INCIDENT RESPONSE IN PRODUCTION ENVIRONMENTS

The most effective way to learn how to respond to cybersecurity incidents is through real-world cyberattacks conducted within a company's production environment, engaging the personnel responsible for cybersecurity management in handling these scenarios. Training in testing environments cannot provide this invaluable experience. It is unwise to wait for an actual breach to occur; the Cyber Soldier Project application* allows for the safe, controlled execution of realistic cyberattack scenarios in production networks, enabling incident response training using the organization's available tools, such as EDR, NGFW, SIEM, and more.

Methodology IR

WHY PERFORM INCIDENT RESPONSE EXERCISES IN THE PRODUCTION ENVIRONMENT?

  1. Real-World Cyberattack Scenarios: The use of Cyber Soldier Project tools enables the safe, controlled execution of realistic cyberattack scenarios (based on Threat Intelligence) within a company’s production network. This approach enhances the skills of cybersecurity personnel in detecting cybercriminal activities early using the organization’s existing cybersecurity tools. Many cyberattack techniques (e.g., reconnaissance, brute force, Kerberos attacks) may be detected but not blocked by security systems. Early and accurate human response determines whether attackers can be removed before causing damage.
  2. Regulatory Compliance: Conducting realistic cyberattack scenarios in production environments helps organizations prepare to meet the stringent requirements of the national cybersecurity act (aligned with NIS2) and, in the financial sector, DORA standards for red team testing in production environments according to TIBER-EU (Threat Intelligence-Based Ethical Red Teaming).
  3. Real-World Vulnerability Detection: Simulating cyberattacks in production environments identifies vulnerabilities exploited during real-world breaches that cannot be detected using vulnerability scanners. Examples include excessive Active Directory privileges, weak service account passwords (Kerberoasting), configuration files with passwords in SMB directories, easy access to MS SQL, Oracle, and MySQL databases, misconfigured Microsoft Certificate Authority, service accounts vulnerable to Constrained Delegation, older Windows versions exposing high-privilege credentials (e.g., NTLM hashes, Kerberos tokens), exploitable web servers, systems prone to Command and Control operations, and more.
  4. Identifying Cybersecurity Gaps: Performing realistic cyberattack scenarios in production environments enables organizations to identify gaps in their cybersecurity systems (e.g., undetected attack scenarios requiring specialized tools). This ensures that cybersecurity expenditures are fully justified.


Cyber Soldier Project is an educational application that helps IT professionals without deep offensive knowledge (red team, hacking) execute realistic attack scenarios in IT systems. All attack scenarios are based on reliable Threat Intelligence sources, ensuring realism. The application mimics the behavior of real cybercriminals. However, it is not a “black-box automation” tool - it provides step-by-step insights and explanations of real-world attack scenarios.


Training Program

Scenario 1. Active Directory Reconnaissance

Scenario 2. Network Reconnaissance (SSH services, SMB directories, Web, databases)

Scenario 3. Cracking Service Account Passwords in Windows Domain (Kerberoasting)

Scenario 4. (Slow Option) Cracking Service Account Passwords in Windows Domain (Kerberoasting)

Scenario 5. Searching for Credentials and Other Sensitive Data in SMB Network Directories

Scenario 6. Exploiting SMB Vulnerabilities on Older Windows Servers - MS17-010 Eternal

Scenario 7. Password Spraying on Domain Accounts

Scenario 8. Password Spraying on Local Administrator Accounts

Scenario 9. Password Spraying on Linux Systems, SSH Access

Scenario 10. Password Spraying on MS SQL Databases, System Command Execution

Scenario 11. Password Spraying on MySQL Databases, Cracking Database Account Hashes

Scenario 12. Web Shell Using Editable SMB Share on Web Server, Command Execution on Windows

Scenario 13. Evading AV/EDR Using a Local Administrator Account

Scenario 14. Dumping SAM Credentials Using an Administrator Password or NTLM Hash

Scenario 15. Dumping LSASS Credentials Using an Administrator Password or NTLM Hash

Scenario 16. Exploiting Vulnerabilities of Microsoft Certificate Authority (MSCA) to Obtain Domain Administrator Privileges

Scenario 17. Capturing Net-NTLMv2 Credentials in the Network and SMB Relaying

Scenario 18. Lateral Movement to Windows Systems Using Various Protocols (SMB, WinRM, WMI, RDP)

Scenario 19. Exploiting Active Directory Vulnerabilities for Privilege Escalation and Credential Retrieval (DCSync)

Scenario 20. Using Backup Operators Privileges to Dump Domain Account Credentials

Scenario 21. Exploiting Constrained Delegation to Gain Windows Administrator Access

Scenario 22. Using Account Operators Group Privileges to Retrieve LAPS (Local Administrator Password Solution) Passwords

Scenario 23. Using Account Operators Group Privileges to Retrieve gMSA (Group Managed Service Accounts)

Scenario 24. Stealing Kerberos Tokens and Performing Lateral Movement Using Privileged Account Tokens

Scenario 25. Evading AV/EDR and Escalating Service Account to Windows Administrator (SYSTEM Level)

Scenario 26. Command and Control - Tunneling Internal Network Attacks Through SOCKS Proxy

Scenario 27. Reconnaissance of Web Services in the Network

Scenario 28. Exploiting WordPress to Deploy a Web Shell and Execute Operating System Commands

Scenario 29. Password Spraying Attack and Accessing Postgres Databases

Scenario 30. Password Spraying Attack and Accessing Oracle Databases

Other Attack Scenarios Based on the Specificity and Existing Vulnerabilities of the IT Systems

Duration: 30 days
Cost: 12,000 EURO

PREREQUISITES FOR PARTICIPATION

Cybersecurity personnel must complete basic Incident Response or Red Team training in a Cyber Range environment.

EXERCISES ORGANIZATION

Reporting: Blue Team/SOC periodically receives reports on executed attack scenarios. Critical vulnerabilities are immediately reported with remediation recommendations.


SECURITY MEASURES DURING EXERCISES

1. The Cyber Soldier Project machine (a Linux image for VMware) is connected to a user network segment and assigned an IP address from this network (Assume Breach scenario).

2. Access to the Cyber Soldier Project machine is secured via VPN using SSH and VNC protocols.

3. The Cyber Soldier machine is isolated from the Internet (blocked at the firewall and, if applicable, at the Web Proxy).

4. The Cyber Soldier machine is permanently deleted after testing because it processes sensitive data.

TRAINER COMPETENCIES

The “Incident Response” and “Red Team” training programs have been developed by a team of experts with top-level offensive and defensive competencies, validated by renowned certifications, including:

• OffSec Experienced Penetration Tester (OSEP)
• OffSec Web Expert (OSWE)
• OffSec Certified Professional (OSCP)
• (ISC)² Certified Information Systems Security Professional (CISSP)
• EC-Council Certified Ethical Hacker (CEH) Master
• EC-Council Certified Chief Information Security Officer (CCISO)
• Certified SCADA Security Architect
• Certified security engineers for Check Point, CyberArk, Palo Alto Networks, SentinelOne, Trend Micro, and others.