Overview based on all attack simulations carried out by your company. All events executed through these campaigns are included in this dashboard.
Hint: The slider in the top right allows you to switch the presentation of the results between absolute values and percentages.
Hint: You can also use the switch in the top right corner to exclude archived campaigns from these statistics or to include them.
Main KPI (section 1)
The first line presents the main indicators:
Total number of campaigns (regardless of their status)
Total number of executed events
Number of qualified events, i.e. those for which the detection status has been provided (therefore different from Undefined)
Number of events with a status of Logged or Alerted
Number of events with an Alerted status
Detection efficiency (section 2)
Status synthesis
This graph shows the distribution of simulated attacks according to the 4 BlackNoise statuses:
Unqualified: Status assigned by default, no information on the detection of the event is given.
Undetected: The event is missed, the attack simulation is not detected (no logs, no alert).
Logged: The security tools created a technical trace (a log) corresponding to a simulated attack, but no alert was triggered and no reaction took place. To be valid, Logged proofs must at least indicate the source, the destination, the date and time and, if possible, the type of action recorded.
Alerted: The security tools identified the simulated attack. An alert or a notification was issued by one of these tools. To be valid, Alerted detection proofs must at least indicate the source, the destination, the date and time and the type of threat identified. If applicable, the type of remediation carried out by the security teams can also be specified in the “reaction” section.
Mean time to detect (MTTD)
The Mean Time to Detect (MTTD) is the average time between the execution of a simulated BlackNoise attack and the alert raised by a piece of security equipment. This KPI is calculated for events with the Alerted status, and only if the dates and times of detection are provided. The overall MTTD is the average of the TTDs of all the events that meet these criteria, across all campaigns.
Sources for Alerted & Logged events
This table lists the sources (equipment, tools, solutions) used to detect the simulated attacks.
This indicator helps to quickly identify the most effective detection sources and those that are under-exploited. Under-exploited sources may indicate that the tools or services are not useful, or that their configuration is inappropriate (e.g., no access to required technical data, incorrect settings, disabled functionalities, etc.).
Detection per severity
This graph shows the distribution of attacks detected (events with Alerted status) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets.
Low: An event whose detection is judged to be less important compared to other attack simulations performed.
Reaction efficiency (section 3)
Mean time to react (MTTR)
The Mean Time To Reaction (MTTR) is the average time between the alert raised by a piece of security equipment and the application of the response strategy (reaction). This KPI is calculated for events with the Alerted status for which both the dates and times of detection and the dates and times of reaction are provided. The overall MTTR is the average of the TTRs of all the events that meet these criteria, across all campaigns.
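The MTTD and MTTR eligibility rules described above, worked through as an added example (this is not BlackNoise code or an export format). The field names status, executed_at, detected_at and reacted_at are hypothetical, and the sample events are constructed.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample events; the field names are hypothetical, not a BlackNoise export format.
EVENTS = [
    {"status": "Alerted", "executed_at": "2024-03-01T10:00:00",
     "detected_at": "2024-03-01T10:04:00", "reacted_at": "2024-03-01T10:34:00"},
    {"status": "Alerted", "executed_at": "2024-03-01T11:00:00",
     "detected_at": "2024-03-01T11:10:00", "reacted_at": None},
    {"status": "Alerted", "executed_at": "2024-03-01T12:00:00",
     "detected_at": None, "reacted_at": None},
    {"status": "Logged", "executed_at": "2024-03-01T13:00:00",
     "detected_at": "2024-03-01T13:01:00", "reacted_at": None},
    {"status": "Undetected", "executed_at": "2024-03-01T14:00:00"},
]

def _parse(value):
    """Return a datetime for an ISO 8601 string, or None if it was not provided."""
    return datetime.fromisoformat(value) if value else None

def eligible_delays(events, start_field, end_field):
    """Per-event delays in seconds, for Alerted events carrying both timestamps."""
    delays = []
    for event in events:
        if event.get("status") != "Alerted":
            continue  # Logged, Undetected and Unqualified events never count
        start, end = _parse(event.get(start_field)), _parse(event.get(end_field))
        if start is None or end is None:
            continue  # a missing date and time excludes the event from the KPI
        delays.append((end - start).total_seconds())
    return delays

def mean_delay(events, start_field, end_field):
    """Average delay as a timedelta, or None when no event is eligible."""
    delays = eligible_delays(events, start_field, end_field)
    return timedelta(seconds=mean(delays)) if delays else None

def mttd(events):
    """Execution of the simulated attack -> alert."""
    return mean_delay(events, "executed_at", "detected_at")

def mttr(events):
    """Alert -> application of the reaction."""
    return mean_delay(events, "detected_at", "reacted_at")

if __name__ == "__main__":
    print("MTTD:", mttd(EVENTS), "over", len(eligible_delays(EVENTS, "executed_at", "detected_at")), "events")
    print("MTTR:", mttr(EVENTS), "over", len(eligible_delays(EVENTS, "detected_at", "reacted_at")), "events")
```

Reporting the number of eligible events next to each mean shows how many Alerted events were left out because a date and time was not filled in.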
Reaction strategy
This graph shows the distribution of actions taken (response strategy) to deal with events that have been the subject of an alert. An event can have several reactions.
Attack campaign statistics (section 4)
Campaign status
This graph shows the total number of campaigns included in this dashboard and their distribution by status.
Campaign targets
This graph shows the types of network targeted by the campaigns.
Campaigns temporal distribution
This graph shows the distribution of campaigns according to their score and duration.
By using the left and right arrows at the bottom of the graph, you can modify the time frame considered for this visualization.
Detection Compliance based on BlackNoise Simplified Kill Chain (section 5)
Distribution of the executed events according to a simplified decomposition of the Kill Chain in 3 major phases defined by the BlackNoise team. These 3 phases include the following MITRE ATT&CK Tactics: