Day 13 of Advent of Cyber 2023!

Back Story!

The company is going through a merger, and there have been some concerning activities. To make sure our systems are safe from future attacks, McSkidy has put together a team, led by McHoneyBell, to focus on protecting the company. You're part of this team, and your job is to find out how we can defend against attacks and be proactive about security.

Learning Objectives

In today's task, you will:

  • Learn to understand incident analysis through the Diamond Model.

  • Identify defensive strategies that can be applied to the Diamond Model.

  • Learn to set up firewall rules and a honeypot as defensive strategies.

What is intrusion detection?

Detecting and preventing unauthorized access is a crucial part of keeping our computer systems safe from cyber threats. When done ahead of time, it becomes a way to be proactive about security. However, in our story, the Best Festival Company needs to find ways to make their security better after some serious breaches. In this big task, we'll explore important ideas, strategies for detecting issues, and how to use the Diamond Model of Intrusion Analysis to protect our systems. It's like going on an exciting adventure to make sure our company stays secure!

Understanding the Diamond Model for Incident Analysis

In the face of recent cyber threats at Best Festival Company and AntarctiCrafts, adopting a robust incident analysis framework is crucial. The Diamond Model, utilized by cybersecurity professionals, encompasses four key facets: Adversary, Victim, Infrastructure, and Capability.

Adversary: Unraveling the Intruder's Web

Our story involves a suspected insider threat disrupting the merger plans, which makes that insider a savvy adversary operator. Adversaries can be individuals or organizations that carry out cyberattacks. Together with adversary customers, they can form a consortium akin to advanced persistent threat (APT) groups that orchestrate widespread security breaches.

Victim: Shielding Best Festival Company

The victim, Best Festival Company, finds itself under attack, necessitating a resilient defense against potential harm.

Infrastructure: Tools of the Adversary's Trade

Adversaries need tools to operate, and the model calls these infrastructure: systems they own or control, directly or indirectly. In the story, the discovery of a disruptive USB drive is a tangible example of infrastructure employed by an adversary.

Capability: Unveiling Adversary Tactics

Capabilities encompass the tactics, techniques, and procedures (TTPs) employed by adversaries. From phishing to exploiting vulnerabilities, adversaries exhibit a range of skills and tools.

Defensive Diamond Model: Fortifying Best Festival Company

To shift from a vulnerable target to a formidable defender, Best Festival Company harnesses the defensive components of the Diamond Model—capability and infrastructure.

Defensive Capability: Equipping for Battle

The company arms itself with threat hunting and vulnerability management, forming a solid foundation for incident response.

Defensive Infrastructure: Constructing Cyber Bastions

Best Festival Company establishes layers of defense with hardware and software tools, including firewalls and honeypots. A honeypot is a deceptive mechanism that diverts attackers away from genuine targets.

Firewall: The Mighty Guardian

Firewalls are the vigilant guardians of network traffic: they monitor and control data flow to protect against unauthorized access and malicious activity. The task then covers configuring the Uncomplicated Firewall (ufw) on Ubuntu, including how to set up rules and how to reset the firewall.
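The ufw rule setup and reset described above, as an added example that is not taken from the original task. It only prints the commands unless APPLY=1 is set; port 8080, SSH on 22/tcp and the 21/tcp deny are constructed sample values, and run, ufw_baseline and ufw_reset are hypothetical helper names.

```shell
#!/bin/sh
# Added example: ufw baseline for a host that should expose one web port.
# Dry-run by default (commands are printed). Set APPLY=1 and run as root to execute.

run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# ufw_baseline PORT  (PORT is a placeholder for the service you mean to expose)
ufw_baseline() {
    port=$1
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "invalid port: $port" >&2; return 1
    }

    run ufw default deny incoming     # block inbound traffic unless a rule allows it
    run ufw default allow outgoing
    run ufw allow 22/tcp              # allow SSH first so enabling does not lock you out
    run ufw allow "$port/tcp"         # the one service meant to be public
    run ufw deny 21/tcp               # explicit deny rule, shown for the syntax
    run ufw --force enable            # --force skips the confirmation prompt
    run ufw status verbose            # review the resulting policy and rules
}

# ufw_reset: disable ufw and return it to its installation defaults.
ufw_reset() {
    run ufw --force reset
}

ufw_baseline "${SITE_PORT:-8080}"     # 8080 is a constructed sample value
```

The SSH allow rule comes before enable on purpose: with a default-deny inbound policy, enabling first would cut off a remote session.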

Honeypot: The Art of Deception

Honeypots are a deceptive mechanism that lures attackers away from real targets. The tutorial demonstrates setting up a honeypot using PenTBox, with options for automatic or manual configuration.

Van Twinkle's Challenge: Navigating the Cyber Maze

Armed with knowledge, Van Twinkle sets up firewall rules to protect a hidden website. The challenge involves updating rules to expose the site publicly and uncovering a hidden flag.

In this journey through the Diamond Model and defensive strategies, Best Festival Company transforms from a vulnerable target into a proactive defender, ready to face the complexities of the cyber realm.

Task 1:

Which security model is being used to analyse the breach and defence strategies?

Answer: diamond model

Task 2:

Which defence capability is used to actively search for signs of malicious activity?

Answer: threat hunting

Task 3:

What are our main two infrastructure focuses?

Answer: firewall and honeypot

Task 4:

Which firewall command is used to block traffic?

Answer: deny

Task 5:

There is a flag in one of the stories. Can you find it?

Answer: THM{P0T$_W@A11S_4_S@N7@}