I thought this would be a great example of Open Sourcing an idea I’m working on here at work. I’ll basically be quoting parts of a document I am preparing to provide context, but I’d like other people’s thoughts on the types of Exercises that could be run. This could actually be quite the resource if we could beef up the number a bit. I’ll release the full document once it’s done.

Background

As attempts to penetrate an enterprise’s security measures become more proactive through activities like viruses, malware and abuse of power, enterprises are having to become more and more reactive. At the same time, the amount of information which must not only be collected, but properly digested is increasing at an astronomical rate. In an attempt to reduce our ‘reaction mentality’, I am proposing that [Company] adopt several levels of ‘security exercises’.

Goals & Objectives

There are several key areas that these exercises will cover:

1. External attacks (known vulnerabilities)
2. External attacks (hacking)
3. Internal attacks (abuse of power)
4. Internal attacks (hacking)

These cover the large majority of issues which [Company] is likely to face. They will not cover malware or virus-related attacks, for several reasons, the biggest of which is that we wouldn’t want to release something into our environment that we couldn’t control. The second reason is that, by and large, these threats already fall under External Attacks.

Besides the general security concerns we would like to address, there are several knock-on benefits to doing security exercises:

1. Increased communication / cross-team awareness
2. Increased information dissemination
3. Post-exercise documentation

Communication

One of the core tenets of the Security Exercises will be that teams need to communicate (both in order to attack and in order to defend), and that each exercise will see different team members involved, and even rotated through responsibilities. As a result, teams are forced to communicate issues they are already aware of (an unpatched server, for instance) as well as issues they weren’t aware of (for example, the cascading effects of changes made to systems that the teams didn’t know about).

Through this communication, cross-team awareness and a growing sense of a single identity will develop naturally.

Information Dissemination

In preparation for exercises, teams will need to read and research the expected areas of attack (both as individuals and as groups). As a result, current security issues and techniques will naturally make their way onto the teams’ radar. For instance, if SQL Server were a target in late 2002, a Security Exercise would have brought forward the need to patch the servers, thus eliminating any threat of Blaster.

The Security Exercises are all about proactiveness, instead of reactiveness. By putting our staff on the ‘front lines’, so to speak, we can more easily anticipate security concerns.

Documentation

One of the key goals of every exercise is, at a very minimum, a series of ‘lessons learned’, ‘best practices’ and ‘items to tackle’ during the coming month before the next exercise. While more extended documentation can be useful, these bare minimum objectives provide the highest value for effort.

Exercises

The Security Exercises are all structured with 3 main ‘teams’:

1. Attackers
2. Defenders
3. Moderators

The Defenders are the team that ‘owns’ the system (in the Exercise, not necessarily in real life). The Attackers are those who are attempting to compromise a system, or remain in a compromised position (if the exercise is one where an infection must be patched, it could be viewed that the Defenders are actually on the offensive).

The final group, the Moderators, is optional and may be used for scoring, for keeping track of events and/or for ensuring that the activity keeps moving and does not stall. In addition, the Moderators may decide to move on to another exercise if it is determined that there is no real benefit to continuing the current one.

There are 3 types of Security Exercises which [Company] will look at conducting:

1. Targeted, protected
2. Targeted, unprotected
3. Generic

Each of these exercises can be run either on White Services (Production) or on Brown Services (Test / Isolated), and either in Active mode (teams reacting to each other as events occur) or in Scenario mode (the Defending team sets up its defenses first, then the Attacking team does whatever it wants).

An example of an exercise:

Capture the Mailbox
Attacker Objective: To send 1000 emails from the Defenders_Mailbox to the Attackers_Mailbox located on [Server_Name].
Defender Objective: Defend the mailboxes, servers and applications at all costs.
Time limit: 2 hours.
Attacker Win: If 1000 emails are successfully sent and received, the attackers have won. Do not get Tagged.
Defender Win: Defenders may either be reactive and defend the mailbox for the full exercise Time Limit, or they may be proactive and attempt to ‘tag’ the Attackers. A Tag occurs when the Defenders are able to force the attackers to use another workstation (port blocking, corruption of file system, virus infection, etc). Each Tag decreases the Remaining Time by 20 minutes. 3 successful tags and the Defenders win.
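As an added illustration (not part of the original post or the document it quotes), here is a small Moderator-side scorer that replays a constructed event log and applies the Capture the Mailbox rules above: the 2-hour limit, the 20-minute penalty per Tag, three Tags for a Defender win, and 1000 received emails for an Attacker win. The event shape and the sample log are my own assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Rules as stated in the Capture the Mailbox exercise above.
TIME_LIMIT_MIN = 120   # 2 hour time limit
EMAIL_GOAL = 1000      # emails that must reach Attackers_Mailbox
TAG_PENALTY_MIN = 20   # each Tag removes 20 minutes of Remaining Time
TAGS_TO_WIN = 3        # 3 successful Tags and the Defenders win

@dataclass
class Event:
    minute: int     # minutes since exercise start, as logged by the Moderators
    kind: str       # "mail": batch of emails received; "tag": a successful Tag
    count: int = 1  # emails in a "mail" batch (ignored for "tag")

@dataclass
class Scoreboard:
    emails: int = 0
    tags: int = 0
    deadline: int = TIME_LIMIT_MIN  # Remaining Time, expressed as an end minute
    winner: Optional[str] = None
    log: List[str] = field(default_factory=list)

def score(events: List[Event]) -> Scoreboard:
    """Replay a Moderator event log and decide the outcome under the exercise rules."""
    board = Scoreboard()
    for ev in sorted(events, key=lambda e: e.minute):
        if ev.minute > board.deadline:
            board.log.append(f"t={board.deadline}: time limit reached, mailbox held")
            board.winner = "Defenders"
            break
        if ev.kind == "tag":
            board.tags += 1
            board.deadline -= TAG_PENALTY_MIN
            board.log.append(f"t={ev.minute}: tag #{board.tags}, deadline now t={board.deadline}")
            if board.tags >= TAGS_TO_WIN:
                board.winner = "Defenders"
                break
        else:  # "mail"
            board.emails += ev.count
            board.log.append(f"t={ev.minute}: {board.emails}/{EMAIL_GOAL} emails received")
            if board.emails >= EMAIL_GOAL:
                board.winner = "Attackers"
                break
    if board.winner is None:  # no decisive event before the (possibly shortened) deadline
        board.winner = "Defenders"
    return board

# Constructed sample log: two Tags pull the deadline in to t=80, so the batch at t=85 is too late.
SAMPLE_EVENTS = [Event(15, "mail", 200), Event(30, "tag"), Event(50, "mail", 400),
                 Event(65, "tag"), Event(75, "mail", 300), Event(85, "mail", 150)]
```

Running `score(SAMPLE_EVENTS)` shows the Defenders holding at 900 emails with two Tags, since the second Tag moved the deadline ahead of the final batch.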

To be honest, I think the example Exercise is crap. I’d actually prepared a list of about 20 of these at my last job, and I’m not in the right state of mind.

These ideas, and any others that are submitted, are released under a ‘feel free to redistribute, but you must attribute the source’ license, just like all of Ensight.