By Adrian | February 9, 2019
This week I had an amazing opportunity to participate in a weeks worth of Cyber Defensive training at Cybergym. Cybergym is an Israeli based IT security company who provide organisations with the training, knowledge and tools to better defend their systems. They provided a tailored training solution with case studies, technical know how, hands on experience through live malware labs.
Most importantly, we were able to spend 2 days in their “Cyber Arena” where we were able to apply the new found skills that we had learnt in a full on, real-time simulated environment where our network was attacked by Cybergym hackers brought in from Israel.
Over the course of the first 3 days we learnt
- The role of the First Responders
- Learning about the mindset of a hacker
- Learning the stages of an APT hack
- Using Wireshark to analyse packet captures
- Basic forensics using tools in the sysmon suite
- Determining how a particular system was compromised, and the relevant indicators of that compromise and cleaning that up
- The Lockheed Martin Cyber Kill Chain and its application in numerous case studies
- Plenty of discussions about security controls, data classification, assets and how critical user awareness training really is
The 4th day saw us perform our first “live fire” exercise in the Arena where machines were compromised and we had to discover more information about what had happened. This day was a stop and go sort of day where we would discover the attack and try to figure out what happened, why it happened, what the motive of the attacker was and what controls we could put against each phase of the APT. The times we were off track we stopped and re-evaluated where we were which helped us focus as a team. Not going to lie, at first it was difficult in that we had been thrust into this environment we had little knowledge of with people who we had worked with before, but not directly like this. There were technologies that we had not used ourselves before so we had to learn them very quickly.
The days scenario involved a number of exploits against our public facing assets, website defacements, drive by downloads, privilege escalation, a worm, command and control servers and ultimately….. being ransomwared. But the point of the exercise was to see how we would detect and respond and all things considered, I think we did quite well.
The final day we participated in 2 more APT scenarios, one simulating a cleaner who was paid off and inserted an infected USB device (literally, the trainer infiltrated the room and carried this out, and he went unquestioned) and the other scenario of a compromised email server that sent a dodgy attachment in an email to the manager. Both of these scenarios saw the attackers carry out their mission quite quickly.
Given that this was considered an introduction / basic level course, many lessons were taken away and a great deal was learnt.
Overall, we all learnt a lot to take back to our workplaces. The trainers were very knowledgeable in the subject matter, the content is full on, and the last 2 days gave me that adrenaline rush mixed with a bit of stress. I hope that I am able to attend Cybergym again.