Testing Strategies with Mandiant Security Validation - Baseline Testing

Mandiant Security Validation (MSV) is an automated and continuous approach to testing the efficacy of an organization's security controls against cyber threats. Security Validation is informed by timely threat intelligence and executes automated, continuous testing of security controls using real attacks.

Effective security requires more than just implementing controls. Understanding their real-world effectiveness is crucial for protecting your organization from cyber threats. Mandiant Security Validation tackles this challenge by providing a comprehensive solution to test and evaluate your security posture.

Baseline Testing provides a starting point for measuring the effectiveness of your security controls. Baselines are essential for creating a repeatable process to generate large-scale metrics used to measure trends and get a deeper understanding of your security posture.

Implementing Baseline Testing

Identifying actions from the Action Library to add to your baseline evaluation can be one of the hardest parts. Some users are not sure where to start, while others get overwhelmed by the 7000+ actions available within the library. We’ve included some guidelines below to help you create your own baseline evaluation:

  • The best way to identify gaps in your security controls is to run actions that cover an array of tactics and techniques that attackers use. The Action Library provides a Tag Filter that allows you to search for actions based on MITRE techniques. The actions you select should then be added to the Queue for your baseline evaluation.
  • Your baseline evaluation should include actions that cover techniques from multiple MITRE tactics. These include but are not limited to Reconnaissance, Initial Access, Execution, Persistence, Command and Control, and Exfiltration.
  • Ensure the actions you choose from the Action Library are supported by the Network and Endpoint actors you have deployed. Some actions specifically test certain Operating Systems like Windows, Linux, or macOS.
  • Ensure your actors meet the prerequisites outlined in the action descriptions. Sometimes actions require specific software to be installed on your actors in order for the actions to run. This should be identified and addressed during the evaluation build out.
  • The actions in your baseline evaluation should be grouped into sets of 20-30 actions per group. This best practice ensures your baseline evaluation is performant and does not overwhelm the Director or Actors during runtime.
  • Your baseline evaluation should run on a recurring basis such as weekly, monthly, or quarterly. This can be set up in MSV in the Job Definition by selecting Repeat Job and setting the appropriate values for the frequency. Ensuring the baseline assessment recurs periodically establishes the trend data you need to measure your progress in improving your security posture through a validation program over time.
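As an added example (not MSV code or an MSV API), the following planner applies the guidelines above to a constructed list of candidate actions: it drops actions the deployed actors cannot run (unsupported OS or missing prerequisite software), flags required tactics left uncovered, and splits the runnable set into groups of 20-30. The Action records, names, OS and prerequisite tags are constructed for illustration.

```python
# Added example: plan a baseline evaluation from candidate actions. Not an MSV API;
# the Action records below are constructed stand-ins for Action Library entries.
from dataclasses import dataclass
from itertools import islice

# Tactics the guidelines above say a baseline should cover at a minimum.
REQUIRED_TACTICS = {"Reconnaissance", "Initial Access", "Execution",
                    "Persistence", "Command and Control", "Exfiltration"}
GROUP_SIZE = 25  # inside the recommended 20-30 actions per group

@dataclass(frozen=True)
class Action:
    name: str           # constructed label, not a real Action Library name
    tactic: str         # MITRE ATT&CK tactic taken from the action's tags
    os: frozenset       # operating systems the action supports
    prereqs: frozenset  # software the action description requires on the actor

def select_actions(actions, deployed_os, installed_software):
    """Keep actions the deployed actors can run; record why the rest were skipped."""
    kept, skipped = [], {}
    for a in actions:
        missing = a.prereqs - installed_software
        if not a.os & deployed_os:
            skipped[a.name] = "no deployed actor runs a supported OS"
        elif missing:
            skipped[a.name] = "missing prerequisite: " + ", ".join(sorted(missing))
        else:
            kept.append(a)
    return kept, skipped

def coverage_gaps(actions):
    """Required tactics that no runnable action exercises."""
    return REQUIRED_TACTICS - {a.tactic for a in actions}

def group_actions(actions, size=GROUP_SIZE):
    """Chunk into groups of at most `size` so no group overloads the Director or actors."""
    it = iter(actions)
    return list(iter(lambda: list(islice(it, size)), []))

def batch(prefix, tactic, oses, prereqs, n):  # n constructed sample actions for one tactic
    return [Action(f"{prefix}-{i}", tactic, frozenset(oses), frozenset(prereqs)) for i in range(n)]

# Constructed candidates; Initial Access is deliberately absent to surface a coverage gap.
CANDIDATES = (batch("recon", "Reconnaissance", {"Linux", "Windows"}, (), 8)
              + batch("exec-ps", "Execution", {"Windows"}, ("PowerShell",), 10)
              + batch("persist-mac", "Persistence", {"macOS"}, (), 6)
              + batch("c2", "Command and Control", {"Linux", "Windows"}, (), 12)
              + batch("exfil", "Exfiltration", {"Linux"}, ("curl",), 9))
```

With actors deployed on Windows and Linux and only PowerShell installed, `select_actions` keeps 30 of the 45 constructed actions (the macOS persistence and curl-dependent exfiltration actions are skipped), `group_actions` yields groups of 25 and 5, and `coverage_gaps` reports Initial Access, Persistence and Exfiltration as uncovered, which is exactly the kind of gap to resolve before the first scheduled run.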

Baseline testing is the initial step in understanding your security posture. It involves identifying critical assets, analyzing the security controls in place, and conducting tests to measure their effectiveness against common attack scenarios. The focus of baseline testing should be on understanding your current security posture and identifying gaps instead of immediately remediating or re-configuring security controls.

Special thanks to @nathanael_s for the idea.
