- To enhance the cyber incident response team’s ability to identify, investigate, and mitigate potential cyber threats through proactive hunting.
- To validate the effectiveness of current security controls and incident detection capabilities.
- To develop and refine analyst skills in recognizing subtle indicators of compromise (IoCs).
- To practice the application of advanced threat intelligence to uncover stealthy, malicious activities that evade standard security solutions.
- To improve team coordination and communication during cyber incident handling.
- To generate actionable intelligence that can be applied to strengthen the organization’s cybersecurity posture.
- Advanced; the exercise is designed for experienced cybersecurity professionals who are familiar with threat hunting methodologies and have a deep understanding of network architectures and malicious actor tactics, techniques, and procedures (TTPs).
- A high-profile, multinational financial company, Global Finance Inc., with headquarters in New York, has recently expanded its digital services to include a revolutionary cryptocurrency exchange platform.
- The platform garners significant attention, increasing potential exposure to sophisticated cyber threats. The company employs a large IT team, with a dedicated Cyber Incident Response Team (CIRT) known for its advanced defensive capabilities.
- Global Finance Inc.’s network comprises thousands of devices, including employee workstations, server clusters for high-frequency trading algorithms, and a distributed cloud architecture supporting client transactions.
- Amidst the rapid expansion, the CISO, Evelyn Woods, receives intelligence about a targeted attack campaign aimed at financial institutions, involving a sophisticated threat actor group operating under the moniker “Fintech Phantom.”
- The report suggests that this group uses advanced persistent tactics and rarely detected malware to siphon sensitive financial data. Given the threat, Evelyn decides to implement a cyber range exercise focusing on cyber threat hunting to uncover any hidden threats within Global Finance Inc.’s network, bolster the CIRT’s readiness, and ultimately secure the company’s critical assets.
- Cyber threat hunting
Exercise Attack Steps:
- Preparations and Threat Intelligence Briefing:
- Compile the latest intelligence surrounding “Fintech Phantom” including TTPs, IoCs, and potential attack vectors that would be relevant to the company’s infrastructure.
- Review the company’s network architecture diagrams and identify critical assets likely to be targeted.
- Establish a baseline of normal network behavior for anomaly detection.
- Incident Scenario Kick-off:
- Simulate the discovery of a suspicious, encrypted outbound data flow from the trading algorithm servers, indicating potential exfiltration activities.
- Inject artificial but realistic IoCs into the network traffic that align with the known tactics of “Fintech Phantom.”
- Threat Hunting:
- Deploy network scanning tools and host-based analysis to uncover any unrecognized services or unusual processes running on the trading servers.
- Analyze firewall, IDS/IPS, and SIEM logs for signs of intrusion based upon provided threat intelligence.
- Task the threat hunting team with identifying and investigating abnormal security events, escalating as necessary.
- Identification and Containment:
- Once suspicious activity is discovered, execute procedures to isolate affected systems and prevent further compromise.
- Perform forensic analysis on any identified malware or tools used by the attackers to understand the scope of the breach.
- Eradication and Recovery:
- Outline steps to remove all traces of the attacker’s presence within the network following best practices and industry standards.
- Implement measures to restore any impacted systems to normal operations with minimal disruption to business activities.
- Lessons Learned:
- Convene a debriefing session to review the exercise outcomes, including what was successfully identified, how the team responded, and areas for improvement.
- Discuss how findings from the exercise can be used to refine existing security policies and preventive measures.
- Document the entire exercise to serve as the base for future training initiatives and continuous improvement in the threat hunting process.