Cyber Exercise Playbook

Jason Kick

The views, opinions and/or findings contained in this report are those of The MITRE Corporation and should not be construed as an official government position, policy, or decision, unless designated by other documentation.

November 2014

Approved for Public Release; Distribution Unlimited. 14-3929

This technical data was produced for the U.S. Government under Contract No. W15P7T-13-C-A802, and is subject to the Rights in Technical Data-Noncommercial Items clause at DFARS 252.227-7013 (NOV 1995).

©2014 The MITRE Corporation. All rights reserved.

MP140714
Wiesbaden, Germany

Approved By: Mr. Charles Best, Project Leader
Date:

Abstract

This paper provides an overview of the cyber exercise process from inception to reporting. It introduces the terminology and life cycle of a cyber exercise and then focuses on the planning and execution aspects of such exercises, to include objectives, scenarios, reporting and assessment procedures, network architecture, tools, and lessons learned from utilizing the scenarios outlined during an exercise with Partner Nations. Reading this document and reviewing the reference materials should enable exercise planners to understand the purpose, objectives, planning, and execution processes for conducting cyber exercises.

Acknowledgements

Several MITRE staff members contributed to this paper, either by reviewing it or by writing certain sections. Thank you to everyone who took part in ensuring this paper’s accuracy and completeness, especially:

• Mr. Nathan Adams
• Mr. Dan Aiello
• Mr. Charles Best
• Mrs. Margaret MacDonald
• Mr. John Modrich
• Mr. Scott Wilson

Several staff of the US Army also reviewed this paper. Thanks are due to:

• Mr. Aaron Smith
• Mr. Dennis Freed
• Mr. Daniel Crandall
Table of Contents

Overview .... 1
Terminology .... 1
Exercise Planning .... 4
  Objectives .... 4
  Exercise Outcomes .... 5
  Know the Training Audience .... 7
  Types of Cyber Exercises .... 8
    Table Top (scripted events) .... 9
    Hybrid (scripted injects with real probes/scans) .... 10
    Full Live (real and scripted events) .... 10
  Ranges .... 11
  Threats .... 12
    Sample Exercise Threats .... 12
Exercise Planning Cycle .... 13
  Concept Development Meeting .... 14
  Initial Planning Meeting .... 14
  MSEL Planning Meeting .... 15
  Mid-Term Planning Meeting .... 16
  Final Planning Meeting .... 17
Exercise Execution .... 18
  Observation .... 18
    Observation Scenario .... 19
Post Exercise .... 19
  Lessons Learned .... 20
    Exercise Planning Pitfalls .... 20
    Exercise Logistical and Technical Considerations .... 22
Conclusions .... 22
Appendix A: Sample Master Scenario Event List .... 23
Appendix B: Sample Exercise Incident Response Plan .... 24
  Exercise Incident Response Plan .... 24
  Reporting Procedures .... 25
Appendix C: Sample Incident Response Form .... 26
Appendix D: Sample Exercise Roles and Responsibilities .... 27
  Training Audience User Role Responsibilities .... 27
  Training Audience System Administrator Role Responsibilities .... 28
Appendix E: Sample Network Architecture .... 29
Appendix F: Sample Red Team Exercise Data .... 30
  Email Address List .... 30
  IP addresses for Exercise .... 30
  Logs from web server .... 30
  Access logs .... 30
  Logs accessing the contaminated zip file .... 30
  Initial Spearphishing email: Site Introduction Email (non malicious) .... 31
  Water contamination report spearphishing (malicious link to website) .... 31
Appendix G: Sample Red Team Event Log .... 32
Appendix H: Sample Inject Observation Form .... 34
Appendix I: Sample Master Station Log .... 35
Appendix J: Sample After Action Report .... 36
Appendix K: Software Tools .... 37
Appendix L: References .... 39
  Papers .... 39
  Web Resources .... 39
Appendix M: Acronyms ....