The Battle is on! Are you Ready to Experience an Epic Red Team vs Blue Team Cyberwar Challenge?
This is an ultimate aim to test organization’s’ security as well as ability to detect and respond to an attack. Challenge yourself and join the Red Team vs Blue Team Cyberwar Challenge!
• Is your security program effective?
• Are you able to stop simulated attacks?
• Are you ready for this cyberwar challenge and who will win?
Red team and blue team members, enterprise administrators, infrastructure architects, security professionals, systems engineers, network administrators, IT professionals, security consultants and other people responsible for implementing network and perimeter security.
To attend this training, you should have a good understanding of basic security concepts, as well as, good hands-on experience in working with Windows and Linux infrastructure (as administrator or developer). At least 5 years in the field is recommended.
- Analyze emerging trends in attacks
- Identify areas of vulnerability within your organization
- Prepare a risk assessment for your organization
- Report and recommend countermeasures
- Develop a threat management plan for your organization
- Organize Red Team – Blue Team exercises
Red Team Training (Cyber-Attack)
- In this world where most of the things happen online, hacking provides wider opportunities for the hackers to gain unauthorized access to the unclassified information like credit card details, email account details, and other personal information. So, every red teamer and blue teamer should know the modern hacking techniques that are commonly used to get your personal information in an unauthorized way.
- 1. OS platform threats and attacks
- 2. Web based threats and attacks
- 3. E-mail threats and attacks
- 4. Physical access threats and attacks
- 5. Social threats and attacks
- 6. Wireless threats and attacks
- The term Cyber Kill Chain defines the steps used by cyber attackers in today’s cyber based attacks. The reconnaissance is the first phase, during which the attacker gathers information on the target before the actual attack starts. The data gathering is essential skill of every red teamer.
- 1. Open Source Intelligence (OSINT)
- 2. Google hacking
- 3. Shodan
- 4. DNS
- 5. Port scanning
- 6. Service discovery
- After successful data gathering, advanced attacker will prepare dedicated tools and attacks scenarios to increase chances of successful attack. For example, known vulnerability in identified product could be exploited in order to execute remote code or spawn remote shell into internal network. Without remote code execution vulnerability even the most sophisticated payload needs to be delivered to the victim. There are plenty of ways to achieve that but the final result often depends on social engineering skills
- 1. Generating malicious payload
- 2. Hiding malicious content in Office Suite documents
- 3. Reverse shells
- 4. Metasploit
- 5. Empire
- 6. AV evasion techniques.
- 7. Building phishing campaign
- 8. Planting malicious device
- 9. Attacks on 3rd parties
- 10. Stage-less and staged payloads / C&C
- After successful delivery, malicious code often needs to exploits a vulnerability to execute code on victim’s system. There are multiple common patters to achieve that.
- 1. Types of vulnerabilities
- 2. Establishing foothold
- 3. Stage-less and staged payloads
- 4. Command and Control (C2)
- The successful exploitation attack often results in code execution with limited privileges. Gaining more privileges might be critical aspect of further operations.
- 1. Privileged accounts
- 2. System services security
- 3. Common misconfigurations
- 4. Security tokens
- The next step is a lateral movement that gives access to additional resources within the company and allows to spread all over the network. Attacker will also want to ensure persistency and possibility of returning to compromised hosts. Thus, even after attack is stopped and contained, it might be possible to return to the system and hide even better.
- 1. Credential harvesting
- 2. Mimikatz
- 3. Network reconnaissance
- 4. Building network map
- 5. Responder
- 6. Pass-the-hash
- 7. Pass-the-ticket
- 8. Sleeping agents
- 9. Piggybacking on network packets
- 10. Rootkits
- This part introduces the new cybersecurity challenges and trends, emphasizing on data security and integration through and into the cloud and the challenges of the coordination of the cloud and on-premise security solutions. Security is a business enabler, and it is only when it is viewed from a business perspective that we can truly make the right decisions. You will learn how to define values of your company which needs to be protected or restricted. You will know how to find obvious and not so obvious sensitive information which can be monetized by adversaries. Having that scope defined and knowing your resources you will know where the biggest gaps in your security posture are.
- 1. Defining the assets which your company needs to protect
- 2. Defining the other sensitive information that needs to be protected
- We can’t detect every kind of recon ops but it doesn’t mean we can’t detect some of them. It is crucial to understand what kind of information is publicly available and to learn how to protect that information by proactively analyzing network traffic. Attacker can use many different methods to deliver malicious payload. Blue team needs to ensure that even if delivered, payloads are detected and blocked at early stage.
- 1. Setting up firewall
- 2. DNS hardening
- 3. Log collectors and SIEM
- 4. Intrusion Prevention Systems
- 5. Security awareness
- 6. O365 / Safe links
- 7. Smart Screen
- 8. Secure proxy
- 9. Sandboxing
- 10. Sinkholing
- 11. APT campaigns
- Executed payload doesn’t have to mean that system is compromised. There are many mechanisms that, if properly configured, significantly reduce attack scope.
- 1. Anti-Virus
- 2. Firewall
- 3. Application Whitelisting
- 4. WDAC
- 5. Living Off the Land Binaries
- 6. Exploit Guard
- 7. AMSI
- The chances of privilege escalation will be significantly reduced if the principle of least privilege will be properly used. The principle means giving a user account, service or process only those privileges which are essential to perform its intended function.
- 1. Patch management
- 2. Group Managed Service Accounts
- 3. Just Enough Administration
- 4. Vulnerability Management
- Internal network shouldn’t be treated as trusted. Plenty of things can go undetected if proper mechanisms aren’t deployed. Before red teamer can reach Domain Controller or other critical servers, blue team can implement numerous protections against that threat to detect and neutralize infected hosts.
- 1. Logging
- 2. GPO policies
- 3. LAPS
- 4. Credential Guard
- 5. Windows ATA
- 6. Defender ATP
- Once attack is detected and neutralized, it is important to locate all other infected hosts. Attacker can leave multiple backdoors or intentionally introduce security problems. It is crucial to test entire environment for that threat.
- 1. Searching for rogue servers
- 2. Looking for network anomalies
- 3. Looking for backdoors
Cyber-Competition Red Team vs Blue Team (Capture the Flag!)
- Both will have a mix of Red Team and Blue Team people. Both groups would get their own small set of machines to configure and protect. The machines would server various purposes – some of them will have services configured, such as WWW, DNS or SMB.
- The first two hours would be used to understand the architecture, found out what services are running, what is the configuration, and so on. Cooperating as a group, their job would be to harden the configuration, find and fix misconfigurations and plan future services – such as logging the events!
- After two hours, the big firewall between two groups is disabled, and groups can see each other’s networks. The fun starts here. Red Team members will try to find vulnerabilities in target systems and recover some sort of secret (the flag). At the same time Blue Team members will try hard to prevent that - by deploying set of protections, monitoring the network and actively stopping the attacks.
- To make things even more exciting, automated clients will also interact with the services. Each group has to make sure, that work of the services is not interrupted, and regular clients can still use them.
- After obtained, it should be sent to our scoring systems, where groups can see the description of all challenges, as well as, current scoreboard! Each flag is scored differently, the harder it is to get it, the more points at the end! Points can also be used to buy additional hints if group can’t move forward with one of other challenges.
- The last hour would be used to summarize what worked and what not – groups would describe what they did to retrieve the flag or what they did to prevent the other team from recover that. Instructor would also answer all the questions and show what was the intended solution to beat some of the challenges.
Author’s unique tools, presentation slides with notes.
CPE Point (Continuing professional education)
It will be possible to earn CPE points after completion this course.
Har du faglige spørgsmål, så kontakt:
- Jette Ravn Merkel
- +45 72202695