TRYZUB Cyberdrills
Threat-Emulation eXperiences
Made in Ukraine, Powered by CYBER RANGES
Unique Collaborative Cyber-Range eXercises for Preparedness
“Resilience reflects the strength and flexibility of a society in the face of adversity. Ukraine has shown the world what it means to be resilient in the face of cyberattacks and disruptions of connectivity, and we welcome the opportunity to continue learning from you.”
HE Nathaniel C. Fick (USMC Ret.)
1st Ambassador-at-Large for Cyberspace and Digital Policy
Author of “One Bullet Away: The Making of a Marine Officer”
These emulations have been jointly developed with the Ukrainian warfighters of CERT-UA during the on-going first-ever world cyber war, our goal being to help you bolster your organization’s operational readiness and national resilience against cyber threats addressing critical infrastructure.
JOINT CYBER-RANGE SCENARIOS
These unique Cybersecurity Scenarios are the outcome of the Public-Private Partnership between SSSCIP and CYBER RANGES to build an experiential bridge between the US and Ukraine’s cybersecurity expert communities.
The Partners are working on a set of complex threat emulation scenarios with the goal of educating allied international agencies and critical infrastructure operators on the complex cyberattacks that Ukraine has deterred and fought back before and during wartime.
The synergy of Ukrainian experience and American technologies makes it possible to make our common cyberspace safer.
The use of new scenarios will undoubtedly help train security officers in the most modern methods of countering cyberattacks.
We are grateful to the CYBER RANGES team and the American people for supporting Ukraine and implementing such a project.
'What if we could experience the attack without the negative impact and play and replay it at will until our team has developed the necessary muscle memory to deal with it in the field?'
'What if, besides the IoCs and threat information, we would actually timely share the experience of dealing with the actual attack among our allies?'
'Well, we have done it!'
CERT-UA’s mission is to provide practical assistance in the prevention and detection of and response to cyber incidents for all organizations in Ukraine. CERT-UA deals with different types of cyber threats every day: cyber espionage, intrusions, and others that may be followed by destruction and disruption.
CERT-UA is actively involved in the sharing of best practices regarding the responsible management of cyber fronts, effective cyber defense implementation, cyber threat intelligence and collaboration.
In April 2022 CYBER RANGES and SSSCIP Ukraine signed a Memorandum of Collaboration for the support of Ukraine’s National Cybersecurity Qualifications Framework. The MITRE Corporation’s innovation accelerator Engenuity selected CYBER RANGES as the cyber-range-of-choice for MITRE ATT&CK Defender™ and Purple Teaming. This strategic relationship now continues with their spin-off MAD20 Technologies.
CYBER RANGES offers advanced, high-fidelity attack emulations on Cyber-Physical replica infrastructures for Persistent Cyber Training Environments, with Off-the-shelf and Bespoke Missions. It is deployable as SaaS, On-Prem, or Transportable.
[*] ‘Tryzub’ is the colloquial name of Ukraine’s national symbol, i.e., a trident that signifies the elements of fire, water and earth. The symbol is said to derive from the shape of a white gyrfalcon diving in fight.
Best-In-Class Threat Emulation Experiences by CYBER RANGES
GARTNER (2024): The importance and criticality of training with "live ammunition" or simulated "live ammunition" cannot be over-emphasized.
Come and train with our Field-hardened Drill Masters on Advanced Attack Emulations running on the CYBER RANGES military-grade Synthetic Training Environment.
– Cyberthreat experience sharing
– Hands-on performance
– Preparedness validation
Everyone who understands the risks posed by the type of cyberattacks being experienced in Ukraine must unite for a more effective containment of those cyberthreat actors.
Threat-eX™ focuses on demonstrable, measurable cybersecurity practitioner abilities immediately employable in the Incident Response Room.
Threat-eX™ offers you:
– Scenarios with live and after-action assessments.
– Role-mapped, pre-exercise training content.
– A wrap-up and hot-wash session after each exercise.
– Post-event performance reports (individual and team).
– Actionable insights.
– Personal certificates of completion, digital badges, and CPE credits.
– Evidence of participation in support of your organization’s compliance requirements.
Who would benefit from using Threat-eX™
– Individuals aiming to hone their skills or gain a deeper understanding of the advanced persistent threat (APT) landscape.
– Technical and cybersecurity teams (such as SOC, CERT, IR, DFIR) and their managers.
– Organizations with large or multiple teams.
– Critical industries requiring robust cybersecurity measures.
– Governmental agencies, military, and non-governmental organizations (NGOs).
The TRYZUB schedule for 2024/25
The TRYZUB 1-day cyberdrills are run on-demand for Military, Government, and Critical Infrastructure Operators.
Interested parties can reach out to us by email or contact form:
contact@cyberranges.com
Sandthreat
Threat Actor: Sandworm
Threat Type: Destructive
Attacker Tools: Mimikatz, Awfulshred, Roarbat, Neo-reGeorg, Impacket
Threat Rating: High
Threat Impact: Destruction, Data Exfiltration, Service Availability
Difficulty: Intermediate
MITRE ATT&CK® TTPs Covered:
– OS Credential Dumping – T1003
– Remote Services: SMB/Windows Admin Shares – T1021
– Acquire Infrastructure: Server – T1583.004
– Brute Force – T1110
– Command and Scripting Interpreter: Windows Command Shell – T1059.003
– Exploitation for Privilege Escalation – T1068
– Scheduled Task/Job: Scheduled Task – T1053.005
– Domain or Tenant Policy Modification: Group Policy Modification – T1484
– Impair Defenses: Disable or Modify System Firewall – T1562
– Proxy: Internal Proxy – T1090
– Protocol Tunneling – T1572
– Server Software Component: Web Shell – T1505
– Email Collection – T1114
– Remote Services: SSH – T1021.004
– Command and Scripting Interpreter: PowerShell – T1059.001
– Data Destruction – T1485
– Valid Accounts: Domain Accounts – T1078.002
– Data from Local System – T1005
– Initial Access – TA0001
– Exploit Public-Facing Application – T1190
Gamathreat
You will assume the role of a cybersecurity team that got information about the connections.
Your objectives are:
– To investigate all malicious activities within the network
– To discover how the attacker infiltrated the network
– To identify all indicators of compromise
– To uncover and neutralize any remaining threats
– To determine what data, if any, has been exfiltrated
Threat Actor: Gamaredon
Threat Type: Espionage
Attacker Tools: Gamaload, Gamasteel
Threat Rating: High
Threat Impact: Data Exfiltration
Difficulty: Hard
MITRE ATT&CK® TTPs Covered:
– Application Layer Protocol: Web Protocols – T1071.001
– Automated Collection – T1119
– Automated Exfiltration – T1020
– Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – T1547.001
– Command and Scripting Interpreter: PowerShell – T1059.00
– Command and Scripting Interpreter: Visual Basic – T1059.00
– Data from Local System – T1005
– Data from Network Shared Drive – T1039
– File and Directory Discovery – T1083
– Modify Registry – T1112
– Peripheral Device Discovery – T1120
– Phishing: Spearphishing Attachment – T1566.001
– System Binary Proxy Execution: Mshta – T1218.005
– System Information Discovery – T1082
– Taint Shared Content – T1080
– Template Injection – T1221
To maximize the economies of delivery and thanks to the high orchestration / automation / scalability of the CYBER RANGES platform, the TRYZUB events are offered as joint participation by multiple organizations, whose respective teams can experience the threat scenario in full confidentiality.
Meet the TRYZUB Drill Masters
Brig. Gen. Oleksandr Potii
Head of SSSCIP
Doctor of Technical Sciences
Professor
Oleksandr Potii earned his PhD in communication security from Kharkiv Military University and became DScTech at the Kharkiv National University of Air Force. His areas of research include information protection standards, cybersecurity and cryptography.
Brig. Gen. Potii has more than 25 years of experience in military service, and 20 years of academic and pedagogical experience. Before joining the State Service, he held different technical and administrative positions at important educational institutions, such as Kharkiv National University of Radio Electronics and National Aerospace University “Kharkiv Aviation Institute”.
In his current position, Brig. Gen. Potii is responsible for a range of important areas, including critical infrastructure protection, IT standardization and certification, cyber defence and cyber workforce development. Oleksandr Potii is a laureate of the National Prize of Ukraine named after Borys Paton (2021).
He authored 5 manuals, more than 100 research articles, and developed several specialized university courses in areas of his expertise.
Dr. Oleksii Baranovskyi
Cybersecurity Researcher
Dr. Oleksii Baranovskyi is a distinguished figure in the field of Ukrainian cybersecurity.
As a senior lecturer and an associate professor in such esteemed institutions as the National Technical University of Ukraine “Ihor Sikorsky Kyiv Polytechnic Institute” and Blekinge Institute of Technology (BTH), Sweden, Oleksii has been instrumental in developing and delivering critical cybersecurity courses, and his doctoral work has been recognized with a Presidential award for Young Scientists in 2018.
Oleksii is an accredited instructor for prestigious organizations like (ISC)², ISACA, and EC-Council.
His contributions to cybersecurity education have been honoured with international awards, including the EC-Council Instructor (CEI) Circle of Excellence Award in 2022 and the ISACA Educational Excellence Award in 2024, underpinning his role as a global educator.
Oleksii is known for his dedication to public service in cybersecurity through trainings and educational programs, for which he has been commended with national honours: the National Security Council order "Defender of Ukraine" in 2020 and a medal of honour from the State Service of Special Communication and Information Protection of Ukraine (SSSCIP) for his impact on the creation and development of cyberpolice and national cybersecurity capabilities, as well as recognitions by OSCE, USAID, the National Bank of Ukraine and the National Police.
Oleksii serves as forensic investigator, penetration tester and application security expert in professional companies.
Eduard Bisceanu
Head of Technology Consulting
Eduard is a highly accomplished and experienced cyber security professional with both strategic and technical expertise in the field.
A graduate of the National Intelligence Academy and Military Communications Institute, Eduard has made significant contributions to the development of national cybersecurity programmes in Romania and played a pivotal role in leading the operationalisation phase of the first civilian government CERT team in the country.
Eduard has worked for several renowned organizations, including serving as the CSO of UniCredit Romania, National Technology Officer at Microsoft, Senior Manager at PwC, ProActive Defense SOC Director, Senior Consultant for Blue Cyber Team, Global Head of Technology and Professional Services for Silensec, and CISO of CEC Bank.
Throughout his career, Eduard has been recognized for his exceptional leadership skills, technical acumen, and his ability to deliver innovative solutions that address complex security challenges. He is passionate about promoting cyber security awareness and helping organizations of all sizes build robust cyber security strategies to mitigate risks and protect against evolving threats.
Dr. Wesley Phillips
CCISO CRISC CISM GSLC CASP PENTEST PMP
Director of the Quantico Cyber Range
Wes has gained over 20 years of combined law enforcement, physical security, network security, and risk management experience, plus over 16 years specifically on counterintelligence, technical surveillance countermeasures (NSA graduate).
Wes is a proven project manager, strategist, educator, and technologist. He is a collaborative team leader, college instructor, certification instructor, skill-based instructor, and effective communicator.
His hobbies include conducting CTFs, penetration testing, building anything cyber-related (e.g., SIEMs), martial arts instruction and practice, and playing music (piano, organ, drums, vocals).
Amarjit 'Labu' Labhuram
Threat Emulation Lead
Labu leads the Threat Emulation team at CYBER RANGES specializing in Offensive Security and Red Teaming with over 10 years’ experience in infosec.
His role involves regular training and guiding stakeholders on effective detection, response, and mitigation strategies. He has built strong field practitioner experience in Red Team and Adversary Simulation operations, with offensive capability development. Labu has led on the technical exercises during several cyberdrills for financial and government entities.
Labu is particularly drawn to the intricacies of Microsoft Windows system programming and is actively engaged in research, including the crafting of custom implants and refining Tactics Techniques and Procedures (TTPs) for Simulated Attack missions.
Labu proudly holds such industry certifications as CRTE, SEC565 Red Team Operations and Adversary Emulation, and CRTO, as evidence of his expertise in the security field.
James Billingsley OSCP
Range Master
James has gained 20 years’ experience as an Examiner, Consultant, Trainer and Speaker in the InfoSec and DFIR fields.
He has developed tools for Internet Browser forensics used globally by a number of law enforcement agencies and international corporations.
James has led PCI investigations for major payment providers including Visa and Mastercard.
As a Senior eDiscovery consultant James supported legal eDiscovery reviews for complex global litigation issues hosted on leading vendor platforms.
A course author and lead trainer for internal & external training for leading DFIR software vendors, James has worked together with UN’s ITU on a number of ITU cyberdrills, supporting their effort to build knowledge and skills for national CIRTs.
Developing Cybersecurity Muscle Memory and Organizational Resilience
Threat-eX™ is a comprehensive, enterprise-grade, 6-month program of Live Webinars and CYBER RANGES cyberdrill-grade, simulation-based exercises, delivering effective, threat-informed operations training, professional development and certification.
Just as physical strength is built through consistent "sets-and-reps," effective cybersecurity capabilities are developed through rigorous and continuous practice.
Threat-eX™ addresses the missing link in traditional training by integrating comprehensive, hands-on exercises that build practical skills and improve resilience against Advanced Persistent Threats (APTs).
'Meet The Drill Masters' On-Demand Webinar
Your Drill Masters
Dr. Wesley Phillips
CCISO CRISC CISM GSLC CASP PENTEST PMP
Director of the Quantico Cyber Range
Amarjit 'Labu' Labhuram
Threat Emulation Lead
Csaba Virág
Head of Capacity Programs
Csaba leads Cyber Capability Development at CYBER RANGES. Csaba’s expertise is rooted in both the technical and operational sides of cybersecurity, yet he places a significant emphasis on the importance of a human-centric approach to security and digital transformation.
Csaba collaborates with international organizations such as the International Telecommunication Union (ITU), European Cyber Security Organisation (ECSO), European Commission, European Union Agency for Cybersecurity (ENISA), and European Defence Agency (EDA).
Previously, as the Chief Strategy Officer at Nortal, Csaba guided the strategic vision and direction of cybersecurity solutions, delivering future-ready solutions to harvest the benefits of cybersecure ecosystems, environments, and businesses.
James Billingsley OSCP
Range Master
TRYZUB provides your SOC and Incident Response Teams the chance to build muscle memory in high-fidelity cyberattack emulations, based on the latest Threat Intelligence. Through joint practice on TRYZUB, participating teams will also have the opportunity to build collaboration and coordination towards an effective digital solidarity against threat actors, thus strengthening ultimate resilience.
Who are the TRYZUB scenarios for?
Practice on the TRYZUB scenarios will be of particular benefit for:
– Military units
– Government and Law-Enforcement Agencies
– Critical Network Operators
NOTE: Right of admission reserved.
All-In-One
$6,000 per user
$25,000 per 5-pax team
– Access to all 6 events in the calendar
– Role-mapped, pre-exercise training content provided
– Post-event Performance Reports and Insights (team and users)
– Certificate of completion / Digital Badge / CPE credits
Flexi
$1,250 per user, per event
$5,750 per 5-pax group, per event
Choose up to 5 events
– Flexible Access to up to 5 events in the calendar
– Date confirmation is required a minimum of 72 hours before each event
– Role-mapped, pre-exercise training content provided
– Post-event Performance Reports and Insights
– Certificate of completion / Digital Badge / CPE credits