Go to listing page

Orchestrated Attack and Defense Simulation: Automatically Testing Defense Effectiveness

Orchestrated Attack and Defense Simulation: Automatically Testing Defense Effectiveness

Share Blog Post

The cyber threat landscape is growing in complexity with the increase in overall attack surface of organizations. To counteract this growing attack complexity, defenders also rapidly emplace robust defenses to ensure timely detection, isolation, and resolution of potential attacks.
The security technology suite has expanded to fit this requirement with a lot of solutions available today to defenders that help in effective detection and creation of knowledge bases to ensure detected attacks are resolved correctly and quickly.

A major part of ensuring our detections stay updated with today's attacks depends on continual testing of these defenses that enables identifying the attack indicators with low latency. This is where attack simulation comes into the picture. 

What is Attack Simulation?

Attack simulation is the practice of deploying a victim machine within the internal network to regularly simulate attacks and test defenses. These attack simulations often mimic the steps an attacker takes by generating the logs that are normally produced when a threat actor launches a cyberattack.

Ideally, these logs are forwarded to our detection solutions such as SIEMs which are caught by pre-configured rules. The failure to catch the simulation hints at an outdated detection approach, which mandates that the implemented defenses are regularly re-evaluated and updated.

Why Orchestrate Attack Simulation?

Orchestration excels at automating a repetitive set of steps across systems and enabling autonomous responses based on responses received from previous steps, which incidentally makes it a perfect fit for attack simulation. 

With orchestrated attack simulation, incident responders can simulate multiple attacks happening across multiple systems at the same time, at record speed without human intervention. This allows them to stress test defenses, reduce defender time spent on the attack simulation, and focus time on other critical tasks that require human efforts.

How Cyware Orchestrates Attack Simulations?

While one can write custom scripts to connect to systems and simulate attacks, Cyware offers a combination of tools, including Cyware Orchestrate and Cyware Fusion and Threat Response (CFTR) to orchestrate attack simulations. Cyware Orchestrate offers both low-code and no-code security orchestration and automation capabilities enabling security teams to orchestrate both attacks and detection flows. CFTR is an end-to-end incident management and threat response automation platform that connects the dots between different threat elements, including incident, malware, vulnerability, and threat actors providing a 360-degree view of threats for a faster and efficient response. Cyware Orchestrate and CFTR platforms connect with Splunk (SIEM) and METTA (attack simulation tool) to orchestrate attack simulations for security teams in a smarter and efficient manner.

The overall flow of the attack simulation offered by Cyware works fairly straightforward, where Cyware Orchestrate connects to the victim machine via SSH and runs a few attack simulations. This in turn generates logs on the victim machine. A Splunk Universal Forwarder is configured on the victim machine, which forwards certain log files over to Splunk, where rules are run to capture attack signatures.

The Simulation Playbook

To simulate attacks, Cyware Orchestrate comes with a playbook that runs tests on the victim machine by connecting to a machine deployed on an internal machine via SSH. 

Through this playbook, security teams can further funnel attacks by sorting attack simulations with the help of Operating Systems and MITRE Tactics to gain visibility into the types of attacks that have good detections and the ones that need improvement.

By running attack simulations mapped to MITRE, security teams not only gain effective attack visibility, but it also allows them to map defenses mapped to MITRE Defend. Moreover, this helps security teams leverage the community around MITRE to get suggested queries, rules, threat actors who leverage these attacks, and defenses against the same.

Advantages of Orchestration Over Cron

While the users can run the tool on a cron, running the tool via an orchestration platform has two major advantages:

  • Ability to perform further actions based on the responses of the simulation tool: Cyware Orchestrate allows security teams to run custom codes to parse the response of the tool run on the victim machine. By parsing this tool response, they can further run actions such as Notifications, Alerting, Proactive Hunting of Attack Patterns, etc. ?These additional action steps can be customized to a great length, allowing security teams to scale effortlessly while maintaining precision of steps taken based on certain conditions.

  • Ability to scale across multiple machines: As previously mentioned, orchestration tools excel at taking a defined flow and scaling it across systems. Now this in combination with the abovementioned point, allows security teams to run simulations on multiple systems, each running a specified attack based on parameters such as resource criticality, all without trading out precision for scale.

The Detection Playbook

Cyware’s detection playbook allows security teams to virtually run detections, incident onboarding, and resolutions automatically eliminating defender burnout and reducing the overall Mean Time To Detect (MTTD). The playbook entails the following simple steps: 

  • Configure the Splunk Universal Forwarder to forward bash command history and auth logs to Splunk SIEM.
  • Configure an alert on Splunk to run on a cron job and send matching alerts via Webhook to Cyware Orchestrate asynchronously. 
  • In Cyware Orchestrate, configure a webhook to receive this information and a playbook to be triggered upon data being posted to the aforementioned webhook.
  • In the detection playbook, parse out events from the SIEM (Splunk) and map them to TTPs.
  • Map TTPs to defenses via MITRE DEFEND and get related detection queries.
  • Create CFTR Incident.
  • Attach MITRE Mappings, Defenses, and Detection queries as notes to the CFTR incident.

Once the incidents are mapped to MITRE, the Attack Navigator module is used on CFTR, Cyware’s incident management platform to reflect incidents across the ATT&CK Matrix.

To learn more about Cyware’s Orchestrated Attack Simulation solution, schedule a free demo.


  1. Splunk 
  2. METTA
  3. Cyware Orchestrate
  4. Cyware Fusion and Threat Response


use case
attack simulation orchestration
orchestrated attack simulation
attack simulations
simulation playbook
attack simulation
detection playbook

Posted on: August 03, 2022

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.

The Virtual Cyber Fusion Suite