Technical key indicators and graphs of the campaign results.
Preamble: Select your simulation within the campaign
The top banner grants access to a variety of information and actions.
Select the campaign simulation to display; the most recent one is automatically chosen. All tabs (Synthesis, Execution, Timeline, ATT&CK matrix) utilize this simulation's data. To choose another, use the Simulation menu at the top.
Create a new simulation to effectively compare results with the same parameters.
Simulation dashboard
Hint: The "details" button in the top right opens an information card with several details: campaign description, scope, dates, Attack Vector used, etc. You can also bookmark a campaign using the star button.
Hint: In each section, the slider at the top right allows you to switch the data between absolute value and percentage.
Simulation score (section 1)
This score is the average of the scores obtained for all the events in this simulation. This is a measure of the detection rate of attacks carried out by BlackNoise.
BlackNoise rates each event according to 2 criteria:
The efficiency of the detection: The more effective it is, the higher the score (an "Alerted" event earns more points than a "Logged" event, which itself earns more points than an "Undetected" event). The score is also higher if it concerns a High severity event than a Low severity event, supporting the need to detect the most characteristic malicious actions.
The more information there is on the context of the detection, the higher the score.
The complete score calculation formula is indicated in the legend of the graph by clicking on the "i" information button.
You will also find the number of executed events for this simulation and the total duration of the simulation execution.
From the 2nd simulation onward, results are compared with the previous one, with percentage changes indicating the evolution of each measure.
Detection efficiency (section 2)
Status synthesis
This graph shows the distribution of simulated attacks according to the 4 BlackNoise statuses:
Unqualified: Status assigned by default, no information on the detection of the event is given.
Undetected: The event is missed, the attack simulation is not detected (no logs, no alert).
Logged: The security tools created a technical trace (a log) corresponding to a simulated attack. But no alert was triggered and no reaction was taken. To be valid, Logged proofs must at least indicate: the source, the destination, the date and time and if possible the type of action recorded.
Alerted: The security tools identified the simulated attack. An alert or a notification was issued on one of these tools. To be valid, Alerted detection proofs must at least indicate: the source, the destination, the date & time and the type of threat identified. If applicable, the type of remediation made by the security teams can also be specified in the “reaction” section.
Mean time to detect (MTTD)
The Mean Time to Detect (MTTD) is the average time between the execution of a simulated BlackNoise attack and the alert raised by security equipment. This KPI is calculated for events with the Alerted status and only if the dates and times of detection are provided.
Detection per severity
This graph shows the distribution of attacks detected (events with Alerted status) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets
Low: Event whose detection is judged to be less important compared to other attack simulations performed
Sources for Alerted & Logged events
This table lists the sources (equipment, tools, solutions) used to detect the simulated attacks.
This indicator helps quickly identify the most effective detection sources and those that are under-exploited. Under-exploited sources may indicate that the tools or services are not useful, or their configuration is inappropriate (e.g., no access to required technical data, incorrect settings, disabled functionalities, etc.).
Reaction efficiency (section 3)
Reaction status
This graph shows the distribution of simulated attacks according to the reaction status:
Reacted: At least one action taken (response strategy) has been declared on the event after its detection.
Ignored: No reaction has been provided after the detection of the event.
Mean time to react (MTTR)
The Mean Time To Reaction (MTTR) is the average time between the alert raised by security equipment and the application of the response strategy (reaction). This KPI is calculated for events with the Alerted status for which both the detection dates and times and the reaction dates and times are provided.
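The MTTD and MTTR eligibility rules described above can be reproduced outside the dashboard to cross-check exported figures. The following is an added example, not BlackNoise code: the event field names (status, executed_at, detected_at, reacted_at) and the sample events are constructed for illustration and do not reflect the product's export schema.

```python
from datetime import datetime, timedelta
from statistics import mean

# Constructed sample events; field names are hypothetical, not BlackNoise's schema.
EVENTS = [
    {"id": 1, "status": "Alerted", "executed_at": "2024-03-01T10:00:00",
     "detected_at": "2024-03-01T10:04:00", "reacted_at": "2024-03-01T10:34:00"},
    {"id": 2, "status": "Alerted", "executed_at": "2024-03-01T10:10:00",
     "detected_at": "2024-03-01T10:20:00", "reacted_at": None},  # no reaction yet
    {"id": 3, "status": "Alerted", "executed_at": "2024-03-01T10:20:00",
     "detected_at": None, "reacted_at": None},   # detection time not provided
    {"id": 4, "status": "Logged", "executed_at": "2024-03-01T10:30:00",
     "detected_at": "2024-03-01T10:31:00", "reacted_at": None},  # not Alerted
    {"id": 5, "status": "Undetected", "executed_at": "2024-03-01T10:40:00",
     "detected_at": None, "reacted_at": None},
]

def _ts(value):
    return datetime.fromisoformat(value)

def _mean_delta(pairs):
    """Average (end - start) over the pairs; None when no event qualifies."""
    deltas = [(end - start).total_seconds() for start, end in pairs]
    if any(d < 0 for d in deltas):
        # A detection before execution (or reaction before detection) points to
        # clock skew or a mistyped proof; refuse to average it silently.
        raise ValueError("negative interval: check timestamps and time zones")
    return timedelta(seconds=mean(deltas)) if deltas else None

def mttd(events):
    """Execution -> alert, for Alerted events that carry a detection time."""
    return _mean_delta(
        (_ts(e["executed_at"]), _ts(e["detected_at"]))
        for e in events
        if e["status"] == "Alerted" and e.get("detected_at"))

def mttr(events):
    """Alert -> reaction, for Alerted events with both timestamps."""
    return _mean_delta(
        (_ts(e["detected_at"]), _ts(e["reacted_at"]))
        for e in events
        if e["status"] == "Alerted" and e.get("detected_at") and e.get("reacted_at"))

if __name__ == "__main__":
    print("MTTD:", mttd(EVENTS))   # events 1 and 2 qualify
    print("MTTR:", mttr(EVENTS))   # only event 1 qualifies
```

Events excluded by the rules lower the sample size rather than the average, so a short MTTD computed over very few Alerted events should be read alongside the status distribution.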
Reaction per severity
This graph shows the distribution of attacks that were reacted to (events with a reaction provided) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets
Low: Event whose detection is judged to be less important compared to other attack simulations performed
Reaction strategy
This graph shows the distribution of actions taken (response strategy) to deal with events that have been the subject of an alert. An event can have several reactions.
Detection Compliance based on BlackNoise Simplified Kill Chain (section 4)
Distribution of the executed events according to a simplified decomposition of the Kill Chain in 3 major phases defined by the BlackNoise team. These 3 phases include the following MITRE ATT&CK Tactics:
Impact & exfiltration: Execution, Collection, Command and Control, Exfiltration, Impact
Detection Compliance based on MITRE ATT&CK (section 5)
Distribution of the executed events according to the MITRE ATT&CK Tactics.
Tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.
Hint: You can hide/unhide empty Tactics and switch between a split or grouped view of events for each Tactic.
Kill Switch: The kill switch protocol enables you to halt the campaign. It can be activated by using the button located in the top right corner. Once the kill switch protocol is activated, the campaign will be suspended, and all actions will cease.