SDL Example Script
An example script of a full exercise containing all SDL building blocks.
name: example-sdl
stories:
story-1:
speed: 1
description: "This is a story for the general user in the scenario"
scripts:
- script-1
story-2:
speed: 1
description: "This is a story for the developer in the scenario"
scripts:
- script-2
story-3:
speed: 1
description: "This is a story for the red team in the scenario"
scripts:
- script-3
scripts:
#General user
script-1:
description: "Imitates the daily activities of general use"
start-time: 0
end-time: 10 hour
speed: 1
events:
event-1: 0
event-2: 10 min
event-3: 45 min
#Developer
script-2:
description: "Imitates the daily activities of developer"
start-time: 10 hour
end-time: 25 hour
speed: 2
events:
event-4: 10 hour 30 min
event-5: 10 hour 30 min
#Red team
script-3:
description: "Imitates the activities for the red teamer"
start-time: 20 min
end-time: 40 min
speed: 1
events:
event-6: 30 min
event-7: 30 min
events:
#General user
event-1:
conditions:
- condition-12
injects:
- inject-4
event-2:
conditions:
- condition-12
injects:
- inject-5
- inject-6
event-3:
conditions:
- condition-16
injects:
- inject-6
#Developer
event-4:
conditions:
- condition-11
- condition-17
injects:
- inject-7
event-5:
conditions:
- condition-11
injects:
- inject-8
#Red team
event-6:
conditions:
- condition-9
- condition-10
injects:
- inject-1
- inject-2
event-7:
conditions:
- condition-11
- condition-12
injects:
- inject-3
injects:
inject-1:
description: "does sql injection to get authentication"
source: executable/inject-1/path.sh
from-entity: international-org
to-entities:
- ministry.it-department.it-1
- ministry.it-department.it-2
tlos:
- tlo-5
- tlo-6
capabilities:
executive: capability-8
inject-2:
action: executable/inject-1/path.sh
description: "does bruteforce to VPN"
from-entity: international-org
to-entities:
- ministry.it-department.it-1
- ministry.it-department.it-2
- ministry.operation-department.operation-1
- ministry.operation-department.operation-2
tlos:
- tlo-3
- tlo-4
- tlo-5
capabilities:
executive: capability-8
inject-3:
action: executable/inject-12/path.sh
description: "Logs in to the VPN"
from-entity: international-org
to-entities:
- ministry.it-department.it-1
tlos:
- tlo-3
capabilities:
executive: capability-9
inject-4:
action: executable/inject-3/path.sh
description: "Logs in to the VPN"
from-entity: ministry.operation-department.operation-1
to-entities:
- ministry.it-department
capabilities:
executive: capability-11
inject-5:
action: executable/inject-1/path.sh
description: "Sends Email to IT"
from-entity: ministry.operation-department.operation-1
to-entities:
- ministry.it-department
capabilities:
executive: capability-11
inject-6:
action: executable/inject-1/path.sh
description: "Uploads a file"
from-entity: ministry.operation-department.operation-1
to-entities:
- ministry.it-department
tlos:
- tlo-7
capabilities:
executive: capability-13
inject-7:
action: executable/inject-1/path.sh
description: "Rather updating to patch it downgrades version"
from-entity: ministry.it-department.it-1
to-entities:
- ministry.operation-department
tlos:
- tlo-6
capabilities:
executive: capability-15
inject-8:
action: executable/inject-1/path.sh
description: "Logs in to vulnerable server with admin credential"
from-entity: ministry.it-department.it-2
to-entities:
- ministry.operation-department
capabilities:
executive: capability-11
secondary:
- capability-13
- capability-14
conditions:
condition-1:
source: log-server-package
description: "Monitoring all agents in log server"
condition-2:
source: digital-library-package
description: "Monitors VPN access"
condition-3:
command: executable-path.sh
interval: 300
description: "Check if executable is running"
condition-4:
source: digital-library-package
description: "Check if executable is running"
condition-5:
command: executable-path.sh
interval: 300
description: "Check if executable is running"
condition-6:
source: digital-library-package
description: "Script to defend against powershell"
condition-7:
command: executable-path.ps1
interval: 60
description: "Check if ad has been infected with privilege escalation"
condition-8:
source: executable-path.ps1
description: "Check if patch is done or not"
condition-9:
source: executable-path.sh
description: "Check if any entities from IT department logs in to web server"
condition-10:
source: executable-path.sh
description: "Check if any db contains SQL injection"
condition-11:
source: executable-path.sh
description: "Check if any db is running"
condition-12:
source: executable-path.sh
description: "Check if vpn is running"
condition-13:
source: executable-path.sh
description: "Cleans up the traces in VPN log"
condition-14:
source: executable-path.ps1
description: "Does random browsing on web"
condition-15:
source: executable-path.ps1
description: "Sends email using the powershell email script"
condition-16:
source: executable-path.ps1
description: "Check file server is up"
condition-17:
source: executable-path.ps1
description: "Check if user is logged in VPN"
condition-18:
source: executable-path.sh
description: "Check if web server is available"
entities:
ministry:
name: "Top Ministry"
description: "A large, prominent ministry responsible for various important tasks and operations."
role:
mission: |-
"To maintain the highest standards of integrity, professionalism, and public service while
achieving its goals and objectives."
categories:
- "Government Services"
- "Public Policy Implementation"
tlos:
- tlo-1
- tlo-2
- tlo-3
- tlo-4
- tlo-5
vulnerabilities:
- vulnerability-9
- vulnerability-10
- vulnerability-11
- vulnerability-12
entities:
operation-department:
name: "Top admin operation"
description: "The department responsible for providing administrative support to the various departments within the ministry."
role:
mission: "To ensure the smooth and efficient functioning of the ministry by providing quality administrative support."
categories:
- "Facility Management"
- "Record Keeping"
tlos:
- tlo-4
- tlo-5
- tlo-7
vulnerabilities:
- vulnerability-6
entities:
operation-1:
name: "William Johnson"
description: "William is a 40-year-old administrative assistant who has been working in the field for over 15 years. He is highly organized and detail-oriented, making him a valuable asset to his team. In his free time, William enjoys reading and playing chess."
operation-2:
name: "Emily Davis"
description: "Emily is a 35-year-old office manager who has a talent for managing complex projects with ease. She is friendly and approachable, making her well-liked by her coworkers. In her free time, Emily enjoys practicing yoga and volunteering at a local animal shelter."
it-department:
name: "Top IT"
description: "The department responsible for maintaining the ministry's IT systems and ensuring their security and efficiency."
role: Blue
mission: "To ensure the smooth and secure functioning of the ministry's IT systems by providing quality IT support."
categories:
- "IT Management"
- "Monitor and Maintenance"
vulnerabilities:
- vulnerability-7
tlos:
- tlo-1
- tlo-2
- tlo-3
- tlo-6
- tlo-7
entities:
it-1:
name: "Olivia Smith"
description: "Olivia is a 22-year-old IT specialist who is part of the Gen Z generation. She is tech-savvy and highly knowledgeable about the latest advancements in the field. Olivia is passionate about using technology to solve real-world problems and is always looking for ways to improve her skills."
vulnerabilities:
- vulnerability-8
it-2:
name: "Ryan Johnson"
description: "Ryan is a 35-year-old IT expert who has been in the field for over a decade. Although he is highly skilled and experienced, Ryan has developed a reputation for being lazy and not putting in the effort required to stay on top of his game. Despite this, his expertise and knowledge of the industry make him a valuable asset to any team."
international-org:
name: "Attacker"
description: "A highly organized and well-funded hacking group."
role: Red
mission: "To spread ransomware and extort organizations for financial gain."
categories:
- APT
- TEAM
entities:
red-player:
name: "Shadow Syndicate"
description: "A top-tier ransomware attacker known for their highly sophisticated and effective tactics. The group is made up of skilled and experienced individuals who constantly work to stay ahead of their targets' defences."
vulnerabilities:
- vulnerability-2
- vulnerability-5
tlos:
tlo-1:
name: "Identify privilege escalation for Active Directory"
description: "Identifying the privilege escalation in AD"
evaluation: evaluation-1
capabilities:
- capability-1
- capability-2
tlo-2:
name: "Patching the Active Directory"
description: "Patching the Active Directory"
evaluation: evaluation-2
capabilities:
- capability-3
- capability-4
tlo-3:
name: "Report the identified incident"
description: "Report any identified incident or suspicious activity"
evaluation: evaluation-3
capabilities:
- capability-5
- capability-6
tlo-4:
name: "Analyzing situation and writing report"
description: "Analyze the whole situation and write a report"
evaluation: evaluation-4
capabilities:
- capability-7
- capability-8
tlo-5:
name: "Distribute task to all entities"
description: "Depending on the roles divide the tasks"
evaluation: evaluation-5
capabilities:
- capability-9
- capability-10
tlo-6:
name: "Patching the DB"
description: "Patching the DB"
evaluation: evaluation-2
capabilities:
- capability-3
- capability-6
tlo-7:
name: "Communication with other department in organization"
description: "Communication with other department in organization"
evaluation: evaluation-6
capabilities:
- capability-11
- capability-12
goals:
goal-1:
name: Secure Active Directory
description: Ensure the security and stability of Active Directory
tlos:
- tlo-1
- tlo-2
- tlo-3
goal-2:
name: Analyze and Report Incidents
description: Analyze and report on incidents or suspicious activities
tlos:
- tlo-4
goal-3:
name: Efficient Task Distribution
description: Ensure efficient distribution of tasks in incident response
tlos:
- tlo-5
goal-4:
name: Interdepartmental Communication
description: Ensure effective communication with other departments in the organization
tlos:
- tlo-7
capabilities:
capability-1:
description: "Can execute any powershell script"
condition: condition-5
capability-2:
description: "Can defend against active directory attacks"
condition: condition-6
vulnerabilities:
- vulnerability-1
- vulnerability-2
capability-3:
description: "Can identify threats and vulnerabilties"
condition: condition-4
capability-4:
description: "Can patch system misconfiguration"
condition: condition-3
vulnerabilities:
- vulnerability-2
- vulnerability-3
- vulnerability-4
capability-5:
description: "Can monitor unauthorized access"
condition: condition-2
capability-6:
description: "Can defend against database vulnerabilities"
condition: condition-6
vulnerabilities:
- vulnerability-3
- vulnerability-4
capability-7:
description: "Can monitor whole organization"
condition: condition-1
vulnerabilities:
- vulnerability-1
capability-8:
description: "Can execute any bash script in db"
condition: condition-11
capability-9:
description: "Can execute attack the active directory"
condition: condition-7
capability-10:
description: "Can clean up the access footprint in VPN"
condition: condition-7
capability-11:
description: "Can browse using the browser"
condition: condition-14
capability-12:
description: "Can send email"
condition: condition-15
capability-13:
description: "Can upload files in cloud storage"
condition: condition-16
capability-14:
description: "Can log in to web service"
condition: condition-17
capability-15:
description: "Can execute any bash script in web server"
condition: condition-18
vulnerabilities:
vulnerability-1:
name: "Weak or Stolen User Credentials"
description: "This vulnerability occurs when an application or system does not properly protect user credentials, such as by using weak passwords, storing them in plaintext, or failing to properly validate them. This can allow an attacker to gain unauthorized access to the application or system using stolen or guessed credentials."
technical: true
class: "CWE-522"
vulnerability-2:
name: "System misconfigurations"
description: "This vulnerability occurs when a system or component is not properly configured, such as by using weak or easily guessable credentials, or failing to properly enforce access controls or permissions. This can allow an attacker to gain unauthorized access to the web application or the underlying active directory."
technical: true
class: "CWE-918"
vulnerability-3:
name: "SQL Injection"
description: "This vulnerability occurs when an attacker is able to insert malicious SQL code into a web application's query, which can allow the attacker to gain unauthorized access to the underlying database. This can lead to data leakage, data manipulation, or even complete compromise of the application and its data."
technical: true
class: "CWE-89"
vulnerability-4:
name: "Unpatched SQL Database"
description: "This vulnerability occurs when the database management system is not kept up to date with the latest security patches and updates. An unpatched SQL database can be vulnerable to known exploits and attacks that have already been addressed in more recent versions of the software. This can allow an attacker to easily gain unauthorized access to the database and potentially steal or manipulate sensitive data."
technical: true
class: "CWE-16.2"
vulnerability-5:
name: "Unauthorized Access"
description: "This vulnerability occurs when an application or system does not properly authenticate users, allowing unauthorized access. This can happen due to a number of issues, such as weak or easily guessed passwords, lack of proper access controls, or the use of hard-coded credentials. An attacker can take advantage of this weakness to gain unauthorized access to the application or system and potentially steal or manipulate sensitive data."
technical: true
class: "CWE-287"
vulnerability-6:
name: "Lack of awareness on IT system"
description: "This vulnerability occurs when users, employees, or administrators are not properly trained or informed on the security of the IT systems they use. This can lead to actions that compromise security, such as using weak passwords, accessing sensitive data without proper authorization, or falling for phishing scams. This type of vulnerability is often due to a lack of security awareness training and education programs within an organization."
technical: false
class: "CWE-1300"
vulnerability-7:
name: "Lack of proper security testing for production release"
description: "This vulnerability occurs when software or applications are not thoroughly tested for security prior to release into production. This can lead to unknown security vulnerabilities or exploits that can be exploited by attackers. The lack of proper security testing before release can also result in the failure to detect and fix known security issues that have already been discovered and addressed."
technical: true
class: "CWE-787"
vulnerability-8:
name: "Insufficient Access Control"
description: "This vulnerability occurs when an application or system does not properly enforce access controls or permissions, allowing unauthorized access to sensitive information. This can happen due to a number of issues, such as weak or easily guessed passwords, lack of proper authentication mechanisms, or the failure to properly validate user roles and permissions. An attacker can take advantage of this weakness to gain unauthorized access to sensitive data and potentially steal or manipulate it."
technical: true
class: "CWE-284"
vulnerability-9:
name: "Lack of Security Policy and Procedures"
description: "This vulnerability occurs when an organization does not have formalized security policies and procedures in place, or when existing policies and procedures are not being properly followed. This can lead to inconsistent and insecure practices, as well as increased risk of security incidents and data breaches."
technical: false
class: "CWE-737"
vulnerability-10:
name: "Insufficient Security Awareness and Training"
description: "This vulnerability occurs when employees and personnel within an organization lack proper security awareness and training, leading to poor security practices and increased risk of security incidents and data breaches. This can include issues such as weak passwords, the sharing of sensitive information, and the downloading of malicious software."
technical: false
class: "CWE-807"
vulnerability-11:
name: "Lack of Incident Response Plan"
description: "This vulnerability occurs when an organization does not have a formalized incident response plan in place, or when existing plans are not being properly followed. This can lead to poor and inconsistent handling of security incidents, as well as increased risk of data loss and damage to reputation."
technical: false
class: "CWE-739"
vulnerability-12:
name: "Third-Party Security Risks"
description: "This vulnerability occurs when an organization relies on third-party vendors and service providers to handle sensitive information and data, but does not properly assess and manage the security risks associated with these relationships. This can lead to data breaches, theft of sensitive information, and loss of reputation."
technical: false
class: "CWE-698"
evaluations:
evaluation-1:
description: "This evaluates if privilege escalation has happened or not"
metrics:
- metric-1
min-score: 50
evaluation-2:
description: "This evaluates if the patching was done or not"
metrics:
- metric-2
min-score: 50
evaluation-3:
description: "This evaluates if the incident was reported or not"
metrics:
- metric-3
min-score: 80
evaluation-4:
description: "This evaluates if the report was written or not"
metrics:
- metric-4
min-score: 30
evaluation-5:
description: "This evaluates if the tasks were distributed or not"
metrics:
- metric-5
min-score: 50
evaluation-6:
description: "This evaluates if there were any communication within department"
metrics:
- metric-6
min-score: 50
metrics:
metric-1:
max-score: 80
type: conditional
condition: condition-7
metric-2:
max-score: 70
type: conditional
condition: condition-8
metric-3:
max-score: 100
type: manual
artifact: true
metric-4:
max-score: 60
type: manual
artifact: true
metric-5:
max-score: 90
type: manual
artifact: true
metric-6:
max-score: 50
type: manual
artifact: true
nodes:
switch-1:
type: switch
switch-2:
type: switch
switch-3:
type: switch
switch-4:
type: switch
switch-5:
type: switch
linux-vm-1:
type: vm
os: linux
source: ubuntu-20.04
resources:
ram: 4GiB
cpu: 4
roles:
admin:
username: "root"
entities:
- ministry.it-department.it-1
features:
web-server: admin
web-server-application: admin
web-server-db: admin
web-server-configuration: admin
vulnerabilities:
- vulnerability-1
conditions:
condition-9: admin
condition-10: admin
condition-11: admin
condition-17: admin
active-directory:
type: vm
os: windows
source: windows-server
resources:
ram: 4GiB
cpu: 4
roles:
admin:
username: "root"
entities:
- ministry.it-department.it-1
features:
active-directory: admin
active-directory-configuration: admin
vulnerabilities:
- vulnerability-1
- vulnerability-5
conditions:
condition-6: admin
condition-7: admin
condition-8: admin
vpn-server:
type: vm
os: linux
source: linux-server
resources:
ram: 4GiB
cpu: 4
roles:
admin:
username: "root"
entities:
- ministry.it-department.it-1
features:
vpn-server: admin
vpn-configuration: admin
vulnerabilities:
- vulnerability-1
- vulnerability-5
conditions:
condition-2: admin
condition-12: admin
condition-13: admin
log-server:
type: vm
os: linux
source: linux-server
resources:
ram: 8GiB
cpu: 4
roles:
admin:
username: "root"
entities:
- ministry.it-department.it-1
features:
log-server: admin
log-configuration: admin
conditions:
condition-1: admin
windows-vm-1:
type: vm
os: windows
source: windows-10
resources:
ram: 4GiB
cpu: 4
roles:
admin: "root"
user:
username: "root"
entities:
- ministry.it-department.it-1
features:
browser: user
development-ide: user
vulnerabilities:
- vulnerability-1
- vulnerability-5
conditions:
condition-3: admin
condition-14: admin
windows-vm-2:
type: vm
os: windows
source: windows-10
resources:
ram: 4GiB
cpu: 4
roles:
admin: "root"
user:
username: "root"
entities:
- ministry.it-department.it-1
features:
browser: user
development-ide: user
conditions:
condition-4: admin
condition-15: admin
windows-vm-3:
type: vm
os: windows
source: windows-10
resources:
ram: 4GiB
cpu: 4
roles:
admin: "root"
user:
username: "root"
entities:
- ministry.it-department.it-1
features:
browser: user
conditions:
condition-5: admin
condition-16: admin
condition-17: admin
infrastructure:
switch-1:
type: switch
switch-2:
link:
- switch-1
type: switch
switch-3:
link:
- switch-1
type: switch
switch-4:
link:
- switch-1
type: switch
switch-5:
type: switch
linux-vm-1:
link:
- switch-5
- switch-3
active-directory:
link:
- switch-1
vpn-server:
link:
- switch-1
dependencies:
- active-directory
log-server:
link:
- switch-1
dependencies:
- active-directory
windows-vm-1:
link:
- switch-2
dependencies:
- active-directory
count: 1
windows-vm-2:
link:
- switch-3
dependencies:
- active-directory
count: 1
windows-vm-3:
link:
- switch-4
dependencies:
- active-directory
count: 1
windows-vm-2:
link:
- switch-1
dependencies:
- active-directory
count: 1
features:
active-directory:
name: "win.top.xyz"
type: "service"
description: "Active Directory is a directory service that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services, and can be used to provide user authentication, authorization, and other directory services to network resources."
source: active-directory-0.1.0
active-directory-configuration:
dependencies:
- active-directory
type: "configuration"
description: "Active Directory Configuration is a configuration that Microsoft developed for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services, and can be used to provide user authentication, authorization, and other directory services to network resources."
source: active-directory-configuration-0.1.0
vulnerabilities:
- vulnerability-1
- vulnerability-2
vpn-server:
name: "vpn.top.xyz"
type: "service"
description: "VPN Server is a service that allows users to connect to a private network from a remote location."
source: vpn-server-0.1.0
vpn-configuration:
dependencies:
- vpn-server
type: "configuration"
description: "VPN Configuration is a configuration that allows users to connect to a private network from a remote location."
source: vpn-configuration-0.1.0
vulnerabilities:
- vulnerability-5
log-server:
name: "log.top.xyz"
type: "service"
description: "Log Server is a service that allows users to connect to a private network from a remote location."
source: log-server-0.1.0
log-configuration:
dependencies:
- log-server
type: "configuration"
description: "Log Configuration is a configuration that allows users to connect to a private network from a remote location."
source: log-configuration-0.1.0
browser:
type: "service"
description: "Web browser"
source: browser-0.1.0
development-ide:
type: "service"
description: "Development IDE"
source: development-ide-0.1.0
web-server:
type: "service"
description: "nginx Web server"
source: nginx-web-server-0.1.0
web-server-application:
dependencies:
- web-server
type: service
description: "nginx Web server application"
source: nginx-web-server-application-0.1.0
vulnerabilities:
- vulnerability-2
web-server-db:
dependencies:
- web-server
type: service
description: "nginx Web server database"
source: nginx-web-server-db-0.1.0
vulnerabilities:
- vulnerability-3
- vulnerability-4
web-server-configuration:
dependencies:
- web-server
type: "configuration"
description: "nginx Web server configuration"
source: nginx-web-server-configuration-0.1.0