▲ CLASSIFICATION: CONFIDENTIAL — RTA EVIDENCE ▲
KEOLIS · MHI // DUBAI METRO // SECOPS

OPERATION IRON GATE

CYBER DRILL · USB-BORNE MALWARE · RTA DEMONSTRATION
EXERCISE DESIGNED & FACILITATED BY DEEPTI TOMAR · SECOPS LEAD
Scenario: A third-party contractor inserts an unauthorised USB drive into engineering workstation FIN-WS-022. The drive carries a payload designed to drop a Cobalt Strike loader and pivot laterally across the Business ICT network.

Our defence-in-depth stack — Symantec SEPM, Symantec EDR, Microsoft Sentinel, Microsoft Defender, Kaspersky USB Scan, and FortiGate — detects the threat within minutes. As SecOps Lead, you will guide your team through the response: validate, classify, contain, recover.

Outcome to demonstrate to RTA: a mature SOC that detects USB-borne malware fast, halts lateral movement, protects Rail OT, and keeps trains running — with full audit trail and aligned to DM001-CYB-ALL-PC-04934 A1.
DM001-CYB-ALL-CD-2026 · ALIGNED W/ PC-04934 A1
STATUS MONITORING
EXERCISE T+ 00:00
▸ Shift Roster RACI · §3

Command
  DT  Deepti Tomar      SecOps Lead · YOU           ON DUTY
  JM  JM. Briffaut      Head of Cyber / ISO         STDBY
  BK  Bhumika K.        Snr. Info Sec Specialist    STDBY

On Duty (4 of 6)
  T2  Senior Analyst A  Tier-2 · 12hr shift         ON DUTY
  T1  Analyst B         Tier-1 · Sentinel/Tickets   ON DUTY
  JC  Junior C          BAU Custodian               BAU
  JD  Junior D          EDR / Threat Intel          ON DUTY

On Rest Day (3)
  SA  Senior Analyst B  Tier-2                      REST
  AC  Analyst C         Tier-1                      REST
  JE  Junior E          Tier-1                      REST
▸ Detection Stack
  Symantec SEPM   ACTIVE
  Symantec EDR    ACTIVE
  MS Defender     ACTIVE
  MS Sentinel     ACTIVE
  Kaspersky USB   ACTIVE
  FortiGate FW    ACTIVE

▸ BAU RAIL OPS
  Train Service   NOMINAL
  Signalling      NOMINAL
  Traction Pwr    NOMINAL
  SCADA           CLEAN
  Stations        31/31 OK

Incidents by priority
  P4 · LOW        0
  P3 · MEDIUM     0
  P2 · HIGH       0
  P1 · CRITICAL   0
▸ Network Topology · Live Threat Map MITRE: —
▸ Live Inject Feed events: 0
▸ Mission Console YOU · §4.6
▸ Console Metrics BAU: GREEN
  SCORE 0 · MTTD -- · DECISIONS 0 · SOC READINESS 0%
  Tabs: CWR · TICKETS · IRM · IOCs
  Incident classes:
    #07 Windows Malware
    #02 Windows Intrusion
    #05 Malicious Network
    #12 Insider/Vendor Abuse
    #11 Information Leakage
    #01 Worm Infection
  IOCs collected during drill:
DRILL PROGRESS
STEP 1 OF 17
▲ CYBER WAR ROOM ACTIVATED ▲
UNAUTHORIZED USB DETECTED
Device: USB Mass Storage Class
Host: FIN-WS-022 · Engineering ICT
User: contractor.vendor.42
EXERCISE COMPLETE · POST-INCIDENT REVIEW
DRILL DEBRIEF
SCORE 0 / 100
◆ AUDIT-READY ◆
  MTTD                  8 min
  CONTAINED IN          42 min
  ENDPOINTS AFFECTED    3
  ENDPOINTS RECOVERED   3 / 3
  OT IMPACT             NONE
  BAU CONTINUITY        GREEN · TRAINS RUNNING

▸ KEY OBSERVATIONS FOR RTA

▸ COMMITTED IMPROVEMENTS

• Block all USB mass storage by default; whitelist via SEPM device control — Owner: SecOps Lead — +4 weeks
• Mandatory Kaspersky USB scan station at every site entrance for vendors — Owner: IT Ops + Security — +6 weeks
• Vendor escort policy + USB inventory log per site — Owner: ISO + Compliance — +3 weeks
• Add Sentinel rule: USB device insert + suspicious process spawn within 60s window — Owner: SecOps — +2 weeks
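The correlation behind the last improvement, as an added example that is not the page's own material nor the SOC's Sentinel rule: the production rule would be written in KQL against the Sentinel workspace, but the logic is prototyped here in Python over constructed, pipe-delimited endpoint events so it can be run offline. The field layout, the living-off-the-land binary list and the sample lines are assumptions. A USB insert raises an alert when, within the 60 s window on the same host, either a LOLBin starts or any image is executed straight from the mounted drive letter; a vendor opening a spreadsheet from the stick with Excel is not flagged. Caveat for the rule owner: a fixed window misses a payload the user launches minutes later (the encoded PowerShell in the sample falls outside it), so the drive-letter condition is worth running as a standing rule as well as a post-insert one.

```python
"""USB-insert + suspicious-process correlation, prototyped in Python.
Added example for this drill page; it is not the SOC's Sentinel rule, and the
event layout, field names and sample lines are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # the 60 s window from the committed improvement

# Living-off-the-land binaries that should not start seconds after a removable
# drive mounts on an engineering workstation. Illustrative list; tune per site.
LOLBINS = {"powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
           "wscript.exe", "cscript.exe", "cmd.exe", "certutil.exe"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    kind: str      # "usb_insert" or "process_start"
    detail: str    # mount letter (e.g. "E:") for usb_insert, image path for process_start
    cmdline: str = ""


def parse_line(line: str) -> Event:
    """Parse one constructed telemetry line: ts | host | user | kind | detail [| cmdline]."""
    fields = [f.strip() for f in line.split("|")]
    ts, host, user, kind, detail = fields[:5]
    cmdline = fields[5] if len(fields) > 5 else ""
    return Event(datetime.fromisoformat(ts), host, user, kind, detail, cmdline)


def parse_log(text: str) -> list[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def is_suspicious(proc: Event, mount: str) -> bool:
    """Flag a LOLBin, or any image executed straight off the mounted drive."""
    name = proc.detail.rsplit("\\", 1)[-1].lower()
    return name in LOLBINS or proc.detail.upper().startswith(mount.upper())


def correlate(events: list[Event], window: timedelta = WINDOW) -> list[dict]:
    """One alert per USB insert followed, on the same host and within `window`,
    by at least one suspicious process start (ATT&CK T1091, removable media)."""
    by_host: dict[str, list[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts = []
    for host, evs in by_host.items():
        procs = [e for e in evs if e.kind == "process_start"]
        for ins in (e for e in evs if e.kind == "usb_insert"):
            hits = [p for p in procs
                    if ins.ts <= p.ts <= ins.ts + window and is_suspicious(p, ins.detail)]
            if hits:
                alerts.append({
                    "host": host,
                    "user": ins.user,
                    "mount": ins.detail,
                    "usb_ts": ins.ts.isoformat(),
                    # (seconds after insert, image, command line) for each hit
                    "processes": [(int((p.ts - ins.ts).total_seconds()), p.detail, p.cmdline)
                                  for p in hits],
                    "attack": "T1091",
                })
    return alerts


# Constructed sample telemetry (not real Sentinel data). The first host mirrors the
# drill inject; the second is a benign user opening a spreadsheet from a USB stick.
SAMPLE_LOG = r"""
2026-02-10T09:14:02 | FIN-WS-022 | contractor.vendor.42 | usb_insert    | E:
2026-02-10T09:14:31 | FIN-WS-022 | contractor.vendor.42 | process_start | C:\Windows\explorer.exe
2026-02-10T09:14:40 | FIN-WS-022 | contractor.vendor.42 | process_start | C:\Windows\System32\rundll32.exe | rundll32.exe E:\docs\update.dll,Start
2026-02-10T09:14:55 | FIN-WS-022 | contractor.vendor.42 | process_start | E:\setup.exe | E:\setup.exe /s
2026-02-10T09:20:00 | FIN-WS-022 | contractor.vendor.42 | process_start | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell -enc SQBFAFgA
2026-02-10T10:00:00 | FIN-WS-007 | alice.b | usb_insert    | F:
2026-02-10T10:00:20 | FIN-WS-007 | alice.b | process_start | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | EXCEL.EXE F:\report.xlsx
"""

if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is and the only alert is for FIN-WS-022: rundll32 loading a DLL from E: at +38 s and E:\setup.exe at +53 s; the encoded PowerShell at +358 s and the Excel launch on FIN-WS-007 are not reported.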