TBT570: Team Based Training - Blue Team and Red Team Dynamic Workshop
This course is designed for groups of three to five or more people from each participating organization.
TBT570: Team Based Training - Blue Team / Red Team Dynamic Workshop is a unique team-based training course. Organizations send three to five participants to function together as part of a Blue team battling an adversary in real-time over multiple days. The technical terrain is a realistic enterprise environment: The SANS Red/Blue Cyber Range.
Student Blue Teams use a variety of enterprise tools to analyze and respond to an Advanced Persistent Threat deeply embedded in the environment. During the course, the Blue team will build skills along a variety of fronts, including:
Analyzing network traffic for malfeasance
Identifying attacker artifacts and activities on a variety of different enterprise systems
Collecting and analyzing intel associated with the attack
Analyzing the malware used by attackers
Handling an incident in an enterprise network
Eradicating the attackers' presence from the environment
Thwarting the attacker's plot to disrupt the enterprise mission
The various groups participating in the exercise include:
The Blue Teams, made up of student attendees and lead by a SANS instructor
The SANS Red Team, consisting of SANS offensive experts who will engage the Blue Team
The White Cell, the overall organizer and authority in the exercise
The SANS Cyber Range Ops team, who run the Cyber Range to ensure its operation and stability
A SANS instructor will direct the Blue teams as they uncover the attacker's command-and-control (C2) channels and work to eradicate the adversary from compromised systems. SANS will provide skilled Red Team operators who will utilize the Tactics, Techniques, and Procedures (TTPs) to throw various Indicators of Compromise (IOCs) from real-world APT cases throughout the class as they work through a detailed Red Team campaign designed to build skills of the Blue Team.
The SANS White Cell oversees the exercise and ensures that it runs smoothly, while the SANS Ops team runs the underlying cyber range infrastructure. Each day finishes with a live hot-wash discussion where the Red and Blue Teams review the activities from the day with the White Cell and each other to level-set and ensure specific learning objectives have been met. These afternoon discussions will also allow Blue Team members from different organizations (including commercial companies, government agencies, military groups, and more) to share their prospective and insights for dealing with such attacks.
The live, interactive battle will occur over five days, with a sixth and final day focused on the Blue Teams and the Red Team presenting their After Action Reviews (AARs) describing lessons learned. These reports make up a deliverable that students can bring back to their organization to share lessons learned and improve the security stance of their organization.