This webcast was originally published October 21st, 2019.
In this video, the speakers discuss the card game "Backdoors and Breaches", which covers incident response and cybersecurity tactics. They explain the rules, procedures, and strategies for playing the game, using it as a tool for security training and awareness. Throughout the discussion, they demonstrate gameplay, showing how to handle the various security incidents and decisions that players will need to make during the game.
Highlights
- The webinar introduces a card-based security training game that simulates network threat hunting and incident response.
- The game is designed to improve understanding of cybersecurity incidents and enhance incident response skills through interactive, scenario-based learning.
- It includes various tools and techniques for detecting and responding to cyber threats, providing practical experience in handling security incidents.
Transcript
John Strand
So, welcome to Backdoors and Breaches. It's kind of the release party, I guess, even though it was sort of DerbyCon. We should have had some pictures of DerbyCon, whenever we handed them out.
How many did we hand out in that hour? Was it like 800 of them in less than an hour? Yeah.
Jason Blanchard
So we ended up handing out 800 in two hours, but 300 in the first, like, 20 minutes.
John Strand
Yeah, it was insane. People were lining up like it was an iPhone release event. So one of the questions that's going to be coming up again and again and again is where can I get these, and when?
And Deb has her copy and paste ready to rock and roll to let people know when you can get these and where you can actually track it. But it's a lot of work to get to the point where you have a deck like this.
There's a tremendous amount of effort that went into designing the game, designing the cards and the box, and then ordering the boxes, getting demo sets. And how many are we buying?
Are we buying 8,000 or 10,000 of these, Jason?
Jason Blanchard
We purchased 10,000 plus the 1,000 for DerbyCon. So we're at 11,000, and we have pictures.
John Strand
Maybe Jason can bring up some pictures at the end of the webcast to show you what a thousand of these cards actually looks like. Yeah, it comes on a pallet. It's like Brewster's Millions.
Since we're talking about eighties movies, whenever there was like $3 million on a pallet, it looks like that, only not $3 million. And we'll go through and kind of describe the game, but I'm going to go through and do the opening with the sound, because people love that; we were talking about it before the show.
So open that up with a satisfying pop and a crack. Pull it out. And once you get it, it's all wrapped. Makes that crackling noise that the kids seem to like.
And it actually has a relatively easy way of opening up the actual package. Zip that, go. And you promptly throw the plastic on the floor, and then you've got your deck.
So the deck is broken down into a series of different types of cards, and I'm going to walk through what the different colored cards are. But each of the cards has a specific color on the back that is representative of its role within the game.
You also have some additional cards; I guess you could call them jokers. One for ADHD and RITA, another one. We've got to get some marketing in for AI-Hunter. And then also a card marketing Black Hills Information Security, and then a card dedicated to Backdoors and Breaches.
And it gives you the website. I don't know if people can see this. It gives you the website where you can go to get the instructions to play. Now, these will be for sale here shortly, in the next couple of months. We have to get a pallet of like 2,000 to 3,000, and then we have to send it to Amazon, and Amazon has to load it in the store and all of that.
And Jason, we settled on a price of $10 for a deck, right?
Jason Blanchard
Correct.
John Strand
Yep. Do you want to talk a little bit about that $10 and why?
Jason Blanchard
Yeah. So when we analyzed the amount of money that went into the development, the production, the printing, the cost that Amazon tacks on. Tags.
Tags, tax.
John Strand
Let’s go with tags taxes.
Jason Blanchard
Yeah. The amount that Amazon adds to each shipment. It came out to about $8.95 per deck.
So the development cost, printing cost, all the costs that went into it: it's about $8.95 a deck. And then we added a dollar onto it to help with all the things that we don't know about.
So, like sales tax or this or that, because we've never sold a product before. So there's that extra dollar. So it's $10. We're not really making any money on these. We just want to get them out to people.
John Strand
Yep.
Jason Blanchard
We wanted to figure out what was the least amount of money we could charge and still not lose money. It was $10.
John Strand
So they'll be $10 a pack. And then eventually we're going to start coming up with boosters and expansion packs, and I'll talk more about that a little bit later. All right, so let's jump in. Marketing, of course: this is brought to you by Black Hills Information Security.
It is also brought to you by AI-Hunter. AI does not stand for artificial intelligence. It stands for actual intelligence: Actual Intelligence Hunter. And instead of a demo, one of the things that we're doing now for people joining the webcast is we're now offering free training.
If you want to register for free network threat hunting training, this is all about free tools, using things like ntop and RITA and using tshark. If you really want to become a packet hunting guru, you need to sign up for this.
It's going to be about a one- to two-day training. It'll be coming out in the next couple of months, and it's going to be taught by SANS instructors. It's going to be taught by me. It's going to be taught by SANS instructor fellow Chris Brenton, and also SANS instructor Bill Stearns.
So it is really, truly and completely that SANS-quality training: two days, network threat hunting, packets and finding evil on the network, and it's all free.
So if you'd like to get signed up for this free training, just type "training" into the questions window, and we will capture it. Just type in "training". Or you can type in the entire string: training, script alert, document, cookie, close the script, or one equals one semicolon dash dash, and that'll get you set up for training.
And like I said, it's completely free. It'll be about two days. We will record it, there will be labs, all kinds of hands-on stuff. So please check that out. All right, so let's get started. So why did we go through the effort to create this?
There were a couple of reasons. Jason and I have been kind of working on various games for years now. I think the first one was Cubicles and Compromises, and that was basically using 20-sided dice as part of an incident response tabletop exercise where, for every single action, you would have to roll a die.
And if you had the procedures for that action, you would get a plus three modifier. And that was the core game. We ran into a huge problem with the game, though.
We ran into a problem whenever anybody else tried to play that game. If they didn't have a dedicated scenario associated with that game, then they completely fell apart.
And people didn't understand scenarios. They didn't know how to create the scenarios. And it was a big issue. So that kind of worked. Then Jason was working on a game. I think it was myself, Larry Pesce.
I can't remember who the other instructors were. That was Pivots and Payloads, and Pivots and Payloads was like a Chutes and Ladders or Candy Land style game where you would go through a penetration test and there would be the different things helping the pen tester or not.
And we've kind of been working on these games for a long time. And the whole concept of how we came up with Backdoors and Breaches is a bit weird.
It actually started, I don't have the cards with me, it actually started with a vendor from China that had a card deck that was malware's most wanted, and they had a whole bunch of malware on each of the cards.
And it was a regular playing deck of cards, and they had cool pictures of each of the malware for representation purposes. And I thought that was really, really neat. So I'm playing with this deck of cards, and we do a lot of tabletop exercises at Black Hills Information Security.
And most of the time when we do tabletop exercises, I do it. And that's mainly because I can come up with scenarios relatively quickly. I can roll with the punches. If they say that there's weird things in their network, we can make that happen.
When we tried to have someone else at BHIS do it, it would have varying levels of success. Some people did great, some people did less than great. And we wanted to standardize a way that we could very quickly and easily create a tabletop exercise.
And I created four columns, initially. So there were four columns. And I basically made it so the BHIS employee could choose which of the different tactics in each of the four columns they wanted to actually deal with.
So the four columns were initial compromise, pivot and escalate, persistence, and then C2 and exfil. And that started out as a spreadsheet.
And I think I was talking with Jason. We're kind of talking about this, and Jason's constantly pushing for new cool things, whether it's posters or games or any of these different things that kind of bring people in, creating content for the community as a whole.
And I'm like, we could create a card game around this. And that's really how this all started. And we took a lot of those ideas from Pivots and Payloads, Cubicles and Compromises, and rolled it into this game.
And the core goal of the game was to try to make it fun, and it was also to get around the arguments over what does and does not work. When you're doing a tabletop exercise, it's very, very common for people to say, well, we got malware on that system.
Well, that's not possible. We're running Cylance or CrowdStrike or something like that, and the vendor told me that there's no way malware can run on this system. So that scenario is completely broken because we have this product. And you get into these huge arguments over what would and would not work in what scenarios.
Also, you run into these problems with incomplete attack scenarios where it's like, okay, I'm going to do this tabletop exercise, and it's on a spearphish. And, okay, we've contained it, but now what?
And that's why we came up with the four different cards, kind of taking the attack and really, really boiling it down to the four things that people can deal with insofar as incident response. And there were also magical unicorn hacks.
I would sit in on tabletop exercises, and then people would say, well, what if somebody was able to come up with a zero day for our firewall and our proxy, and then another zero day for our database server, and another zero day for a web server?
We do that like, well, then you're dealing with magical unicorn attacks. And as the little picture says, some days you just got to say, screw it, I'm going to be a unicorn. But those really messed up magical unicorn style attacks don't actually help organizations, because you have organizations that fall into the trap of, well, we've got a patch against Rowhammer or Spectre or Meltdown.
And while those are important, more than likely those aren't the things that are actually going to get used against your organization.
Now, that changes over time when you're looking at a lot of the attack strategies. We wanted the attack strategies to actually be applicable to real world organizations and what they would actually encounter as well.
So, state of play. If you're playing this game, you have three roles, right? So the first role is the incident master. When we created the game, it was there to facilitate the incident master.
It was basically designed so the incident master could very quickly and easily choose one card from the initial attack and compromise, one from the pivot, one from the C2, and one for the lateral movement, and they could build that incident on the fly.
They didn't have to spend a lot of time knowing exactly how it was going to work and storyboarding it, because Cubicles and Compromises was all based off of Dungeons and Dragons. Whenever I play that with my kids, and we'd walk through it, the scenarios were rich and there were stories, and that was awesome.
But I found out that in order for Cubicles and Compromises to work, you needed to have a literal story and a scenario for every single one of the games. And that didn't allow for complexity, that didn't allow for replayability, that didn't allow for imagination, and all those different things.
So with the four cards, it allowed you to build the incident and made that incident creation dynamic. And the incident master is also there to keep the game going. As you're going through Cubicles and Compromises and then eventually into Backdoors and Breaches,
you were recording what procedures your organization was missing and how those procedures could actually be useful in actually dealing with that incident. That's the whole goal, right?
We want to find procedures and technical failings in our organization that we need to fill as an organization. And the only way you can do that is by gaming this and doing this again and again and again and again and identifying those different procedures that are missing.
Now, the players. The players can be the incident response team, it can be the entire company that's part of the tabletop exercise. And the players themselves will pull one of these random procedure cards.
And these procedure cards, when you're playing it just as a standalone, you pull four. If you're playing it for your company, you will get a procedure card for each of the procedures that your company has.
So if you have procedures for user behavioral and entity analytics, you get that card. If you have one for endpoint security protection analysis, you get that card. Internal segmentation, you get that card. So you get the card for the procedures that you have.
And you'll see just how much easier the game is once you have those procedures. But by default, you get four. In the state of play, you discuss and you take actions, and any action you take in dealing with the incident moving forward, every single action that you're going to take, you're going to roll dice.
And the dice, really the third role: the dice, they get rolled. If it's eleven and over, then the action you take is successful. If it's ten and lower, not lover, fix that.
This game just got weird, kinky. Incident response games. If it's ten and lower, then the action that you take fails. Now, anytime you take an action associated with the procedures that you have, you get a plus three modifier on your roll.
And that's to highlight that if an organization actually has documented procedures and the technology in place, then they're far more effective in incident response. So whatever procedure cards you pull, you're able to get a higher probability of that being successful.
Now, a couple of other things that didn't make it into the slides. If you roll a one or a 20, then an inject card is pulled. And I'll talk more about the inject cards here in just a little bit.
And the inject cards are designed to add some additional randomization to the game and create more conversation topics. Now, the injects will be like: management approves a new procedure, you get a new randomized procedure.
Legal takes your only skilled incident handler into a meeting to explain the incident. I'll talk about that some more. Bobby the intern kills the system you're reviewing. The lead handler has a baby and takes family medical leave.
Give the defenders a random procedure card. Take one procedure card away; that's where a procedure, you find out, is actually broken. SIEM analyst returns from Splunk training, so anything associated with log action gets a plus two modifier.
The data is uploaded to Pastebin in the middle of an incident, because that sucks. We also have: it was all just a pen test. So this ends the game immediately, and the incident master has to turn over all the cards.
Basically, you're able to detect a pen test, and that actually happens. And then honeypots deployed. As soon as you deploy honeypots, then you have to give the pivot and escalate card to the defenders.
So you pull one of these cards in the event that a one or a 20 is rolled, or if you fail at rolling three times in a row. So here in a bit, CJ is going to play.
You can hear him rolling. He's practicing and warming up. If he fails at his rolls three times in a row, then we're going to pull a procedure card. And that's, once again, we do that to keep the game moving.
Otherwise, you just sit there and watch somebody rolling the dice again and again and again. Now, if CJ rolls ten times, if CJ rolls ten times, boom, then you fail.
We have to have an end to the game, so you can see what procedures would have been more helpful in that particular scenario. All right, so D&D roots. The goal is to build conversation.
The best thing about Dungeons and Dragons is that it was a non-deterministic game when I was a kid. It wasn't, like I said, Chutes and Ladders or Candy Land, where you just kind of go around the board and then things happen.
It was building conversations. You'd have a conversation about how you take out a dragon and how you take down a whole bunch of skeletons, and the dungeon master was there to keep that game moving, make sure that everyone was having a good time.
Also, it's designed to track missing procedures. If you're playing this game and you find out that you're missing some procedures, it's time to write those down and then go back and say, we need to have this technology, these procedures in place whenever we're dealing with an incident.
Also to talk through how your organization would handle certain issues. When you're working through incident response and you're playing a game, you get these things, like all of a sudden the data is uploaded on Pastebin.
How are we going to handle that? In fact, we have a card in here, a procedure card called crisis management. And the crisis management card is designed to get people to say, okay, we need to have a team whose sole purpose in life is dealing with crisis management.
If we all of a sudden have an incident, how are we going to deal with that incident? How are we going to deal with this in the public? How are we going to communicate with Brian Krebs? So that crisis management card kind of neutralizes that "data is uploaded to Pastebin" card.
So like I said, it's not Monopoly. You're not going through, and every single action tells you exactly what you're going to do. The incident master decides. So if you try to do something stupid like, well, we decide to give up and take a nap, well, you can roll a die on that, but that doesn't actually forward you through the game.
The incident master can make a call one way or the other about what's being done. It also helps to get into the roles. Yeah, go ahead, CJ.
Jason Blanchard
Yeah.
CJ Cox
It's just very important to remember. I mean, I remember years and years and years of role playing. The purpose of the game, and this one particularly, is to learn, to facilitate learning. If something's not working or you feel like doing your own inject or modifying it, it's a game, folks. Play.
John Strand
Yep, yep. And we'd like those injects and modifiers to be sent to us so we could put them into an expansion pack. But that's just it. It's meant to be a game. And I would also say, if you're an incident master and you're playing this game, the goal is not to punish.
If you ever played Dungeons and Dragons and you have a DM that's just an ass, where you're like, okay, you confront a dragon, what are you going to do? Whoa, I'm going to attack it. And he's like, well, the dragon steps on you because you're stupid. It's like, that's not fun.
That doesn't make the game interesting. It's just being mean. So the incident master isn't there to be mean. The incident master is there to facilitate the uncovering of missing procedures and technologies in organizations as well.
So, I want to break down the cards. All of the cards are broken down into these common sections. Of course, you have the title, you have text. There's a little bit of text that kind of describes the overall approach for the attack or the C2 or the pivot or the escalation.
But it's giving you kind of a little taste as far as what that is. If anything, it's there mainly to help you Google. If you're Googling certain tools, you can Google certain words, and maybe it's going to help you out.
Suggested detects, that's kind of important. For each one of the attack cards that's drawn, there's a section called detection, and it's suggested detects.
So we have all the procedures here, and the detection section basically says if any of the defenders take those actions and they roll successfully, then they should get this card.
And that helps any of the incident masters that say, well, I don't know if that would detect this or not. We actually have the detection built right into the card. Now, the incident master can make a decision, no matter what they want to do.
So if it's not on this card, but the defending team is doing something in a novel way, like we're trying to detect spear phishing and we're trying to use honeypots to detect if our website was actually scraped.
That's really crafty and that's super creative. It's not on the card as a detection, but give them credit for it, let them roll, and see how it actually works out. But it's there to help those junior incident responders or those incident handlers and those incident masters that are playing the game get a better idea
as far as what cards tie up with different stages of the attacks. Then we also have example tools, and I took the logos of a bunch of these different tools.
No, I was not able to get permission from all the developers of these tools. We predominantly used open source tools for these as much as possible. If anyone is wondering why: one, I was lazy and I was very busy.
And two, you can use logos for tools if it's done for educational purposes and comparisons. And that's exactly what we're doing with this game. It's all part of education. We have tools like Evilginx, we have GoPhish, we have CredSniper, and then at the bottom, instead of example tools, we have links that you can follow.
This is what I get for actually writing the slides at 3:00 a.m. We have links that you can go to to get more information about what this card actually means.
And yes, a lot of the links are actually Black Hills Information Security blogs, because we do a lot of blogs and this is also kind of marketing, but there are some other websites that are not BHIS-centric websites as well.
So you've got a whole bunch of things. If you're trying to learn this approach of this attack, you have tools, you have blogs, you have walkthroughs, you have example detections. So it really helps you get better at your tradecraft as a security professional.
If we're trying to deal with phishing, how do we phish? How do we test our organization? What are some pitfalls that you run into with phishing? And what are some tools that I can use to evaluate our ability to be resilient against phishes as well?
I want to pause for a couple of seconds. Are there any questions that I should be answering? Oh my God, that's a lot of people that want training.
Jason Blanchard
Yeah, I got one for you.
John Strand
Yeah, thanks.
Jason Blanchard
Like a D&D monster. Is there a way to determine the difficulty for the scenario, given a combination of cards?
John Strand
No, there isn't. There are some cards that I actually threw in here, whenever I was setting up the scenario, and really a lot of it is just rolling and trying to identify those procedures, but there are some that I actually threw in that were really, really, really hard.
So like this one is evil firmware. Evil firmware. If I read it to you, it says the attacker updates the firmware of a network card, video cards, BIOS, UEFI with evil.
All of these are very difficult to detect and very difficult to update. And it says detection is endpoint security protection analysis, endpoint analysis, and prayers to an engaged and merciful God. So, no, we didn't actually set up modifiers for how difficult each of these detects would be. For the expansion pack, I am planning on doing that for certain types of attacks. Like if we do WNF malware, one of the things that we want to do is your roll is automatically reduced by two, because it's just that much more difficult to detect.
But the goal for this game is to try to make it as easy and as approachable as possible. We didn't want to have people whip out an abacus for every single action that was going to be taken. So, any other questions?
Jason Blanchard
That's it for now. I just want to say, some of the feedback we've gotten is people went from never playing to playing within 45 minutes and having some of the best conversations they've ever had in their organization.
John Strand
So the goals break out as well.
Jason Blanchard
The goal is to get up and running as quickly as possible.
CJ Cox
Yeah, people were asking about the dice, and so here are the BHIS dice that we have.
John Strand
Yeah. And I've got one of these tubs filled with Black Hills Information Security dice. If you ever want dice, just come into any conference that we're at; we have them.
All of this is handed out for free. All right, so I want to go through each of the cards, not each of the cards, but each of the categories of cards. So the first one that we have is initial attack and compromise.
So we call them just initial compromise cards. And with the initial compromise cards, that's how an organization was actually attacked. So that is the vector. So we have credential stuffing, exploitable external services, bring your own exploited device, social engineering, trusted relationships, password spraying, insider threat, cloud access, web server compromises, and phishing.
So when we're looking at how we initially get access to environments in our penetration tests and incident response, these are the main ways that we see, and that doesn't mean that these are the only ways. I've already had some people that are like, well, you don't have this card, you don't have this card.
You don't have this card. We had to keep it to 52 for the core deck. So there will be more with expansion packs, but this will cover the vast majority of the exploits that your organization will encounter.
So in a bit, when I'm playing with CJ, I'm going to pull one of these randomized initial compromise cards, and I'm going to go and shuffle those real quick, because I want it to be randomized.
The next set of cards we have are internal password spray. Now, the internal password spray is part of the pivot and escalate cards. So for the pivot and escalate cards, we have local privilege escalation, new service creation, accessibility features, credential stuffing, weaponizing Active Directory.
That would be like BloodHound style attacks, broadcast/multicast poisoning, like Link-Local Multicast Name Resolution, Kerberoasting, and internal password spraying. So that's how an attacker, after they initially compromised the system, will actually move laterally within the organization and escalate their privileges in that organization.
The next cards that we have are persistence cards. How is the attacker going to maintain access? Now, here's the sad thing about this deck of cards.
The persistence cards are pretty much the only thing that organizations react to in an incident, just persistence. They find the malware and that's it. They just got to walk away.
And really, we want to make sure, if you're doing incident response, that we have all four, right? You want to know how they got in, how they pivoted, did they escalate, how did they maintain access to the system, and how did they communicate?
So the persistence mechanisms we have are evil firmware, which we already talked about, logon scripts, malicious browser plugins, that's the one that's up here, application shimming, new user is added, malicious driver, DLL injection attacks, and malware service.
Just standard everyday malware. So that's the persistence card. So I'm going to randomize these, I'm going to shuffle these cards really quick, get the audio aspect of this in. There we go, then.
The final set of cards that we have for the ATT&CK deck for the incident master are C2 and exfil. Now, C2 and exfil is how the bad hacker communicates with their malware and gets their data off of the environment.
So for that we have HTTPS exfil, Windows Background Intelligent Transfer Service, domain fronting, Gmail, Tumblr, Salesforce as a command and control, DNS as a command and control, and HTTPS as exfil.
So those are all the different main ways that we see attackers communicating on a network. So I'm going to randomize those as well. So now I have those four types of cards, and those are the cards that are absolutely, absolutely essential for building up the incident.
For me, as the incident master. Now I have someone that just put in, Lars just said Grammarly is a keylogger. Yeah. Think about what Grammarly does. Grammarly takes everything that you type and it sends it up to the cloud, and then it comes back and gives you spelling and grammar corrections.
So literally everything that you type in your browser, Grammarly is getting that and then coming back, and it's basically saying, yeah, yeah, the spelling looks good. So that absolutely terrifies me.
I just really, really think that that's terrifying for anybody as well. All right, so we've got somebody who said there's a typo on the social engineering card. Yes, there's going to be typos.
Absolutely. There's no question about typos, because I was involved in this process. All right, so let's move on. I got one quick question.
Jason Blanchard
Is the intent to align these cards roughly with the MITRE ATT&CK framework?
John Strand
Yes. So, yes and no. Whenever I was looking for cards, I was pulling from BHIS pentest reports and also making sure it showed up in the MITRE ATT&CK framework.
I used to have in here the actual MITRE number. The big problem that I ran into with putting in the MITRE numbers is it made the cards a little bit more cluttered. So we might add them in, and the links as well.
But yes, it is absolutely something that went into heavy consideration in actually building these. And these are based predominantly on the attacks that are very successful for us at BHIS as well, which also aligns to the MITRE framework.
Great question. Any other questions?
Jason Blanchard
That’s it for now.
John Strand
All right, sounds good. All right, so the procedure cards. the procedure cards are the defender cards. Remember, you’ve got tools, you’ve got techniques, you’ve got links, you’ve got an overview of what each of these cards does.
And each of these cards ties again to the actual attack. So there’ll be a card called, Netflow, Brozik and Rita analysis. There’ll be a card for endpoint security protection analysis, web proxy log review.
There’ll be a card for user behavioral and entity analytics and Sim log analysis. Another one for firewall log review and endpoint protection analysis. So every single one of those dtechs has a corresponding procedure card for the defenders.
Remember, the defender pulls four. So we have crisis management, host, isolation, endpoint analysis, user behavioral and entity analytics, endpoint security protection analytics.
that’s different than endpoint analytics. Endpoint security protection is actually reviewing the av logs internal segmentation between the environment, Netflow, zeek bro, Rita analysis, firewall log review and then siem log analysis, or SIEM M, as some people call it, and then server analysis.
And that server analysis card is really designed to, be a catch all. So if you have a web server that’s compromised, you can do server analysis. If you’re going to review your proxy server, well, you could look at the server analysis.
So you can use that for a variety of different things, as well. But it’s just basically the ability to analyze any server that’ll give you a plus three modifier for that specific, action on it as well.
So those are the procedures. Then the injects. As I said, the injects are pulled anytime a one or a 20 is rolled, and an inject is also pulled if you fail at rolling three times in a row.
And it’s meant to add some randomness to the game as a whole. So the injects that we have: honeypots are deployed, and that means the attacker has to give the pivot and escalate card.
It was all just a pen test. Management has just approved the release of a new procedure. Legal takes your only skilled incident handler into a meeting. I’m going to come back to that one in a second.
Bobby the intern kills the system you’re reviewing. It happens far too often. And as I say, murder is never okay. Don’t even think about it. Lead handler takes family medical leave.
Give the defender a random procedure card. Take one random procedure card away from the defenders. SIEM analyst comes back from training, and of course, the data is uploaded to Pastebin.
This one is evil. this one. Anytime I’m working with an organization, I try to just sneak this one in, because seeing how an organization handles an incident is fun. Seeing how an organization handles an incident that’s out on the public interwebs is even funner.
So these two cards, and then I’m going to break for some questions are essential. I have two cards that basically deal with taking your lead incident handler out of the game.
The reason why I have two cards for taking the lead incident handler out of the game is because when you play in a, tabletop exercise, there’s almost always that one person that bogarts the whole conversation, that answers the questions for absolutely everyone.
That is like, well, yeah, yeah. Well, what we do is we do this. And, we would look in the sim, and we’d be able to handle that alert, and we’d be able to handle this. We’d be able to do that, or, that’s stupid, that’s dumb.
Let’s not do that. And there’s that one person, I guess it’s usually referred to in IT as mansplaining. I think, I think it’s not just IT, but there’s always that one person that just basically handles the incident for everybody.
So if you have, like, ten people on a team, that one guy talks 95% of the time. So I literally have two calls or two cards to neutralize that person. And, to be honest, I’m pretty sure that I would be that person as well.
so those two cards are there to get other people to start talking about incident response as well. All right, so any questions? I see just a ton of things coming in, so, yeah, go ahead.
Jason Blanchard
So one of the questions is, is it allowable for you to choose the incident cards instead of just randomly selecting them?
John Strand
Yeah, absolutely. the question, is a very good one. If you, if you’re the incident master and you have a set of cards that just make sense to you, then absolutely, you can choose your own incident cards and build your own.
There’s, there’s no rules. If you’re the incident master, you can do whatever you want. You can use specific cards. You can say, I’m not going to use this card, but I’m going to use something else. It’s completely up to you. these cards are designed to give you a good foundation of what these things, look like.
Of course, I just had somebody say we need more “neutralize” cards as well. All right, so any other questions?
CJ Cox
Hey, John, how does it work with non technical people?
John Strand
So how it works with non technical people, I’m going to show that here in a second. specifically with procedures. one of the ways I used to play this, and I found out at Derbycon that I needed to change the way that I was playing it, is I would only give people four procedure cards and they would seize up.
They’d be like, well, these are the only things we can do. And they weren’t able to start thinking through what were some of the additional activities they could do. They were completely fixated on the four procedure cards that they drew.
And I would say things, well, you could do whatever you want, you just don’t have to do those four things. They’re like, I have no idea. I just have no clue. What else could I do? And, what I discovered is if you put all of the procedure cards down, so, they can see all the different procedures and then they get four of those, but they can still see the four procedure cards, and all the rest of the cards.
Then they know that they get plus modifiers for these four cards, but then having the other cards displayed gives them the opportunity to think outside of those four cards that they’ve been given.
So all of those are valid actions that can be taken, but, the four cards are the only ones that they get the modifiers on. So this will really help. If people are non technical, they’ll have a range of options that they can work with to actually deal with the incident as a whole.
And as they play it more, they’re going to get more familiar as far as what cards are more powerful and more useful in more scenarios. Like endpoint analysis is huge. Endpoint analysis is basically riddled through the entire persistence deck.
it just works so well for detecting so many of those different types of attacks, so they get a better idea on how that all works, as well. So, great question. All right, any other questions?
CJ Cox
Just a little addition to that. they were asking about HR and legal people, and we definitely like to have those people in the room. We’ve done this a number of times, where those people get a sense of what’s going on and the interaction that goes on during a cyber incident between, your legal team, your HR team, things like that.
So having that person, those people participate is a really good thing.
John Strand
And if I was setting up a tabletop exercise like we do for customers, instead of having the random injects and the one and the 20, I’ll just throw them in the middle of the game. And like this one would be one that is designed specifically to pull in HR and legal.
if we go back to, data is uploaded up on. Oh, I don’t have that here. Data is uploaded up on Pastebin. Absolutely. You’re going to get management and HR into that. A, user clicks a link, so you play the game and you try to pull those people in.
So it isn’t a purely technical exercise. it also helps whenever you have legal in the room, when you’re talking about procedures that are not written, when you’re talking about technologies that you do not have, it really helps to get legal, basically saying, yeah, do we need that?
That seems like something that would be important. and it just works out really well to get everyone going together. Right. Any other questions before we go and play, two sample hands of this game?
Jason Blanchard
I think we’ll do the sample games, and that should either answer questions or create new ones.
John Strand
All right, sounds good. So let’s get started. so I basically set up two games, and you’re going to see, what CJ’s hand is. And I’m going to pull four random, four random cards.
So I’ve just built the incident. So I have the initial attack and compromise. I have the pivot and escalate. I have the persistence and the C2. So as part of this game, as CJ’s playing, he wants to take the actions that are on the screen to turn over these cards.
Now, remember, for each one of the cards, I have the detection mechanisms that you can use. Now, the actions that are big, those are the four procedures that CJ has that he can utilize as part of this incident.
So right now, he’s reviewing, he’s planning, he’s plotting. These are the four different steps that he can do to start turning over these cards that display the incident, and he will get a plus three modifier on any of those rolls.
However, down here we have all of the procedure cards. I just took a screenshot of it this morning, dropped it in the slide deck. So you can see all of the procedure cards that are available to him.
So he doesn’t have to just do these four things. He can do any of those things that are down below, but only those four. He gets the plus modifiers. So I’m going to go through, and, I’m going to go through really, really, really quick and I’m going to look at my cards and we’re good to go.
All right, I’ve got it. All right. So CJ, you come in Monday morning at 08:00 and you are quickly notified by the SOC intern who’s watching the intrusion detection alerts that your web server on the outside of your environment received something like 10,000 different attack alerts last night.
Completely overloaded him. he has no idea what to do. There’s so many alerts and so many attacks that hit this web server. he’s just completely overwhelmed. So if you get that indication that you have a web server that was attacked brutally in the night before, what would be your next steps as part of, seeing and working through that incident?
CJ Cox
I’d like to go look at the SIEM log, I think.
John Strand
Okay, so we can actually check the SIEM. And if you notice, CJ has this card and he gets a plus three modifier on his roll for his ridiculously large dice.
So, CJ, go ahead and roll and tell us what you rolled.
CJ Cox
19.
John Strand
So he rolled a 19. Now, what I like to do with the rolls, there’s two ways that you can play it. You can have either a natural 20 or a natural one
get you the inject card. But in this situation, I’m going to do two things. One, I’m going to give him the card because he was successful in actually identifying this.
So he was able to identify that that particular system was compromised through an exploitable service. It says an external service was misconfigured or publicly available. The attacker took advantage of this to pivot to internal resources, and for his detection, he was able to do that through log analysis, as far as the SIEM.
So I’m going to turn that card over. So CJ now knows that that system was compromised. So we got that card on his first roll. But because it’s a plus three modifier, I’m also going to give him an inject.
And the inject says the SIEM analyst returns from Splunk training. So now, any log related actions you take, you get a plus two modifier in addition, on every single roll.
So that’s pretty cool. All right, CJ, so now that that system is compromised. It does not mean that that incident is over. No, no, no, it does not. We have to identify, did the attacker pivot and escalate? Did the attacker do anything to persist?
And how did the attacker communicate? As command and control. So if we wanted to turn over these three cards, what would be some additional activities that you could do to identify what the attacker did to pull over these three things?
CJ Cox
Well, segmentation would probably be good, but I’m heavily eyeing my threat analytics, RITA.
John Strand
Okay, so you’ll. So you’re basically going for the C2 card at that point. The C2 and exfil card. So let’s go ahead and do a roll on that.
CJ Cox
I get the plus three, right?
John Strand
You do get the plus three. Yep. It’s one of the cards.
CJ Cox
20.
John Strand
So you got a natural 20. All right, awesome. So the first thing he gets is he gets DNS as a command and control. So the attacker took over the computer system with an exploitable service and put malware on that system.
And we’re able to identify that that malware is communicating through DNS. And of course, you can pick that up pretty easily with tools like RITA. So what we’re going to do is we’re going to pull a random card, and we pull.
Okay, so the random card that you just pulled on that, because you roll exceptionally well, is honeypots are deployed. Now, what this card does is the honeypots are set up, and it basically says the incident master must show the pivot and escalate card, which just so happens to be a card he does not have.
So this flips over. Via honeypots, he’s able to identify that the attacker was doing an internal password spray on the environment. Like I said, you can do the card that’ll actually turn that over as the inject.
You also could have detected it with user behavioral and entity analytics or doing SIEM log analysis again. So, very, very good. This game is going very quickly because you roll very well.
You still have to figure out, is there any malware on that system. Now, one of the reasons why this is key is, yeah, we know that system’s compromised, but we need to develop a better detect as far as what is the malware the attacker used, because they might be using that malware on other computer systems.
So CJ, if you wanted to look at a computer and identify how the attacker is able to get malware on that computer system, what would be some techniques that you could use that’ll actually assist you in identifying what is the malware or the persistence mechanisms, because it’s not always malware, that the attacker had used.
CJ Cox
I guess the endpoint analysis.
John Strand
Yep, do endpoint analysis. You can use incident response cheat sheets to look for anything untoward on that computer. So let’s go ahead and roll.
All right, so that failed, even with the plus three modifier. It absolutely failed. You did not identify anything with endpoint analysis. Now, that doesn’t mean that that’s the only way that you can identify if there’s malware on that system.
You can do endpoint analysis. If you look down on the bottom, there’s also endpoint security protection analysis; that’s checking, like, the AV logs on that computer system as well. Since it is a server, you could do server analysis, and you could also do SIEM.
You could actually check the logs coming off of that computer system, so you still have actions that you can take.
CJ Cox
So I already played the SIEM, but, yep. So can I play it again?
John Strand
you have to wait three turns before you can rerun the same procedure card.
CJ Cox
I’ll do the endpoint security protection analysis for a thousand, Alex.
John Strand
All right, let’s give it a go.
CJ Cox
20. This game is so easy.
John Strand
Is that the dice that lights up every time you hit a 20?
CJ Cox
It’s blinking. You have to bang it, it has to land, and then it was blinking.
John Strand
By doing the endpoint protection analysis, you’re able to identify that there was a malicious driver that was installed on that computer system. you were able to identify that. So pretty cool.
So that is the first game. So let’s go through and let’s answer some questions. CJ did an exceptional job. I’m going to quote, unquote, trash the cards for that incident that we just did because we’re going to do a brand new incident here in just a second.
So let me pause for any questions that people may have.
Jason Blanchard
once a procedure card is used, can it be used again?
John Strand
Yeah, you have to wait three turns. otherwise people would just do the exact same procedure again and again and again. so, yes, you have to wait three turns.
Any other questions?
Jason Blanchard
So we need a d20 set of dice to play?
John Strand
You do. You can also get dice apps as well. So I have.
So I actually have an app on my phone that I can set up. I can roll d20. I can roll d12. I can roll d100 if I want.
But you can actually run these apps. And there’s tons of free apps available on various app stores to get that set up. Good question. So, any other questions?
Jason Blanchard
That’s it for now.
John Strand
All right, let’s move on to the next scenario. So he pulled a whole bunch of new procedure cards. Hold on. And when he pulled the new procedure cards, he ended up with a couple of procedures that were the same as the last time. He got RITA again, and he got endpoint analysis, but this time he pulled crisis management and firewall log review.
So, as you can see, different procedures will give you different strengths, and it also changes the way you approach dealing with the incident as a whole. So now I’m going to build the incident. I’m going to pull one initial compromise card.
I’m going to pull one lateral movement card, pivot and escalate. I’m going to pull one persistence card, and I’m going to pull one C2/exfil. We have now built an entirely different incident with different techniques.
So let me look at this one. All right, so you come in Tuesday afternoon at 3:15, coming back from lunch, of course.
CJ was eating at Chipotle for lunch, as he’s wanted to do on Tuesdays, Wednesdays, Thursdays and Fridays. And when he gets back to the office after a nice long lunch, the organization is actually blocking a lot of social media sites.
And, they noticed that one of the systems was going to a whole bunch of social media sites. And the user swears that he never goes to any social media sites ever.
So if you have a system that’s trying to go to some social media sites and the user’s like, dude, we totally don’t do that. What would be your next actions, sir?
CJ Cox
endpoint analysis.
John Strand
Cool. All right, so we go to the user’s workstation, we do some endpoint analysis. Go ahead and do a roll.
CJ Cox
Did I have a margarita at Chipotle?
John Strand
No, you did not.
CJ Cox
Oh, good, because that’d be like saying.
John Strand
Margaritas for Thursdays and Fridays. Eight. 8, 9, 10, 11.
Oh, wow, that was close. So what you were able to detect, with that very, very close roll, once again showing you how much procedures help, is that the attacker was using application shimming.
So on Windows computer systems, they used to have something called the Application Compatibility Toolkit, now called the Windows Assessment and Deployment Kit. This allows you to create executables that, when they run, think that there’s different directories and different processes and folders and files.
And it’s a way to fake out executables into running on newer Windows systems, but it can also be used as a persistence mechanism. So you can actually use application shimming.
So the attackers use application compatibility to trick applications into not seeing the ports, directories and files or services that an attacker wants to hide. And of course, we have two links associated with this.
We actually do have the MITRE ATT&CK technique, and this one is T1138. And then also the Microsoft documents on how to get started with the Application Assessment and Deployment Kit.
So you got that card right out of the bat. So you saw that those were there. And usually when you’re looking at Application Compatibility Toolkit or shims, they usually show up in the installed programs directory.
So if you go into Add/Remove Programs, you’ll see the shims, unless of course you shim that, and then you’re hiding the shims from showing the thing that shows the shims. But that gets really, really confusing. But we have a couple of places where you can do that.
So you got one card out of the way immediately. So, what did you roll again? What was that? It was just barely. Right. 8, 9, 10, 11. All right, so that’s fantastic.
So that shows the value of doing the procedures. but we still haven’t figured out how we got compromised in the first place, how they may have pivoted and moved laterally and escalated privileges, and how they were communicating for command and control.
So what would be your next action? To try to pull down these three.
CJ Cox
Cards, how they got compromised. hmm. I guess I want to do the endpoint security protection analysis.
John Strand
All right, let’s go ahead and do a roll on that.
CJ Cox
All right. Nine.
John Strand
All right. endpoint security protection analysis is a procedure, but it’s not a procedure that you have. So that particular procedure fails, which, believe it or not, whenever I turn it over, it’s actually going to make sense why that one would not have worked all that well for that particular scenario.
So that one didn’t work. So what would be another thing that you could do to try to identify how a system or a user was compromised?
CJ Cox
M. Endpoint analysis.
John Strand
Go ahead, we can try endpoint analysis. Let’s go for it.
CJ Cox
Five.
John Strand
Oh my gosh. Just completely failing at rolling. so how many failed rolls? Is that. That’s just two so far. Yep. That’s two failures in a row, and that’s a problem.
and how many rolls are we in now? We’re three rolls in.
CJ Cox
Just three?
John Strand
Yep. I’m keeping track now, because if we get to ten, you lose. All right, so that one failed as well. So what would be the next action that you might try to take? And remember, one more failed roll,
we’re pulling an inject. Crap.
CJ Cox
So if I don’t see how, like, RITA will work on that specific thing, do I just get to play that card randomly?
John Strand
Do I have to try to do that card randomly? And that card may work for another one of these techniques as well. So it may not work for that initial compromise, but you may be able to figure out how they’re communicating,
C2. And maybe how they pivoted and escalated as well.
CJ Cox
I just. I feel like I need my plus three here. Okay, I’m gonna go RITA.
John Strand
All right, go with RITA. Give it a roll. Two. Rolled a two. So now we’re at how many failed rolls in a row?
That’s three. And we are also three failed rolls. And we’re at three rolls in. This isn’t looking good. And a lot of these techniques you can’t use again.
So what I’m gonna do is I’m gonna kind of cheat on the inject, and I’m going to pull the “data is uploaded to Pastebin” inject. Now, when we’re working tabletop exercises, this is really where the legal and management team come in and shine.
And it takes an hour sometimes to get through these. So how would they actually deal with that? Now, lucky for you, you have the crisis management card. And the crisis management card counteracts the “data uploaded to Pastebin” inject card.
Now, usually, whenever that card is pulled, as I said, it’s for conversation purposes. How would the organization handle it? How would we contact Pastebin to have it removed? Did it show up anyplace else?
All of those different things would come into play, but I like to show how those two cards counteract each other. Now, we’re four rolls in, and we still have three cards that we need to pull.
Now, where RITA and Security Onion and network traffic analysis failed you, you could still do things like firewall log review, segmentation, those types of things, to try to counteract some of these other cards.
CJ Cox
Yeah, I need a win. I’ll do firewall log review.
John Strand
All right, let’s go for it. Give it a roll.
CJ Cox
19.
John Strand
Oh, finally, 19. So with that one, you pull over the card and it says that Gmail, Tumblr, Salesforce and Twitter are used as command and control, which is kind of a Pyrrhic victory.
You kind of knew that’s what was going on because you had that initial stage from the incident that you were reviewing, but the firewall was able to confirm it, so. Very good.
We’ve got that. We’re on roll five, right? Is it five or is it six?
CJ Cox
I think this will be roll six.
John Strand
This is roll six. So we still have to do: how were we compromised, and how did they pivot and escalate? Now, with the how we were compromised, you could use, like, you could look at, I don’t know, you could look at SIEM analysis.
You still have a bunch of things that you can actually.
CJ Cox
I’ll do the SIEM analysis.
John Strand
All right, let’s give it a roll.
CJ Cox
Two.
John Strand
Sorry, as an incident responder, I shouldn’t take so much joy from your rolling, but your first game was damn near a perfect game. Yeah, yeah, we’ve got it. We’ve got to do that.
So SIEM analysis has failed you. We can now look at, like, I don’t know, user behavioral and entity analytics. Let’s go ahead.
CJ Cox
No, I did that one.
John Strand
You did UEBA.
CJ Cox
I thought I did that one.
John Strand
I don’t think you’ve done that one.
CJ Cox
I should have written them down. If we were playing, we’d have the.
John Strand
Yeah, if we were playing them, we would actually be writing these down as we’d go, for doing incident response with this, but no one’s calling you on it, so go ahead and. Let’s go ahead and roll it.
CJ Cox
A two.
John Strand
Two. What are we at? We’re at seven rolls or eight?
CJ Cox
Seven. I’m writing them down.
John Strand
We’re at seven rolls. seven rolls. So we’re gonna pull another random inject out of this. Let’s see if there’s any of these random injects. I gotta pull out some of them.
That, That’s not.
CJ Cox
That’s not another three fails. I get one?
John Strand
Yeah, you did. You rolled. Are you at three fails, or is it just.
CJ Cox
Fail, fail, fail, success, fail, fail. I get one more.
John Strand
You got one more. You get one more.
CJ Cox
I’m just gonna go random isolation.
John Strand
Isolation. Go for it.
CJ Cox
A two.
John Strand
Now, I get it. So now with this random card you got, it was all just a pen test.
CJ Cox
Must have been black hills.
John Strand
Yeah, it does actually say that for the link. It says Black Hills Information Security.com at the bottom. Somebody’s like, does he have loaded dice? I don’t know. The last one he rolled, like, 400 20s. So that was, that was cool.
CJ Cox
I had two 20s and then three 2s in a row.
John Strand
Yeah. so now I turn over everything because it’s a pen test. So initially you were compromised via password spraying. And we talk about blog posts on how to do password spraying and tools and how you could have detected it.
And unfortunately, this has three different ways that you can detect it. And you failed at rolling at all three. And then also kerberoasting was what was used for pivot and escalate inside of the environment.
which really, really, absolutely. just, you failed at rolling all of those as well. So that kind of sets up the game. so let’s hand it over to questions, for anybody that they have.
No, I didn’t make 420 as a joke and a reference. So the question was, does the incident master decide which card to reveal based on the procedure?
Absolutely. It is absolutely up to the incident master on how they would decide which cards are turned over based on which actions. Because as an incident master, you’re going to feel them trying to figure out how that system was compromised, lateral movement, things of that nature.
So it’s completely up to the incident master. And I’ve played this with college, students and I’ll help them out a lot in going in the right direction to try to get them moving.
but after somebody plays this game and they start going through the cards and they try to learn what each of the cards are, it tends to make them much better at the game over time. Another question is, what happens if they fail without getting bailed out by a pen test card?
You keep going until you get to ten rolls. so if CJ would have rolled two more times, success, or fail for those last two, he would have failed the entire incident. And I do that because I want even failed incidents to have a defined endpoint where, we can turn over everything and we can start having conversations about what we would do, if things fail.
And that is actually kind of a key point, because so many customers and organizations get so hung up on, we would use this tool, we would, we would check our logs for Carbon Black, and it’s like, well, Carbon Black has failed.
You, what now? And that is a huge question. The what now? As well. So, let me see.
Do we have any other ones? Yeah, I like this one. Dave just said you should have a card that if things are going really bad, just pay the ransom in bitcoin.
Jason Blanchard
John, one comment, because we’re on time. a lot of people were asking, like, can I do this? Can I do that? Can I, can I add this modifier? Can I do these things? And I was just getting, everyone is like, yes, you’re the incident master.
You can, you can tailor it to your organization.
John Strand
Or I would just say, no, if you start modifying my game, I’m coming to your house, I’m coming to your place of work, and I’m showing you how to play it. Right. No,
CJ Cox
Games have house rules. So absolutely feel free to be creative. I wanted to inject levels, right? Like, to have levels of malware and levels of training in your organization so that you can have plus one, plus two, plus three, and the plus five vorpal weapon.
But, yeah, but modify it, make it. Because, again, the point is to, highlight and to learn and to have conversations. So that’s what you’re facilitating and,
John Strand
With Cubicles and Compromises, there’s a rule that you can add into this as well. Like, anybody that is trained in that action gets a plus two modifier on that action. So you may not have the procedures, but someone’s trained in it.
You get a plus two modifier. If you have a procedure and someone who has training on it, then you would get a plus five modifier for that action. So really, like CJ said, house rules work really, really, really well
with this entire thing. And honestly, the way most people are using this, aside from tabletop exercise education, is just going through, and it’s like, I’ve never heard of LLMNR. I’ve never heard of CredSniper.
I’ve never heard of these different tools. And it gives them kind of an opportunity to try to learn as much as they possibly could. Oh, I like this. Lucas just said you should add some blank cards.
And I think he’s kind of talking about legacy. So, like, if you play Risk Legacy or Pandemic Legacy, there are stickers and things that you can get that are actually blank, and you can kind of add that in however you want as well.
All right, well, everybody, that’s kind of it for our time. We’re going to stick around, for a little bit longer, and we can answer some more questions. But as far as the core webcast, that’s it. Thank you very much for attending.