Podcast Summary: Talkin' Bout [Infosec] News – Backdoors & Breaches Live! 05/19/2021
Episode Overview
This live “Backdoors & Breaches” session, led by guest Incident Master Ian Meyer and featuring the Black Hills Information Security (BHIS) team and friends, transforms a real-world infosec supply chain breach into a collaborative tabletop incident response game. The episode walks listeners through group decision-making, troubleshooting, random failures, and the complications of incomplete visibility—all while emphasizing the chaos, camaraderie, and gallows humor of incident response in cybersecurity.
Key Discussion Points & Insights
1. Kicking Things Off and Inside Jokes
- Pronunciation Woes: The team jokes about infosec terms (“SIEM,” “sysop,” “sudo”), riffing on the confusion common with jargon read but rarely heard.
- Ian: “If you’ve only ever read something, how do you know how to say it?” [01:30]
- Tabletop Game Premise:
- Ian introduces Backdoors & Breaches—a scenario-driven card game that simulates incident response, useful for both learning and tabletop exercises.
- Key stages: Initial Compromise, Pivot & Escalate, Persistence, C2/Exfiltration. [04:00–08:00]
- Game Mechanics Explained:
- Randomness via D20 dice rolls and “inject” cards adds realism and unpredictability (think real-life curveballs).
- Five “core” procedures with +3 modifiers: SIEM, Call Consultant, Endpoint Analysis, UEBA, and Isolation. [08:00–10:00]
2. Scenario Revealed: Cloud Service Breach
- The Scenario (Werewolves not included):
- The SOC spots anomalous service account authentications from external sources, matching internal conventions but at irregular endpoints (e.g., OWA/external cloud). Some logins succeed—a clear sign accounts are compromised. [11:19–13:10]
- Initial Responses:
- Team debates first moves, weighing SIEM over UEBA (“not enough past context”), then tries SIEM log analysis first.
- Quote:
- Blake: “My vote is for the SIEM.” [13:53]
- Successful: They identify external cloud access as the initial compromise but are told there may be more undetected paths (“South Dakota law!” joke). [14:34–16:00]
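The scenario's opening signal, service accounts authenticating from outside the network at endpoints like OWA or a cloud sign-in page, is the kind of thing a simple SIEM rule can surface. The following is an added example, not code from the episode or from BHIS; the "svc-" naming convention, the internal IP ranges, the endpoint names and the log lines are all constructed for illustration.

```python
# Added example: flag service-account logins from external sources at
# external-facing endpoints, rating successful logins higher (the scenario's
# "some logins succeed" is what made the accounts look compromised).
import ipaddress
import re
from collections import defaultdict

# Assumptions (constructed): service accounts are named "svc-*", these are
# the corporate ranges, and these endpoint names are the external-facing ones.
SERVICE_ACCOUNT_RE = re.compile(r"^svc-[a-z0-9-]+$")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
EXTERNAL_FACING = {"owa", "cloud-sso"}

# Constructed sample log: timestamp, user, source IP, endpoint, result.
SAMPLE_LOG = """\
2021-05-19T09:01:12Z svc-backup 10.4.2.17 fileshare SUCCESS
2021-05-19T09:02:40Z svc-ci-deploy 203.0.113.45 owa FAILURE
2021-05-19T09:02:58Z svc-ci-deploy 203.0.113.45 owa SUCCESS
2021-05-19T09:05:03Z jdoe 198.51.100.7 owa SUCCESS
2021-05-19T09:07:21Z svc-monitor 203.0.113.80 cloud-sso FAILURE
"""

def parse_line(line):
    ts, user, ip, endpoint, result = line.split()
    return {"ts": ts, "user": user, "ip": ipaddress.ip_address(ip),
            "endpoint": endpoint, "result": result}

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def find_suspicious(log_text):
    """Group external-source, external-endpoint service-account auths by user."""
    alerts = defaultdict(lambda: {"attempts": 0, "successes": 0, "sources": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if not SERVICE_ACCOUNT_RE.match(ev["user"]):
            continue  # interactive users are outside this rule's scope
        if is_internal(ev["ip"]) or ev["endpoint"] not in EXTERNAL_FACING:
            continue
        rec = alerts[ev["user"]]
        rec["attempts"] += 1
        rec["sources"].add(str(ev["ip"]))
        if ev["result"] == "SUCCESS":
            rec["successes"] += 1
    # A successful external login by a service account is the high-severity case.
    return {u: {**r, "severity": "high" if r["successes"] else "medium"}
            for u, r in alerts.items()}

if __name__ == "__main__":
    for user, rec in find_suspicious(SAMPLE_LOG).items():
        print(f"{rec['severity'].upper()} {user}: {rec['attempts']} attempts, "
              f"{rec['successes']} successful, from {sorted(rec['sources'])}")
```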
3. Mid-Game: Troubleshooting, Failures, and IT Snafus
- Rounds of Investigation:
- Server Analysis fails (no IOC found).
- Endpoint Analysis fails (EDR rollout unfinished—“James didn’t upgrade Carbon Black,” becomes running gag). [24:42]
- RITA (Network Analysis) fails (logs missing—blamed on “Steve” disabling them over lost cafeteria candy). [28:14]
- Inject Cards & Real-Life Parallels:
- Legal abruptly pulls a key responder for a meeting (“You must remain silent until the incident is over”)—Ralph is “sent to legal.” [30:13–31:13]
- Jokes abound about calling cyber insurance, resume updates, and exasperated IR fatigue.
- V: “This feels like 2020.” [62:11]
4. Late-Game: Desperation, Recovery, and More Adversity
- Key Strategies:
- Multiple failed attempts with limited dice luck; SIEM, consultant calls (“George, Chloe”), firewall logs, injects, etc., often stymied by missing data or randomness.
- Chloe’s consultant card grants three extra turns (a rare break), but SIEM soon crashes because someone fatally queries all historical logs (“Four terabytes! Go home, Steve.”). [51:58]
- Breakthroughs:
- UEBA analysis finally reveals “Pivot & Escalate”—attackers leveraged stolen service account credentials for credential stuffing (matching real CodeCov breach mechanics). [46:03–47:05]
- Despite new consultant help, time runs out before the group can fully solve both the “Persistence” and “C2/Exfil” components.
- Quote:
- Ian, on team burnout: “The exact mood of an incident response toward the end—you’re like, whatever.” [63:08]
- Ending:
- The final move, a “call consultant” (George), finally reveals C2/Exfil is HTTPS exfiltration.
- The group is unable to discover Persistence before the scenario ends.
5. Debrief & Learning Points
Scenario Solution:
- Attackers exploited a supply chain weakness, poisoning a CI/CD tool (CodeCov), leaking cloud service credentials. These were used externally for credential stuffing, internal escalation, and ultimately, exfiltration over HTTPS—in other words, a practical breakdown of the real CodeCov breach as applied to incident response education.
- Moral: Never hardcode credentials; use secrets management!
Notable Quotes / Memorable Moments
- “This was the most brutal game I’ve ever seen… never seen it go to 13 rounds and not be resolved.” – Jason [70:39]
- Running gags blaming “interns,” “James” and “Steve” for IT mishaps, and legal interruptions reflecting real workplace chaos.
- “Is there a sleep option in this game?” – Blake, on IR fatigue [44:24]
- “You walk into the developer room and it reeks of kombucha and hoodies.” – Ian [57:49]
Humor & Realism
- The stress, escalation, and humor mimic real-world security incident response: legal interference, tool misconfigurations, IT scapegoating, and the emotional rollercoaster of dire situations.
Timestamps of Important Segments
- Game & Rules Overview: [03:57–10:07]
- Incident Scenario Revealed: [11:19–16:00]
- Critical Decision-Making (Early Rounds): [16:46–25:14]
- First Inject (Legal Intervenes): [30:13]
- Consultants Enter (Chloe’s Extra Turns): [48:32–51:29]
- Persistence & C2/Exfil Discovery: [53:05–63:40]
- Scenario Debrief (CodeCov supply chain): [65:02–69:08]
- Final Wrap-up: [69:58–71:16]
Takeaways for the Infosec Community
- Incident Response is Chaotic: Even in simulations, unexpected setbacks and incomplete data can derail the best responders.
- Communication/Human Factors Matter: Legal, “interns,” and misconfigured tooling play as big a role as technology.
- Modern Threats Leverage Supply Chain: Real breaches (like CodeCov) highlight risks in pipelines and cloud integrations.
- Tabletop Exercises Reveal Gaps: These exercises surface process and technical shortfalls, just like in real life.
In the spirit of the original episode, the tone remains witty, self-deprecating, and pragmatic—showcasing both the technical and human sides of incident response.
If you missed the episode, this play-by-play, complete with quotes and context, will help you understand both the educational value and entertainment that Backdoors & Breaches brings to the table!