How to Survive CERT Cyber Drill--By Avinash Sinha

About the Author

Avinash Sinha is a Security Consultant working with Aujas. Previously he worked with IBM India Pvt Ltd as an Application Security Consultant. His key areas of interest include vulnerability assessments, secure code review, security research, penetration testing, mobile application security and network infrastructure protection.

Today I will be walking you through how to survive a CERT Cyber Drill. Many people confuse the CERT Empanelment process with the CERT Cyber Drill, but there is a huge difference between the two. In the CERT Empanelment process you are provided with a DVD that contains a vulnerable application image, and you have to find all the vulnerabilities in that image. CERT already has a list of findings for that application; they compare it with your reported findings and generate a compliance score. If they see fit, you progress to the next round, where you have to solve some challenges that are a bit more complex.

In this article we will not focus on the CERT Empanelment process but on the CERT Cyber Drill. We will cover the flow of the drill, who is involved and who does what, so that the next time you participate in a CERT Cyber Drill you can keep this handy ☺

Prerequisites Before the Drill

Equipment: IBM ISS Site Protector, Cisco ASA Firewall, IBM ISS Proventia and IBM Q-Radar (these can differ from organization to organization).


The CERT Cyber Drill starts at 10 AM, so make sure you are all set with your NIPS, SIEM and firewall in place. The CERT team sends you a DVD 12-15 days before the actual drill, so you have all that time to prepare how and where you need to install the vulnerable application image. The first thing you would want to do is install it on a test server and have your application security team analyse the application. As the saying goes, "knowing is half the battle": you would want to know all the vulnerabilities within the application, at both the network and the application level. This way you will already be aware, if the CERT team launches an attack, where the pinpoint would be or which way they will get into your server. The objective of this drill is to analyse how efficiently you can detect an attack, raise an incident-level ticket along with the remediation, and share the same with the corresponding team, which in this case is the CERT team itself.

The CERT Cyber Drill takes place in two parts. The first part consists of an attack phase (10 AM - 2 PM) and the second of an incident response and escalation matrix phase (2 PM - 5 PM). I will share my experience from the recent CERT Cyber Drill I was part of. To tell you the truth, one must always go through at least one CERT Cyber Drill; it is amazing to learn and know how an attacker plans an attack, how he takes over your system, how your data gets compromised and, best of all, how your system starts attacking other systems without your knowledge. On the other hand you will also get to know and learn, when there is a real-time attack, how it gets detected, how your Network Intrusion Prevention System (NIPS) works, how your firewall works (if at all they work), and whom to reach out to in your organization. This is the one place where you can see and observe how your AppSec team, Network team, SIEM team and SOC team work, i.e. one complete cycle from attack detection to raising an incident ticket with the appropriate team, and believe me it's a lot of fun!!!

A day before the drill, make sure you have installed the image and that all your devices and software are properly configured, and conduct a prior drill by having your penetration testing team perform the attacks they discovered during the analysis phase. This is done to check whether your firewalls and SIEM tool are detecting the attacks or not; if not, rules/signatures must be written to detect them. The CERT team makes it clear that you should enable your detection systems but not block an attack, so make sure you do this rehearsal in an isolated environment. All the guidelines for installation will be provided by the CERT team; make sure to follow them thoroughly. Install the IRC chat client provided by the CERT team. The CERT team will warn you every time they start an attack, and your responsibility is to detect the attack and to record the time accurately for every attack, as time is a very crucial factor. This is because on your SIEM system (in our case IBM Q-Radar) you will see multiple different attacks being detected and logged. Ensure that you record the correct attack, vulnerability, source IP and time when they say they are launching an attack. Also, only ports 80 and 21 are kept open during the drill. Don't panic if you see attacks coming from various external IPs belonging to Taiwan, Canada, Belgium and, of course, India. Make sure to note down the source IPs and segregate them country-wise, as this will help you when you raise an incident ticket and will also narrow the scope of finding the attacker's IP.
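The record the article asks you to keep for every attack (accurate time, source IP, attack type) and the country-wise grouping of sources can be produced directly from web-server logs rather than by hand. The following is an added example, not code from the article or from any of the tools it names: it parses Apache combined-format access-log lines, classifies each request with a small set of detection patterns, and groups the attacking sources by country. The log lines, the IP-to-country table and the patterns are constructed for this example; in a real drill the country comes from the SIEM's GeoIP enrichment, and the pattern set is a starting point rather than a complete signature set.

```python
"""Added example (not part of the original article): build the per-attack
record the drill asks for (timestamp, source IP, attack type) from
web-server access-log lines, and group the sources by country.
All sample data below is constructed."""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed sample log lines in Apache combined-log format.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2013:10:21:03 +0530] "GET /index.php?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "sqlmap/1.0"
198.51.100.7 - - [12/Mar/2013:10:21:09 +0530] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 233 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2013:10:22:41 +0530] "GET /view.php?page=../../../../etc/passwd HTTP/1.1" 200 1802 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2013:10:25:00 +0530] "GET /wp-content/plugins/code-generator/upload.php HTTP/1.1" 200 845 "-" "Mozilla/5.0"
192.0.2.55 - - [12/Mar/2013:10:25:12 +0530] "POST /wp-content/plugins/code-generator/upload.php HTTP/1.1" 200 21 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2013:10:30:00 +0530] "GET /about.html HTTP/1.1" 200 1000 "-" "Mozilla/5.0"
"""

# Constructed lookup standing in for the SIEM's GeoIP enrichment.
IP_COUNTRY = {
    "203.0.113.10": "Taiwan",
    "198.51.100.7": "Belgium",
    "192.0.2.55": "Canada",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Patterns are applied to "METHOD decoded-path" so that %27 / %3C style
# encoding does not hide the payload. First match wins.
ATTACK_PATTERNS = [
    ("SQL injection", re.compile(r"('|\")\s*(or|and)\s+[\w'\"]+\s*=|union\s+select|--\s*$", re.I)),
    ("Cross-site scripting", re.compile(r"<script|javascript:|onerror\s*=", re.I)),
    ("Local file inclusion", re.compile(r"\.\./|/etc/passwd|php://", re.I)),
    ("Malicious file upload", re.compile(r"^POST .*upload\.php", re.I)),
]


def classify(method, path):
    """Return the attack label for one request, or None if it looks benign."""
    subject = f"{method} {unquote(path)}"
    for label, pattern in ATTACK_PATTERNS:
        if pattern.search(subject):
            return label
    return None


def build_timeline(log_text):
    """Parse log lines into time-ordered records of detected attacks.
    Benign requests and lines that do not parse are skipped."""
    records = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m["method"], m["path"])
        if label is None:
            continue
        records.append({
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "src": m["ip"],
            "country": IP_COUNTRY.get(m["ip"], "unknown"),
            "attack": label,
        })
    return sorted(records, key=lambda r: r["time"])


def sources_by_country(records):
    """Group the distinct attacking source IPs by country."""
    groups = defaultdict(set)
    for r in records:
        groups[r["country"]].add(r["src"])
    return {country: sorted(ips) for country, ips in groups.items()}


if __name__ == "__main__":
    timeline = build_timeline(SAMPLE_LOG)
    for r in timeline:
        print(f'{r["time"]:%H:%M:%S}  {r["src"]:<15} {r["country"]:<8} {r["attack"]}')
    print(sources_by_country(timeline))
```

Note that the GET of the upload page is left unflagged and only the POST to it is recorded as a file upload; the point of the timeline is to line up with the moment the CERT team announces each attack, so noise should be kept out of it.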

Phase I- The Attack

At approximately 10 AM you will see a lot of traffic coming in and hitting your vulnerable server. Your SIEM and firewall will start detecting it as a DoS attack. This is just done by the CERT team to check whether the connectivity is properly set up or not. In our case they started the attack at 10:20. They started with a port scan and scanned all the ports. During this scan you can observe on IBM Q-Radar that a series of ports is getting scanned. You can also observe it showing teardrop, Smurf attack, Ping of Death, UDP flood etc. Next will be the web application scan; you will see a lot of XSS, SQL injection, LFI, unauthorized FTP login attempts, shell command injection and HTML injection in Q-Radar.

Now, as per our analysis, we had a list of vulnerabilities in the vulnerable image; however, below are those that may have been leveraged during the attack:

1. XSS
2. SQL injection
3. Vulnerable XAMPP
4. phpMyAdmin blank password
5. Code Generator WordPress plug-in
6. FTP unauthorized access
7. Vulnerable version of FCKeditor
8. Vulnerable version of FileZilla

Phase II- The Incident Escalation MATRIX

The attack ends at around 2 PM, and now you are asked to share the POCs of the attack detection. In this phase all your teams have to share the POCs of the attacks that occurred and were successful. So for every attack, such as the "Malicious File Upload", you will be required to share a POC with all the details. Make sure your Q-Radar and firewalls are set to informational-level logging during the attack period. I know there will be a lot of logs generated, but this is required and you will know in the end why ☺. So in the second phase the CERT team asks you questions such as, while raising the incident-level ticket based on the type of attack, who is the owner of the asset and who is the corresponding manager, for example your SOC Manager for any network-based attack. In all such emails your CISO/GM-IT Security are kept in the loop. This is not because you had a network/application scan or hits for different attacks, but because your system/customer data got stolen, your website got defaced, and all the other attacks that were successful. Every organization has an Incident Management Escalation Matrix; just make sure you follow that. Make a compact report and share it with the CERT team.

The attack stages shown in the original's escalation figure, from the first reconnaissance to your own system attacking others:

1. Port scan
2. Web application scan
3. Malicious file upload (Code Generator WordPress plug-in)
4. Uploading C99 shell
5. Website defacement
6. phpMyAdmin access
7. SQL database export
8. File upload vulnerability used to upload a DoS/DDoS script
9. System is completely compromised and becomes part of a zombie network
10. Attacking other targets using your compromised system as source

FUN Facts during the CERT CYBER DRILL

During the drill everyone is alert about which attack is coming next. For an hour you will have your lunch break. Make sure you don't leave your seat empty; have someone monitor during that period too. During this CERT drill they launched an attack when you were supposed to be on break. Though many technical SPOCs were out for lunch, a few of them were still present and monitoring was still on, so everything was captured right on time. It's a good lesson that an attacker won't attack only when you are on shift, but also when you are having your lunch or sleeping at night.

Now, if you observed IBM Q-Radar, though many attacks were detected, not all successful attacks were shown in Q-Radar. Let's see why this happened. This is because of the way the C99 shell was uploaded. It was not shown in Q-Radar; however, as the logging level was set to informational at syslog, all logs were captured and you could observe that it was a series of three PHP files. One was code to provide an upload facility, the second was the upload of the C99 shell, and the third was code to perform a DoS/DDoS attack. If there is a feature to upload anything, it will go unnoticed unless detection is based on the signature of that particular file or on analytics, such as looking for calls to system-level commands present in that file. You may share POCs close to PHP script injection.
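The "analytics" alternative to a file signature that the article mentions can be implemented as a static scan of the uploaded PHP content. The following is an added example, not the article's code and not any SIEM product's rule: it looks for PHP functions that execute operating-system commands or evaluate code, flags request parameters flowing straight into such a call, and adds a few indicators for obfuscation and socket loops, then scores each file. The three file bodies are constructed, deliberately inert stand-ins for the upload-helper / web-shell / flood-script chain the article describes; the function names, indicator list and score thresholds are this example's own assumptions.

```python
"""Added example (not the article's code): content analytics for uploaded
PHP files, looking for system-level calls rather than a file signature.
The sample files and thresholds are constructed for this example."""
import re

# PHP functions that execute system commands or evaluate code; a plain
# upload handler has no reason to call any of these.
SYSTEM_CALLS = ["system", "exec", "shell_exec", "passthru", "popen",
                "proc_open", "eval", "assert"]

# Weaker indicators that commonly appear in obfuscated or abusive scripts.
INDICATORS = [
    ("obfuscation", re.compile(r"base64_decode\s*\(|gzinflate\s*\(|str_rot13\s*\(", re.I)),
    ("user-controlled include", re.compile(r"(include|require)(_once)?\s*\(?\s*\$_(GET|POST|REQUEST)", re.I)),
    ("socket loop", re.compile(r"(while|for)\s*\(.*\)\s*\{[^}]*fsockopen", re.I | re.S)),
    ("sets no time limit", re.compile(r"set_time_limit\s*\(\s*0\s*\)", re.I)),
]
CALL_RE = re.compile(r"\b(" + "|".join(SYSTEM_CALLS) + r")\s*\(", re.I)
# A system call whose argument comes directly from the request is the strongest signal.
TAINTED_RE = re.compile(r"\b(?:" + "|".join(SYSTEM_CALLS) + r")\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)", re.I)

# Constructed stand-in for file 1: an ordinary upload form handler.
UPLOADER = """<?php
if (isset($_FILES['f'])) {
    move_uploaded_file($_FILES['f']['tmp_name'], 'uploads/' . basename($_FILES['f']['name']));
}
?>"""

# Constructed stand-in for file 2: the shape of code a web shell contains.
SHELL_LIKE = """<?php
if (isset($_GET['cmd'])) { echo "<pre>" . system($_GET['cmd']) . "</pre>"; }
eval(base64_decode($_POST['p']));
?>"""

# Constructed stand-in for file 3: a script that keeps opening sockets.
FLOOD_LIKE = """<?php
set_time_limit(0);
$target = "target.invalid"; // placeholder, not a real host
while (true) { $s = @fsockopen($target, 80); if ($s) { fclose($s); } }
?>"""


def scan_php(source):
    """Return the findings for one PHP source text."""
    calls = sorted({m.group(1).lower() for m in CALL_RE.finditer(source)})
    tainted = TAINTED_RE.search(source) is not None
    hits = [name for name, pattern in INDICATORS if pattern.search(source)]
    score = 2 * len(calls) + len(hits) + (5 if tainted else 0)
    return {"system_calls": calls, "tainted_call": tainted, "indicators": hits, "score": score}


def verdict(findings):
    """Map a score to a triage label (thresholds are this example's assumption)."""
    if findings["tainted_call"] or findings["score"] >= 5:
        return "malicious"
    if findings["score"] > 0:
        return "suspicious"
    return "clean"


def scan_uploads(files):
    """Scan a mapping of filename -> source and return filename -> verdict."""
    return {name: verdict(scan_php(src)) for name, src in files.items()}


if __name__ == "__main__":
    chain = {"upload.php": UPLOADER, "c99.php": SHELL_LIKE, "dos.php": FLOOD_LIKE}
    for name, src in chain.items():
        print(name, scan_php(src), verdict(scan_php(src)))
```

Run against the three-file chain, the upload helper scores clean (no reason to flag a plain `move_uploaded_file`), the shell-like file scores malicious because a request parameter feeds `system()`, and the flood script only scores suspicious: it calls no system-level function, so it is caught by the weaker socket-loop and `set_time_limit(0)` indicators. That last result is the practical lesson of the article's observation: the first two files are what content analytics can catch, while the third is better confirmed from the outbound traffic it produces.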

Make sure that in the last POC, for the DoS/DDoS attacks, the traffic is generated from your system as the source, so all the attacks that were previously coming from an external IP to your IP are now the other way around.
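The direction reversal the article describes is the signal to look for in the firewall or flow logs: the drill host stops being the destination and starts originating a burst of connections to one external address. The following is an added example, not code from the article or from the ASA/Q-Radar products it names: it classifies each connection record as inbound or outbound relative to the drill host and raises an alert for any minute in which the host opened more than a threshold of connections to a single destination. The connection records, the host address and the threshold are constructed assumptions for this example.

```python
"""Added example (not from the article): detect the drill host becoming the
*source* of flood traffic from firewall connection records.
Records, addresses and threshold are constructed for this example."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

INTERNAL_HOST = "10.0.0.5"   # the drill's vulnerable server (constructed address)
OUTBOUND_THRESHOLD = 50      # new outbound connections per minute to one destination


def make_sample():
    """Constructed connection records as (time, src, dst, dport) tuples."""
    base = datetime(2013, 3, 12, 13, 40)
    recs = []
    # Normal: a few inbound web hits from an external scanner.
    for i in range(5):
        recs.append((base + timedelta(seconds=i), "203.0.113.10", INTERNAL_HOST, 80))
    # Normal: a handful of outbound lookups, well under the threshold.
    for i in range(10):
        recs.append((base + timedelta(minutes=2, seconds=i), INTERNAL_HOST, "192.0.2.20", 53))
    # Compromised: the server sprays 120 connections at one external target in 40 seconds.
    for i in range(120):
        recs.append((base + timedelta(minutes=5, seconds=i // 3), INTERNAL_HOST, "198.51.100.200", 80))
    return recs


def direction(src, dst, host=INTERNAL_HOST):
    """Classify a connection relative to the monitored host."""
    if dst == host:
        return "inbound"
    if src == host:
        return "outbound"
    return "transit"


def outbound_bursts(records, host=INTERNAL_HOST, threshold=OUTBOUND_THRESHOLD):
    """Return (minute, destination, count) for every minute in which `host`
    originated more than `threshold` connections to a single destination."""
    per_minute = defaultdict(Counter)   # minute -> Counter of destinations
    for ts, src, dst, _ in records:
        if direction(src, dst, host) != "outbound":
            continue
        per_minute[ts.replace(second=0, microsecond=0)][dst] += 1
    alerts = []
    for minute in sorted(per_minute):
        for dst, n in per_minute[minute].items():
            if n > threshold:
                alerts.append((minute, dst, n))
    return alerts


if __name__ == "__main__":
    for minute, dst, n in outbound_bursts(make_sample()):
        print(f"{minute:%H:%M} {INTERNAL_HOST} -> {dst}: {n} new connections (outbound burst)")
```

The same records would produce nothing if the host were only being scanned, because inbound traffic is filtered out before counting; that asymmetry is what lets the POC show the external-to-internal attacks of the morning and the internal-to-external flood of the afternoon as two different things.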

Hope you enjoyed reading. ☺