Mohammed Jaber: Slide 1

Esteemed attendees, I extend my warm greetings to you all. My name is Mohammed Jaber, and I
was privileged to have been a member of the Red Team during the Incident Response Team
Exercise. Our dedicated team executed a diverse array of simulated attack scenarios, designed to
rigorously test and subsequently enhance the incident response capabilities of the RightPoint
organization. Today we will present an account of the Incident Response Team exercise (IRTx)
along with the lessons we have learned and our consequent recommendations. Firstly, Phillip and
Luke will go over the AT3 IRTx itself and what happened:
[TALK ABOUT IRTx] Slide 2 - 25
Luke Fincher: Slide 26
1. Introduction

The IRTx was carefully designed and implemented with the primary objective of simulating
realistic cyber attack scenarios, thereby testing the defensive and responsive capabilities of the
Red and Blue Teams. This intensive exercise strived to align our team objectives with the
broader project targets, thereby honing RightPoint's overall incident response framework.
2. Objective and Target Validation
The Red Team, under my guidance, and the Blue Team, capably led by Phillip Wood, worked
assiduously towards fulfilling their respective objectives. The Red Team's strategic intent was to
execute an active Nmap scan of the targeted network, implant a reverse shell using Netcat with
remote code execution via SSH, and conduct a DDoS attack using Slowloris. The Blue Team
was tasked with detecting and fortifying defenses against the Nmap scan; responding to, and
preemptively countering, the reverse shell implantation; and detecting and effectively mitigating
the DDoS attack.
3. Individual Team Member Achievements

As the Red Team Leader, I endeavored to exhibit exceptional leadership skills throughout the
exercise, directing the team towards effective execution of their objectives. Mohammed Jaber, a
key player from the Red Team, contributed immensely to the successful execution of the Nmap
scan, reverse shell implantation, and DDoS attack. On the Blue Team, Jake Seung Nam and Sam
Prevett actively participated in response efforts to ensure the threats were detected and handled
in a timely and efficient manner. Phillip Wood exhibited a thorough and practiced understanding
of the Blue Team playbook and procedures, ensuring that everything went as planned on the day
and the IRTx met all objectives.
Lessons Learned:
Performing this exercise has underscored to us the importance of effective leadership and
collaboration in ensuring successful outcomes during such critical incident response exercises. It
emphasized the need for an intricately coordinated and well-prepared effort, without which we
could not have successfully performed even this small exercise. A technical understanding of
cybersecurity is not sufficient without effective project management.
Phillip Wood: Slide 27
I am Phillip Wood, and I had the honor of leading the Blue Team through the Incident Response
Team exercise. Our team was tasked with the critical responsibility of detecting, mitigating and
fortifying defenses against the cyber attacks unleashed by the Red Team.
4. Project Appraisal
We have undertaken an exhaustive review following this exercise, including analysis of the
projected versus actual timeframes, scope, and quality expectations. I am pleased to announce
that the exercise itself was performed within the predetermined timeframe. As a whole, we
reached project milestones at the expected times, but did not anticipate all the challenges of
designing the Red and Blue Team playbooks and finalising this took about a week longer than
intended. Troubleshooting issues with our LAN connectivity also used up a day we had intended
to use for more substantial practice; in future we would set aside specific time for debugging /
troubleshooting. Regarding scope, we took on enough that it was a worthwhile challenge,
choosing three attack vectors which satisfied the objectives while being within our skillset to
implement and mitigate. The outcome of the exercise and overall quality of project deliverables
was as anticipated, if not a little higher. Having never planned or performed an IRTx before, we
did not have much of an expectation regarding quality, other than that we would meet the project
objectives, which we have done.
Lessons Learned:
Our experience underscored how crucial it is to continuously monitor all systems – without
proactive detection of the Red Team intrusions, their attacks would have gone unnoticed and the
impact been far greater. Vulnerability management needs to be continuous and proactive to
effectively foresee and mitigate security risks. To this end, we recommend the implementation of
sophisticated intrusion detection and prevention systems, coupled with regular security
awareness training to facilitate fast and effective incident detection and response from all team
members.
Mohammed Jaber: Slide 28
My name is Mohammed Jaber, and I am proud to have been an active member of the Red Team.
During the IRTx, I helped to execute a number of tasks critical to our three planned attacks, and I
feel privileged to have had the opportunity to participate in and learn from this comprehensive
project.
6. Incident/Event Identification Strategy
We have assessed the efficacy of our incident and event identification strategy following the
exercise, and believe that the Blue Team exhibited remarkable proficiency in detecting and
identifying the series of simulated cyber threats, namely the Nmap scan, the implantation of the
reverse shell, and the DDoS attack. This was achieved through the strategic utilization of
monitoring, logging, and mitigation services within the Kali Purple OS, such as the PortSentry
command-line tool; Wireshark packet sniffing software; and contextually-applied Linux terminal
commands. This significantly aided the identification and containment of the simulated attacks.
The success of this strategy is a testament to the efficient use of these resources, and to the
preparation and practice which the Blue Team undertook in order to do so.
Lessons learned:
Utilizing specialized tools and monitoring services enhances incident detection and analysis
capabilities, and it is vital to understand the inputs, mechanisms and outputs of these tools, to use
them effectively in time-sensitive scenarios.
Jake Seung Nam: Slide 29
Esteemed colleagues and guests, my name is Jake Nam and I was part of the Blue Team. It has
been an enriching experience to contribute to our team's efforts and to witness their culmination
in a successful outcome.
7. The Efficacy of Communication:
The well-structured hierarchy within our team, comprising the roles of manager, shift supervisor
and analyst, was instrumental in facilitating fluid and uninterrupted communication. This greatly
enhanced our coordination efforts throughout the duration of the exercise. Critical aspects of
information sharing, including regular updates and coordinated logging of monitored evidence,
demonstrated the efficiency of our collaborative efforts.
Lessons Learned:
The exercise has shown that clear communication channels are key to driving an effective
incident response. Our response to threats was dependent on the level of coordination between
team members. Human error is itself a threat to cybersecurity and needs to be minimised by
ensuring everyone knows their role and has the appropriate information as soon as possible.
Sam Prevett: Slide 30
Esteemed attendees, it is a privilege to address you today. I am Sam Prevett of the Blue Team. I
am grateful for the opportunity to have participated in this exercise.
8. Recommendations for Enhancement:

Reflecting on the lessons gleaned from the exercise, we have derived a set of recommendations
to improve the incident response process:
a. We suggest the implementation of advanced intrusion detection and prevention systems,
thereby augmenting our capacity to promptly identify and neutralize potential threats.
b. To bolster team-wide cyber proficiency, regular security awareness training programs
should be conducted, effectively enhancing our collective understanding of prevailing
threats and industry-standard mitigation strategies.
c. The establishment of a centralized incident response platform is recommended for the
efficient orchestration and documentation of incidents.
d. Our vulnerability management processes can be further refined to proactively detect and
remediate system weaknesses, thereby fortifying our defenses.
e. We propose an update to the incident response plan, detailing unambiguous guidelines
and procedures tailored for further common and uncommon attack scenarios.
Lessons learned: Continuous testing, evaluation and improvement are crucial for maintaining a
robust incident response process.
9. Conclusion:

In summary, the IRTx furnished us with insights into the capabilities of our Incident Response
Team to respond efficiently to cybersecurity incidents. The exercise successfully validated our
team objectives, demonstrating effective procedures for detection, containment, mitigation and
recovery from cyberattacks. The recommendations put forth today would serve to enhance our
response strategy and further solidify network security. This exercise has been a constructive
learning experience and has equipped us with the necessary skills to counter real-world security
incidents effectively.
Thank you for your attention. If you have any questions about anything we have discussed,
please feel free to ask them now. Slide 32

[Wait for Q & A]

Slide 33
