In this article we will be focusing on the CERT Cyber Drill. We will cover how the attack is planned, what the flow of the drill is, who will be involved and who does what, so that next time you participate in a CERT Cyber Drill you can keep this handy :)
How to Survive a CERT Cyber Drill - By Avinash Sinha
About the Author
Avinash Sinha is a Security Consultant working with Aujas. Previously he worked with
IBM India Pvt Ltd as an Application Security Consultant. His key areas of interest include
vulnerability assessment, secure code review, security research, penetration testing,
mobile application security and network infrastructure protection.
Today I will be walking you through how to survive a CERT Cyber Drill. Many people get
confused between the CERT Empanelment process and the CERT Cyber Drill, but there is a huge
difference between the two. In the CERT Empanelment process you are provided with a DVD that
contains a vulnerable application image, and you have to find all the vulnerabilities in that
image. CERT already has a list of findings for that application; they compare it with your
reported findings and generate a compliance score. If they see fit, you progress to the next
round, where you have to solve some challenges that are a bit more complex.
In this article we will not be focusing on the CERT Empanelment process but on the CERT Cyber
Drill. We will cover the flow of the drill, who is involved and who does what, so that next time
you participate in a CERT Cyber Drill you can keep this handy ☺
Pre-requisites Before the Drill
Equipment: IBM ISS SiteProtector, Cisco ASA Firewall, IBM ISS Proventia and IBM QRadar (these
can differ from one organization to another)
CERT CYBER DRILL
avisinha87@gmail.com
The CERT Cyber Drill starts at 10 AM, so make sure you are all set with your NIPS, SIEM and
firewall in place. The CERT team sends you a DVD 12-15 days before the actual drill, so you have
all that time to prepare how and where you need to install the vulnerable application image. The
first thing you would want to do is install it on a test server and have your application security
team analyse the application. As the saying goes, "knowing is half the battle": you want to know
all the vulnerabilities within the application, at both the network and the application level. This
way, when the CERT team launches an attack, you will already be aware of where the pin point is,
or which way they will be getting into your server. The objective of this drill is to analyse how
efficiently you can detect an attack, raise an incident-level ticket along with the remediation, and
share the same with the corresponding team, which in this case is the CERT team itself.
The CERT Cyber Drill takes place in 2 parts. The first part consists of an attack phase (10 AM - 2 PM)
and the second part consists of incident response and the escalation matrix (2 PM - 5 PM). I will
share my experience from the recent CERT Cyber Drill I was part of. To tell you the truth, one must
always go through at least one CERT Cyber Drill: it's amazing to learn and see how an attacker
plans an attack, how he takes over your system, how your data gets compromised and, best of all,
how your system starts attacking other systems without your knowledge. On the other hand you will
also get to see, when there is a real-time attack, how it gets detected, how your Network Intrusion
Prevention System (NIPS) works, how your firewall works (if at all they work) and whom to reach
out to in your organization. This is the one place where you can see and observe how your AppSec
team, Network team, SIEM team and SOC team work, i.e. one complete cycle from attack detection
to raising an incident ticket with the appropriate team, and believe me it's a lot of fun!!!
A day before the drill, make sure you have installed the image and all your devices and software
are properly configured, and conduct a prior drill by having your penetration testing team perform
the attacks they discovered during the analysis phase. This is done to check whether your firewalls
and SIEM tool detect the attacks or not. If not, rules/signatures must be written to detect them.
The CERT team makes it clear that you must enable your detection systems but not block an attack,
so make sure you do this activity in an isolated environment. All the guidelines for installation
will be provided by the CERT team; make sure to follow them thoroughly. Install the IRC chat client
provided by the CERT team. The CERT team will warn you every time they start an attack, and your
responsibility is to detect the attack and to record the time accurately for every attack, as time
is a very crucial factor. This is because in your SIEM system (in our case IBM QRadar) you will see
many different attacks being detected and logged. Ensure that you record the correct attack,
vulnerability, source IP and time whenever they say that they are launching an attack. Also, only
ports 80 and 21 are kept open during the drill. Don't panic when you see attacks coming from
various external IPs belonging to Taiwan, Canada, Belgium and, of course, India. Make sure to note
down the source IPs and segregate them country-wise, as this will help you when you raise an
incident ticket and also narrow the scope of finding the attacker's IP.
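The bookkeeping described above (attack, source IP and time for every announced attack, plus anything that arrives unannounced) is easy to script. The following is an added example, not code from the article; the IRC announcement times, the log lines and the "HH:MM ip event" log format are all constructed assumptions.

```python
"""Correlate CERT drill attack announcements with SIEM/syslog events.
Added example, not from the article; announcement times and log lines
are constructed, and a real QRadar export needs its own parser."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: what the drill team announces on IRC (time, attack).
ANNOUNCEMENTS = [("10:20", "port scan"),
                 ("10:45", "web application scan"),
                 ("13:05", "malicious file upload")]

# Constructed syslog-style lines: "<HH:MM> <source ip> <event name>".
SIEM_LINES = """\
10:21 203.0.113.7 TCP port scan detected
10:22 203.0.113.7 TCP port scan detected
10:46 198.51.100.9 SQL injection attempt /index.php
10:47 198.51.100.9 XSS attempt /search.php
11:30 192.0.2.44 ICMP ping of death
13:06 198.51.100.23 HTTP POST upload.php (PHP file)
""".splitlines()

def parse_line(line):
    ts, ip, name = line.split(" ", 2)
    return datetime.strptime(ts, "%H:%M"), ip, name

def correlate(announcements, lines, window_min=10):
    """Attach to each announcement the events seen within window_min
    minutes after it, grouped by source IP: attack, source and time are
    exactly the fields the incident ticket needs. Events that match no
    announcement are returned separately (nobody warned you about those)."""
    events = [parse_line(l) for l in lines]
    matched, report = set(), []
    for ts, attack in announcements:
        start = datetime.strptime(ts, "%H:%M")
        end = start + timedelta(minutes=window_min)
        by_ip = defaultdict(list)
        for idx, (ets, ip, name) in enumerate(events):
            if start <= ets <= end:
                by_ip[ip].append((ets.strftime("%H:%M"), name))
                matched.add(idx)
        report.append({"announced": ts, "attack": attack,
                       "sources": dict(by_ip)})
    unmatched = [(e[0].strftime("%H:%M"), e[1], e[2])
                 for i, e in enumerate(events) if i not in matched]
    return report, unmatched

if __name__ == "__main__":
    for entry in correlate(ANNOUNCEMENTS, SIEM_LINES)[0]:
        print(entry)
```

The unmatched list is the one to watch: it is where the lunch-break attack described later in the article would show up.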
Phase I - The Attack
At approximately 10 AM you will see a lot of traffic coming in and hitting your vulnerable server.
Your SIEM and firewall will start detecting it as a DoS attack. This is just done by the CERT team to
check whether the connectivity is properly set up or not. In our case they started the attack at
10:20. They started with a port scan and scanned all the ports. During this scan you can observe on
IBM QRadar that a series of ports is getting scanned. You can also observe it showing teardrop,
Smurf attack, Ping of Death, UDP flood etc. Next will be the web application scan, where you will
see a lot of XSS, SQL injection, LFI, unauthorized FTP login attempts, shell command injection and
HTML injection in QRadar.
Now, as per our analysis we had a list of vulnerabilities in the vulnerable image; however, below are
those that may have been leveraged during the attack:
1. XSS
2. SQL injection
3. Vulnerable XAMPP
4. phpMyAdmin blank password
5. Code Generator WordPress plug-in
6. FTP unauthorized access
7. Vulnerable version of FCKeditor
8. Vulnerable version of FileZilla
Phase II - The Incident Escalation Matrix
The attack ends at around 2 PM, and now you are asked to share the POCs of the attack detection.
In this phase all your teams have to share the POCs of attacks that occurred and were successful. So
for every attack, such as the "Malicious File Upload", you will be required to share a POC with all
the details. Make sure your QRadar and firewalls are set to informational-level logging during the
attack period. I know there will be a lot of logs generated, but this is required and you will know in
the end why ☺. So in the second phase the CERT team asks you questions such as, while raising the
incident-level ticket based on the type of attack, identifying the owner of the asset and identifying
the corresponding manager (for example, for any network-based attack, your SOC Manager). In all
such emails your CISO/GM-IT Security are kept in the loop. This is not because you had a
network/application scan or hits for different attacks, but because your system/customer data got
stolen, your website got defaced, and because of all the other attacks that were successful. Every
organization has an Incident Management Escalation Matrix; just make sure you follow that. Make a
compact report and share it with the CERT team.
Attacks observed during the drill:
1. Attacking other targets using your compromised system as source
2. System is completely compromised and becomes part of a zombie network
3. File upload vulnerability used to upload a DoS/DDoS script
4. SQL database export
5. phpMyAdmin access
6. Website defacement
7. Uploading a C99 shell
8. Malicious file upload (Code Generator WordPress plug-in)
9. Web application scan
10. Port scan
Fun Facts during the CERT Cyber Drill
During the drill everyone is alert about which attack is going to come next. For an hour you will
have your lunch break. Make sure you don't leave your seat empty and have someone monitor during
that period too. During this CERT Drill they launched an attack when you were supposed to be on
break. Though many technical SPOCs were out for lunch, a few of them were still present and
monitoring was still on, so everything was captured right on time. It's a good lesson that an attacker
won't tell you that he will attack only during your shift; he will also attack when you are having
your lunch or sleeping at night.
Now, if you observed IBM QRadar, though many attacks were detected, not all successful attacks
were shown in QRadar. Let's see why this happened. It is because of the way the C99 shell was
uploaded. It was not shown in QRadar; however, as the logging level at syslog was set to
informational, all logs were captured and you could observe that it was a series of 3 PHP files. One
was code to provide an upload facility, the second was the upload of the C99 shell and the third was
code to perform a DoS/DDoS attack. If there is a feature to upload anything, it will go unnoticed
unless detection is based on the signature of that particular file or on analytics such as looking for
calls to system-level commands present in that file. You may share POCs close to PHP script injection.
Note that in the last POC, for the DoS/DDoS attacks, the traffic is generated with your system as the
source, so all the attacks that were previously coming from an external IP to your IP are now
vice-versa.
Hope you enjoyed reading. ☺