Real Case Sherlocks: a deep dive into crafting simulated cyber attacks

Investing time and separating reality from fiction is critical to preparing for threats and dealing with a common feeling of uncertainty amongst security teams.

The industry skills gap and lack of proactive security measures are glaringly evident when faced with emerging threats and tactics, escalating faster than the team's ability to mitigate them. 

Within 2023, 25% of high-risk CVEs were exploited on the day of publication and 75% within 19 days, underscoring the urgency for rapid threat detection and mitigation. 

With the introduction of Real Case Sherlocks on HTB Enterprise Platform, organizations can test their processes and procedures by applying them against these real breach scenarios and improve skills development strategies.

What are Real Case Sherlocks?

Sherlocks are defensive security practical labs simulating real-world incidents. You’ll be asked to conduct an investigation based on a provided cyber attack scenario and clues to unravel the dynamics behind them.

But what makes them “Real Cases?”

Real Case scenarios emulate an incident shared by leading Managed Security Service Providers (MSSPs) directly with Hack The Box. 

These scenarios offer unparalleled realism by replicating the exact tactics, techniques, and procedures (TTPs) used by real attackers, providing cybersecurity teams with genuine, hands-on experience. 

Along with testing processes against a real breach scenario, cyber leaders can offer team members experience that directly applies to their daily work, using up-to-date investigative tools and technologies.

40% of CISOs & executives believe their organizations are not well prepared for today’s threat landscape, while according to ISC2, 92% of responders reported “having skills gaps in their organization” when tackling emerging threats.

By practicing with exclusive closed-source incidents, SOC teams can test their skills and knowledge amidst genuine threats and gain valuable insight on areas for further improvement. 

How are Real Case Sherlocks created?

Achieving this level of realism starts with close collaboration with our partnering MSSPs. Our Defensive Content Team regularly receives closed-source incident reports to begin designing and implementing the attack in a real-world simulation.

Let’s examine the creation of Pulse, the latest Real Case Sherlock released in partnership with Aspire Technology Solutions.

Pulse is a scenario in which cyber professionals are tasked to be part of a DFIR consultancy to assist with a possible organization compromise. With the information provided, teams must establish the root cause of the compromise by utilizing the HELK instance provided.

Pulse allows teams to practice and learn:

• Risks associated with the compromise of edge devices.

• TA tool sets utilized to carry out objectives.

• Windows & Web Access Log analysis utilizing SIEM technology.

Analyzing the incident report

The journey of developing Real Case Sherlock starts with thoroughly examining the provided incident report. Here, our team of experts can gain a deep understanding of the infrastructure involved, the flow of the attack, and the methods used by the attackers. 

The team then identifies vital aspects of the attack, such as the vulnerabilities exploited, the tools used, and the artifacts left behind.

The analysis focuses on identifying detailed information, including the specific configuration of the victim's network, the type of edge devices compromised, and the sequence of actions the attackers took post-exploitation. 

This information lays the groundwork for recreating a realistic simulation that mirrors the original incident as closely as possible.

The precedence of Edge device compromises

In the case of Pulse, the incident report highlights the compromise of edge devices, specifically the Ivanti Connect Secure VPN device. 

Edge devices often serve as a network's first line of defense, and their compromise can lead to catastrophic consequences. Let's explore edge device compromise and why it's a prevalent topic.

An upward trend in edge device compromise

Since the beginning of 2023, the number of Edge Service CVEs added to CISA’s Known Exploited Vulnerabilities (KEV) has been trending upwards. There has been a significant jump in the past six months, with eight new edge vulnerabilities added to the KEV in November 2023 and 10 more in January 2024.

In Pulse, we emphasize the risk of edge device compromises by simulating the exploitation of two prominent Ivanti CVEs (Common Vulnerabilities and Exposures). This simulation helps teams understand the initial breach point and the steps attackers take to infiltrate the network.

Designing the simulated infrastructure

The next phase involves designing and setting up infrastructure to simulate the victim's network. We created a comprehensive virtual network featuring a Windows Domain setup and an emulated Ivanti Connect Secure VPN device. 

The selection of tools and forensic artifacts is a critical decision in this phase. Pulse's web server logs are forwarded to a Security Information and Event Management (SIEM) system as a HELK (Hunting ELK) instance. 

This setup allows security professionals to analyze and investigate the incident using techniques that are transferable to their daily workflows.

Simulating the attack flow

With the infrastructure in place, it’s time to delve deeper into the attack flow. Thorough research into the CVE allows us to recreate an attacker's exact steps to exploit these vulnerabilities and gain an initial foothold in the network. 

Following the real-life events of the attack, the team simulates an offensive operation that takes them from the initial breach point to the final objective of full domain compromise.

By mirroring the steps taken by real attackers, we ensure that members gain valuable insights into the tactics, techniques, and procedures (TTPs) employed in real-world incidents.

Incident response and detection

Once the simulated attack is complete, the team switches to an incident responder position. A comprehensive test ensures all offensive actions can be detected using the HELK instance provided, streamlining interaction in any environment. 

Crafting comprehensive questions

To formulate the exercise, a set of questions is generated to cover all aspects of the attack comprehensively. These questions aim to delve into root cause analyses, identify Indicators of Compromise (IoCs), and enable the generation of a detailed timeline of events. 

By answering these questions, teams can deepen their understanding of the incident and enhance their investigative skills.

Upskilling and validating team skills

Cybersecurity professionals: can tackle scenarios independently or as a team to improve critical investigative skills. Working as a team, members can pool their expertise to solve complex problems as they would collaboratively when responding to an incident. 

This can promote knowledge sharing that is applied to technologies and investigative tools they use daily.

Cyber leaders and managers: can take advantage of Real Case Sherlocks to evaluate team performance in a realistic environment and, most importantly, test their strategies and processes against actual incidents. 

This way they can validate team skills and identify critical gaps to refine and update their skills development strategy.

Keeping your finger on the Pulse! 

According to a survey of 400 active cybersecurity professionals, nearly a third (29.5%) of professionals rated Incident Handling Processes and Methodologies as the most important knowledge domain for SOC analysts to master. 

Offering teams visibility into complex threats and exposing them to industry-connected investigative practice can significantly improve organizations’ preparedness for a potential breach.

Continuous practice with Real Case Sherlocks can help reduce time-to-detect (TTD) and time-to-respond (TTR) metrics and boost overall resilience by enabling proactive tactical response strategies.

Are you interested in practicing with more Real Case Sherlocks? Check out Exitiabilis, the first Real Case scenario released in partnership with Aspire. 

Exitiabilis puts participants in the aftermath of a ransomware attack, empowering teams to sharpen investigative skills to handle a recent industry-sourced threat.

GET A DEMO

Choose HTB to boost your cyber performance.

Unskilled teams pose a real risk to any organization’s security. This is why cybersecurity performance programs and continuous improvement are no longer a nice to have but a necessity.

Start now to implement your proactive security strategy!