DE0.9 The NE Training Universe
Northgate Engineering
Northgate Engineering Ltd is a precision engineering and advanced manufacturing company headquartered in Bristol, UK. Founded in 1987 as a family business, it was acquired by a private equity firm in 2019. The PE acquisition drove a rapid cloud migration (2020-2022) and the creation of a security team — neither of which existed before the acquisition.
The company operates across 11 locations: 10 physical offices and a remote workforce of 120 field engineers and work-from-home staff. The manufacturing plants produce precision components for aerospace, defense, and industrial clients. The defense contracts include sub-contracts to US Department of Defense prime contractors, which bring NIST 800-171 compliance requirements for the Birmingham office.
The security team is small, capable, and under-resourced for the environment’s complexity. The CISO (Rachel Okafor, hired 2023) built the security function from scratch. The security engineer (your role in this course) leads detection engineering. Two L1 SOC analysts handle triage. A security architect manages infrastructure security. A GRC analyst handles compliance. A managed SOC partner provides 24/7 monitoring.
The environment carries the architectural debt of a rapid cloud migration: Server 2016 systems that cannot be upgraded until a 2027 ERP migration, manufacturing workstations with limited EDR coverage, Linux servers with no Defender for Endpoint, and an SD-WAN mesh that was designed for connectivity rather than security segmentation.
Figure DE0.6 — Northgate Engineering network topology. Full-mesh SD-WAN connects all sites. Critical infrastructure gaps highlighted: Server 2016 ERP, RHEL servers without EDR, OT network connected at Sunderland, and 72 endpoints with limited or no EDR coverage.
The six attack chains
Six canonical attack chains thread through the entire course. Each chain is a realistic multi-phase scenario that targets a specific weakness in Northgate Engineering’s environment. Each phase of each chain maps to specific ATT&CK techniques, specific data sources, and specific detection rules you will build. The chains are not isolated to one module — they span multiple modules and the capstone replays all six against your completed detection library.
CHAIN-HARVEST: AiTM credential theft → BEC → financial fraud. You walked through this chain in DE0.2. The attacker targets Sarah Chen (finance analyst) with an EvilProxy AiTM phishing link, captures her session token, creates an inbox rule for persistence, reads three months of email, and sends a BEC wire fraud request to the CFO. Five detection points across DE3, DE4, DE5, and DE7. This is the highest-probability attack chain for Northgate — financially motivated, commodity tooling, targeting the finance team.
CHAIN-MESH: Ransomware via SD-WAN lateral movement. A ransomware affiliate obtains VPN credentials for a field engineer (j.morrison) through credential stuffing from a third-party breach. The attacker connects via VPN to Edinburgh, moves laterally across the SD-WAN mesh to Bristol and then Sheffield, deploys tools via WMI, and stages ransomware pre-encryption. Seven detection points across DE3, DE4, DE5, DE6, and DE8. The distinctive challenge: the SD-WAN mesh means every site can reach every other site — the attacker exploits this flat connectivity to move from Edinburgh to Sheffield in three hops.
CHAIN-FACTORY: Physical compromise at manufacturing site. A contractor with physical access to Sheffield plant plugs a USB device into a manufacturing workstation. The workstation runs Defender for Endpoint P1 (sensor-only — limited EDR). The contractor runs reconnaissance, identifies engineering drawings on file shares, and copies them to the USB device. Five detection points across DE3, DE5, DE6, and DE7. The distinctive challenge: legitimate manufacturing USB usage (loading CNC programs) must be distinguished from data theft. File type and path filtering is essential.
CHAIN-PRIVILEGE: Insider PIM abuse with app registration persistence. An IT administrator (a.patel) with legitimate PIM access activates the Exchange Admin role, then exceeds authorized scope: creates an Entra ID app registration with Mail.Read and Files.ReadWrite.All permissions, uses the app to access the CEO’s mailbox via Graph API, and exfiltrates sensitive data through the app’s delegated permissions. Five detection points across DE4, DE5, DE6, and DE7. The distinctive challenge: the PIM activation is legitimate. Detection must identify scope creep — the admin’s post-activation actions exceed the purpose of the role activation.
CHAIN-DRIFT: Configuration change exploitation. The IT team disables the “require compliant device” conditional access policy for 48 hours during a device migration. An opportunistic external attacker runs a password spray during the CA gap, compromises an account that would normally be blocked by device compliance, registers an MFA method for persistence, and downloads bulk SharePoint data. Four detection points across DE4, DE5, DE6, and DE7. The distinctive challenge: the CA policy change is legitimate. Detection must monitor security-relevant configuration changes and correlate them with exploitation attempts during the exposure window.
CHAIN-ENDPOINT: Watering hole → Cobalt Strike → crown jewels. A targeted attacker compromises an industry forum frequented by Northgate’s engineering staff. A CAD engineer (m.thompson) visits the compromised forum, triggering a drive-by download that deploys a fileless Cobalt Strike beacon. The attacker dumps LSASS credentials, passes the hash to pivot laterally, and reaches the RHEL rendering farm — Northgate’s crown jewels for IP theft. Seven detection points across DE3, DE5, DE6, DE7, and DE8. The distinctive challenge: the attack spans Windows (Defender for Endpoint) and Linux (Syslog/auditd only) telemetry. Cross-stack correlation is required.
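As an added illustration of the correlation pattern behind CHAIN-DRIFT (this is example KQL written for this page, not one of the course's 44-56 rules), the query below joins a Conditional Access policy being set to disabled with password-spray activity from the same exposure window. It assumes the Entra ID audit and sign-in logs are ingested into Sentinel as AuditLogs and SigninLogs, that the modifiedProperties entry named ConditionalAccessPolicy carries the new policy state as a JSON string, and that the policy name and the spray threshold are placeholders to tune.

```kql
// Added example: correlate a disabled Conditional Access policy with a
// password spray that starts inside the resulting exposure window.
// Assumptions: AuditLogs / SigninLogs tables; 48h matches the CHAIN-DRIFT
// scenario; SprayThreshold is illustrative.
let ExposureWindow = 48h;
let SprayThreshold = 10;            // distinct accounts failing from one IP
let PolicyChanges = AuditLogs
    | where TimeGenerated > ago(7d)
    | where Category == "Policy" and OperationName == "Update conditional access policy"
    | extend PolicyName = tostring(TargetResources[0].displayName)
    | extend ChangedBy = tostring(InitiatedBy.user.userPrincipalName)
    | mv-expand Prop = TargetResources[0].modifiedProperties
    | where tostring(Prop.displayName) == "ConditionalAccessPolicy"
    // newValue is the post-change policy as a JSON string (assumed layout)
    | where tostring(Prop.newValue) matches regex @'"state"\s*:\s*"disabled"'
    | project ChangeTime = TimeGenerated, PolicyName, ChangedBy
    | extend JoinKey = 1;
SigninLogs
| where TimeGenerated > ago(7d)
// 50126 = invalid username or password; 0 = successful sign-in
| where ResultType in ("50126", "0")
| extend JoinKey = 1
| join kind=inner PolicyChanges on JoinKey
// keep only sign-ins that fall inside the exposure window of a change
| where TimeGenerated between (ChangeTime .. (ChangeTime + ExposureWindow))
| summarize
    FailedAccounts    = dcountif(UserPrincipalName, ResultType == "50126"),
    SucceededAccounts = make_set_if(UserPrincipalName, ResultType == "0", 10),
    FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by IPAddress, PolicyName, ChangeTime, ChangedBy
// a spray is many distinct accounts failing from one source; the follow-on
// success is the account CHAIN-DRIFT compromises while compliance is not enforced
| where FailedAccounts >= SprayThreshold and array_length(SucceededAccounts) > 0
| project-reorder ChangeTime, PolicyName, ChangedBy, IPAddress, FailedAccounts, SucceededAccounts, FirstSeen, LastSeen
```

The two halves of the query are the two halves of the chain: the configuration change is legitimate on its own and the failed sign-ins are noise on their own, so neither side should alert alone. Scoping the sign-in summary to the window opened by the change is what turns them into one detection, and the ChangedBy column gives the analyst the ticket owner to confirm the migration with.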
The myth: Insider threat detection is disproportionate surveillance. The organization’s culture is trust-based and deploying detection rules that monitor employee behavior contradicts that culture.
The reality: CHAIN-PRIVILEGE is not surveillance — it is scope monitoring. The detection rules do not monitor what IT administrators do during normal operations. They monitor whether post-PIM-activation actions exceed the authorized scope of the activated role. An IT admin who activates Exchange Admin to configure a transport rule generates no alert. An IT admin who activates Exchange Admin and then creates an app registration with Mail.Read permissions generates an alert because app registration is not an Exchange Admin function. This is the same principle as segregation of duties in financial controls — not a commentary on trust, but a structural safeguard.
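The scope-monitoring idea in KQL, as an added example written for this page rather than a rule from the course: a PIM activation of an Exchange role is joined with application-management operations by the same actor inside a short window after the activation. It assumes AuditLogs is ingested into Sentinel, that the PIM activation event lists the role as a TargetResources entry with type "Role", and that the list of out-of-scope operation names and the four-hour window are illustrative choices.

```kql
// Added example: app-registration activity within a few hours of a PIM
// activation of an Exchange role is outside the scope of that role.
// Assumptions: AuditLogs table; role entry type "Role" in TargetResources;
// operation names and window are illustrative.
let ScopeWindow = 4h;
let MonitoredRoles = dynamic(["Exchange Administrator", "Exchange Recipient Administrator"]);
// Operations that are not Exchange Admin functions (illustrative list)
let OutOfScopeOps = dynamic([
    "Add application",
    "Add service principal",
    "Add app role assignment to service principal",
    "Add delegated permission grant",
    "Consent to application"]);
let PimActivations = AuditLogs
    | where TimeGenerated > ago(1d)
    | where Category == "RoleManagement"
    | where OperationName startswith "Add member to role" and OperationName has "PIM activation"
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | mv-expand Target = TargetResources
    | where tostring(Target.type) == "Role"
    | extend Role = tostring(Target.displayName)
    | where Role in (MonitoredRoles)
    | project ActivationTime = TimeGenerated, Actor, Role;
AuditLogs
| where TimeGenerated > ago(1d)
| where Category == "ApplicationManagement" and OperationName in (OutOfScopeOps)
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend AppName = tostring(TargetResources[0].displayName)
// same actor, and only actions taken after the activation inside the window
| join kind=inner PimActivations on Actor
| where TimeGenerated between (ActivationTime .. (ActivationTime + ScopeWindow))
| summarize OutOfScopeActions = make_list(
        bag_pack("Time", TimeGenerated, "Operation", OperationName, "App", AppName), 20)
    by Actor, Role, ActivationTime
| project-reorder Actor, Role, ActivationTime, OutOfScopeActions
```

Nothing in the query looks at transport rules, mailbox settings or any other action inside the Exchange role's remit; an admin who activates the role and does Exchange work never appears in the result. What it returns is the pairing of an activation with a category of change the role was never meant to cover, which is the scope creep the text describes. The Mail.Read and Files.ReadWrite.All grants in the chain would surface as the "Add app role assignment to service principal" or consent events in the joined list.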
Your role in the training universe
You are the Senior Security Engineer at Northgate Engineering, reporting to Rachel Okafor (CISO). Your mandate: build the detection engineering program. Rachel has 90 days to demonstrate “meaningful improvement” in detection capability to David Hargreaves (CEO) and Sarah Whitfield (CFO). You are the person who makes that happen.
Your team: Tom Ashworth and Priya Sharma (L1 SOC analysts) triage the alerts your rules generate. Marcus Webb (security architect) manages the infrastructure security controls you detect around. Elena Petrova (GRC analyst) needs your detection evidence for ISO 27001 compliance. Phil Greaves (IT Director) controls the IT team that manages the infrastructure you monitor — and he resists security-driven changes.
Your constraints: budget is limited to existing Sentinel ingestion (no new data source connections without CFO approval). Headcount is fixed (no new analysts). The managed SOC partner triages alerts but does not build rules. You have 40-50% of your time for detection engineering — the rest is SOC operations and incident response.
Try it yourself
Exercise: Identify your crown jewels
In the Northgate Engineering context, the crown jewels are: engineering CAD/CAM files on the RHEL rendering farm (IP theft targets), defense program data in the Birmingham enclave (NIST 800-171 scope), financial data accessible to the finance team (BEC targets), and executive communications (BEC intelligence source).
For your own organization: what are the 3-5 data repositories or systems where a breach causes maximum business impact? These crown jewels drive detection prioritization in DE2. If you do not know, that is the first conversation to have with your CISO.
Check your understanding
CHAIN-MESH starts with compromised VPN credentials for a field engineer in Edinburgh and ends with ransomware pre-encryption activity at the Sheffield plant. What infrastructure characteristic of Northgate Engineering makes this lateral movement possible?
Answer: The full-mesh SD-WAN. Every site can reach every other site directly. The firewall rules between sites are permissive — they allow RDP between corporate VLANs for IT support. The attacker moves from Edinburgh (VPN → spoke) to Bristol (hub) to Sheffield (spoke) using standard RDP, which is allowed by the inter-site firewall policy. The SD-WAN was designed for connectivity and IT support convenience, not for security segmentation. The detection must identify the chain: new VPN session → RDP to a server the user has never accessed → process execution on that server.
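The detection chain named in the answer (new RDP session to a server the account has never used, followed by process execution on that server) is shown below as an added example in KQL, not as one of the course's CHAIN-MESH rules. It assumes DeviceLogonEvents and DeviceProcessEvents arrive through the Defender for Endpoint connector, that a 30-day baseline is representative of normal RDP use, and that 203.0.113.0/24 (an RFC 5737 documentation range, as the page uses) stands in for the VPN client pool. It generalizes slightly beyond the first hop: the VPN pool is reported as a column rather than used as a filter, so the same baseline logic also catches the later Bristol-to-Sheffield hop, where the source is a site address rather than a VPN address.

```kql
// Added example: successful RDP logon to a server the account has not used in
// the baseline period, followed by process execution under that account.
// Assumptions: DeviceLogonEvents / DeviceProcessEvents tables; VPN pool
// 203.0.113.0/24 is an illustrative RFC 5737 range; 30d baseline, 30m follow-on.
let VpnPool = "203.0.113.0/24";
let BaselineDays = 30d;
let FollowOn = 30m;
// Baseline: (account, server) pairs with a successful RDP logon before today
let KnownDestinations = DeviceLogonEvents
    | where Timestamp between (ago(BaselineDays) .. ago(1d))
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | summarize by AccountName = tolower(AccountName), DeviceName;
// Today's RDP logons to a server that is not in the account's baseline
let NewRdp = DeviceLogonEvents
    | where Timestamp > ago(1d)
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | extend AccountName = tolower(AccountName)
    | join kind=leftanti KnownDestinations on AccountName, DeviceName
    | extend FromVpnPool = ipv4_is_in_range(RemoteIP, VpnPool)
    | project LogonTime = Timestamp, AccountName, DeviceName, RemoteIP, FromVpnPool;
// Process execution on that server, under that account, shortly after the logon
DeviceProcessEvents
| where Timestamp > ago(1d)
| extend AccountName = tolower(AccountName)
| join kind=inner NewRdp on DeviceName, AccountName
| where Timestamp between (LogonTime .. (LogonTime + FollowOn))
| summarize ProcessCount = count(), Processes = make_set(FileName, 25),
    FirstProcess = min(Timestamp)
    by AccountName, DeviceName, RemoteIP, FromVpnPool, LogonTime
| project-reorder LogonTime, AccountName, DeviceName, RemoteIP, FromVpnPool, ProcessCount, Processes
```

The leftanti join is the "never accessed before" test: anything the account has RDP'd to in the baseline drops out, so routine IT support sessions to familiar servers stay silent while j.morrison's first-ever RDP from the VPN pool to a Bristol hub server survives. The follow-on join to process execution is what separates a one-off misdirected logon from hands-on-keyboard activity, and the Processes set is where the WMI tooling from the chain would appear.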
What you will build
Across 12 modules, you will build the detection program that takes Northgate Engineering from 10.3% ATT&CK coverage to defensible, risk-prioritized detection. The rules are not generic — they are tuned for Northgate’s specific infrastructure: its IP ranges (RFC 5737 documentation ranges), its user population, its device naming conventions, its data volumes, and its organizational quirks (manufacturing USB exemptions, field engineer travel patterns, PIM over-provisioning).
When you deploy these rules in your own environment, you will adapt them — replacing Northgate’s IP ranges with yours, replacing the fictional user accounts with your watchlists, and tuning thresholds to your data volumes. The detection engineering methodology transfers. The specific KQL adapts.
Troubleshooting: “My environment is nothing like Northgate Engineering”
The principles transfer even if the specifics do not. If your organization does not have manufacturing plants, CHAIN-FACTORY (physical USB theft) is less relevant — but the detection pattern (removable media write with file type filtering) applies to any USB data theft scenario. If your organization does not have on-premises AD, CHAIN-MESH’s IdentityLogonEvents detections are not applicable — but the lateral movement detection patterns (RDP to new servers, WMI remote execution) apply to any Windows environment.
Adapt the relevant chains, skip the irrelevant ones. If your organization is cloud-only with no manufacturing, focus on CHAIN-HARVEST (AiTM/BEC), CHAIN-PRIVILEGE (insider PIM abuse), CHAIN-DRIFT (configuration change exploitation), and the cloud-relevant phases of CHAIN-ENDPOINT. Skip CHAIN-FACTORY and the on-prem phases of CHAIN-MESH. The course produces 44-56 rules — you deploy the subset relevant to your environment.
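The removable-media pattern mentioned above (a USB write with file-type and path filtering, the core of CHAIN-FACTORY) is shown here as an added example written for this page, not as a course rule. It assumes DeviceEvents and DeviceFileEvents are ingested through the Defender for Endpoint connector, that the UsbDriveMounted event exposes DriveLetter and SerialNumber in AdditionalFields, and that the drawing extensions, the shop-floor transfer folder names and the file-count threshold are illustrative values to replace with your own.

```kql
// Added example: engineering drawing files written to a USB drive, with the
// legitimate CNC program transfer path filtered out.
// Assumptions: DeviceEvents / DeviceFileEvents tables; DriveLetter and
// SerialNumber in the UsbDriveMounted AdditionalFields; extensions, folder
// names and MinFiles are illustrative.
let LookBack = 1d;
let MinFiles = 3;
// Drawing formats worth protecting; CNC program types (.nc, .tap, .mpf) are
// deliberately absent so routine program loading is not in scope at all
let DrawingExtensions = dynamic([".dwg", ".dxf", ".step", ".stp", ".iges", ".igs", ".sldprt", ".sldasm"]);
// Drive letters assigned to USB storage on each device
let UsbMounts = DeviceEvents
    | where Timestamp > ago(LookBack)
    | where ActionType == "UsbDriveMounted"
    | extend Af = parse_json(AdditionalFields)
    | extend DriveLetter = tostring(Af.DriveLetter), UsbSerial = tostring(Af.SerialNumber)
    | where isnotempty(DriveLetter)
    | project DeviceName, DriveLetter, UsbSerial, MountTime = Timestamp;
DeviceFileEvents
| where Timestamp > ago(LookBack)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
// file-type filter: last extension of the file name, lower-cased
| extend Ext = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
| where Ext in (DrawingExtensions)
// restrict to writes that land on a mounted USB drive letter
| join kind=inner UsbMounts on DeviceName
| where Timestamp > MountTime and FolderPath startswith DriveLetter
// path filter: the shop-floor transfer folders used for CNC program loading
| where not(FolderPath contains @"\CNC\" or FolderPath contains @"\Programs\")
| summarize FileCount = dcount(FileName), Files = make_set(FileName, 20),
    FirstWrite = min(Timestamp), LastWrite = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, DriveLetter, UsbSerial
| where FileCount >= MinFiles
| project-reorder FirstWrite, LastWrite, DeviceName, InitiatingProcessAccountName, DriveLetter, UsbSerial, FileCount, Files
```

The file-type list and the path exclusion do different jobs: the extension filter keeps CNC program files out of scope entirely, and the folder exclusion keeps drawing files that an operator legitimately stages in the transfer folder from alerting, so what remains is drawing files landing elsewhere on removable media. The UsbSerial column lets the analyst tie the write back to a specific device across sessions. One caveat the page itself raises: the Sheffield workstation in CHAIN-FACTORY runs Defender for Endpoint P1 with limited EDR coverage, so check that DeviceFileEvents and the UsbDriveMounted event are actually arriving for that device class before relying on this query.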
References used in this subsection
- NE Training Universe blueprint (DETECTION-ENGINEERING-COURSE-BLUEPRINT.md)
- Course cross-references: DE2 (threat modeling using NE environment), DE3-DE8 (rules built for NE), DE11 (capstone — complete NE program)
NE infrastructure baseline: the detection surface in numbers