Last month, Sekoia.io took part in the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) Crossed Swords cyber exercise (aka XS23), organized in Tallinn, Estonia. Involving high-level expert teams from a dozen NATO member countries, Crossed Swords is a unique three-day opportunity to train cyber specialists in conducting offensive cyber operations.
For our team, it was a first… and what an experience! We are happy to share some feedback in this blog post.
A full-spectrum cyberwar (in a fictional scenario)
On a cold winter day in the middle of the Atlantic Ocean, the small country of Berylia (i.e. the good guys) finds itself under attack from the neighbouring island, Crimsonia (the really bad guys). Not a surprise, analysts familiar with the region would say, as Berylia and Crimsonia had long been in dispute over valuable natural resources - and part of Berylian territory is now under the control of the Crimsonian military.
In reaction to the Crimsonian military incursion, the Berylian Ministry of Defense decides to launch offensive non-kinetic cyber operations. The objective is clear: break the territorial stalemate to prepare for a future counter-offensive, without endangering critical infrastructure. Do not forget that the occupied territories include several power stations and a railway network (among others).
This fictional but quite impressive scenario was the basis of the exercise, whose objectives included testing cyber specialists and red-teamers in a cyber operational context and testing coordination between and within the involved operational teams. The detection team (Yellow team), on their side, were challenged with hundreds of attacks over the course of 72 hours and had the opportunity to practice Digital Forensics and Incident Response (DFIR) execution and synchronization.
A technology to detect threats on a unified SOC platform
XS23 allowed participants to experiment with some of the best technologies available worldwide, with the goal of testing product security and improving cyber resilience through proactive monitoring and detection.
Sekoia.io’s threat intelligence-powered SOC Platform was brilliantly used by the Yellow team in charge of threat hunting and identifying incursions. In addition, our team helped the Yellow team provide feedback on the offensive operations through the use of Sekoia XDR. This important task helped all trainees understand the footprint left on the network and infrastructure when suspicious activity occurs.
At the end of the day, Sekoia XDR withstood a huge workload, generating thousands of relevant alerts. This exceptional figure is explained by the exceptional offensive cyber operation scenario described above - and reflects the amazing work done by highly motivated Berylian folks.
Brand-new features of the SOC Platform were also appreciated by trainees, including:
- the extended visibility on the information system, based on painless event collection and normalization by the Sekoia Endpoint Agent, which was installed on all workstations during the exercise,
- the extended catalog of Sigma detection rules: over 800 built-in rules in the Sekoia SOC Platform make it possible to leverage collected logs to detect suspicious activity within your perimeter - and respond to threats as fast as possible,
- the Query Builder, which facilitates extracting key analytics, hunting advanced threats and fine-tuning detection to reduce false positives. Take a deep dive into the Query Builder here.
- not to mention seamless integration with other solutions used during the exercise, such as NDR systems from our friends at Stamus Networks. The full catalog of 180 integrations is publicly available on this page.
Below you will see some screenshots of the platform during the operation, providing a full vision of the extent of the attack and easy-to-use dashboards for training participants.


“The ongoing success of Crossed Swords is in part due to our industry partners and the expertise that they bring to the event. Companies like Sekoia not only support our organizing team with their knowledge, but are integral for introducing the training audience to cutting edge technologies. We look forward to working with all of this year’s industry partners again for Crossed Swords 2024!” - LTC Urmet Tomp, CCDCOE Head of Cyber Exercises, Crossed Swords 2023 OPR
“Participating in Crossed Swords 2023 was a great opportunity for our teams to interact with high-level experts from various horizons but also to confirm the strong efficiency of our technology to detect threats in a large-scale offensive scenario.” - Georges Bossert, Chief Technology Officer of Sekoia.io
You can also read the CCDCOE conclusions of Crossed Swords 2023 here. Thank you to the NATO CCDCOE and CR14 for your trust, and to all officers and partners involved for the fruitful collaboration. We hope to see you again next year!