
An evaluation is a list of actions tied together in groups for execution in the Mandiant Security Validation Platform. Evaluations are part of a core set of functionality that allows customers to test their environment in a repeatable manner. The Validation Research Team releases some evaluations as part of the content packs made available to customers through the content service or through the Security Validation documentation portal.


Evaluations are not just for the VRT, though! Building an evaluation starts by visiting the Action Library in MSV (Library → Actions). Once you have picked an action, it can be added to the queue. After a series of actions has been added to the queue, the queue can be saved as an evaluation using the steps provided on our documentation portal.


The important part of this process is finding the right actions to add and deciding how to organize the evaluations. It is recommended to build each evaluation around a specific use case, so testing a particular scenario may require building multiple evaluations. As an example, suppose our threat intel team warned us that an actor might use the DARKSIDE malware against our organization. A quick search of the action library (Library → Actions) shows several different kinds of actions for DARKSIDE. (Protip: entering the tag Malware:DARKSIDE in the left text box will pull up those actions quickly.) For DARKSIDE we have malicious file transfers (Network Actions), Host CLI (Endpoint Actions), DNS Actions, and Protected Theater Actions (Malicious Endpoint Actions for the Protected Theater environment).


It is not recommended to create a single evaluation that combines all of these actions. Instead, create one evaluation for each use case.


Common use cases are:



  • Network Communication from Internal to External (Malicious File Transfer, Command and Control)

  • Network Communication from Internal to Internal (Lateral Movement, etc.)

  • Non-Malicious Endpoint Actions (Host CLI Actions)

  • Malicious Endpoint Actions (Protected Theater Actions)

  • DNS Actions


Sorting the actions can be done using the tags in the library:



  • Internal to External: Src:Internal:Trusted+Dst:External:Untrusted

  • Lateral (Internal to Internal): Src:Internal:Trusted+Dst:Internal:Trusted

  • Non-Malicious Windows Endpoint Actions (and Malicious PT actions): OS:Windows:windowsVersion
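
The grouping rule described above, applied to the DARKSIDE scenario, as an added example that is not part of the original post and is not MSV code or its API: the action records, names and organization prefix are constructed, and the tag strings follow the conventions listed in the post.

```python
"""Group action-library entries into one evaluation per use case.
Added example, not MSV code or its API; records and names are
constructed, tag strings follow the conventions in the post."""
from collections import defaultdict

# Constructed sample of action library entries (placeholder names).
ACTIONS = [
    {"name": "DARKSIDE file transfer", "type": "Network",
     "tags": {"Malware:DARKSIDE", "Src:Internal:Trusted", "Dst:External:Untrusted"}},
    {"name": "DARKSIDE C2 beacon", "type": "Network",
     "tags": {"Malware:DARKSIDE", "Src:Internal:Trusted", "Dst:External:Untrusted"}},
    {"name": "DARKSIDE SMB lateral copy", "type": "Network",
     "tags": {"Malware:DARKSIDE", "Src:Internal:Trusted", "Dst:Internal:Trusted"}},
    {"name": "DARKSIDE host CLI discovery", "type": "Host CLI",
     "tags": {"Malware:DARKSIDE", "OS:Windows:10"}},
    {"name": "DARKSIDE detonation", "type": "Protected Theater",
     "tags": {"Malware:DARKSIDE", "OS:Windows:10"}},
    {"name": "DARKSIDE DNS lookup", "type": "DNS", "tags": {"Malware:DARKSIDE"}},
    {"name": "Other family transfer", "type": "Network",
     "tags": {"Malware:OTHER", "Src:Internal:Trusted", "Dst:External:Untrusted"}},
]

def use_case(action):
    """Map one action to a use case, following the post's tag guidance."""
    kind, tags = action["type"], action["tags"]
    if kind == "DNS":
        return "DNS Actions"
    if kind == "Protected Theater":
        return "Malicious Endpoint Actions (Protected Theater)"
    if kind == "Host CLI":
        return "Non-Malicious Endpoint Actions (Host CLI)"
    if "Src:Internal:Trusted" in tags and "Dst:External:Untrusted" in tags:
        return "Network Communication Internal to External"
    if "Src:Internal:Trusted" in tags and "Dst:Internal:Trusted" in tags:
        return "Network Communication Internal to Internal"
    return "Unclassified"

def build_evaluations(actions, malware_tag, org="ORG"):
    """Return {evaluation name: [action names]} for one malware family:
    one evaluation per use case rather than one combined evaluation."""
    family = malware_tag.split(":", 1)[1]
    evals = defaultdict(list)
    for a in actions:
        if malware_tag in a["tags"]:          # e.g. the Malware:DARKSIDE search
            evals[f"{org} - {family} - {use_case(a)}"].append(a["name"])
    return dict(evals)

if __name__ == "__main__":
    for name, members in build_evaluations(ACTIONS, "Malware:DARKSIDE").items():
        print(f"{name}: {members}")
```

The naming convention used for the evaluation keys is a placeholder; substitute whatever convention your organization has chosen so the same evaluations can be located and rerun after remediation.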


Once you have built the evaluations, it is easy to run them between as many actors/zones as you have available. With the evaluations saved (using a naming convention that makes sense for your organization), you can run the same evaluations later once remediation of issues discovered is complete.


A robust validation program is defined by a solid foundation in repeatable processes to ensure that remediation is correct and any deviations between test executions can be properly documented. Having well-defined and robust evaluations that are straightforward to run is a foundational building block to your validation program.


Author: James Ruff, Google Cloud Security Technical Solutions Consultant
