
Waiting for a cyber range exercise is not enough

In this talk Olaf will elaborate on typical tasks related to incident response and why it is possible to practice them without the need for complex cybersecurity ranges or cybersecurity drills. He will also discuss what cyber ranges should be used for and why they should not be the starting point in preparing for incident response.

  1. Waiting for a cyber range exercise is not enough
  2. Who am I?
     o Olaf Schwarz
     o Austrian Energy CERT / CERT.at / GovCERT
     o https://github.com/AustrianEnergyCERT/ICS_IoT_Shodan_Dorks/
     o Incident Handling, Forensics
     o Private projects:
       o https://github.com/00010111/
       o smbtimeline
     o Twitter: @b00010111
  3. What is a cyber range?
     o Simulating a cyber attack
     o Solving challenges in teams or alone
     o Explicit setup
     o Usually a precooked scenario/evidence
     o sometimes live/real attackers
     o Challenges:
       o processes
       o communication
       o technical skills
  4. Examples – A1 Cyber Security Training: https://www.a1.net/cyber-security-training
  5. Examples – Cyber Czech 2016: https://www.govcert.cz/en/info/events/2532-national-cyber-security-centre-held-exercise-for-cecsp-partners/
  6. Examples – KSÖ Planspiel: https://kuratorium-sicheres-oesterreich.at/ksoe-cybersecurity-planspiel-praxistest-fuer-eu-richtlinie/
  7. Examples – NetWars: https://www.sans.org/netwars
  8. Typical IR tasks to train
  9. Typical IR tasks
     o Did someone from network XYZ access a specific URL?
       o timestamp of the visit (hopefully with time zone)
       o domain
       o proxy logs
     o Why is this a typical IR task?
       o a very common starting point for IR
       o someone trustworthy asks you to do so
     o Do we need a cyber range to practice?
       o NO
       o You only need $random URL and permission to search the proxy logs
  10. Typical IR tasks
     o What did someone from network XYZ access?
       o timestamp / time frame (hopefully with time zone)
       o proxy logs
       o firewall logs
       o logs on the client
       o ….
     o Why is this a typical IR task?
       o checking for C2 or lateral movement from a suspicious client
     o Do we need a cyber range to practice?
       o NO
       o You can simply check what your client machine talked to on the network
  11. Typical IR tasks
     o Which client/server had IP address $A at a specific time?
       o timestamp / time frame (hopefully with time zone)
       o DHCP logs
       o CMDB
     o Why is this a typical IR task?
       o identify the machine causing the aforementioned connections
     o Do we need a cyber range to practice?
       o NO
       o You can simply check whether you can narrow it down to your own work machine
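
Slides 9 to 11 are one chain: a URL and a time window come in, the proxy log yields client IPs, and DHCP says which machine held each IP at that moment. The script below is an added example of that chain, not tooling from the talk. It works on constructed log lines and assumes a Squid native access.log (epoch seconds, hence UTC) and ISC dhcpd DHCPACK lines as forwarded by syslog, which carry no year and are stamped in the DHCP server's local zone; the zone is taken to be CET (+01:00, no DST on the sample date) and the year 2021. The point the slides make about time zones is the whole reason for the conversions: the requester's "10:00 to 10:30" is local, the proxy stamps are UTC, and a lease that changed hands an hour earlier in local time must not be mistaken for one that changed later.

```python
"""Proxy hit -> client IP -> host behind it (slides 9-11). Added example on constructed logs."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

DHCP_ZONE = timezone(timedelta(hours=1), "CET")  # assumption; use zoneinfo.ZoneInfo("Europe/Vienna") on real data so DST is handled
LOG_YEAR = 2021                                   # assumption: syslog lines carry no year

# constructed: Squid native format "time.ms elapsed client action/code bytes method URL user hier/peer type"
PROXY_LOG = """\
1614676500.123    245 10.20.30.41 TCP_MISS/200 5123 GET http://update.example.test/stage2.php - HIER_DIRECT/203.0.113.5 text/html
1614676560.456     12 10.20.30.77 TCP_HIT/200 812 GET http://intranet.example.test/ - NONE/- text/html
1614676620.789    301 10.20.30.41 TCP_MISS/200 9802 GET http://update.example.test/stage2.php - HIER_DIRECT/203.0.113.5 application/octet-stream
1614680100.001    190 10.99.1.5 TCP_MISS/200 4000 GET http://update.example.test/stage2.php - HIER_DIRECT/203.0.113.5 text/html
"""

# constructed: ISC dhcpd via syslog; 10.20.30.41 changes hands twice on the same day
DHCP_LOG = """\
Mar  2 07:58:01 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.41 to 00:11:22:33:44:55 (WS-BOB) via eth0
Mar  2 08:14:55 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:01 (WS-ALICE) via eth0
Mar  2 08:20:10 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.77 to aa:bb:cc:dd:ee:02 (WS-CAROL) via eth0
Mar  2 10:30:00 dhcp1 dhcpd[1234]: DHCPACK on 10.20.30.41 to aa:bb:cc:dd:ee:03 (WS-DAVE) via eth0
"""

PROXY_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
DHCP_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ dhcpd\[\d+\]: "
                     r"DHCPACK on (?P<ip>\S+) to (?P<mac>\S+) \((?P<host>[^)]*)\)")


def parse_proxy(text):
    """-> [(utc datetime, client ip, method, url)]; the epoch stamp is already UTC."""
    hits = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            hits.append((datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc),
                         ip_address(m["client"]), m["method"], m["url"]))
    return hits


def parse_dhcp(text):
    """-> [(utc datetime, ip, mac, hostname)] sorted by time; local syslog stamps are converted to UTC."""
    acks = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            local = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}",
                                      "%Y %b %d %H:%M:%S").replace(tzinfo=DHCP_ZONE)
            acks.append((local.astimezone(timezone.utc), ip_address(m["ip"]), m["mac"], m["host"]))
    return sorted(acks, key=lambda a: a[0])


def who_accessed(hits, url, network, start, end):
    """Slide 9: hits for `url` from `network` within [start, end] (all times zone-aware)."""
    net = ip_network(network)
    return [h for h in hits if h[3] == url and h[1] in net and start <= h[0] <= end]


def client_activity(hits, client, start, end):
    """Slide 10: everything one client fetched within [start, end]."""
    ip = ip_address(client)
    return [h for h in hits if h[1] == ip and start <= h[0] <= end]


def host_for_ip(acks, ip, when):
    """Slide 11: the (mac, hostname) holding `ip` at `when`, i.e. the latest DHCPACK for that ip not after `when`.
    None means no lease was seen before `when`: check the CMDB / static assignments instead."""
    ip = ip_address(ip)
    current = None
    for ts, aip, mac, host in acks:       # acks are sorted, so the last match wins
        if aip == ip and ts <= when:
            current = (mac, host)
    return current


def pivot(url, network, start, end):
    """Chain the three questions: who fetched the url -> which host held that ip at that moment."""
    hits, acks = parse_proxy(PROXY_LOG), parse_dhcp(DHCP_LOG)
    return [(ts.isoformat(), str(client), host_for_ip(acks, client, ts))
            for ts, client, _method, _url in who_accessed(hits, url, network, start, end)]


def demo():
    """The request as it arrives: 'between 10:00 and 10:30 CET on 2 March 2021' (local time, with zone)."""
    start = datetime(2021, 3, 2, 10, 0, tzinfo=DHCP_ZONE)
    end = datetime(2021, 3, 2, 10, 30, tzinfo=DHCP_ZONE)
    return pivot("http://update.example.test/stage2.php", "10.20.30.0/24", start, end)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Both hits in the window resolve to WS-ALICE, although the same IP belonged to WS-BOB earlier that morning and to WS-DAVE later; dropping the zone and comparing wall-clock strings would have attributed the 09:17 UTC hit to the wrong machine. Running the same three functions against your own proxy and DHCP logs with your own workstation as the target is exactly the local exercise the slides propose.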
  12. Typical IR tasks
     o Collecting memory
       o physical machine
       o virtual machine
     o Why is this a typical IR task?
       o standard process for a potentially malicious box
     o Do we need a cyber range to practice?
       o NO
       o You can test this on your work machine or on test VMs
  13. Typical IR tasks
     o Did a configuration change occur on network equipment?
       o timestamp / time frame
       o scope of network equipment
     o Why is this a typical IR task?
       o networking gear is a juicy target for attackers
     o Do we need a cyber range to practice?
       o NO
       o You can test this with your networking team
  14. Typical IR tasks
     o Did a new network port come up, or go down and come up again?
       o timestamp / time frame
       o scope of network equipment
     o Why is this a typical IR task?
       o let's assume a physical security breach
     o Do we need a cyber range to practice?
       o NO
       o You can test this with your networking team
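
Slides 13 and 14 both reduce to "search the switch syslog for a device scope and a time window". The script below is an added example, not the talk's tooling, and uses constructed lines in the Cisco IOS message style (%FACILITY-SEVERITY-MNEMONIC: text) as a central collector stores them. Assumptions: the collector stamps lines in CET (+01:00, no DST on the sample date) with no year, the year is 2021, and device names are the syslog hostnames. Ask your networking team for one real day of exported syslog and the exercise is the same.

```python
"""Config changes and port state changes on network gear from syslog (slides 13 and 14). Added example."""
import re
from datetime import datetime, timedelta, timezone

LOG_ZONE = timezone(timedelta(hours=1), "CET")  # assumption: collector's local zone
LOG_YEAR = 2021                                 # assumption: no year in the stamps

# constructed sample: a port flap, a config change with config logging enabled, a lab switch, a late event
SYSLOG = """\
Mar  2 09:02:10 sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to down
Mar  2 09:02:11 sw-floor2 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to down
Mar  2 09:02:40 sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/5, changed state to up
Mar  2 09:02:41 sw-floor2 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/5, changed state to up
Mar  2 09:12:33 sw-core1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)
Mar  2 09:12:35 sw-core1 %PARSER-5-CFGLOG_LOGGEDCMD: User:admin  logged command:monitor session 1 destination interface Gi1/0/48
Mar  2 09:40:00 sw-lab1 %SYS-5-CONFIG_I: Configured from console by netops on vty1 (10.0.0.9)
Mar  2 09:45:12 sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/17, changed state to up
Mar  2 11:05:00 sw-floor2 %LINK-3-UPDOWN: Interface GigabitEthernet1/0/22, changed state to up
"""

LINE_RE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
                     r"%(?P<fac>[A-Z_]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
CONFIG_RE = re.compile(r"Configured from (?P<via>\S+) by (?P<user>\S+)(?: on (?P<line>\S+))?(?: \((?P<src>[^)]+)\))?")
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<cmd>.*)")
LINK_RE = re.compile(r"Interface (?P<iface>\S+), changed state to (?P<state>up|down)")


def parse(text):
    """-> [(utc datetime, host, facility, mnemonic, text)]."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts.replace(tzinfo=LOG_ZONE).astimezone(timezone.utc),
                       m["host"], m["fac"], m["mnem"], m["text"]))
    return events


def in_scope(ev, scope, start, end):
    return ev[1] in scope and start <= ev[0] <= end


def config_changes(events, scope, start, end):
    """Slide 13: who entered config mode on which device, plus the commands where config logging is on."""
    out = []
    for ev in events:
        ts, host, fac, mnem, text = ev
        if not in_scope(ev, scope, start, end):
            continue
        if fac == "SYS" and mnem == "CONFIG_I":
            c = CONFIG_RE.search(text)
            if c:
                out.append((ts.isoformat(), host, c["user"], "config mode entered from " + (c["src"] or c["via"])))
        elif fac == "PARSER" and mnem == "CFGLOG_LOGGEDCMD":
            c = CMD_RE.search(text)
            if c:
                out.append((ts.isoformat(), host, c["user"], c["cmd"].strip()))
    return out


def port_changes(events, scope, start, end):
    """Slide 14: physical link transitions per (device, interface). Only %LINK is counted; %LINEPROTO repeats
    each transition at layer 2 and would double-count. A down followed by up is reported with the gap in
    seconds (cable pulled and re-seated?), an up with no prior down in the window as 'came_up'."""
    seq = {}
    for ev in events:
        ts, host, fac, mnem, text = ev
        if not in_scope(ev, scope, start, end) or fac != "LINK" or mnem != "UPDOWN":
            continue
        l = LINK_RE.search(text)
        if l:
            seq.setdefault((host, l["iface"]), []).append((ts, l["state"]))
    findings = []
    for (host, iface), states in seq.items():
        for i, (ts, state) in enumerate(states):
            if state != "up":
                continue
            if i > 0 and states[i - 1][1] == "down":
                down_ts = states[i - 1][0]
                findings.append((host, iface, "down_then_up", down_ts.isoformat(), ts.isoformat(),
                                 (ts - down_ts).total_seconds()))
            else:
                findings.append((host, iface, "came_up", None, ts.isoformat(), None))
    return findings


def demo():
    """Scope: the two production switches; window 09:00-10:00 CET on 2 March 2021.
    The lab switch and the 11:05 event are deliberately outside scope and window."""
    scope = {"sw-floor2", "sw-core1"}
    start = datetime(2021, 3, 2, 9, 0, tzinfo=LOG_ZONE)
    end = datetime(2021, 3, 2, 10, 0, tzinfo=LOG_ZONE)
    events = parse(SYSLOG)
    return config_changes(events, scope, start, end), port_changes(events, scope, start, end)


if __name__ == "__main__":
    cfg, ports = demo()
    print(*cfg, sep="\n")
    print(*ports, sep="\n")
```

Note what the config-logging line adds: without it you only learn that admin entered config mode from 10.0.0.5; with it you see that a SPAN session was pointed at Gi1/0/48, which is the kind of change an attacker on networking gear would make. If your switches do not emit CFGLOG_LOGGEDCMD today, that missing visibility is one of the findings the local exercise is meant to surface.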
  15. Typical IR tasks
     o Start a pcap collection for a specific network segment
       o target network segment
     o Why is this a typical IR task?
       o usually attackers and their tools talk…
     o Do we need a cyber range to practice?
       o NO
       o You can test this with your networking team
       o important addition: know the impact of the collection on the network, do not fear it.
  16. Typical IR tasks
     o Open an encrypted image for analysis
       o image
       o recovery key or password
     o Why is this a typical IR task?
       o more and more clients are full-disk encrypted (BitLocker etc.)
     o Do we need a cyber range to practice?
       o NO
       o You can test this with your work machine or a test PC
  17. Typical IR tasks
     o Create a triage data collection from a client/server
       o "victim" client/server machine
     o Why is this a typical IR task?
       o simply not possible to analyze 1000 clients
       o "98% of the needed information is in 2% of the data"
     o Do we need a cyber range to practice?
       o NO
       o You can test this with your work machine or a test PC
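
As an added example for slide 17 (not tooling from the talk), here is a minimal triage collector: a short list of high-value artifact paths is copied from a volume root into a zip together with a manifest of sizes, SHA-256 hashes and modification times, and the result is compared against the size of the whole volume. Assumptions: a Windows volume layout under `root`, which is a mounted image (or a live host for files that are not locked; on a running Windows system the registry hives and $MFT are locked and need a raw-access collector rather than plain copies). The fixture is constructed to stand in for such a volume.

```python
"""Triage collection with hashed manifest (slide 17). Added example on a constructed fixture."""
import hashlib
import json
import shutil
import tempfile
import zipfile
from datetime import datetime, timezone
from pathlib import Path

# Relative globs, Windows layout. Extend per environment; keep the list small on purpose.
ARTIFACTS = [
    "$MFT",
    "Windows/System32/config/SYSTEM",
    "Windows/System32/config/SOFTWARE",
    "Windows/System32/winevt/Logs/Security.evtx",
    "Windows/System32/winevt/Logs/System.evtx",
    "Windows/Prefetch/*.pf",
    "Users/*/NTUSER.DAT",
    "Users/*/AppData/Local/Google/Chrome/User Data/Default/History",
    "Users/*/AppData/Roaming/Microsoft/Windows/Recent/*.lnk",
]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def collect(root, out_zip):
    """Copy every artifact present under root into out_zip; return the manifest (path, size, sha256, mtime)."""
    root = Path(root)
    manifest = []
    with zipfile.ZipFile(out_zip, "w", zipfile.ZIP_DEFLATED) as zf:
        for pattern in ARTIFACTS:
            for p in sorted(root.glob(pattern)):
                if not p.is_file():
                    continue
                st = p.stat()
                rel = p.relative_to(root).as_posix()
                zf.write(p, rel)  # keep the original relative path inside the archive
                manifest.append({"path": rel, "size": st.st_size,
                                 "sha256": sha256_of(p),  # proves later that the copy is what was on disk
                                 "mtime_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()})
        zf.writestr("manifest.json", json.dumps(manifest, indent=1))
    return manifest


def total_bytes(root):
    return sum(p.stat().st_size for p in Path(root).rglob("*") if p.is_file())


def build_fixture():
    """Constructed stand-in for a mounted client volume: a few artifacts plus the bulk a triage skips."""
    root = Path(tempfile.mkdtemp(prefix="triage_src_"))
    files = {
        "$MFT": b"FILE0" * 4000,
        "Windows/System32/config/SYSTEM": b"regf" + b"\0" * 60000,
        "Windows/System32/winevt/Logs/Security.evtx": b"ElfFile" + b"\0" * 40000,
        "Windows/Prefetch/CMD.EXE-4A81B364.pf": b"MAM\x04" + b"\0" * 3000,
        "Users/alice/NTUSER.DAT": b"regf" + b"\0" * 20000,
        "Users/alice/AppData/Local/Google/Chrome/User Data/Default/History": b"SQLite format 3\0" + b"\0" * 8000,
        "Windows/System32/kernel32.dll": b"MZ" + b"\0" * 700000,
        "Windows/System32/shell32.dll": b"MZ" + b"\0" * 2000000,
        "Users/alice/Documents/q1_report.docx": b"PK" + b"\0" * 300000,
        "pagefile.sys": b"\0" * 4000000,
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Collect from the fixture and report the 'x% of the data' figure the slide talks about."""
    root = build_fixture()
    out_dir = Path(tempfile.mkdtemp(prefix="triage_out_"))
    out_zip = out_dir / "triage.zip"
    try:
        manifest = collect(root, out_zip)
        collected = sum(m["size"] for m in manifest)
        total = total_bytes(root)
        with zipfile.ZipFile(out_zip) as zf:
            names = zf.namelist()
        return {"files": len(manifest), "paths": [m["path"] for m in manifest],
                "collected_bytes": collected, "total_bytes": total, "ratio": collected / total,
                "zip_has_manifest": "manifest.json" in names}
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(out_dir, ignore_errors=True)


if __name__ == "__main__":
    r = demo()
    print(f"{r['files']} files, {r['collected_bytes']} of {r['total_bytes']} bytes ({r['ratio']:.1%})")
```

On the fixture the collection is about 2% of the volume, which is the order of magnitude the slide quotes. The artifact list is where local practice pays off: running it against your own machine shows at once which paths do not exist in your environment (different browser, different profile layout) and which ones you cannot read without elevated or raw access.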
  18. Focusing on images / collected data
  19. Typical IR tasks
     o Did a user on a client visit a specific URL?
       o triage image, user profile, known bad URL
     o Why is this a typical IR task?
       o possible triage question
       o 2nd stage or C2 is often a list of URLs
     o Do we need a cyber range to practice?
       o NO
       o Test this with your triage (or full) image collected earlier and $random URL
  20. Typical IR tasks
     o Did a user on a client open a specific file?
       o triage image, user profile, file name
     o Why is this a typical IR task?
       o typical triage/analysis question
     o Do we need a cyber range to practice?
       o NO
       o Test this with your triage (or full) image collected earlier and $random file
  21. Typical IR tasks
     o Create a timeline for a client
       o triage image / full image
     o Why is this a typical IR task?
       o typical analysis task
     o Do we need a cyber range to practice?
       o NO
       o Test this with your triage (or full) image collected earlier
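
For slides 19 and 21, an added example (not the talk's tooling) that answers the URL question from a Chromium History database in a collected user profile and then merges visits and downloads into one UTC-sorted timeline. It builds an in-memory SQLite database with a constructed subset of the Chromium History schema (the real urls, visits and downloads tables have more columns). The one fact it relies on is that Chromium stores times as microseconds since 1601-01-01 UTC, the WebKit/Windows epoch, which is the conversion people most often get wrong when they first do this by hand.

```python
"""URL visits and a first timeline from a Chromium History database (slides 19 and 21). Added example."""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# low byte of the transition value = core page-transition type
CORE_TRANSITION = {0: "link", 1: "typed", 2: "auto_bookmark", 3: "auto_subframe", 5: "generated", 7: "form_submit", 8: "reload"}


def webkit_to_utc(us):
    return WEBKIT_EPOCH + timedelta(microseconds=int(us))


def utc_to_webkit(dt):
    return (dt.astimezone(timezone.utc) - WEBKIT_EPOCH) // timedelta(microseconds=1)


# constructed subset of the Chromium History schema
SCHEMA = """
CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER, last_visit_time INTEGER);
CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER, transition INTEGER);
CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER, end_time INTEGER,
                        total_bytes INTEGER, tab_url TEXT);
"""


def build_history():
    """Constructed History database: an intranet visit, a click on a stage-2 URL, the download it triggered."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    t = lambda *ymdhms: utc_to_webkit(datetime(*ymdhms, tzinfo=timezone.utc))
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "http://intranet.example.test/", "Intranet", 2, t(2021, 3, 2, 10, 40)),
        (2, "http://update.example.test/stage2.php", "", 1, t(2021, 3, 2, 10, 15)),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?,?)", [
        (1, 1, t(2021, 3, 2, 9, 58), 0, 1),    # typed
        (2, 2, t(2021, 3, 2, 10, 15), 1, 0),   # link, reached from visit 1
        (3, 1, t(2021, 3, 2, 10, 40), 0, 8),   # reload
    ])
    con.execute("INSERT INTO downloads VALUES (?,?,?,?,?,?)",
                (1, r"C:\Users\alice\Downloads\invoice.pdf.exe", t(2021, 3, 2, 10, 15, 12),
                 t(2021, 3, 2, 10, 15, 14), 9802, "http://update.example.test/stage2.php"))
    return con


def visits_matching(con, needle):
    """Slide 19: visits whose host or URL contains `needle`, with UTC time and transition type
    (a 'typed' visit to a C2 URL means something different from a link click or an automatic subframe)."""
    q = "SELECT v.visit_time, u.url, u.title, v.transition FROM visits v JOIN urls u ON u.id = v.url ORDER BY v.visit_time"
    out = []
    for vt, url, title, trans in con.execute(q):
        if needle in (urlsplit(url).hostname or "") or needle in url:
            out.append((webkit_to_utc(vt).isoformat(), url, title, CORE_TRANSITION.get(trans & 0xFF, str(trans & 0xFF))))
    return out


def timeline(con):
    """Slide 21: one UTC-sorted list across artifact types. Here visits and downloads from the same database;
    file system timestamps, event logs and prefetch would be appended to `events` the same way."""
    events = []
    for vt, url in con.execute("SELECT v.visit_time, u.url FROM visits v JOIN urls u ON u.id = v.url"):
        events.append((webkit_to_utc(vt), "chrome:visit", url))
    for st, en, path, size, tab in con.execute("SELECT start_time, end_time, target_path, total_bytes, tab_url FROM downloads"):
        events.append((webkit_to_utc(st), "chrome:download_start", f"{path} from {tab}"))
        events.append((webkit_to_utc(en), "chrome:download_end", f"{path} ({size} bytes)"))
    events.sort(key=lambda e: e[0])
    return [(ts.isoformat(), kind, detail) for ts, kind, detail in events]


if __name__ == "__main__":
    con = build_history()
    print(*visits_matching(con, "update.example.test"), sep="\n")
    print(*timeline(con), sep="\n")
```

To run this on your own triage image, point `sqlite3.connect` at a copy of the profile's History file (copy it first; the live file is locked and has a write-ahead log) and drop `build_history`. The output then already tells a small story: the stage-2 URL was reached by a link from the intranet page and a file named like a document but ending in .exe arrived twelve seconds later.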
  22. Why practice locally?
     o You will mostly do IR in YOUR environment
       o everything needs to work in your environment
     o Everything that works can be documented in local procedures
     o Everything that did not work can be improved
       o add missing visibility
       o add new processes/procedures (not only in your team)
     o You start to get a better understanding of what is normal in YOUR environment
  23. What is a cyber range good for?
     o Learning new things
       o check before buying whether there is something for you to learn
     o Simulating stress
     o Team building
     o … and of course having fun
  24. Too long … didn't listen
     o You do not need a complex setting to start practicing IR
     o You can start practicing IR tasks tomorrow with your work laptop/PC only
       o no issue with data protection / works council
     o simple and small tasks first
     o You should start to practice IR in your very own environment tomorrow
     o A cyber range exercise is a very useful addition, but not the starting point.
  25. Questions (© REUTERS / Philippe Wojazer)
  26. T-Shirt solution
     o 0xDEAD + 1 (you) = 0xDEAE
     o 0xDEAE = 57006
