Exercises

Regular exercises are a helpful way to identify detection gaps and build maturity.


CIS's example tabletop exercises

https://www.cisecurity.org/wp-content/uploads/2018/10/Six-tabletop-exercises-FINAL.pdf


NCSC's 'Exercise in a Box'. Requires sign-up.

https://exerciseinabox.service.ncsc.gov.uk/


Mitre's exercise playbook.

https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf


This account tweets fictional or headline-inspired breach scenarios. The replies often offer helpful thoughts on how these could be detected or mitigated.

https://twitter.com/badthingsdaily

Testing

Atomic Red Team provides unit tests for individual MITRE ATT&CK techniques. These can be used as smoke tests to confirm that use-case alerts actually fire.

https://github.com/redcanaryco/atomic-red-team


Create a simulated AD environment for testing.

https://github.com/davidprowe/BadBlood


Sysmon Simulator can be used to generate events to test EDR detections.

https://github.com/ScarredMonk/SysmonSimulator


Public pen test reports

https://github.com/juliocesarfort/public-pentesting-reports

Red Teaming

The CBEST and TIBER-EU frameworks set out how the Bank of England and the ECB use adversarial testing to assess the cyber resilience of UK and EU financial services. If you are looking to assess the capability and maturity of your detection and response, this is the gold standard.


https://www.bankofengland.co.uk/-/media/boe/files/financial-stability/financial-sector-continuity/cbest-implementation-guide.pdf

https://www.ecb.europa.eu/pub/pdf/other/ecb.tiber_eu_framework.en.pdf


Red team tooling, often repurposed by real threat actors.

https://github.com/infosecn1nja/Red-Teaming-Toolkit


Ben Turner and Doug McLeod's blog

https://redteaming.co.uk/


David's Red Team notes

https://dmcxblue.gitbook.io/red-team-notes-2-0/


Choose your own adventure

https://scythe-io.github.io/cyoa-red-team/


The UK MOD's Red Teaming Guide

https://www.gov.uk/government/publications/a-guide-to-red-teaming