

The application of a user-selected scenario to a specific scope. The scenario serves as a template from which the ordered list of events used in the campaign is generated.
A campaign may consist of several simulations: the first one is the calibration simulation, the following ones are control tests. The events and the scope of the attack tests are fixed when the campaign is created and remain unchanged for all subsequent simulations.


Simulation

A single execution of all the campaign events defined by the chosen scenario and the configured campaign scope.
Each simulation has its own parameters: the Attack Vector used to execute the events, an immediate or scheduled start, automatic or manual sequencing of the events, and an optional delay between consecutive events.


Calibration

The first simulation of a campaign. During this so-called "calibration simulation" the user records, for each executed event, whether it was detected, the detection date/time and source, the reaction date/time and the type of reaction engaged, and attaches supporting evidence where needed. This gives a complete picture of detection and response capabilities, and the resulting score serves as the benchmark for the campaign.


Control test

Any subsequent simulation of the campaign. A control test re-executes the same events against the same target perimeter, so that the evolution of detection and reaction capabilities can be measured against the calibration benchmark.
Control tests can only be run once the campaign status has been changed to "Calibrated". This freezes the score and information recorded during calibration.


Attack Vector

The component that executes the events (the offensive actions). It is deployed on the user's information system and carries out the agreed technical actions within the defined campaign scope, according to the configured technical settings.
The solution offers two Attack Vector formats: software (a Docker container) or physical (the stormblaster box). Both are operated from the web app.
An Attack Vector can be deployed in different types of environments: legacy infrastructure, cloud, industrial networks, etc.


Target System

The component targeted by events executed at the OS level: a physical or virtual server or workstation running Windows, Linux, or macOS. Customers have complete control over these targets, as they create them in the web app and assign them to attack campaigns according to their needs.
The Attack Vector connects to each Target System to execute the events. Commands, programs, or tools are launched on the Target System to faithfully replicate the attackers' behaviors.
For meaningful results, a Target System must carry the same defenses as the production systems it stands in for (EDR, antivirus, SIEM integration, etc.); otherwise the detection score reflects the test machine rather than the organization's actual security posture.

Because events only run on declared Target Systems, the user keeps full control over the potential impact of what is executed. For safety reasons, the solution never propagates an attack automatically, silently, or without user control: the most critical operations are directed only at the machines the user has explicitly designated within the campaign scope.



For details on the campaign perimeter and on how the Attack Vector connects to Target Systems, see our FAQ:


How is the perimeter of a campaign defined?

How does the Attack Vector connect to the Target Systems to execute the events?

Need help to enable and test WMI access from BlackNoise Attack Vector to your Windows Target System?
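The last FAQ entry concerns WMI access from the Attack Vector to a Windows Target System. The following PowerShell script is an added example written for this page; it is not BlackNoise's FAQ answer nor part of the product. It checks, from a Windows machine on the same network segment as the Attack Vector, that a Windows target accepts remote WMI over DCOM: the RPC endpoint mapper on TCP 135 must be reachable, the account must authenticate, and the WMI service must answer a query. The host name `target01.corp.example` and the credential prompt are placeholders; the Docker-based Attack Vector is not a Windows host, so this only validates the target side and the network path, not the vector's own WMI client.

```powershell
# Added example, not BlackNoise code: validate remote WMI (DCOM) access to a Windows Target System.
# Assumptions: run on a Windows host on the same network segment as the Attack Vector;
# $Target and $Cred are placeholders for your own target and an account allowed to use WMI on it.
param(
    [string]$Target = 'target01.corp.example',   # hypothetical Target System name
    [pscredential]$Cred = (Get-Credential)       # account with remote WMI rights on the target
)

# 1. Classic WMI rides on DCOM. The RPC endpoint mapper (TCP 135) must answer before anything else;
#    the actual WMI call then uses a dynamic RPC port, so host and network firewalls must allow both.
$rpc = Test-NetConnection -ComputerName $Target -Port 135
if (-not $rpc.TcpTestSucceeded) {
    throw "TCP 135 on $Target is closed or filtered. On the target, the Windows firewall group " +
          '"Windows Management Instrumentation (WMI)" can be opened with ' +
          'Enable-NetFirewallRule -DisplayGroup "Windows Management Instrumentation (WMI)".'
}

# 2. Open a CIM session over DCOM explicitly. Get-CimInstance with -ComputerName defaults to WinRM,
#    which is a different service and would not prove that WMI/DCOM works.
$dcom    = New-CimSessionOption -Protocol Dcom
$session = New-CimSession -ComputerName $Target -Credential $Cred -SessionOption $dcom -ErrorAction Stop

# 3. A harmless read-only query proves authentication and the WMI service end to end.
$os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
'{0}: {1} build {2}, last boot {3}' -f $Target, $os.Caption, $os.BuildNumber, $os.LastBootUpTime

Remove-CimSession -CimSession $session
```

If step 1 succeeds but step 2 fails with an access-denied error, the network path is fine and the problem is the account: it must be a local administrator on the target or be granted remote enable rights on the WMI namespace, and remote UAC filtering applies to local (non-domain) accounts.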