Summary

Podcast Summary: Talkin' Bout [Infosec] News – Backdoors & Breaches Live! 05/19/2021

Episode Overview

This live “Backdoors & Breaches” session, led by guest Incident Master Ian Meyer and featuring the Black Hills Information Security (BHIS) team and friends, transforms a real-world infosec supply chain breach into a collaborative tabletop incident response game. The episode walks listeners through group decision-making, troubleshooting, random failures, and the complications of incomplete visibility—all while emphasizing the chaos, camaraderie, and gallows humor of incident response in cybersecurity.

Key Discussion Points & Insights

1. Kicking Things Off and Inside Jokes

Pronunciation Woes: The team jokes about infosec terms (“SIEM,” “sysop,” “sudo”), riffing on the confusion common with jargon read but rarely heard.
- Ian: “If you’ve only ever read something, how do you know how to say it?” [01:30]
Tabletop Game Premise:
- Ian introduces Backdoors & Breaches—a scenario-driven card game that simulates incident response, useful for both learning and tabletop exercises.
- Key stages: Initial Compromise, Pivot & Escalate, Persistence, C2/Exfiltration. [04:00–08:00]
Game Mechanics Explained:
- Randomness via D20 dice rolls and “inject” cards adds realism and unpredictability (think real-life curveballs).
- Five “core” procedures with +3 modifiers: SIEM, Call Consultant, Endpoint Analysis, UEBA, and Isolation. [08:00–10:00]

2. Scenario Revealed: Cloud Service Breach

The Scenario (Werewolves not included):
- The SOC spots anomalous service account authentications from external sources, matching internal conventions but at irregular endpoints (e.g., OWA/external cloud). Some logins succeed—a clear sign accounts are compromised. [11:19–13:10]
Initial Responses:
- Team debates first moves, weighing SIEM over EUBA (“not enough past context”), then tries SIEM log analysis first.
- Quote:
  - Blake: “My vote is for the SIEM.” [13:53]
- Successful: They identify external cloud access as the initial compromise but are told there may be more undetected paths (“South Dakota law!” joke). [14:34–16:00]

3. Mid-Game: Troubleshooting, Failures, and IT Snafus

Rounds of Investigation:
1. Server Analysis fails (no IOC found).
2. Endpoint Analysis fails (EDR rollout unfinished—“James didn’t upgrade Carbon Black,” becomes running gag). [24:42]
3. RITA (Network Analysis) fails (logs missing—blamed on “Steve” disabling them over lost cafeteria candy). [28:14]
Inject Cards & Real-Life Parallels:
- Legal abruptly pulls a key responder for a meeting (“You must remain silent until the incident is over”)—Ralph is “sent to legal.” [30:13–31:13]
- Jokes abound about calling cyber insurance, resume updates, and exasperated IR fatigue.
  - V: “This feels like 2020.” [62:11]

4. Late-Game: Desperation, Recovery, and More Adversity

Key Strategies:
- Multiple failed attempts with limited dice luck; SIEM, consultant calls (“George, Chloe”), firewall logs, injects, etc., often stymied by missing data or randomness.
- Chloe’s consultant card grants three extra turns (a rare break), but SIEM soon crashes because someone fatally queries all historical logs (“Four terabytes! Go home, Steve.”). [51:58]
Breakthroughs:
- UEBA analysis finally reveals “Pivot & Escalate”—attackers leveraged stolen service account credentials for credential stuffing (matching real CodeCov breach mechanics). [46:03–47:05]
- Despite new consultant help, time runs out before the group can fully solve both the “Persistence” and “C2/Exfil” components.
- Quote:
  - Ian, on team burnout: “The exact mood of an incident response toward the end—you’re like, whatever.” [63:08]
Ending:
- The final move, a “call consultant” (George), finally reveals C2/Exfil is HTTPs exfiltration.
- The group is unable to discover Persistence before the scenario ends.

5. Debrief & Learning Points

Scenario Solution:

Attackers exploited a supply chain weakness, poisoning a CI/CD tool (CodeCov), leaking cloud service credentials. These were used externally for credential stuffing, internal escalation, and ultimately, exfiltration over HTTPS—in other words, a practical breakdown of the real CodeCov breach as applied to incident response education.
- Moral: Never hardcode credentials; use secrets management!

Notable Quotes / Memorable Moments

“This was the most brutal game I’ve ever seen… never seen it go to 13 rounds and not be resolved.” – Jason [70:39]
Running gags blaming “interns,” “James” and “Steve” for IT mishaps, and legal interruptions reflecting real workplace chaos.
“Is there a sleep option in this game?” – Blake, on IR fatigue [44:24]
“You walk into the developer room and it reeks of kombucha and hoodies.” – Ian [57:49]

Humor & Realism

The stress, escalation, and humor mimic real-world security incident response: legal interference, tool misconfigurations, IT scapegoating, and the emotional rollercoaster of dire situations.

Timestamps of Important Segments

Game & Rules Overview: [03:57–10:07]
Incident Scenario Revealed: [11:19–16:00]
Critical Decision-Making (Early Rounds): [16:46–25:14]
First Inject (Legal Intervenes): [30:13]
Consultants Enter (Chloe’s Extra Turns): [48:32–51:29]
Persistence & C2/Exfil Discovery: [53:05–63:40]
Scenario Debrief (CodeCov supply chain): [65:02–69:08]
Final Wrap-up: [69:58–71:16]

Takeaways for the Infosec Community

Incident Response is Chaotic: Even in simulations, unexpected setbacks and incomplete data can derail the best responders.
Communication/Human Factors Matter: Legal, “interns,” and misconfigured tooling play as big a role as technology.
Modern Threats Leverage Supply Chain: Real breaches (like CodeCov) highlight risks in pipelines and cloud integrations.
Tabletop Exercises Reveal Gaps: These exercises surface process and technical shortfalls, just like in real life.

In the spirit of the original episode, the tone remains witty, self-deprecating, and pragmatic—showcasing both the technical and human sides of incident response.

If you missed the episode, this play-by-play, complete with quotes and context, will help you understand both the educational value and entertainment that Backdoors & Breaches brings to the table!

Summary

Podcast Summary: Talkin' Bout [Infosec] News – Backdoors & Breaches Live! 05/19/2021

Episode Overview

Key Discussion Points & Insights

1. Kicking Things Off and Inside Jokes

Pronunciation Woes: The team jokes about infosec terms (“SIEM,” “sysop,” “sudo”), riffing on the confusion common with jargon read but rarely heard.
- Ian: “If you’ve only ever read something, how do you know how to say it?” [01:30]
Tabletop Game Premise:
- Ian introduces Backdoors & Breaches—a scenario-driven card game that simulates incident response, useful for both learning and tabletop exercises.
- Key stages: Initial Compromise, Pivot & Escalate, Persistence, C2/Exfiltration. [04:00–08:00]
Game Mechanics Explained:
- Randomness via D20 dice rolls and “inject” cards adds realism and unpredictability (think real-life curveballs).
- Five “core” procedures with +3 modifiers: SIEM, Call Consultant, Endpoint Analysis, UEBA, and Isolation. [08:00–10:00]

2. Scenario Revealed: Cloud Service Breach

The Scenario (Werewolves not included):
- The SOC spots anomalous service account authentications from external sources, matching internal conventions but at irregular endpoints (e.g., OWA/external cloud). Some logins succeed—a clear sign accounts are compromised. [11:19–13:10]
Initial Responses:
- Team debates first moves, weighing SIEM over EUBA (“not enough past context”), then tries SIEM log analysis first.
- Quote:
  - Blake: “My vote is for the SIEM.” [13:53]
- Successful: They identify external cloud access as the initial compromise but are told there may be more undetected paths (“South Dakota law!” joke). [14:34–16:00]

3. Mid-Game: Troubleshooting, Failures, and IT Snafus

Rounds of Investigation:
1. Server Analysis fails (no IOC found).
2. Endpoint Analysis fails (EDR rollout unfinished—“James didn’t upgrade Carbon Black,” becomes running gag). [24:42]
3. RITA (Network Analysis) fails (logs missing—blamed on “Steve” disabling them over lost cafeteria candy). [28:14]
Inject Cards & Real-Life Parallels:
- Legal abruptly pulls a key responder for a meeting (“You must remain silent until the incident is over”)—Ralph is “sent to legal.” [30:13–31:13]
- Jokes abound about calling cyber insurance, resume updates, and exasperated IR fatigue.
  - V: “This feels like 2020.” [62:11]

4. Late-Game: Desperation, Recovery, and More Adversity

Key Strategies:
- Multiple failed attempts with limited dice luck; SIEM, consultant calls (“George, Chloe”), firewall logs, injects, etc., often stymied by missing data or randomness.
- Chloe’s consultant card grants three extra turns (a rare break), but SIEM soon crashes because someone fatally queries all historical logs (“Four terabytes! Go home, Steve.”). [51:58]
Breakthroughs:
- UEBA analysis finally reveals “Pivot & Escalate”—attackers leveraged stolen service account credentials for credential stuffing (matching real CodeCov breach mechanics). [46:03–47:05]
- Despite new consultant help, time runs out before the group can fully solve both the “Persistence” and “C2/Exfil” components.
- Quote:
  - Ian, on team burnout: “The exact mood of an incident response toward the end—you’re like, whatever.” [63:08]
Ending:
- The final move, a “call consultant” (George), finally reveals C2/Exfil is HTTPs exfiltration.
- The group is unable to discover Persistence before the scenario ends.

5. Debrief & Learning Points

Scenario Solution:

Attackers exploited a supply chain weakness, poisoning a CI/CD tool (CodeCov), leaking cloud service credentials. These were used externally for credential stuffing, internal escalation, and ultimately, exfiltration over HTTPS—in other words, a practical breakdown of the real CodeCov breach as applied to incident response education.
- Moral: Never hardcode credentials; use secrets management!

Notable Quotes / Memorable Moments

“This was the most brutal game I’ve ever seen… never seen it go to 13 rounds and not be resolved.” – Jason [70:39]
Running gags blaming “interns,” “James” and “Steve” for IT mishaps, and legal interruptions reflecting real workplace chaos.
“Is there a sleep option in this game?” – Blake, on IR fatigue [44:24]
“You walk into the developer room and it reeks of kombucha and hoodies.” – Ian [57:49]

Humor & Realism

The stress, escalation, and humor mimic real-world security incident response: legal interference, tool misconfigurations, IT scapegoating, and the emotional rollercoaster of dire situations.

Timestamps of Important Segments

Game & Rules Overview: [03:57–10:07]
Incident Scenario Revealed: [11:19–16:00]
Critical Decision-Making (Early Rounds): [16:46–25:14]
First Inject (Legal Intervenes): [30:13]
Consultants Enter (Chloe’s Extra Turns): [48:32–51:29]
Persistence & C2/Exfil Discovery: [53:05–63:40]
Scenario Debrief (CodeCov supply chain): [65:02–69:08]
Final Wrap-up: [69:58–71:16]

Takeaways for the Infosec Community

Incident Response is Chaotic: Even in simulations, unexpected setbacks and incomplete data can derail the best responders.
Communication/Human Factors Matter: Legal, “interns,” and misconfigured tooling play as big a role as technology.
Modern Threats Leverage Supply Chain: Real breaches (like CodeCov) highlight risks in pipelines and cloud integrations.
Tabletop Exercises Reveal Gaps: These exercises surface process and technical shortfalls, just like in real life.

In the spirit of the original episode, the tone remains witty, self-deprecating, and pragmatic—showcasing both the technical and human sides of incident response.

If you missed the episode, this play-by-play, complete with quotes and context, will help you understand both the educational value and entertainment that Backdoors & Breaches brings to the table!

wavePod

Backdoors & Breaches Live! 05/19/2021

Powered by Wave AI

Summary

Episode Overview

Key Discussion Points & Insights

1. Kicking Things Off and Inside Jokes

2. Scenario Revealed: Cloud Service Breach

3. Mid-Game: Troubleshooting, Failures, and IT Snafus

4. Late-Game: Desperation, Recovery, and More Adversity

5. Debrief & Learning Points

Timestamps of Important Segments

Takeaways for the Infosec Community

Summary

Episode Overview

Key Discussion Points & Insights

1. Kicking Things Off and Inside Jokes

2. Scenario Revealed: Cloud Service Breach

3. Mid-Game: Troubleshooting, Failures, and IT Snafus

4. Late-Game: Desperation, Recovery, and More Adversity

5. Debrief & Learning Points

Timestamps of Important Segments

Takeaways for the Infosec Community