Playbook Objectives:

• To test the response capabilities of the Security Operations Center team
• To identify any weaknesses in the current security infrastructure and incident response protocols
• To improve the coordination and communication between SOC team members during a live attack
• To measure the time it takes for the team to detect, analyze, and mitigate a cybersecurity threat
• To develop muscle memory for SOC analysts through a simulated real-world encounter
• To ensure compliance with regulatory standards for cybersecurity

Difficulty Level:

• Advanced: This exercise simulates a sophisticated attack requiring comprehensive detection and response activities from the SOC team.

Scenario:

• IonTech Solutions Inc., a leading software development company with a significant presence in the financial technology sector, has been subject to increased cyber threats given the sensitivity and value of the financial transactions their platforms handle.
• The company possesses a large network footprint with several branches across the globe and utilizes a mix of on-premises and cloud-based infrastructure to support its operations. IonTech’s CEO, Evelyn Mercer, has prioritized the strengthening of the company’s cyber defenses following recent high-profile breaches in the industry.
• Specifically, the SOC, led by security chief Alex Pierce, is tasked with fortifying their cyber defenses and preparedness. Using a Cyber Range exercise, the team is to engage in a simulated, targeted attack aiming to exfiltrate sensitive customer data and disrupt financial services, which could lead to significant reputational and financial damage.
• The company’s network comprises an assortment of interconnected systems including employee workstations, internal servers, cloud storage solutions, and customer-facing applications. Multiple firewalls, intrusion detection systems, and other security tools are spread across this network in strategic points, aimed at providing a robust defensive posture.
• The Cyber Range exercise is intended to validate the SOC’s procedures, uncover any vulnerabilities, and enhance the overall security posture of IonTech Solutions Inc. This exercise comes at a critical juncture when the company is expanding its services, and this defensive scalability is imperative to its continued success.

Category:

• Incident Response and Network Defense

Exercise Attack Steps:

• An initial reconnaissance phase where simulated attackers identify potential entry points into IonTech’s network, targeting less secure peripheral systems such as a third-party-operated HVAC control system connected to the corporate network.
• Exploitation of identified vulnerabilities to gain unauthorized access. The attackers deploy a custom piece of malware designed to evade current antivirus solutions IonTech has in place.
• Establishment of a command and control (C2) channel that enables communication with the compromised system from a remote server.
• Lateral movement within the network to escalate privileges and gain access to more critical systems, leveraging compromised credentials and exploiting trust relationships.
• Data exfiltration attempts begin, with attackers targeting customer databases and source code repositories, which triggers subtle anomalies in network traffic.
• Deployment of ransomware on certain critical systems to add urgency and complexity to the SOC team’s response, while simultaneously attempting a Distributed Denial-of-Service (DDoS) attack to overwhelm IonTech’s online services.
• The SOC team is expected to detect the intrusion, investigate the scope and impact, contain the threat by isolating affected systems, eradicate the threat by removing malicious footholds, and recover by restoring systems to their normal operations. Further, the team will need to coordinate communication with management and possibly law enforcement, keeping in mind any legal and compliance requirements.
• Post-exercise, the SOC team conducts a thorough review, examining the detection time, response actions, any delays or challenges faced, and the effectiveness of the team’s communication and coordination. From this, the team will update their Incident Response Plan incorporating lessons learned to solidify their defense against real-life cyber threats.