The SANS Cyber Situational Training eXercise (Cyber STX) is our premiere in-depth training and validation cyber range. Teams of participants engage in active Red-on-blue battle during an intense free-flowing week defending critical cyber terrain. The red team develops a comprehensive campaign based on one or more specific Advanced Persistent Threat(s), utilizing their same Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs) as the given APTs.
SANS instructors and Teaching Assistants (TAs) play the part of blue team coaches and red team / OPFOR operators, creating a highly realistic environment that can measure a blue team’s abilities, the capabilities of their tools and communications, and the effectiveness of their TTPs. Additionally, the Cyber STX can take red teamer skills to the next level. SANS offers the Cyber STX on-site for private events, virtually in a cloud-based environment, or in a mixed mode with participants both local and remote. Cyber STX can include both Information Technology (IT) and Operations Technology (OT) infrastructures, depending on the specific environments participants are called on to protect. From an OT perspective, SANS runs Cyber STX missions with Industrial Control System (ICS) devices for power distribution, power generation, water refinement, port crane operations, manufacturing systems, and more.
Characteristics of Cyber STX
- Live fire red-on-blue engagement lasting a week
- Custom, detailed campaign utilizing the TTPs and IOCs of one or more specific Advanced Persistent Threats
- SANS instructors act as blue team coaches, red teamers and coaches, and white cell organizers
- Daily shot validation emphasizing lessons learned and planning for subsequent days
- After Action Review on final day
- IT and OT environments, with the amount of OT and types of ICS infrastructures determined based on participants’ job needs
- Run anywhere, with local participants, remote participants, or mixed mode
- Ideal for teams of 30 to 100+ participants
- Blue team can utilize their own tools or a set of SANS recommended tools
Who should participate?
- Military groups seeking in-depth training and validation
- Cyber Protection Teams
- Government agencies with responsibilities for defending critical systems
- Large private industry organizations protecting complex infrastructure
Cyber STX in Action
Hear from cyber range creators Ed Skoudis and Josh Wright about how the Cyber STX red-on-blue exercises were used to simulate multiple attacks on water, transportation, and other infrastructure systems at a Muscatatuck Urban Training Complex training event in this video.