Extremely Detailed Slide Content Ideas


Report: Incident Response Tabletop Exercise (IRTx)

1. Introduction

The Incident Response Tabletop Exercise (IRTx) was conducted to simulate real-world attack scenarios and test the incident response capabilities of the Red and Blue Teams. The objective of the exercise was to validate the team objectives against the project targets and enhance the overall incident response capabilities of the organization.

The team members involved in the exercise were Luke Fincher (Red Team Lead),
Mohammed Jaber (Red Team), Phillip Wood (Blue Team Lead), Jake Seung Nam (Blue
Team), and Sam Prevett (Blue Team). Each team member actively participated in the
exercise, contributing their skills and expertise to the success of the event.

2. Objective and Target Validation

The team objectives were closely aligned with the project targets. The Red Team aimed to successfully perform an active Nmap scan of the target network, implant a reverse shell using Netcat with remote code execution via SSH, and orchestrate a DDoS attack using Slowloris. The Blue Team's responsibilities included detecting and defending against the Nmap scan, preventing and responding to the reverse shell, and mitigating the DDoS attack.

Throughout the exercise, the team successfully achieved a minimum of three targets, validating their objectives against the project targets. The Red Team effectively executed the Nmap scan, implanted the reverse shell, and launched the DDoS attack, while the Blue Team detected, defended against, and mitigated these attacks.

3. Individual Team Member Achievements

The achievements of each team member were reviewed and verified during the exercise. Luke Fincher demonstrated strong leadership as the Red Team Lead, guiding the team in executing their objectives effectively. Mohammed Jaber contributed to the Red Team's successful execution of the Nmap scan, reverse shell implantation, and DDoS attack. Phillip Wood excelled as the Blue Team Lead, leading the detection and defense efforts against the Red Team's attacks. Jake Seung Nam and Sam Prevett actively participated in the Blue Team's response, effectively mitigating the attacks and ensuring network security.

4. Project Evaluation

The project timeframes, scope, and quality expectations were evaluated against the actual exercise. The exercise was completed within the allocated time frame, and the scope was comprehensive, allowing for thorough testing of the incident response capabilities. The quality expectations were met, with both teams demonstrating their skills and knowledge in detecting and responding to the simulated attacks.

5. Risk Strategy Review and Recommendations

The project risk strategy was reviewed, and recommendations were made to enhance the incident response process. It was identified that continuous monitoring and proactive vulnerability management should be emphasized to mitigate potential risks effectively. Implementing intrusion detection and prevention systems and conducting regular security awareness training for all team members were recommended to strengthen network security and incident response capabilities.

6. Incident/Event Identification Strategy

The effectiveness of the incident/event identification strategy was reviewed. The Blue Team successfully detected and identified the Nmap scan, reverse shell implantation, and DDoS attack using monitoring, logging, and mitigation services. The use of Kali Purple OS, terminal commands, the PortSentry tool, and Wireshark enabled efficient identification and analysis of the attacks.
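To make the Blue Team's identification step concrete, the following is an added example (not part of the report or the team's tooling) showing the two detection rules a monitoring script would apply to connection records for the scenarios above: a port sweep from one source, and the Slowloris pattern of many idle, incomplete HTTP requests. The record format and all addresses are constructed assumptions for the example.

```python
"""Detection rules over constructed connection records (added example, not from the exercise).

Each record: <epoch_seconds> <src_ip> <dst_ip> <dst_port> <event>
  SYN            -> new connection attempt seen
  PARTIAL_HEADER -> an HTTP request whose header is still incomplete at that time
"""
from collections import defaultdict

SCAN_WINDOW_S = 5      # sliding window (seconds) over which distinct ports are counted
SCAN_MIN_PORTS = 10    # distinct destination ports from one source within the window
SLOW_MIN_OPEN = 20     # concurrent incomplete-header requests from one source

# Constructed sample: 192.0.2.10 sweeps 12 ports within 3 s; 198.51.100.7 holds 25
# half-finished HTTP requests open at once; 10.0.0.8 is ordinary traffic.
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + (p - 20) // 4} 192.0.2.10 10.0.0.20 {p} SYN" for p in range(20, 32)]
    + ["1700000100 198.51.100.7 10.0.0.20 80 PARTIAL_HEADER"] * 25
    + ["1700000200 10.0.0.8 10.0.0.20 443 SYN", "1700000290 10.0.0.8 10.0.0.20 443 SYN"]
)


def parse(log_text):
    """Turn the text records into (ts, src, dst, port, event) tuples."""
    recs = []
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port, event = line.split()
            recs.append((int(ts), src, dst, int(port), event))
    return recs


def detect_port_sweeps(records):
    """Return {src: max distinct ports} for sources that touch >= SCAN_MIN_PORTS
    distinct destination ports inside any SCAN_WINDOW_S-second window."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, event in records:
        if event == "SYN":
            by_src[src].append((ts, port))
    alerts = {}
    for src, hits in by_src.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):
            while hits[hi][0] - hits[lo][0] > SCAN_WINDOW_S:   # slide the window start
                lo += 1
            ports = {p for _t, p in hits[lo:hi + 1]}
            if len(ports) >= SCAN_MIN_PORTS:
                alerts[src] = max(alerts.get(src, 0), len(ports))
    return alerts


def detect_slow_http(records):
    """Return {src: count} for sources holding >= SLOW_MIN_OPEN incomplete HTTP
    requests open at the same instant (the Slowloris signature)."""
    open_at = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, _port, event in records:
        if event == "PARTIAL_HEADER":
            open_at[src][ts] += 1
    peaks = {src: max(c.values()) for src, c in open_at.items()}
    return {src: n for src, n in peaks.items() if n >= SLOW_MIN_OPEN}
```

Thresholds are placeholders; in practice they are tuned against a baseline of normal traffic so that legitimate multi-port clients do not trigger the sweep rule.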

7. Communication Effectiveness

The communication between team roles was evaluated and found to be effective. The established chain of command, including the manager, shift supervisor, and analyst, facilitated seamless communication and coordination during the exercise. Regular updates, reports, and documentation were shared among team members to ensure effective collaboration.

8. Recommendations for Improvement

Based on the lessons learned from the exercise, several recommendations were made to improve the effectiveness of the incident response process:

- Implement intrusion detection and prevention systems to enhance threat detection capabilities.
- Conduct regular security awareness training for all team members to enhance their knowledge of current threats and best practices.
- Establish a centralized incident response platform for efficient coordination and documentation of incidents.
- Enhance vulnerability management processes to proactively identify and remediate vulnerabilities.
- Develop a comprehensive incident response plan that includes clear guidelines and procedures for different attack scenarios.

9. Conclusion

The Incident Response Tabletop Exercise (IRTx) provided valuable insights into the incident response capabilities of the Red and Blue Teams. The exercise validated the team objectives against the project targets, reviewed individual achievements, evaluated project timeframes and quality expectations, and assessed the effectiveness of the incident/event identification strategy and communication between team roles. Recommendations were provided to improve the incident response process and enhance network security. Overall, the exercise served as a valuable learning experience and contributed to the organization's readiness to respond to real-world security incidents.

10. Questions & Answers

The presentation will conclude with a Q&A session, allowing participants to seek clarifications and further insights regarding the incident response exercise.

11. Appendix

Luke Fincher: Minutes + Agenda x1, AT3 Red Team document, Red Team Playbook, Evaluation + negotiation plan + CSO email document, Performance evaluation form, Communication report, this report.
Phillip Wood: Minutes + Agenda x1, AT3 Blue Team document, Blue Team Playbook, Evaluation + negotiation plan + CSO email document, IRP evaluation document (AT2 part 2), Briefing report (AT1), this report.
Mohammed Jaber: Minutes + Agenda x1, AT3 Red Team document, Observer Checklist, Evaluation + negotiation plan + CSO email document, Statement of work, this report.
Jake Seung Nam: Minutes + Agenda x1, AT3 Blue Team document, Rule of Engagement, Evaluation + negotiation plan + CSO email document, this report.
Sam Prevett: Minutes + Agenda x1, AT3 Blue Team document, Stakeholder status report, Evaluation + negotiation plan + CSO email document, Gantt chart, this report.
