Combitech Denmark –Supporting education in Incident Response and Cyber Threat Intelligence

Combitech Denmark’s David Thejl-Clayton has been an integral part of the newly launched “Incident Response” course at Erhvervsakademi Aarhus (EAAA). Not only has David helped to create the syllabus for the course, he has also given guest lectures during the course, sharing his knowledge of incident response and cyber threat intelligence.

Lasse Moisen, a student who just finished the incident response course, tells “The course, Incident Response at EAAA has definitely showed me what's on the other end of a red team or hackerengagement. How to detect, respond and to hunt for malicious activity and it's so exciting to find and to investigate an attack. We have been given tonsof tools to further our knowledge about incident response and to prepare us for the real thing”.

Additionally to supporting the course, David has helped EAAA build up their lab concept, ‘Saga Lab’. David says, “The name for Saga Lab came to me when we were first in the whiteboard design phase. I wanted a name that reflected the idea that the lab was for telling stories to the students. We knew at some point we wanted to emulate real threat actors, and this was the whole ‘story’ concept, so the name just stuck instantly, and we rolled with it from then”.

Saga Lab also reflects the kinds of environments that the students will end up working with when they join an organization as a cyber security specialist. “I wanted to give the students some real tools that they could get hands on with, that would be roughly what they could expect to work with when they start their cyber security careers. We focused heavily on open source tooling in Saga Lab to also give the students the opportunity to see how powerful these types of tools are”, David comments further.

The final cherry on top of the support for EAAA came when Andrew Michal, the lead lecturer for the PBA IT-Sikkerhed, asked David if Combitech Denmark would be willing to use our experience with the TIBER framework to emulate a real threat actor inside ‘Saga Lab’ for the students end of course exam. The idea was that the students would be dropped into a real-life scenario, where they would need to research the threat actor and hypothesize the types of tools and techniques they might expect to find within the attack and then create some hunting queries and detections to aid their response.

Combitech Denmark is heavily involved in TIBER engagements, both on the cyber threat intelligence side, but also on the Red team side. With this experience Combitech Denmark was able to lend both David and one of our Red team, Petko Melin, to this task.

The threat actor that was chosen was one that is highly likely that the students will meet when they begin working within an organization. This actor is prolific in their widespread attacks and made the perfect candidate for emulation as Combitech Denmark had recently updated their cyber threat intelligence profile on this actor.

David sculpted the scenario for the exam and then sent it over to Petko for his approval. In this process it was identified that in the essence of “fairness” they would need to tweak the scenario a little. David explains “It is likely that in responding to an attack by this actor that a lot of their attack would be performed in memory leaving fewer artifacts behind for detection. Given that this was the students first time in this sort of environment, we chose to make a few ‘mistakes’ and drop a few more artifacts to disk so that students who used simple hash searches for known tools would also get a leg up in their hunting. It is worth remembering that attackers make mistakes and with these actions we were also emulating those mistakes”.

With the scenarios crafted, it was then up toPetko to perform the attack within the individual ‘Saga Lab’ instances. Utilizing awell-known offensive security tool, Petko set about emulating the threat actorstep by step recording his actions as he went.

Petko comments “To have the chance to support an initiative like this filled me with pride and I am incredibly grateful to have been asked to carry out this attack. It is a very rare type of exam which would give the students as near to a real-life chance at responding to an attack as possible. I thoroughly enjoyed performing the attack scenarios and it gave me good experience that can only benefit my work within the TIBER framework too”.

The exam period ran for 3 weeks, with Petko supporting at various stages ensuring that the environments were continuously calling back to the offensive command and control server setup specifically for this task. At the end of the exam period, Petko and David were invited to give a debriefing of the attack to the students. Petko adds “It wasgreat to have the opportunity to debrief the students on the attack scenarios and give them a brief demonstration of part of the attack so they can get the idea of how things look from the attacker'sperspective too. I learned a lot from giving the debriefing that I can bring back to my daily work with Combitech’s customers."

Lasse Moisen was kind enough to offer his feedback. “Amazing.. Just utterly blown away after I learned that we would actually have a real attack emulation on the Saga Lab.To first study an APT group through cyber intelligence and then utilize that knowledge to hunt for the threat actor in the environment was so exciting. We were able to use the tools and knowledge from the course to do the hunt in a structured way and not feel like looking for a needle in a haystack. And thank you for the debrief yesterday and a crazy good IR exam! It was cool to hear how the attack was done.”

Combitech Denmark is incredibly proud of both David and Petko and has seen the value it can bring upporting this type of education. David and Petko have plans to take the ‘Saga Lab’ concept on the road and bring it to our customers, where they can use it as a demonstration or workshop scenario and give customers near real life experience with some of these scenarios.