Abstract: One variation of a method for emulating a known attack on a computer network includes: generating a set of data packets by recombining packet fragments transmitted between machines during a prior malicious attack on a second network; defining transmission triggers for transmission of the set of data packets between pairs of assets connected to a target network based on timestamps of packet fragments; generating an executable file including the set of data packets and the transmission triggers; initiating transmission of the set of data packets between the pairs assets according to the set of transmission triggers to emulate the malicious attack on the target network; and, in response to absence of a security event related to the emulation in a log of a security technology deployed on the target network, generating a prompt to reconfigure the security technology to respond to the malicious attack.

Abstract: One variation of a system for emulating a known attack on a computer network includes a computer system configured to: generate a set of data packets by recombining packet fragments transmitted between machines during a prior malicious attack on a second network; define transmission triggers for transmission of the set of data packets between pairs of agents connected to a target network based on timestamps of packet fragments; generate an executable file including the set of data packets and the transmission triggers; initiate transmission of the set of data packets between the pairs assets according to the set of transmission triggers to emulate the malicious attack on the target network; and, in response to absence of a security event related to the emulation in a log of a security technology deployed on the target network, generate a prompt to reconfigure the security technology to respond to the malicious attack.

Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.

Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.

Abstract: A method includes: accessing an attack record defining actions representing a previous known attack on a second computer network; initializing an attack graph; for each action, defining a set of behaviors—analogous to the action and executable by an asset on a target network to emulate an effect of the action on the second computer network—and storing the set of behaviors in a node in the attack graph; connecting nodes in the attack graph according to an order of actions in the known attack; scheduling the asset to selectively execute analogous behaviors stored in the set of nodes in the attack graph; accessing alerts generated by a set of security tools deployed on the target network; and characterizing vulnerability of the target network based on alerts, in the set of alerts, indicating detection and prevention of behaviors executed by the asset according to the attack graph.