Locked Shields 2018 at the starting blocks!

(by Alessandro Rugolo)
10/04/18

This year too, in Tallinn (but in practice across Europe), the largest cyber exercise in the world will be held as usual: Locked Shields.
Using the information from previous exercises and doing a minimum of OSINT, let's try to understand what it could focus on.

What do we know?

- we know that last year the exercise was held between 24 and 28 April;
- we know that the workshop entitled "Locked Shields Forensics Challenge" will be held between 15 and 17 May next, in which the results of the exercise will be discussed and possible solutions for the forensic aspects will be presented;
- we know that last year the dates were more or less similar.

To begin with, although there is still no official news, I expect the exercise to take place on the same dates, probably between 23 and 27 April or at most in the following week.

To understand what the exercise will focus on, I rely on the topics that will be covered in the "Forensics Challenge" (those already available, even if very generic) and on the main challenges that the cyber world has had to face in the last year.

Let's see if anything useful emerges from the analysis. Between 15 and 17 May, during the "Locked Shields Forensics Challenge", the following aspects will be covered:

- malicious traffic analysis;
- NTFS file system analysis;
- file analysis;
- various OS artefacts analysis;
- user behaviour analysis;
- malware identification.

During the past year, meanwhile, we have faced the following main problems:

- NotPetya and WannaCry;
- Spectre and Meltdown.

Among the emerging threats we find:

- possible variants of WannaCry, Spectre and Meltdown;
- "Ghostly Cryptomining" attacks;
- cloud hacking;
- social engineering tactics;
- new denial of service attack tactics;
- sandbox vulnerabilities;
- Process Doppelganging.

Among the new technologies we have instead:

- quantum computers and quantum cryptography;
- digital identity on blockchain;
- IoT.

I did not find anything on the internet about the exercise scenario, but it is probable that the system to defend is a nation-sized system that uses known technologies, based on the cloud and perhaps with digital identities and a cryptocurrency on blockchain. It would not be surprising if even generic devices (IoT) were found on the network, devices which, as everyone knows, are designed to be secure.

Now, with the above system in mind, I can make some assumptions about how the exercise could unfold and about some types of attacks that the Blue Teams could be called on to deal with.

First of all, the fact that the May "Forensics Challenge" session includes the entry "user behaviour analysis" makes me think that the attack will start from internal users, perhaps infected through e-mail attachments containing malicious code. Blue Teams will therefore need to focus on behavioural analysis of users and devices (IoT).

The malware could probably take advantage of the code injection technique called Process Doppelgänging, which emerged at the end of 2017; since that technique relies on NTFS transactions, this would also justify the indication to perform analysis on the NTFS file system.

The attacker's final goal could be to take possession of the distributed computing resources in order to make money through ghostly mining activities.

Naturally, all this is nothing but speculation based on the very little information available. One thing is certain: the exercise is coming soon and then, once again, Blue Teams and Red Teams will face off in the cyber field.

Good luck and, since it's a game, may the best win!

To learn more:
- https://ccdcoe.org/locked-shields-forensics-challenge-workshop-2018.html
- https://ccdcoe.org/new-research-red-teaming-technical-capabilities-and-c...
- https://www.cybersecurity-insiders.com/most-dangerous-cyber-security-thr...
- https://www.cdnetworks.com/en/news/2018s-most-dangerous-cyber-threats/6812
- https://www.tripwire.com/state-of-security/featured/5-notable-ddos-attac...
- https://niccs.us-cert.gov/training/search/champlain-college-online/opera...
- https://thehackernews.com/2017/12/malware-process-doppelganging.html

(photo: Defense archive)