RangeForce Blog | Cybersecurity training for teams

NEW EXERCISE: ALERT TRIAGE

Written by RangeForce Team | Nov 26, 2024 10:26:53 AM

It’s not hard to guess what defensive teams are tasked with in our new Alert Triage exercise. We took five minutes with Team Exercise Engineering Lead, Ivan Volkov, to understand this unique new format.


Q: It’s that awkward minute of small talk at the beginning of a Zoom call. Explain Alert Triage to:

A SOC Lead - Ivan: Triage is a big part of your team’s day job - but you probably haven’t had a simple and scalable way of practicing it with real tools, against real threats, in live networks. Our new exercise does this.

A CISO - Ivan: Effective triage is as much about decision making, soft skills and process execution as it is tooling. We now allow teams to hone this capability in live environments.   

A Board member - Ivan: You are always under cyber attack. Tools might detect this, but swift action by front-line defensive teams stops it impacting operations. Alert Triage improves this. 

An Analyst - Ivan: Whether you are a Junior Analyst needing to build confidence in how you use tools, or a senior one looking to share experience, we’ve got you! You might even have some fun.

Q: Without giving too much away, how does it work? 

Ivan: To simulate SOC operations, we drop teams into a full environment through the browser where they receive an alert from an XDR. Initially, this is CrowdStrike Falcon. Set in detect-only mode, participants have high threat visibility, but need to rely on technical skills to deploy mitigations. Tools such as Splunk, PAN, TheHive, MISP and more are also available.

Beyond this, I can’t give too much away to protect the experience for customers. Needless to say, like in a real incident, the responding team is pushed to work together - balancing softer skills such as prioritisation and communication with threat analysis and technical remediation. Once resolved - their CIRT report writing skills for upper management are also tested. 

Q: Who is it for?

Ivan: Practically, teams of up to ten can participate. The added benefit of a cloud range means you can spin up numerous exercises - good for SOC teams in shifts. For Analysts with less ‘time on the tools’ it is an excellent way of levelling up. Too often - people only get this kind of opportunity over the shoulder of a more experienced analyst. This is either not scalable (you have to wait for the combination of a real attack and a willing analyst) or, to put it bluntly, risky, as you are throwing a lesser skilled person in at the deep end. 

It’s also a great opportunity to unlock the power of skills cascading - allowing numerous people to watch / work alongside an experienced practitioner.  From a capability development point of view, I would also see it as a good step towards developing deeper teams of Threat Hunters.  

Q: Sounds good. But as an admin, and because it uses a range, it must be hard to set up?

Ivan: Not at all. Select your date and time in the platform, add the participants and we do the rest. Your team even gets a pre-exercise set of labs to ensure they know the basics. 

Q: Sounds useful, but hard to measure? 

Ivan: Wrong again, I'm afraid. The RangeForce Team Readiness platform collects data on the technical abilities demonstrated in every exercise, as well as SOC metrics such as Time to Detect, Respond and Analyze.

Q: It must be expensive? 

Ivan: Alert Triage is just one of a catalog of exercises bundled into Team Ready Cycles - available at a fraction of the cost of other skills platforms. Run quarterly - these cycles also include solo skills labs.

To understand Alert Triage, or our new Team Readiness platform, in more detail, get in touch here.