Insight into Military Cyber Exercises: Roles, Teams, and Setup

1. Cyber Exercises: A Military Perspective

2. Disclaimer
  The views expressed are my own and do not reflect the official policy or position of US European Command, Department of Defense, or the U.S. Government.

3. About Me
  USC, M.Eng. Computer Science & Engineering
  Fulbright Scholar
  Major, US Army Reserves
  15 years in military Cyber organizations
  Cyber Exercises Planner, US European Command

4. Commercial Persona
  Owner, NineFX, Inc.
  Certifications
    Security+, CompTIA
    Defensive Cyberspace Operations Engineer Certified Instructor, CSFI
    Certified Ethical Hacker, EC-Council
    Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC

5. Exercise Experience
  Service Academies/NSA: Cyber Defense Exercise
  US Strategic Command: Bulwark Defender
  US European Command: Coalition/Cyber Endeavor
  US Army Europe: Immediate Response
  NATO: Coalition Warrior Interoperability eXploration, eXperimentation, eXamination, eXercise (CWIX)

6. Exercise Roles

7. General Setup
  Usually more than one organization participates
  Exercise Director: senior leader from the sponsoring organization
  Blue Team: defend and operate systems as their day job; typically a subset of their organization is at the exercise
  Red Team: dedicated penetration testers
  White Cell: often from simulations and exercise groups
  Black Cell: cyber specialists and maybe ORSAs (operations research/systems analysts)

8. Blue/Red Teams
  Blue Team
    Defenders
    Under evaluation
    Executes TTPs: tactics, techniques, procedures
  Red Team
    Attackers
    Simulates an aggressor; often trained to emulate aggressor TTPs
    Stimulates training, tied to exercise objectives
    Injects events into the exercise from the Master Scenario Events List (MSEL)

9. White/Black Cells
  White Cell
    Exercise Control (EXCON)
    Evaluates outcomes
    Synchronizes injects based on the exercise schedule
    Collects lessons learned
  Black Cell
    Data collection
    Event correlation
    Provides data for reporting and visualization
    Injects events into the exercise from the Master Scenario Events List (MSEL)
  Often the Black Cell responsibilities are merged into the White Cell
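As an added illustration, not part of the original deck, of how a Black Cell could correlate White Cell MSEL injects with Blue Team incident reports to measure detection latency for after-action reporting; the MSEL and report records, their field names and timestamps are all constructed assumptions, not any real exercise's format:

```python
from datetime import datetime, timedelta

# Constructed sample data: a three-inject MSEL (what the White Cell schedules)
# and the Blue Team's incident reports as the Black Cell would collect them.
# Field names, tags and timestamps are assumptions for this example only.
MSEL = [
    {"id": "INJ-01", "time": "2024-06-03T09:00", "tag": "phish", "desc": "Red Team phishing wave"},
    {"id": "INJ-02", "time": "2024-06-03T10:30", "tag": "scan", "desc": "Red Team network scan"},
    {"id": "INJ-03", "time": "2024-06-03T13:00", "tag": "c2", "desc": "Beaconing from workstation"},
]
REPORTS = [
    {"time": "2024-06-03T08:50", "tag": "scan", "summary": "Port sweep (noise before any inject)"},
    {"time": "2024-06-03T09:42", "tag": "phish", "summary": "User reported suspicious email"},
    {"time": "2024-06-03T11:05", "tag": "scan", "summary": "IDS alert: horizontal scan"},
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def correlate(msel, reports, window=timedelta(hours=3)):
    """Match each inject to the earliest Blue report with the same tag that
    lands after the inject fires but within the window. Returns
    {inject id: detection latency in minutes, or None if undetected}."""
    result = {}
    for inj in sorted(msel, key=lambda i: parse(i["time"])):
        fired = parse(inj["time"])
        hits = [parse(r["time"]) for r in reports
                if r["tag"] == inj["tag"] and fired <= parse(r["time"]) <= fired + window]
        result[inj["id"]] = int((min(hits) - fired).total_seconds() // 60) if hits else None
    return result


def report(latencies):
    """Black Cell summary for the after-action review: detection rate and mean latency."""
    detected = [m for m in latencies.values() if m is not None]
    rate = len(detected) / len(latencies) if latencies else 0.0
    mean = sum(detected) / len(detected) if detected else None
    return {"detected": len(detected), "total": len(latencies), "rate": rate, "mean_minutes": mean}


if __name__ == "__main__":
    lat = correlate(MSEL, REPORTS)
    for inj_id, minutes in lat.items():
        print(f"{inj_id}: {'undetected' if minutes is None else f'{minutes} min'}")
    print(report(lat))
```

The pre-inject scan report is deliberately left unmatched: a report that precedes its inject cannot be credited to it, which is the kind of timing check the correlation has to make.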
10. Red Team Tools of the Trade
  Scanning: nmap
  Malicious Traffic: Scapy, hping3
  Traffic Analysis: Wireshark
  Frameworks: Metasploit, PowerShell Empire, Cobalt Strike, Core Impact
  Scripting: Python, Ruby, PowerShell, Bash
  Other: sqlmap, Burp Suite, Aircrack-ng, Kali Linux

11. Red Teaming vs. Penetration Testing
  Red Team
    Objective-driven, e.g. "Disrupt ability to launch counterattack"
    Evasion
    Often on air-gapped networks; can degrade and disable Blue Team systems
    Often integrates social engineering and physical security
  Penetration Testing
    Designed to find vulnerabilities
    Loud: scan the most devices in the shortest amount of time
    Don't damage production systems
  See the Rapid7 "Pirates vs. Ninjas" discussion:
  https://community.rapid7.com/community/infosec/blog/2016/06/23/penetration-testing-vs-red-teaming-the-age-old-debate-of-pirates-vs-ninja-continues

12. Black Cell

13. Vulnerability Assessments
  Longer time period
  System/product focused
  White/gray/black box testing
  Rules of engagement and written agreements

14. Common Attacker TTPs
  The majority of hacks start with an email
  The weakest link is the user
  Advanced Persistent Threats (APTs)
  After exploitation, the goal is to maintain access and escalate privileges (root)
  Reverse shells
  Command and control nets
  Covering your tracks

15. Offensive Security
  Penetration Testing / Red Teaming
  Vulnerability Assessment
  Exploit Research
  Tools Development

16. Exploit Research
  Local
    Desktop, mobile or similar applications
    Often exploits poor memory management
    You're going to learn assembler
  Remote
    Exploits network/server applications
    SQL injection, shell injection, cross-site scripting (XSS), etc.
  Bug bounties, contract gigs, CVEs

17. Traditional Exploit Dev
  Find memory vulnerability -> Gain control of EIP -> Develop payload
  Debuggers/Decompilers/Tools: gdb, WinDbg, OllyDbg, Immunity, lldb, Radare2, Hopper, IDA Pro, Metasploit, Mona
  Fuzzers: Sulley, AFL, honggfuzz, QuickFuzz

Uploaded on Oct 07, 2024
