The Blue Team Village’s Project Obsidian is an immersive, defensive cybersecurity learning experience that provides attendees with the opportunity to gain knowledge of Incident Response (IR), Digital Forensics (DF), Reverse Engineering Malware (REM), Cyber Threat Intelligence (CTI), and Cyber Threat Hunting (CTH). Deep dive into technical topics through workshops and exercises that provide practical hands-on experience across each discipline. Workshops provide the training necessary to help attendees develop skills needed to be successful in their current and/or future role in cybersecurity.
Two of the most important takeaways we highlight are how to strategically approach a task and the operational processes that support the goals and objectives behind each task. Knowing ‘how’ to do something is only part of the challenge. Knowing ‘when’ and ‘why’ to perform certain tasks adds the context required to develop the full story of defensive security.
Workshops will take place throughout the year and are free of charge. Join the Blue Team Village Discord server for updates: discord.blueteamvillage.org
Goals and Objectives
Our primary goal is to remove the barrier to entry for cybersecurity training.
Our objective is to provide training on the following topics:
- Incident Response
- Digital Forensics
- Reverse Engineering Malware
- Cyber Threat Intelligence
- Cyber Threat Hunting
Training content will include the following resources:
- Workshops (live and recorded)
- Demonstration videos
- Reading material (online and downloadable)
- Lab exercises and challenges
Watch this space for more details.
Incident Response
The IR Station will focus on how to run an incident while teaching students how the sausage is made, the processes and procedures that are the foundation of effective incident response. Using adversary kill chains based on real-world scenarios, students will have the opportunity to see an entire attack chain and what goes into investigating and responding to the events. The incident response station will answer the following questions:
What is Incident Response, and how does it differ from normal SOC work? What data is needed to make a decision on an alert or reported incident? The alert is a true positive; what are the next steps? Why are good note taking and case management important? Whom should you engage, and when, during an incident? How does communication about the incident occur? What goes into final reporting?
- Alert and Reported Incident intake
- Initial investigation and escalation
- Gathering artifacts & data enrichment
- Communication and leadership escalation
Digital Forensics
The Forensics station is designed to educate anyone (whether brand new or battle hardened) in the discipline and practical application of digital forensics. We do this by showing students how to extract, parse, and analyze forensic artifacts and telemetry from the Project Obsidian compromised environment.
The artifacts and telemetry that we use will be original source data that the students can take back to their personal labs to verify and experiment with. All the telemetry and artifacts will be released as open source, and students will be encouraged to further analyze it on their own systems and at their own pace.
We will provide a channel on our Discord server to allow the conversations to continue throughout the year, as students discover new findings in the data.
- Digital Forensics concepts (Imaging, Chain of Custody, Order of Volatility, etc.)
- Forensic Collection / Triage
- Forensic artifact and telemetry analysis
- Memory analysis
Reverse Engineering Malware
The malware analysis station introduces foundational skills that cybersecurity defenders can immediately implement. Training sessions are for anyone interested in learning more about malware analysis. We explore malware analysis tools and techniques as we analyze artifacts found during the Project Obsidian incident response simulations.
Understanding the capabilities of malware is a critical skill in order to obtain threat intelligence, respond to cybersecurity incidents, and strengthen cybersecurity defenses.
- Malware analysis concepts
- Examining static properties of suspicious documents and scripts
- De-obfuscating commands and code
- Decoding data
- Understanding malware’s behavior
Cyber Threat Intelligence
The Cyber Threat Intelligence (CTI) station provides essential training for anyone aspiring to enter the field of CTI. We cover the primary skills and concepts that CTI analysts need to understand and develop. Developing these skills and understanding these concepts will enable participants to better inform stakeholders and to operationalize CTI more effectively. We do this by integrating with other Project Obsidian stations during incident response simulations.
Understanding who might target your organization and why is a critical step that will enable stakeholders to prioritize cybersecurity investments and defend against threats.
- CTI fundamentals
- Threat profiling
- Threat intelligence requirements
- Generating intelligence from an incident
- Operationalizing intelligence from a report
Cyber Threat Hunting
The Cyber Threat Hunting (CTH) station provides participants with the knowledge and skills required to conduct an effective Threat Hunt. Participants will be introduced to hypothesis-driven analysis and the threat hunting life cycle. We incorporate threat intelligence and leverage MITRE ATT&CK to enhance threat hunts. Effective documentation and reporting, including strategies for quantifying the maturity and success of a threat hunting program, will be discussed. Participants will learn about the relationship between threat hunting and detection engineering, culminating in the development of detections.
Participants will be able to choose their own SIEM adventure: Splunk, Elastic or Graylog.
Participants will work through a series of kill chains designed to take them on a journey of exploration: learning how to create data-driven hypotheses, perform data analysis to recognize patterns, and leverage that information to create meaningful detections.
- Conduct Threat Hunts
- From idea to hypothesis
- Strategies for Threat Hunting
- Detection Methodology and Engineering
- Threat Hunting Reporting and Documentation