Playbook Objectives:
- To develop and validate a comprehensive cyber threat intelligence (CTI) program.
- To simulate realistic attack scenarios for improving the threat detection and response capabilities of the organization.
- To increase the awareness and preparedness of the security team in identifying and mitigating advanced persistent threats.
- To refine the processes and technologies used to collect, analyze, and disseminate threat intelligence.
Difficulty Level:
- Advanced
Scenario:
- In this exercise, we will focus on a high-profile financial services company named “Global Finance Inc.” which has recently been the target of increasingly sophisticated cyber-attacks. The company has recognized the need for an actionable and effective CTI program to protect its vast network and sensitive customer data from future threats.
- Company Overview: Global Finance Inc. is an international financial firm with headquarters in New York City, providing services in investment banking, asset management, and retail banking. It operates a multi-layered network infrastructure with several data centers across the globe, interconnected by a mix of private and public cloud services.
- Key Players: CEO: Johnathan Swift CTO: Emily Rogers CISO: Derek Yung Threat Intelligence Lead: Sofia Ramirez
- The team at Global Finance Inc. has outlined concerns after witnessing an uptick in reconnaissance activities on their networks. They fear a looming cyber-assault which could cripple their operations and cause irreparable damage to their reputation.
- The CISO, Derek Yung, aware of the importance of a proactive defense, has mandated the creation of an immersive Cyber Range exercise to establish a robust CTI program that continuously evolves based on the latest threat intelligence. The playbook will aim to ensure real-time threat detection and swift incident response by dissecting a simulated but realistically crafted advanced persistent threat (APT) attack.
Category:
- Cyber Threat Intelligence (CTI)
Exercise Attack Steps:
- Reconnaissance:
- Attackers profile the company, identifying key personnel and network information through social engineering and network scanning.
- A phishing campaign is launched aiming to compromise an employee’s credentials within the financial department.
- Initial Compromise:
- A successful spear-phishing email tricks an employee into downloading malicious software disguised as a legitimate financial report.
- The malware establishes a foothold on the employee’s computer, allowing for persistent access.
- Establishing Presence:
- The threat actors escalate their privileges using discovered vulnerabilities within the outdated systems deployed on the employee’s network segment.
- They establish a backdoor for continued access and exfiltration of data.
- Exploration & Pivoting:
- With the foothold secured, attackers begin lateral movement across the network, probing for high-value targets, such as servers containing customer financial data.
- Network traffic is closely monitored by attackers to avoid detection and establish patterns for evasion.
- Data Harvesting:
- Financial databases are accessed, and sensitive information is identified for extraction.
- Custom encryption is used by attackers to exfiltrate the data undetected.
- Covering Tracks:
- Attackers aim to erase logs and use anti-forensics techniques to obscure their presence and activities within the network.
- A distraction is created using a DDoS attack on the company’s public-facing services to divert the security team’s attention.
- Exit Strategy:
- The APT group prepares for withdrawal, leaving behind a few stealthy backdoors for future accesses.
- A time bomb is set to delete certain traces of their activities upon a final command.
