Teams will investigate the incident using classic forensics and threat hunting techniques.
Based on the information gathered, participants will compose a dossier that would help law enforcement agencies to locate the criminals.
Develop skills in incident investigation using the scenario, where cybercriminals gained access to a privileged account through a successful phishing attack.
This scenario involves the investigation of two otherwise identical incidents that differ in their indicators of compromise and in the data available for analysis.
One of the perimeter defence solutions detected a request to the command and control centre associated with the APT group. The information about the group was obtained through the threat data exchange platform.
Blue Team will receive data from a compromised host (memory dump, event logs, Windows registry hives export, etc.). Participants will have two ways of getting this information:
- downloaded in advance using the link in participant’s account (the password for the encrypted archive will be issued at the start of the event);
- using virtual machines in the training infrastructure with loaded data and pre-installed tools for analysis.
An identical incident (but with altered indicators of compromise) occurred in an organisation which has EDR agents pre-installed on its endpoints. These agents continuously collect telemetry from the hosts and send it to the Threat Hunting platform. Inside the platform, the collected telemetry is analysed with the use of detection rules, which reveal potentially anomalous activity. The platform also has a convenient interface for searching historical data.
Blue Team will have access to an individual installation of such a platform, filled with events from the compromised infrastructure hosts.
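To make the "detection rules over EDR telemetry" step concrete, here is an added example (not part of the scenario materials or of any real platform) of a minimal rule engine run over a handful of constructed telemetry events shaped like the scenario: an Office application spawning a script interpreter after a phishing attachment, followed by an outbound connection to a C2 indicator. The event fields, rule names, host name and IoC values are all assumptions made for illustration.

```python
"""Toy detection-rule engine over EDR-style endpoint telemetry.

Added example, not the training scenario's own code. Event schema, rule names
and indicator values are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed indicators, standing in for data received from a threat data
# exchange platform. Placeholder values, not real infrastructure.
C2_DOMAINS = {"update-check.example.invalid"}
C2_IPS = {"203.0.113.45"}

# Constructed telemetry in a simplified EDR-agent shape (one dict per event).
TELEMETRY = [
    {"ts": "2024-01-10T09:01:12Z", "host": "WS-017", "type": "process", "user": "j.doe",
     "image": "C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE", "parent": "explorer.exe",
     "cmdline": "OUTLOOK.EXE"},
    {"ts": "2024-01-10T09:03:40Z", "host": "WS-017", "type": "process", "user": "j.doe",
     "image": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE", "parent": "OUTLOOK.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "2024-01-10T09:03:52Z", "host": "WS-017", "type": "process", "user": "j.doe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "parent": "WINWORD.EXE", "cmdline": "powershell.exe -w hidden <constructed>"},
    {"ts": "2024-01-10T09:04:01Z", "host": "WS-017", "type": "network", "user": "j.doe",
     "image": "powershell.exe", "dst_ip": "203.0.113.45",
     "dst_host": "update-check.example.invalid", "dst_port": 443},
    {"ts": "2024-01-10T09:05:30Z", "host": "WS-017", "type": "network", "user": "j.doe",
     "image": "chrome.exe", "dst_ip": "198.51.100.7",
     "dst_host": "intranet.corp.example", "dst_port": 443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


@dataclass
class Rule:
    name: str
    description: str
    match: Callable[[dict], bool]


# Two hypothetical detection rules matching the scenario's phishing-to-C2 chain.
RULES = [
    Rule("office_spawns_script_host",
         "Office application launched a script interpreter (phishing attachment chain)",
         lambda e: e["type"] == "process"
         and _basename(e["parent"]) in OFFICE_APPS
         and _basename(e["image"]) in SCRIPT_HOSTS),
    Rule("c2_ioc_connection",
         "Outbound connection to a known command and control indicator",
         lambda e: e["type"] == "network"
         and (e.get("dst_ip") in C2_IPS or e.get("dst_host") in C2_DOMAINS)),
]


def run_rules(events: Iterable[dict], rules=RULES) -> list:
    """Apply every rule to every event; return one alert per (rule, event) hit."""
    alerts = []
    for e in events:
        for r in rules:
            if r.match(e):
                alerts.append({"rule": r.name, "ts": e["ts"], "host": e["host"], "event": e})
    return alerts


def search(events: Iterable[dict], **criteria) -> list:
    """Historical search: events whose fields equal all of the given criteria."""
    return [e for e in events if all(e.get(k) == v for k, v in criteria.items())]


def process_chain(events: Iterable[dict], host: str, image: str) -> list:
    """Hunting pivot: walk parent images upward from a process on one host."""
    events = list(events)
    chain, seen, current = [], set(), image.lower()
    while current and current not in seen:
        seen.add(current)
        chain.append(current)
        procs = [e for e in events if e["type"] == "process"
                 and e["host"] == host and _basename(e["image"]) == current]
        if not procs:
            break                      # parent was never reported as a process event
        current = _basename(procs[-1]["parent"])
    return chain


if __name__ == "__main__":
    for a in run_rules(TELEMETRY):
        print(a["ts"], a["host"], a["rule"])
    print(process_chain(TELEMETRY, "WS-017", "powershell.exe"))
```

Running the block produces two alerts (the Office-to-PowerShell launch and the connection to the listed C2 address) and, pivoting from the PowerShell process, the chain powershell.exe → winword.exe → outlook.exe → explorer.exe, which is the kind of reconstruction the second round asks participants to perform from the platform's rule hits and historical search.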
Blue Team actions
In both cases, Blue Team will have to solve a number of tasks, analysing the data provided, but the analysis methods will differ.
First round. Blue Team will investigate the incident using the methods and tools of classical computer forensics.
Second round. Blue Team will investigate the incident using the Threat Hunting approach: the initial step will be to analyse the functions of several detection rules.
At the end of each investigation, participants will practice compiling dossiers with information about the incident for law enforcement agencies.