# Service Priority Matrix

## Understanding Service Priority in CCDC

> **The Cardinal Rule:** Not all services are equal. Prioritize based on points AND business impact.

---

## PRIORITY CLASSIFICATION

### TIER 1 - CRITICAL (Protect First)
_These services typically carry the highest point values and business impact_

| Service | Why Critical | Typical Points | Recovery Time Target |
|---------|--------------|----------------|---------------------|
| **Active Directory** | Authentication backbone | Indirect (affects all) | < 5 min |
| **DNS** | All services depend on name resolution | High | < 2 min |
| **Web (Primary)** | Usually highest-weighted scored service | Very High | < 5 min |
| **Email (SMTP)** | Business communication critical | High | < 10 min |

### TIER 2 - HIGH PRIORITY
_Important services that should be secured early_

| Service | Why Important | Typical Points | Recovery Time Target |
|---------|---------------|----------------|---------------------|
| **Database** | Backend for web apps | High | < 10 min |
| **HTTPS** | Secure web traffic | Medium-High | < 5 min |
| **POP3/IMAP** | Email retrieval | Medium | < 15 min |
| **FTP** | File transfers | Medium | < 15 min |

### TIER 3 - STANDARD
_Maintain but don't over-invest early_

| Service | Notes | Typical Points | Recovery Time Target |
|---------|-------|----------------|---------------------|
| **SSH** | Admin access (secure it, but it's a tool not a business service) | Low-Medium | < 10 min |
| **Secondary Web** | If multiple web servers | Medium | < 20 min |
| **Internal Apps** | Custom applications | Varies | < 30 min |

---

## DECISION MATRIX

Use this matrix when you must choose what to fix first. "Points" is the service's scoring weight; "time" is your honest estimate of minutes to restore it. Quick wins go first: every minute of downtime on a high-point service costs the same whether the fix is short or long, so clearing the short fixes first minimizes total points lost. Start the long, high-point fix right after, with one person owning it so it does not stall.

```
                    HIGH POINTS
                         │
    ┌────────────────────┼────────────────────┐
    │                    │                    │
    │   QUICK WINS       │   MAJOR EFFORT     │
    │   (Do First)       │   (Do Second:      │
    │                    │    assign a lead)  │
LOW ├────────────────────┼────────────────────┤ HIGH
TIME│                    │                    │ TIME
    │                    │                    │
    │   DELEGATE         │   SCHEDULE         │
    │   (Assign to       │   (Plan for        │
    │    Support)        │    later)          │
    │                    │                    │
    └────────────────────┼────────────────────┘
                         │
                     LOW POINTS
```

---

## SERVICE RECOVERY PRIORITY ORDER

When multiple services are down, restore in this order:

1. **DNS** - Nothing works without name resolution. In a Windows domain DNS usually runs on the Domain Controller, so steps 1 and 2 are the same box: bring the DC up and confirm its zone answers queries before moving on
2. **Active Directory** - Authentication for the Windows environment; confirm a domain logon works, not just that the services show as running
3. **Primary Web Server** - Usually highest points
4. **Email (SMTP)** - Business communication
5. **Database** - Backend services. If the scored web check depends on the database, restore it together with the web server: a web server with a dead backend still fails the scorer
6. **Secondary Services** - Everything else

---

## RED FLAGS: When to Escalate

Immediately notify Captain if:

- [ ] Primary web server down > 2 minutes
- [ ] DNS completely unresponsive
- [ ] Domain Controller compromised
- [ ] Multiple services failing simultaneously
- [ ] Unable to authenticate to critical systems
- [ ] Evidence of data exfiltration

---

## SERVICE HEALTH CHECK COMMANDS

### Quick Status Check (Run Every 5 Minutes)

**Windows:**
```powershell
# Check critical services: DNS, time sync (Kerberos needs it), the AD database service, AD Web Services.
# -ErrorAction keeps the check running on a host where one of them is not installed.
Get-Service -Name DNS, W32Time, NTDS, ADWS -ErrorAction SilentlyContinue | Select-Object Name, Status

# Check listening ports with the owning PID, so an unexpected listener can be traced to its process
netstat -ano | findstr "LISTENING"
```

**Linux:**
```bash
# Check web server: prints the HTTP status code (200 expected). localhost only proves the daemon answers;
# run the same probe against the server's scored address from another host to see what the scoring engine sees.
curl -s -o /dev/null -w "%{http_code}\n" http://localhost/

# Check all listening services (run as root, otherwise ss cannot show the owning process for every socket)
ss -tlnp

# Check service status; a unit that does not exist on this host is reported and skipped.
# Use the distro's unit names, e.g. mariadb instead of mysql, httpd instead of apache2.
systemctl status nginx apache2 mysql named --no-pager
```
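The one-off commands above tell you whether a service answers right now; they do not tell you how long it has been down, which is what the RED FLAGS thresholds (web down > 2 minutes) and the recovery targets are measured in. The script below is an added example, not part of the original template: it probes the scored services from the checker's point of view, keeps the first-seen failure time per service in a small state file, and prints ESCALATE once a service has been down longer than its limit. The hosts, ports, per-service limits, the state-file path and the use of `nc` and `curl` are all assumptions; replace the inventory with your own topology and run it from a box that can reach the scored network.

```shell
#!/bin/sh
# Added example (not part of the original template): a checker meant to run
# every 5 minutes that probes the scored services and raises the RED FLAG
# escalation once a service has been down longer than its limit.
# Hosts, ports, the per-service limits and STATE_FILE are assumptions.

STATE_FILE="${STATE_FILE:-/tmp/svc_down_since}"   # assumed path; holds "name epoch" per down service

# Constructed inventory, not a real topology: name host port tier limit_seconds.
# limit_seconds mirrors the red-flag threshold for web (> 2 min) and the tier target for the rest.
INVENTORY='
web-primary 10.0.0.10 80   1 120
dns         10.0.0.5  53   1 120
smtp        10.0.0.20 25   1 600
db          10.0.0.30 3306 2 600
'

# probe_tcp HOST PORT: succeeds if a TCP connect completes within 3 s (assumes nc is installed)
probe_tcp() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# probe_http URL: succeeds only on HTTP 200 for the scored URL; an open port serving a 500 page still loses points
probe_http() {
    [ "$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1")" = "200" ]
}

# record_state NAME UP|DOWN NOW LIMIT
# Keeps the first-seen failure time per service in STATE_FILE and prints one of
# UP, RECOVERED, DOWN, ESCALATE (down for more than LIMIT seconds).
record_state() {
    name=$1; status=$2; now=$3; limit=$4
    touch "$STATE_FILE"
    since=$(awk -v n="$name" '$1 == n { print $2 }' "$STATE_FILE")
    if [ "$status" = "UP" ]; then
        if [ -n "$since" ]; then
            # back up: clear the clock so a later outage starts fresh
            awk -v n="$name" '$1 != n' "$STATE_FILE" > "$STATE_FILE.tmp" &&
                mv "$STATE_FILE.tmp" "$STATE_FILE"
            echo "RECOVERED"
        else
            echo "UP"
        fi
        return 0
    fi
    if [ -z "$since" ]; then
        # first failure seen for this service: start the clock now
        echo "$name $now" >> "$STATE_FILE"
        since=$now
    fi
    if [ $((now - since)) -gt "$limit" ]; then
        echo "ESCALATE"
    else
        echo "DOWN"
    fi
}

# check_all: probe every inventory entry and print a one-line verdict for each
check_all() {
    now=$(date +%s)
    printf '%s\n' "$INVENTORY" | while read -r name host port tier limit; do
        [ -n "$name" ] || continue
        if [ "$port" = "80" ]; then
            if probe_http "http://$host/"; then st=UP; else st=DOWN; fi
        else
            if probe_tcp "$host" "$port"; then st=UP; else st=DOWN; fi
        fi
        verdict=$(record_state "$name" "$st" "$now" "$limit")
        printf '%s tier%s %-12s %-4s %s\n' "$(date '+%H:%M:%S')" "$tier" "$name" "$st" "$verdict"
        if [ "$verdict" = "ESCALATE" ]; then
            echo "  RED FLAG: $name down longer than ${limit}s, notify the Captain"
        fi
    done
}

# Probes run only when invoked as: sh svc_check.sh --run   (e.g. from cron every 5 minutes)
if [ "${1:-}" = "--run" ]; then
    check_all
fi
```

The state file is what makes the escalation rule work across runs: a service that flaps up and down gets its clock reset on every RECOVERED, so only a sustained outage reaches ESCALATE. Keep the script on a machine the Red Team is least likely to own, since a checker on a compromised host can be silenced.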

---

## INJECT vs SERVICE: THE BALANCE

```
TIME ALLOCATION GUIDE (8-hour competition)

Services (50% of time):
├── First Hour: Initial hardening (heavy focus)
├── Hours 2-4: Active defense + monitoring
├── Hours 5-7: Maintenance + incident response
└── Hour 8: Final checks + documentation

Injects (50% of time):
├── Continuous: Monitor inject queue
├── Assign immediately when received
├── Quality > Speed (but don't miss deadlines)
└── Documentation parallel to technical work
```

---

## WHEN TO LET A SERVICE DIE

Sometimes it's better to sacrifice a low-priority service:

**Let it go IF:**
- [ ] Recovery time > 30 minutes AND points < 5%
- [ ] Fixing it risks breaking higher-priority services
- [ ] It's clearly a Red Team trap or decoy rather than a scored service (confirm against the scoreboard before you walk away)
- [ ] Team is overwhelmed with higher priorities

**NEVER let go:**
- [ ] Any Tier 1 service
- [ ] Any service an active inject depends on
- [ ] Domain Controller
- [ ] Primary DNS
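The decision matrix, the tiering and the "let it go / never let go" rules above are easy to apply to one service and hard to apply to six that are down at once. The script below is an added example, not part of the original template: it encodes those rules as a ranking over a status board so the team can ask "what do we fix next" in one command. Tier 1 and anything an active inject depends on are pinned to the top, the matrix quadrant orders the rest, and the 30-minute / 5% rule pushes candidates to the bottom with a LET_IT_GO label. The "high points" and "low time" cut-offs (10% and 10 minutes) and the sample board are assumptions chosen to match the text.

```shell
#!/bin/sh
# Added example (not from the original template): ranks DOWN services using the
# decision matrix, the tier list and the let-it-go / never-let-go rules.
# The HIGH_PTS and LOW_TIME cut-offs are assumptions; LETGO_* come from the page.

HIGH_PTS=10     # assumption: >= 10% of the service score counts as "high points"
LOW_TIME=10     # assumption: <= 10 min estimated recovery counts as "low time"
LETGO_MIN=30    # page rule: recovery > 30 minutes ...
LETGO_PTS=5     # ... AND points < 5% -> candidate to let go

# Constructed status board, not real scoring data.
# Columns: name tier points_pct est_recovery_min state inject
#   inject = yes when an open inject depends on the service
SAMPLE_BOARD='
web-primary 1 25  4 DOWN no
dns         1 15  2 DOWN no
smtp        1 10 12 UP   no
db          2 12  8 DOWN no
ftp         2  4 45 DOWN no
legacy-app  3  3 40 DOWN yes
ssh         3  5  6 DOWN no
'

# triage: reads board lines on stdin, prints "name action reason" for every
# DOWN service, highest priority first.
triage() {
    awk -v hp="$HIGH_PTS" -v lt="$LOW_TIME" -v lg_min="$LETGO_MIN" -v lg_pts="$LETGO_PTS" '
    NF == 6 && $5 == "DOWN" {
        name = $1; tier = $2 + 0; pts = $3 + 0; rec = $4 + 0; inject = $6
        # NEVER let go: Tier 1, or anything an active inject depends on
        pinned = (tier == 1 || inject == "yes")
        # Let it go IF: slow to recover AND worth little, and not pinned
        letgo = (!pinned && rec > lg_min && pts < lg_pts)
        # Decision matrix quadrant: points vs. time
        if (pts >= hp && rec <= lt)  { q = 1; act = "FIX_NOW" }    # quick win
        else if (pts >= hp)          { q = 2; act = "FIX_NEXT" }   # major effort
        else if (rec <= lt)          { q = 3; act = "DELEGATE" }
        else                         { q = 4; act = "SCHEDULE" }
        if (letgo)                   { bucket = 2; act = "LET_IT_GO"; why = "slow+low-value" }
        else if (tier == 1)          { bucket = 0; why = "tier1" }
        else if (inject == "yes")    { bucket = 0; act = "FIX_NOW"; why = "active-inject" }
        else                         { bucket = 1; why = "matrix" }
        # sort key: bucket, tier, quadrant, fastest recovery first, then most points
        printf "%d %d %d %03d %04d %s %s %s\n", bucket, tier, q, rec, 1000 - pts, name, act, why
    }' | sort -k1,1n -k2,2n -k3,3n -k4,4n -k5,5n | awk '{ print $6, $7, $8 }'
}

# Print the ranked action list for the sample board when run as: sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BOARD" | triage
fi
```

Within a tier the sort prefers the fastest recovery before the highest points, which is why `dns` (2 min) lands above `web-primary` (4 min) on the sample board: it matches both the recovery order and the quick-wins-first reading of the matrix. Edit the board as the scoreboard and inject queue change and rerun; the point is that the "never let go" list wins over the arithmetic every time.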

---

_Template by CCDC.x1000.ai - Elite Blue Team Training Platform_
