Threat Simulation


Hunt for the gaps in your defences.

Threat simulation is a highly bespoke activity, during which we take on the role of an agreed threat actor or threat group to find the gaps in blue team tradecraft (the operations performed by security, incident response, and monitoring teams) or in defensive capabilities that attackers would exploit. Engagements range from use-case modelling, through targeted validation of the protective monitoring solution, to full threat simulation and red team engagement.

Working at varying levels of covertness, the aim of the engagement is to identify gaps in the defenders’ visibility and in their ability to stop an attack that is in motion, whilst using the same tactics, techniques, and procedures (TTPs) that known threat groups use.

Depending on the threat model for the target organisation and the level of prior knowledge, simulated attackers’ capabilities and their underlying motivation can be tailored to suit the specifics of that threat model, in order to provide an effective simulation of a real-world attack.


Red Teaming

Red team engagements are designed to stretch and test the capability of network defenders (blue teams), and to simulate the activities of a wide variety of known threat actors and malicious groups. As such, the capabilities and techniques used will prioritise engagement objectives, for example covert access and data theft, over assessment breadth and vulnerability assessment coverage.

Unlike penetration testing, which aims to identify vulnerabilities in a system, the objective of a red team engagement is to provide a comprehensive test of the effectiveness of a target organisation’s detection and response capabilities, measured against real-world attacks.


Protective Monitoring Validation

Protective monitoring solutions are difficult and expensive to implement, and require a significant investment in both tooling and resources to be effective. However, once they’re in place it’s very difficult to know how effective they are, because an absence of alerts could either mean that no suspicious or malicious activity is happening, or that malicious activity is happening but not being detected.

In the same way that it’s crucial to carry out penetration testing to verify that systems are secure, it’s important to carry out testing to verify that the protective monitoring solution is working as it should.


Use-Case Modelling

Use-case modelling is one of the key steps in establishing an effective protective monitoring capability.

While most SIEM software comes with a set of default use-cases, these will only cover common applications and threat models, and are often not well suited to the specifics of the environment. Use-case modelling allows CODA consultants to work with the blue team to identify and develop bespoke use-cases tailored to the key systems and threats facing the organisation.
