The red team went ahead with malicious data encryption. They moved onto sensitive IT systems, escalating their privileges along the way, before extracting sensitive corporate data and emails. The attack team decided against carrying out any operational disruption since they had no desire to be considered or treated like terrorists — they were strictly in for the money, going forward with attempt to extort Springfieldshire Water Treatment for up to £20 million.
Meanwhile, over on the blue team, incident response kicked in as the defenders put together a plan attempting to contain the attack and restore affected systems.
During this phase of the exercise, the blue team receive a call from their legal department advising them to inform the UK’s National Cyber Security Centre and regulators about the attack, warning that failures could result in fines or liability issues. Notifying partners and bringing in the expertise of external incident response specialists becomes a major focus for the defenders at this stage of the game.
