Using the ATC and Cyber Range to Upskill your Security Operations Team
Keeping your team trained and up to date with current threats is one of the hardest things to do as a leader within Security Operations. Threats change, tools change, even syntax within the tools changes. A SOC practitioner must remain competent in all three. But where is the time, and where is the money to support this? Many certificate bootcamps require a week-long commitment, and training can cost anywhere from a couple of hundred dollars to $10,000 for a single class (you know who we're talking about). As leaders, we must find a way to scale these things.
Insert the Cyber Range
"WWT's Cyber Range, hosted within our Advanced Technology Center, provides a hands-on environment where organizations can train and upskill their staff through cybersecurity technology labs, Learning Paths, and red team (attacker) and blue team (defender) challenges or custom-designed exercises."
As a former SOC manager, I was always scrounging up exercises, training pipelines, and building IR tabletops to try to give my team room to learn and expand their skills. This is a time-consuming exercise, and it doesn't even cover the very costly certifications from a monetary standpoint…
With access to the Cyber Range, here is how I would approach it differently. I would build my own pathway using the Cyber Range's Learning Paths and Labs, then use the CTFs as my IR Tabletops. Both are critically important. I want the underlying theory and tool familiarity, but I also want to see how my team thinks through problems, and then use the theory and tools to work through those problems.
What is a Learning Path?
Learning Path: Our hands-on labs and tailored Learning Paths guide architects and engineers through the latest technologies and provide customized training by grouping content based on solution area and experience level.
Let's dive into building our own pathway for a Security Operations team.
General
- Cyber Range Blue Team This Learning Path provides a great introduction to common blue team tools including Wireshark and Security Onion. Security Onion is an open-source network visibility tool and IDS. It's a great prelude to any modern NDR or IDS system you may have within an enterprise environment. Heck, Security Onion is currently used within many mature enterprise environments as well.
- Threat Detection and Incident Response This broad Learning Path touches on Threat Detection, Incident Response, Security Monitoring, Threat Intelligence, Threat IOCs and TTPs. It should be required reading for anyone responding to modern threats today.
- AI Security
- Cyber Range Red Team This Learning Path introduces red team tooling. It includes many exercises around password cracking, using enumeration tools like Nmap and DirBuster. I don't believe every Security Operations member must be fluent with all red team things. However, there is a great benefit to understanding how threats move around a network. The more you know about threats and their tactics, the better you can defend against them.
Endpoint Specific
- Crowdstrike EDR Learning Path
- SentinelOne XDR Learning Path
- Palo Alto Cortex XDR Learning Path
- Elastic Endpoint Security Lab
- Cisco XDR Sandbox Lab
Network Specific
- Network Security Learning Path
- Palo Alto NGFW or Cisco NGFW Learning Paths
I include multiple lessons using different technologies for a couple of reasons. As a responder, you don't always have a choice in your tools to respond with. If you are lucky, you'll have a full tool stack you are comfortable with to triage and respond. In my experience, it doesn't always shake out that way.
Sometimes, it's a different part of the company and their security stack is different - so you must learn on the fly to get the data you need to respond.
In other situations, EDR may not be implemented. Or that part of the network is not tapped, and you have zero network data; now you must rely on and use those core OS-level skills to triage and respond.
Being familiar with one EDR technology gives you a solid foundation for other EDR vendors. Will the search syntax change? Almost assuredly. However, the data points collected are quite similar; it is the responder's job to be able to search, manipulate, and dig for the information they need. The methodologies to do this transcend specific tool knowledge. The key, as with all learning, is repetition: being presented with a problem and working through it, over and over and over again.
That's what the Cyber Range is for: repetition. Take a look at the entire available library.
Capture the Flag (CTFs)
Time to talk CTFs. WWT's Cyber Range CTFs are a great way to test your mettle. They come in many shapes and sizes, including On Demand, free monthly CTFs, and OEM-specific CTFs to hone your skillset specific to your enterprise.
On-Demand Labs
Initiation: Consider this demo the tutorial level for our CTF events. You will be introduced to the features and functionality of WWT's Cyber Range CTFs, as well as provided tips for success in future events.
CH3M1C41_SP1LL: Hope your team took the red team training learning path! Use Metasploit, Burp, and Hashcat to weasel your way into an OT environment. Even blue teamers should be familiar with some of these red team tools – it will only help the defenders!
Welcome to the League (Coming soon): As a continuation from initiation, this includes actual phishing, and response scenarios. Super excited to see this one drop in the next couple of months!
Live Labs
🔍 Haystack CTF: The Hunt for IOCs
Immerse yourself in the world of Intrusion Detection in our Blue Team game, Haystack. Your mission is to follow the trail of Indicators of Compromise (IOCs) and spot the tell-tale signs of cyber threats. It's a mix of fun, challenge, and learning - an experience you don't want to miss!
🦅 CrowdStrike CTF: Falcon
A must if your team uses the CrowdStrike platform. This is a mixed-style CTF event that will require you and your team to zero in on malicious actors inside of a network, identify vulnerable or outdated services, and brace yourself for a real-time series of cyber-attacks. Points will be awarded for finding those exploits, remediating them to the best of your ability, and defending Iron Guardian's network.
Explore more live and on-demand scenarios, and follow as we add more every quarter!
Use these as tabletops for your IR teams
Tabletops are incredibly important. They are a chance to work on your incident management plan in a scenario or environment that you are not familiar with. This gives leadership and senior responders a great view into the team.
Some questions for those leaders to think about.
- Are there any weaknesses I can observe, either from a methodology or a tooling standpoint?
- How does my team communicate issues? Are they staying calm, cool, and collected (triple C) even if there are disagreements?
- How is my team sharing information? Is a method for doing so defined in the incident management plan? We must be able to collect evidence, share ideas, and document searches (for repeatable findings).
Use these CTFs to work through your incident management plan. Find the holes. Grade yourself harshly, but fairly. And don't put pressure on the team. These CTFs should be treated as learning only, and that learning is for them. It provides your team the much-needed exposure to new tools and new threats. It's also a great opportunity for every leader to see how your team would respond to new situations. Make observations and fill the holes or reinforce where needed.
You will often encounter things you've never experienced before.
Many years ago, I was working through a tabletop as a responder. As I was checking some of the team's work, I found different answers than my team. I could show my work, but my work was wrong: I was only accounting for a subset of DNS requests rather than all of them (the requests lived in two different Splunk indexes). The team had the right answer, but since they couldn't provide the search, I was a bit more hesitant to trust their numbers. Worse, after many weeks had passed between the tabletop and our internal AAR (After-Action Review), we couldn't easily find their searches either.
I learned something important that day…
Each responder will think about a problem differently, and therefore use different methods of searching, analyzing, and filtering (and that's good!), but we must be able to recreate the results. I learned to always keep a running log of the searches used, along with screenshots or exports of the results. Oh, and perform your After-Action Review as close to the tabletop/event as possible.
This guidance was then given to my team not only for CTFs, but also for real-life incidents. We realized that most of our logic is sound, but through tiny differences in our searches, we get different results (especially if your Splunk search is 18 lines long).
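The lesson above, worked as an added example that is not part of the original post: a tiny search journal that records the scope of every search, its hit count and a hash of the exported results, so that the AAR can show exactly why two responders got different DNS counts. The sample events, index names, hosts and domains are constructed and hypothetical; `run_search` is a stand-in for a real Splunk query, not the Splunk API.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample DNS events standing in for two Splunk indexes that both
# hold DNS requests. Index names, hosts and domains are hypothetical.
EVENTS = [
    {"index": "dns_resolver", "src": "10.0.1.5", "query": "login.example.net"},
    {"index": "dns_resolver", "src": "10.0.1.7", "query": "cdn.example.net"},
    {"index": "fw_dns", "src": "10.0.2.9", "query": "login.example.net"},
    {"index": "fw_dns", "src": "10.0.1.5", "query": "update.example.net"},
]

SEARCH_LOG = []  # the running log every responder keeps during the exercise


def run_search(indexes, domain_filter=None):
    """Filter EVENTS by index (and optional domain), then journal the search.

    Each journal entry records the exact scope, the hit count and a SHA-256
    of the exported hits, so a search can be replayed and compared weeks
    later at the After-Action Review.
    """
    scope = sorted(set(indexes))
    hits = [
        e for e in EVENTS
        if e["index"] in scope
        and (domain_filter is None or e["query"] == domain_filter)
    ]
    export = json.dumps(hits, sort_keys=True).encode()
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "indexes": scope,
        "search": " OR ".join(f"index={i}" for i in scope)
                  + (f" query={domain_filter}" if domain_filter else ""),
        "count": len(hits),
        "result_sha256": hashlib.sha256(export).hexdigest(),
    }
    SEARCH_LOG.append(entry)
    return entry


def scope_diff(a, b):
    """Indexes covered by one journaled search but not the other.

    A non-empty result explains a count mismatch before anyone argues
    about whose number is right.
    """
    return set(a["indexes"]) ^ set(b["indexes"])
```

Run `run_search({"dns_resolver"})` beside `run_search({"dns_resolver", "fw_dns"})` and `scope_diff` points straight at the missing index, which is the discrepancy the story above describes.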
Finally, these are "real" environments. We, as responders, must be cognizant of our actions. If we blow away the SQL servers that are under investigation, then not only have we degraded the business, but we also lose any evidence sitting on that server (I hope EDR was on that machine!). It has been seen before…
Summary
To hit on the high points:
- Use the ATC Cyber Range, there are so many different labs and learning paths available to the SOC and Responders.
- Get creative with your training plans, and make it fun for the team to go out and learn.
- Test yourselves as a team using the CTFs. The ATC is actively getting support so the Cyber Range can be used for Continuing Education credits! Keeping up with CPEs is always cumbersome; the Cyber Range is looking to make it easier for practitioners to get credit for their learning.
If you have any questions, please reach out to me, Zach Carnes, or the Cyber Range team (cyberrange@wwt.com).