# Resilience Testing [[Core Capabilities/D. Control Verification/D.2 Resilience Testing/Resilience Testing|Resilience Testing]] is a [[Control Verification]] capability. It involves assessing and validating the effectiveness of security measures to ensure resilience against an adversary attack. Resilience Testing is performed from the vantage point of an adversary persona against an assigned target using the exploits or exploit methods attributable to that persona. ## Map ``` mermaid <!-- element style="width:90%; height:auto" --> graph TD Top[[Cybersecurity]] --- D[[Control Verification]] D --- D.1[[Attack Surface Enumeration]] D --- D.2[[Resilience Testing]] D --- D.3[[Risk Prioritization]] D --- D.4[[Remediation Management]] D --- D.5[[Assurance Reporting]] %% Class Definitions %% ===================== class Top,A,A.1,A.2,A.2,A.3,A.4,A.5,A.6,B,B.1,B.2,B.3,B.4,B.5,C,C.1,C.2,C.3,C.4,D,D.1,D.2,D.3,D.4,D.5,E,E.1,E.2,E.3,E.4,E.5,E.6 internal-link,font-color:white; class Top cssClassL0; classDef cssClassL0 fill:black,stroke:black,stroke-width:4px,font-size:15px,font-color:white; class A,B,C,D,E cssClassL1; classDef cssClassL1 fill:darkblue,stroke:darkblue,stroke-width:4px,font-size:15px,font-color:white; class A.1,A.3,A.4,A.5,A.6,B.1,B.2,B.3,B.4,B.5,C.1,C.2,C.3,C.4,D.1,D.2,D.3,D.4,D.5,E.1,E.2,E.3,E.4,E.5,E.6 cssClassL2; classDef cssClassL2 fill:blue,stroke:blue,stroke-width:4px,font-size:15px,font-color:white; class D.2 cssClassCurrent; classDef cssClassCurrent fill:#2f9503,stroke:#2f9503,stroke-width:4px,font-size:15px,font-color:white; ``` ## Definition > [!success] Definition > Resilience testing is the process of evaluating systems, applications, and infrastructure to ensure they can withstand and recover from adverse conditions, such as intentional and un-intentional abuse, misuse, and cyber-attacks. Testing involves simulating real world adversary scenarios to assess the effectiveness of security controls. ## Goals >[!cm-goal] Goal 1 >**Validate Security Controls** - Evaluate the ability of the system or application to withstand and operate under adverse conditions, such as attack attempts, and abuse cases. >[!cm-goal] Goal 2 >**Identify Vulnerabilities in Defenses** - Discover weaknesses and gaps that could be exploited by attackers. >[!cm-goal] Goal 3 >**Enable Continuous Improvement** - Use findings from resilience testing to continuously improve security measures, incident response strategies, and recovery plans. ## Scope ## Process 1. Define the objective of resilience testing 2. Develop a test plan with a defined scope methodology and tolerances 3. Simulate real world adversary attacks 4. Evaluate the effectiveness and document the performance of the security controls ```mermaid flowchart LR A[1. Adversary Inteligence] --> B[2.<br /> Defense Modeling ] B --> C[2. Test Plan Management] C --> D[3. Resilience Testing] D --> E[4. Assurance Reporting] ``` ## Metrics >[!cm-metric] Metric: % of test results within defined tolerance >[!cm-metric] Metric: % of test results out of tolerance >[!cm-metric] Metric: Number of false positives/negatives >[!cm-metric] Metric: [[% of tests that simulate incidents]] >[!cm-metric] Metric: [[% of incidents with unknown weaknesses]] >[!cm-metric] Metric: [[% of Incidents related to a known vulnerability]] ## Inspiration & Resources + ## [Cyber City Map](https://cybercitymap.com/) © 2023-2024 by [ThirdScore, Inc.](https://thirdscore.com/) All Rights Reserved.