Next-Generation Firewall Deployment Playbook

December 16, 2023 · 5 min read

Playbook Objectives

  • To understand and configure the essential features of a next-generation firewall (NGFW) within a corporate environment.
  • To identify and prevent sophisticated cyber threats using the NGFW’s advanced inspection capabilities.
  • To ensure business continuity by protecting network infrastructure against attacks on multiple vectors.
  • To exercise and validate the incident response protocols when facing a complex, multi-layered attack scenario.
  • To enhance the security team’s ability to quickly and effectively deploy security policies to counteract emerging threats.

Difficulty Level

  • Advanced

Scenario

GlobalTech Solutions, Inc., a leading provider of cloud infrastructure and enterprise IT solutions, has observed a surge in cyber threats targeting its network. The company’s Security Operations Center (SOC) recently reported an advanced persistent threat (APT) campaign designed to infiltrate the corporate network, exfiltrate sensitive data, and compromise its high-value cloud services. Analysts have noted that the adversaries use malware with evasion techniques that bypass traditional, port-and-protocol-based security controls.

The current challenge for GlobalTech Solutions is to reinforce its defenses against these emerging threats. The CEO, Alice Johnson, and the CISO, Michael Carter, jointly agree on the need for a robust, state-of-the-art security posture and decide to deploy a next-generation firewall as part of their strategic security enhancement initiative. The NGFW is expected to provide application awareness, an integrated intrusion prevention system (IPS), advanced threat protection, and threat intelligence integration.

Network architect Omar Singh proposes a cyber range exercise not only to configure and fine-tune the NGFW but also to simulate the attack scenarios the SOC team might face. The company’s primary data center, with its array of servers hosting critical applications and its network topology, serves as the environment for the exercise. GlobalTech aims to secure its intellectual property, protect customer data, and maintain a resilient network that responds dynamically to threats.

Category

  • Network Security
  • Firewall Implementation and Management
  • Incident Response

Exercise Attack Steps

  • Begin with pre-attack surveillance, where the threat actor performs reconnaissance to discover network resources, network topology, and potential vulnerabilities in GlobalTech’s infrastructure.
  • Move on to the initial exploitation phase, where the adversary launches a phishing campaign. Simulate the delivery of spear-phishing emails to specific employees with tailored social-engineering content designed to lure them into giving up their credentials.
  • Upon a successful breach, simulate the adversary’s lateral movement within the network, targeting sensitive servers that hold intellectual property.
  • Include the exfiltration step, where stolen data is staged and sent to an external command-and-control (C2) server.
  • At the climax of the exercise, simulate the adversary attempting to deploy ransomware that encrypts critical systems and threatens the availability of services.
  • Transition into the detection phase, where the SOC team uses the NGFW’s IPS signatures, application identification, and session logs to identify malicious traffic and abnormal patterns (unusual east-west connections on admin ports, periodic outbound check-ins, large outbound transfers) that indicate a breach.
  • Follow with a containment strategy, where the SOC team uses the NGFW to isolate compromised systems by pushing policy changes on the fly: deny rules for the affected hosts and for the C2 destinations.
  • Proceed with incident response, where the team engages its playbook to eradicate the threat actor’s presence, restore services, and bolster defenses.
  • Move to the post-incident phase, where lessons learned are reviewed, configurations adjusted, and policies updated to prevent similar attacks in the future.
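
The detection and containment steps above are the ones the SOC actually has to operationalize. The following is an added example, not part of the original playbook and not any vendor’s NGFW API: it runs three detections over a constructed sample of NGFW session logs (the key=value log format, the 10.0.0.0/8 internal range, the hosts, and the thresholds are all assumptions made for illustration) and turns the findings into vendor-neutral quarantine rules of the kind the containment step would push to the firewall.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed tuning values; a real deployment would derive them from its own baseline.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
LATERAL_PORTS = {135, 445, 3389, 5985}   # RPC, SMB, RDP, WinRM
LATERAL_FANOUT = 5                       # distinct internal targets on admin ports
BEACON_MIN_CONNS = 6                     # too few sessions to judge timing below this
BEACON_MAX_CV = 0.2                      # max coefficient of variation of the gaps
EXFIL_BYTES = 50_000_000                 # outbound bytes to one external host

# Constructed sample log (not real data); format is an assumed key=value syslog style.
SAMPLE_LOG = """\
ts=2023-12-16T09:00:00 src=10.1.5.23 dst=10.1.20.11 dport=445 bytes_out=1200 app=smb action=allow
ts=2023-12-16T09:00:05 src=10.1.5.23 dst=10.1.20.12 dport=445 bytes_out=1300 app=smb action=allow
ts=2023-12-16T09:00:09 src=10.1.5.23 dst=10.1.20.13 dport=445 bytes_out=1100 app=smb action=allow
ts=2023-12-16T09:00:14 src=10.1.5.23 dst=10.1.20.14 dport=3389 bytes_out=9000 app=rdp action=allow
ts=2023-12-16T09:00:20 src=10.1.5.23 dst=10.1.20.15 dport=5985 bytes_out=2500 app=winrm action=allow
ts=2023-12-16T09:10:00 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=800 app=ssl action=allow
ts=2023-12-16T09:11:02 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=810 app=ssl action=allow
ts=2023-12-16T09:11:59 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=790 app=ssl action=allow
ts=2023-12-16T09:13:01 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=805 app=ssl action=allow
ts=2023-12-16T09:14:00 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=800 app=ssl action=allow
ts=2023-12-16T09:15:03 src=10.1.5.23 dst=203.0.113.7 dport=443 bytes_out=795 app=ssl action=allow
ts=2023-12-16T09:20:00 src=10.1.20.11 dst=203.0.113.7 dport=443 bytes_out=30000000 app=ssl action=allow
ts=2023-12-16T09:24:00 src=10.1.20.11 dst=203.0.113.7 dport=443 bytes_out=31000000 app=ssl action=allow
ts=2023-12-16T09:05:00 src=10.1.7.40 dst=93.184.216.34 dport=443 bytes_out=4000 app=ssl action=allow
ts=2023-12-16T09:06:00 src=10.1.7.40 dst=10.1.20.11 dport=445 bytes_out=2000 app=smb action=allow
"""

def parse_log(text):
    """Parse key=value session records into dicts with typed ts/dport/bytes_out."""
    events = []
    for line in filter(None, text.splitlines()):
        kv = dict(tok.split("=", 1) for tok in line.split())
        kv["ts"] = datetime.fromisoformat(kv["ts"])
        kv["dport"] = int(kv["dport"])
        kv["bytes_out"] = int(kv["bytes_out"])
        events.append(kv)
    return events

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def detect_lateral_movement(events):
    """One internal source reaching many internal hosts on admin ports."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] in LATERAL_PORTS and is_internal(e["src"]) and is_internal(e["dst"]):
            targets[e["src"]].add(e["dst"])
    return {src for src, dsts in targets.items() if len(dsts) >= LATERAL_FANOUT}

def detect_beaconing(events):
    """Internal->external sessions with regular timing (low jitter) look like C2 check-ins."""
    by_pair = defaultdict(list)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = set()
    for pair, stamps in by_pair.items():
        if len(stamps) < BEACON_MIN_CONNS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= BEACON_MAX_CV:
            beacons.add(pair)
    return beacons

def detect_exfiltration(events):
    """Aggregate outbound volume per (src, external dst) and compare to the threshold."""
    volume = defaultdict(int)
    for e in events:
        if is_internal(e["src"]) and not is_internal(e["dst"]):
            volume[(e["src"], e["dst"])] += e["bytes_out"]
    return {pair for pair, total in volume.items() if total >= EXFIL_BYTES}

def run_detections(events):
    return {"lateral_movement": detect_lateral_movement(events),
            "beaconing": detect_beaconing(events),
            "exfiltration": detect_exfiltration(events)}

def build_containment_policy(findings):
    """Vendor-neutral deny rules: quarantine flagged hosts, block flagged C2 destinations."""
    reasons = defaultdict(set)
    for src in findings["lateral_movement"]:
        reasons[(f"{src}/32", "any")].add("lateral movement fan-out")
    for src, dst in findings["beaconing"]:
        reasons[(f"{src}/32", "any")].add("C2 beaconing")
        reasons[("any", f"{dst}/32")].add("C2 beaconing")
    for src, dst in findings["exfiltration"]:
        reasons[(f"{src}/32", "any")].add("exfiltration volume")
        reasons[("any", f"{dst}/32")].add("exfiltration volume")
    return [{"action": "deny", "src": s, "dst": d, "reason": ", ".join(sorted(r))}
            for (s, d), r in sorted(reasons.items())]

if __name__ == "__main__":
    for rule in build_containment_policy(run_detections(parse_log(SAMPLE_LOG))):
        print(rule)
```

Run as-is and it prints three deny rules: the workstation that fanned out over SMB/RDP/WinRM and then checked in to 203.0.113.7 every minute, the file server that pushed about 61 MB to the same address, and the address itself. The beacon check is the one that needs care in production: legitimate periodic traffic (NTP, update checks, monitoring agents) is just as regular, so the destination should be scored against the NGFW’s threat intelligence feed and an allowlist before a rule is pushed, and the rules here should go out through the firewall’s own management API or orchestration tooling rather than being typed in by hand.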

The cyber range exercise concludes with a debrief session led by Michael Carter, in which the SOC team discusses the efficacy of the NGFW features, the need for continuous staff training, and the establishment of a feedback loop that feeds exercise learnings into daily operational practice. The live simulation gives GlobalTech Solutions a practical, hands-on environment in which security professionals can refine their skills and prepare to defend against sophisticated threats.
