Exercise 9
Exercise 9: Large Scale Incident Handling
| Main Objective | The main objective of the exercise is to teach incident handlers the key information and actions required for the successful resolution of large-scale incidents. | |
|---|---|---|
| Targeted Audience | Technical CERT staff | |
| Total Duration | Roughly 5 hours | |
| Time Schedule | Introduction to the exercise | 15 min. |
| PART 1 LARGE SCALE PHISHING ATTACK | ||
| Task 1: Source of information | 10 min. | |
| Task 2: Initial investigation | 10 min. | |
| Task 3: Takedown | 10 min. | |
| Task 4: Warning & mitigation | 10 min. | |
| PART 2 LARGE BOTNET SPREADING THROUGH A NEW VULNERABILITY | ||
| Task 1: Source of information | 10 min. | |
| Task 2: Initial investigation | 10 min. | |
| Task3: Takedown | 10 min. | |
| Task 4: Warning & mitigation | 10 min. | |
| PART 3 INTERNAL WORM OUTBREAK | ||
| Task 1: Internal worm outbreak | 10 min. | |
| Task 2: Type of attack | 10 min. | |
| Task 3: Malware capture & analysis | 10 min. | |
| Task 4: Worm/botnet controller identification | 10 min. | |
| PART 4 LARGE SCALE DDoS ATTACK AGAINST AN ENTIRE COUNTRY | ||
| Task 1: Case study: hypothetical cyber attack against country X | 60 min. | |
| Task 2: Another perspective: your country is under cyber-attack | 30 min. | |
| Task 3: Analysis of a particular DDoS method | 30 min. | |
| Task 4: Lessons learned | 15 min. | |
| Summary of the exercise | 15 min. | |
| Frequency | The exercise should be carried out when the team is first setup or whenever new team members arrive or a new type of threat appears. (In the last case you should expand the exercise to accommodate this threat.) | |
General Description
The purpose of the exercise is to introduce incident handlers to the complexity of handling large-scale incidents. After completion of this exercise, the students should be able to:
- Understand the nature and the consequences of a common large-scale incident;
- Determine the key information required for the successful resolution of such incidents; and
- Coordinate the exchange of information with various authorities.
This exercise does not require Internet access. It is recommended that you, the trainer, carefully read through the handbook to understand what is required from you. The exercise is split into four different parts, concerning different types of large-scale incidents. The exercises listed here are intended as examples, so you are welcome to create additional examples of your own. Similarly, any solutions presented are not intended to be complete – you and the students are encouraged to present solutions of your own. The form of the exercise is a moderated discussion, lead by the trainer.
Download Exercise 9 Toolset - 191 kB
