2017 TechNet Augusta

Cyber Challenge Session 2 (Room Estes B)

07 Aug 17
1:00 PM - 4:00 PM

Approved for 1 CompTIA CEU: A+, Network+, and Security+; 1 GIAC CPE per full hour of content

Hosted by SAIC

To participate contact Ed Morris, Army Customer Group, SAIC, phone: 706-831-9329 or email: edward.j.morris.jr@saic.com

Cyber Wargame Event Abstract

Summary

In this scenario-driven, interactive training event, we immerse 15 to 20 participants of varying skill sets, backgrounds and interests in a realistic cyber security attack-and-defense wargame environment.  The scenario presents a fictitious environment of loosely integrated government and commercial industrial Information Technology (IT) and Operational Technology (OT) assets.  These networks and assets come under attack from multiple threat sources, comprising hacktivist and nation-state organizations.  Each participant will be assigned to one of the attack teams or to the defending team and, by role-playing in a competitive, emulated but realistic environment, will learn about cyber security vulnerabilities, attack techniques, and defense and reaction techniques.

Format

The event will open with a short introductory briefing outlining each team's objectives, the rules of the game, team assignments and brief summaries of the participating organizations.  Teams will then report to their assigned areas, receive a further briefing from their player-coaches and begin operations.  Player-coaches will track objectives and record points.  After 90 minutes of gameplay, operations will conclude, a winner will be announced, and each team will present a recap and lessons learned.

Tools, Techniques

Attack teams will work collaboratively to find and exploit vulnerabilities in the target infrastructure, using both social and technology-based vectors.  Insider threat and other forms of social engineering are vectors that attackers use and defenders must counter.  Kali Linux is the attackers' primary technical reconnaissance and exploitation toolkit.  Defenders will use a state-of-the-art real-time network situational awareness visualization tool alongside industry-standard firewall software.  Attack team participants will follow the cyber kill chain methodology for offensive operations under the guidance of their player-coaches.  Defending team participants will likewise work with player-coaches and will have basic hands-on monitoring and reaction responsibilities.

Learning Objectives

All participants will learn the basic principles of cyber security attack and defense operations, reinforced by reference to real-world incidents and the industry best practices that guide offensive and defensive operations.  These objectives will be met primarily through the initial wargame introductory briefing (30 minutes).

Participants assigned to the two attack teams will be trained in more detail on offensive cyber attack techniques, tools and motivations.  Role-playing as either the hacktivist or the nation-state team will reinforce understanding of attacking organizations' motivations and ultimate targets.  Both teams use the same tools and follow the same cyber kill chain (Reconnaissance, Weaponize, Deliver, Control, Execute, Maintain), but have completely different means of, and incentives for, gaining access to the Oil Refinery's network.  Participants will either directly perform attack actions or collaborate with teammates who perform them, under the guidance of the player-coach.  The player-coach must understand the scripting of the game well enough to troubleshoot any issue, whether it arises inside the game or outside it.  This phase of training will last 75 minutes: 15 minutes of detailed team briefing and 60 minutes of game play.  Attack team participants will be taught basic use of tools for network mapping, port/service scanning, website vulnerability assessment, account/password brute-force attacks, website page defacement, and more.  Social engineering techniques will also be taught and used.

Participants assigned to the sole defending team will be trained in more detail on defensive cyber techniques and tools.  Role-playing as a hybrid government/industrial joint operations team will reinforce understanding of the target organization's assets and networks.  Participants will either directly perform attack detection and mitigation actions or collaborate with teammates who perform them, under the guidance of the player-coach.  A good player-coach must also respond dynamically to the team's ability and level of cyber expertise, knowing when to give more in-depth information, how much guidance toward the target to provide, and when to let the team pursue its list of objectives independently with minimal support.  This phase of training will last 75 minutes: 15 minutes of detailed team briefing and 60 minutes of game play.  Defending team participants will be taught basic use of tools for multi-network traffic visualization, firewall rule creation, industrial control system interface/control, and more.  Social engineering techniques will also be taught and defended against.  Throughout, participants will experience under realistic conditions the challenge of defeating cyber attacks while keeping critical assets operational.
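As an added illustration of the defending team's monitor-and-react loop (the traffic monitoring and firewall rule creation described here, and the port/service scanning the attack teams perform per the Tools, Techniques section), the Python script below is not part of the event materials or SAIC's tooling.  It reads constructed firewall log lines, flags any source that probes many distinct ports on one host inside a sliding time window, and emits a block rule for each offender.  The log line format, the iptables rule text and the NEVER_BLOCK host list are assumptions made for the example.

```python
"""Port-scan detection over constructed firewall log lines, with a reactive
block rule.  Added example; not part of the TechNet Augusta wargame tooling.
The log format, the iptables rule and the NEVER_BLOCK set are assumptions."""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log.  Format (assumed): "<ISO time> <src> -> <dst>:<port> <ACTION>".
# 10.1.1.50 sweeps six ports on one host in three seconds; 10.1.1.77 is benign.
SAMPLE_LOG = """\
2017-08-07T13:05:01 10.1.1.50 -> 192.168.10.20:22 ALLOW
2017-08-07T13:05:01 10.1.1.50 -> 192.168.10.20:23 DENY
2017-08-07T13:05:02 10.1.1.50 -> 192.168.10.20:80 ALLOW
2017-08-07T13:05:02 10.1.1.50 -> 192.168.10.20:443 ALLOW
2017-08-07T13:05:03 10.1.1.50 -> 192.168.10.20:502 ALLOW
2017-08-07T13:05:03 10.1.1.50 -> 192.168.10.20:8080 DENY
2017-08-07T13:05:10 10.1.1.77 -> 192.168.10.20:443 ALLOW
2017-08-07T13:06:40 10.1.1.77 -> 192.168.10.20:80 ALLOW
2017-08-07T13:09:00 10.1.1.50 -> 192.168.10.21:3389 DENY
"""

SCAN_PORT_THRESHOLD = 5    # distinct destination ports from one source on one host
SCAN_WINDOW_SECONDS = 60   # length of the sliding window
# Assumed: hosts the defenders must never cut off (their own monitoring station,
# the plant HMI), even if they trip the heuristic.  Blocking these would take
# down the very assets the defenders are trying to keep operational.
NEVER_BLOCK = {"192.168.10.5"}


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port), action


def detect_port_scans(log_text, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return {src_ip: {dst_ip: [ports]}} for every source that touched at least
    `threshold` distinct ports on one destination within any `window`-second span.
    DENY lines count too: a scan of mostly closed ports shows up in the firewall
    log almost entirely as denies, so counting only ALLOWs would miss it."""
    recent = defaultdict(deque)   # (src, dst) -> deque of (timestamp, port) in window
    scans = defaultdict(dict)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port, _action = parse_line(raw)
        q = recent[(src, dst)]
        q.append((ts, port))
        # Drop events that fell out of the window relative to the newest event.
        while (ts - q[0][0]).total_seconds() > window:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= threshold:
            scans[src][dst] = sorted(ports)
    return dict(scans)


def block_rules(scans, never_block=NEVER_BLOCK):
    """One iptables DROP rule per scanning source, skipping protected hosts.
    The rule syntax is an assumption about the event firewall, not its real config."""
    return [f"iptables -I INPUT -s {src} -j DROP"
            for src in sorted(scans) if src not in never_block]


if __name__ == "__main__":
    found = detect_port_scans(SAMPLE_LOG)
    for src, targets in found.items():
        for dst, ports in targets.items():
            print(f"scan: {src} -> {dst} ports {ports}")
    for rule in block_rules(found):
        print(rule)
```

Two details matter in practice.  The window is sliding, so 10.1.1.77's two connections 90 seconds apart are not merged into a scan, while a burst from one source is caught after its fifth distinct port.  And the never-block list reflects the constraint the defending team faces in this scenario: an automatic DROP against an OT host such as the plant HMI would "win" the detection and lose the refinery.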

Finally, all participants will hear from each other about their operational objectives, outcomes and lessons learned, giving everyone an opportunity to learn how the other teams operated differently from their own.