Shopping Cart

No products in the cart.

How to Use Backdoors & Breaches for Tabletops

How to Use Backdoors & Breaches to do Tabletop Exercises and Learn Cybersecurity

This webcast was originally published on March 31, 2022.

In this video, members of the Black Hills Information Security team discuss how to play the game Backdoors & Breaches, which they created in 2019. They delve into the specifics of the game’s creation, its reception at Derbycon 2019, and the subsequent demand that led to its sale on Amazon. The video also serves as a tutorial, teaching viewers how to play the game effectively using both physical cards and the online version.

  • The webinar effectively demonstrated the ‘Backdoors and Breaches’ game, a cybersecurity training tool simulating real-world attack scenarios.
  • Participants learned about various cybersecurity threats and responses, enhancing their understanding through interactive gameplay.
  • The game emphasizes team collaboration and problem-solving, reflecting the dynamic and complex nature of real-world cybersecurity incident response.

Highlights

Full Video

Transcript

Jason Blanchard

All right. Hello, everybody. It is 01:00 eastern time. today we are Black Hills information security. And normally I, like, lead into the person who’s going to be speaking, but the person speaking today is me.

So I have leading into myself today, we have some of the members of our SoC team, the Pentest and incident response team, and we’re going to teach you how to play backdoors and breaches. So it’s a game that we created in 2019.

The very first time anyone ever saw it or got it was at Derbycon 2019. Last Derbycon. Rest in peace. And so we gave the game away. And that morning when we showed up to give the game away, there was a line from one side of the hotel to the other.

And we gave out about 800 decks within like an hour and 45 minutes, just constantly handing out the decks. And at that point we’re like, wait a second. This might be something that’s interesting. We were able to reprint it, as quickly as possible, and then we made it available on Amazon.

And the only reason we made it available on Amazon is because a lot of people asked for it and we had to figure out a way to get it to them. And so we made it available on Amazon. We sold out four, 4000 decks in 24 hours.

And I was like, wait a second. This might be like a thing that people want to use. So what we’re going to do today is we’ve learned that over the last year and a half, two years, is that a lot of people bought it, but you didn’t know what to do with it.

Like, you opened up the deck, you saw this website that I currently have available. You see the cards and you’re like, I don’t know what to do with this. And so today we’re going to show you how to play backdoors and breaches.

We already know that a lot of people do play it. Deb and I have been giving demos for the last year and a half to people who are request it. And so what happened is we’re like, we’re like, wait, how about we just do a webcast where we just teach everyone all at once?

My cat’s going to get down. There we go. So we have a couple people here today. We got Corey, noah, Kaitlyn, kirsten, troy, and Hal. They’re going to play the game. But before we do that, I’m going to show you what the game is, why we created it, and what the cards are.

And then we’re going to play the game and learn to play the game while playing the game. Everybody ready to go? All right, so Corey’s never seen this before. This is Corey’s first time Kaitlyn’s played before.

Kirsten, I think you’ve seen it before. No. Of you’ve led a few rounds. Hal, have you seen this game before? Cool. Ran it, and then Troy, you’ve seen it before because I’ve done some demos for our SoC customers.

So there are like, corey’s here for the first time. Like he’s learning about it, just like you’re learning about it. So let’s go ahead and get started. So we have this free website called Play Dot backdoorsandbreaches.com, and it was created by a person named Richard Fong.

Richard Fong reached out to us at some point after we’d given the physical card games away, and he said, is there a way to play on Zoom or is there a way to play online? And we said, no, there isn’t.

We don’t know how to do that. He’s like, well, I do. Can I make an online version? We’re, like, hmm, if how. Sure. So about two weeks later, he came back with this thing.

We’re like, holy cow, this is fantastic. And it essentially became like the first open source version of the game. And so this is free. Go to play dot backdoorsandbreaches.com.

you can use this anytime you want. You can bring up multiple instances. It’s yours, you can use it. It is open source. You do not need to buy the physical copies of the game. The reason why we sell physical copies of the game is some m of you want to actually have physical copies.

And the reason why we charge money for them is because it costs us money. But any profits that we make from that we use to give away decks to educators. So we’ve given away about six or 7000 decks over the last couple of years.

And if you are interested in that, you can always reach out to us and request decks for your classroom. Now, I need to make sure I always enunciate that word just in case.

So the very first card that we have here in the game is the red card, and the red card is the initial compromise card. So everyone’s going to watch what I’m doing here. You’re going to learn about the cards, why we created in the way we did, and what we’re going to use them for.

So the initial compromise card is how the attackers initially get into your organization the very first step of the attack. And so this card right here is the insider threat. So that’s the overall concept of how this attack went down.

We have a brief explanation. An internal disgruntled user exfiltrates information from your network. We have what can detect it. User and entity behavior analytics. Cyber deception. DLP. Ha ha.

kidding. DLP never works. The other co creator of, backdoors and breaches is John Strand. And the tester is a Black Hills. And so there’s some John strand isms in the card.

Another thing here is working with HR. Like, if you just reach out to HR and like, this makes sense, and the person’s like, no, that person’s very disgruntled. All right. The tools to cause this type of attack is being considered a full time expenditure.

Some of you right now are watching like, mm mhm hmm. Yeah, I get that. Huh? Long hours and addiction. So those are types of things that lead to that. Now, here in America, we have the american addiction centers, and so you can go there for help.

Now, if I hit refresh, I get a brand new attack card. Now, it’s web server compromise. That’s the initial compromise. It’s a web server compromise. The attackers take over an external web server, they it to pivot to your internal network.

Once again, it’s a small description explanation of the attack. So that way Kirsten and Hal and Troy and Noah are all talking about the same thing.

So everyone has the same common vernacular. Detections are server analysis, symbol analysis, network threat hunting. Now, the detections correspond to these cards right here.

So the detections correspond to the procedures. And we’ll talk about that in a little bit. But here’s how the detections are created. What happened was we created the game.

We had it on a spreadsheet. We made the cards. And then I brought in a bunch of subject matter experts like Kirsten and Kaitlyn and Troy and Hal and Noah and Corey. And I said, all right, so what would detect a Web server compromise?

And Troy would say something like, well, server analysis and log analysis. Network threat hunting. Like, cool. Kirsten would say, like, server analysis and log analysis. Network threat hunting. But then maybe Hal would say, well, in this organization, we have this tool and it does it this way.

And I could get that result, all right? And then Corey would say, well, I know that in this organization, with this tool and this capability and these procedures, we could get this, okay?

And then Kaitlyn was like, well, what about this? Mhm. And so eventually, after like 45 minutes of this, for every single card, I would say something like, what would always detect it in every organization like, oh, server analysis, same log analysis and network threats like, okay, that.

That’s what goes on the card. And then we moved on to the next guard, and 45 minutes later, we would say, now what always detects it in every organization. So this is the baseline of what detects. Kitty.

No, kitty. No, no, Kitty. I’m on a webcast.

Corey Ham

This is an inject.

Jason Blanchard

He got his claws stuck in my pants.

Corey Ham

Inject. Cat attack.

Jason Blanchard

Yeah, cat attack. Inject. All right, so the tools to do this is that attack proxy, SQL map, and burp proxy. And the tools down here are here. And, if we do have a blog that goes along with it, then we have a blog that goes along with it.

And so we have a lot of blogs at Black Hills. And if there’s something that we could use to teach you about the attack, we do. So now I’m going to hit that refresh button one more time. Kitty, no.

All right, and this one’s a fish. So the attacker sent a malicious email targeting users. What can detect this in log analysis, server analysis, endpoint security protection analysis, and the tools to do so is motaliska, evogenex, and go fish.

And so they are right down here if you want to learn more about it. Now, here’s what I like about this game. These are the tools that we use at Black hills to do the types of things that we do when we’re pen testing. Now, sometimes I get a chance to play with cyberpatriot teams or college teams and stuff.

And when I say that these are the tools that we use, you’ll see, like, high schoolers light up, or like, wait, what? Like, I can use this? And you’re like, yeah, if you want to. They’re like, yay. And the teacher’s like, no.

but yes, these are the tools. And the kitty’s like, now he’s upset. He’s in the background. You wouldn’t let me sit in your lap. Okay, so once you have the initial compromise, that’s done.

Now the attackers have to pivot and escalate. And this is my favorite card in the whole deck broadcast. Multicast protocol poisoning. So now the attackers are pivoting through the your network and escalating privileges.

And the reason why. This is my favorite card. Raise your hand. I’m, talking to you. You all here, raise your hand if how to do this attack.

Noah. Hal. Corey. Troy. All right, Kirsten and Kaitlyn, you did not raise your hands. And that’s okay. That’s exactly what I’m looking for Corey.

Can you explain this relatively quickly?

Corey Ham

Basically this is a windows default that is hard to make it truly go away because things break and it’s executable or exploitable with one tool on the network or it’s super easy.

It’s basically a way to capture credentials or relay credentials, throughout the environment. So it’s basically the gift, that keeps on giving.

Jason Blanchard

And the reason why I asked people whenever I play this game, I always say, we got broadcast multicast protocol poisoning. Raise your hand if how this works, is that a lot of times only one person raises their hand per team.

And some of you right now, you’re at home, you’re looking at this and you’re like, I don’t know what that is. And Corey just explained it. You would almost have no reason to talk about a broadcast multicast protocol poisoning attack unless you had a reason to talk about a broadcast multicast protocol poison attack.

And that’s what this game is about, giving you a reason to talk about the attacks, talk about the procedures, and talk about these things prior to them actually happening in your environment. Now, the tool, wow, kitty.

The tool to do this type of attack is responder. And so I’m going to ask the question to my Soc team, what does it look like when responders run in somebody’s environment?

Noah Heckman

All right, I was quiet. I gave him a chance. what you’re going to see when responders ran is basically connections that would normally be going to one server.

Now, all of a sudden they’re being redirected to a different server, but you’re seeing multiple of those connections being redirected to another server. so anytime you go and ask for an SMB share, it goes to that server.

Anytime you ask for an FTP share, it goes to that share server. Ask for HTTP authentication, goes to that server. it’ll relay it through, but yeah, that’s what it’ll look like.

Jason Blanchard

And the reason why I asked is because do what these tools look like if they’re run in your environment? Like what alerts do you get? What does it look like? How would if this was actually run?

And so I asked every organization I play with, what does it look like with responders running your environment? And a lot of times what I get is people who don’t, no. And this is an opportunity to do threat emulation, threat SIEMulation, to do these types of attacks and see if it works.

Now, if an organization is like, well, Jason, is it okay or is it safe? To run responder in my environment, the answer is, I have no idea. So, that is up to you and your organization. Okay, so once the attacker has started pivoting and escalating, well, now they need, some way of communicating with all the things that are inside your network and get information out of your network.

So this is DNS as C2. So DNS is, the attackers use DNS as C2 because it’s always DNS. The way to detect this is network threat hunting. Fiber log review. The tools to do this is DNS cat.

And if you want to learn about this, we have a blog series on how we bypass Cylance. It was a five part series because I think at some point Cylance said we can’t be bypassed. We’re like, wait a second.

And so we have a five part series on how to do that. So if you want to go ahead and check that out, you can there. I don’t know if those things still work, but they did at the time. All right. And lastly, we have the persistence mechanism.

So how the attacker maintained persistence, or where they left persistence throughout your environment so that they could get back doors or whatever it is. And this one here is evil firmware. The attackers update the firmware of a network of network cards, video cards and bios, or UEFI, with evil.

All these are very difficult to detect and very difficult to update. So we have what detects it here, the tools to do so here, and then some more information here if you want to learn more about that.

Okay, so what we just did, essentially we created the cyber kill chain. Thank you, Lockheed martin. We have the initial compromise, how to pivot and escalate the C2 and excel.

And the persistence, it’s the whole part of the kill chain. Now what’s going to happen is we’re actually going to play the game. And the way that the game works is my team here will have ten turns. And, Troy, the way that you have here, is still throwing me off.

Like how? You have to think tight. No, that’s fine, it’s fine. So what we’re going to do is we’re going to play through the game. The defenders slash incident responders will have ten turns to try to solve my four cards.

And what that looks like is I’m going to hit refresh, so we get a brand new scenario. And if I look down here, I get to see, I get to see the solution, that it’s an insider threat that leads to an internal password spray where they’re using HTTP as xl and using malicious service as they’re forming persistence, I get to see that, and then I hide it.

Well, essentially, I would take a screenshot of it, put it at somewhere else on my monitor, and then I would give a scenario based on the cards. And then the team here is going to use these procedure cards to try to solve my four cards within ten turns.

Now, the way they solve the cards is by choosing the right procedure for that attack and then rolling well. So rolling unwell is one through ten.

Rolling well is eleven through 20, or rolling unsuccessfully is one through ten. Rolling successfully is eleven through 20. So, for those of you that are at home and want to play along, but for Kaitlyn, kirsten, Hal, Noah, Corey, and Troy, if you, please go ahead and bring up, like, another tab, on Google.

So go ahead and bring that up. Unless you have a physical D20 dice in front of you, you can roll that as well. I just want to make sure the reason why I like having cameras on when we play this game is because I’ll know if Corey actually rolled badly, because Cory would be, like, 17.

I was like, I don’t think so. Now with that facial expression, it’s no way. So I like having cameras on. You don’t have to, but I definitely like having cameras on. Now, I already have a situation prepared ahead of time.

Now, we’re using the expansion deck today because, most of the people who are playing with me today have played before, and we do have both versions. I recommend using the original version when you’re first getting started, the core version here.

And then I recommend using the expansion deck once you’ve gotten used to that. And the reason why is because there’s additional cards. There’s also things like consultants. There’s more inject cards, and there’s more attack cards.

And so I am ready and prepared. So, today the team is going to be using crisis management, endpoint security protection analysis, cyber deception, physical security review, SIEM log analysis, endpoint analysis, isolation, call the consultant, network, threat hunting, firewall log review, user and entity behavior analytics, memory analysis, and server analysis.

If at this time, you’re still confused about how this game works, that’s okay, because we’re going to learn to play it by playing it. Okay, team, any questions?

Any questions? Yes. Okay.

Kaitlyn Wimberley

Charlotte O asked, where do the consultant cards come into play?

Jason Blanchard

So, the consultant cards come into play anytime you want to use them. So this, you all, at the very beginning of this, could choose to call a consultant at the beginning of this, of the scenario, and then the consultant cards come up and then you can choose which consultant you want based on the modifier that they give you.

So Eric Conrad here gives you a plus three modifier for all procedure cards that mentioned deep blue CLI for the rest of the session. But if I go over here, Tim Medine would reveal the pivot and escalate card.

Or we have, Marcus Carey would give you a plus two modifier on all dice rolls for the rest of the session. So from the very beginning, you can choose to call a consultant that would help you with the modifier.

Any other questions? No? All right, so I’m going to give you your scenario. You will then have ten turns to try to solve my four cards. You’re going to use the procedures or anything at all?

Like, you could come up with anything that you want to do. Most likely the thing that you want to do falls into one of these categories of procedures. So here. Ready? Here is your scenario.

It is Thursday afternoon. On Monday afternoon. So last Monday. So a couple days ago, the, maintenance person of your building. So we’re going to just assume we’re a mid sized company of about 200 employees.

We have two or three different locations, buildings, offices, places that people can come. Some people work from home, but a lot of people have started coming back to the office on Monday, the maintenance.

The person in charge of the maintenance for the whole building got an email from our HVAC provider. The HVAC provider said, we got an. So the HVAC provider sent an email that says, we were compromised in a cyber attack about three months ago.

So they were compromised in the cyber attack about three months ago. Through an extensive incident response process and mediation and things like that, we determined the cause of the attack and we don’t believe it affected you in any way.

but due to our own policies and due diligence, we are sending you an email letting that we were compromised, but we don’t believe it spread to any of our customers. Thank you for your patronage, essentially.

Thanks for being a customer. and that’s it. So the email went to the. The, maintenance manager of the building. The maintenance manager got it on Monday, looked at it, didn’t think much about it, and then now it’s Thursday.

Like, yeah. The security team, has now forwarded it to you all, the security team, the instant response team. And if that was. If this was your scenario, what would you do first?

Troy Wojewoda

Do you have a point of contact?

Jason Blanchard

Do you have a point of contact.

Troy Wojewoda

For the HVAC company?

Jason Blanchard

Talk to them directly you could. Yeah, there’s a phone number and contact at the bottom of the email that was sent.

Corey Ham

Our HVAC isn’t connected to our corporate network, is it guys?

Noah Heckman

Oh, there was that temporary firewall rule, but I think we got rid of that one.

Corey Ham

Oh, okay. oh.

Noah Heckman

I said I think we got rid of it.

Jason Blanchard

So if this was your scenario, what would you do first? Hal has already mentioned the point of contact. there’s a little bit of like not sure if it’s, I mean if.

Noah Heckman

We’Re not sure about the firewall it would make sense to maybe do a firewall log review. Just throwing that out there now what’s.

Jason Blanchard

Happening is there’s some of you at home who do incident response and you do this for a living and you’re already starting to think of possible scenarios or possible like routes to go down. Now here’s the one thing you don’t want to do.

You don’t want to go like, oh, I would do this, then this, then this, then this, then this, then this, then this. Like I’m sure a lot of you are like, oh, I know exactly what I would do. The way this works is that they will throw out what they want to do and then they will have a discussion about it and then they will come to a consensus for step number one.

Once they figure out what they want to do first, then they’ll let me know as at that point they’ll roll the dice to see if it works or not. If it does work then we’ll talk about that. If it doesn’t work then we’ll talk about that.

Kiersten Gross

So I have a question so on hows response. So would you say your contact, the point of contact that the company has with the HVAC company?

Jason Blanchard

Sure.

Kiersten Gross

Is that what youre right.

Troy Wojewoda

I would open up a communications with that company that suffered the breach and see if they could share their instant report or some iocs related to that. and then that would kind of give us a baseline on how we could scope our environment.

Jason Blanchard

Okay.

Corey Ham

I feel like we should just assume it’s compromised.

Kiersten Gross

I was going to say backdoors and.

Noah Heckman

Breaches conversation about it. I’m just saying.

Kiersten Gross

Sure. I was going to say I like Hal’s response. I was going to say I thought where you’re going with this is what I probably would have done. would do is contact. Like you said, the point of contact that our company has with the HVAC company and confirm that the actual email is a valid email.

Corey Ham

Mark.

Jason Blanchard

Oh, you think it might be a fish?

Kiersten Gross

It, could be a fish. it could be. It could be something along those lines, right? It could be somebody overreacted, and they had a buddy within the company that said, hey, I heard a rumor, and Jane was talking two cubes over, and we believe we were hacked.

And then they sent an email.

Jason Blanchard

Right.

Kiersten Gross

So, I would just try to get, to house point, open up line of communications with, the valid points of contact at that company, and then confirm, that message.

The information that’s being sent is valid.

Jason Blanchard

Is that a consensus among you all, to reach out to the point of contact and get some more?

Corey Ham

I’m cool with that. I’d probably just google it, right? Because it’s probably public at this point, too.

Jason Blanchard

Okay, so what’s going to happen right now is the thing that you’re doing doesn’t require any dice rolling. You’re seeking clarity. there’s two types of questions. You can ask them backdoors and breaches is seeking clarity about the situation and then other things where you would actually have to do some analysis.

And this is not analysis. This is seeking clarity. So to seek clarity, this is a real email from the real HVAC provider. And, they have a report, but they can’t get it to you, until maybe, like, next week.

They have to clear it through their legal department before they can show it to you. So you’re in the dark right now for any of the IOCs. Cool.

Corey Ham

I say we do the firewall log review like Noah said. I mean, it is like asset discovery. Like, seeing what HVAC assets we even have would be like. But firewall analysis could be a way to do that, right?

Kiersten Gross

Yeah, I would say the same thing. A little bit kind of related to that would be to do a, To do a look back on, any emails coming to and from that company within the last.

I would say I would go a little bit beyond three months. So three months is the value they gave us. I would do, like, three months in a week or four months to be safe.

Troy Wojewoda

So I have a little bit of a different opinion. since we know this is our HVAC, and, we’re just going to probably assume that this has some type of network communication, I would probably do, like, a review of, network traffic based on our Zeek data, see if we can baseline something that’s out of the ordinary.

Corey Ham

Do, we have log data from our HVAC stuff going into Zeek?

Jason Blanchard

That’s a good question.

Noah Heckman

That’s up to the dice roll.

Troy Wojewoda

Does it have Internet connection? So if it has an Internet connection, then if the sensor is put out correctly, it should have visibility.

Noah Heckman

as far as things that we actually know how to do and are actually good at, network threat hunting or firewall log review are both, not ideal for that, but I think we have to start on the network side of things one way or another.

Corey Ham

I’m going with either, if I understand the discussion so far. Hal’s saying that the HVAC itself is being attacked, but I think Troy was talking about maybe they had attacked us some other way through some other means of phishing or somehow some different avenues.

So I’m not. I’m not sure exactly they’re talking about the same.

Kiersten Gross

So just to clarify, that firewall review was already kind of put out there. I was lumping in. I was assuming, and the assumptions are probably not, something that you want to be too, careless about, but I was assuming, to me, firewall review met, kind of looking at what policies we have from our infrastructure to their infrastructure already in place.

and to look at either, both allowed and denied traffic, leaving our infrastructure going to their infrastructure and vice versa. I, thought that’s what was included in firewall review.

So, then, what I was getting to Kirsten’s, question was, assuming that this company was compromised of some threat activity was happening within that company.

We were doing. We’re business partners with that company. A lot of business partner communications happens over email. and so to look, to see if any suspicious emails were coming from that environment in the span of that three month window.

Jason Blanchard

Sue, I need a consensus. Kaitlyn, let me know what you all want to do.

Kaitlyn Wimberley

So I think that, if we find out if the HVAC system can communicate with the rest of our network or not, then that kind of tells us the direction that we need to go.

Right. Because if it doesn’t have any sort of connection into the rest of the company, then that’s probably not an issue. Right. And we might want to explore, like, other ways that this compromise could have affected us.

Corey Ham

I agree.

Noah Heckman

Valid point.

Corey Ham

Plus, assuming the company was compromised and they just, instead of pivoting in through the assets the company has in our network, they just sent us fishes from the company or sent us other things from the company, it’s probably, like, would be detected by our other controls, theoretically, right?

I mean, we have. Hopefully we have, like, some kind of email filtering that would have caught that kind of stuff but, yeah.

Kiersten Gross

and that’s kind of where I was going to is because a lot of times when you have established business partnerships, sometimes email gateway solutions are a little bit more lenient towards business partners.

So, like, they have to have certain spam rules and av and certain things tweaked because, email has gotten stopped over the. Over years, and people have called up and says, allow this email because you keep quarantine my email.

Jason Blanchard

So.

Noah Heckman

So we stop shipping a straight executable. We wouldn’t go through just fine.

Corey Ham

That’s how they update the HVACs.

Noah Heckman

Yeah.

Kiersten Gross

Depending on the scenario, I could see where business partner relationships have a little bit more. Less leniency when it comes or, more leniency when it comes to security. posture.

Jason Blanchard

So, for everyone watching right now, we haven’t even rolled once. But look at all the discussion that has taken place. There’s so many different theories. Different, like, reasons, to.

Kiersten Gross

It’s a good thing there’s, like, five of six of us, because then I would say, oh, I’ll do this, you do that, and we can all do at the same time.

Noah Heckman

Right?

Jason Blanchard

Sure. All right, so I need either. Are we doing firewall log review or.

Noah Heckman

Well, I think there’s a. The latest one has been, that we need clarification as to whether or not the HVAC system has network connectivity.

Jason Blanchard

Yes.

Noah Heckman

Yes, it does.

Jason Blanchard

It does.

Kiersten Gross

That was via the firewall review, right?

Jason Blanchard

No, you haven’t done any review.

Noah Heckman

We just needed to know. It doesn’t make any sense. Like Kayla said, it doesn’t make any sense to do a firewall log review if the HVAC system is not actually networked. Yes, because it wouldn’t be compromised.

Jason Blanchard

The HVAC is networked. you have a special system set up just for the HVAC to be, taken care of.

Corey Ham

I’m cool with the threat hunting. I feel like the firewall log review, we were doing that more for asset discovery. I don’t know. That’s my opinion.

Noah Heckman

But you can do asset discovery, too.

Corey Ham

Yeah. Means both networks, so threat hunting sounds fancier. Loggerhouse. Kind of boring.

Jason Blanchard

All, Right, so network threat hunting. Who was the first one to say network threat hunting?

Noah Heckman

That would have been Hal.

Jason Blanchard

All right, Hal, you’re going to roll the dice. One through ten is unsuccessful. Eleven through 20 is successful.

Troy Wojewoda

Seven.

Noah Heckman

Poker face.

Corey Ham

What do you. Did you not have your coffee this morning?

Jason Blanchard

So, a couple things that are happening right now. First, I’m putting the number three on top of it because you have a three turn co op period before you can do this again. Also, it doesn’t mean that you can’t do it ever again.

You just have to wait three turns to do it again. Because sometimes when you try to do something, it’s not set up properly, like, the person who you need to do it isn’t there, like, there’s a cool off period.

The other reason that we have a cool off period is so you don’t keep brute forcing the same thing over and over again because you rolled badly. But here’s where the power of backdoors and breaches comes in. I’ve played this game with over 100 different organizations over the last year and a half, and here is the question that really reveals their security.

Now, today we’re going to be a little generic with our responses because, one, we don’t want to reveal the actual security of Black Hills information. And two, information security. And two, we’re a fictional company at this time, so we’re going to be a little generic with our response.

So here’s the question to the team. Ready? Can you give me a reason financially, politically, personnel wise, or technologically why network threat hunting would be unsuccessful at this time?

Not for forever, just in this moment.

Troy Wojewoda

So networking needed to borrow the span that’s feeding the network sensor, and they’re doing troubleshooting right now. So we’re not getting any data.

Jason Blanchard

Okay, what else?

Corey Ham

No, and double check. The database is being updated.

Jason Blanchard

What else?

Corey Ham

We don’t have sensor data for Wi Fi. And it’s only a Wi Fi device.

Noah Heckman

The Wi Fi connected HVAC system. I like it.

Jason Blanchard

How. How much or how many days of data are you collecting? probably.

Corey Ham

We can’t afford three quarters.

Noah Heckman

We can’t afford three quarters of a day.

Corey Ham

We can’t afford big ourselves.

Troy Wojewoda

Big cells are down. So, I mean, I think we had a, cut back on a retention. So I think we only have, like.

Jason Blanchard

A day or two.

Kiersten Gross

The only guy that can get in, the only guy or gal that can get into the sensor quit two weeks ago. Nobody can get into the sensor.

Noah Heckman

We don’t know their password. We don’t know their password and.

Corey Ham

Yeah, or on a trial license, and we ran out of index data.

Jason Blanchard

Sorry. So here’s the. Whenever you ask that question, like financially, politically, personnel wise or technologically, anything you can think of, and this is for everyone who is currently watching at work or at home, anything you can think of is a possible finding.

That’s what you’re looking for. Is like, where do we have maybes? Where do we have, like, not 100% visibility? Where do we have. We are not quite sure what our capabilities are. Where do we need training?

Like, where do we need authorization and, the ability to do the thing that we want to do. So once you, like, write all that stuff down, here’s what I don’t want you to do. Please, please, please don’t have a long list of things that you learned while playing backdoors and breaches that you feel like you have to fix when the game is over.

Only pick one thing from your list to look into. What I’ve learned from playing this game with people is that when human beings think they’re going to have a long list of things to do after playing this, they don’t want to play this anymore.

So only one thing. One thing when you play. All right, so network threat hunting didn’t work because Hal rolled a seven.

Noah Heckman

Hal, you’re gonna have to work on a better poker face.

Troy Wojewoda

so it’s funny because choices. I have a terrible poker face.

Jason Blanchard

All right, so what would you do? Yeah, what would you do?

Corey Ham

Who’s down for SIEM review?

Noah Heckman

It’s basically, what exactly are we reviewing in the SIEM, though?

Corey Ham

We’re reviewing, like, any alerts related to HVAC stuff, right?

Noah Heckman

Shouldn’t we already be taking action on alerts?

Corey Ham

It’s a low. It’s a low. Wait, wait.

Kiersten Gross

We don’t do that. Sorry, what was the problem? What do we try and throw a circumvent.

Noah Heckman

We don’t know. The fact that network threat hunting didn’t work.

Kiersten Gross

Oh, it didn’t work.

Noah Heckman

We were on the fence about network threat hunting or firewall log review. I’m kind of like we should try the firewall log review, but true.

Jason Blanchard

Sure.

Noah Heckman

No, because I think that pivoting to their SIEM usually indicates that your, you have a host that you’re investigating or a specific thing that you’re investigating. We don’t know what we’re investigating.

Troy Wojewoda

But also, don’t you, like, put your firewall logs in your summit as well?

Corey Ham

Yeah, but there’s a low severity alert in there that we didn’t look at because we didn’t care.

Jason Blanchard

All right, so. No, I believe you mentioned firewall review. Is that the consensus of the team or someone else got something?

Noah Heckman

We’ll see if I know my asas.

Jason Blanchard

All right, Noah, go ahead and roll the dice for us and see what happens.

Kiersten Gross

So does the three go on that card, Jason?

Jason Blanchard

No, no, no. We’ll talk about that in a second.

Noah Heckman

Okay, I got a 1616. Yes.

Jason Blanchard

All right, I trust you. All right, so doing, firewall log review, you see that you have four different systems inside your environment, all using bits to send out data to the same location.

They’re all using four different systems. One’s in accounting, one’s in the, this other department, ones over here. but essentially you have four different systems, all using bits to send out information to the same location.

Corey Ham

Can anyone HVAC systems run bits?

Noah Heckman

It’s really windows. It’s. Yeah, it’s Windows based. It’s, running on Windows Vista.

Corey Ham

I guess we should have mentioned m that.

Jason Blanchard

Is this possible? And what is bits? I have a question for what is bits?

Noah Heckman

background intelligent transfer service. It’s a traffic, it’s like your HTTP or your HTTPs, web traffic, but it allows you to transfer files built into Windows.

Jason Blanchard

Do organizations use this regularly or is.

Noah Heckman

This built into Windows? So pretty much all of your Windows updates is ran through bits usually. so probably what we would have seen was actually that four hosts were using bits for non Windows update stuff, and that would have made them stand out because we would expect to see a fair amount of traffic on bits in general.

Jason Blanchard

So one time I asked an organization like, do what bits is, Jason? We hate bits so much, we have a script that runs every hour in case someone accidentally turns on bits.

Noah Heckman

I was like, right.

Jason Blanchard

Here’S why that card was revealed. If you take a look at the card, it’s got network threat hunting and firewall review. That means if they were successful in network threat hunting, I would have possibly revealed this card.

But they were successful in firewall log review. They rolled successfully for a card that reveals a part of attack. Now, if a procedure card would reveal multiple parts of the attack, I will still only reveal one part of the attack at one time, and I get to choose which part that I want to show.

And the reason why is because when you do incident response, you do something. You don’t find everything. You do something and you find a thing, and if you do it some more, you might find another, a, thing. And so that’s why I only reveal one card at a time.

So, firewallog review revealed this. You have four systems inside your organization that are all using bits for some unknown reason, all to the same location. All right, so I have a three over here, two over here.

Noah Heckman

Hold up. When you say some unknown reason, like, that’s the C2 card. So, do we know that it’s being used for C2?

Jason Blanchard

Yes.

Noah Heckman

Okay.

Jason Blanchard

It’s for the C2.

Noah Heckman

Okay, cool.

Jason Blanchard

So you still have to figure out, does this have anything to do with the HVAC company or at all? What is the initial compromise? How do they escalate to four different systems inside your organization and what do they use for that?

And how are they maintaining persistence?

Corey Ham

I feel like we should run an analysis on one of those compromised endpoints.

Jason Blanchard

Yep.

Noah Heckman

Specifically, I would recommend endpoint security protection analysis on those endpoints.

Troy Wojewoda

Yeah, absolutely.

Jason Blanchard

It’s plus three, so why is that not?

Noah Heckman

Because it’s a plus three and I know this game pretty well.

Jason Blanchard

Okay. So some people here have already noticed that there’s the established procedures and the other procedures. Established procedures means you have taken training on it. You have a run book on it or something like that.

Or you literally wrote down what you would do in this situation. Because I know all organizations have things that they do, and they have things that they write down that they do. I know on my team, like the team that I work on at Black Hills, if I got hit by a bus tomorrow, everything I did would cease to exist because I don’t write down anything that I do, which is bad.

So what we, are trying to encourage is for organizations to write down these things. And I know how hypocritical that sounds for me to say you should write down things.

I don’t write down things that I don’t do security. I do content communities. And you’re like, you should still write it down, Jason, I get it. All right. I understand. Thank you. All right. So established procedures means you get a plus three modifier for everything that you want to do.

So if you roll an eight, then you get plus three. So it’s a 910 eleven means it’s successful. So writing things down can help you in the incident response process. These other things over here is just stuff that how to do.

And so, those are just whatever you roll is what you roll. Now, some of you watching right now, like, well, at our organization, we have an amazing isolation policy, but it’s down here in the other procedures. Well, give it to yourself.

Give yourself that plus three for that other card. If you have an amazing memory analysis policy, then give yourself a plus three for that. And I just have these x’s here to remind myself that I get a plus three for those.

And if you want to play this game, however, it works best inside your environment, you’re like, hey, we have all this stuff written down. Fantastic. You get a plus three for everything. Or if you’re like, we don’t write down anything, Jason. We’re like you then, you don’t get a plus three for anything.

Corey Ham

So isn’t endpoint security protection analysis like analyzing the tool, not analyzing the actual endpoint?

Jason Blanchard

It is analyzing the log data coming off of the endpoints. in this game, that’s what that means. So it’s the actual log data coming off the endpoints, and then the other endpoint analysis is like a forensics look or remote access into an endpoint to then, take a look at how things are running.

Corey Ham

I say we log it. Do it. Do it. What Noah said. Plus, he rolled a 16, so he’s lucky he’s got those hot dice.

Jason Blanchard

I’m hearing endpoint security protection analysis. Is that the consensus? Taking a look at the, Who wants to roll the dice besides Noah and Hal.

Kiersten Gross

Overall.

Jason Blanchard

All right, Troy, end with product one.

Noah Heckman

Troy, you didn’t do us proud.

Kiersten Gross

I mean, I can’t help the roll.

Jason Blanchard

Did you roll a one?

Kiersten Gross

I, rolled a one.

Corey Ham

All right, he’s an insider threat. Let’s kick him off the team.

Noah Heckman

Troy, you’re fired.

Kiersten Gross

I am the HVAC.

Corey Ham

He just runs into rooms.

Noah Heckman

Troy, this is. We told you that you can’t learn everything for your job solely off YouTube. You need to take some formal training one of these days.

Jason Blanchard

Okay, so, can you give me a reason, financially, politically, technologically, or personnel wise, why endpoint security protection analysis would be unsuccessful this time?

You, might have to dig deep.

Corey Ham

For it, because he didn’t even show up to work.

Noah Heckman

Our vendors said everything would be fine, but it was not.

Corey Ham

He rolled a one, which means he wasn’t even there when we asked him to do it.

Troy Wojewoda

License expired.

Jason Blanchard

License expired.

Kiersten Gross

The trial license expired.

Noah Heckman

Yes, those trial licenses.

Jason Blanchard

Okay. Anything else? what could possibly be, disabled?

Kiersten Gross

It wasn’t there.

Noah Heckman

Install it on those agents. Because those users had specific use cases that.

Kiersten Gross

No, no, no.

Corey Ham

It’s a Windows XP box. It isn’t compatible. Sensor.

Noah Heckman

There you go. Why is accounting running on an XP box, though?

Corey Ham

because they have smartbooks 2003.

Noah Heckman

Oh, okay. Makes sense.

Troy Wojewoda

So our developers needed, no security stacks at all on their machine so they could do their job.

Jason Blanchard

Okay. Yeah, so there’s a lot of reasons why it’s possible. So. Okay, so since you rolled a one, Troy, what’s going to happen now is an inject card is going to come in, and this is the expansion deck, which means we have a lot more inject cards.

So I have no idea what’s about to happen. Right now, we added a lot more, like cringy m inject, cards in the original. They’re somewhat good, somewhat bad. The new one, they’re just all bad.

it is getting hot in here. HVAC systems. Oh, my God. The actual HVAC system. The HVAC systems are important, and they will fail at the worst times. This is one of those times.

Your data center HVAC system is infected with a worm. Hmm. Wonder how that. It’s supposed to be air gapped is 103 outside, and the server temperatures are rising.

All servers need to be shut down right now.

Noah Heckman

Point of order.

Kiersten Gross

Configure. We’re done.

Corey Ham

It said it was a worm. And we know we’re dealing with XP on, the accounting system.

Noah Heckman

Also, I would like to propose a different inject card because this completely conflicts with the scenario. It says that the HVAC system is air gapped.

Corey Ham

Wait, no. It says it’s supposed to be aircraft.

Jason Blanchard

It’s supposed to be air gap.

Noah Heckman

Okay.

Jason Blanchard

It’s supposed to be air gap. That is correct.

Corey Ham

But it’s not. Also, I think, confickers. Black holes. We should be. Okay, guys. It’s fine.

Troy Wojewoda

You’d be surprised.

Jason Blanchard

Back, surprisingly, is gone down. So if you need to shut the servers down, what’s some things that might, be at, issue now?

Corey Ham

Well, we use go to, help self hosted. So this meeting is going to die when we turn off the servers.

Jason Blanchard

That is the thing. what is your alternative form of communication amongst your team?

Noah Heckman

Everyone makes a free google, like a free gmail account. We all join a g meeting.

Jason Blanchard

Does that mean you’re going to switch over to hotspots, so that way you have your own Internet? Or.

Corey Ham

I say we got.

Noah Heckman

I mean, the Internet should still work.

Kiersten Gross

We, don’t have an out of band procedure.

Corey Ham

We don’t have DHCP. Dude, our networks, our entire. All of our drives just dropped off the wifi because we can just use.

Noah Heckman

Like, a cheap Walmart netgear router to get us up and going.

Corey Ham

Everyone hotspots engage. I don’t know what that means. I just feel like.

Jason Blanchard

So we have a couple things. Like dale says bye bye SIEM and bye bye firewalls. Is that true? Would you.

Noah Heckman

Depends on how we are using our, what kind of SIEM we have. If it’s cloud hosted, we’re fine.

Corey Ham

We cloud host, we can’t be bothered.

Noah Heckman

Yeah, I think that we’re on a cloud.

Corey Ham

It might be a trial, but it’s cloud hosted.

Jason Blanchard

Yeah. So Michael asked the question, is rolling a one, the only dice roll, that means inject. Yeah. no, if you roll a 20 or a one, or have three failed rolls in a row, meaning like a six, a seven, and a two, then an inject card would come in during that third roll.

So since Troy rolled a one, a natural one, even though it had a lot of plus three to it, it’s still a natural one. So anyone who write rolls a critical, hit is a one.

so with that, an inject card came into play. So, so far, you have not revealed the initial compromise. I don’t know, maybe those two things are related.

we have a pivot. Escalate cards. revealed and persistence. And you’re on turn number four right now. So here is a piece of advice. There is one consultant card that nullifies inject cards.

If you call a consultant, it would nullify your in jet card, which means your servers would come back up.

Corey Ham

Do we need our servers? Who determines if we need our servers?

Noah Heckman

We pretty much just keep those servers around for the fun of it anyhow, because it looks cool to have the blinking lights and the.

Kiersten Gross

Can the consultant be Mister cool?

Corey Ham

Well, so we should mention that we are the store store. And that we’re conglomerate, which means all of our branch locations have their own, like, retail. Like, retail sales will continue even if our servers, are down.

So I think we should just nuke them. Yeah, plus it could help us from getting X fill, right? I mean, they’re probably exfilling right now, so if we turn everything off.

Noah Heckman

Yeah, we just disabled. We just disabled some of the hosts that they’re using bits of C2 on.

Corey Ham

Exactly.

Jason Blanchard

What I’m hoping is the people who are watching at their organization are thinking right now, what would it be like if they had to shut off the servers? What capabilities would they lose if they had to?

Kiersten Gross

Do you have a backup center? Do you have a high availability?

Noah Heckman

We can put them in my garage. We could just move the data center to my garage. It’ll be fine.

Kiersten Gross

So, I mean, that’s what I would. I mean, seriously, though, that’s what I would. I’d be looking. Is there a backup center? Is there a high availability, kind of a separate physical center?

Troy Wojewoda

What’s your continuity of operations?

Jason Blanchard

Yeah, yeah. And, Troy, we were recently doing a tabletop with an organization, and this card, this thing happened, and so they had to figure what their alternative communications plan was, because all their communications were tied into their server.

So they had a side signal channel that they would use for that. And so they already had it ready to go. Just in case their main, line of communications were killed.

Corey Ham

I think in this case we should turn them off. Just because of our business isn’t dependent on our central corporate servers. We really just use it for business intel, and it doesn’t directly make us money, so.

Jason Blanchard

All right, so it looks like we’re killing the servers. do you want to keep moving along with this incident or do you want to focus on something else?

Troy Wojewoda

So, I have a question about the. So the crisis management card talks about legal team and stuff.

Jason Blanchard

Sure.

Troy Wojewoda

but is that something we can invoke to, like, initiate the doctor or the high availability site if we want to do that? I mean, I know we’re talking about we could just survive without our corporate data center, so to speak, but, we need to, pick a card or something.

So is that something that we might be able to play?

Jason Blanchard

And, Hal, what I really appreciate is whenever I play with a team, I always ask them, at what point does an incident become a crisis? At, what point?

Where’s the threshold? What’s the. Like. Oh, my God, like, at this point, how does it go from an incident to a crisis? Would you all say that this has become a crisis or this still part of an incident?

Corey Ham

I don’t think it’s a crisis. We have one data center that has a failed HVAC unit. The guys on the way. Plus the HVAC company owes us a favor since they got hacked, so they better be quick. And we have only four systems compromised.

Noah Heckman

So it’s a crisis.

Corey Ham

Yeah, four system compromises. That happens to accounting every other week.

Noah Heckman

Deb is recommending in the chat, by the way, that we buy some new servers from the server store and set them up.

Corey Ham

We can’t buy our own service because our systems are down. Wait, that’s.

Jason Blanchard

Sure.

Kiersten Gross

So, yeah, I say we continue. It’s crisis mode in my opinion. and it’s really about impact.

Jason Blanchard

Right?

Kiersten Gross

So how many. What’s the business impact? If the business impact is we can’t buy anything. So if we can’t buy anything, then we’re pretty much impacted. Right?

Troy Wojewoda

So then we talk about payroll. You can’t pay your employees. You can’t do any purchases on that. you can’t operate as a business. Sure, we can still buy stuff the.

Jason Blanchard

Store store can’t sell store.

Corey Ham

Yeah, but it’s just an HVAC outage. What are we going to do, tell our clients, hey, we had an HVAC outage? Like, I mean, that’s such a minor thing. Plus, they’ll fix it. Like this happens. Remember what happened last week at the toys store?

Noah Heckman

The door open or something?

Corey Ham

Yeah, it’s just, it’s just HVAC outage. They’ll come and fix the condenser or whatever and it’ll be, 8 hours.

Noah Heckman

Specifically say he was infected with a worm. But, this is what I’ve.

Jason Blanchard

Learned over, what I’ve learned over doing this with so many different organizations is that this thing happens. The conversation is it, this is it. This, you need someone to say either it is or it is.

So there’s someone on the team who authorizes it has now become a crisis. And if you don’t know who that person is, that’s something to define ahead of time. All right, so what would you like to do next?

Corey Ham

I say we focus on the endpoint still.

Noah Heckman

This is me do the other endpoint analysis.

Corey Ham

That’s, that’s my opinion.

Noah Heckman

Let’s get on there, run some netstat.

Corey Ham

The HVAC remediation is kind of like, we don’t know what that, like. Yeah, I don’t know. In the subtext of the game, can you like fix an inject card or is it just there?

Jason Blanchard

There is a, call a consultant. So, like, if you needed to call somebody to fix the, the HVAC, possible, we, have one consultant that nullifies any inject card.

And so that’s a way of just like bypassing, like moving on to something else. So if you wanted to just potentially hire that person by rolling eleven through 20 and nullifying that in jet card, you could.

Or you could just say, what, that’s someone else’s problem. Let’s continue with the incident.

Noah Heckman

I would just keep going.

Corey Ham

Personally, I say continue, but that’s just me. I want to know why we have four compromised systems. The HVAC systems are, we already know they’re kind of screwed anyway.

Kaitlyn Wimberley

So, like, in the context of the game, does this actually have an effect on anything that, like we can choose to do, or like, do we still have the same capabilities regardless?

Jason Blanchard

It’s one of the questions that I would ask in actual organizations. Like, if the server went down, would this cause you to lose any of your security?

Noah Heckman

If you’re self hosting the SIEM, then like, all of a sudden your SIEM is deactivated.

Jason Blanchard

Yeah.

Corey Ham

In the context of this game, we decided it was cloud. Right?

Jason Blanchard

Right.

Corey Ham

Yeah. we’re just a conglomerate. We have limited servers, like, we have no payroll. We can’t like, we have no invoicing and purchasing, but we still have our SIEM, we still have our stores. Like, our retail locations have separate infrastructure.

So we won’t get any reports about the year end sales or whatever, but we’ll still be churning out that money. Well, if that’s the case, if we, if we know what four hosts are affected, should.

I, would say we should look at the syn logs.

Kaitlyn Wimberley

But can we still do server analysis if all of our servers are shut.

Troy Wojewoda

Down or far retention policies on?

Kiersten Gross

Yeah, you can get to your SIEM, but your servers all stop sending logs because the data center is down.

Noah Heckman

Well, and the server analysis card, if I remember right, is effectively like the endpoint analysis. It’s just like, running, like, on site forensics with, on the servers.

Jason Blanchard

Yeah, it’s any server, anything that you would call a server inside your organization. The reason why we called it server analysis because we didn’t know what kind of servers you had. And so we were, just went very generic with it.

This is our last turn to actually show the process of the game, and then we’re going to talk about how it all wraps up. So, so far, you revealed one card, lots of discussion, lots of knowledge sharing, and lots of, like, possible, like, hypothetical.

Speaking of, what is this? What? What’s this? So this is typically how a game goes. A game takes about 30 minutes to an hour, depending on how much conversation takes place among the team and how well your own security.

So if you’re like, well, this is why. This is why. This is why I move on. This is why this, why this, why move on? All, right, so last turn.

Corey Ham

It sounds like SIEM or endpoint. I’m cool with either SIEM or endpoint. I mean, we know we have compromised endpoints. I’m cool with, like, looking at the logs in the SIEM for those endpoints or just.

Just doing actual deep dives.

Jason Blanchard

All right, let’s let the audience decide. In discord or on Zoom? Go ahead, type in. Do you think we should go SIEM or endpoint?

Noah Heckman

Just like a real scenario? Just reach out to the online community, say, hey, what do you recommend? Post it on Reddit.

Corey Ham

So many SIEMs.

Noah Heckman

Yeah, I think SIEM is winning.

Corey Ham

Well, we, should give the end. It’s a Longer Word. It’s four letters versus, like, eight letters.

Noah Heckman

Oh, here’s some more endpoints.

Corey Ham

We got SIEM.

Noah Heckman

We had to type longer letters just.

Corey Ham

Because someone just typed Ep. I think they’re releasing an album soon.

Jason Blanchard

All right, so it looked like if I was going to just SIEM. All right, so we’re going to roll the SIEM. Who wanted to use the SIEM first? Who said that? I think it was Kaitlyn.

Jerry, roll the dice.

Kaitlyn Wimberley

No, but I will roll it.

Jason Blanchard

All right, Kaitlyn, Go Ahead and roll the dice for us.

Kaitlyn Wimberley

19. This is why I don’t trust the computer dice.

Jason Blanchard

All right, so with your Sid log analysis, you find indication of internal password spray took place. An internal password spray took place, all originating from.

Noah Heckman

But we follow PCI guidelines. Our passwords are minute like. They require a minimum of eight characters. It’s fantastic.

Jason Blanchard

Mhm. How could they spray that?

Corey Ham

The HVAC systems are just.

Jason Blanchard

All right, so if I take the, three over here and then put the two over here and the one over here, what would happen now is your network threat hunting card would be available again, so you could do network threat hunting if you wanted to.

Well, what’s happening right now is that we’re going to wrap up the game. So, that way we can do some q and A and also, let people know what happens when the game is over. So if you were either successful with revealing all the cards, or we get all the way to the 10th card and you haven’t revealed it yet, then I would then reveal the, final cards.

And so here’s what happened. It was a trusted relationship attack where the attackers used a service level account through the HVAC into your organization. From that, they were able to do an internal password spray where they compromise for other systems, and that is where they use bits to, exfiltrate data and they use the malicious driver as a form of persistence.

Now, here’s the part that I need your help. Is this a plausible attack? That’s the question you always ask when it’s over. Is this a plausible attack in our environment, the answer could be yes, no, or maybe.

Corey shook his head no. Why not going to go with kind.

Corey Ham

Of not because the trust relationship. I mean, it depends on what the trust relationship is. Like, Troy said, it could be, oh, you just have emailing, stuff. Or it could be, like you said, a service account.

If they had a service account, it doesn’t really make sense for them to be spraying also since they already had credentials. But I mean, other than that, it depends on the context of how you define trusted relationship.

But yeah, well, I would, I would.

Noah Heckman

I would pose this one, Corey, because working with some OT stuff over time, it is not terribly uncommon for these providers to install some sort of back calling, like openssl backwards VPN in your network, and they usually require it if you want, their support.

So it’s not uncommon that in that kind of environment, you would have a complete tunnel, going back to them.

Corey Ham

Right? Yeah. If that’s the case, and they just have a compromised tunnel, basically a point of presence in your network, then it would make sense that they would spray. So. Sure.

Jason Blanchard

So Dmitry asks, so was the story about the HVAC breach notification just made up by Jason based on the initial compromise card? Yes. I can either make up the story or scenario based on the initial compromise, or I could make it up on the pivot and escalate.

most likely it’s one of those two cards where I make up the scenario. Like, you see some SIEMilar, or you see this or something like that. Generally I use it based on the initial compromised card.

Now, once you get good at playing this game, a lot of times I’ll give a scenario that has nothing to do with the cards at all. And the reason why is because sometimes you find an incident by looking for an incident.

And so I just give you a, hey, this is a thing. There was, like, a fish, and then all of a sudden, you find out it was like an external, exploitable service. You’re like, whoa, that’s been, like, compromised for six months. That nothing to do with the fish.

But it’s because we went digging is that we found something. All right, what other, So it was yes, nor maybe, is this plausible?

And then you could also do each card. Is the trusted relationship a yes, no, or maybe, let’s do that. Is a trusted relationship a yes, no, or maybe. Is that a possible attack vector in our organization?

Kiersten Gross

Yes.

Corey Ham

Oh, the store. Store has many partners. We have to partner with a lot of different companies to get all of our products.

Jason Blanchard

And if the answer is yes, then you understand the risk that you have, and either you mitigate it or you say, this is the risk that we have in order to do business. Is an, internal password spray possible?

Yes, or maybe?

Kiersten Gross

Yeah, yeah, I think so. I think that the attacker having that, like, trusted tunnel through the HVAC system and doing all that password spraying caused the HVAC actually to overload and shut down.

It wasn’t intentional by the attacker to shut down.

Noah Heckman

It couldn’t handle that much.

Kiersten Gross

It couldn’t handle all that processing. And so by the attacker leveraging that. That conduit, if you will, basically, killed the HVAC system.

Corey Ham

So definitely they locked their own service account, and it caused the HVAC to turn off due password spraying.

Kiersten Gross

No, the HVAC just couldn’t process all that processing power.

Troy Wojewoda

What about ran, out of disk space?

Corey Ham

They were logging the attack, and it ran out of disk space.

Jason Blanchard

What about using bits as a form of, exfiltration or command and control in the organization?

Troy Wojewoda

Absolutely.

Jason Blanchard

Yeah.

Corey Ham

That’s pretty underground, but sure, yeah.

Jason Blanchard

And what you’re really looking for when you ask these questions is the work. Maybe, like, if anyone on the team says maybe, well, then that is an opportunity to either find out if it’s a yes or no.

Maybe is like, the worst word you could use during the tabletop exercise. Like, well, maybe like, maybe. Oh, God, maybe like, we should know either yes or no.

Okay. malicious driver, would that be possible in some of the systems inside the organization?

Noah Heckman

So this is the card that I dislike the least out of this whole chain SIEMply just because it doesn’t match the rest of the profile. I mean, our attackers go through a trusted tunnel, they do a password spray, then they reuse bits.

I mean, none of those are extremely technical. And then you go to malicious driver all of a sudden, which is, like, incredibly hard to do.

but most organizations are susceptible to it. It just doesn’t match the profile of the attacker.

Jason Blanchard

All right, everybody, thank you so much for watching. I know you’re probably going to have lots of questions, so go ahead and ask those questions. Now, we’ll most likely go into some post show banter here in the next few minutes, but we really appreciate you taking the time to watch us play backdoors and breaches today.

And hopefully, what you saw was the knowledge transfer happening while playing. Sometimes you don’t know the stuff until you have an opportunity to talk about the things And sometimes the people on your team don’t know the things they don’t know until they hear you talk about the things you do know.

And I know that’s a lot for you to try to process, but thanks to Noah, Corey, Kaitlyn, Kirsten, Hal and Troy today. Thanks for playing the game, for being, just willing to, go in this.

I didn’t tell them what this scenario was going to be. They completely went into this blind, and so thanks for that.