GitHub: NG-SOC-eu/lm8-1a-3
A cyber-security training scenario built on the KYPO platform: pre-seeded vulnerable environments and synthetic forensic data provide complete hands-on training covering incident response, digital forensics, CTI analysis and penetration testing.
# NG-SOC LM8 Sub-case 1a-3 – Incident Response and Digital Forensics
**Learning Module 8: Incident Response and Digital Forensics**
CyberRangeCZ / KYPO platform | NG-SOC WP5 training scenario
## Security notice
## Network topology
```
WAN / Management (100.100.100.0/24 – platform automatic, all nodes)
         │                              │
         ▼                              ▼
┌─────────────────┐          ┌──────────────────────┐
│ router-perimeter│◄────────►│ router-internal      │
│ gw: 10.10.20.1  │   WAN    │ gw: .30.1/.40.1      │
│ debian-12       │          │ debian-12            │
│ standard.small  │          │ standard.small       │
└────────┬────────┘          └──────────┬───────────┘
         │                              │
┌────────▼────────┐          ┌──────────▼───────────┐
│ net-dmz         │          │ net-corp             │
│ 10.10.20.0/24   │          │ 10.10.30.0/24        │
│ (user-access)   │          │ (no user-access)     │
│                 │          │                      │
│ web-banking     │          │ employee-ws          │
│ 10.10.20.10     │          │ 10.10.30.10          │
│ ubuntu-noble    │          │ ubuntu-noble         │
│ std.medium      │          │ std.small            │
│                 │          │                      │
│ c2-server       │          │ file-server          │
│ 10.10.20.20     │          │ 10.10.30.20          │
│ debian-12       │          │ ubuntu-noble         │
│ std.small       │          │ std.small            │
│ hidden: true    │          │                      │
└─────────────────┘          │ db-server            │
                             │ 10.10.30.30          │
┌─────────────────┐          │ ubuntu-noble         │
│ net-security    │          │ std.medium           │
│ 10.10.40.0/24   │          └──────────────────────┘
│ (user-access)   │
│                 │          ┌───────────────────────┐
│ siem            │          │ net-redteam           │
│ 10.10.40.10     │          │ 10.10.50.0/24         │
│ ubuntu-noble    │          │ (user-access)         │
│ std.large       │          │                       │
│ Wazuh+OpenSearch│          │ kali                  │
│                 │          │ 10.10.50.10           │
│ analyst-host    │          │ kali                  │
│ 10.10.40.20     │          │ std.large             │
│ ubuntu-noble    │          └───────────────────────┘
│ std.medium      │
│ Velociraptor    │
│                 │
│ cti             │
│ 10.10.40.30     │
│ ubuntu-noble    │
│ std.large       │
│ MISP (Docker)   │
└─────────────────┘
```
**Resource footprint per instance:** approx. 14 vCPU, approx. 70 GB RAM
## Repository structure
```
lm8-1a-3/
├── topology.yml                 # CyberRangeCZ topology (MUST stay in root)
├── README.md                    # This file
├── VALIDATION.md                # Resource & tool validation table
│
├── provisioning/
│   ├── playbook.yml             # 7-play Ansible playbook
│   ├── requirements.yml         # Galaxy dependencies (empty)
│   ├── group_vars/
│   │   ├── all.yml              # Global variables
│   │   ├── grp-security.yml     # Wazuh/MISP config
│   │   └── grp-corp.yml         # Corp host config
│   └── roles/
│       ├── common/              # Baseline: timezone, locale, hosts, user, MOTD
│       ├── router-config/       # ip_forward, iptables, static routes
│       ├── web-banking-vuln/    # DELIBERATELY VULNERABLE Apache+PHP+MySQL
│       ├── c2-server/           # Synthetic C2 simulator (Python TCP listener)
│       ├── employee-ws/         # Wazuh agent, beacon cron, pre-seeded logs
│       ├── file-server/         # Samba, .locked files, ransom note, enc log
│       ├── siem/                # Wazuh manager, custom rules, pre-seeded alerts
│       ├── forensics-host/      # DFIR tools, Velociraptor, CoC template
│       ├── kali-redteam/        # Pen-test tools, SecLists, engagement brief
│       ├── cti-misp/            # MISP Docker, seed script (Black Falcon event)
│       └── artifacts/           # Student handout templates, artefact deployment
│
├── trainings/
│   ├── exercise-1-soc-triage.json     # SOC Analyst – SIEM triage
│   ├── exercise-2-containment.json    # Incident Responder – containment/eradication
│   ├── exercise-3-cti-briefing.json   # CTI Analyst – MISP threat intel
│   ├── exercise-4-pentest.json        # Pen Tester – SQLi + brute force
│   └── exercise-5-tabletop.json       # IR Coordinator – ransomware tabletop
│
├── artifacts/
│   ├── phishing/
│   │   ├── phishing-email.eml         # Synthetic spear-phishing email
│   │   ├── phishing-sms.txt           # Synthetic smishing message
│   │   ├── phishing-call-script.txt   # Synthetic vishing transcript
│   │   └── suspicious-attachment.txt  # Static attachment metadata (no code)
│   ├── forensic-bundle/
│   │   ├── wazuh-alerts-ex2.json      # 8 synthetic SIEM alerts
│   │   ├── endpoint-process-list.txt  # Synthetic ps/netstat output
│   │   ├── netstat-employee-ws.txt    # Synthetic network connections
│   │   ├── web-banking-access.log     # Synthetic Apache log with SQLi evidence
│   │   ├── file-metadata.txt          # Synthetic file listing + encryption events
│   │   └── timeline-clues.txt         # Ordered clues for timeline reconstruction
│   └── ex5-ransomware/
│       └── tabletop-scenario.txt      # Inject sequence + ransom note text
│
└── docs/
    ├── instructor-guide.md            # Full instructor reference (32KB+)
    └── student-handouts/
        ├── exercise-1-handout.md      # SOC Analyst tasks
        ├── exercise-2-handout.md      # Incident Responder tasks
        ├── exercise-3-handout.md      # CTI Analyst tasks
        ├── exercise-4-handout.md      # Pen Tester tasks
        ├── ex5-tabletop-scenario.md   # IR Coordinator tabletop guide
        ├── ex5-after-action-report.md # AAR template (Ex 5 / Activity 2.0.2)
        └── express-forensic-report-template.md  # Activity 2.0.3 report template
```
## WP5:M8 coverage matrix
| Topic | Exercise 1 | Exercise 2 | Exercise 3 | Exercise 4 | Exercise 5 | 2.0.1 | 2.0.2 | 2.0.3 |
|---|:---:|:---:|:---:|:---:|:---:|:---:|:---:|:---:|
| Incident response lifecycle | ✅ | ✅ | | | ✅ | | ✅ | ✅ |
| Digital forensics fundamentals | | ✅ | | | | | | ✅ |
| Multi-channel phishing / social engineering | ✅ | | | | | ✅ | | |
| SIEM-driven threat detection | ✅ | ✅ | ✅ | | | | | ✅ |
| CTI and threat actor profiling | | | ✅ | ✅ | ✅ | | | |
| Regulatory compliance obligations (NIS2, GDPR) | | ✅ | | | ✅ | | ✅ | |
| Threat-intelligence-led penetration testing | | | ✅ | ✅ | | | | |
**All 7 topics are covered.** ✅
## ECSF role mapping
| Exercise | Role | ECSF profile |
|---|---|---|
| Exercise 1 | SOC Analyst Tier 1 | Cyber Incident Responder |
| Exercise 2 | CSIRT Analyst / Incident Responder | Cyber Incident Responder |
| Exercise 3 | CTI Analyst | Cyber Threat Intelligence Specialist |
| Exercise 4 | Penetration Tester | Penetration Tester |
| Exercise 5 | IR Coordinator | Cyber Incident Responder / CISO |
## MITRE ATT&CK technique coverage
| Technique | Name | Exercises |
|---|---|---|
| T1566.001 | Spearphishing Attachment | Exercise 3, Exercise 5, Activity 2.0.1 |
| T1190 | Exploit Public-Facing Application (SQLi) | Exercise 2, Exercise 3, Exercise 4 |
| T1078 | Valid Accounts | Exercise 2, Exercise 3, Exercise 4 |
| T1071.001 | C2 via Application Layer Protocol | Exercise 1, Exercise 3 |
| T1053.005 | Scheduled Task/Job: Cron | Exercise 1, Exercise 2, Exercise 5 |
| T1486 | Data Encrypted for Impact | Exercise 2, Exercise 3, Exercise 5 |
| T1005 | Data from Local System | Exercise 2, Exercise 3, Exercise 4 |
| T1041 | Exfiltration Over C2 Channel | Exercise 2, Exercise 5 |
| T1021.002 | Lateral Movement: SMB | Exercise 5 |
| T1083 | File and Directory Discovery | Exercise 4 |
## Deployment notes
### Prerequisites
- Access to the CyberRangeCZ / KYPO platform
- An OpenStack tenant with sufficient quota (each instance needs approx. 14 vCPU and approx. 70 GB RAM)
- Internet connectivity for the sandbox hosts (packages are downloaded during provisioning)
### Deployment
1. Upload this repository to the KYPO platform
2. Create a new sandbox definition pointing at `topology.yml` (in the root of this repository)
3. Provisioning takes roughly 30–45 minutes
4. Verify once provisioning has finished:
- Wazuh Dashboard: http://10.10.40.10:5601 (admin / admin, must be changed on first login)
- MISP: https://10.10.40.30 (admin@admin.test / admin, must be changed on first login → NGSOCAdmin2025!)
- Online banking: http://10.10.20.10 (admin / admin123 – deliberately weak password)
- Kali: SSH to 10.10.50.10 as the `analyst` user
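Post-provisioning verification of step 4, as an added example that is not part of this repository: it probes each endpoint listed above over TCP from a host routed into the sandbox networks (e.g. analyst-host). Port numbers are assumed from the listed URLs and services (5601 for the Wazuh dashboard, 443 for MISP over HTTPS, 80 for the banking site, 22 for SSH to Kali).

```python
"""Post-provision reachability check for the lm8-1a-3 sandbox.

Added example, not repository code. Run from a host with routes into the
sandbox (e.g. analyst-host, 10.10.40.20). Ports are assumed from the README's
verification list: 5601 (Wazuh dashboard), 443 (MISP, https://),
80 (web-banking, http://), 22 (SSH to Kali).
"""
import socket
from typing import Callable, Dict, Tuple

# Expected service endpoints, taken from the README's post-provision checklist.
EXPECTED_SERVICES: Dict[str, Tuple[str, int]] = {
    "wazuh-dashboard": ("10.10.40.10", 5601),
    "misp": ("10.10.40.30", 443),
    "web-banking": ("10.10.20.10", 80),
    "kali-ssh": ("10.10.50.10", 22),
}


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, unreachable, or timed out
        return False


def verify_services(services: Dict[str, Tuple[str, int]],
                    probe: Callable[[str, int], bool] = check_tcp) -> Dict[str, bool]:
    """Probe every endpoint; the probe is injectable so results can be checked offline."""
    return {name: probe(host, port) for name, (host, port) in services.items()}


def probe_local_listener() -> Tuple[bool, bool]:
    """Self-test for check_tcp: probe an ephemeral local listener while open, then after close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = check_tcp("127.0.0.1", port, timeout=1.0)
    srv.close()
    after_close = check_tcp("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    results = verify_services(EXPECTED_SERVICES)
    for name, ok in results.items():
        host, port = EXPECTED_SERVICES[name]
        print(f"{'OK  ' if ok else 'FAIL'} {name:16s} {host}:{port}")
    raise SystemExit(0 if all(results.values()) else 1)
```

A TCP handshake only proves the listener is up; the credential changes required on first login still have to be checked in each web UI.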
### Instructor checklist
For the full REP session preparation checklist, see [docs/instructor-guide.md](docs/instructor-guide.md) → Section 3.
## Assessment criteria
| Component | Weight | Pass threshold |
|---|---|---|
| Exercises 1–5 (knowledge assessment) | 60% | No single exercise below 40% |
| Activity 2.0.1 (multi-channel phishing triage) | 15% | — |
| Activity 2.0.2 (coordinated response chain) | 15% | — |
| Activity 2.0.3 (express forensic report) | 10% | — |
| **Overall pass** | — | **Total score ≥ 60%** |
*NG-SOC WP5 | Learning Module 8 – Incident Response and Digital Forensics | Sub-case 1a*
*CyberRangeCZ KYPO sandbox definition | British English | 2026*