This webcast was originally published on March 31, 2022.
In this video, members of the Black Hills Information Security team discuss how to play the game Backdoors & Breaches, which they created in 2019. They delve into the specifics of the game’s creation, its reception at DerbyCon 2019, and the subsequent demand that led to its sale on Amazon. The video also serves as a tutorial, teaching viewers how to play the game effectively using both physical cards and the online version.
- The webinar effectively demonstrated the ‘Backdoors and Breaches’ game, a cybersecurity training tool simulating real-world attack scenarios.
- Participants learned about various cybersecurity threats and responses, enhancing their understanding through interactive gameplay.
- The game emphasizes team collaboration and problem-solving, reflecting the dynamic and complex nature of real-world cybersecurity incident response.
Transcript
Jason Blanchard
All right. Hello, everybody. It is 1:00 Eastern time. Today we are Black Hills Information Security. And normally I, like, lead into the person who’s going to be speaking, but the person speaking today is me.
So I’m leading into myself. Today we have some of the members of our SOC team, the pentest and incident response team, and we’re going to teach you how to play Backdoors & Breaches. So it’s a game that we created in 2019.
The very first time anyone ever saw it or got it was at DerbyCon 2019. Last DerbyCon. Rest in peace. And so we gave the game away. And that morning when we showed up to give the game away, there was a line from one side of the hotel to the other.
And we gave out about 800 decks within, like, an hour and 45 minutes, just constantly handing out the decks. And at that point we’re like, wait a second. This might be something that’s interesting. We were able to reprint it as quickly as possible, and then we made it available on Amazon.
And the only reason we made it available on Amazon is because a lot of people asked for it and we had to figure out a way to get it to them. And so we made it available on Amazon. We sold out 4,000 decks in 24 hours.
And I was like, wait a second. This might be, like, a thing that people want to use. So what we’re going to do today is, we’ve learned over the last year and a half, two years, that a lot of people bought it, but you didn’t know what to do with it.
Like, you opened up the deck, you saw this website that I currently have available. You see the cards and you’re like, I don’t know what to do with this. And so today we’re going to show you how to play Backdoors & Breaches.
We already know that a lot of people do play it. Deb and I have been giving demos for the last year and a half to people who request it. And so what happened is we’re like, wait, how about we just do a webcast where we just teach everyone all at once?
My cat’s going to get down. There we go. So we have a couple people here today. We got Corey, Noah, Kaitlyn, Kirsten, Troy, and Hal. They’re going to play the game. But before we do that, I’m going to show you what the game is, why we created it, and what the cards are.
And then we’re going to play the game and learn to play the game while playing the game. Everybody ready to go? All right, so Corey’s never seen this before. This is Corey’s first time. Kaitlyn’s played before.
Kirsten, I think you’ve seen it before. Noah, you’ve led a few rounds. Hal, have you seen this game before? Cool. Ran it. And then Troy, you’ve seen it before because I’ve done some demos for our SOC customers.
So, like, Corey’s here for the first time. Like, he’s learning about it, just like you’re learning about it. So let’s go ahead and get started. So we have this free website called play.backdoorsandbreaches.com, and it was created by a person named Richard Fong.
Richard Fong reached out to us at some point after we’d given the physical card games away, and he said, is there a way to play on Zoom or is there a way to play online? And we said, no, there isn’t.
We don’t know how to do that. He’s like, well, I do. Can I make an online version? We’re, like, hmm, if how. Sure. So about two weeks later, he came back with this thing.
We’re like, holy cow, this is fantastic. And it essentially became, like, the first open source version of the game. And so this is free. Go to play.backdoorsandbreaches.com.
You can use this anytime you want. You can bring up multiple instances. It’s yours, you can use it. It is open source. You do not need to buy the physical copies of the game. The reason why we sell physical copies of the game is some of you want to actually have physical copies.
And the reason why we charge money for them is because it costs us money. But any profits that we make from that we use to give away decks to educators. So we’ve given away about six or 7000 decks over the last couple of years.
And if you are interested in that, you can always reach out to us and request decks for your classroom. Now, I need to make sure I always enunciate that word just in case.
So the very first card that we have here in the game is the red card, and the red card is the initial compromise card. So everyone’s going to watch what I’m doing here. You’re going to learn about the cards, why we created them the way we did, and what we’re going to use them for.
So the initial compromise card is how the attackers initially get into your organization the very first step of the attack. And so this card right here is the insider threat. So that’s the overall concept of how this attack went down.
We have a brief explanation. An internal disgruntled user exfiltrates information from your network. We have what can detect it. User and entity behavior analytics. Cyber deception. DLP. Ha ha.
Kidding. DLP never works. The other co-creator of Backdoors & Breaches is John Strand. And the tester is a Black Hills. And so there are some John Strand-isms in the card.
Another thing here is working with HR. Like, if you just reach out to HR and, like, this makes sense, and the person’s like, no, that person’s very disgruntled. All right. The tools to cause this type of attack is being considered a full-time expenditure.
Some of you right now are watching like, mm mhm hmm. Yeah, I get that. Huh? Long hours and addiction. So those are types of things that lead to that. Now, here in America, we have the American Addiction Centers, and so you can go there for help.
Now, if I hit refresh, I get a brand new attack card. Now, it’s web server compromise. That’s the initial compromise. It’s a web server compromise. The attackers take over an external web server, and they use it to pivot to your internal network.
Once again, it’s a small description explanation of the attack. So that way Kirsten and Hal and Troy and Noah are all talking about the same thing.
So everyone has the same common vernacular. Detections are server analysis, SIEM log analysis, network threat hunting. Now, the detections correspond to these cards right here.
So the detections correspond to the procedures. And we’ll talk about that in a little bit. But here’s how the detections are created. What happened was we created the game.
We had it on a spreadsheet. We made the cards. And then I brought in a bunch of subject matter experts like Kirsten and Kaitlyn and Troy and Hal and Noah and Corey. And I said, all right, so what would detect a Web server compromise?
And Troy would say something like, well, server analysis and log analysis. Network threat hunting. Like, cool. Kirsten would say, like, server analysis and log analysis. Network threat hunting. But then maybe Hal would say, well, in this organization, we have this tool and it does it this way.
And I could get that result, all right? And then Corey would say, well, I know that in this organization, with this tool and this capability and these procedures, we could get this, okay?
And then Kaitlyn was like, well, what about this? Mhm. And so eventually, after, like, 45 minutes of this, for every single card, I would say something like, what would always detect it in every organization? Like, oh, server analysis, SIEM log analysis, and network threat hunting. Like, okay, that.
That’s what goes on the card. And then we moved on to the next card, and 45 minutes later, we would say, now what always detects it in every organization? So this is the baseline of what detects. Kitty.
No, kitty. No, no, Kitty. I’m on a webcast.
Corey Ham
This is an inject.
Jason Blanchard
He got his claws stuck in my pants.
Corey Ham
Inject. Cat attack.
Jason Blanchard
Yeah, cat attack. Inject. All right, so the tools to do this are that attack proxy, sqlmap, and Burp Proxy. And the tools down here are here. And if we do have a blog that goes along with it, then we have a blog that goes along with it.
And so we have a lot of blogs at Black Hills. And if there’s something that we could use to teach you about the attack, we do. So now I’m going to hit that refresh button one more time. Kitty, no.
All right, and this one’s a phish. So the attacker sent a malicious email targeting users. What can detect this is log analysis, server analysis, endpoint security protection analysis, and the tools to do so are Modlishka, Evilginx, and GoPhish.
And so they are right down here if you want to learn more about it. Now, here’s what I like about this game. These are the tools that we use at Black Hills to do the types of things that we do when we’re pen testing. Now, sometimes I get a chance to play with CyberPatriot teams or college teams and stuff.
And when I say that these are the tools that we use, you’ll see, like, high schoolers light up, or like, wait, what? Like, I can use this? And you’re like, yeah, if you want to. They’re like, yay. And the teacher’s like, no.
but yes, these are the tools. And the kitty’s like, now he’s upset. He’s in the background. You wouldn’t let me sit in your lap. Okay, so once you have the initial compromise, that’s done.
Now the attackers have to pivot and escalate. And this is my favorite card in the whole deck: broadcast/multicast protocol poisoning. So now the attackers are pivoting through your network and escalating privileges.
And the reason why this is my favorite card. Raise your hand. I’m talking to you. You all here, raise your hand if you know how to do this attack.
Noah. Hal. Corey. Troy. All right, Kirsten and Kaitlyn, you did not raise your hands. And that’s okay. That’s exactly what I’m looking for Corey.
Can you explain this relatively quickly?
Corey Ham
Basically this is a Windows default that is hard to make truly go away because things break, and it’s executable or exploitable with one tool on the network, or it’s super easy.
It’s basically a way to capture credentials or relay credentials, throughout the environment. So it’s basically the gift, that keeps on giving.
Jason Blanchard
And the reason why I asked, people, whenever I play this game, I always say, we got broadcast/multicast protocol poisoning. Raise your hand if you know how this works. Is that a lot of times only one person raises their hand per team.
And some of you right now, you’re at home, you’re looking at this and you’re like, I don’t know what that is. And Corey just explained it. You would almost have no reason to talk about a broadcast multicast protocol poisoning attack unless you had a reason to talk about a broadcast multicast protocol poison attack.
And that’s what this game is about, giving you a reason to talk about the attacks, talk about the procedures, and talk about these things prior to them actually happening in your environment. Now, the tool, wow, kitty.
The tool to do this type of attack is Responder. And so I’m going to ask the question to my SOC team, what does it look like when Responder is run in somebody’s environment?
Noah Heckman
All right, I was quiet. I gave him a chance. What you’re going to see when Responder is run is basically connections that would normally be going to one server.
Now, all of a sudden they’re being redirected to a different server, but you’re seeing multiple of those connections being redirected to another server. so anytime you go and ask for an SMB share, it goes to that server.
Anytime you ask for an FTP share, it goes to that share server. Ask for HTTP authentication, goes to that server. it’ll relay it through, but yeah, that’s what it’ll look like.
Jason Blanchard
And the reason why I asked is because do you know what these tools look like if they’re run in your environment? Like, what alerts do you get? What does it look like? How would you know if this was actually run?
And so I ask every organization I play with, what does it look like with Responder running in your environment? And a lot of times what I get is people who don’t know. And this is an opportunity to do threat emulation, threat simulation, to do these types of attacks and see if it works.
Now, if an organization is like, well, Jason, is it okay or is it safe to run Responder in my environment? The answer is, I have no idea. So that is up to you and your organization. Okay, so once the attacker has started pivoting and escalating, well, now they need some way of communicating with all the things that are inside your network and get information out of your network.
So this is DNS as C2. So the attackers use DNS as C2 because it’s always DNS. The way to detect this is network threat hunting, firewall log review. The tool to do this is dnscat.
And if you want to learn about this, we have a blog series on how we bypass Cylance. It was a five part series because I think at some point Cylance said we can’t be bypassed. We’re like, wait a second.
And so we have a five part series on how to do that. So if you want to go ahead and check that out, you can there. I don’t know if those things still work, but they did at the time. All right. And lastly, we have the persistence mechanism.
So how the attacker maintained persistence, or where they left persistence throughout your environment so that they could get backdoors or whatever it is. And this one here is evil firmware. The attackers update the firmware of network cards, video cards, and BIOS or UEFI with evil.
All these are very difficult to detect and very difficult to update. So we have what detects it here, the tools to do so here, and then some more information here if you want to learn more about that.
Okay, so what we just did, essentially we created the cyber kill chain. Thank you, Lockheed Martin. We have the initial compromise, how to pivot and escalate, the C2 and exfil.
And the persistence, it’s the whole part of the kill chain. Now what’s going to happen is we’re actually going to play the game. And the way that the game works is my team here will have ten turns. And, Troy, the way that you have here, is still throwing me off.
Like how? You have to think tight. No, that’s fine, it’s fine. So what we’re going to do is we’re going to play through the game. The defenders slash incident responders will have ten turns to try to solve my four cards.
And what that looks like is I’m going to hit refresh, so we get a brand new scenario. And if I look down here, I get to see the solution, that it’s an insider threat that leads to an internal password spray, where they’re using HTTP as exfil and using a malicious service as their form of persistence. I get to see that, and then I hide it.
Well, essentially, I would take a screenshot of it, put it at somewhere else on my monitor, and then I would give a scenario based on the cards. And then the team here is going to use these procedure cards to try to solve my four cards within ten turns.
Now, the way they solve the cards is by choosing the right procedure for that attack and then rolling well. So rolling unwell is one through ten.
Rolling well is eleven through 20, or rolling unsuccessfully is one through ten. Rolling successfully is eleven through 20. So, for those of you that are at home and want to play along, but for Kaitlyn, Kirsten, Hal, Noah, Corey, and Troy, if you please go ahead and bring up, like, another tab on Google.
So go ahead and bring that up. Unless you have a physical D20 dice in front of you, you can roll that as well. I just want to make sure the reason why I like having cameras on when we play this game is because I’ll know if Corey actually rolled badly, because Corey would be, like, 17.
I was like, I don’t think so. Now with that facial expression, it’s no way. So I like having cameras on. You don’t have to, but I definitely like having cameras on. Now, I already have a situation prepared ahead of time.
Now, we’re using the expansion deck today because, most of the people who are playing with me today have played before, and we do have both versions. I recommend using the original version when you’re first getting started, the core version here.
And then I recommend using the expansion deck once you’ve gotten used to that. And the reason why is because there’s additional cards. There’s also things like consultants. There’s more inject cards, and there’s more attack cards.
And so I am ready and prepared. So, today the team is going to be using crisis management, endpoint security protection analysis, cyber deception, physical security review, SIEM log analysis, endpoint analysis, isolation, call the consultant, network threat hunting, firewall log review, user and entity behavior analytics, memory analysis, and server analysis.
If at this time, you’re still confused about how this game works, that’s okay, because we’re going to learn to play it by playing it. Okay, team, any questions?
Any questions? Yes. Okay.
Kaitlyn Wimberley
Charlotte O asked, where do the consultant cards come into play?
Jason Blanchard
So, the consultant cards come into play anytime you want to use them. So you all, at the very beginning of the scenario, could choose to call a consultant, and then the consultant cards come up and then you can choose which consultant you want based on the modifier that they give you.
So Eric Conrad here gives you a plus three modifier for all procedure cards that mention DeepBlueCLI for the rest of the session. But if I go over here, Tim Medin would reveal the pivot and escalate card.
Or we have, Marcus Carey would give you a plus two modifier on all dice rolls for the rest of the session. So from the very beginning, you can choose to call a consultant that would help you with the modifier.
Any other questions? No? All right, so I’m going to give you your scenario. You will then have ten turns to try to solve my four cards. You’re going to use the procedures or anything at all?
Like, you could come up with anything that you want to do. Most likely the thing that you want to do falls into one of these categories of procedures. So here. Ready? Here is your scenario.
It is Thursday afternoon. On Monday afternoon. So last Monday. So a couple days ago, the, maintenance person of your building. So we’re going to just assume we’re a mid sized company of about 200 employees.
We have two or three different locations, buildings, offices, places that people can come. Some people work from home, but a lot of people have started coming back to the office on Monday, the maintenance.
The person in charge of the maintenance for the whole building got an email from our HVAC provider. The HVAC provider said, we got an. So the HVAC provider sent an email that says, we were compromised in a cyber attack about three months ago.
So they were compromised in the cyber attack about three months ago. Through an extensive incident response process and mediation and things like that, we determined the cause of the attack and we don’t believe it affected you in any way.
But due to our own policies and due diligence, we are sending you an email letting you know that we were compromised, but we don’t believe it spread to any of our customers. Thank you for your patronage, essentially.
Thanks for being a customer. And that’s it. So the email went to the maintenance manager of the building. The maintenance manager got it on Monday, looked at it, didn’t think much about it, and then now it’s Thursday.
Like, yeah. The security team has now forwarded it to you all, the security team, the incident response team. And if this was your scenario, what would you do first?
Troy Wojewoda
Do you have a point of contact?
Jason Blanchard
Do you have a point of contact.
Troy Wojewoda
For the HVAC company?
Jason Blanchard
Talk to them directly you could. Yeah, there’s a phone number and contact at the bottom of the email that was sent.
Corey Ham
Our HVAC isn’t connected to our corporate network, is it guys?
Noah Heckman
Oh, there was that temporary firewall rule, but I think we got rid of that one.
Corey Ham
Oh, okay. oh.
Noah Heckman
I said I think we got rid of it.
Jason Blanchard
So if this was your scenario, what would you do first? Hal has already mentioned the point of contact. there’s a little bit of like not sure if it’s, I mean if.
Noah Heckman
We’re not sure about the firewall. It would make sense to maybe do a firewall log review. Just throwing that out there. Now what’s.
Jason Blanchard
Happening is there’s some of you at home who do incident response and you do this for a living and you’re already starting to think of possible scenarios or possible like routes to go down. Now here’s the one thing you don’t want to do.
You don’t want to go like, oh, I would do this, then this, then this, then this, then this, then this, then this. Like I’m sure a lot of you are like, oh, I know exactly what I would do. The way this works is that they will throw out what they want to do and then they will have a discussion about it and then they will come to a consensus for step number one.
Once they figure out what they want to do first, then they’ll let me know as at that point they’ll roll the dice to see if it works or not. If it does work then we’ll talk about that. If it doesn’t work then we’ll talk about that.
Kiersten Gross
So I have a question on Hal’s response. So would you say your contact, the point of contact that the company has with the HVAC company?
Jason Blanchard
Sure.
Kiersten Gross
Is that what you’re. Right.
Troy Wojewoda
I would open up communications with that company that suffered the breach and see if they could share their incident report or some IOCs related to that. And then that would kind of give us a baseline on how we could scope our environment.
Jason Blanchard
Okay.
Corey Ham
I feel like we should just assume it’s compromised.
Kiersten Gross
I was going to say backdoors and.
Noah Heckman
Breaches conversation about it. I’m just saying.
Kiersten Gross
Sure. I was going to say I like Hal’s response. I was going to say I thought where you’re going with this is what I probably would have done. would do is contact. Like you said, the point of contact that our company has with the HVAC company and confirm that the actual email is a valid email.
Corey Ham
Mark.
Jason Blanchard
Oh, you think it might be a phish?
Kiersten Gross
It could be a phish. It could be something along those lines, right? It could be somebody overreacted, and they had a buddy within the company that said, hey, I heard a rumor, and Jane was talking two cubes over, and we believe we were hacked.
And then they sent an email.
Jason Blanchard
Right.
Kiersten Gross
So, I would just try to get, to Hal’s point, open up a line of communications with the valid points of contact at that company, and then confirm that message.
The information that’s being sent is valid.
Jason Blanchard
Is that a consensus among you all, to reach out to the point of contact and get some more?
Corey Ham
I’m cool with that. I’d probably just google it, right? Because it’s probably public at this point, too.
Jason Blanchard
Okay, so what’s going to happen right now is the thing that you’re doing doesn’t require any dice rolling. You’re seeking clarity. There are two types of questions you can ask in Backdoors & Breaches: seeking clarity about the situation, and then other things where you would actually have to do some analysis.
And this is not analysis. This is seeking clarity. So to seek clarity, this is a real email from the real HVAC provider. And, they have a report, but they can’t get it to you, until maybe, like, next week.
They have to clear it through their legal department before they can show it to you. So you’re in the dark right now for any of the IOCs. Cool.
Corey Ham
I say we do the firewall log review like Noah said. I mean, it is like asset discovery. Like, seeing what HVAC assets we even have would be like. But firewall analysis could be a way to do that, right?
Kiersten Gross
Yeah, I would say the same thing. A little bit kind of related to that would be to do a look back on any emails coming to and from that company within the last.
I would say I would go a little bit beyond three months. So three months is the value they gave us. I would do, like, three months in a week or four months to be safe.
Troy Wojewoda
So I have a little bit of a different opinion. since we know this is our HVAC, and, we’re just going to probably assume that this has some type of network communication, I would probably do, like, a review of, network traffic based on our Zeek data, see if we can baseline something that’s out of the ordinary.
Corey Ham
Do, we have log data from our HVAC stuff going into Zeek?
Jason Blanchard
That’s a good question.
Noah Heckman
That’s up to the dice roll.
Troy Wojewoda
Does it have Internet connection? So if it has an Internet connection, then if the sensor is put out correctly, it should have visibility.
Noah Heckman
as far as things that we actually know how to do and are actually good at, network threat hunting or firewall log review are both, not ideal for that, but I think we have to start on the network side of things one way or another.
Corey Ham
I’m going with either, if I understand the discussion so far. Hal’s saying that the HVAC itself is being attacked, but I think Troy was talking about maybe they had attacked us some other way through some other means of phishing or somehow some different avenues.
So I’m not. I’m not sure exactly they’re talking about the same.
Kiersten Gross
So just to clarify, that firewall review was already kind of put out there. I was lumping in. I was assuming, and the assumptions are probably not, something that you want to be too, careless about, but I was assuming, to me, firewall review met, kind of looking at what policies we have from our infrastructure to their infrastructure already in place.
and to look at either, both allowed and denied traffic, leaving our infrastructure going to their infrastructure and vice versa. I, thought that’s what was included in firewall review.
So, then, what I was getting to Kirsten’s, question was, assuming that this company was compromised of some threat activity was happening within that company.
We were doing. We’re business partners with that company. A lot of business partner communications happens over email. and so to look, to see if any suspicious emails were coming from that environment in the span of that three month window.
Jason Blanchard
So, I need a consensus. Kaitlyn, let me know what you all want to do.
Kaitlyn Wimberley
So I think that, if we find out if the HVAC system can communicate with the rest of our network or not, then that kind of tells us the direction that we need to go.
Right. Because if it doesn’t have any sort of connection into the rest of the company, then that’s probably not an issue. Right. And we might want to explore, like, other ways that this compromise could have affected us.
Corey Ham
I agree.
Noah Heckman
Valid point.
Corey Ham
Plus, assuming the company was compromised and they just, instead of pivoting in through the assets the company has in our network, they just sent us phishes from the company or sent us other things from the company, it’s probably, like, would be detected by our other controls, theoretically, right?
I mean, we have. Hopefully we have, like, some kind of email filtering that would have caught that kind of stuff but, yeah.
Kiersten Gross
and that’s kind of where I was going to is because a lot of times when you have established business partnerships, sometimes email gateway solutions are a little bit more lenient towards business partners.
So, like, they have to have certain spam rules and AV and certain things tweaked because email has gotten stopped over the years, and people have called up and said, allow this email because you keep quarantining my email.
Jason Blanchard
So.
Noah Heckman
So we stop shipping a straight executable. We wouldn’t go through just fine.
Corey Ham
That’s how they update the HVACs.
Noah Heckman
Yeah.
Kiersten Gross
Depending on the scenario, I could see where business partner relationships have a little bit more. Less leniency when it comes or, more leniency when it comes to security. posture.
Jason Blanchard
So, for everyone watching right now, we haven’t even rolled once. But look at all the discussion that has taken place. There’s so many different theories. Different, like, reasons, to.
Kiersten Gross
It’s a good thing there’s, like, five of six of us, because then I would say, oh, I’ll do this, you do that, and we can all do at the same time.
Noah Heckman
Right?
Jason Blanchard
Sure. All right, so I need either. Are we doing firewall log review or.
Noah Heckman
Well, I think there’s a. The latest one has been, that we need clarification as to whether or not the HVAC system has network connectivity.
Jason Blanchard
Yes.
Noah Heckman
Yes, it does.
Jason Blanchard
It does.
Kiersten Gross
That was via the firewall review, right?
Jason Blanchard
No, you haven’t done any review.
Noah Heckman
We just needed to know. It doesn’t make any sense. Like Kaitlyn said, it doesn’t make any sense to do a firewall log review if the HVAC system is not actually networked. Yes, because it wouldn’t be compromised.
Jason Blanchard
The HVAC is networked. you have a special system set up just for the HVAC to be, taken care of.
Corey Ham
I’m cool with the threat hunting. I feel like the firewall log review, we were doing that more for asset discovery. I don’t know. That’s my opinion.
Noah Heckman
But you can do asset discovery, too.
Corey Ham
Yeah. Means both networks, so threat hunting sounds fancier. Log review? Kind of boring.
Jason Blanchard
All right, so network threat hunting. Who was the first one to say network threat hunting?
Noah Heckman
That would have been Hal.
Jason Blanchard
All right, Hal, you’re going to roll the dice. One through ten is unsuccessful. Eleven through 20 is successful.
Troy Wojewoda
Seven.
Noah Heckman
Poker face.
Corey Ham
What do you. Did you not have your coffee this morning?
Jason Blanchard
So, a couple things that are happening right now. First, I’m putting the number three on top of it because you have a three-turn cool-off period before you can do this again. Also, it doesn’t mean that you can’t do it ever again.
You just have to wait three turns to do it again. Because sometimes when you try to do something, it’s not set up properly, like, the person who you need to do it isn’t there, like, there’s a cool off period.
The other reason that we have a cool off period is so you don’t keep brute forcing the same thing over and over again because you rolled badly. But here’s where the power of backdoors and breaches comes in. I’ve played this game with over 100 different organizations over the last year and a half, and here is the question that really reveals their security.
Now, today we’re going to be a little generic with our responses because, one, we don’t want to reveal the actual security of Black Hills Information Security. And two, we’re a fictional company at this time, so we’re going to be a little generic with our response.
So here’s the question to the team. Ready? Can you give me a reason financially, politically, personnel wise, or technologically why network threat hunting would be unsuccessful at this time?
Not for forever, just in this moment.
Troy Wojewoda
So networking needed to borrow the span that’s feeding the network sensor, and they’re doing troubleshooting right now. So we’re not getting any data.
Jason Blanchard
Okay, what else?
Corey Ham
No, and double check. The database is being updated.
Jason Blanchard
What else?
Corey Ham
We don’t have sensor data for Wi-Fi. And it’s only a Wi-Fi device.
Noah Heckman
The Wi-Fi connected HVAC system. I like it.
Jason Blanchard
How. How much or how many days of data are you collecting? Probably.
Corey Ham
We can’t afford three quarters.
Noah Heckman
We can’t afford three quarters of a day.
Corey Ham
We can’t afford big ourselves.
Troy Wojewoda
Big cells are down. So, I mean, I think we had a, cut back on a retention. So I think we only have, like.
Jason Blanchard
A day or two.
Kiersten Gross
The only guy that can get in, the only guy or gal that can get into the sensor quit two weeks ago. Nobody can get into the sensor.
Noah Heckman
We don’t know their password. We don’t know their password and.
Corey Ham
Yeah, or on a trial license, and we ran out of index data.
Jason Blanchard
Sorry. So here’s the. Whenever you ask that question, like financially, politically, personnel wise or technologically, anything you can think of, and this is for everyone who is currently watching at work or at home, anything you can think of is a possible finding.
That’s what you’re looking for. Is like, where do we have maybes? Where do we have, like, not 100% visibility? Where do we have. We are not quite sure what our capabilities are. Where do we need training?
Like, where do we need authorization and the ability to do the thing that we want to do. So once you, like, write all that stuff down, here’s what I don’t want you to do. Please, please, please don’t have a long list of things that you learned while playing Backdoors and Breaches that you feel like you have to fix when the game is over.
Only pick one thing from your list to look into. What I’ve learned from playing this game with people is that when human beings think they’re going to have a long list of things to do after playing this, they don’t want to play this anymore.
So only one thing. One thing when you play. All right, so network threat hunting didn’t work because Hal rolled a seven.
Noah Heckman
Hal, you’re gonna have to work on a better poker face.
Troy Wojewoda
So it’s funny because choices. I have a terrible poker face.
Jason Blanchard
All right, so what would you do? Yeah, what would you do?
Corey Ham
Who’s down for SIEM review?
Noah Heckman
It’s basically, what exactly are we reviewing in the SIEM, though?
Corey Ham
We’re reviewing, like, any alerts related to HVAC stuff, right?
Noah Heckman
Shouldn’t we already be taking action on alerts?
Corey Ham
It’s a low. It’s a low. Wait, wait.
Kiersten Gross
We don’t do that. Sorry, what was the problem? What do we try and throw a circumvent.
Noah Heckman
We don’t know. The fact that network threat hunting didn’t work.
Kiersten Gross
Oh, it didn’t work.
Noah Heckman
We were on the fence about network threat hunting or firewall log review. I’m kind of like we should try the firewall log review, but true.
Jason Blanchard
Sure.
Noah Heckman
No, because I think that pivoting to their SIEM usually indicates that your, you have a host that you’re investigating or a specific thing that you’re investigating. We don’t know what we’re investigating.
Troy Wojewoda
But also, don’t you, like, put your firewall logs in your SIEM as well?
Corey Ham
Yeah, but there’s a low severity alert in there that we didn’t look at because we didn’t care.
Jason Blanchard
All right, so. No, I believe you mentioned firewall review. Is that the consensus of the team or someone else got something?
Noah Heckman
We’ll see if I know my ASAs.
Jason Blanchard
All right, Noah, go ahead and roll the dice for us and see what happens.
Kiersten Gross
So does the three go on that card, Jason?
Jason Blanchard
No, no, no. We’ll talk about that in a second.
Noah Heckman
Okay, I got a 16. 16. Yes.
Jason Blanchard
All right, I trust you. All right, so doing firewall log review, you see that you have four different systems inside your environment, all using BITS to send out data to the same location.
They’re all using four different systems. One’s in accounting, one’s in this other department, one’s over here. But essentially you have four different systems, all using BITS to send out information to the same location.
Corey Ham
Can any HVAC systems run BITS?
Noah Heckman
It’s really Windows. It’s. Yeah, it’s Windows based. It’s running on Windows Vista.
Corey Ham
I guess we should have mentioned that.
Jason Blanchard
Is this possible? And what is BITS? I have a question for what is BITS?
Noah Heckman
Background Intelligent Transfer Service. It’s a traffic, it’s like your HTTP or your HTTPS web traffic, but it allows you to transfer files. It’s built into Windows.
Jason Blanchard
Do organizations use this regularly or is.
Noah Heckman
This built into Windows? So pretty much all of your Windows updates are run through BITS usually. So probably what we would have seen was actually that four hosts were using BITS for non Windows update stuff, and that would have made them stand out because we would expect to see a fair amount of traffic on BITS in general.
Jason Blanchard
So one time I asked an organization like, do you know what BITS is? Jason, we hate BITS so much, we have a script that runs every hour in case someone accidentally turns on BITS.
Noah Heckman
I was like, right.
Jason Blanchard
Here’s why that card was revealed. If you take a look at the card, it’s got network threat hunting and firewall review. That means if they were successful in network threat hunting, I would have possibly revealed this card.
But they were successful in firewall log review. They rolled successfully for a card that reveals a part of attack. Now, if a procedure card would reveal multiple parts of the attack, I will still only reveal one part of the attack at one time, and I get to choose which part that I want to show.
And the reason why is because when you do incident response, you do something. You don’t find everything. You do something and you find a thing, and if you do it some more, you might find another, a, thing. And so that’s why I only reveal one card at a time.
So, firewall log review revealed this. You have four systems inside your organization that are all using BITS for some unknown reason, all to the same location. All right, so I have a three over here, two over here.
Noah Heckman
Hold up. When you say some unknown reason, like, that’s the C2 card. So, do we know that it’s being used for C2?
Jason Blanchard
Yes.
Noah Heckman
Okay.
Jason Blanchard
It’s for the C2.
Noah Heckman
Okay, cool.
Jason Blanchard
So you still have to figure out, does this have anything to do with the HVAC company or at all? What is the initial compromise? How do they escalate to four different systems inside your organization and what do they use for that?
And how are they maintaining persistence?
Corey Ham
I feel like we should run an analysis on one of those compromised endpoints.
Jason Blanchard
Yep.
Noah Heckman
Specifically, I would recommend endpoint security protection analysis on those endpoints.
Troy Wojewoda
Yeah, absolutely.
Jason Blanchard
It’s plus three, so why is that not?
Noah Heckman
Because it’s a plus three and I know this game pretty well.
Jason Blanchard
Okay. So some people here have already noticed that there’s the established procedures and the other procedures. Established procedures means you have taken training on it. You have a run book on it or something like that.
Or you literally wrote down what you would do in this situation. Because I know all organizations have things that they do, and they have things that they write down that they do. I know on my team, like the team that I work on at Black Hills, if I got hit by a bus tomorrow, everything I did would cease to exist because I don’t write down anything that I do, which is bad.
So what we, are trying to encourage is for organizations to write down these things. And I know how hypocritical that sounds for me to say you should write down things.
I don’t write down things that I don’t do security. I do content communities. And you’re like, you should still write it down, Jason, I get it. All right. I understand. Thank you. All right. So established procedures means you get a plus three modifier for everything that you want to do.
So if you roll an eight, then you get plus three. So it’s a 9, 10, 11, which means it’s successful. So writing things down can help you in the incident response process. These other things over here are just stuff that you know how to do.
And so, those are just whatever you roll is what you roll. Now, some of you watching right now, like, well, at our organization, we have an amazing isolation policy, but it’s down here in the other procedures. Well, give it to yourself.
Give yourself that plus three for that other card. If you have an amazing memory analysis policy, then give yourself a plus three for that. And I just have these x’s here to remind myself that I get a plus three for those.
And if you want to play this game, however, it works best inside your environment, you’re like, hey, we have all this stuff written down. Fantastic. You get a plus three for everything. Or if you’re like, we don’t write down anything, Jason. We’re like you then, you don’t get a plus three for anything.
Corey Ham
So isn’t endpoint security protection analysis like analyzing the tool, not analyzing the actual endpoint?
Jason Blanchard
It is analyzing the log data coming off of the endpoints. In this game, that’s what that means. So it’s the actual log data coming off the endpoints, and then the other endpoint analysis is like a forensics look or remote access into an endpoint to then take a look at how things are running.
Corey Ham
I say we log it. Do it. Do it. What Noah said. Plus, he rolled a 16, so he’s lucky he’s got those hot dice.
Jason Blanchard
I’m hearing endpoint security protection analysis. Is that the consensus? Taking a look at the... Who wants to roll the dice besides Noah and Hal?
Kiersten Gross
Overall.
Jason Blanchard
All right, Troy, end with product one.
Noah Heckman
Troy, you didn’t do us proud.
Kiersten Gross
I mean, I can’t help the roll.
Jason Blanchard
Did you roll a one?
Kiersten Gross
I, rolled a one.
Corey Ham
All right, he’s an insider threat. Let’s kick him off the team.
Noah Heckman
Troy, you’re fired.
Kiersten Gross
I am the HVAC.
Corey Ham
He just runs into rooms.
Noah Heckman
Troy, this is. We told you that you can’t learn everything for your job solely off YouTube. You need to take some formal training one of these days.
Jason Blanchard
Okay, so, can you give me a reason, financially, politically, technologically, or personnel wise, why endpoint security protection analysis would be unsuccessful this time?
You, might have to dig deep.
Corey Ham
For it, because he didn’t even show up to work.
Noah Heckman
Our vendors said everything would be fine, but it was not.
Corey Ham
He rolled a one, which means he wasn’t even there when we asked him to do it.
Troy Wojewoda
License expired.
Jason Blanchard
License expired.
Kiersten Gross
The trial license expired.
Noah Heckman
Yes, those trial licenses.
Jason Blanchard
Okay. Anything else? what could possibly be, disabled?
Kiersten Gross
It wasn’t there.
Noah Heckman
Install it on those agents. Because those users had specific use cases that.
Kiersten Gross
No, no, no.
Corey Ham
It’s a Windows XP box. It isn’t compatible. Sensor.
Noah Heckman
There you go. Why is accounting running on an XP box, though?
Corey Ham
Because they have smartbooks 2003.
Noah Heckman
Oh, okay. Makes sense.
Troy Wojewoda
So our developers needed, no security stacks at all on their machine so they could do their job.
Jason Blanchard
Okay. Yeah, so there’s a lot of reasons why it’s possible. So. Okay, so since you rolled a one, Troy, what’s going to happen now is an inject card is going to come in, and this is the expansion deck, which means we have a lot more inject cards.
So I have no idea what’s about to happen. Right now, we added a lot more, like, cringey inject cards. In the original, they’re somewhat good, somewhat bad. The new one, they’re just all bad.
It is getting hot in here. HVAC systems. Oh, my God. The actual HVAC system. The HVAC systems are important, and they will fail at the worst times. This is one of those times.
Your data center HVAC system is infected with a worm. Hmm. Wonder how that. It’s supposed to be air gapped. It’s 103 outside, and the server temperatures are rising.
All servers need to be shut down right now.
Noah Heckman
Point of order.
Kiersten Gross
Configure. We’re done.
Corey Ham
It said it was a worm. And we know we’re dealing with XP on, the accounting system.
Noah Heckman
Also, I would like to propose a different inject card because this completely conflicts with the scenario. It says that the HVAC system is air gapped.
Corey Ham
Wait, no. It says it’s supposed to be air gapped.
Jason Blanchard
It’s supposed to be air gapped.
Noah Heckman
Okay.
Jason Blanchard
It’s supposed to be air gapped. That is correct.
Corey Ham
But it’s not. Also, I think Conficker’s black holed. We should be. Okay, guys. It’s fine.
Troy Wojewoda
You’d be surprised.
Jason Blanchard
Back, surprisingly, is gone down. So if you need to shut the servers down, what’s some things that might, be at, issue now?
Corey Ham
Well, we use go to, help self hosted. So this meeting is going to die when we turn off the servers.
Jason Blanchard
That is the thing. what is your alternative form of communication amongst your team?
Noah Heckman
Everyone makes a free Google, like a free Gmail account. We all join a G meeting.
Jason Blanchard
Does that mean you’re going to switch over to hotspots, so that way you have your own Internet? Or.
Corey Ham
I say we got.
Noah Heckman
I mean, the Internet should still work.
Kiersten Gross
We, don’t have an out of band procedure.
Corey Ham
We don’t have DHCP. Dude, our networks, our entire. All of our drives just dropped off the Wi-Fi because we can just use.
Noah Heckman
Like, a cheap Walmart Netgear router to get us up and going.
Corey Ham
Everyone hotspots engage. I don’t know what that means. I just feel like.
Jason Blanchard
So we have a couple things. Like Dale says, bye bye SIEM and bye bye firewalls. Is that true? Would you.
Noah Heckman
Depends on how we are using our, what kind of SIEM we have. If it’s cloud hosted, we’re fine.
Corey Ham
We cloud host, we can’t be bothered.
Noah Heckman
Yeah, I think that we’re on a cloud.
Corey Ham
It might be a trial, but it’s cloud hosted.
Jason Blanchard
Yeah. So Michael asked the question, is rolling a one the only dice roll that means inject? Yeah. No, if you roll a 20 or a one, or have three failed rolls in a row, meaning like a six, a seven, and a two, then an inject card would come in during that third roll.
So since Troy rolled a one, a natural one, even though it had a lot of plus three to it, it’s still a natural one. So anyone who rolls a critical hit is a one.
So with that, an inject card came into play. So, so far, you have not revealed the initial compromise. I don’t know, maybe those two things are related.
We have the pivot and escalate card revealed, and persistence. And you’re on turn number four right now. So here is a piece of advice. There is one consultant card that nullifies inject cards.
If you call a consultant, it would nullify your inject card, which means your servers would come back up.
Corey Ham
Do we need our servers? Who determines if we need our servers?
Noah Heckman
We pretty much just keep those servers around for the fun of it anyhow, because it looks cool to have the blinking lights and the.
Kiersten Gross
Can the consultant be Mister cool?
Corey Ham
Well, so we should mention that we are the Store Store. And that we’re a conglomerate, which means all of our branch locations have their own, like, retail. Like, retail sales will continue even if our servers are down.
So I think we should just nuke them. Yeah, plus it could help us from getting exfilled, right? I mean, they’re probably exfilling right now, so if we turn everything off.
Noah Heckman
Yeah, we just disabled. We just disabled some of the hosts that they’re using BITS for C2 on.
Corey Ham
Exactly.
Jason Blanchard
What I’m hoping is the people who are watching at their organization are thinking right now, what would it be like if they had to shut off the servers? What capabilities would they lose if they had to?
Kiersten Gross
Do you have a backup center? Do you have a high availability?
Noah Heckman
We can put them in my garage. We could just move the data center to my garage. It’ll be fine.
Kiersten Gross
So, I mean, that’s what I would. I mean, seriously, though, that’s what I would. I’d be looking. Is there a backup center? Is there a high availability, kind of a separate physical center?
Troy Wojewoda
What’s your continuity of operations?
Jason Blanchard
Yeah, yeah. And, Troy, we were recently doing a tabletop with an organization, and this card, this thing happened, and so they had to figure out what their alternative communications plan was, because all their communications were tied into their server.
So they had a side signal channel that they would use for that. And so they already had it ready to go. Just in case their main, line of communications were killed.
Corey Ham
I think in this case we should turn them off. Just because of our business isn’t dependent on our central corporate servers. We really just use it for business intel, and it doesn’t directly make us money, so.
Jason Blanchard
All right, so it looks like we’re killing the servers. do you want to keep moving along with this incident or do you want to focus on something else?
Troy Wojewoda
So, I have a question about the. So the crisis management card talks about legal team and stuff.
Jason Blanchard
Sure.
Troy Wojewoda
But is that something we can invoke to, like, initiate the DR or the high availability site if we want to do that? I mean, I know we’re talking about we could just survive without our corporate data center, so to speak, but we need to pick a card or something.
So is that something that we might be able to play?
Jason Blanchard
And, Hal, what I really appreciate is whenever I play with a team, I always ask them, at what point does an incident become a crisis? At, what point?
Where’s the threshold? What’s the. Like. Oh, my God, like, at this point, how does it go from an incident to a crisis? Would you all say that this has become a crisis or this still part of an incident?
Corey Ham
I don’t think it’s a crisis. We have one data center that has a failed HVAC unit. The guys on the way. Plus the HVAC company owes us a favor since they got hacked, so they better be quick. And we have only four systems compromised.
Noah Heckman
So it’s a crisis.
Corey Ham
Yeah, four system compromises. That happens to accounting every other week.
Noah Heckman
Deb is recommending in the chat, by the way, that we buy some new servers from the server store and set them up.
Corey Ham
We can’t buy our own service because our systems are down. Wait, that’s.
Jason Blanchard
Sure.
Kiersten Gross
So, yeah, I say we continue. It’s crisis mode in my opinion. and it’s really about impact.
Jason Blanchard
Right?
Kiersten Gross
So how many. What’s the business impact? If the business impact is we can’t buy anything. So if we can’t buy anything, then we’re pretty much impacted. Right?
Troy Wojewoda
So then we talk about payroll. You can’t pay your employees. You can’t do any purchases on that. you can’t operate as a business. Sure, we can still buy stuff the.
Jason Blanchard
Store Store can’t sell store.
Corey Ham
Yeah, but it’s just an HVAC outage. What are we going to do, tell our clients, hey, we had an HVAC outage? Like, I mean, that’s such a minor thing. Plus, they’ll fix it. Like this happens. Remember what happened last week at the toys store?
Noah Heckman
The door open or something?
Corey Ham
Yeah, it’s just, it’s just HVAC outage. They’ll come and fix the condenser or whatever and it’ll be, 8 hours.
Noah Heckman
Specifically say he was infected with a worm. But, this is what I’ve.
Jason Blanchard
Learned over, what I’ve learned over doing this with so many different organizations is that this thing happens. The conversation is it, this is it. This, you need someone to say either it is or it is.
So there’s someone on the team who authorizes it has now become a crisis. And if you don’t know who that person is, that’s something to define ahead of time. All right, so what would you like to do next?
Corey Ham
I say we focus on the endpoint still.
Noah Heckman
This is me do the other endpoint analysis.
Corey Ham
That’s, that’s my opinion.
Noah Heckman
Let’s get on there, run some netstat.
Corey Ham
The HVAC remediation is kind of like, we don’t know what that, like. Yeah, I don’t know. In the subtext of the game, can you like fix an inject card or is it just there?
Jason Blanchard
There is a, call a consultant. So, like, if you needed to call somebody to fix the, the HVAC, possible, we, have one consultant that nullifies any inject card.
And so that’s a way of just like bypassing, like moving on to something else. So if you wanted to just potentially hire that person by rolling eleven through 20 and nullifying that inject card, you could.
Or you could just say, what, that’s someone else’s problem. Let’s continue with the incident.
Noah Heckman
I would just keep going.
Corey Ham
Personally, I say continue, but that’s just me. I want to know why we have four compromised systems. The HVAC systems are, we already know they’re kind of screwed anyway.
Kaitlyn Wimberley
So, like, in the context of the game, does this actually have an effect on anything that, like we can choose to do, or like, do we still have the same capabilities regardless?
Jason Blanchard
It’s one of the questions that I would ask in actual organizations. Like, if the server went down, would this cause you to lose any of your security?
Noah Heckman
If you’re self hosting the SIEM, then like, all of a sudden your SIEM is deactivated.
Jason Blanchard
Yeah.
Corey Ham
In the context of this game, we decided it was cloud. Right?
Jason Blanchard
Right.
Corey Ham
Yeah. We’re just a conglomerate. We have limited servers, like, we have no payroll. We can’t like, we have no invoicing and purchasing, but we still have our SIEM, we still have our stores. Like, our retail locations have separate infrastructure.
So we won’t get any reports about the year end sales or whatever, but we’ll still be churning out that money. Well, if that’s the case, if we, if we know what four hosts are affected, should.
I would say we should look at the SIEM logs.
Kaitlyn Wimberley
But can we still do server analysis if all of our servers are shut.
Troy Wojewoda
Down or far retention policies on?
Kiersten Gross
Yeah, you can get to your SIEM, but your servers all stop sending logs because the data center is down.
Noah Heckman
Well, and the server analysis card, if I remember right, is effectively like the endpoint analysis. It’s just like, running, like, on site forensics with, on the servers.
Jason Blanchard
Yeah, it’s any server, anything that you would call a server inside your organization. The reason why we called it server analysis because we didn’t know what kind of servers you had. And so we were, just went very generic with it.
This is our last turn to actually show the process of the game, and then we’re going to talk about how it all wraps up. So, so far, you revealed one card, lots of discussion, lots of knowledge sharing, and lots of, like, possible, like, hypothetical.
Speaking of, what is this? What? What’s this? So this is typically how a game goes. A game takes about 30 minutes to an hour, depending on how much conversation takes place among the team and how well your own security.
So if you’re like, well, this is why. This is why. This is why I move on. This is why this, why this, why move on? All, right, so last turn.
Corey Ham
It sounds like SIEM or endpoint. I’m cool with either SIEM or endpoint. I mean, we know we have compromised endpoints. I’m cool with, like, looking at the logs in the SIEM for those endpoints or just.
Just doing actual deep dives.
Jason Blanchard
All right, let’s let the audience decide. In discord or on Zoom? Go ahead, type in. Do you think we should go SIEM or endpoint?
Noah Heckman
Just like a real scenario? Just reach out to the online community, say, hey, what do you recommend? Post it on Reddit.
Corey Ham
So many SIEMs.
Noah Heckman
Yeah, I think SIEM is winning.
Corey Ham
Well, we should give the end. It’s a longer word. It’s four letters versus, like, eight letters.
Noah Heckman
Oh, here’s some more endpoints.
Corey Ham
We got SIEM.
Noah Heckman
We had to type longer letters just.
Corey Ham
Because someone just typed Ep. I think they’re releasing an album soon.
Jason Blanchard
All right, so it looked like if I was going to just SIEM. All right, so we’re going to roll the SIEM. Who wanted to use the SIEM first? Who said that? I think it was Kaitlyn.
Jerry, roll the dice.
Kaitlyn Wimberley
No, but I will roll it.
Jason Blanchard
All right, Kaitlyn, go ahead and roll the dice for us.
Kaitlyn Wimberley
19. This is why I don’t trust the computer dice.
Jason Blanchard
All right, so with your SIEM log analysis, you find indication an internal password spray took place. An internal password spray took place, all originating from.
Noah Heckman
But we follow PCI guidelines. Our passwords are minute like. They require a minimum of eight characters. It’s fantastic.
Jason Blanchard
Mhm. How could they spray that?
Corey Ham
The HVAC systems are just.
Jason Blanchard
All right, so if I take the, three over here and then put the two over here and the one over here, what would happen now is your network threat hunting card would be available again, so you could do network threat hunting if you wanted to.
Well, what’s happening right now is that we’re going to wrap up the game. So, that way we can do some q and A and also, let people know what happens when the game is over. So if you were either successful with revealing all the cards, or we get all the way to the 10th card and you haven’t revealed it yet, then I would then reveal the, final cards.
And so here’s what happened. It was a trusted relationship attack where the attackers used a service level account through the HVAC into your organization. From that, they were able to do an internal password spray where they compromised four other systems, and that is where they use BITS to exfiltrate data and they use the malicious driver as a form of persistence.
Now, here’s the part that I need your help. Is this a plausible attack? That’s the question you always ask when it’s over. Is this a plausible attack in our environment, the answer could be yes, no, or maybe.
Corey shook his head no. Why not going to go with kind.
Corey Ham
Of not because the trust relationship. I mean, it depends on what the trust relationship is. Like, Troy said, it could be, oh, you just have emailing, stuff. Or it could be, like you said, a service account.
If they had a service account, it doesn’t really make sense for them to be spraying also since they already had credentials. But I mean, other than that, it depends on the context of how you define trusted relationship.
But yeah, well, I would, I would.
Noah Heckman
I would pose this one, Corey, because working with some OT stuff over time, it is not terribly uncommon for these providers to install some sort of back calling, like OpenSSL backwards VPN in your network, and they usually require it if you want their support.
So it’s not uncommon that in that kind of environment, you would have a complete tunnel, going back to them.
Corey Ham
Right? Yeah. If that’s the case, and they just have a compromised tunnel, basically a point of presence in your network, then it would make sense that they would spray. So. Sure.
Jason Blanchard
So Dmitry asks, so was the story about the HVAC breach notification just made up by Jason based on the initial compromise card? Yes. I can either make up the story or scenario based on the initial compromise, or I could make it up on the pivot and escalate.
Most likely it’s one of those two cards where I make up the scenario. Like, you see something similar, or you see this or something like that. Generally I use it based on the initial compromise card.
Now, once you get good at playing this game, a lot of times I’ll give a scenario that has nothing to do with the cards at all. And the reason why is because sometimes you find an incident by looking for an incident.
And so I just give you a, hey, this is a thing. There was, like, a phish, and then all of a sudden, you find out it was like an external exploitable service. You’re like, whoa, that’s been, like, compromised for six months. That had nothing to do with the phish.
But it’s because we went digging that we found something. All right, what other, So it was yes, no, or maybe, is this plausible?
And then you could also do each card. Is the trusted relationship a yes, no, or maybe, let’s do that. Is a trusted relationship a yes, no, or maybe. Is that a possible attack vector in our organization?
Kiersten Gross
Yes.
Corey Ham
Oh, the Store Store has many partners. We have to partner with a lot of different companies to get all of our products.
Jason Blanchard
And if the answer is yes, then you understand the risk that you have, and either you mitigate it or you say, this is the risk that we have in order to do business. Is an, internal password spray possible?
Yes, or maybe?
Kiersten Gross
Yeah, yeah, I think so. I think that the attacker having that, like, trusted tunnel through the HVAC system and doing all that password spraying caused the HVAC actually to overload and shut down.
It wasn’t intentional by the attacker to shut down.
Noah Heckman
It couldn’t handle that much.
Kiersten Gross
It couldn’t handle all that processing. And so by the attacker leveraging that. That conduit, if you will, basically, killed the HVAC system.
Corey Ham
So definitely they locked their own service account, and it caused the HVAC to turn off due to password spraying.
Kiersten Gross
No, the HVAC just couldn’t process all that processing power.
Troy Wojewoda
What about ran, out of disk space?
Corey Ham
They were logging the attack, and it ran out of disk space.
Jason Blanchard
What about using BITS as a form of exfiltration or command and control in the organization?
Troy Wojewoda
Absolutely.
Jason Blanchard
Yeah.
Corey Ham
That’s pretty underground, but sure, yeah.
Jason Blanchard
And what you’re really looking for when you ask these questions is the work. Maybe, like, if anyone on the team says maybe, well, then that is an opportunity to either find out if it’s a yes or no.
Maybe is like, the worst word you could use during the tabletop exercise. Like, well, maybe like, maybe. Oh, God, maybe like, we should know either yes or no.
Okay. malicious driver, would that be possible in some of the systems inside the organization?
Noah Heckman
So this is the card that I dislike the least out of this whole chain simply just because it doesn’t match the rest of the profile. I mean, our attackers go through a trusted tunnel, they do a password spray, then they reuse BITS.
I mean, none of those are extremely technical. And then you go to malicious driver all of a sudden, which is, like, incredibly hard to do.
but most organizations are susceptible to it. It just doesn’t match the profile of the attacker.
Jason Blanchard
All right, everybody, thank you so much for watching. I know you’re probably going to have lots of questions, so go ahead and ask those questions. Now, we’ll most likely go into some post show banter here in the next few minutes, but we really appreciate you taking the time to watch us play Backdoors and Breaches today.
And hopefully, what you saw was the knowledge transfer happening while playing. Sometimes you don’t know the stuff until you have an opportunity to talk about the things. And sometimes the people on your team don’t know the things they don’t know until they hear you talk about the things you do know.
And I know that’s a lot for you to try to process, but thanks to Noah, Corey, Kaitlyn, Kiersten, Hal and Troy today. Thanks for playing the game, for being just willing to go in this.
I didn’t tell them what this scenario was going to be. They completely went into this blind, and so thanks for that.