SESSION ID: HUM-F01
#RSAC
Train Like You're Going to Fight: What Kind of Exercise Meets Your Needs?
Dr. Joe Adams
Vice President for Research and Cyber Security
Merit Network, Inc.
Agenda
- What is this talk about?
- Exercises in Context
- Types of Exercises
- Putting Cyber in Kinetic Exercises
- Getting Your Exercise Started
Introduction
Why you’re here
- To talk about which type of exercise suits your objectives
What you’ll take away from this presentation
- Steps to create an exercise
- A survey of exercise types
Why this is important
- Validating processes in a controlled environment
Glossary
- CTF – Capture the Flag. A tactical, hands-on, technical exercise.
- DFIR – Digital Forensics, Incident Response. The two sides of cleaning up a big mess.
- Inject – What I do, during an exercise, to get a response. This is directly connected to the task and context the exercise is testing.
Training Cycle
Classes (individual skills) -> Procedure Exercises -> Contextual Exercises -> Assess -> back to Classes
Why you need to exercise
- Complements classes: Crawl -> Walk -> Run
- Validates & reviews processes
- Practices procedures – team dynamics
- Delivers a big-picture view of a process or situation
What you need to exercise
- Legal/Policy
- Media Engagement/Breach Notification
- Insurance coverage
- Response plans
Not purely technical! Get everyone involved!
Who needs to participate?
- Managers across the company
  - Sales & Marketing
  - Finance
  - IT
- IT staff
- DFIR teams
The Key Components
Make it worth the time!
Record -> Review -> Report
Show the results
What gets in the way
- Budget
- Time
- Experience in putting an exercise together
- Unwarranted belief in untrusted skills
Who else does exercises?
- The usual suspects: Government, DoD, DHS
  - Usually kinetic. Increasingly including cyber
- Healthcare, Finance
  - Moving from tabletop exercises to more hands-on exercises
  - Demonstrate planning and response
- Utility Companies
  - Large & medium-sized companies (CIP v5)
Types of Exercises
- Table Top Exercise (TTX)
- Capture the Flag (CTF)
- Red vs. Blue
- Red on Red
- Digital Forensics/Incident Response (DFIR)
Table Top Exercises
- Just like it sounds
- All you need is a table
- Use a note taker
Applicable to:
- All levels (technical through executive)
- All sections (make the geeks talk to accountants!)
Objectives:
- Explore scenarios
- Verify procedures
Benefits:
- Identifies stakeholders
- Identifies critical elements of information
- Clarifies a taxonomy
Time Frame:
- 4-6 hours before eyes glaze over
Constraints:
- Not real time!
- Beware of hand waving
Capture the Flag
- Technical
- Seen at most (all?) hacker conferences
- Does everyone get a copy or is it a shared environment?
Applicable to:
- Recruits
- Students
- Technical staff
Objectives:
- Individual or small team skills
- Use the tools
Benefits:
- Technical focus
- Fun!
Time Frame:
- 6-12 hours
Constraints:
- Development time
- Assessment / scoring
Red vs. Blue
- I attack, you defend
- Run locally, run nationally
  - Cyber Patriot
  - National Collegiate Cyber Defense Competition
  - Inter-service Academy Cyber Defense Exercise
Applicable to:
- Students (culmination event)
- IT Teams
Objectives:
- Practice defense
- See cause & effect in an attack
Benefits:
- Fun, fast, challenging
- Very stressful situations
Time Frame:
- 1 day to a full week
Constraints:
- Environment development
- Repeatable results?
Red vs. Red
- Paintball – everyone attacks and defends
- Can get very chaotic!
Applicable for:
- Advanced students
- Pen testing teams
Objectives:
- Control the network
- Penetrate, harden, defend systems
- Communicate & delegate
Benefits:
- Fun, fast, challenging
- Exercises the entire spectrum of skills
- Requires communication
Time Frame:
- 6-12 hours
Constraints:
- Environment development
- Repeatable results?
- Takes practice and speed – some will get overwhelmed
Incident Response
- Something bad happened
- Needs a lot of prep or a lot of time
- Do you give them disk images?
- Can you generate enough realistic log data?
Applicable for:
- Incident response teams
- Generating results to inject into a TTX
Objectives:
- Validate Incident Response plans
- Perform DFIR skills
- Rapid familiarization with a network
Benefits:
- Practice DFIR
- Demonstrate what IR teams do
Time Frame:
- Days, especially if evidence collection is included
Constraints:
- Environment development
Steps to Making an Exercise - Overview
Don’t Panic!
Making an Exercise
1. Determine scope
2. Define objectives
3. Determine type
4. Create exercise
5. Report
Making an Exercise
Sponsor
- Who are we going to report the results to?
Scope Definition
- What are we going to exercise?
- Who needs to be involved?
Objective Definition
- Here’s what we want to test
- Here’s how we’ll test it
- Here’s what we think you’re going to do
- Here’s what you did
- Task – Condition – Standard
Decide which type of exercise suits your requirements
- Table Top Exercise (TTX)
- Capture the Flag (CTF)
- Red vs. Blue
- Red on Red
- Digital Forensics, Incident Response (DFIR)
Create the Scenario
- Realistic
- Applicable
- Keep it Simple!
Other Documentation
- Master Scenario Events List
- Timeline
- Communications: governs the flow of information
- Evaluation Guide
Write the Exercise Directive
- Objective Definition
- Scenario
- Means of Communication
- Timeframe
- Evaluation/Assessment
Publish the Exercise Directive
- Location
- People: participants, facilitator/evaluator
Making an Exercise - After
Hotwash
- Immediately after the exercise
- Get everyone’s impressions, perceptions, gripes, and kudos
- Answer the sponsor’s question: “So how did it go?”
After Action Review
- Walk through each objective and inject
- Results in a report with a record of what happened, follow-ups, and due-outs
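An added example, not from the talk, that puts the pieces the preceding steps describe into code: the Master Scenario Events List as a list of injects written as Task – Condition – Standard, the scribe's record of responses, and the After Action Review walking each objective and inject to produce the record and the due-outs. The inject wording, standards and recorded answers are constructed for illustration, loosely modelled on the office-fire tabletop described later in the deck.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Inject:
    """One Master Scenario Events List entry, written as Task - Condition - Standard."""
    inject_id: str
    minute: int               # offset on the exercise timeline, in minutes
    owner: str                # section assigned responsibility for answering it
    objective: str            # exercise objective the inject evaluates
    task: str                 # what the section must do
    condition: str            # the situation the scenario puts them in
    standard: FrozenSet[str]  # elements an answer must cover to meet the standard


@dataclass(frozen=True)
class Response:
    """What the scribe records when a section answers an inject."""
    inject_id: str
    minute: int
    responder: str
    covered: FrozenSet[str]   # standard elements the answer actually addressed
    note: str = ""            # shortfall or remark captured for the hotwash


def evaluate(msel: List[Inject], record: List[Response]) -> Dict[str, dict]:
    """Score every inject against its standard: met, partial, or no response.
    Answers from a section other than the assigned owner, or recorded before
    the inject was issued, are flagged as process issues for the hotwash."""
    results: Dict[str, dict] = {}
    for inj in msel:
        answers = [r for r in record if r.inject_id == inj.inject_id]
        if not answers:
            results[inj.inject_id] = {"status": "no response",
                                      "missing": sorted(inj.standard), "issues": []}
            continue
        covered = frozenset().union(*(a.covered for a in answers))
        issues = [f"answered by {a.responder}, assigned to {inj.owner}"
                  for a in answers if a.responder != inj.owner]
        issues += [f"answer logged at minute {a.minute}, before inject at {inj.minute}"
                   for a in answers if a.minute < inj.minute]
        missing = sorted(inj.standard - covered)
        results[inj.inject_id] = {"status": "met" if not missing else "partial",
                                  "missing": missing, "issues": issues}
    return results


def after_action_report(msel: List[Inject], record: List[Response]) -> dict:
    """Walk through each objective and inject, as the After Action Review does,
    and roll the results into the report: what happened, and who owes what."""
    results = evaluate(msel, record)
    by_objective: Dict[str, Dict[str, int]] = {}
    follow_ups = []
    for inj in msel:
        tally = by_objective.setdefault(inj.objective, {"met": 0, "total": 0})
        tally["total"] += 1
        res = results[inj.inject_id]
        if res["status"] == "met":
            tally["met"] += 1
        else:
            # Every shortfall becomes a due-out for the section that owned the inject.
            follow_ups.append({"owner": inj.owner, "inject": inj.inject_id,
                               "status": res["status"], "missing": res["missing"]})
    return {"by_objective": by_objective, "results": results, "follow_ups": follow_ups}


# Constructed sample data, modelled on the office-fire tabletop in the deck; the
# inject wording, standards and recorded answers are illustrative, not the talk's.
MSEL = [
    Inject("P1-01", 0, "IT", "Continuity of Operations",
           "Report the fire and tell staff where to assemble",
           "Fire alarm at 09:10; the office network and email are down",
           frozenset({"emergency services called", "out-of-band staff notification"})),
    Inject("P2-01", 60, "Marketing", "Data access",
           "Resume campaign work from the temporary location",
           "Office sealed for inspection for at least one week; laptops left inside",
           frozenset({"backup location named", "restore tested"})),
    Inject("P2-02", 90, "Finance", "Continuity of Operations",
           "Run payroll from the temporary location",
           "Same as P2-01; payroll is due in three days",
           frozenset({"banking access outside the office", "approval chain"})),
    Inject("P3-01", 150, "IT", "Data access",
           "Keep specialized applications reachable during a 3-6 month displacement",
           "Building will not reopen this quarter",
           frozenset({"alternate hosting", "licensing confirmed"})),
]

SCRIBE_RECORD = [
    Response("P1-01", 5, "IT", frozenset({"emergency services called"}),
             "staff notification plan depends on the email system that is down"),
    Response("P2-01", 65, "Marketing", frozenset(), "no backups kept outside the office"),
    Response("P2-02", 95, "Finance",
             frozenset({"banking access outside the office", "approval chain"})),
    # P3-01 deliberately has no answer: the session ran out of time before phase 3.
]

if __name__ == "__main__":
    import json
    print(json.dumps(after_action_report(MSEL, SCRIBE_RECORD), indent=2))
```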
Cyber in Kinetic Exercises
- You’re IT trying to add to someone else’s exercise
- Substitute cyber causes for physical ones
- Start small: don’t derail it or you won’t be invited back
- Stay with published exploits: if you claim “0-day”, you’ll get called out
- Target specific systems/effects = task-condition-standard
- Manage expectations to make sure they know what’s coming
An Example of an Exercise
Sponsor – Company CEO
Scope – Small company, all sections/directors (about 14 people)
Objectives – Continuity of Operations
- Do you have plans in place if the company is displaced?
- Where is the company’s data?
Type – Table top exercise
- Created a simple scenario with three phases
- Created injects in the form of questions
- Assigned responsibility for each inject
- Scheduled 4 hours in a conference room
- Included a scribe with a laptop
- Focus on communication between teams
Scenario – A fire in the office
- Phase 1 – The fire is happening: reporting, information dissemination
- Phase 2 – The inspection: temporary location (1 week to 3 months), what information is needed, information access
- Phase 3 – The clean-up: prolonged displacement (3 to 6 months)
How it went
- IT was defensive
- Finance and Sales were curious (overconfident?)
- Marketing was the least prepared
- Took 5 hours
What they discovered
- No backups in Marketing
- Many leave their laptops in the office (information access)
- IT relies on email to communicate and doesn’t have a backup plan
The follow-up
- Cloud-based backups
- Emergency procurement processes
- Alternative communications paths
Still working on
- Alternate locations
- Data access issues for specialized applications
Apply what we’ve talked about
Next week
- Pick 3 things that need to be exercised
- Assess your organization
Within 3 months
- Develop a Table Top Exercise
- Deliver the results to potential sponsors
Within 6 months
- Explore other, more in-depth exercises
- Start to plan a training cycle
Summary
- Five types of exercises
- Each exercise is different
- Pick the type that addresses your objectives
Conclusion
- Let objectives drive the type of exercise
- Get everyone involved
- Resources and time will scale the exercise
- Reports and follow-up are key to holding the next one!
Questions?
Contacts
Dr. Joe Adams
cyberrange@merit.edu
www.merit.edu/cyberrange
