The exercise overview
Cyber Resilience Helsinki is an extremely effective and engaging pre-set exercise aimed to bring together Estonian and Finnish private and public organizations working with large scale IT systems for exercising together in a large-scale cyber incident.
The main goal of the exercise is to give the participants defensive training experience with IT-systems under intense cyber-attacks. The main mission for the blue teams is to defend & protect their IT infrastructure against real-time attacks from red teams while maintaining required IT services availability. All of this happens in a competitive environment as participating teams are rivalling each other to come out on top.
Threat Hunting is a task-driven live-fire exercise with a focus on response and investigation activities. The exercise is designed for practicing response to a cyber crisis according to a pre-defined scenario. The scenario background is designed to be wider than it is usual in the case of technical exercises.
Threat hunting exercise are carried out in a Blue vs Red setup where the Blue Teams must monitor the environment for detecting Red Team attacks and perform post attack investigations on Red Team activities. There is no focus on system hardening and other general defensive tasks.
There will be friendly competition between Blue Teams – score is awarded for solving incidents by providing relevant details about attacks. Additional bonus points can be gained from cooperation initiatives among blues mostly related on sharing helpful information via MISP.
The goal of the exercise is to improve skills of the participants in following areas:
- Detection and Prevention of attacks
- Network & system monitoring
- Situational awareness and control
- Handling cyber incidents
- Teamwork: delegation, dividing and assigning roles, leadership
The exercise has the following learning objectives:
- Fostering cooperation between various actors in the cyber defence at the organizational level
- Rehearse specific defensive measures in case of an attack against a particular field or combination of fields
- Live reaction, planning of defence and enhancement of the environment
- Monitoring and analysis of attacks
- Generalization and synthesis of information on the attacks, in particular from the point of view of validating appropriate defence plans and scenarios
- Discovery and understanding of sophisticated attack patterns and vectors against the targets
- Stress-handling and decision-making under multiple bad choices
The Gamenet represents a typical IT organisation (infrastructure company) and consist of about 40 different virtual machines that are under full control and management of defending Blue Teams. Besides regular business IT systems the Gamenet includes a very simple Power Generation and Distribution system with a Control Centre, which is fully virtualized. The Gamenet comprises the following network segments:
- Demilitarized Zone (DMZ) – DMZ hosts internet facing publicly available services of the Blue Team.
- Internal Office Segment (INT) – INT or internal office network hosts Blue Team internal services and end user workstations.
- Security and Monitoring Segment (SEC) – SEC host various security tools that the Blue Teams can use for monitoring purposes.
- WiFi Segment (WiFi) – This network segment should be considered as guest WiFi network. Hosts inside WiFi network are not under the Blue Team management.
- Critical Infrastructure Control Center (CI) – This network segment hosts Energy Company control room related systems that are used to manage energy distribution network.
- Cloud zone hosts one customer website that is managed by Blue Team and also one test virtual machine.
The target audience for the exercise is technical personnel involved in technical IT-security and cyber defence. The aim is to take the Blue Teams out of their comfort zone and give them the challenge to deal with the unknown environment. Each Blue team should have between 4-6 members covering different roles and responsibilities.
Evaluation of participants
CybExer has developed a situational awareness and participant scoring software (ISA) that provides real-time visualisation and comparison of exercise data. The scoring of the Blue Teams’ performance is displayed live as the exercise progresses, detailing the status of each team, team scores with score breakdown, exercise timeline, and individual scores. Such scoring contributes enormously to the overall training experience, enhances later analysis, and improves the general observability of the exercise.
- Venue: Estonian Business School Helsinki (Mechelininkatu 3C, 00100 Helsinki, Finland)
- Date: May 4-5, 2023
- Cost: 8,000.00 EUR + VAT for one Blue Team (4-8 participants).
- Ask for Individual Seats in the shared Blue Teams!
- Registration for exercise: email@example.com
- Contact: firstname.lastname@example.org
Day 1 (4th of May)
- 09:00 – 10:30 Preparational Training
- Verifying access to Cyber Range Platform tools – visualization & scoring system, documentation, reporting & task submission, green team ticketing system, virtual machine access
- 10:30-12:00 Gamenet familiarization & team setup
- 12:00 – 13:00 Lunch
- 13:00 – STARTEX of the exercise
- Exercise starts. Blue Teams must monitor the environment for detecting Red Team attacks and perform post attack investigations on Red Team activities. There is no focus on system hardening and other general defensive tasks.
- 16:30 Deadline for Blue Team Situation Report I (SITREP I)
- 17:00 End of day 1
Day 2 (5th of May)
- 09:00 – Threat Hunting Exercise
- 12:00 Deadline for Blue Team Situation Report II (SITREP II)
- 12:00 – 13:00 Lunch
- 13:00 – Threat Hunting Exercise
- 15:30 Deadline for Blue Team Situation Report III (SITREP III)
- 16:00 – 17:00 Hotwash Session
- White Team feedback to Blue Teams
- Red Team campaign overview
- Award ceremony
- 17:00 – End of day