Participants will practice repelling an active APT cyberattack.
Objective
Develop skills for repelling targeted cyberattacks on a business-critical system.
Legend
The organization’s virtual infrastructure includes a service which processes confidential client information.
This service attracts the interest of an APT group. The criminals intend to steal confidential user data and resell it on the darknet for maximum financial gain, damaging the company's reputation in the process.
The APT group studied the target system in advance and discovered a number of critical vulnerabilities there. The ‘gang’ plans to attack on the day of the exercise.
Blue Team actions
Participants will have to:
- cope with the attack as fast as possible;
- minimise the amount of information stolen;
- maintain service availability.
Blue Team may use any applications and tools to protect the infrastructure. They may also fix vulnerabilities in the system by improving the service code.
Teams will investigate the incident using classic forensics and threat hunting techniques.
Based on the information gathered, participants will compile a dossier that will help law enforcement agencies locate the criminals.
Objective
Develop incident investigation skills in a scenario where cybercriminals gained access to a privileged account through a successful phishing attack.
Legend
This scenario involves the investigation of two otherwise identical incidents that differ in their indicators of compromise and in the data available for analysis.
First round
One of the perimeter defense solutions detected a request to a command and control server associated with the APT group. Information about the group was obtained through the threat data exchange platform.
Blue Team will receive data from a compromised host (memory dump, event logs, an export of the Windows registry hives, etc.). Participants can obtain this data in two ways:
- by downloading it in advance via the link in the participant's account (the password for the encrypted archive will be issued at the start of the event);
- by using virtual machines in the training infrastructure, with the data already loaded and analysis tools pre-installed.
Second round
An identical incident (but with altered indicators of compromise) occurred in an organization that has EDR agents pre-installed on its endpoints. These agents continuously collect telemetry from the hosts and send it to the Threat Hunting platform. Inside the platform, the collected telemetry is analysed using detection rules that reveal potentially anomalous activity. The platform also provides a convenient interface for searching historical data.
Blue Team will have access to an individual installation of such a platform, filled with events from the compromised infrastructure hosts.
Blue Team actions
In both rounds, Blue Team will solve a number of tasks by analysing the data provided, but the analysis methods will differ.
First round. Blue Team will investigate the incident using the methods and tools of classical computer forensics.
Second round. Blue Team will investigate the incident using the Threat Hunting approach: the first step will be to analyse the logic of several detection rules.
At the end of each investigation, participants will practice compiling dossiers with information about the incident for law enforcement agencies.
The team's final result is the sum of the points earned in the two scenarios. Each scenario has its own scoring method.
Scenario 1
Points are awarded for two indicators: SLA and HP.
SLA (Service Level Agreement) indicates the integrity and availability of a service. It is measured as a percentage.
A checker will periodically contact each team's service. The SLA value is the ratio of successful checks (those in which the service is available and fully functional) to the total number of checks, expressed as a percentage.
HP (Health Points) reflects the presence of vulnerabilities in the service and its ability to withstand attacks. It is a simple numerical value.
Before the start of the scenario, each participant will receive 900 HP and access to the training infrastructure, which contains the same vulnerabilities for everyone.
Each time Red Team successfully exploits a vulnerability in the team’s service, the team will lose HP. The faster the team fixes the vulnerabilities in the service, the less HP it will lose by the end of the scenario.
The final result is calculated as SLA × HP.
Scenario 2
The number of points awarded for a correct answer depends on the complexity of the task.
Each task has several hints. Using a hint reduces the number of points awarded for the answer. The final hint gives the correct answer, but using it earns the team zero points for the task.