Cyber Exercise Playbook

The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation. Approved for Public Release; Distribution Unlimited. 14-3929. This technical data was produced for the U.S. Government under Contract No. W15P7T-13-C-A802, and is subject to the Rights in Technical Data-Noncommercial Items clause at DFARS 252.227-7013 (NOV 1995).
Jason Kick
November 2014
© 2014 The MITRE Corporation. All rights reserved.
MP140714 Wiesbaden, Germany
Approved By
Mr. Charles Best, Project Leader
Date
Abstract

This paper provides an overview of the cyber exercise process, from concept development through planning, execution, and post-exercise reporting. It defines the terminology, objectives, outcomes, exercise styles, threats, and planning cycle of a cyber exercise, and closes with sample products and lessons learned from executing the scenarios outlined during an exercise.
Acknowledgements

Several MITRE staff members contributed to this paper, either by reviewing it or by writing certain sections. Thank you to everyone who took part in ensuring this paper's accuracy and completeness, especially:

• Mr. Nathan Adams
• Mr. Dan Aiello
• Mr. Charles Best
• Mrs. Margaret MacDonald
• Mr. John Modrich
• Mr. Scott Wilson

Several staff of the US Army also reviewed this paper. Thanks are due to:

• Mr. Aaron Smith
• Mr. Dennis Freed
• Mr. Daniel Crandall
Overview

Achieving objectives through the employment of cyberspace capabilities loosely defines cyberspace operations. In essence, any organization that operates in cyberspace conducts cyberspace operations, whether it is a commercial entity, government agency, sovereign nation, or combination of these. However, many organizations never evaluate and exercise their ability to operate while those capabilities are degraded or under attack, and so never learn how well they can defend the organization's cyberspace assets. This playbook:

• Defines terminology based on doctrine and practical implementation
• Defines objectives for exercises
• Outlines threats, ranges, and best practices for operating a Cyber Exercise
• Reports on the effectiveness of cyber injects and scenarios
• Provides the necessary information to execute a cyber exercise, including:
  o Sample scenarios
  o Sample incident response plan
  o Sample observation and incident reporting formats
  o Sample network architecture
  o Tools that could facilitate various scenarios

Terminology

As U.S. dependence on networks has increased, the nation's reliance on jointly defending cyberspace with its partner nations (PNs) has also increased. Many exercise terms are used differently by different organizations and nations; Table 1 defines the terms as they are used in this playbook.
Table 1. Terminology

| Term | Definition |
|---|---|
| After Action Review (AAR) | An analytical review of training events that enables the training audience, through a facilitated professional discussion, to examine what happened, why it happened, and how to improve. |
| Blue Team | The group responsible for defending an enterprise's use of information systems by maintaining its security posture against a group of mock attackers. (Source: CNSSI-4009) In application, this role belongs to the training audience. |
| Cyber Security | The strategy, policy, and standards regarding the security of and operations in cyberspace; encompasses the full range of threat reduction, vulnerability reduction, deterrence, international engagement, incident response, resiliency, and recovery policies and activities, including computer network operations, information assurance, law enforcement, diplomacy, military, and intelligence missions as they relate to the security and stability of the global information and communications infrastructure. (Source: NIST NICE) |
| Cyber Warfare | Very much like kinetic and physical war; however, it takes place over the networks and systems against IT assets and the data contained within them. |
| Cyber Warfare Exercise | An assessment or evaluation of an organization focusing on the Information Assurance program. |
| Deconfliction | The process that takes place between an RT and ECG to determine if malicious activity observed during an exercise originates from the RT (an exercise inject) or from a real-world actor. |
| Event/Inject | A specific activity executed against the training audience to stimulate a response and move the scenario toward the exercise objectives. |
| Exercise | A simulated wartime operation involving planning, preparation, and execution that is carried out for the purpose of training and evaluation. |
| Exercise Control Group (ECG) | Personnel that assist in the management and direction of the exercise. |
| Exercise Scenario | Describes the strategic and operating environment in sufficient scope and detail to allow accomplishment of the exercise objectives; it must be agreed by all planners and participants. |
| Hotwash | A debrief conducted immediately after an exercise or event, while observations are still fresh, to capture what happened and what should change. |
| Incident | A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. (Source: NIST IR 7298) |
| Information Assurance (IA) | Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities. (Source: CNSSI-4009) |
| Master Scenario Event List (MSEL) | A collection of pre-scripted events intended to guide an exercise toward specific outcomes. |
| Penetration Test | A test methodology in which assessors, using all available documentation (e.g., system design, source code, manuals) and working under specific constraints, attempt to circumvent the security features of an information system. (Source: NIST IR 7298) |
| Planners | The group responsible for planning and executing the exercise. |
| Range | Provides a unique testing environment that allows large and small scale networks to be simulated using a mix of real and virtual systems, so that attacks can be executed without affecting operational networks. |
| Red Team (RT) | A group of people authorized and organized to emulate a potential adversary's attack or exploitation capabilities against an enterprise's security posture. (Source: CNSSI-4009) |
| Risk Management | The process of managing risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the nation resulting from the operation or use of an information system. (Source: CNSSI-4009) |
| Rules of Engagement (ROE) | Detailed guidelines and constraints regarding the execution of information security testing, agreed before the test begins. |
| Threats | Any circumstance or event with the potential to adversely impact organizational operations, organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. (Source: CNSSI-4009) |
| Training Audience | An individual, staff element, staff or organization that performs a particular task or set of tasks during the exercise. |
| Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. |
| Vulnerability Assessment | Systematic examination of an information system or product to determine the adequacy of security measures, identify security deficiencies, and provide data from which to predict the effectiveness of proposed security measures. |
| White Team/Observers | The group responsible for refereeing an engagement between a Red Team of mock attackers and a Blue Team of actual defenders of their enterprise's use of information systems. The White Team acts as the judges, enforces the rules of the exercise, observes the exercise, resolves any problems that arise, and ensures that the exercise runs fairly and does not cause operational problems for the defender's mission. |
!ercise "lanning The eations" however, the eation has established eation?s I program. cyber e
Ob#ectives ithout clear ob3ectives, planners cannot design a meaningful eation possesses the capabilities necessary to operate successfully within a hostile cyber environment and defend against cyber threats. #ifferent organi>ations have different guiding principles, tools, tactics, and procedures, which ma=e it important to establish a baseline for each e
&
Table 2. Common Exercise Objectives

| ID | Objective |
|---|---|
| 01 | Determine the effectiveness of the cyber education provided to the training audience prior to the start of the exercise |
| 02 | Assess the effectiveness of the organization's/exercise's cyber security procedures |
| 03 | Assess the ability of the training audience to detect and properly react to hostile activity during the exercise |
| 04 | Assess the organization's capability to determine operational impacts of cyber attacks and implement proper recovery procedures for the exercise |
| 05 | Determine the success of scenario planning and execution |
| 06 | Understand the implications of losing trust in IT systems and capture the work-arounds for such losses |
| 07 | Exercise … |
| 08 | Exercise … |
| 09 | Determine what enhancements or capabilities are needed to protect an information system and provide for operations in a hostile environment |
| 10 | Determine if the injects meet the objectives of the training |
| 11 | Enhance cyber awareness, readiness, and coordination |
| 12 | Develop contingency plans for surviving the loss of some or all IT systems |
Exercise Outcomes

The desired outcomes differ for each exercise and follow from its objectives. Table 3 lists outcomes that cyber exercises commonly pursue, the activity that produces each, and the category of exercise work it belongs to.

Table 3. Desired Cyber Exercise Outcomes

| ID | Outcome | Activity | Category |
|---|---|---|---|
| 01 | Performed cyber awareness training at the appropriate level/language of the training audience | PN end users, system administrators, network administrators, and cyber security administrators will complete cyber awareness training, to include cyber threats, incident response, and responsibilities. | Training |
| 02 | Trained cyber defense personnel to operate network and system security tools | Subject matter experts (SMEs) will train the cyber defense personnel on the network and system security tools used during the exercise. | Training |
| 03 | Ensured the RT applied realistic training scenarios to exercise the training audience | The RT will utilize unclassified tools and techniques that can be shared with PNs, to include social engineering, spear phishing, fake web sites, physical access attempts, and internal network manipulation to stimulate the exercise. | Execution |
| 04 | Ensured the exercise can still meet the PN training objectives if RT actions do not stimulate the training audience | The ECG will be prepared to inject a "paper card" or notification into a cyber scenario in order to stimulate attainment of PN training objectives in the event the RT actions fail to do so. | Execution |
| 05 | Ensured the RT can deconflict questions from the ECG about suspicious activities | In the event a suspicious activity is reported to the ECG, the RT must be able to confirm or deny its involvement within 30 minutes of request from ECG. | Execution |
| 06 | Validated the ability to operate, defend, and restore availability and integrity of the network | The PN communicators can maintain network operation during the course of the exercise and restore services after an inject. | Validation |
| 07 | Validated the cyber defense security procedures (incident response plan) in place for the exercise | The RT stimulates threat scenarios that drive the PN training audience to execute the incident response plan. | Validation |
| 08 | Provided situational awareness to training audience and leadership for the exercise | As the PN training audience detects an event and executes the incident response plan, it reports the incident to leadership and the ECG using the incident response form (see Appendix C: Sample Incident Response Form). | Validation |
| 09 | Exposed the RT activities to the training audience after the exercise | At the conclusion of the exercise, the planners should reveal the RT activities to the cyber training audience to identify the actions executed, what was detected, and what was missed. | Reporting |
| 10 | Identified and reported gaps in capability, manning or training | Exercise observers, the RT, and the ECG document the gaps identified during the exercise in the after action report. | Reporting |
Know the Training Audience

The United States has established, secured, and defended networks for many years, while many other nations may not even operate their own network and instead rely on commercial services such as Yahoo or Google. Some nations have quite advanced cyber security practices, but may take vastly different approaches to the exercise. Planners must therefore learn who the training audience is before designing injects. Table 4 lists common challenges, their impact on the exercise, and how to resolve them.

Table 4. Training Audience Challenges

| Challenge | Impact | Resolution |
|---|---|---|
| Participants have varying levels of training and education about cyber security. | This will create confusion about the goals and activities associated with the cyber scenario. | Ensure that cyber injects match the skills and capacity of the training audience while adequately demonstrating cyberspace threats. |
| Participants have only a minimal understanding of the concepts of defense in depth, internal security, spearphishing, and other malicious activities. | The exercise injects may not be recognized as malicious activity, so the training audience does not respond to them. | Provide a threat briefing to the PNs to increase understanding of spearphishing, malicious logic, attack Tactics, Techniques, and Procedures (TTPs) and defense TTPs. |
| Participants rely too heavily on what a tool "tells" them versus what the data actually means because they lack an understanding of what is taking place on the network. | The training audience may not respond appropriately to the injects due to a lack of awareness and ability to correlate events occurring on a network or system. | Mentor the training audience on understanding how their enterprise works, what alerts mean, and what tools/data are available to determine the actuality of reported events (commercial, military, or other courses that already exist can be used). |
| Awareness and understanding of an enterprise baseline are not common concepts in many organizations. | The lack of understanding will make it almost impossible to distinguish what is normal from what is anomalous during the exercise. | Establish real scenarios that allow the training audience to learn the details of their enterprise. |
| Participants use poor security practices, from weak/default passwords to use of personal computers for the mission. | Poor security practices will allow the RT to succeed in exploiting the network too easily for the exercise to provide useful training. | Establish a baseline for security during exercise planning and enforce it before execution. |
Types of Cyber Exercises

Cyber exercises come in three styles: table top, hybrid, and full live. Organizations may perform the three types of exercises in sequence as they mature. Table 5 summarizes some characteristics of the different exercise styles.

Table 5. Cyber Exercise Styles

| Style | Description | Complexity | Timing | Resources | Matches |
|---|---|---|---|---|---|
| Table Top | Paper-driven exercise with scripted events | This type of exercise is the least complex; complexity grows with the number of organizations involved. | Planning: 1–2 months | Limited resources needed, depending on number of organizations | Organizations new to exercises; organizations focused on organizational IA objectives; organizations that need to validate processes or train personnel in between other exercises |
| Hybrid | Paper injects with some live scenarios facilitated by a RT for realism (probes, scans, e-mail spoofing, etc.) | This type of exercise adds real activity on the network and therefore requires deconfliction. | Planning: 3–6 months | Requires more people and time, real targets for scenarios, deconfliction contacts | Organizations familiar with inter-organization exercises |
| Full Live | Exercise with real and scripted events | This type of exercise is the most complex; real and scripted events run side by side and must be deconflicted. | Planning: 6–12 months; Buildup: 2–3 months; Execution: … | Large number of organizational participants, IT resources, travel budget for meetings, deconfliction contacts | Organizations familiar with exercises and with operational objectives |

Ideally, as an organization matures it will progress through the different exercise styles. This allows organizations to step their way from smaller table top exercises to full live exercises.
Table Top (scripted events)

Table top exercises are discussion-based and driven by scripted events. Organizations use table top exercises to exercise coordination between organizations, partners, or countries; test the readiness of response capabilities; and raise awareness within the IA community.

Table 6. Table Top Exercise Overview

| Goal | Establish a good baseline for future exercises; raise cyber security awareness and skills |
|---|---|
| Objectives | Clear, well defined goals: e.g., determine how cyber security staff interact and respond to an incident; validate procedures; observe and describe the processes used to detect, respond and recover from simulated events |
| Lessons Learned | Focus on what worked well and what requires improvement |
| Future | Future exercises build on the baseline established here |

This type of exercise is usually the first one an organization conducts. The exercise focuses on walking through the roles and procedures of the participating organizations and determining how information would flow in real world events.
Hybrid (scripted injects with real probes/scans)

Table top exercises can be extended with real activity to form a hybrid exercise. A hybrid exercise involves more organizations and may require deconfliction of real events, especially if using an operational network. Coordinating and planning a hybrid exercise takes correspondingly more time.

Table 7. Hybrid Exercise Overview

| Goal | Integrated IA exercise |
|---|---|
| Objectives | Train the organization and IA staff; validate procedures; determine ability to detect, respond, and recover from simulated events. Real probes and scans used to stimulate player action |
| Lessons Learned | Focus on what went well and what needs improvement; evaluate security baseline; raise organizational IA awareness |
| Future | Future exercises move toward full live events |

This type of exercise suits an organization that has already run a table top exercise. The organization should use a mix of fictitious events and real events to facilitate realism in the exercise.
Full Live (real and scripted events)

Full live exercises involve the most organizations and require deconfliction with real-world events, since they will appear similar on a network. This environment stimulates training and assessment of current business processes associated with planning, execution, detection, response, and recovery.

Table 8. Full Live Cyber Exercise Overview

| Goal | Fully integrated cyber exercise |
|---|---|
| Objectives | Train the organization and IA staff; validate procedures via real events and scenarios |
| Lessons Learned | Focus on what went well and what needs improvement; assess capability for detecting, responding to, and recovering from some simulated and realistic events; use real events to facilitate the exercise |
| Future | Future exercises refine the scenarios and expand participation |

The realism of a full live exercise depends on the RT using the methods a real adversary would use, and on the training audience being able to recognize those methods during the exercise, recognize the resulting impacts, and manage them. Additionally, planners must understand the risk to operations if a live network is utilized for the exercise.
Ranges

Many organizations are familiar with the concept of a "range," but associate it with different purposes. A software company's "range" may consist of an integration lab where developers can "play" with the software and test how it functions in different situations. A police squad has a shooting range where officers safely train, maintain, and test proficiency with weapons. Similarly, a cyber range can provide a controlled environment in which organizations can exercise their defenders and tools against realistic attacks, identify where improvements might be needed, or confirm the effectiveness of existing defenses, all without risk to operational networks.
Threats

Threats may occur naturally or result from human actions. A threat requires a motive and attack vector in order to stimulate the training audience during the exercise. Table 9 lists common threats and the methods used to simulate them.

Table 9. Common Threats and Methods

| Threat | Example | Simulation Method |
|---|---|---|
| Natural disaster | Storm causes power failure; earthquake destroys infrastructure | Inject power outage or accident (e.g., …) |
| Ignorant user | User introduces a virus due to poor security practice | Inject internal network scanning, virus alerts, file loss |
| Malicious internal user | Internal user launches a virus to delete organizational data | Inject internal network scanning, virus alerts, file loss |
| Hacker | Script kiddy or sophisticated entity gains unauthorized access to data/systems | Inject external probes and scans, unauthorized access attempts |
Sample Exercise Threats

Table 10 lists a series of malicious activities that an RT could execute during an exercise, together with the objectives (Table 2) and outcomes (Table 3) that each inject supports.

Table 10. Sample Cyber Injects

| ID | Title | Description | Objective¹ | Outcome² |
|---|---|---|---|---|
| I-1 | Network virus | The RT sends the training audience a spearphishing email, supposedly signed by the exercise leadership, carrying a malicious attachment or link that simulates a virus spreading across the network. | 01, 02, 04, 07, 08, 09, 10, 11 | 01, 03, 06, 07, 08, 10 |
| I-2 | Network Denial of Service (DoS) | The RT generates an abnormally high amount of network traffic against the training network in order to simulate reduced network capabilities visible in system performance statistics and volume of log data. Additional notification from the training audience about reduced network capability or inability to access a website should prompt the incident response process and associated troubleshooting. | 01, 02, 03, 04, 06, 07, 08, 09, 10, 11, 12 | 03, 04, 06, 07, 08, 10 |
| I-3 | Unauthorized computer on network | The RT attempts to connect an unauthorized laptop to the training network to see if it is detected. | 01, 02, 04, 07, 08, 09, 10, 11 | 02, 03, 06, 07, 08, 10 |
| I-4 | Malicious external scanning | The RT executes probes and scans against the training network from outside it to see if they are detected and reported. | 01, 02, 03, 04, 06, 07, 08, 09, 10, 11 | 02, 03, 06, 07, 08, 10 |
| I-5 | Malicious internal scanning | The RT connects a device to the training network and scans the exercise network from the inside to see if the activity is detected. | 01, 02, 03, 04, 06, 07, 08, 09, 10, 11 | 02, 03, 06, 07, 08, 10 |
| I-6 | Computer compromise | Members of the RT walk around and exploit unattended or unlocked computers, simulating compromise through physical access. | 01, 02, 04, 07, 08, 09, 10, 12 | 02, 03, 06, 07, 08, 10 |
| I-7 | Frequency phishing via email | The RT sends a spearphishing email to the training audience attempting to elicit sensitive information being used in the exercise (e.g., radio frequencies). | 01, 02, 04, 07, 08, 09, 10, 12 | 01, 03, 05, 06, 07, 08, 10 |

¹ See Table 2.
² See Table 3.
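Injects I-3 and I-5 are only useful if the training audience can actually detect them. The following is an added example, not part of the playbook, of the two checks a Blue Team could run over its own logs: a DHCP lease handed to a MAC address that is not in the asset inventory (I-3), and one internal host touching many distinct destination ports in a short window (I-5). The log formats, hostnames, addresses, inventory and thresholds are assumptions constructed for the example.

```python
"""Detection checks for injects I-3 (unauthorized device) and I-5 (internal
scanning), run over constructed sample log lines. Added example; the log
formats, addresses, hostnames and thresholds are assumptions, not formats
specified by the playbook."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# --- I-3: unauthorized computer on network --------------------------------

# Assumed exercise asset inventory: MAC -> approved hostname (constructed).
ASSET_INVENTORY = {
    "00:11:22:33:44:01": "ecg-ws01",
    "00:11:22:33:44:02": "bt-ws01",
    "00:11:22:33:44:03": "bt-fileserver",
}

# Assumed ISC dhcpd-style syslog lines (constructed). The second lease goes to
# a MAC that is not in the inventory: the RT laptop.
DHCP_LOG = """\
Sep 10 09:01:12 dhcp dhcpd: DHCPACK on 10.0.5.21 to 00:11:22:33:44:02 (bt-ws01) via eth0
Sep 10 09:03:40 dhcp dhcpd: DHCPACK on 10.0.5.77 to de:ad:be:ef:00:01 (kali) via eth0
Sep 10 09:04:02 dhcp dhcpd: DHCPACK on 10.0.5.22 to 00:11:22:33:44:03 (bt-fileserver) via eth0
"""

DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9a-fA-F:]{17})(?: \((?P<host>[^)]*)\))?"
)


def find_unauthorized_devices(log_text, inventory=ASSET_INVENTORY):
    """Return (timestamp, ip, mac, hostname) for every lease to an unknown MAC."""
    hits = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue
        mac = m["mac"].lower()
        if mac not in inventory:
            hits.append((m["ts"], m["ip"], mac, m["host"] or ""))
    return hits


# --- I-5: malicious internal scanning --------------------------------------

# Assumed firewall log lines "<iso-timestamp> <action> <src> <dst> <dport>"
# (constructed). The RT host sweeps 40 ports of the file server in 40 seconds;
# two normal SMB connections from bt-ws01 are interleaved.
FW_LOG = "\n".join(
    [f"2014-09-10T09:05:{i:02d} DENY 10.0.5.77 10.0.5.22 {port}"
     for i, port in enumerate(range(20, 60))]
    + ["2014-09-10T09:05:15 ALLOW 10.0.5.21 10.0.5.22 445",
       "2014-09-10T09:05:30 ALLOW 10.0.5.21 10.0.5.22 139"]
)


def detect_port_scans(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {source_ip: distinct_ports} for every source that touched more
    than `threshold` distinct destination ports within any `window`."""
    events = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in log_text.splitlines():
        ts, _action, src, _dst, dport = line.split()
        events[src].append((datetime.fromisoformat(ts), int(dport)))

    scanners = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        # Sliding time window over this source's events, counting distinct ports.
        for right in range(len(evs)):
            while evs[right][0] - evs[left][0] > window:
                left += 1
            ports = {p for _, p in evs[left:right + 1]}
            if len(ports) > threshold:
                scanners[src] = max(len(ports), scanners.get(src, 0))
    return scanners


if __name__ == "__main__":
    print("unauthorized devices:", find_unauthorized_devices(DHCP_LOG))
    print("internal scanners:", detect_port_scans(FW_LOG))
```

Both checks depend on a known baseline (an asset inventory, a sense of normal port usage), which is exactly the gap Table 4 calls out; without it, the RT laptop and the scan look like any other traffic.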
!ercise "lanning Cycle -ot surprisingly, the e
+ee Table *. +ee Table (.
2
%(
coordinating an eation or multiple !-s. ll organi>ations that will participate in the eation?s role in the e
Concept Development Meeting

Depending on the exercise style and the number of organizations involved in the exercise, planning can take from a few weeks to more than a year; the more organizations, the more time required for planning. The CDM should involve the exercise planners of the lead organization. The senior leaders of the organization must empower these planners to design an exercise that meets the organization's objectives. The CDM should be an internal meeting to discuss ideas, determine objectives, and decide what other organizations, SMEs, or RTs to include in the initial planning meeting. This meeting centers on identifying the objectives, participating organizations or PNs, exercise style, and the resources the exercise will need.

Products of the Concept Development Meeting
• Draft initial exercise scenario
• Selected style (table top, hybrid, full live)
• Defined exercise objectives
• Defined outcomes
• Identification of additional organizations/PNs to participate in the initial planning meeting
• Identification of logistical needs (location, visa, language, lodging, etc.)
• Identification of possible required resources (range, type of networks, systems, etc.)
• Assigned action items, completion dates, and points of contact (POCs)
7nitial "lanning 5eeting The initial planning meeting 5I!M8 should occur * to 1 wee=s after the C#M. This meeting should include all of the internal and eations and or !-s ta=e part in the eations or !-s into the planning process. #uring this %&
meeting the participants must review the eation or !- so that the eations. The planners should avoid significantly modifying the ob3ectives and scenario after this meeting, as these critical documents determine several actions.
ro&ucts of t%e ' •
4inali>ed e
•
#efined e
•
#evelop understanding of the R6E 5produced with RT8
•
#ates for the follow'on planning sessions and e
•
Comprehensive !6C list, including language preference when wor=ing with !-s
•
•
•
•
6rgani>ation/!- planner assigned to oversee the notifications/coordination process with eternal organi>ations/!-s 6rgani>ation/!- planner assigned to begin coordinating the logistics plan 5eation/!- planner assigned to begin coordinating the reFuired resources 5range, type of networ=s, diagrams 5see ppendi< E@ +ample -etwor= rchitecture8, rchitecture 8, systems, etc.8 ssigned action items, completion dates, and !6Cs
5+L "lanning 5eeting Eers may need to hold an M+E; planning meeting between the I!M and the mid'term planning meeting 5M!M8 to clearly define all of the in3ects needed to support the eations or !-s participating in the e
%
ro&ucts of 'SE lannin* 'eetin* •
•
•
#raft of the ee the ob3ectives and the scenario to identify any additional logistical or training reFuirements for e
ro&ucts of t%e '' •
4inali>ed e
•
4inali>ed understanding of the R6E 5produced with RT8 o
•
•
•
•
In a hybrid or full'live style e
#raft eation/!- assigned to plan and develop the training materials needed for the training audience 5operating environment, procedures, policies, eation/!- planner assigned to continue coordinating the resources reFuired at the eation/!- planner assigned to finali>e coordinating the logistics plan 5location, visa, translators, lodging, transportation, physical security, food/water/hygiene aspects of life support, etc.8
•
Criteria for the 6/-6 6 decision on e
•
#ates for the final planning meeting
•
ssigned action items, completion dates, and !6Cs %D
Final "lanning 5eeting The final planning meeting 54!M8 should ta=e place one month prior to the beginning of the eations involved to review previous action items and finali>e any remaining details of the ee all remaining details for the e
ro&ucts of =' •
4inali>ed e
•
4inali>ed R6E signed by appropriate leadership 5networ= owner and RT lead8 o
•
•
In a hybrid or full'live style e
4inali>ed eed training materials needed for the training audience in appropriate languages 5operating environment, procedures, policies, e
•
4inali>ed resource plan so resources arrive at the e
•
6rgani>ation/!- planner assigned to finali>e coordinating the logistics plan
•
Review of any changes that affect the 6/-6 6 decision on e
•
ssigned action items, completion dates, and !6Cs
%0
Exercise Execution

The ECG oversees exercise execution. It releases injects according to the MSEL, receives reports from the training audience and observers, and deconflicts suspicious activity with the RT; Figure 1 shows this flow of information.

Figure 1. Exercise Information Flow

Inevitably, the exercise will not unfold exactly as planned. The ECG must be ready to adjust inject timing, to substitute a paper inject when an RT action fails to produce the intended effect, and to answer deconfliction requests quickly so that exercise activity is not mistaken for a real-world incident.

Observation

Observation during the exercise allows the organization to assess its deficiencies and implement a plan to improve its readiness. Appendix H includes a sample observation format.

Each inject to the exercise should be observed and recorded: what the training audience noticed, when, how it reported and responded, and what the result was. From these records the organization must work to improve its processes. Figure 2 shows the observation cycle.

Figure 2. Exercise Observation Cycle

Observation Scenario

As an example, an observer follows a single inject from its release by the ECG, through detection and reporting by the training audience, to resolution, recording each step and its time on the observation form so that the response can be compared with the expected response recorded in the MSEL.
"ost !ercise iven the significant amount of resources applied toward the eation must collect information from e
%)
RT and observer observation forms completed throughout the course of the eation should consider for the ne
Lessons Learned The EC should document the =nowledge gained from the eation?s I program that can be built upon or improved. Eation?s deficiencies within a controlled environment. 6rgani>ation leadership must then create remediation plans and follow up on deficiencies identified during the e
!ercise "lanning "itfalls #uring the planning and eations also collect lessons learned about the eations must avoid multiple pitfalls during the development of cyber eational e
*2
Eation ta=e place in relation to the cyber scenario of the e
Situation
m#act
Resolution
Cyber scenario ob!ectives not clearly &efine&8
+enior leaders and e
Ensure the cyber e
Rules of en*a*ement not clearly &efine&8
The RT may access/e
Ensure that the scope of systems/targets/methods systems/targets/methods is clearly defined for the RT ahead of the e
Re&uce& awareness &ue to Senior lea&ers not involve& in #lannin*8
;eaders often resist actions that Kmay impact the e
The cyber e
Trainin* au&ience a#at%etic or not res#on&in* to in!ects8
Cyber e
Ensure that the cyber e
Cyber in!ects are not execute& as #lanne&8
Cyber e
Ensure that the in3ects are appropriately spaced out to account for reaction time" in addition, plan multiple methods for e
Trainin* au&ience fi*%ts a*ainst scenario instea& of actin* as a willin* #artici#ant8
Cyber e
The EC must ma=e certain that the scenario is realistic and engaging, engaging, and that the training audience understands that the e
RT inability to &econflict exercise in!ect versus real worl& activity in a timely means8
n entire e
Ensure that the RT trac=s their activities thoroughly and is able to provide deconfliction within (2min of their activities vice other activities that may occur on a real networ=.
*%
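Outcome 05 in Table 3 and the last row of Table 11 both require the RT to confirm or deny its involvement within 30 minutes, and that is only possible if the RT event log records what was done, when, from where, and against what. The following is an added example, not part of the playbook, of the lookup the RT performs when the ECG relays a suspicious-activity report: time overlap (with slack for clock drift) plus matching source and target addresses. The event-log fields, report fields, addresses and sample entries are constructed assumptions; the playbook only requires that the RT track its activities and answer within 30 minutes.

```python
"""Deconfliction of an ECG suspicious-activity report against the Red Team
event log. Added example; the RTEvent and SuspiciousReport fields and the
sample data are assumptions constructed for this example."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RTEvent:
    inject_id: str        # Table 10 / MSEL identifier, e.g. "I-5"
    start: datetime
    end: datetime
    source: str           # RT source address or CIDR block
    targets: str          # target address or CIDR block
    technique: str


@dataclass(frozen=True)
class SuspiciousReport:
    reported_at: datetime  # when the ECG passed the report to the RT
    observed_at: datetime  # when the activity was seen on the network
    source: str
    target: str
    description: str


# Constructed Red Team event log (the kind of record Appendix G holds).
RT_LOG = [
    RTEvent("I-5", datetime(2014, 9, 10, 9, 5), datetime(2014, 9, 10, 9, 20),
            "10.0.5.77", "10.0.5.0/24", "TCP connect scan of exercise subnet"),
    RTEvent("I-2", datetime(2014, 9, 10, 13, 0), datetime(2014, 9, 10, 13, 30),
            "10.0.9.0/24", "10.0.5.80", "traffic flood against web server"),
]

SLA = timedelta(minutes=30)  # Table 3 outcome 05 / Table 11


def _in(addr, spec):
    """True if addr falls inside spec (a single address or a CIDR block)."""
    return ip_address(addr) in ip_network(spec, strict=False)


def deconflict(report, rt_log, slack=timedelta(minutes=5)):
    """Return the RT events that plausibly explain the report: the observation
    falls inside the event window (widened by `slack` for clock drift and
    logging delay) and the source and target addresses match. An empty list
    means the RT did not do it and the ECG must treat the activity as
    possibly real-world."""
    return [
        ev for ev in rt_log
        if ev.start - slack <= report.observed_at <= ev.end + slack
        and _in(report.source, ev.source)
        and _in(report.target, ev.targets)
    ]


def deconfliction_response(report, rt_log, answered_at, sla=SLA):
    """The RT's answer to the ECG, plus whether it met the 30-minute SLA."""
    matches = deconflict(report, rt_log)
    return {
        "verdict": "RT activity" if matches else "not RT: treat as real-world",
        "injects": [m.inject_id for m in matches],
        "on_time": answered_at <= report.reported_at + sla,
    }


# Constructed reports: one caused by inject I-5, one from an outside address
# the RT never used (a candidate real-world incident).
REPORT_SCAN = SuspiciousReport(datetime(2014, 9, 10, 9, 15), datetime(2014, 9, 10, 9, 12),
                               "10.0.5.77", "10.0.5.22", "port sweep against file server")
REPORT_SSH = SuspiciousReport(datetime(2014, 9, 10, 9, 45), datetime(2014, 9, 10, 9, 40),
                              "203.0.113.5", "10.0.5.22", "SSH brute force from Internet")

if __name__ == "__main__":
    print(deconfliction_response(REPORT_SCAN, RT_LOG, datetime(2014, 9, 10, 9, 25)))
    print(deconfliction_response(REPORT_SSH, RT_LOG, datetime(2014, 9, 10, 10, 30)))
```

The second report is the case that matters: an activity the RT cannot claim is handled as a real incident under the exercise incident response plan, and a late answer (after the SLA) is itself a finding for the after action report.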
Exercise Logistical and Technical Considerations

Throughout the course of the exercise, logistical and technical problems will arise. Organizations should consider many of these items in the planning process, taking the location and scope of the exercise into account. Organizations should:

• Establish a primary and secondary communications and logistics plan.
• Ensure safeguards are in place prior to execution:
  o RT deconfliction process is functioning with ECG.
  o Proper coordination/training must be done on handling malware.
• Compensate for issues with proper power (voltage, phase (1, 2, 3), adapters, or cables) and communications capabilities:
  o Leased/local communications are not always available or reliable and cannot be the primary means of communication.
  o Wi-Fi hot spots can be invaluable if service exists.
  o Participants' cell phones may be locked or unable to use the local cell network.
• Ensure consideration of contingencies/failures of equipment. Take all necessary software on CD/USB drive; bandwidth may not be available or sites may be blocked for downloading (see Appendix K: Software Tools). Carry spares of everything, from cable/fiber termination kits, SIM card cutters, repair kits and spare parts to power generation. Plan on taking everything participants may need, because local purchases are expensive or impossible.
Conclusions

An exercise allows an organization to test its "what-if scenarios." From a cyber perspective, it allows safe exploration of how the organization performs when its IT systems are attacked or fail. The exercise should improve, or may reaffirm the adequacy of, existing procedures. It allows the organization to assess its own security posture and the ability of the training audience to defend mission-critical data, and enables the organization to respond more effectively to real-world incidents when (not if) they occur. The training audience, planners, observers, and RT must work together and understand that all parties benefit from the exercise. Exercises do not make the organization look bad; instead, they help to train and equip the organization for dealing with inevitable malicious activities. They allow a friendly force to pose as a threat and report how and what techniques it utilized to attack a security posture. All parties benefit from an exercise.
Appendix A: Sample Master Scenario Event List

The MSEL contains all injects for the exercise, listed by scheduled time with the responsible party, the expected training audience response, and the objectives each inject supports, so that the ECG can run a synchronized exercise. Figure 3 shows a sample MSEL.

Figure 3. Sample Master Scenario Event List
Appendix B: Sample Exercise Incident Response Plan

Exercise Incident Response Plan⁸

As the complexity of exercises and the networks they use grows, organizations must establish procedures for reacting to any incidents affecting their information systems. Table 12 lists the types of incidents, the reporting requirements, and the processes to be utilized during the exercise.

Table 12. Reportable Incidents and Reporting Times

| Category | Reportable Incident/Event | Time to Report |
|---|---|---|
| 1 | Any attacks affecting critical assets; Denial-of-Service attacks that isolate or impede critical service or network performance; Malicious logic (virus) attacks that isolate enclaves; Administrator/root-level access obtained by unauthorized personnel | Within 30 minutes |
| 2 | Significant trends suspected in incidents or events; Indication of multiple suspected systems; Suspected e-mail spoofing; Unauthorized probes or scans of the network | Within 1 hour |
| 3 | Unusual system performance or behavior; Unplanned system crashes, outages, or configuration changes; Suspicious files identified on a server; Missing data, files, or programs; Unexpected activity by privileged users; Malicious logic (virus) | Within 2 hours |

⁸ Incident response plan adapted from the Africa Endeavor 2013 Handbook.

Reporting Procedures

The exercise participant who detects an incident reports it to the security representative, who records it using the incident reporting form. As incidents are resolved, the security representatives should update the report and master station log appropriately. The security representatives should review events, perform analysis, develop responses, and provide reporting for the event to the ECG.

Incident Response Process

1. Upon detection the user will disconnect the computer from the network.
2. The user will contact his/her security representative.
3. The security representative will complete the Incident Response form with the user and provide it to the cyber security team with a copy to the leader of the exercise.
4. The cyber security team will review the report and decide how to proceed, authorizing the security representative to proceed.
5. The security representative may remove the threat once approved by the cyber security team.
6. The security representative will finalize reporting in coordination with the cyber security team.
Appendix C: Sample Incident Response Form
(Incident response form adapted from the Africa Endeavor 2013 Handbook.)

EXERCISE ____ INCIDENT REPORT FORM
1. Date/Time
2. Name/Organization
3. Contact Information
4. Location of system
5. Type of Incident (Denial of service, Virus, Unauthori[...])
6. System(s) involved
7. How incident was detected
8. Additional Details
Appendix D: Sample Exercise Roles and Responsibilities
(Roles and responsibilities adapted from the Africa Endeavor 2013 Handbook.)

Training Audience User Role Responsibilities
• Do not use a computer to harm other people or their work.
• Do not use or copy software that is not approved for the exercise.
• Do not steal other people's intellectual property.
• Do not use a computer to pose as another person.
• Do not use other people's computer resources without approval.
• Do not send sensitive information over data (email, SMS) or by voice (phone/radio) unless it is secured.
• Do not use media received from unknown sources.
  o All media will be scanned for viruses on a stand-alone system prior to usage.
  o Every USB drive must be checked by the cyber security team.
  o CDs will be used only by the cyber security team.
• Choose a password that is 12 or more characters in length.
  o Your password should be a mix [...]
  o [...]
  o Use alphanumeric combinations or phrase associations to create passwords that are easy for you to remember and hard for others to guess.
  o Avoid using words or phrases that can be found in a dictionary in any language.
  o Do not use personal information such as the names or birthdays of family members, pets, colors, sports teams, or places when creating your password.
  o Once you have created your password, memorize it and do not write it down or share it with others.
  o Change your password on a regular basis.
• Users who discover information security incidents will report them, using the form specified below, to their designated security representative.
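The password rules above translate directly into a check a security representative can run before an exercise account is issued. The following Python is an added example written for this page, not code from the playbook or the Africa Endeavor handbook. The "three of four character classes" interpretation of "a mix", the short word list, and the personal-information terms passed by the caller are all assumptions, since the handbook's exact mix requirement did not survive on the page.

```python
"""Check a candidate password against the exercise user-role password rules."""

MIN_LENGTH = 12  # "12 or more characters in length"

# Constructed stand-in for a real dictionary; a deployment would load word
# lists for every language the training audience uses.
WORDLIST = {"password", "welcome", "summer", "exercise", "water", "report", "soldier"}


def char_classes(pw):
    """Which of the four character classes the password uses."""
    return {
        "lower": any(c.islower() for c in pw),
        "upper": any(c.isupper() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "symbol": any(not c.isalnum() and not c.isspace() for c in pw),
    }


def check_password(pw, personal_terms=(), wordlist=WORDLIST):
    """Return a list of rule violations; an empty list means the password is acceptable.

    personal_terms: names, birthdays, pets, teams, places supplied by the user;
    the rules forbid these, so the checker has to be told what they are.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Assumed reading of "a mix": at least three of the four classes.
    if sum(char_classes(pw).values()) < 3:
        problems.append("needs a mix of at least three of: lower, upper, digit, symbol")
    lowered = pw.lower()
    # Dictionary words "in any language": case-insensitive substring match.
    for word in sorted(wordlist):
        if len(word) >= 4 and word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    # Personal information supplied by the caller (names, dates, pets, ...).
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information '{term}'")
    return problems


def is_acceptable(pw, personal_terms=()):
    """True when no rule is violated."""
    return not check_password(pw, personal_terms)


if __name__ == "__main__":
    for candidate in ("Summer2014!", "Tr0ub4dor&3xR9pL", "Fluffy-Rex-19770421"):
        print(candidate, check_password(candidate, personal_terms=("Rex", "19770421")))
```

One caveat the list itself glosses over: a substring dictionary test also rejects the "phrase association" passwords the same list recommends, because any phrase is built from dictionary words. If the team wants passphrases, restrict the dictionary test to passwords that are a single word, or test only against a short list of the most common passwords.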
Training Audience System Administrator Role Responsibilities
In addition to the user responsibilities, an administrator must also ensure that all reporting and remediation are completed in accordance with the incident response policy.
  o If you think that you have encountered malware, a phishing email, or anything else out of the ordinary on your information system, contact the technical or security representative. Complete the Incident Response Form promptly and accurately.
  o If the incident cannot be confirmed, a cyber security team member will be dispatched to the location of the device to confirm the incident and fix the issue if possible. A security officer will compile reports and determine if the incident requires reporting to the EXC.
• Update firewalls, IDS, anti-virus software, and other services as required.
Appendix E: Sample Network Architecture
(Network architecture adapted from the Africa Endeavor 2013 Handbook.)

E[...]ed point with firewall, IDS, and proxy [...]

Figure 3. Sample Network Architecture
Appendix F: Sample Red Team Exercise Data
Various types of information are critical to collect during the exercise [...]

Email Address List
e[...]

IP addresses for Exercise
172.16.11.66 - Network gateway IP
172.16.11.7 - Malicious laptop for RT
192.168.1.24 - Internal firewall

Logs from web server
Access logs:
172.16.11.70 - - [13/Aug/2013:10:57:29 +0200] "GET / HTTP/1.1" 304 -
172.16.11.70 - - [13/Aug/2013:11:06:3? +0200] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
172.16.11.70 - - [13/Aug/2013:12:19:0? +0200] "GET / HTTP/1.0" 200 109 "-" "-"
172.16.11.70 - - [13/Aug/2013:13:00:3? +0200] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)"
172.16.11.70 - - [13/Aug/2013:13:08:24 +0200] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 [...]"

Logs accessing the contaminated IP
[...] HTTP/1.1" 200 184 "http://172.16.11.7/water_report.html" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
172.16.11.70 - - [13/Aug/2013:14:3?:28 +0200] "GET /reports/water_report.zip HTTP/1.1" 304 - "http://172.16.11.7/water_report.html" "Mozilla/5.0 (compatible; MSIE [...]"
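The two log excerpts above are what an observer or the cyber security team has to work with to confirm that the training audience actually fetched the simulated virus: a request for the payload path, referred from the red team's lure page, coming from the target IP. The following Python is an added example for this page, not code from the playbook or the RT; it parses combined-format access logs and flags that chain. The sample log is constructed in the shape of the excerpt above, with the seconds and referer fields that did not survive extraction filled in with made-up values, and the red team host and payload path are taken from the IP list and log excerpt.

```python
"""Pick the spearphishing download chain out of combined-format access logs."""
import re
from datetime import datetime

# Red team infrastructure as listed in the exercise data above.
RT_HOSTS = {"172.16.11.7"}
PAYLOAD_PATHS = {"/reports/water_report.zip"}

# Apache/nginx "combined" format: client ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample modelled on the page's excerpt (digits lost in extraction are invented).
SAMPLE_LOG = """\
172.16.11.70 - - [13/Aug/2013:10:57:29 +0200] "GET / HTTP/1.1" 304 - "-" "-"
172.16.11.70 - - [13/Aug/2013:11:06:35 +0200] "GET / HTTP/1.1" 304 - "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"
172.16.11.70 - - [13/Aug/2013:14:35:28 +0200] "GET /reports/water_report.zip HTTP/1.1" 200 184 "http://172.16.11.7/water_report.html" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
172.16.11.70 - - [13/Aug/2013:14:36:02 +0200] "GET /reports/water_report.zip HTTP/1.1" 304 - "http://172.16.11.7/water_report.html" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)"
172.16.11.80 - - [13/Aug/2013:14:40:11 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
this line is not a log record
"""


def parse_line(line):
    """Parse one combined-format record into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def referer_host(referer):
    """Host part of a referer URL; "-" or anything malformed gives an empty string."""
    m = re.match(r"https?://([^/:]+)", referer)
    return m.group(1) if m else ""


def flag_hits(log_text):
    """Records that request the payload or arrive via a red team lure page.

    A 304 for the payload is kept on purpose: a conditional re-fetch means the
    client already holds a copy, which is the second "Eicar download" in the RT log.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["path"] in PAYLOAD_PATHS:
            reasons.append("payload request")
        if referer_host(rec["referer"]) in RT_HOSTS:
            reasons.append("referred by red team host")
        if reasons:
            rec["reasons"] = reasons
            hits.append(rec)
    return hits


def first_contact(hits):
    """Earliest payload request per client: the time an observer writes beside the RT event."""
    first = {}
    for rec in hits:
        if "payload request" in rec["reasons"]:
            c = rec["client"]
            if c not in first or rec["time"] < first[c]:
                first[c] = rec["time"]
    return first


if __name__ == "__main__":
    hits = flag_hits(SAMPLE_LOG)
    for h in hits:
        print(h["time"].isoformat(), h["client"], h["status"], h["path"], ", ".join(h["reasons"]))
    print(first_contact(hits))
```

Run it over the proxy or web server logs once the RT reports an "Eicar download"; the first_contact time is the value to record beside the RT event in the event log, and the gap between it and the first master station log entry is what the incident response process is measured on.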
Initial Spearphishing email: Site Introduction Email (non-malicious)
CON: Please take a moment to review the news reporting from the “E[...] un moment pour e[...]
Cheers/Merci
CDR
EXERCISE EXERCISE EXERCISE

Water contamination report spearphishing (malicious link to website)
CON: Please take a moment to review the water contamination report due to the situation. S'il vous plaît prenez un moment pour e[...]
Cheers/Merci
Commander
EXERCISE EXERCISE EXERCISE
Appendix G: Sample Red Team Event Log
Tables 13 and 14 outline sample reporting of the activities conducted by the RT during the course of the exercise [...]

Table 13. Sample Red Team Event Log, Day [...]

Time | Activity | Notes | Comments
[...] | Began exercise [...] | Source IP 172.16.11.7, Target IP 172.16.11.70; SMTP is open on the firewall |
[...] | Introductory spearphishing email | Email from fake email address e[...] | Non-malicious email; builds trust
[...] | Physical security checks | Walk around e[...] | Computer screens not locked when unattended; server room not secured
[...] | Email response received | Training audience confirmed email receipt | Valid address and relationship
[...] | Malicious spearphishing email | Email from e[...] |
[...] | Email response | Training audience responds to email notice and viewing information |
[...] | Eicar download | Apache logs show that the training audience downloaded the simulated virus. |
[...] | Email response | Training audience responds about the spearphishing email on water contamination containing a virus |
[...] | Eicar download | Apache logs show that the training audience downloaded the simulated virus. |
[...] | Check web server logs | | This is good, but the incident response process was not e[...]

Table 14. Sample Red Team Event Log, Day [...]

Time | Activity | Notes | Comments
[...] | E[...] | Email from e[...] |
[...] | DOS attack | Began DOS attack by reducing network port to 10MB and e[...] | Performed mentoring with training audience to identify and outline attack and response options
[...] | Ended DOS attack | Per cyber lead | Activity was identified by training audience
[...] | Radio frequency phishing via email | Email from e[...] | This was after the training audience was educated about the possible spearphishing taking place
[...] | Unauthorized device on network | A laptop was successfully added to a Unit network without question from the training audience | Can use this later for internal scanning
[...] | Internal network scanning started | Internal network scanning; not detected in the firewall |
[...] | Email response | Unit A replies that they received the email, but does not provide frequencies | This was after the training audience was educated about the possible spearphishing taking place
[...] | Email response | Unit C replies with radio frequencies | Force radio frequency change due to compromise
Appendix H: Sample Inject Observation Form
(Inject observer form adapted from the Africa Endeavor 2013 Handbook.)

This appendix shows a sample observation form outlining the important types of information to collect for each event/inject e[...] during the exercise [...]

INJECT OBSERVER FORM
CONTROL AND OBSERVER EYES ONLY
Inject Number: IA-2   Inject Title: NETWORK VIRUS
Observer Name: Jane Doe
Inject Date: 25JUN2014   START TIME (Local): __________   COMPLETE TIME (Local): __________
Inject Delivered Via: CARD or ELECTRONIC
Target Group/Unit/Position: Unit A
Inject description, ASSUMPTIONS and references: Your antivirus SW has just alerted a virus. Take appropriate actions in accordance with standard policies and procedures. Notify the Exercise Observer when you have completed all required actions.
Assumptions: Simulated virus triggers user antivirus software on device.
References: (Source or document that states required actions) Cyber Ops & IA; Cyber Incident Management Guide (page 27-28)
Expectation: "(e) Each virus incident must be reported as soon as possible to Cyber Security Team. The Cyber Security Team will then issue a virus warning to the other units the unit's appointed senior communications officers if necessary."
Assessment of training audience response (CIRCLE ONE): COMPLETED (3)   PART COMPLETE (2)   INCOMPLETE (1)   N/A (Explain Below): ____
Was event documented in Master station log? Yes / No
Was incident response form completed? Yes / No
Observation and notes:
Appendix I: Sample Master Station Log
(Master station log adapted from the Africa Endeavor 2013 Handbook.)

The training audience uses the master station log (MSL) to track all of the events reported during the exercise [...]

MASTER STATION LOG
Date/Time | Exercise Impact Yes/No | Description of Event | Action Taken | Initials
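The observer form in Appendix H is scored from three artifacts: the master station log above, the incident response form in Appendix C, and the reporting deadlines in Table 12. The following Python is an added example for this page, not code from the playbook or the handbook; it joins the three the way an observer does by hand and fills in the assessment block of the form. It assumes that the observer has tagged each MSL entry and form with the inject it corresponds to (the forms themselves carry no inject field), and the keyword-to-category mapping is an assumption built from the wording of Table 12, standing in for an explicit inject-to-category table a real exercise would publish in the MSEL. The injects, MSL entries, and forms are constructed sample data.

```python
"""Score an inject response from the master station log and incident report forms."""
from datetime import datetime, timedelta

# Table 12 reporting deadlines, keyed by incident category.
DEADLINE = {1: timedelta(minutes=30), 2: timedelta(hours=1), 3: timedelta(hours=2)}

# Assumed keyword triggers per category, checked most severe first.
CATEGORY_KEYWORDS = {
    1: ("critical asset", "denial-of-service", "dos attack", "root-level", "administrator", "enclave"),
    2: ("trend", "multiple", "spoof", "probe", "scan"),
    3: ("unusual", "crash", "outage", "configuration", "suspicious file",
        "missing", "privileged", "virus", "malicious logic"),
}


def ts(s):
    """Parse the form's date style, e.g. "25JUN2014 09:00"."""
    return datetime.strptime(s, "%d%b%Y %H:%M")


def categorize(description):
    """Map an inject description to a Table 12 category (1 is most severe)."""
    text = description.lower()
    for cat in (1, 2, 3):
        if any(k in text for k in CATEGORY_KEYWORDS[cat]):
            return cat
    return 3  # anything else is still reportable within 2 hours under the plan


def assess_inject(inject, msl_entries, forms):
    """Fill the assessment block of the inject observer form for one inject."""
    cat = categorize(inject["description"])
    deadline = inject["start"] + DEADLINE[cat]
    logged = [e for e in msl_entries if e["inject"] == inject["id"]]
    form = next((f for f in forms if f["inject"] == inject["id"]), None)
    in_msl = bool(logged)
    form_done = form is not None
    # Earliest written record of the report, from either artifact.
    times = [e["time"] for e in logged] + ([form["submitted"]] if form else [])
    reported_at = min(times, default=None)
    on_time = reported_at is not None and reported_at <= deadline
    if in_msl and form_done and on_time:
        score = 3  # COMPLETED
    elif in_msl or form_done:
        score = 2  # PART COMPLETE
    else:
        score = 1  # INCOMPLETE
    return {"inject": inject["id"], "category": cat, "deadline": deadline,
            "in_msl": in_msl, "form_completed": form_done,
            "reported_at": reported_at, "on_time": on_time, "score": score}


# Constructed sample data (not from the exercise).
INJECTS = [
    {"id": "IA-2", "title": "NETWORK VIRUS",
     "description": "Antivirus alerted a virus on a user workstation", "start": ts("25JUN2014 09:00")},
    {"id": "IA-3", "title": "DOS",
     "description": "Denial-of-Service attack impeding critical network service", "start": ts("25JUN2014 10:00")},
    {"id": "IA-4", "title": "SCAN",
     "description": "Unauthorized probes or scans of the network", "start": ts("25JUN2014 11:00")},
]
MSL = [  # master station log rows, tagged with the inject by the observer
    {"time": ts("25JUN2014 09:20"), "inject": "IA-2", "impact": "Yes",
     "event": "Virus alert on Unit A workstation", "action": "Disconnected; security rep notified", "initials": "JD"},
    {"time": ts("25JUN2014 10:50"), "inject": "IA-3", "impact": "Yes",
     "event": "Network slow, suspected DOS", "action": "Cyber security team informed", "initials": "JD"},
]
FORMS = [{"inject": "IA-2", "submitted": ts("25JUN2014 09:45"), "type": "Virus"}]


def assess_all(injects=INJECTS, msl=MSL, forms=FORMS):
    """Assessment per inject ID."""
    return {r["inject"]: r for r in (assess_inject(i, msl, forms) for i in injects)}


if __name__ == "__main__":
    for r in assess_all().values():
        print(r["inject"], "category", r["category"], "score", r["score"], "on time" if r["on_time"] else "late/none")
```

In the sample, the virus inject is logged, reported on a form, and well inside its two-hour window, so it scores COMPLETED; the DOS inject reaches the MSL but 20 minutes past its 30-minute deadline and never gets a form, so it scores PART COMPLETE; the scan inject leaves no trace and scores INCOMPLETE, which is the "not detected in the firewall" outcome recorded in the Day 2 red team log.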
Appendix J: Sample After Action Report
This AAR concludes the C[...] E[...]ing for future e[...]

Sustain:
(1) Issue: Cyber response and threat training.
    Discussion: The Cyber Security team conducted thorough and accurate threat information about e[...]
(2) Issue:
    Discussion:
    Recommendation:

Improve:
(1) Issue: Realism of the spearphishing attempts.
    Discussion: The spearphishing emails that were attempted during the e[...]ing information from the e[...]
Appendix K: Software Tools
Multiple well-known and tested freeware and open-source scanning tools are available to conduct cyber aspects of an exercise [...] Organizations can ensure the safety of open-source and freeware tools by downloading these tools from known sources, observing their functions in laboratory conditions, or comparing published signatures to the computed hash code of each tool. The items mentioned below do not represent an e[...]

Mozilla (http://www.mozilla.org) – freeware Web browsers used to manually browse and inspect the Web application and associated forms. The Mozilla cookie manager is especially useful in viewing the values of cookies to ensure that they were randomly generated from one session to the ne[...]ens of other characteristics.

Nikto (http://www.cirt.net/code/nikto.shtml) – a free open-source, command-line Web server scanner which is used to perform comprehensive tests against Web servers for multiple items, including over 3100 potentially dangerous files, Common Gateway Interfaces (CGIs), versions on over 625 servers, and version-specific problems on over 230 servers. Nikto is not designed as an overly stealthy tool and will test a Web server in the shortest time span possible. The Nikto scan is an aggressive scan, and the developers of this scanning tool warn users that the Nikto scan can crash unpatched or misconfigured servers.

OpenSSL (http://www.openssl.org/) – an open source library that provides cryptographic functionality to applications such as secure Web servers.

OpenVAS (https://www.openvas.org/) – an open source vulnerability scanner and management framework.

Burp (http://portswigger.net/burp) – a local web proxy [...]

Wireshark (http://www.wireshark.org/) – [...] It has a rich and powerful feature set, and runs on most computing platforms including Windows.

Zentyal (http://www.zentyal.org/) – an Ubuntu Linux-based server that offers a drop-in Linux replacement for Microsoft Small Business Server® and Microsoft E[...]
Appendix L: References
Papers
CJCSM 3500.03D, Joint Training Manual for the Armed Forces of the United States, 15 August 2012
CJCSI 6510.01F, Information Assurance (IA) and Support to Computer Network Defense (CND), 10 October 2013
CNSSI No. 4009, National Information Assurance Glossary, 26 April 2010
DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014
JP 3-0, Joint Operations, 11 August 2011
JP 6-0, Joint Communications System, 10 June 2010
NIST SP 800-53, SP 800-61, SP 800-84
NISTIR 7298, Glossary of Key Information Security Terms, May 2013
NIST National Initiative for Cybersecurity Education, September 2012
Africa Endeavor 2013 C4I Handbook

Web Resources
http://www.afcea.org/signal/articles/anmviewer.asp?a=42&z=17
http://blackhat.com/presentations/bh-federal-03/bh-fed-03-dodge.pdf
http://www.dtic.mil/doctrine/training/cjcsm3500_03d.pdf
http://technet.microsoft.com/en-us/library/cc723507.aspx
http://cwe.mitre.org/data/index.html#release_notes
http://www.mitre.org/sites/default/files/pdf/0_113.pdf
http://www.ncix.gov/publications/policy/docs/CNSSI_4009.pdf
http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf
http://idart.sandia.gov/index.html
http://www.sans.org/critical-security-controls
http://stormsecurity.files.wordpress.com/2010/01/guide-for-designing-cyber-security-e[...]
Appendix M: Acronyms
AAR – After Action Review
CDM – Concept Development Meeting
CJCSI – Chairman of the Joint Chiefs of Staff Instruction
CJCSM – Chairman of the Joint Chiefs of Staff Manual
CNSSI – Committee on National Security Systems Instruction
EXC – E[...]
DOS – Denial of Service
FPM – [...]
IA – Information Assurance
IPM – [...]
MPM – [...]
MSEL – Master Scenario Event List
NISTIR – [...]
PPOC – [...]
ROE – [...]
RT – Red Team
SME – [...]
TOO – [...]