Your Blue Team is your defense against malicious attackers who seek to take the data you work so hard to develop and protect. Attackers are constantly evolving, developing new entry mechanisms, new attack types, and releasing attacks that defy your software stack. Your Blue Team is a human element capable of stopping these attacks and thinking creatively in order to do so. However, in order to have an effective Blue Team, they must have experience which cannot be gained without experiencing an attack. To help keep your Blue Team effective and up to date on new tools, attack vectors, and defense strategies, we have released six new Blue Team scenarios on Cyberbit Range. These scenarios range from learning to use your tools better to multi-stage complex attacks that will give your team significantly more experience and make them much more effective.
New Blue Team Scenarios
SIEM EXERCISE2 – SMB Thief
Some of the most devastating ransomware and Trojan malware variants seen in the wild depend on vulnerabilities in Windows Server Message Block (SMB) to propagate through an organization’s network. Using the SIEM only, trainees will reconstruct the attack flow, from spreading across the network using the SMB vulnerability to the exfiltration of captured screenshots of infected machines, including the company’s database.
As an essential building block, the SIEM is your first investigative tool, compiling all events across your security software stack. Learning how to reconstruct an attack flow is an essential investigation technique to understand how an attack occurred and to stop it from happening again in the future.
![Blue team scenario 1](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-1-1024x391.png)
Ms. GPO
Anyone who has inside knowledge or access to the organization’s confidential data, IT, or network resources is a potential insider threat. These insiders have the capabilities, privileges and sometimes the motivation needed to steal sensitive data. In this exercise, trainees will need to understand how a disgruntled employee was able to leak confidential information to his personal computer, while maintaining persistence in the network.
By training in this scenario, your team will gain experience with data leakage as well as gain hands-on experience with advanced lateral movement investigation techniques. In this scenario your team will see not one but two separate instances of lateral movement, ensuring that they are able to identify and mitigate the attack in a timely manner should they see it in real life.
![Blue team scenario 2](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-2-1024x390.png)
Network Protocol Exercise
Often considered the “holy grail” of network data collection, Packet Capture (PCAP) files facilitate deep analysis long after the communication has ended. They are a powerful tool often used as part of incident response investigations. In this exercise, trainees will enhance their network forensics capabilities by investigating a variety of network protocols in a PCAP file, including DHCP, ARP, DNS, HTTP, ICMP, SMTP, and FTP.
Part of our “building-block” exercises, this scenario will ensure your trainees are familiar with common network protocols and traffic analysis techniques. Your trainees will learn how to perform a packet analysis using Wireshark, an open-source packet analyzer commonly used for network troubleshooting, analysis, and software/communications protocol development.
![Blue team scenario 3](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-3-1024x417.png)
ARP Poisoning
ARP spoofing attacks can have serious implications for enterprises. In this exercise, the trainees will learn the power of a successful ARP spoofing attack, beginning with the investigation of affected machines and servers and followed by the identification of the sensitive data that was exfiltrated, for the purpose of appropriate risk management and suitable mitigation.
Training on this scenario will ensure your team has the appropriate experience with the ARP protocol and a deep understanding of its weaknesses and potential exploits. Additionally, they will gain hands-on experience with Wireshark as an investigative tool to identify the attack and create new protocols to stop the data leakage.
![Blue team scenario 4](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-4-1024x381.png)
SQLi Domain Hijacking
As the number one threat in the OWASP Top 10, SQL injection attacks can allow an attacker to gain access to sensitive internal information without proper authorization. In this sophisticated attack, an attacker uses SQL injection to exfiltrate the NTDS file, which stores Active Directory data such as user objects, groups, and group membership, as well as the password hashes for all users in the domain. In this exercise, the trainees will need to identify the suspicious activity on the domain controller and the malicious scripts used by the attacker for exfiltration, and to block the communication to the attacker to prevent a complete catastrophe.
Learning how to mitigate an advanced SQL injection attack should be standard among members of the SOC. Your trainees will gain hands-on experience with domain controller management tools and IIS management tools, and get to see a real SQL injection attack, ensuring they are prepared when this technique is used against your network. Additionally, your trainees will practice Windows and MSSQL server log research and basic forensics to ensure they can properly identify the attack and reverse its effects.
![Blue team scenario 5](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-5-1024x380.png)
Killer Trojan with Cuckoo Sandbox
In this variation on the existing Killer Trojan attack already available on Cyberbit Range, your trainees will learn to analyze files using Cuckoo Sandbox, the leading open-source automated malware analysis system. You can throw any suspicious file at the environment and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
Learning to use standard open-source tools like Cuckoo will ensure your trainees know every available weapon in their arsenal against malicious attackers. It is important that your trainees know how to wield these investigative tools, as well as the appropriate time to employ them.
![Blue team scenario 6](https://storage.googleapis.com/stateless-www-cyberbit-com-liv/2020/03/Blue-team-scenario-6-1024x374.png)