Introduction
Modern enterprise networks face relentless threats from ransomware, insider attacks, and increasingly sophisticated breaches. With the shift to hybrid and multi-cloud architectures, software-defined networking (SDN) platforms like VMware NSX-T are now critical for defense, detection, and rapid containment. Security war games, structured exercises using real-world attack and response scenarios, are the gold standard for building cyber resilience. In this article, we’ll walk through designing and executing advanced tabletop exercises and red/blue team drills using NSX-T, including complete end-to-end automation, SIEM/SOAR integration, and industry best practices.
Scope & Objectives
Key Goals
- Validate Detection: Test NSX-T’s ability to surface threats across East-West and North-South flows.
- Improve Response: Drill containment, isolation, and restoration workflows for various attack types.
- Measure & Improve: Track key metrics—dwell time, detection speed, and policy effectiveness.
Industry Applicability
Scenarios are relevant for finance, healthcare, government, and retail environments, adaptable to on-premises, hybrid, or cloud-first deployments.
Tabletop Exercise Design with NSX-T
Example Scenario: Healthcare Ransomware Outbreak
Narrative:
An attacker exploits a vulnerability in a legacy medical device, moves laterally, and attempts to encrypt sensitive patient records.
Roles:
- SOC Analyst: Detects initial compromise.
- NSX Admin: Deploys emergency microsegmentation.
- Incident Response (IR): Coordinates recovery and communication.
Injects:
- Suspicious SMB traffic detected between VLANs.
- Unusual PowerShell command from a medical device.
- Critical data transfer to external site.
Decision Points:
- Block or quarantine segment?
- Enable deeper packet inspection?
- Escalate to legal/compliance?
Red Team / Blue Team Drill Execution
Planning the Attack & Response Phases
- Red Team: Simulates attacker behavior (exploiting SMB, lateral movement via RDP, triggering C2 callbacks).
- Blue Team: Monitors NSX-T events, deploys distributed firewall (DFW) rules, isolates affected VMs, and validates containment.
Example Workflow
Automation Playbooks for War Games
End-to-End Playbook: Simulate Ransomware, Detect, Contain, Rollback
Sample PowerShell Workflow
# Authenticate with NSX-T Manager
$nsxMgr = "https://nsx-manager.local"
$creds = Get-Credential
Connect-NsxServer -Server $nsxMgr -Credential $creds
# Deploy a new emergency quarantine segment
New-NsxSegment -Name "Quarantine-Segment" -TransportZone "TZ1"
# Apply DFW policy to isolate affected VMs
$policy = @{
Name = "Ransomware-Containment"
AppliedTo = "Compromised-VMs"
Action = "DROP"
Source = "Compromised-VMs"
Destination = "Any"
Service = "Any"
}
New-NsxDFWRule @policy
# Monitor traffic in real-time
Get-NsxDFWStats -Policy "Ransomware-Containment"
# Rollback after exercise
Remove-NsxDFWRule -Name "Ransomware-Containment"
Remove-NsxSegment -Name "Quarantine-Segment"
Disconnect-NsxServer
Sample YAML Automation (Ansible Playbook)
--
- name: NSX-T Security War Game Playbook
hosts: localhost
tasks:
- name: Create quarantine segment
vmware.nsxt.nsxt_logical_switch:
hostname: "{{ nsx_manager }}"
username: "{{ nsx_user }}"
password: "{{ nsx_pass }}"
display_name: Quarantine-Segment
transport_zone_id: "{{ tz_id }}"
state: present
- name: Apply microsegmentation DFW rule
vmware.nsxt.nsxt_firewall_section:
hostname: "{{ nsx_manager }}"
username: "{{ nsx_user }}"
password: "{{ nsx_pass }}"
section_name: Ransomware-Containment
action: DROP
sources: "{{ compromised_vms }}"
destinations: Any
services: Any
state: present
- name: Remove DFW rule (cleanup)
vmware.nsxt.nsxt_firewall_section:
hostname: "{{ nsx_manager }}"
username: "{{ nsx_user }}"
password: "{{ nsx_pass }}"
section_name: Ransomware-Containment
state: absent
Playbook Workflow
Integration with SIEM/SOAR
Pushing NSX-T Alerts to SIEMs (Splunk, Sentinel, Cortex XSOAR, etc.)
Syslog Forwarding Example
- Configure NSX Manager to send logs to SIEM:
- Go to NSX Manager > System > Fabric > Syslog Servers.
- Add your SIEM server’s IP and UDP/514.
- Sample log (detect DFW DROP):
2024-07-10T13:22:16.501+0000 nsx-firewall[DFW]: DROP TCP 192.168.10.15:445 -> 192.168.20.45:445
REST API Alert to SOAR Example
curl -X POST \
'https://xsoar-instance/api/incidents' \
-H 'Authorization: Bearer <API_TOKEN>' \
-H 'Content-Type: application/json' \
-d '{
"name": "NSX-T War Game Alert",
"type": "Network Security",
"rawJSON": {"event": "Ransomware detected", "source_ip": "192.168.10.15"}
}'
Example Integration Diagram
MITRE ATT&CK Mapping
| Exercise Step | MITRE Technique | Description |
|---|---|---|
| Initial Access (SMB exploit) | T1190 (Exploit Public-Facing App) | Legacy device entry |
| Lateral Movement (RDP/SMB) | T1021 (Remote Services) | Move across VLANs |
| Data Exfiltration | T1041 (Exfiltration Over C2) | Send sensitive files out |
| Persistence (Reg keys, tasks) | T1053 (Scheduled Task/Job) | Remain after reboot |
| Quarantine/Containment | N/A (Defender action) | Automated DFW/segment action |
Reference:
Zero Trust Microsegmentation: Advanced NSX-T Policy Design
Dynamic Group Example
{
"resource_type": "Group",
"display_name": "Compromised-VMs",
"expression": [
{
"resource_type": "Condition",
"key": "Tag",
"operator": "EQUALS",
"value": "ransomware"
}
]
}
Adaptive Firewall Rule Example (JSON)
{
"action": "DROP",
"sources": ["Compromised-VMs"],
"destinations": ["Any"],
"services": ["Any"],
"direction": "IN_OUT",
"applied_to": ["Compromised-VMs"],
"logged": true
}
NSX CLI Quarantine Example
set dfw section "Ransomware-Containment" rule 100 action drop
set dfw section "Ransomware-Containment" rule 100 sources group "Compromised-VMs"
set dfw section "Ransomware-Containment" rule 100 destinations group "Any"
Diagram: Segmented Network Zones
Flow Policy and Threat Containment Examples
Sample DFW Policy (JSON)
{
"display_name": "Ransomware-Containment",
"sequence_number": 100,
"rules": [
{
"display_name": "Block Lateral Movement",
"sources": ["Compromised-VMs"],
"destinations": ["All"],
"services": ["All"],
"action": "DROP"
}
]
}
Traffic Flow Diagram
Incident Simulation Metrics & Reporting
Technical & Business Metrics
| Metric | Description | Example Value |
|---|---|---|
| Detection Time | Time from attack to first alert | 2 minutes |
| Dwell Time | Time attacker remained undetected | 5 minutes |
| Containment Speed | Time to apply DFW/quarantine | 1 minute |
| Business Impact | Downtime, data at risk, compliance hit | < $10k, 0 records |
PowerShell Script: Capture Exercise Metrics
$metrics = @{
DetectionTime = (Get-Date) - $attackStart
DwellTime = (Get-Date) - $initialCompromise
ContainmentTime = (Get-Date) - $containmentInitiated
}
$metrics | Export-Csv -Path "C:\NSXWarGameMetrics.csv" -NoTypeInformation
Sample Executive Summary Table
| KPI | Value |
|---|---|
| Total Incidents | 3 |
| Detection Rate | 100% |
| Mean Response Time | 90 sec |
| ROI (reduced risk) | High |
Security Baseline Validation
Checklist
- All VMs tagged and grouped
- Baseline DFW policies applied
- SIEM/SOAR integration tested
- Quarantine segment validated
- Logging and alerting functional
Sample Automated Test Script (PowerShell)
# Check for baseline DFW policy
$dfw = Get-NsxDFWRule -Name "Baseline-Policy"
if ($dfw -eq $null) { Write-Host "Policy missing!" }
# Validate SIEM connectivity
Test-NetConnection -ComputerName "siem.local" -Port 514
# Test quarantine segment exists
$segment = Get-NsxSegment -Name "Quarantine-Segment"
if ($segment) { Write-Host "Quarantine segment OK." }
Response Readiness: Detection, Mitigation, and Quarantine
Workflow
- NSX-T detects suspicious traffic.
- Automated alert sent to SIEM/SOAR.
- Policy pushes quarantine action to affected group.
- Blue team monitors, confirms containment.
- Automated rollback post-exercise.
Lessons Learned and Continuous Improvement
After-Action Review (AAR) Template
- What worked well?
- Where did detection or response lag?
- Was business impact minimized?
- How will playbooks, policies, or tooling change?
- Next steps and owner assignments
References
- VMware NSX-T Data Center Security Documentation
- MITRE ATT&CK Framework
- VMware Security Blog
- Cortex XSOAR Integrations
- Ansible NSX-T Collections
- Microsoft Sentinel Data Connectors
- Splunk NSX-T Integration Guide
Disclaimer: The views expressed in this article are those of the author and do not represent the opinions of Broadcom, my employer or any affiliated organization. Always refer to the official Broadcom documentation before production deployment.