Technical key indicators and graphs of the campaign results.
This sketch cannot currently be displayed in exports
Key indicators (section 1)
Cybersecurity score
The score is the average of the scores obtained for all the events in this campaign. This is a measure of the detection rate of attack simulations carried out by BlackNoise.
BlackNoise rates each event according to 2 criteria:
The efficiency of the detection: The more effective it is, the higher the score (an "Alerted" event earns more points than a "Logged" event, which itself earns more points than an "Undetected" event). The score is also higher if it concerns a High severity event than a Low severity event, supporting the need to detect the most characteristic malicious actions.
The more information there is on the context of the detection, the higher the score.
The complete score calculation formula is indicated in the legend of the graph by clicking on the "i" information button.
Mean time to detect (MTTD)
The Mean Time to Detect (MTTD) is the average time between the execution of a simulated BlackNoise attack and the alert by a security equipment. This KPI is calculated for events with the Alerted status and only if the dates and times of detection are provided.
Mean time to react (MTTR)
The Mean Time To Reaction (MTTR) is the average time between the alert by a security equipment and the application of the response strategy (reaction). This KPI is calculated for events with the Alerted status, detection dates & times and the dates and times of reaction.
Campaign KPI
You can view several indicators:
Total number of executed events for this campaign
Number of qualified events, i.e. those for which the detection status has been provided (therefore different from Undefined)
Number of events with a status of Logged or Alerted
Number of events with an Alerted status
Kill Switch: The kill switch protocol allows you to stop the campaign. Note that if you activate the kill switch protocol, the campaign will be blocked and all the actions will be stopped.
Hint: The slider in the top right allows you to switch the presentation of the results between absolute value and percentage.
Hint: The "details" button in the top right open an information card with several information: campaign description, scope, dates, Attack Vector used, etc. You can also bookmark a campaign using the star button.
Detection & reaction efficiency (section 2)
Status synthesis
This graph shows the distribution of simulated attacks according to the 4 BlackNoise statuses:
Unqualified: Status assigned by default, no information on the detection of the event is given.
Undetected: The event is missed, the attack simulation is not detected (no logs, no alert).
Logged: The security tools created a technical trace (a log) corresponding to a simulated attack. But no alert was triggered and no reaction was taken. To be valid, Logged proofs must at least indicate: the source, the destination, the date and time and if possible the type of action recorded.
Alerted: The security tools identified the simulated attack. An alert or a notification was issued on one of these tools. To be valid, Alerted detection proofs must at least indicate: the source, the destination, the date & time and the type of threat identified. If applicable, the type of remediation made by the security teams can also be specified in the “reaction” section.
Detection per severity
This graph shows the distribution of attacks detected (events with Alerted status) according to severity level.
High: An event whose detection is deemed to be of high priority due to the nature of the simulated attack being executed and/or the intended targets
Low: Event whose detection is judged to be less important compared to other attack simulations performed
Sources for Alerted & Logged events
This table lists the sources (equipment, tools, solutions) used to detect the simulated attacks.
This indicator helps quickly identify the most effective detection sources and those that are under-exploited. Under-exploited sources may indicate that the tools or services are not useful, or their configuration is inappropriate (e.g., no access to required technical data, incorrect settings, disabled functionalities, etc.).
Reaction strategy
This graph shows the distribution of actions taken (response strategy) to deal with events that have been the subject of an alert. An event can have several reactions.
This sketch cannot currently be displayed in exports
Detection Compliance based on BlackNoise Simplified Kill Chain (section 3)
Distribution of the executed events according to a simplified decomposition of the Kill Chain in 3 major phases defined by the BlackNoise team. These 3 phases include the following MITRE ATT&CK Tactics:
Impact & exfiltration: Execution, Collection, Command and Control, Exfiltration, Impact
Detection Compliance based on MITRE ATT&CK (section 4)
Distribution of the executed events according to the MITRE ATT&CK Tactics.
Tactics represent the 'why' of an ATT&CK technique or sub-technique. It is the adversary's tactical goal: the reason for performing an action.
Hint: You can hide/unhide empty Tactics and switch between a split or grouped view of events for each Tactic.
This sketch cannot currently be displayed in exports
MITRE ATT&CK MATRIX view (section 5)
Representation of executed events according to the MITRE ATT&CK MATRIX Techniques.
Techniques represent “how” an adversary achieves a tactical objective by performing an action. Techniques may also represent “what” an adversary gains by performing an action.
Hint: You can hide/unhide empty Tactics and select an event status to focus on specific events.