Unknown and unseen, the cyberwar between Crimsonia and Berylia


This is a fictional scenario.

In the first week of December, unbeknownst to many, the island of Berylia engaged in cyberwarfare with its neighbour Crimsonia after months of heightened tensions. The goal of the Berylian attackers was to disable as many critical infrastructure components of the Crimsonian Ministry of Defence as possible, in order to prevent the Crimsonian Navy from sailing. This would give the Berylian fleet time to aid and protect critical locations and assets.

Four offensive cyber operations were carried out:

Operation Hidden Ghost, to stop the Crimsonian Ministry of Defence (MOD) from performing effectively by infiltrating their IT systems.

Operation Golden Predator, to stop the Crimsonian Office of the President (COP) from performing effectively by infiltrating their IT systems.

Operation Iron Oak, to stop the Crimsonian News Service (CNS) from performing effectively by infiltrating their IT systems.

Operation Urban Sun, to stop the Crimsonian Foreign Ministry (CFM) from performing effectively by infiltrating their IT systems.

These operations would see the attackers gain a foothold, exfiltrate and report any intelligence found, plant misinformation, and destroy enemy systems when given the command.

-- end of fictional scenario

This was the fictional scenario for Crossed Swords 2022, the technical red-teaming exercise run by the NATO-affiliated CCDCOE in Tallinn, Estonia. The popular cyber security event attracts talent from many countries across the world. The scenario comprises multiple virtual organisations as targets, with hundreds of realistic systems and simulated users.

It allows participants to experiment with some of the best technologies available to simulate offensive cyberspace operations on a modern battlefield, with the goal of testing product security and improving cyber resilience through proactive monitoring and detection.

“CCDCOE continues to provide a unique full-spectrum training session in the areas of cyber red-teaming, penetration testing, digital forensics, and situational awareness.” - Carry Kangur, CCDCOE Head of Cyber Exercises

Splunk's role was to assist the Yellow Team in providing detailed, timely feedback on the offensive operations through the use of Splunk Enterprise and Enterprise Security. This crucial task helped the other teams understand the footprint left on the network and infrastructure when suspicious activity occurs. Splunkers Kendrick Tugwell (Principal Architect) and Floris Ladan (Security Strategist) attended the event in Tallinn, Estonia.

Enterprise Security was set up with multiple out-of-the-box detections enabled and the latest content packs installed, coupled with custom searches and dashboards created by members of the Yellow Team and targeted specifically at the operation.

This image shows Enterprise Security’s Posture Dashboard which highlights the scale of the attack.

At the end of every day, the Yellow Team used Splunk along with other tools to produce a report for the attackers and defenders. This report included links to Splunk dashboards, screenshots, and recommendations on how to better avoid detection.

The image below shows a custom dashboard that uses the Splunk Machine Learning Toolkit (MLTK) to detect outliers in Windows process execution. In some instances this dashboard detected attacks on hosts before they were fully compromised.
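To make the idea behind that dashboard concrete, here is an added example that is not the post's dashboard or any MLTK code: it reproduces the outlier logic in plain Python over a constructed set of Sysmon Event ID 1 style process-creation records. MLTK's DensityFunction fits a distribution per group (here, per host) and flags values in the tail; this example approximates that with a robust median/MAD score per host, and adds a second, volume-independent signal (images seen on only one host) so that a quiet attacker running rare tooling is caught even without a burst. Host names, process names and the hourly counts are all constructed.

```python
"""Outlier detection on Windows process-execution volume (added example).

Not the post's MLTK dashboard: it approximates the idea in plain Python so
the logic can be read and run offline. Input is a constructed set of Sysmon
Event ID 1 style records, reduced to (host, hour_bucket, image).
"""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed process names: routine desktop activity vs. a recon burst.
NORMAL = ["explorer.exe", "chrome.exe", "outlook.exe", "svchost.exe", "teams.exe", "winword.exe"]
RECON = ["whoami.exe", "net.exe", "nltest.exe", "powershell.exe", "rundll32.exe", "reg.exe"]


def build_sample():
    """Return constructed (host, hour, image) events: 8 quiet hours on four
    workstations, plus a burst of recon tooling on ws03 during hour 5."""
    events = []
    for h, host in enumerate(["ws01", "ws02", "ws03", "ws04"]):
        for hour in range(8):
            n = 5 + (h + hour) % 4          # 5-8 routine executions per hour
            for i in range(n):
                events.append((host, hour, NORMAL[(i + hour) % len(NORMAL)]))
    for i in range(36):                     # constructed attacker activity
        events.append(("ws03", 5, RECON[i % len(RECON)]))
    return events


def hourly_counts(events):
    """Number of process executions per (host, hour) bucket."""
    counts = defaultdict(int)
    for host, hour, _image in events:
        counts[(host, hour)] += 1
    return counts


def robust_zscores(values):
    """Median/MAD based z-scores, so a single large burst does not inflate
    the baseline it is measured against. Falls back to mean/stdev if MAD is 0."""
    med = median(values)
    mad = median([abs(v - med) for v in values])
    if mad > 0:
        return [abs(v - med) / (1.4826 * mad) for v in values]
    mu, sd = mean(values), pstdev(values)
    return [abs(v - mu) / sd if sd > 0 else 0.0 for v in values]


def outlier_buckets(events, threshold=3.5):
    """Flag (host, hour) buckets whose execution count is an outlier relative
    to that host's own hourly baseline. Returns (host, hour, count, score)
    tuples, highest score first."""
    by_host = defaultdict(list)
    for (host, hour), n in hourly_counts(events).items():
        by_host[host].append((hour, n))
    flagged = []
    for host, buckets in by_host.items():
        for (hour, n), score in zip(buckets, robust_zscores([c for _, c in buckets])):
            if score >= threshold:
                flagged.append((host, hour, n, round(score, 1)))
    return sorted(flagged, key=lambda r: -r[3])


def rare_images(events, max_hosts=1):
    """Images seen on at most `max_hosts` hosts across the fleet: a second,
    volume-independent signal that complements the burst detection."""
    hosts_per_image = defaultdict(set)
    for host, _hour, image in events:
        hosts_per_image[image].add(host)
    return sorted(img for img, hosts in hosts_per_image.items() if len(hosts) <= max_hosts)


if __name__ == "__main__":
    ev = build_sample()
    for host, hour, n, score in outlier_buckets(ev):
        print(f"{host} hour={hour}: {n} executions (robust z={score})")
    print("images unique to one host:", rare_images(ev))
```

On the constructed data only ws03 at hour 5 is flagged (44 executions against a baseline of 5 to 8), and the six recon binaries are the only images confined to a single host. The median/MAD choice matters in practice: a plain mean and standard deviation computed over the same window would be dragged upward by the burst itself and could hide a second, smaller burst on the same host.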

By the end of a successful event, the red team had compromised many of the hosts within the various Crimsonia networks. Splunk was there, mapping them all and providing insight into the vast amount of data generated throughout the attack.

This image shows the attack link analysis where attackers penetrated multiple hosts.
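The link analysis in that image is a Splunk visualization; as an added example that is not the post's or Splunk's code, the following Python shows the reasoning such a view rests on. It takes constructed Windows Security 4624 logon records, reduced to (time, source IpAddress, target host, user, LogonType), and propagates compromise from a known foothold along network (type 3) and RDP (type 10) logons in time order. The IP-to-host table, host names, users and timestamps are all assumptions made for the example.

```python
"""Time-aware lateral-movement link analysis (added example, not the post's
Splunk visualization). Input is a constructed set of Windows Security 4624
logon records reduced to (time, source IpAddress, target host, user, LogonType).
"""

# Constructed IP-to-hostname table (assumption; in practice from DHCP or asset data).
IP_TO_HOST = {"10.0.1.7": "ws07", "10.0.1.2": "ws02", "10.0.2.1": "fs01", "10.0.0.1": "dc01"}

# Constructed 4624 events. Times are simple integers standing in for epoch seconds.
SAMPLE_LOGONS = [
    (90,  "10.0.1.2",  "fs01", "jdoe",       3),   # routine share access, before the foothold
    (120, "10.0.1.7",  "fs01", "svc_backup", 3),   # foothold host reaches the file server
    (130, "127.0.0.1", "ws07", "jdoe",       2),   # interactive logon, not lateral movement
    (150, "10.0.2.1",  "dc01", "crim-admin", 10),  # RDP from fs01 to the domain controller
    (160, "10.0.1.7",  "ws11", "svc_backup", 3),
    (300, "10.0.0.1",  "ws20", "crim-admin", 10),
    (310, "10.0.1.2",  "ws20", "jdoe",       3),   # ws02 was never compromised: no new edge
]


def trace_lateral_movement(logons, foothold, foothold_time, ip_to_host=IP_TO_HOST,
                           lateral_types=(3, 10)):
    """Propagate compromise along network (3) and RDP (10) logons in time order.

    A logon only extends the chain if its source host was already compromised
    at that time, which is what separates attacker pivots from the benign
    logons that happen to touch the same servers.
    Returns {host: {"time", "parent", "user", "logon_type"}}.
    """
    compromised = {foothold: {"time": foothold_time, "parent": None,
                              "user": None, "logon_type": None}}
    for ts, src_ip, dst, user, ltype in sorted(logons):
        if ltype not in lateral_types:
            continue
        src = ip_to_host.get(src_ip)
        if src not in compromised or ts < compromised[src]["time"]:
            continue
        if dst not in compromised:          # keep the first observed pivot into each host
            compromised[dst] = {"time": ts, "parent": src, "user": user, "logon_type": ltype}
    return compromised


def path_to(compromised, host):
    """Walk parent links back to the foothold, e.g. ['ws07', 'fs01', 'dc01', 'ws20']."""
    path = []
    while host is not None:
        path.append(host)
        host = compromised[host]["parent"]
    return path[::-1]


def edges(compromised):
    """(source, target, user, logon_type) tuples, i.e. the links a graph view would draw."""
    return sorted((v["parent"], h, v["user"], v["logon_type"])
                  for h, v in compromised.items() if v["parent"] is not None)


if __name__ == "__main__":
    chain = trace_lateral_movement(SAMPLE_LOGONS, foothold="ws07", foothold_time=100)
    for src, dst, user, ltype in edges(chain):
        print(f"{src} -> {dst}  user={user} logon_type={ltype}")
    print("path to ws20:", " -> ".join(path_to(chain, "ws20")))
```

Because events are processed in time order and an edge is only followed from a host already marked compromised, ws02's logons to fs01 and ws20 never enter the graph even though they hit the same servers as the attacker. Dropping that ordering check is the usual way a link-analysis view ends up drawing every machine that ever talked to the domain controller.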

The detail, commitment, effort and resources put into this exercise have been exceptional; CCDCOE has been able to bring in the best people to run it, in order to train and spread awareness of the importance of cybersecurity and cyberwarfare in the future.

If you’re interested in improving your business's cyber resilience and want a deeper dive into the tools used here, please contact your Splunk representative.

Crossed Swords runs yearly; if you would like to participate, please contact our friends at CCDCOE.

Kendrick & Floris
