CSIRTS (Cyber Security Incident Response Simulation)
Participants may compete as teams or individuals. A limited number of laptops will be provided, or participants can bring their own, which we encourage. There will be wired and wireless access to the environment. Upon logging into the environment, participants act as "blue team" incident responders seeking to identify a network breach that is actively in progress. The range is a small but realistic mock-up of an enterprise network, complete with Active Directory, Exchange, firewalls, a SIEM, workstations, etc. Participants will have access to a SIEM/log aggregation tool and multiple security appliances to help identify the malicious activity taking place on the network.
This is not a defensive challenge, as those often require a significant amount of time. It is simply an "identification" challenge, which is honestly the best starting place for most incident response training. The challenge is simple: can you find the hostile activity and identify the key components of the threat?
There will be a scoreboard that prompts the participant to answer Jeopardy-style questions to measure their progress through the challenge. A sample question might be, "What is the external IP address of the malicious activity detected by the perimeter firewall?" or "What protocol is the attacker using to exfiltrate data from within the network?" This nudges the participant in the right direction for systematically tracing and identifying unauthorized activity on an enterprise network.
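To give a feel for how the two sample questions above get answered in practice, here is an added illustration (not part of the CSIRTS event material or its range) that triages a handful of constructed perimeter-firewall log lines: it sums allowed outbound bytes per external destination to find the top external talker, then reports which protocol and port carried that traffic and which internal host sent it. The key=value log format, the addresses and the byte counts are all constructed for the example; the RFC 1918 ranges are used as the "internal" definition.

```python
"""Added example: triaging constructed perimeter-firewall logs to answer
"which external IP?" and "which protocol is carrying data out?".
Not part of the CSIRTS event; format and values are constructed."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample export in a generic key=value firewall log format.
SAMPLE_LOGS = """\
ts=2024-05-01T02:13:04Z action=allow src=10.20.1.57 dst=203.0.113.45 proto=tcp dport=443 bytes_out=481200
ts=2024-05-01T02:13:09Z action=allow src=10.20.1.57 dst=203.0.113.45 proto=tcp dport=443 bytes_out=512000
ts=2024-05-01T02:14:11Z action=allow src=10.20.1.12 dst=198.51.100.7 proto=udp dport=53 bytes_out=91
ts=2024-05-01T02:15:30Z action=allow src=10.20.1.57 dst=203.0.113.45 proto=tcp dport=443 bytes_out=498000
ts=2024-05-01T02:16:02Z action=deny src=192.0.2.99 dst=10.20.0.5 proto=tcp dport=3389 bytes_out=0
ts=2024-05-01T02:17:45Z action=allow src=10.20.1.12 dst=10.20.0.10 proto=tcp dport=445 bytes_out=20480
ts=2024-05-01T02:18:20Z action=allow src=10.20.1.57 dst=198.51.100.7 proto=udp dport=53 bytes_out=3200
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# RFC 1918 space is treated as "inside the enterprise" for this example.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Friendly names for well-known ports, used only to label the answer.
PORT_NAMES = {53: "dns", 80: "http", 443: "https", 445: "smb", 3389: "rdp"}


def parse_line(line):
    """Split one key=value log line into a dict with numeric fields converted."""
    fields = dict(FIELD_RE.findall(line))
    fields["dport"] = int(fields["dport"])
    fields["bytes_out"] = int(fields["bytes_out"])
    return fields


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_by_destination(events):
    """Allowed bytes sent from internal hosts, summed per external destination."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "allow" and is_internal(e["src"]) and not is_internal(e["dst"]):
            totals[e["dst"]] += e["bytes_out"]
    return dict(totals)


def top_external_talker(events):
    """Answer to 'what is the external IP?': (dst, total_bytes) with the most outbound data."""
    totals = outbound_by_destination(events)
    if not totals:
        return None
    return max(totals.items(), key=lambda kv: kv[1])


def exfil_channel(events, dst):
    """Answer to 'what protocol?': the (proto, port, label, bytes) pair carrying most data to dst."""
    per_channel = defaultdict(int)
    for e in events:
        if e["action"] == "allow" and e["dst"] == dst:
            per_channel[(e["proto"], e["dport"])] += e["bytes_out"]
    (proto, port), nbytes = max(per_channel.items(), key=lambda kv: kv[1])
    return proto, port, PORT_NAMES.get(port, "unknown"), nbytes


def internal_sources(events, dst):
    """Internal hosts that talked to dst; the next pivot point for the responder."""
    return {e["src"] for e in events if e["dst"] == dst and is_internal(e["src"])}


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    dst, total = top_external_talker(events)
    proto, port, label, nbytes = exfil_channel(events, dst)
    print(f"top external destination: {dst} ({total} bytes out)")
    print(f"channel: {proto}/{port} ({label}), {nbytes} bytes")
    print(f"internal sources: {sorted(internal_sources(events, dst))}")
```

The volume-per-destination view is the same pivot a SIEM dashboard gives you; the point of writing it out is to see that "which IP" and "which protocol" are two aggregations over the same allowed-outbound events, and that the inbound deny on port 3389 is noise for these particular questions even though it looks alarming on its own.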