IT Training Scenarios

1. SQL Injection

In this scenario, the organization is directly targeted by an attacker. A series of security flaws in the implementation of the environment enables the attacker to utilize externally accessible services in order to gain access to internal systems, extract privileged information and interfere with business processes. With this attack, trainees experience how various "simple" misconfigurations can be used by an experienced attacker and chained to generate critical business impact.

2. WMI Worm

In this scenario, trainees are faced with a worm outbreak in the internal network. They are required to analyze the attack flow, utilize forensic tools and perform basic malware analysis / reverse engineering in order to mitigate the threat. The attack simulates the characteristics of a modern Bot-Net and focuses on developing real time response capabilities.

3. Apache Shutdown

This scenario emulates an attack on an organization’s publicly accessible services. The attack disrupts operation of services and utilizes basic methods to strengthen the attacker's foothold in the system. In this scenario, trainees are confronted with a disruption to critical business components and need to act swiftly in order to maintain as much up-time as possible and to mitigate the attack. They are also witnessing basic levels of other aspects of the attack chain such as housekeeping and persistence.

4. Trojan Data Leakage

Spear phishing, one of the most widely used notorious modes of infiltration into an organization, takes advantage of human factor weakness through Social Engineering. The trainees experience first-hand the entire attack chain of a successful spear phishing attack that includes both breaking-in as well as exfiltration of sensitive information.

5. Java Applet NMS Kill

This attack emulates a watering-hole attack in which the attacker sits and waits for the victim to perform an expected action such as browsing a certain website. The second emphasis in this scenario is on the attacker "blinding the eyes" of the organization by taking down the monitoring services while performing other malicious activities.

6. Java Applet Send Mail

The scenario starts as a watering-hole attack, and then proceeds to emphasis on exfiltration of internal data by "eavesdropping" on all internal email communications in the company.

7. Killer Trojan

The attack vector chosen by the attackers in this scenario is infecting an office installation CD. This could have been executed by intervening in the supply chain or by replacing the disk inside the targeted company itself.

8. Ransomware

In this scenario, the system sends an email infected with ransomware. The email poses as legitimate email with a Word attachment. After an unsuspecting employee opens the document, the files on the system are encrypted and the employee is asked to pay a ransom to receive the decryption key. The trainee is trained to detect and analyze the attack and how to respond to it. How to investigate an image of the CNC server and use the revealed information to solve the case.

9. Trojan Share Privilege Escalation

In this scenario, a Trojan is sent by email to a user’s mailbox. The unsuspecting user executes the Trojan. The Trojan is then executed with user privileges and thus is limited. To escalate its privileges, the Trojan locates a script file in a publicly-available network share. The Trojan then injects the script with a command that enables it to create a new administrative account. Using the new account, the Trojan breaks into the database server and uses it as a gateway to upload secret files to the organization’s website and causes a major public data leak.

10. DDoS SYN Flood

In this scenario, the attacker uses many internet bots to generate a large amount of traffic on one of the organization’s web sites. The traffic floods, and eventually overloads the bandwidth and resources of the target, crippling the server and causing a denial-of-service (DoS) to the web server.

11. DDoS DNS Amplification

In this scenario, the attacker is using the organization’s DNS server to conduct a much wider DNS amplification attack, which is a reflection-based distributed denial of service (DDoS) attack on a target. The attacker sends DNS lookup queries with spoofed IP address of the target to vulnerable DNS servers that support open recursive relays, such as our DMZ-DNS server. The large number of DNS responses are sent "back" to the target as if it requested them, flooding the bandwidth and resources of the target, crippling the server and causing a denialof-service (DoS).

12. DB Dump via FTP Exploit

In this scenario, the system emulates an attack by exploiting a known vulnerability in the Pro FTP daemon ftp server [OSVDB 69562] to gain root permissions on the FTP server. The attacker then shuts down the FTP service and opens an SSH service listening on the same port as the original FTP service. Using the SSH service on the FTP port, the attacker uses its privileges to map the internal network in search of a DB server. When it finds a DB server, the attacker creates an SSH tunnel through the FTP server, which enables a direct SQL connection to the DB server. Once a direct SQL connection is achieved, the system uses brute force to gain access to the SQL server, and extracts the data using table enumeration. The attack is performed from a malicious laptop that is connected to the user segment.

13. Web Defacement

In this scenario, the system emulates an attack using brute-force against the SSH daemon on the Apache web server. After a successful brute-force, the attacker will replace the default website with its own uploaded “hacked” web site. The Trainee must identify and understand this attack, and recommend how to stop it.

14. SIEM-Disable

In this scenario the attacker uses a brute force attack to gain access to the public router. Upon successful login, the attacker modifies the router configuration web page to redirect users to a PDF that contains the malicious payload. When the document is opened, the malicious payload is executed, which opens a remote session to the attack machine.

15. WPAD Man-in-the-middle

In this scenario, the system performs a Man-in-the-Middle (MiTM) attack on the network. The attacker deceives hosts by impersonating a legitimate proxy in the segment. He does this by exploiting the Web Proxy Auto-Discovery (WPAD) Domain Name System (DNS) queries. Once all traffic from the user segment goes though the attacker, sensitive data is extracted and exfiltrated to the CNC server on the internet using two different methods - ICMP packets and DNS queries.

SCADA protocol scenarios (critical infrastructure)

1. HMI – Overloading the Plant

This scenario shows the dangers of attacks that originate from the internal network. In the scenario, the attacker initiates the attack on the SCADA network from the company's internal network. He exploits and compromises the management station of the SCADA system, the HMI (human-machine interface). After a full compromise, the attacker uploads a malware designed to stay on the HMI and connect to the physical PLCs (Programmable logic controller) in order to destroy the plant completely by overloading the turbines.

2. VPN – Shutting Down the Plant

This scenario demonstrates the dangers of attacks that originate from the internet and securing VPN access to the SCADA network. In the scenario, the attack starts by exploiting the well-known vulnerability, Heartbleed, on the VPN server, which resides inside the SCADA network. After successful exploitation, the attacker is able to gain access to the SCADA network from the internet (using the VPN). The attacker continues to connect to the PLCs and shut down the plant.

3. Field 2 Field – Silent Attack

This is an advanced scenario in which trainees are required to investigate a "silent" attack on the SCADA network by analyzing the protocol that is being used in SCADA networks. The attacker infiltrated into the network, which is located outside of the plant itself (a remote 'field'). From there, he scans the network and attacks the PLCs that are located inside the factory. The attack is executed in a "silent manner" without raising any physical indicators. In order to understand what the attack accomplishes exactly, trainees will have to investigate the Modbus protocol used in SCADA networks. The trainees will be given a cheat-sheet with references on the protocol and the PLCs.

Range Tools-

SIEM: Arcsight.

FW: Check Point FW.


VSphere Client.