Emulating Indicators of Behavior (IoB)
Indicators of Behavior (IoB) are attacker activities observable within an environment as patterns rather than as single artifacts. Unlike Indicators of Compromise (IoC), which are static values such as file hashes, domains, or IP addresses that an attacker can change at no cost, IoBs describe how the attacker operates: process execution chains, registry modifications, lateral movement, authentication abuse, or command-and-control communication patterns.
The Epiphany Validation Engine (EVE) enables controlled emulation of IoBs through the use of Custom Threats. These Custom Threats allow organizations to simulate attacker-like behaviors in a safe and measurable way to validate detection capabilities.
Script Ownership and Responsibility Model
A critical architectural principle of EVE is that Custom Threat scripts must be created and maintained by the customer.
Reveald does not provide custom behavioral scripts tailored to specific environments or threat actors. The platform includes a limited set of default emulations that reproduce selected techniques and sub-techniques aligned with the MITRE ATT&CK framework. These default emulations serve as baseline validation scenarios.
However:
Custom IoB simulations are designed, developed, and maintained by the user.
The customer defines the behavior, logic, and execution parameters.
The responsibility for script design and validation resides with the organization operating EVE.
This model ensures flexibility, environmental relevance, and operational control while avoiding dependency on predefined threat libraries.
What Is a Custom Threat?
Within EVE, a Custom Threat consists of:
A user-developed script executed through the EVE Agent
Parameterized runtime configuration (IP, port, callback interval, duration, instance ID)
Defined behavioral objectives (e.g., persistence, beaconing, enumeration)
The script does not introduce real malicious payloads. Instead, it reproduces the observable behaviors that security controls should detect. Because the emulation is meant to look real to those controls, it can also trigger real response actions (alerts, host isolation, account lockout), so runs should be scoped to test hosts and endpoints, tagged with the instance ID so their telemetry can be told apart, and coordinated with the team that receives the alerts.
IoB Emulation Domains
1. Endpoint Behavior
User-created Custom Threats may emulate:
Suspicious parent-child process relationships
Registry modifications for persistence
Scheduled task creation
Simulated credential access patterns
Local enumeration activities
These behaviors validate endpoint detection and response capabilities.
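A harmless parent-child process chain of the kind listed above, as an added Python example that is not EVE's or Reveald's code. The stages here are all the Python interpreter, which is a placeholder for the real pairing under test (for instance a document reader spawning a shell); the instance ID is passed on each stage's command line so an EDR's process-creation events for the run can be selected by that string and the recorded lineage compared with the chain that was actually spawned. The record layout and the role names are assumptions.

```python
"""Added example (not EVE's or Reveald's code): a harmless parent-child process
chain that exercises endpoint process-lineage telemetry.

Each stage passes the EVE instance ID on its command line, so process-creation
events for the run can be selected by that string and the lineage checked
against the chain actually spawned. All stages are the Python interpreter
(a placeholder); a real Custom Threat would substitute the parent/child
pairing under test, such as a document reader spawning a shell."""
import json
import os
import subprocess
import sys

# Middle stage: records itself, then spawns the leaf stage (constructed source).
STAGE_SRC = r"""
import json, os, subprocess, sys
instance = sys.argv[1]
leaf = subprocess.run(
    [sys.executable, "-c",
     "import json, os, sys; print(json.dumps({'role': 'leaf', 'pid': os.getpid(), "
     "'ppid': os.getppid(), 'instance': sys.argv[1]}))",
     instance],
    capture_output=True, text=True, check=True)
print(json.dumps({"role": "middle", "pid": os.getpid(), "ppid": os.getppid(), "instance": instance}))
print(leaf.stdout.strip())
"""


def emulate_process_chain(instance_id: str) -> list:
    """Spawn root -> middle -> leaf and return one record per stage, root first."""
    root = {"role": "root", "pid": os.getpid(), "ppid": os.getppid(), "instance": instance_id}
    done = subprocess.run([sys.executable, "-c", STAGE_SRC, instance_id],
                          capture_output=True, text=True, check=True)
    return [root] + [json.loads(line) for line in done.stdout.splitlines() if line.strip()]


def lineage_is_consistent(records: list) -> bool:
    """What the EDR should be able to reconstruct: every stage's ppid is the
    previous stage's pid, and every stage carries the same instance ID."""
    linked = all(child["ppid"] == parent["pid"] for parent, child in zip(records, records[1:]))
    tagged = len({r["instance"] for r in records}) == 1
    return linked and tagged


def render_chain(records: list) -> str:
    """Analyst-friendly view, e.g. 'root(1234) -> middle(1240) -> leaf(1241)'."""
    return " -> ".join(f"{r['role']}({r['pid']})" for r in records)


if __name__ == "__main__":
    chain = emulate_process_chain(sys.argv[1] if len(sys.argv) > 1 else "example-run")
    print(render_chain(chain))
    print("lineage consistent:", lineage_is_consistent(chain))
```

The value of the script is the comparison: after the run, query the EDR for process-creation events whose command line contains the instance ID and check that the recorded parent/child pids reproduce the chain the script reports. A gap between the two is a telemetry or detection gap, not an emulation failure.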
2. Network Behavior
Custom scripts can generate controlled network behaviors such as:
Periodic beaconing to a defined test endpoint
DNS query patterns
Controlled HTTP/HTTPS callbacks
Simulated lateral movement attempts
These activities validate firewalls, NDR solutions, IDS/IPS, and proxy controls.
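The Custom Threat structure described under "What Is a Custom Threat?" and the periodic beaconing listed under Network Behavior, as one added Python example that is not EVE's or Reveald's code. The script takes the runtime parameters the page lists (IP, port, callback interval, duration, instance ID), builds a jittered callback schedule the way real implants do, and sends plain HTTP GETs with the instance ID stamped in the URI and a header so proxy, NDR and SIEM records can be tied back to the run. The transport is pluggable so the schedule and requests can be checked without a network; the endpoint, paths and header names are assumptions, not an EVE convention.

```python
"""Added example (not EVE's or Reveald's code): a parameterized beaconing Custom Threat.

Runtime parameters mirror the ones EVE exposes (IP, port, callback interval,
duration, instance ID). The sender is pluggable so the schedule and request
construction can be exercised offline; the real sender is a plain HTTP GET.
Paths and header names are assumptions."""
import argparse
import http.client
import random
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class ThreatConfig:
    ip: str              # test endpoint the callbacks go to
    port: int
    interval_s: float    # nominal callback interval
    duration_s: float    # how long the emulation runs
    instance_id: str     # identifier for this run, stamped on every artifact
    jitter: float = 0.2  # +/- fraction of the interval, as real implants randomize


def build_schedule(cfg: ThreatConfig, rng: Optional[random.Random] = None) -> List[float]:
    """Callback offsets in seconds from the start of the run, including t=0."""
    rng = rng or random.Random()
    offsets, t = [], 0.0
    while t <= cfg.duration_s:
        offsets.append(round(t, 3))
        t += cfg.interval_s * (1 + rng.uniform(-cfg.jitter, cfg.jitter))
    return offsets


def build_callback(cfg: ThreatConfig, seq: int) -> dict:
    """One HTTP callback. The instance ID goes into the URI and a header so
    proxy, NDR and SIEM records can be tied back to this emulation run."""
    return {
        "method": "GET",
        "host": cfg.ip,
        "port": cfg.port,
        "path": f"/beacon/{cfg.instance_id}/{seq}",
        "headers": {"User-Agent": "EVE-IoB-Emulation", "X-EVE-Instance": cfg.instance_id},
    }


def http_sender(req: dict) -> int:
    """Real transport. The observable is the attempt, so a failed connection is
    logged as -1 instead of aborting the run (a blocked beacon is still data)."""
    conn = http.client.HTTPConnection(req["host"], req["port"], timeout=5)
    try:
        conn.request(req["method"], req["path"], headers=req["headers"])
        return conn.getresponse().status
    except (OSError, http.client.HTTPException):
        return -1
    finally:
        conn.close()


def run_emulation(cfg: ThreatConfig, sender: Callable[[dict], int] = http_sender,
                  sleep: Callable[[float], None] = time.sleep,
                  rng: Optional[random.Random] = None) -> List[dict]:
    """Walk the schedule, call `sender` for each callback, return the run log."""
    log, last = [], 0.0
    for seq, offset in enumerate(build_schedule(cfg, rng)):
        sleep(offset - last)
        last = offset
        req = build_callback(cfg, seq)
        log.append({"offset": offset, "status": sender(req), **req})
    return log


if __name__ == "__main__":
    p = argparse.ArgumentParser(description="EVE-style beacon emulation (added example)")
    p.add_argument("--ip", required=True)
    p.add_argument("--port", type=int, default=80)
    p.add_argument("--interval", type=float, default=60)
    p.add_argument("--duration", type=float, default=600)
    p.add_argument("--instance-id", required=True)
    a = p.parse_args()
    cfg = ThreatConfig(a.ip, a.port, a.interval, a.duration, a.instance_id)
    for entry in run_emulation(cfg):
        print(f"t+{entry['offset']:>7.1f}s {entry['method']} {entry['path']} -> {entry['status']}")
```

Keep the run log: it is the ground truth for the review step. Every offset in it should have a matching proxy or NDR record carrying the instance ID; a callback the controls blocked should still appear as a denied connection, and one that appears nowhere is a visibility gap.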
3. Identity and Authentication Behavior
Custom Threats can simulate identity-focused IoBs, including:
Authentication attempts
Privilege escalation simulations
Directory enumeration patterns
These tests validate SIEM rules, IAM controls, and directory monitoring mechanisms.
Operational Workflow
The IoB emulation process in EVE follows a structured lifecycle:
User develops the Custom Threat script
Behavioral logic and parameters are defined
Script is uploaded and configured within EVE
Execution occurs through the EVE Agent
Detection validation and telemetry review
Because EVE supports unlimited emulations, organizations can continuously validate behavioral detection effectiveness after configuration changes, updates, or architectural modifications.
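The last step of the lifecycle, detection validation and telemetry review, as an added Python example that is not EVE's or Reveald's code. It runs over constructed proxy log lines containing a 30-second beacon from an emulation tagged `run-42` and a user's ordinary browsing, checks that every callback the run should have produced is present in the telemetry, and applies the kind of periodicity logic an NDR or SIEM rule would use (regular inter-arrival times over a minimum number of hits). The log format, the instance-ID tag in the URI and the thresholds are assumptions; adapt the parser to your own export.

```python
"""Added example (not EVE's or Reveald's code): review telemetry after a
beaconing emulation run.

Parses constructed proxy log lines (timestamp src dst port method path status),
confirms the run's callbacks reached the telemetry, and flags flows whose
inter-arrival times are regular enough to be a beacon. Format and thresholds
are assumptions."""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample: a ~30 s beacon from 10.0.0.5 (instance run-42) plus browsing from 10.0.0.9.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z 10.0.0.5 192.0.2.10 8080 GET /beacon/run-42/0 200
2024-05-01T10:00:03Z 10.0.0.9 203.0.113.7 443 GET / 200
2024-05-01T10:00:29Z 10.0.0.5 192.0.2.10 8080 GET /beacon/run-42/1 200
2024-05-01T10:00:41Z 10.0.0.9 203.0.113.7 443 GET /news 200
2024-05-01T10:01:01Z 10.0.0.5 192.0.2.10 8080 GET /beacon/run-42/2 200
2024-05-01T10:01:30Z 10.0.0.5 192.0.2.10 8080 GET /beacon/run-42/3 200
2024-05-01T10:01:55Z 10.0.0.9 203.0.113.7 443 GET /img.png 200
2024-05-01T10:02:00Z 10.0.0.5 192.0.2.10 8080 GET /beacon/run-42/4 200
2024-05-01T10:04:10Z 10.0.0.9 203.0.113.7 443 GET /login 302
"""


def parse_log(text: str) -> list:
    """One dict per line; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, method, path, status = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "port": int(port),
            "method": method, "path": path, "status": int(status),
        })
    return events


def callbacks_seen(events: list, instance_id: str) -> int:
    """Coverage check: how many records carry the run's instance ID. Compare
    this with the number of callbacks the emulation's own run log recorded."""
    return sum(1 for e in events if instance_id in e["path"])


def find_beacons(events: list, min_hits: int = 4, max_cv: float = 0.25) -> list:
    """Flag (src, dst, port) flows whose gaps between requests have a low
    coefficient of variation: regular timing, even with jitter, is the IoB."""
    flows = defaultdict(list)
    for e in events:
        flows[(e["src"], e["dst"], e["port"])].append(e["ts"])
    findings = []
    for key, stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv <= max_cv:
            findings.append({"flow": key, "hits": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("callbacks for run-42 seen in telemetry:", callbacks_seen(evts, "run-42"))
    for f in find_beacons(evts):
        print("beacon-like flow:", f)
```

Two different questions are answered here and they should be kept apart when reviewing a run: whether the telemetry pipeline saw the emulation at all (the coverage count), and whether the detection logic fired on it (the periodicity finding). A run that scores well on the first and poorly on the second points at a rule problem; the reverse points at collection or forwarding.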