List of BlackNoise scenarios that can be used to create an attack campaign.
A scenario is a sequence of events that emulates a series of actions carried out by an attacker. A scenario can replicate a complete Attack Pattern or a limited set of adversary behaviors (APT, data breach, ransomware, etc.).
Scenarios list
Scenarios are organized into several tabs based on their type: network, system, cloud and custom company scenarios.
Each scenario is by default represented as a card with the following information:
Name of the scenario
Number of events included in the scenario
Description
Prerequisites
Scenario last update and version
At the top of the cards, a status indicates whether the scenario has been created (New) or updated (Updated) recently. Icons also specify the environments covered by the scenario (network, windows, linux or macos).
A pill also specifies the format of the scenario:
full: The scenario reproduces all or part of a Kill Chain, with a sequence of events associated with different Tactics from MITRE ATT&CK.
focused: The scenario has fewer events, centered on a common tactic or approach, but allows for more varied technical implementations.
compliance: The scenario lets you check the requirements of a directive, norm or standard, such as NIS2 or PCI DSS.
Create a campaign from a scenario
The Create attack campaign button allows you to create a simulation based on the chosen scenario.
By clicking on the name of a scenario or the "i" button, you can view all details including the full description ("Details" tab) and the list of the events that make up the scenario ("Events" tab), as shown in the example below:
Hovering over an event also displays its description. The description clearly states the technical requirements needed to carry out the scenario, including the types of accounts and the appropriate targets.
To make the scenarios list easier to use, several features are available:
Application of filters: format (full / focused / compliance), MITRE ATT&CK Tactic, protocol, state, last update, risk category
Search field
Display of events in card or table form
Please be aware that the number of events executed in a campaign is determined by the number of Target Systems defined in the campaign perimeter. Each system event will be executed for each Target System.
Create your own scenario
The Create scenario button allows you to create a custom scenario. It is available if the feature is included in your company subscription.
When creating a scenario, you first need to give it a name, a description, and choose the perimeter it will apply to (network only or network & system events). If you choose the System perimeter, you are then asked to select the Environment (the OS type), because a scenario is dedicated to an operating system.
After clicking on the Create button, you will be directed to the builder. On the left part of the screen, you can see the events list of the scenario you are creating. In the case of a system-type scenario, the session creation events that are mandatory for its execution are automatically added. They cannot be removed.
The section on the right side of the screen presents all available events based on the perimeter you selected. You can check one or more events and add them to the scenario you are creating. The selector at the top of the list allows you to navigate among the different categories of the MITRE ATT&CK framework, that is, according to the different tactics of the framework. A search field also allows you to select a specific event based on its name.
In the section on the left, you can change the order of events and remove them if needed.
You can always edit the name and description of a scenario. You can also save it as a draft as you go to preserve your progress. When a scenario is complete, you can publish it. The preview screen summarizes the scenario information, including the order of executed events. Finally, you can specify the prerequisites to enrich the execution context of this scenario.
When a scenario is published, the Create attack campaign button appears, which lets you use the scenario to create an attack simulation. It is always possible to edit a published scenario, in particular to modify the events that compose it.
If you want a scenario to no longer be used to create a campaign, you just need to edit it and save it as a draft.