Testing security incident response through automated injection of known indicators of compromise

摘要

Disclosed are various embodiments for testing the security incident response of an organization through automated injection of a known indicator of compromise. A stream of event data generated by a network monitoring system of an organization is received. The stream of event data is modified to include data embodying a fabricated indicator of compromise. The stream of event data that has been modified is then provided to an intrusion detection system of the organization. Metrics are then generated that assess the response of the organization to the fabricated indicator of compromise.