Defensive Security Intro

Introducing defensive security, where you will investigate an ongoing attack at FakeBank

easy

20 min

5


Become the Defender

Defending an organisation is no easy task. In this room, you'll be working alongside Cassidy within the Security Operations Centre (SOC) - the central hub for defending an organisation.

As you'll come to discover, there are many parts and responsibilities within a defensive security team.

Are you ready to get stuck in?

Answer the questions below

What does the acronym "SOC" stand for?

An Attack Begins

You sit down at your new workstation and are greeted by FakeBank's security dashboard.

Security Operations Centres use a variety of tools (such as a monitoring dashboard) to gain an overall picture of what is happening within the organisation's digital landscape. These dashboards capture activity across devices, the network, and more.

Setting the Scene

It's a Monday, the start of your new career in defensive security. You enter the SOC of FakeBank, an up-and-coming banking institution, and are greeted by Cassidy, who will be helping you get up to speed with things.

It looks like you've joined at the perfect time. Currently, someone is making hundreds of attempts to log in to FakeBank's systems. Press the green "View Site" button below to start investigating.

You'll need to...

1. Open the monitoring dashboard by pressing the green button above
2. Take a look at the alert in front of you
3. Reveal the information within the alert to answer the question below.

Why you're doing this

The monitoring dashboard shows a history of what has happened on FakeBank's systems. Tools like the monitoring dashboard are able to understand what happens day-to-day, to build what is called a baseline. When events deviate from this regular activity, the team is alerted.

However, it's all well and good knowing that something bad is happening; to stop it, we need to understand exactly what is happening, and who is behind it.

Answer the questions below

Review the "Suspicious Login" alert. What username is being used?

Stopping the Attack

Now that we have confirmed that an attack is indeed happening, we can use the information we discovered in the previous task to stop the attacker in their tracks.

For the defensive security team, stopping an attack - or incident - is a high priority. The sooner we can stop the attacker, the less harm that will come to the organisation.

Stopping an attacker can be harder than it sounds. Modern attackers are smart, and often change their behaviour if they know they have been spotted. What stopped them once may not stop them again.

Protecting FakeBank

Cassidy now wants to begin stopping the attacker by disabling the dave.saunders account. Time is running out before the attacker finds the correct password. Press the green "View Site" button below for this portion.

You'll need to...

1. Open the practical by clicking on the green "View Site" button above
2. View the usernames on the "Account Management" page
3. Disable the account dave.saunders by pressing the padlock next to the username
4. Once done, a green success message will appear. Provide the value of this message in the question below.

Why you're doing this

We can see that the attacker is targeting this specific username, submitting random passwords until one works. This is known as brute-forcing, and it's only a matter of time before the attacker manages to find the correct password.

As a member of the defensive security team, if we can disable dave.saunders before the attacker logs in, we are stopping the incident from becoming much more severe. Especially for a bank, unauthorised access to an account can lead to serious penalties for the organisation. Being proactive is the name of the game in defensive security.

Answer the questions below

Lock the dave.saunders account by clicking the padlock icon next to the name. What value (flag) has appeared once this was done?

Investigating the Attacker

Phew, that was close. Great job on stopping the attacker.

Remember from task 3: the monitoring dashboard suggested that this attacker may be the notorious ShadowFigures group, which is targeting banking organisations like FakeBank.

It turns out this is not the group's first time. In defensive security, we share information about attackers. This is known as threat intelligence.

Now that dave.saunders has been locked, what will ShadowFigures try next?

Creating Threat Intelligence

For this portion of the room, we will be using FakeBank's threat intelligence system to note what ShadowFigures has just done.

The key to good threat intelligence is keeping it updated. Cassidy wants you to update FakeBank's systems to include what just happened. Press the green "View Site" button below to get started.

You'll need to...

1. Open the practical by clicking on the green "View Site" button above
2. Search for "ShadowFigures"
3. Update the intelligence report with what we have discovered.
4. Once done, a green success message will appear. Use the value of that to answer the question below.

Why you're doing this

The monitoring dashboard shows a history of what the attacker is trying to find on our website. You will see that the dashboard has captured the attacker making many attempts, in quick succession, to access hidden pages.

Once we know what the attacker is trying to achieve, we can then begin to take measures to stop the attacker and then finally fix the problem that allowed this attack in the first place.
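To show how a dashboard like FakeBank's turns a baseline into an alert, here is a small detection rule added for this walkthrough (it is not part of the room or its tools). It covers both the brute-forcing of a single username from the "Stopping the Attack" task and the rapid requests for hidden pages described above; the log format, thresholds, IP addresses and sample log lines are all constructed.

```python
# Added example: compare activity in a one-minute window against a fixed
# baseline, raising "Suspicious Login" for many failed logins on one
# username (brute-forcing) and "Hidden Page Scan" for a burst of 404s
# from one source. Everything below is constructed for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <source_ip> <event> <detail>"
SAMPLE_LOG = """\
2026-01-05T09:00:01 10.0.0.5 LOGIN_FAIL dave.saunders
2026-01-05T09:00:09 10.0.0.5 LOGIN_FAIL dave.saunders
2026-01-05T09:00:15 10.0.0.5 LOGIN_FAIL dave.saunders
2026-01-05T09:00:20 10.0.0.5 LOGIN_FAIL dave.saunders
2026-01-05T09:00:30 10.0.0.9 LOGIN_FAIL alice.jones
2026-01-05T09:01:02 10.0.0.5 HTTP_404 /admin
2026-01-05T09:01:03 10.0.0.5 HTTP_404 /backup
2026-01-05T09:01:04 10.0.0.5 HTTP_404 /old-site
"""

def max_in_window(times, seconds):
    """Largest number of timestamps inside any sliding window of `seconds`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > timedelta(seconds=seconds):
            start += 1          # slide the window start forward
        best = max(best, end - start + 1)
    return best

def find_alerts(log_text, login_baseline=3, scan_baseline=2, window=60):
    """Return (alert_name, subject, total_count) for activity above baseline."""
    fails = defaultdict(list)     # username  -> failed-login timestamps
    missing = defaultdict(list)   # source ip -> 404 timestamps
    for line in log_text.strip().splitlines():
        ts, src, event, detail = line.split(" ", 3)
        ts = datetime.fromisoformat(ts)
        if event == "LOGIN_FAIL":
            fails[detail].append(ts)      # detail is the username here
        elif event == "HTTP_404":
            missing[src].append(ts)       # detail is the requested path
    alerts = []
    for user, times in fails.items():
        if max_in_window(times, window) > login_baseline:
            alerts.append(("Suspicious Login", user, len(times)))
    for src, times in missing.items():
        if max_in_window(times, window) > scan_baseline:
            alerts.append(("Hidden Page Scan", src, len(times)))
    return alerts

print(find_alerts(SAMPLE_LOG))
```

Raising the baselines (for example `login_baseline=10`) makes the same log produce no alerts, which is the trade-off a SOC tunes between missed attacks and alert noise.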

Answer the questions below

Update FakeBank's systems to include what page - and username - ShadowFigures tried to hack.
A green success message will appear. What is the value (flag) of that message?

Incident Reports

Great, your colleagues thank you for updating FakeBank's systems about ShadowFigures.

But there is one last step for us to do. We need to create an incident report of what has just happened. We use these reports in defensive security to summarise what has just occurred and use them as training opportunities.

Submitting an Incident Report

Thankfully, FakeBank has another tool that lets us create an incident report based on what we have already done.

Deploy this part of the practical by clicking the green "View Site" button below to fill out your incident report.

You'll need to...

1. Open the practical by clicking on the green "View Site" button above
2. Within the incident report, enter both the username that we previously locked and the page that the attacker was trying to access.
3. Once you've submitted your report, return to the room.

Why you're doing this

Incident reports allow us to reflect on, learn from, and document this attack. This is helpful for us in defensive security (could we have done something quicker, or better?) but also for other members of the organisation, for example when improving our defences.

Moreover, if the attack became something much more serious, law enforcement and government officials would need to be able to see what we had done, and when.

Answer the questions below

What is the identifier of the incident report that you submit?

This looks like SOC-2026-XXX
