Patents Assigned to AttackIQ, Inc.
-
Patent number: 12647444
Abstract: One variation of a method for emulating a known attack on a computer network includes: generating a set of data packets by recombining packet fragments transmitted between machines during a prior malicious attack on a second network; defining transmission triggers for transmission of the set of data packets between pairs of assets connected to a target network based on timestamps of packet fragments; generating an executable file including the set of data packets and the transmission triggers; initiating transmission of the set of data packets between the pairs of assets according to the set of transmission triggers to emulate the malicious attack on the target network; and, in response to absence of a security event related to the emulation in a log of a security technology deployed on the target network, generating a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: February 6, 2024
Date of Patent: June 2, 2026
Assignee: AttackIQ, Inc.
Inventors: George Tomic, Andres Gazzoli, Pablo Caballero, Raul Lopez, Franco Ardiani, Juan Pablo Fuertes, Facundo Osimi, Rajesh K Sharma
-
Patent number: 12647445
Abstract: One variation of a system for emulating a known attack on a computer network includes a computer system configured to: generate a set of data packets by recombining packet fragments transmitted between machines during a prior malicious attack on a second network; define transmission triggers for transmission of the set of data packets between pairs of agents connected to a target network based on timestamps of packet fragments; generate an executable file including the set of data packets and the transmission triggers; initiate transmission of the set of data packets between the pairs of assets according to the set of transmission triggers to emulate the malicious attack on the target network; and, in response to absence of a security event related to the emulation in a log of a security technology deployed on the target network, generate a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: February 6, 2024
Date of Patent: June 2, 2026
Assignee: AttackIQ, Inc.
Inventors: George Tomic, Andres Gazzoli, Pablo Caballero, Raul Lopez, Franco Ardiani, Juan Pablo Fuertes, Facundo Osimi, Rajesh K Sharma
-
Patent number: 12495069
Abstract: One variation of a method for verifying configurations of security technologies deployed on a computer network includes: deploying a phase—within an attack validation scenario analogous to a network security threat and associated with a target response type—for execution by an asset on the computer network during a phase window; during the polling window following the phase window, polling a log of a security technology deployed on the network for a sequence of events associated with the target asset; correlating events, in the sequence of events, with the phase based on proximities of event timestamps to the phase window; and, in response to a difference between an event type of a first event correlated with the phase and the target response type, generating a prompt to reconfigure the security technology to respond to behaviors analogous to the phase, on the computer network, according to the target response type.
Type: Grant
Filed: November 6, 2020
Date of Patent: December 9, 2025
Assignee: AttackIQ, Inc.
Inventors: Andrew William Black, Tin Shing Tam
-
Patent number: 12418559
Abstract: One variation of a method includes: generating data packets by recombining packet fragments transmitted between machines during a prior malicious attack on a reference network; defining triggers for transmission of the data packets between pairs of assets connected to a target network; generating an executable file including the data packets and the triggers; initiating transmission of the data packets between the pairs of assets according to the triggers to emulate the malicious attack on the target network; serving a context file, specifying artifacts representing indicators of the malicious attack responsive to execution of behaviors corresponding to these triggers, to a security technology deployed on the target network; and, in response to absence of an event record related to the emulation in a log of the security technology, generating a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: January 17, 2025
Date of Patent: September 16, 2025
Assignee: AttackIQ, Inc.
Inventors: George Tomic, Andres Gazzoli, Pablo Caballero, Raul Lopez, Franco Ardiani, Juan Pablo Fuertes, Rajesh K. Sharma
-
Patent number: 12407710
Abstract: A method includes: generating a transition probability matrix defining a set of transition probabilities for a set of techniques, each transition probability representing a probability of transitioning from a technique i to a technique j; defining a set of emission probability vectors corresponding to the set of techniques, each emission probability vector representing a probability of detecting a technique i and a probability of preventing a technique i; defining an initial technique vector representing an initial probability distribution of techniques; generating a hidden Markov model correlating a target sequence of observations with a hidden state sequence of techniques based on the transition probability matrix, the set of emission probability vectors, and the initial technique vector; and calculating a sequence of techniques, based on the hidden Markov model, exhibiting greatest probability to yield, for each technique in the sequence of techniques, absence of detection or prevention of the technique.
Type: Grant
Filed: August 10, 2023
Date of Patent: September 2, 2025
Assignee: AttackIQ, Inc.
Inventors: Stephen Lincoln, Rajesh Sharma, Jeremy Miller, Stephan Chenette, Albert Lopez
-
Patent number: 12177244
Abstract: One variation of a method for emulating a known attack on a computer network includes: generating a set of data packets by recombining packet fragments within a packet capture file representing packet fragments transmitted between machines during a prior malicious attack on a second network; defining transmission triggers for transmission of the set of data packets between pairs of agents connected to a target network based on timestamps of packet fragments in the packet capture file; initiating transmission of the set of data packets between the pairs of agents according to the set of transmission triggers to simulate the malicious attack on the target network; and, in response to absence of a security event related to the simulation in a log of a security technology deployed on the target network, generating a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: December 5, 2023
Date of Patent: December 24, 2024
Assignee: AttackIQ, Inc.
Inventors: Renan Fischer e Silva, Albert López Fernández, Rajesh K. Sharma
-
Patent number: 12081580
Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.
Type: Grant
Filed: May 1, 2023
Date of Patent: September 3, 2024
Assignee: AttackIQ, Inc.
Inventors: Rajesh Sharma, Jeremy Miller, Stephan Chenette, Albert Lopez, Shubhi Mittal, Andres Gazzoli
-
Patent number: 11876829
Abstract: One variation of a method for emulating a known attack on a computer network includes: generating a set of data packets by recombining packet fragments within a packet capture file representing packet fragments transmitted between machines during a prior malicious attack on a second network; defining transmission triggers for transmission of the set of data packets between pairs of agents connected to a target network based on timestamps of packet fragments in the packet capture file; initiating transmission of the set of data packets between the pairs of agents according to the set of transmission triggers to simulate the malicious attack on the target network; and, in response to absence of a security event related to the simulation in a log of a security technology deployed on the target network, generating a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: December 22, 2022
Date of Patent: January 16, 2024
Assignee: AttackIQ, Inc.
Inventors: Renan Fischer e Silva, Albert López Fernández, Rajesh K. Sharma
-
Patent number: 11677775
Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.
Type: Grant
Filed: June 3, 2022
Date of Patent: June 13, 2023
Assignee: AttackIQ, Inc.
Inventors: Rajesh Sharma, Jeremy Miller, Stephan Chenette, Albert Lopez, Shubhi Mittal, Andres Gazzoli
-
Patent number: 11637851
Abstract: A cyber security assessment platform is provided. The platform can assess the security posture of a network by deploying one or more scenarios to be executed on one or more assets on the network and analyzing the outcomes of the scenarios. A scenario can be configured to validate a device or network status, and/or mimic an unauthorized cyber-attack. Each scenario can include one or more phases defining an execution path. Related method, apparatus, systems, techniques and articles are also described.
Type: Grant
Filed: September 17, 2020
Date of Patent: April 25, 2023
Assignee: AttackIQ, Inc.
Inventors: Stephan Chenette, Rajesh Kumar Sharma
-
Patent number: 11563765
Abstract: One variation of a method for emulating a known attack on a computer network includes: generating a set of data packets by recombining packet fragments within a packet capture file representing packet fragments transmitted between machines during a prior malicious attack on a second network; defining transmission triggers for transmission of the set of data packets between pairs of agents connected to a target network based on timestamps of packet fragments in the packet capture file; initiating transmission of the set of data packets between the pairs of agents according to the set of transmission triggers to simulate the malicious attack on the target network; and, in response to absence of a security event related to the simulation in a log of a security technology deployed on the target network, generating a prompt to reconfigure the security technology to respond to the malicious attack.
Type: Grant
Filed: October 28, 2020
Date of Patent: January 24, 2023
Assignee: AttackIQ, Inc.
Inventors: Renan Fischer e Silva, Albert López Fernández, Rajesh K Sharma
-
Patent number: 10812516
Abstract: A cyber security assessment platform is provided. The platform can assess the security posture of a network by deploying one or more scenarios to be executed on one or more assets on the network and analyzing the outcomes of the scenarios. A scenario can be configured to validate a device or network status, and/or mimic an unauthorized cyber-attack. Each scenario can include one or more phases defining an execution path. Related method, apparatus, systems, techniques and articles are also described.
Type: Grant
Filed: August 5, 2015
Date of Patent: October 20, 2020
Assignee: AttackIQ, Inc.
Inventors: Stephan Chenette, Rajesh Kumar Sharma