Cyber Drills?

  • Christian Popov
  • Mar 3, 2020
  • 4 min read

Hello dear reader,


This is a story about Cyber Drills.

No, not the drills your annoying neighbor uses on weekends.


Cyber drills are a fancy name for cyber security training.

The best definition I could find is the following:


Drills are often used to validate a transaction or a specific function in a particular organization. They are commonly used for team building, to develop or test new policies or procedures, or to practice and maintain current skills.


Reference:


Recently I had to come up with a few training exercises.

These are some of the tools and resources I used.


On to the topic at hand - Cyber Drills.


Table Top Exercises


I love table top exercises as a warm-up for every training I do.

Usually early in the morning while everybody is still getting coffee in their system.

Nobody is thinking straight yet.


Table top exercises are great to get the brain juices flowing.


Here are 6 great scenarios for Tabletop exercises:


Here is a great playbook on Cyber Exercises by MITRE:

Bonus Feature: Table top exercises make you feel like a DnD Dungeon Master. By the power of Grayskull! I have the power!!


Web Server exercise


Okay, now everybody has had coffee and their brains are working.

Let's get down to business.... ...to defeat the Huns.


3 minutes 22 seconds later: No, no, no... let's do an easy exercise: a web server SQL injection.


First things first, we need some infrastructure, virtual for convenience.

For VMs my go-to is OSBoxes:

You can get a wide variety of Linux/Unix boxes for VirtualBox or VMware.

Light-weight distributions like CrunchBang (#!), ElementaryOS and Linux Lite are perfect for exercises.


We have our host; now for a vulnerable application.

Enter the Dragon...

I mean enter CMS Made Simple.

CMSMS 2.2.9 is vulnerable to SQLi.


Reference:

Now you can go Red team:

Provide the VM and ask the participants to scan the machine, find and compile the exploit, hack the box.

Or you can go Blue team: Provide a pcap with said SQLi and server logs and find the problem.
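A starting point for the Blue team variant, added here as an example (not code from the post or from CMS Made Simple): it parses combined-format web server log lines, URL-decodes each request and flags the ones carrying common SQLi indicators, tallying hits per source address. The log lines are constructed for the example and the indicator list is an assumption, not a CMSMS-specific signature.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Generic SQLi indicators (assumption, not a product-specific signature); they are applied
# to the URL-decoded request so %20/%27 encoding does not hide them.
SQLI_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"union\s+select",            # UNION-based extraction
    r"\b(sleep|benchmark)\s*\(",  # time-based blind probing
    r"'\s*or\s+\S+\s*=\s*\S+",    # tautology such as ' or 1=1
    r"information_schema",        # schema enumeration
)]

# Constructed log lines (not from a real host): two probes from 10.0.0.9, one from 10.0.0.23,
# ordinary browsing from 10.0.0.5.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Mar/2020:09:12:01 +0000] "GET /index.php?page=news HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [03/Mar/2020:09:12:07 +0000] "GET /index.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 731 "-" "curl/7.68.0"
10.0.0.9 - - [03/Mar/2020:09:12:09 +0000] "GET /index.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 731 "-" "curl/7.68.0"
10.0.0.23 - - [03/Mar/2020:09:12:30 +0000] "GET /index.php?id=1%27%20OR%201=1 HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
10.0.0.5 - - [03/Mar/2020:09:13:40 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict with the URL-decoded request; None if malformed."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded_url"] = unquote_plus(rec["url"])
    return rec

def find_sqli(log_text):
    """Return (flagged_records, hits_per_ip) for requests matching at least one indicator."""
    flagged, per_ip = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in combined format
        hits = [p.pattern for p in SQLI_PATTERNS if p.search(rec["decoded_url"])]
        if hits:
            rec["indicators"] = hits
            flagged.append(rec)
            per_ip[rec["ip"]] += 1
    return flagged, per_ip
```

Run `find_sqli(open("access.log").read())` against the exercise logs; the per-source tally is usually enough to point participants at the attacking host before they dig into the pcap.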



Windows machine exercise

First: Get yourself a Windows VM. I prefer the Microsoft Edge VMs to the Microsoft Tool Evaluation VMs.

It's lighter on resources: less disk space, fewer applications running.


Reference:


Next: Sysmon

Enter SwiftOnSecurity sysmon config.


You can play around and modify the configuration or just let it run as is.

It works fine either way.


Installing sysmon on the system gives you improved event logging, hence better visibility.


Reference:

Lastly: Threat Actor activity

Enter Florian Roth's APT Simulator.


Real talk, this thing is amazing. It can do so many things.

You can go with specific actions like malware beacons, or you can go with "run everything" for extra chaos.

I will let you discover all features for yourself.


For an extra kick, you can run Live Response tools to get artifacts and a memory dump of the compromised VM.


Side note: The red terminal is a great touch.

APT Simulator

References:

Live Response Tools:


Linux Machine Exercise - Insider Threat... sort of.


Download a Linux VM flavor of your choosing.

Next, light a DumpsterFire.

Please don't actually light a dumpster on fire.


The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events.

You can easily create custom event chains for Blue Team drills and sensor / alert mapping.


You can configure a custom Insider Threat DumpsterFire, including:

  • Suspicious Web browsing (hacking sites, insider revenge sites)

  • Network Scans (RDP/VNC, SMB, DB, Webserver)

  • Suspicious File downloads (Kali, TOR, other tools)

  • Malware C2

  • Account Brute Forcing

DumpsterFire UI

You can dump the web browsing and scanning activity to a pcap for analysis.

DumpsterFire goes great with other alert generating systems such as proxy, NIPS and AV.
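An added example (not part of the post or of DumpsterFire) for mapping the scenario's scan activity to an alert: given connection attempts extracted from the exercise pcap, it separates a sweep of one service across many hosts from a port scan of one host. The records and the port-to-service mapping are constructed assumptions.

```python
from collections import defaultdict

# Services the scenario's "Network Scans" item targets, keyed by well-known port
# (the port-to-service mapping is an assumption, not taken from DumpsterFire).
WATCHED_PORTS = {3389: "RDP", 5900: "VNC", 445: "SMB", 1433: "MSSQL", 3306: "MySQL",
                 5432: "PostgreSQL", 80: "HTTP", 443: "HTTPS"}

# Constructed (src, dst, dport, tcp_flags) records standing in for SYN packets pulled
# from the pcap; "S" = SYN only, "SA" = SYN-ACK. Not from a real capture.
RECORDS = [
    ("10.0.0.42", "10.0.0.10", 3389, "S"), ("10.0.0.42", "10.0.0.11", 3389, "S"),
    ("10.0.0.42", "10.0.0.12", 3389, "S"), ("10.0.0.42", "10.0.0.13", 3389, "S"),  # RDP sweep
    ("10.0.0.42", "10.0.0.20", 445, "S"), ("10.0.0.42", "10.0.0.20", 3306, "S"),
    ("10.0.0.42", "10.0.0.20", 1433, "S"), ("10.0.0.42", "10.0.0.20", 5900, "S"),  # port scan of one host
    ("10.0.0.7", "10.0.0.20", 443, "S"), ("10.0.0.7", "10.0.0.20", 443, "S"),      # normal HTTPS client
    ("10.0.0.20", "10.0.0.7", 443, "SA"),                                          # server reply, ignored
]

def scan_summary(records, min_hosts=3, min_ports=3):
    """Classify each source as 'sweep' (one watched port across >= min_hosts hosts) and/or
    'portscan' (>= min_ports watched ports on one host). Returns
    {src: {"sweep": [service, ...], "portscan": [dst, ...]}} for flagged sources only."""
    hosts_per_port = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {port}
    for src, dst, dport, flags in records:
        if flags != "S" or dport not in WATCHED_PORTS:
            continue  # only outbound connection attempts to watched services count
        hosts_per_port[src][dport].add(dst)
        ports_per_host[src][dst].add(dport)
    findings = {}
    for src in hosts_per_port:
        sweep = sorted(WATCHED_PORTS[p] for p, h in hosts_per_port[src].items() if len(h) >= min_hosts)
        portscan = sorted(d for d, p in ports_per_host[src].items() if len(p) >= min_ports)
        if sweep or portscan:
            findings[src] = {"sweep": sweep, "portscan": portscan}
    return findings
```

Thresholds are deliberately low for a small lab subnet; raise `min_hosts` and `min_ports` when running it against traffic from a real proxy or NIPS sensor.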


I'm thinking about expanding this scenario to include sensitive data exfiltration either by DNS or e-mail.


Red Canary Atomic Red Team


These days the Red Canary Atomic Red Team is the talk of the town, and with good reason.

It's great! Also, everything is mapped to the MITRE ATT&CK matrix.


The Atomic Red Team is usually used to safely test your security controls against current hacking techniques used by threat actors.

That said, running the tests on a host and seeing what artifacts are left is a great training exercise.


The good people at Red Canary have even provided tools to run said techniques on both Windows and Linux hosts.

Invoke-RedTeam for Windows and Chain-Reactor for Linux.


With the Atomic Red Team the sky is the limit.

You can pick and choose techniques at random or you can mimic specific threat actors.


Get another Windows VM, slap sysmon on it and go wild. Don't forget to dump memory.

For Linux... we really need a Sysmon equivalent for Linux.


These are some of the tools I used to create training exercises or Cyber Drills.

But there are others as well, such as CALDERA.

You can find other tools in the link below.


Other great resources


Conclusions


Whether you call it security training or cyber drills, the fact remains: training will always be needed.

Tools and resources are always available on the great wide web.

Train the basics and train some of the newer stuff. Do it often.


That's all folks.


Thanks.


©2019 by ChrispySec. Proudly created with Wix.com