Anatomy of a Cyber Attack
Updated: May 22
Most cyber professionals don't have the opportunity to see an actual cyberattack play out. They understand concepts and they hear about different TTPs, but rarely does somebody have the opportunity to see an entire attack flow and how it affects systems in real time.
Watch and learn as a real cyberattack plays out in front of your eyes on the Cloud Range virtual cyber range.
A live instructor will demonstrate how cyber defenders detect and respond to an attack as it occurs in real time, while showing attendees how security tools play a part in the process. For this unique experience, participants won’t know what type of attack they will witness until it happens. Participants will have the opportunity to engage with peers and with the instructor to discuss the steps that the attackers appear to be taking, as well as the necessary defense methods as the attack unfolds.
This immersive learning experience allows participants to simply observe or to also verbally engage during the session. At the end, learners will be assessed on their understanding of the attacker’s tactics, and the steps that were taken by the instructor to detect and respond to the attack.
As founder and CEO of Cloud Range, Debbie Gordon is a globally recognized entrepreneur leading a new category in cybersecurity. Cloud Range was founded on the premise of closing the cybersecurity skills gap by giving security teams the ability to gain real-life experience and practice defending against live cyberattacks in a protected customized dynamic environment. A consummate entrepreneur, Debbie began her career 25+ years ago in the technical education/certification space and has since built and sold several companies in eCommerce, IT asset management, and training.
Marcus Linder has over five years of incident response and cyber range development experience. A United States Navy veteran, he has led multiple cybersecurity engineering teams to develop and implement fully independent incident response training cycles.
Full Session Text
My name is Debbie Gordon. I'm the founder and CEO of Cloud Range. We are a full-service cyber range provider. We help security teams around the world be prepared for cyber attacks by immersing them in live simulations in a very protected environment.
For this session, I am very excited to have Marcus Linder here with me virtually. Marcus is one of our attack masters, so he's going to be leading an actual simulation on our range.
Just a couple of quick things, to recap what we talked about this morning. There are a few reasons that cyber ranges are important. Number one is that there's a huge skills gap, and it's really an experience shortage. People are only as good as the experience that they have, so we need to immerse people in simulations in order to accelerate experience.
And the skills shortage is only getting worse: the number of attacks, the number of technologies, and there are just not enough people that have enough experience. Traditional education and certifications are not enough. One reason is that most programs are very theoretical and, until recently, didn't have the ability to provide hands-on experience. We're able to address that with live simulation. And then finally, on-the-job training is really not an option. It happens, but it's not really a practical or dependable way to ensure that people are trained and have the right experience they need to protect companies.
We have seen an increase in utilization of cyber ranges. Cloud Range was founded in 2018, and in just that short time we've seen a huge increase in the adoption rate of cyber ranges, because, as I indicated earlier, it's like a flight simulator: once it's available, nobody doesn't use it. You don't want to crash the plane if you have a way to practice in a safe environment. We're able to simulate and then accelerate people's learning as a result.
Traditionally cyber ranges were used for testing, really a lot of red teaming, but what we've done is move the use cases of a cyber range to training the defenders. So SOC and DFIR teams are able to practice detecting and responding to attacks. We also do red teaming and purple teaming, as well as advanced tabletop exercises.
But what we're going to see today is an example of a live simulation of an attack. I'm not actually going to say which one it is, because I'm not sure what Marcus has pulled out of the hat today, but he's going to show you how it happens. The environment that you'll be seeing is an actual enterprise environment on the range. It's a multi-segment network, and there are live tools in it, so you'll see fully licensed tools. I'm not sure which ones you'll see today, but we have things like QRadar and Splunk and Palo Alto and Check Point, and many others in the range, so that people are able to train on the tools that they use in their live environment.
Usually we have somewhere between eight and ten people logged into an exercise at one time; it is a team exercise. So this is something that's typically scheduled and facilitated, similar to a sports practice, because if you just say to a sports team, "Go on the field and practice," without a coach, it's probably not going to be that productive.
So people like Marcus, who are part of Cloud Range, help teams by facilitating the simulation exercises. With that, I am going to turn it over to Marcus Linder, hailing from central Illinois with Cloud Range. Thank you very much, Marcus.
Hello. Thank you, Debbie. As she said, I am Marcus Linder. I am a senior attack master with Cloud Range, and I am going to run you through an attack. Now, the big thing to remember is that, from a training defensive side, it is primarily about leading the team down a trail of breadcrumbs so that it engages their analytical brain. When they have a real attack on their network, they're thinking in the way they should to remediate that attack. I'm going to be going through those breadcrumbs and the major points of this attack from a defensive side.
We're going to start out right as you open up your workstation. You see that workstation Windows 7 CTN2; an employee called and said that it is acting weird. As a SOC analyst, I should probably investigate that, and I actually have it open right here. That's not good. So the early understanding of what's going on is that everything has been encrypted. But I don't necessarily want to take their word for it, so I'm going to start looking at files that have been recently modified. Sorting by date modified, today, you can see that a bunch of files have been encrypted, but also, because something had to launch this encryption attack, we find a PowerShell script among these. Obviously it's significantly close to the bottom, because it encrypted quite a few files.
If we open that in Notepad++, we can find that there are a couple of registry keys here for HKEY_CURRENT_USER\Software\Microsoft\UAD. So if we look at this registry entry, we'll go ahead and open up the Registry Editor and go to HKEY_CURRENT_USER\Software\Microsoft\UAD, and we can find a key right here, which is most likely the public key that our files were encrypted with. So that's good; that's good information to know, but it doesn't actually help us decrypt anything, because we need the private key that the attacker has. Now, if we look at Components, we can see everything that was encrypted on the system, which is a lot.
So from this we need to think of some sort of initial access vector. What could that be? One of the earliest and simplest things you can look at is Microsoft Outlook. And if you look at Microsoft Outlook, there is a message today. It says, "Hello, attached is the salary report for last year. Please review it. For executive branch only." I'm not going to click on it, but if you go to the location of that PowerShell script, which is C:\Users\...\AppData\Local\Temp, which is a very suspicious location anyway, and look there, there's actually a salaries.docx. If we open that with Notepad++, it's a bunch of gobbledygook, except there are a couple of strings in here: powershell.exe, which is not great in a Windows document, and then we have this IP of where it's going out to and grabbing images.php, with a password of "there is no cow level", and pulling that down. Oh, and there's that PowerShell script that we saw. And then it is going to execute PowerShell again and run the PowerShell script. But now we have a potential IP to look for.
So if we go back to our machine and open up our Palo Alto firewall, I've already thrown in the query for that IP, if it's still in here. It is. So if we look at that IP that we got from that salaries.docx, we can find that it's connecting to two machines within our network, the .10 and the .11. The Windows 7 CTN2 is the .11, so we need to look at the .10. Oh, it was encrypted as well. Wonderful.
So if we go ahead and look in Regedit on this machine and go back to the components that were encrypted, we can find that the Z drive was also encrypted, so not necessarily our local drive. If we look in File Explorer, we see that the Z drive is actually a file share, and if we open it, we see that these were also encrypted, but these files are on our file server. So we should probably go look at our files on our file server. On our file server, we can look into that file share, see the secret documents, and see that everything is also encrypted. However, on our file share (this is something I know, but the teams have to discover it for themselves, along with all of this information), if you actually take the folder, go to Properties and go to Previous Versions, there are shadow copies of all these files. So without paying any ransom demand, without needing to decrypt anything, we can just go ahead and restore that entire folder to the last known good. And if we open it, we can see our good files and the encrypted files side by side.
So the file server is successfully remediated. Now, something that would happen right now, that I'm not going to do in this demonstration, is that we would act like the FBI seized a server from the known attacker, and they're giving a copy to you, saying, "If you need to decrypt your data, here's a copy of that server." So then they'd have to actually connect to the attacker server and try to find in there the decryption keys and the decrypt script that the attacker would have on his box.
And so then we would have conversations with the teams about, okay, how would you prevent this from happening in the future? And they would say better firewalls, firewall policies blocking this IP, which is also a good idea, activating different group policies to stop local users from being able to run PowerShell commands, and so on. And then we have them do it. So then not only do they know how the attack happens and where it goes through, but also the remediation process.
Also, what I've found to be the most valuable component of this is that this attack, as I've gone through it, is somewhat simple in design. However, the key is when they are looking at the file server and don't know what to do, and then you say, "Oh, how would you look at previous versions of the files?" and then they see that there are shadow copies. Or if they can't find the initial attack vector: "Okay, how would an attacker potentially get to this box with no previous connections?" And normally they'd rack their brains and go, "Maybe phishing," and then they check the emails, and then you can see that the attack came from a phishing email.
And then, once we have all of the remediation actions done throughout the network, we ask them not just what physical things they could do, but what policy changes they can make, such as making sure users have education about potential spear phishing attacks, or the dangers of certain types of malware and ransomware, and things like that.
And so I think it's a very valuable method to train people, because it leads them down this bread trail, and when they get to a point where they're stuck, they have to engage that analytical brain and fight through to find the next breadcrumb.
Does anybody have any questions?
Or did I possibly lose anybody anywhere?
Marcus? Yes. Here we go. Hey. Yeah. So, questions. So, a comment right now: you talked about, and I'm just seeking clarification on your range, you made a comment, I think, that you solicit an action from the user, which I interpreted as a verbal response. So is there like a digital twin in your environment that the system administrator or network administrator actually gets to? In my speech this morning, I actually talked about friction.
So you're providing the sysadmin with friction. So do they actually get to go implement those changes in the infrastructure to then see if it rectifies the breach?
Yes. Not only do they get to implement the changes, but they also can see them happen. For instance, in the firewall, you can see these connections, and you can instantly go into policies and create a policy to block that IP if you want to. And most of the time, since this is a free range and it's virtual, we don't care about you burning it down if something catastrophic happens. Normally there are no provisions other than the incident commander, or whoever's running this particular exercise from the team perspective. If one of their analysts says, "Hey, can I block that IP at the firewall?" and they say, "Go ahead," at no point do I say, "Oh no, you need to wait a second and make sure." Nope. If you want to block it, [block it]. Normally, in this instance, I know they've tried to isolate the boxes from the internal firewall so that they can't communicate out and further infect anything.
All of that stuff is completely up to the teams, and if they want to implement it, they implement it. I will ask a probing question like, "How could they have gotten on the box?" or something like that. And then if a team is very much struggling, then we can go to a much more coaching role of, "Okay, if this box is infected and this box is infected, does this box have a spear phishing email on it, too?" and walk them through that analytical process a little bit more if they're struggling really badly. But most of the time they run free, and then there are a couple of proddings if they get stuck somewhere and run down a rabbit hole for 45 minutes.
Thank you. Great response. One more question. So, the environment, the range that you provide: is it a generic range, or does the customer have the opportunity to export their environment, so that they have a familiar environment? And the reason I say familiar is because, when we're defending our environment, I've always argued that you have to understand your environment. So while I was the chief engineer at CENTCOM, I could look at the ports and protocols of 4,000 applications, and I could tell you, based on IP address, what country they were coming from. And so when you block something, whether in an IDS, IPS, or router, what's the impact to the network? What's the outcome, the mission outcome, of the application? What did you just stop when you were denying the adversary? The point of the question is: is it a generic environment that you're doing the training in, or is it customized for the customer, so they know exactly what the impact is to their environment?
From a default perspective, it's a generic environment, but it's also simple enough; it's simple and complex. It's not too complex, but it's simple enough that any team that comes in here can understand it relatively quickly, and if they need a reference, they can look at the network map and just see, "Oh, this is our server segment, our user segment, our SIEM segment." But if a customer does want a customized environment, we will do that as well. It's a little bit more of a headache, obviously, recreating their environment, but we will do that if that is what the customer is adamant about.
Nope. Perfect. Thank you.
And I'll just add to that: it's really about the objectives of the exercise. Fortunately or unfortunately, for a lot of the Fortune 1000 companies that we work with, even what may seem like a really great security team still needs to focus on how to detect and investigate things and respond to them, versus making assessments about the actual environment and where things came from. So we can replicate anything; there are just often diminishing returns on the time to do that, based on the objectives of the exercise. But what you're seeing here is a generic environment. We do have custom environments for OT networks and different segments. But what you're looking at here is relatively generic, though it represents the different segments within an enterprise network.
So my question was really about your customer base. Do you tend to find that this is about teams that are just doing some early training and trying to prepare? Is it people that have fairly well-trained teams but want to be more advanced? Or is it people who say, "Yeah, we got compromised, and so now we're behind the eight ball already and we need you to come in and help"? Who do you see most frequently as your customers?
I would say, in my experience, it is the first two: the early team that needs some experience. We have some very early-level exercises that let them start developing those processes, not just in remediating an attack, but also in working together and understanding how they communicate and things. And then we give full feedback of, "Hey, this team member, I was watching their screen. They found all of the breadcrumbs and everything important, but they didn't speak up, so we probably need to encourage communication with this group."
There are also more senior teams that we have taken through some earlier levels and they've excelled, so then we give them harder scenarios. And that really comes to something that is the benefit of the generic network: there's not a simple tool that just tells you exactly what's going on in X, Y, and Z place, and you become reliant on the tool. You actually have to analyze how it's working together, what is potentially trying to communicate with where, and where your gaps in the knowledge or alerts that you'd be seeing are. I had a senior team go through last week, and I hadn't destroyed any scenario we put in front of them. And I actually had to help them last week, because they couldn't see a very hidden man-in-the-middle attack. They could see the rogue box, but they weren't understanding what was happening from it. So it's very much those first two. I would say the third is probably something we've seen; I haven't been on any calls where someone has said, "We're coming in because of this." But I know many times teams that we've trained have come back. I know a team went through ransomware and then came back the next week and was like, "Oh, we got hit by ransomware two days ago and remediated it in two hours." And that just makes you super excited. But no, it's mostly teams who have seen the value of this and are looking to increase knowledge, whether that's from an early, intermediate, or advanced perspective.
Did that answer your question?
I heard that there are some services that bounce around different IP addresses, so you cannot see the source. How would you find this?
I know, actually, I was having a conversation about that. Most of our stuff is statically routed in this, but we can throw on a DHCP router that then gives everything within a subnet just a random IP. And then you have to discover that a little bit more. That's not a difficult change, and something we could emulate on one of our networks quite easily.
How many different tools do you guys typically put into your cyber range? And can you give us, I know you've talked about some of these, but is there a typical number that an organization will have and use during a particular session?
I would say, I know we have different firewall licenses, but we can only have one of those, so we'll do one of those. We normally have a primary SIEM, and then we have a secondary SIEM in most. I know we're working on getting a couple of other licenses in there. So as far as number of tools, I would say normally three to four; if they request more, we can throw more on there. Whether they want to keep the older one or have a brand new one, just "now everything goes to a Splunk server" or something like that, we can set that up. But I would say normally three, sometimes four.
Hey Marcus, Dave Wills again. So the companies that are coming in, or the customers that are coming in and training, are they training primarily IPv4, IPv6, or a mixture?
It's mostly been IPv4; we haven't gotten a request for IPv6 yet. But that's a couple of routing changes that shouldn't be bad or hard to do.
Yeah. I just wonder, because as you think about it, and maybe it applies more so from an external perspective, a lot of people were in favor of NATing, because not only did it provide obfuscation, it limited the adversary's ability to pinpoint your IP address and then launch an attack. With IPv6, essentially, it's like unlimited IP addresses, which makes it a whole lot harder to determine where the attack is coming from. And so in the Department of Defense, IPv6 has been mandated since 2011. But as we look across industry, pick VMware for example, as you look across their product line, there are different levels of implementation of IPv6. It's not standard; as they go out and acquire a product from a small business, there's a lot of work to bring it up to a certain level. And so I'd just be interested, as you guys make progress towards implementing IPv6 in the range, in what you see as far as, I'll say, maturity and the customer's ability to respond appropriately.
I don't think it would be. I'm assuming that this range was just instantly transformed into an IPv6 range. I don't think it would cause a substantial issue, because in our trainings we ensure that there's always an incident reporter, so somebody logging and cataloging all the information, regardless of whether they have some communication channel that they always use for incidents, which we encourage them to use and continue to communicate on. But we always ensure that there is somebody designated to that role. So if there is an IPv6 address, it would take slightly more time to ensure that you wrote that down correctly. I don't think the relevance of IPv6 would change the outcome of the scenario too much, or, with the teams that we know about, they would be able to just keep continuing in stride. They'd be like, "Oh, that's IPv6," and that, I think, would be their biggest comment.
Hey, I've got a question. Do you guys have the ability to allow incident responders to bring up a VM of their own, maybe running tools like tcpdump or Kali Linux or anything like that? Can they run that in the environment and kind of interact with those types of tools, as well as the actual hardware devices?
Yes, because we actually have, they're not on the network map obviously, but if somebody requests it, we have Kali boxes in the environment, and we have Sysinternals on a hidden share in the environment, so they can actually pull all of those tools down and run them on any box in the range.
Okay, yeah, that's super useful. The difference between looking at the dashboard provided by vendors versus a real deep-level SOC analyst who would want to look at things at the packet level and kind of look at the cooler viewpoint that they might have. Okay. That's cool. Thank you.
You're welcome. And honestly, in that scenario I mentioned where that advanced team was having trouble, they ended up pulling down Wireshark and throwing it on one of the individual user stations to be able to see the path the HTTP traffic was taking and getting repackaged. So all of those tools are there, and they're meant to be used.
Excellent. Thank you.
Hey Marcus, this is Jim Wheat. I was just wondering what SIEMs you're currently running in your range.
So I know currently we have QRadar and Splunk, and the one that's running right now, the one we have, we also have ArcSight, and I believe we're getting another SIEM. And, oh, we also have a Security Onion instance on here as well.
Okay. Thank you.
Anything that can be virtualized can be put into the range. Most of the tools that we have in there are ones that most of our customers use; it's the usual suspects of tools in there. So we add them because customers request them, and then they just become generally available.
Yes. Got one more question here.
Will Smith with the question; don't slap me.
So I have a question. So you started Cloud Range in 2018. What are the biggest friction points or pain points that your customers or clients have come across that you have overcome? What would some of those be? Thanks.
Okay. So I would say the biggest hiccup we had that we overcame was the idea that we'd talk to a customer: "You need to do training." They're like, "That's a great idea. Okay, give us training." And then that's where it would just... they'd come to us at the end of the year and be like, "Oh, we paid for this training, and nobody ever came and got training." So I think that the most effective use is that we now schedule and annotate who's going to be there and when they're going to be there, and we already assign which scenario we're going to run beforehand, normally with the CISO or whoever's in charge, who is not going to actually be in the exercise. And we'll say, "What do you need to work on? What would help you succeed as a team?" And so now we tell them, "You'll be here on Monday at 1:00 PM, and we're going to do this scenario." So then the team shows up, all in a Zoom meeting, and they start running. I make sure everybody's ready to go, and we go in and do a scenario. And it ensures that those companies and customers get the training that, A, they're paying for, but B, get the value out of the training: "Okay, we know that these eight people got trained last month in ransomware, and so now we are confident in their ability to continue progressing as a team," and not just, "Oh, we have this money for training, but no one's taking advantage of it." So I would say that's the biggest struggle I've seen that we've overcome that way.
Yeah. And just to add to that, that goes to the Eisenhower quadrant of urgent versus important. The last thing we want to do is have a customer spend a bunch of hard-earned money with us and not take advantage of it. And so it has to be scheduled out. I guarantee, if we didn't schedule these things out for them, they would probably get to a year later and say, "Gosh, we never found time." This goes back to going to the gym. You have to make time. Nobody has extra time in their life. So training is one of those things that, unless prioritized, doesn't get done, because there's always something that's going to be more urgent.
So Marcus, you're absolutely right; that's something that I think is a good lesson learned by us and our customers, that it does have to be planned out.
Glenn, do you have anything that you think our customers have overcome, besides the obvious? Glenn Ewing's here in the audience, chief revenue officer of Cloud Range.
Everyone, Glenn Ewing, CRO at Cloud Range. I think, to build on Marcus's response and answer your question a little bit more, another thing that customers appreciate is, as Debbie mentioned, really that programmatic discipline that we bring to the process. And we've talked a lot about teams, and there are a lot of analogies we can use from a sports perspective. But think of a coach that tells her team, "Hey guys, we're going to have a game at 10 o'clock on Sunday. Have a great week, practice on your own, and show up ready to play," versus, "We're having a game. It's Sunday at 10:00 AM. You have the day off tomorrow. We have film at eight, you get taped at twelve, you're on the field at one," and we're doing that the entire week. Who's going to be better prepared? And I think customers appreciate that, by the way, because they're all busy. And the chief information security officers, many of whom we work with, don't have time to think about that, and they don't want to think about it. They want you to bring that program to them. Bring a solution, not just describe the problem. And that's a lot of what we're doing in the market.
I could just add to what you just talked about. Think about it: you have that team and you tell them all, "Yeah, go get training. Here's your training budget," and they all get training with a different team, and then they're expected to come together and win. Now, you need to train with the people that you're going to be with, or at least a contingent of the same group of people that you're going to fight the battle with. It's like military training: let's go, everybody do something different? You need to train with the team that you're going to work on the problem with.
Thank you, Bill. And one more thing I'll add, going back to the organizational behavior and management-of-humans part of this: a lot of people in positions in security and leadership, especially if they didn't come from the military, don't have a lot of training on managing people. A lot of them came up through technology, and that's what they're doing. And so when we're able to help them see things about their team and make observations and recommendations about how their team is working, it is a huge weight off their shoulders, because that's not something that they often have the time or energy to think about doing. A lot of people want to become better managers and better leaders, but when things are moving so fast in security, a SOC manager doesn't always have time to say, "Hey, how am I going to make sure this person gets better leadership skills, and that this person gets better communication skills?" And so by doing these exercises, all of that stuff happens at once. And people like Marcus, our attack masters, are able to then provide feedback and say, "Hey, I saw this person; they're really good at this, but they could use some more work on this. This person really shined on this; we recommend a little more work on this." And that takes a huge burden off security leaders, because people need to be focused on what they do best, and sometimes observations and management of their team from a non-technical standpoint is not what they're focusing on. So this really helps them there, too.
Marcus, anything left in the scenario that you wanted to show?
Oh, not in the scenario, but I did want to run through a couple of sections of the debrief, just to show what we do after the scenario. And this is a very cut-down portion. This is not the real thing. We've got three minutes; I can be super fast. Oh, I've got to share my screen. Okay. Fast, fast.
Okay. So this is part of one of our debriefs. We go through what the objectives were, what kind of skills are supposed to be gained and flexed during this incident. We tell you how the scenario is; we give it a difficulty level and an estimated time for about seven to ten people doing it. And then we go through and state every single one of the breadcrumbs that we discussed and how you're potentially supposed to think about that after the fact. So once they've gone through the whole scenario, they then get reinforcement on what was done, how well they did it, and what information they should have gotten from those pieces of information, so that they can know afterward, not necessarily what they should have done, but how the thought process would have been best implemented to achieve the remediation of the attack. Okay. And now that's all, Debbie.
Really appreciate it. And just a little bit more: when we go through the exercises, we usually block off about four hours for these. The first three hours are usually the actual scenario, and then the last hour consists of the debrief, which is an extended version of the slides that Marcus just went through really quickly. And then the participants do a few different types of feedback. They go into our learning management system and take a quick quiz that assesses their understanding of things that happened, even if they weren't the ones that were hands-on-keyboard for specific actions. We're able to track that, and those can track back to the MITRE, excuse me, to the NIST framework, so we can look at different KSA codes that they're achieving. And then they also give some feedback about themselves: What did they learn? What do they want to get better at? Where were they challenged? What types of things do they want to work on in their careers? That kind of information is then presented back to their leadership within about a week of the exercise, and that stuff is gold, because the leaders are able to see what this person says about themselves: "Oh, I had no idea that they wanted to move into forensics," or something else. And so it gives them the ability to start thinking about career paths for their teams as well, and also what exercises and scenarios we can work on with them in the future. So it really helps set out a plan for them.
All right. Marcus, thank you so much. Great job. And thanks, everybody. Thank you, everyone.
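The demo above walks the same breadcrumb trail an analyst would follow by hand on the infected workstation: sort the user's files by date modified, notice the PowerShell script and the lure document in %LOCALAPPDATA%\Temp, read the printable strings out of salaries.docx to recover the download address, look at what the script wrote under HKEY_CURRENT_USER\Software\Microsoft\UAD, and then check for shadow copies before anyone discusses a ransom. The script below is an added example that reproduces those triage steps in PowerShell; it is not Cloud Range's code and was not shown in the session. The registry path and the Temp location come from the transcript; the value names under UAD, the choice of file extensions, the 24-hour window and the parameter defaults are assumptions made here for illustration. Run it from an elevated console on the suspect host (steps 1 to 4) and again on the file server for step 5, since the Z: share's snapshots live on the server, not on the workstation.

```powershell
# Added example (not Cloud Range code): scripted version of the triage steps from the session.
# Assumptions: the logged-on user's profile is the one to triage, "today" means the last 24 hours,
# the share is mapped as Z:, and the value names under HKCU\Software\Microsoft\UAD are unknown.
param(
    [string]$UserRoot    = $env:USERPROFILE,   # assumption: profile of the user who reported the box
    [int]   $WindowHours = 24,                 # "sort by date modified, today"
    [string]$Share       = 'Z:\'               # the mapped file share seen in Explorer
)

# 1. Files modified inside the window, newest first. In the demo the dropper sat near the bottom
#    of this list because the encryption routine rewrote thousands of files after it ran.
$since  = (Get-Date).AddHours(-$WindowHours)
$recent = Get-ChildItem -Path $UserRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    Sort-Object LastWriteTime -Descending
$recent | Select-Object -First 25 FullName, LastWriteTime, Length | Format-Table -AutoSize

# 2. Scripts or documents dropped into %LOCALAPPDATA%\Temp are the first thing to pull apart.
$temp    = Join-Path $env:LOCALAPPDATA 'Temp'
$dropped = $recent | Where-Object {
    $_.FullName -like "$temp\*" -and $_.Extension -in '.ps1', '.docx', '.doc', '.bat', '.vbs'
}
"Dropped in ${temp}:"
$dropped | Select-Object FullName, LastWriteTime | Format-Table -AutoSize

# 3. Pull printable strings out of a file the way the demo read salaries.docx in Notepad++,
#    keeping only the indicators that drive the next step: IPv4 addresses, URLs, and any
#    powershell.exe command line embedded in the document.
function Get-FileIndicators {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [IO.File]::ReadAllBytes($Path)
    $text  = [Text.Encoding]::ASCII.GetString($bytes)
    [pscustomobject]@{
        File       = $Path
        IPv4       = [regex]::Matches($text, '\b(?:\d{1,3}\.){3}\d{1,3}\b').Value | Sort-Object -Unique
        Urls       = [regex]::Matches($text, 'https?://[^\s"''<>]+').Value | Sort-Object -Unique
        PowerShell = [regex]::Matches($text, '(?i)powershell(?:\.exe)?[^\r\n\x00]{0,120}').Value
    }
}
foreach ($f in $dropped) { Get-FileIndicators -Path $f.FullName | Format-List }

# 4. The key the script wrote. The value names are not known from the session, so dump every
#    value and subkey (the demo looked at a Components subkey listing what was encrypted).
$uad = 'HKCU:\Software\Microsoft\UAD'
if (Test-Path $uad) {
    Get-ItemProperty -Path $uad | Format-List
    Get-ChildItem -Path $uad -Recurse -ErrorAction SilentlyContinue
} else {
    "$uad is not present on this host"
}

# 5. Before anyone talks about paying: are there shadow copies of the volume behind the share?
#    Explorer's Previous Versions tab reads these same snapshots. Run this on the file server.
Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, InstallDate, VolumeName | Format-Table -AutoSize
vssadmin list shadows 2>$null

# 6. One of the prevention controls the teams propose afterwards is restricting PowerShell for
#    ordinary users; record what the current session is allowed to do so the change can be verified.
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"
Get-ExecutionPolicy -List | Format-Table -AutoSize
```

The IP addresses step 3 prints are what you take to the firewall log search the demo performed next; the script does not query the Palo Alto itself. Step 5 only inventories snapshots: the restore of the share to its last known good state is the Previous Versions action in Explorer (or a copy out of the snapshot), and it should be done after the infected workstations have been isolated so the restored files are not encrypted a second time.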