Network Segmentation and Access Control Playbook

December 16, 2023


  • In the bustling city of Techton, the renowned financial institution, Bellwether Capital, stands as a beacon of innovative financial solutions. However, the stability of their IT infrastructure faces a significant challenge from ongoing global cyber threats. A team of dedicated IT professionals, led by Chief Information Security Officer (CISO) Cassandra Knight, discovers anomalous activities hinting at an imminent, sophisticated cyber-attack.
  • The Bellwether Capital headquarters comprises a complex network with sensitive data across different departments, including consumer banking, corporate finance, and investment services. At stake are the personal records of millions of clients, proprietary market algorithms, and the company’s spotless reputation. Recent incidents within the industry have prompted the executive board to demand a robust security strategy, starting with a defensive exercise on Network Segmentation and Access Control.
  • The company is ready to embark on a strategic cyber range exercise to test and solidify its defensive measures. The primary aims are to prevent lateral movement within the network, protect key assets, and ensure that if one segment falls, the others remain secure. The exercise is designed to simulate an APT (Advanced Persistent Threat) group attempting to move laterally within Bellwether’s network after an initial breach.

Playbook Objectives:

  • Demonstrate the effectiveness of network segmentation strategies
  • Test the current network access control policies
  • Identify strengths and weaknesses in the security posture
  • Train the IT security team in incident detection and response within a controlled environment
  • Develop standard operating procedures for defense against network infiltration and lateral movement

Difficulty Level:

  • Advanced

Scenario Category:

  • Cybersecurity
  • Network Defense
  • Incident Response

Exercise Attack Steps:

  1. Attack Initiation:
    • An attacker compromises an employee’s workstation through a phishing email containing a malicious attachment.
  2. Establishing Foothold:
    • The malicious software on the workstation establishes a reverse shell to an external command and control (C2) server.
    • The attacker begins to probe the network from the compromised workstation.
  3. Privilege Escalation:
    • The attacker exploits local vulnerabilities to gain administrative privileges on the compromised workstation.
  4. Lateral Movement:
    • With escalated privileges, the attacker searches for network shares and additional credentials on the compromised system.
    • They attempt to move laterally to other systems within the same network segment.
  5. Exploitation of Weak Segmentation:
    • The attacker discovers weak ACLs between segments and attempts to infiltrate adjacent segments, targeting sensitive financial data systems.
  6. Data Exfiltration Attempt:
    • Upon reaching the targeted systems within the segmented network, the attacker tries to exfiltrate dummy financial reports to the C2 server.
  7. Detection and Response:
    • The cyber range environment monitors the activity to determine if Bellwether’s security team, equipped with advanced monitoring tools and incident response protocols, can detect and thwart the attack.
  8. Recovery and Lessons Learned:
    • Following the exercise, the security team identifies compromised systems and executes containment and remediation steps.
    • The team gathers for a debrief to analyze the attack vectors and the effectiveness of segmentation and access controls, and to update the incident response playbook based on the lessons learned.
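
As a defender-side check for the weak inter-segment ACLs in step 5, the sketch below audits a first-match ACL against an intended segmentation policy and reports every permitted cross-segment flow the policy does not allow. It is an added example, not part of the original playbook; the CIDR ranges, the ACL rules, the allowed-flow policy and the port watch list are all constructed assumptions.

```python
import ipaddress
from itertools import permutations

# Constructed segment map: the names follow the playbook's departments,
# the CIDR ranges are assumptions made for this example.
SEGMENTS = {name: ipaddress.ip_network(cidr) for name, cidr in {
    "workstations": "10.10.0.0/16",
    "consumer_banking": "10.20.0.0/16",
    "corporate_finance": "10.30.0.0/16",
    "investment_services": "10.40.0.0/16",
}.items()}

# Assumed segmentation policy: the only inter-segment flows meant to be open.
ALLOWED_FLOWS = {("workstations", "consumer_banking", 443)}

# Ports commonly used for remote access and file shares (assumed watch list).
WATCH_PORTS = (22, 443, 445, 3389)

# Constructed ACL: evaluated top-down, first match wins, implicit deny at the end.
ACL = [
    (10, "permit", "10.10.0.0/16", "10.20.0.0/16", (443, 443)),
    (20, "permit", "10.10.0.0/16", "10.30.0.0/16", (445, 445)),
    (30, "deny",   "10.10.0.0/16", "10.40.0.0/16", (1, 65535)),
    (40, "permit", "10.0.0.0/8",   "10.40.0.0/16", (1, 65535)),
]

def audit(acl=ACL):
    """Return (src_segment, dst_segment, port, rule_id) for every permitted
    inter-segment flow that the policy does not allow."""
    rules = [(rid, act, ipaddress.ip_network(s), ipaddress.ip_network(d), p)
             for rid, act, s, d, p in acl]
    findings = []
    for (src, src_net), (dst, dst_net) in permutations(SEGMENTS.items(), 2):
        for port in WATCH_PORTS:
            for rid, act, r_src, r_dst, (lo, hi) in rules:
                if not (lo <= port <= hi and r_src.overlaps(src_net)
                        and r_dst.overlaps(dst_net)):
                    continue
                if act == "deny":
                    # Only a deny covering both whole segments ends evaluation;
                    # a partial deny leaves some hosts for later rules.
                    if src_net.subnet_of(r_src) and dst_net.subnet_of(r_dst):
                        break
                    continue
                if (src, dst, port) not in ALLOWED_FLOWS:
                    findings.append((src, dst, port, rid))
                break
    return findings

if __name__ == "__main__":
    for src, dst, port, rid in audit():
        print(f"rule {rid}: {src} -> {dst} tcp/{port} permitted, not in policy")
```

On the constructed rule set, rule 20 exposes file-share access from workstations to corporate finance, and the broad 10.0.0.0/8 source in rule 40 opens investment services to the other two department segments even though rule 30 blocks workstations.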