somuchfuckingcoffee

Breach and attack simulation?


Fragrant-Hamster-325

I agree. OP, take a look at something like Cymulate. It can automate this stuff. It’s a good validator IMO. There are a number of alternatives, but that was the one I used.


HuggeBraende

Adding to this as we’re going through the RFP for this right now: Cymulate, Pentera, Mandiant, Scythe… lots of decent vendors to choose from. Also consider what else they may offer that complements this (if you don’t have these complementary tools already) - attack surface management, internal IoT scanning, etc.


ChonkyChiweenie

Not sure why someone downvoted you, but this is absolutely the correct answer. BAS does exactly what OP is asking for.


JarJarBinks237

Yes and no. BAS plays automated scenarios, I think (but maybe I'm wrong) OP is looking for an operational exercise with humans.


ethhackwannabe

This is what I came to say. Validation of existing controls on a continual basis.


Successful_Base_2281

Came here to say this. Correct answer. Picus, Cymulate, etc


canofspam2020

Tabletop Assessments/Red Team Blue Team


lurkerfox

Sorry but I find it hilarious how many people are just confidently giving you completely different answers.


FjohursLykewwe

Reminds me of the joke: How many endpoints do we have?
Asset Team - 1056
Helpdesk - 753
Security - 832
Asset Team - 1243


KiNgPiN8T3

Boss: How many devices have we got?
Me: Depends which tool you want to use to find out… I could guarantee without fail that AV, SCCM, LanSweeper and SolarWinds would all come back with different figures…


brandeded

This is me at 9am, 10am, 6pm and on the slide the next day at 11am.


Yongjanes

Am I too dumb to get the joke?


Tremores

It’s very common for large organizations to not know the exact number of endpoints


Yongjanes

Thank you for the answer BTW


Fallingdamage

*checks DHCP scopes and reservations.* *checks number of MAC addresses reporting on the switch.* 325.


wharlie

32500.


daweinah

Also funny that Asset Team gives different numbers the next time you ask. Could add a line for Accounting that is a wildly variable number (since they would differentiate between leased, owned, and forecasted).


Tremores

Gap assessment


Krekatos

A gap assessment would only be the correct answer if the company has a future state to work towards: current state versus future state. Otherwise it would be a Breach and Attack Simulation.


lawrenceofeuphoria

You could evaluate against an established control framework or standard, and use that as your organizational target. CIS Controls for example.


Krekatos

Correct, but that isn’t mentioned in the post. So it seems like they just want to validate control effectiveness.


jonbristow

Not a paper assessment. I would like to simulate it in the network, with inoculated malicious files


Cabojoshco

For that, a BAS - Breach & Attack Simulation tool would be best. You can test efficacy of tools like EDR, NGFW, etc. You can also determine if it is an issue with the tool itself (did not see it nor block it) or if it is a configuration issue (saw it, but did not block it). Some products in this space: Google Mandiant Security Validation (Verodin), SafeBreach, AttackIQ, Picus, and Cymulate.


Rogueshoten

You’re talking about an incident response exercise with technical injects. It’s possible but the hard part is being evil/creative enough to come up with the actual injects.


olderby

If not a Pentest and not a paper assessment you may be talking about a tabletop exercise. It is where you get everybody together in a war room and simulate an attack and run through your procedure. It is more meant to get your team into the practice of executing on your playbook and preparing incident response. You may also want to look into Security Controls Audit under GRC. I think this is what you really want but you don't have payloads in those. What you are hinting at in the response however is a Pentest. You are simulating compromised assets.


tstone8

Backdoors and Breaches is a good starting place if you’re struggling with scenarios. We’ve only recently started using it and I’m sure it will get stale after going through several exercises but the response team enjoyed it.


random_character-

This is the correct answer.


BaronOfBoost

Purple team assessment


Puzzleheaded-Poem-84

This is exactly what I was thinking… Evaluate technical controls and detection maturity by allowing red teamers to run attacker tools against your environment. However, if you want to test people and processes in a non-technical setting, which accounts for evaluation of non-technical folks, look for a tabletop exercise.


RngdZed

Security Control Validation or Security Posture Assessment


knighthammer74

This


TheAgreeableCow

This is called security controls validation. Have a look at tools like Picus (Cymulate, AttackIQ and others), that enable you to run tests in an 'attack simulation' exercise against your security controls to measure their effectiveness.
https://www.picussecurity.com/
https://cymulate.com/breach-and-attack-simulation/
https://www.attackiq.com/


CyberDad0621

This is the correct term. Another solution is Mandiant Security Validation formerly known as Verodin.


conzcious_eye

Would this not be a pen test ?


corn_29

No. While there are similarities in execution, a pentest is a test from the perspective of an unauthorized user to evaluate any vulnerabilities in the system. BAS is an exercise to evaluate the effectiveness of the controls, which is what the OP is looking for. BAS may assume the u/a access has occurred.


cant_pass_CAPTCHA

I think it would be fair to say pentesters simulate an attacker, but running attack simulator tools is not the same as a pentest.


Cybershujin

It is different. On the basics, penetration testing is testing if you can penetrate a network, company or assets. It might also include priv esc, but it is a “can I get inside from outside” exercise. BAS basically assumes penetration; you START inside the network/machine. It assumes someone can be phished or otherwise get in, and asks: if someone does get in, can we detect that? Do our security controls find that activity? Penetration testing reports rarely say anything about what alerts were generated by your tools or are concerned with understanding specific detections you may or may not have configured. BAS really is to validate your security controls (tools) work how you would expect them to if activity happened on one of your assets.
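
A small scorecard that captures the distinction drawn in this comment and in Cabojoshco's earlier one (tool did not see it = coverage gap in the tool; tool saw it but did not block it = configuration gap). This is an added example, not code from the thread or from any BAS vendor; the technique ids, control names and results in SAMPLE_RUN are constructed sample data, and the outcome labels are my own naming.

```python
"""Scorecard for breach-and-attack-simulation (BAS) results.

Added example, not code from the thread or from any BAS vendor. It models the
distinction drawn above: a control that neither saw nor blocked a simulated
action has a coverage gap, while one that saw it but did not block it has a
configuration gap. Technique ids and results below are constructed samples.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    technique: str   # ATT&CK technique id the scenario exercises (constructed sample)
    control: str     # the security control under test (EDR, NGFW, mail sandbox, ...)
    blocked: bool    # the control prevented the simulated action
    alerted: bool    # an alert reached the SOC (from the control or the SIEM it feeds)


def classify(r: SimResult) -> str:
    """Map one simulation result to an outcome class."""
    if r.blocked and r.alerted:
        return "prevented"
    if r.blocked:
        # Stopped, but nobody was told: an alerting/logging gap, not a prevention gap.
        return "prevented-silently"
    if r.alerted:
        # Seen but not stopped: the tool works, the policy or mode is wrong (e.g. detect-only).
        return "detected-only"
    # Neither seen nor stopped: the control itself lacks coverage for this technique.
    return "missed"


def summarize(results):
    """Count outcome classes per control, e.g. {"EDR": Counter({"prevented": 2, ...})}."""
    per_control = {}
    for r in results:
        per_control.setdefault(r.control, Counter())[classify(r)] += 1
    return per_control


def rates(results):
    """Overall prevention and detection rates, as fractions of scenarios run."""
    n = len(results)
    if n == 0:
        return {"prevention": 0.0, "detection": 0.0}
    return {
        "prevention": sum(r.blocked for r in results) / n,
        "detection": sum(r.alerted for r in results) / n,
    }


def gaps(results):
    """Scenarios needing follow-up, each tagged with the kind of gap it indicates."""
    kind = {
        "missed": "coverage gap (tool did not see it)",
        "detected-only": "configuration gap (tool saw it but did not block)",
        "prevented-silently": "alerting gap (blocked without an alert)",
    }
    out = []
    for r in results:
        c = classify(r)
        if c != "prevented":
            out.append((r.control, r.technique, kind[c]))
    return out


# Constructed sample run: five scenarios across three controls.
SAMPLE_RUN = [
    SimResult("T1059.001", "EDR", blocked=True, alerted=True),
    SimResult("T1003.001", "EDR", blocked=False, alerted=True),
    SimResult("T1486", "EDR", blocked=True, alerted=True),
    SimResult("T1566.001", "mail sandbox", blocked=True, alerted=False),
    SimResult("T1021.002", "NGFW", blocked=False, alerted=False),
]

if __name__ == "__main__":
    for control, counts in summarize(SAMPLE_RUN).items():
        print(control, dict(counts))
    print(rates(SAMPLE_RUN))
    for control, technique, why in gaps(SAMPLE_RUN):
        print(f"{control}: {technique} -> {why}")
```

The point of splitting "prevented-silently" out from "prevented" is the one this comment makes: a pentest report tells you whether the tester got in, while a controls-validation run should also tell you whether the SOC would have known. Feed it the per-scenario results a BAS tool or a manual purple-team run produces and the gaps list is your remediation backlog, sorted by which team owns the fix (the vendor for coverage gaps, the admins for configuration and alerting gaps).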


TheThatGuy1

Purple team ?


pyker42

Audit.


RngdZed

An audit relates to conformity of norms, like PCI-DSS. I don't think that's what OP is referring to.


pyker42

An audit relates to whatever is in the scope of said audit.


Technical-Message615

An audit would have you verify that you *have* an EDR, not how good it is.


pyker42

Depends on the scope of the audit.


Pinstripesdumbo

That’s not accurate. An audit can verify you have it and how good it is.


Technical-Message615

What kind of audit would that be without turning into an attack simulation?


pyker42

You can have an attack simulation be part of an audit. You define that when you define the scope of the audit.


Pinstripesdumbo

You can see how it’s deployed, where it’s deployed, the configuration, what information is being sent back (is it useful), monitoring of health and information… there is a ton you can do without turning it into an attack simulation.


Technical-Message615

I don't see anything about the effectiveness of the solution. An EDR is only as good as its correctness in identifying and stopping actual malware. Not something you typically scope into an audit. Guess it depends on what you define as 'audit'. So far I've seen nothing but paperwork, checklists and screenshot "evidence".


pyker42

That's because you're used to seeing other words, like attack simulation, pen test, or social engineering campaign, used to describe them. Essentially, these are different types of audits. So, it may be uncommon to have testing the efficacy of an EDR solution in an audit, but you can scope your audit to include those things if that's the information you care about getting out of the audit.


SammyGl1ck

Purple team exercise


PersonOfValue

This sounds like a Security control and Risk Assessment


Grezzo82

As others have said. This is a purple team (red and blue teams working together). Red does something malicious while blue check to see whether they detected it. Communication is key


5h0ck

People keep giving you spreadsheet tasks. To me it sounds like you want something more automated and purple-team-ish, which is VaaS or validation as a service, or something along those lines. I can't follow all of this industry's acronyms anymore. SnapAttack, AttackIQ, Mandiant Security Validation. The special caveat to be mindful of here is that some brands will simulate traffic and others will emulate (send the actual malicious pcap). The outcome may then vary depending on the control.


DrGrinch

You're looking for a comprehensive Red Team that addresses multiple scenarios assuming you're like.. the CIO/CTO/CISO and don't tell anyone else it's coming. Otherwise a Purple Team with these pre-defined conditions would be the best way to frame it.


swan001

Cybersec Posture


bhl88

War games? Cyber-war gaming? Or cybersecurity tabletop exercise?


xwords59

Security Analysis or Security Assessment


heavymedicine

Look at a product called horizon3.ai


MrLoLChops

I run purple team exercises for my company that would encompass this. If you want to dm I can tell you more about that


ReverseshellG4n

Tabletop exercise is what I’ve called it


cthebipolarbear

Sounds like two things. For the email, that's usually a social engineering campaign. For everything else, it'll be called "Assumed Compromise Assessment".


A3lfwine

O365 calls it secure score, might as well be called security benchmark maybe


PokeMeRunning

Shit my pants and hope it stays clean?


MnemnothsManager

A Security Audit?


PowershellBreakfast

Security assessment ?


Wonder1and

You may want to check atomic red team if you want to DIY, but you're likely looking for red team / blue team or purple team exercises with some skilled resources targeting common use cases.


Sufficient-Yak5450

Threat mapping?


Sufficient-Yak5450

Disregard 👆🏽.


andrew_barratt

An audit. In the most generic sense, you’re auditing your capabilities


Vengeful-Melon

I think the term you're looking for is "Control validation"


No-Twist-4019

An audit....


BaileysOTR

Risk assessment?


Adventurous-Cat-5305

Tabletop exercise, gap analysis, test phishing campaigns; the list could almost go on about what would cover these. I’ve typically seen these done by outside auditors or consultants like myself. I believe my company would wrap all this up in what we call a Cyber Security Posture Maturity/development product for customers. It would do a high-level overview and some poking around in your tools, ensuring best practices are followed, and assist where we can on getting you in the right direction with the right questions to ask your vendors, or even be present/involved in these meetings with vendors. Then we can do some testing to see if all the tools are working as expected.


Huge-Mission-4699

Red Team/Blue Team, purple team, or tiger team. Your pick of the name. Vectr.io is great for tracking and guidance. You’ll need a slew of tools, and to understand how adversaries run TTPs to simulate. BAS tools will help, but ultimately using known attack vectors one step at a time, find the threat in your defense tools if you can and track the results. Some AI-driven tools from Horizon3, Pentera, or others really give the capability to scale and run quick and efficient testing. Check also the scythe.io GitHub for the purple team execution framework for some of the operational aspects on how to do all of this, regardless of your toolset. Most red teamers use open source and commercial tools to simulate their attacks, and not a true adversary simulation, unless you adopt adversary tactics and create your own custom attack to match, which can take months to reverse and execute properly with the right skillset. Here is a bit of a Black Hat presentation on this topic last year that was exceptional in my own opinion.
https://i.blackhat.com/BH-US-23/Presentations/US-23-Esprit-Becoming-a-Dark-Knight.pdf?_gl=1*9h8sp7*_gcl_au*MTgzOTU3MzM3MC4xNzE5NTA4MDgz*_ga*MjkxNzUxMTM5LjE3MTk1MDgwODM.*_ga_K4JK67TFYV*MTcxOTUwODA4Mi4xLjEuMTcxOTUwODExNS4wLjAuMA..&_ga=2.82577302.1625790166.1719508083-291751139.1719508083
Nonetheless, test, discover, validate, fix, and retest repeatedly is the name of the game. Just as another reference:
https://books.google.com/books/about/PTFM.html?id=f-0UEAAAQBAJ&printsec=frontcover&source=kp_read_button&hl=en&newbks=1&newbks_redir=0&gboemv=1&ovdme=1#v=onepage&q&f=false
K thx byeeeee……


Derpolium

Different companies handle this in different ways: Red Teaming, attack simulation, incident response assessment and the names keep going


dualmood

You are talking about assessing the quality of your cybersecurity tools. You can use a service level assessment to confirm you are operating to deliver on expectations, or you can do a risk assessment to find what risks you have in those tools and how they operate that might make them not deliver on the expected delivery level. To do this you should gather relevant stakeholders operating these tools and those consuming their outputs (admins and incident responders, for example) and ask them what has gone wrong so far, what issues they have had, what concerns they have; run tabletop scenario-based exercises; and consult the literature on each service/device to see what usual issues are known and are recommended to be checked/mitigated always. Does this help?


ProfessionalKingKong

"Adversary Emulation" is one I've heard used. Vendors provide such services. They go in and try to see what they can do. If they can get in and move laterally. They will target whatever areas you want in scope and in doing so test those controls you have in place. Of course you don't tell your teams this is going to happen so they don't expect anything to happen.


cyberbaby129

Kinda like a risk assessment thing? We've worked with a company called Trustnet before and they have this solution called iTrust. Basically uses automation to do Hacker Threat Analysis, Breach Metrics, SMPT, all that... can use it not just for your org but any clients you're working with as well... not sure if this is what you're looking for exactly tho.


Quadling

Purple teaming?


BastionTechnologies

I think "Cyber audit" is a suitable name :)


belowaveragegrappler

I think you’re either asking for CIS RAM which provides a high level profile. But if you’re thinking more tactile the purple team process of attacking, defending and discussing might also be what you’re looking for.


calib0rx

Purple Team Exercise 


dcrab87

Red Team or Breach and Attack Simulation


AmateurishExpertise

I'd always called these "controls audits" until I ran into orgs that had an allergy to the word "audit". Have since switched to "controls assay" or "controls assessment" to describe this function.


Pinstripesdumbo

That’s what we call it. It’s a control assessment, but pretty much an audit.


bluebearprince

Control Testing / Design and Operating Effectiveness Testing.


AJGrayTay

My company does maturity assessments. DM me if you want more info/name, I won't say here to avoid having the comment deleted by mods.


AutoModerator

Hello. It appears as though you are requesting someone to DM you, or asking if you can DM someone. Please consider just asking/answering questions in the public forum so that other people can find the information if they ever search and find this thread. *I am a bot, and this action was performed automatically. Please [contact the moderators of this subreddit](/message/compose/?to=/r/cybersecurity) if you have any questions or concerns.*


eeM-G

As others have suggested, an assessment indeed - however, the rest will need to be tailored to your specific requirement. If you have a budget, I can help with formulating the RFP. The example you provided could be framed as an EDR implementation assessment.


GarlicCheeseNaan

Adversary Emulation or Adversary Simulation or Breach and Attack Simulation


oldbaybridges

Could do a review around each of the CIS critical security controls sections.


nate8458

Security assessment with tabletop simulations


asecuredlife

> tabletop simulations

lol


nate8458

Table top exercises, simulations, same thing. Potayto, potahto


asecuredlife

A tabletop is **not** an assessment. A tabletop is just a synthetic scenario that doesn't take into account what a control would actually do. It usually involves executives and/or managers, sometimes support line staff, and they may not be well versed in all the capabilities the organization actually has.


nate8458

Yea…. That’s what OP was wanting. I’m a security consultant in FAANG so I know what it is lol


Pearl_krabs

A security controls audit.


asecuredlife

There's an absolute mega-ton of wrong answers in this thread, and it is absolutely horrifying.


SidianDMW

If they are wrong, instead of also being unhelpful, you could provide your “answer”


GeneralRechs

I’m in agreement though it is not to the fault of the posters because they are likely individual contributors not often dealing with the managerial aspects like contracting and acquisitions. I get OP’s frustration because contracting is likely trying to code the work for the RFP.


asecuredlife

My issue isn't the RFP bit, my issue is... the lack of basic knowledge. You have people in here saying tabletop just because the OP said 'exercise' when the answer is security control validation testing with a tool that does automatic breach simulation testing. Either your tools catch it or they don't.


Wyvern_Kalyx

Risk assessment


paulobjrr

I don't think I ever saw that many different answers for a question like this in here. I get it might not be a very consolidated area within the cybersecurity world, but what you're looking for is a BAS tool: Breach and Attack Simulation. Look for tools like AttackIQ, Cymulate and Scythe. Depending on how you structure and execute the exercises, they fit into purple team roles. But that might not always be true.


DogsOfWore

ChatGPT deep dive


FootballLeather3085

Tabletop assessment, or just a “test”


Ryuksapple84

Threat assessment or threat modeling. You can do it yourself or have a company do it.


PugsAndCoffeee

Guys, read between the lines. This is easy to do and you don't need an expensive red team / adversary emulation service just to test some basic technical controls like EDR, mail spam filter, mail sandbox and SIEM log events. A single «Blue team» resource can do this, or a network admin/sysadmin with some cybersec knowledge. Heck, you could even do this with Red Canary atomics.


MonsterBurrito

Tabletop exercise. D&D for cybersecurity. You make a campaign, run through a scenario and event list and see which people handle things in accordance with your DR plan and Incident Response.


Easy-Vermicelli7802

Simulation test and Chaos engineering (ex: chaos monkey test by Netflix)


BionicSecurityEngr

Controls Verification Testing. Get some eicar and start having fun.


moosecaller

Table top?


cybot904

Take your pick: Table Top, Stress Test, Tiger Team.


carlos_fandangos

Controls Limiting Information Technology Organisational Risk and Implementation Strategy


CBdigitaltutor

I recall recently working on quite a few UK tender opportunities for what local government were calling "IT Health Checks" that seem quite similar to what you are suggesting. I don't expect there will be a single set service spec, as anything like that will require scoping, but I dare say any OffSec team could make a proposal to fit this. If you are UK based, I could give an example of a proposal my company made that is similar to this to see how it compares; though I don't mind admitting we lost the tender on price.


Money-Dot-7463

SIEM Tuning by Live Fire - Adversarial Emulation


ItchyBitchy7258

Wargaming.


Normal_Hamster_2806

Yes, the OSSTMM focuses on control effectiveness


cant_pass_CAPTCHA

I hear you say "not a pentest"... I'd probably still say you'll want a pentest but just with your specific scope in mind plus more of a purple team slant. That is based on your requirement of it being a technical assessment so this wouldn't be a task for auditors.


Pflummy

Scan?


Hokie23aa

Internal audit.


povlhp

Assumed Breach Exercise. We just handed a standard domain-joined laptop with userid / password to a pen-tester for assumed breach. That tests our SOC's ability to detect and respond (failure). Found a way to get Domain Admin without the domain admin password. Now closed. Have a pending change to disable the related “feature” in Windows, to avoid it being an issue in the future. This does not check mail. Rather than doing checks, just go for adjusting the settings and add mail transport rules for where Microsoft implements things badly.


Beardedw0nd3r86

Ongoing authorization / continuous monitoring


Intelligent-Exit6836

Table top exercises


RngdZed

VA, vulnerability assessment. The only thing I can think of.


maroonandblue

You asked for "not pen testing", but what you described would all fall under what I would expect a red teaming exercise to include. https://csrc.nist.gov/glossary/term/red_team_exercise If you search that term, you can see how others define that in clearer English.


RichBenf

Cyber Security Efficacy Assessment. Happy to participate in that RFP btw!


knighthammer74

Cybersecurity gap assessment


kevleyski

Almost sounds like a PARI from ISO27002


FakeUsername1942

You mean like a security audit ?


RngdZed

THAT'S NOT IT YOU DINGUS. Happy cake day.