![Backdoors & Breaches Live! 05/19/2021 — Talkin' Bout [Infosec] News cover](https://img.transistor.fm/AukI425sRBc3M3UIa9lVng7qjeNeYEQ8BZfzCEXhALs/rs:fill:0:0:1/w:1400/h:1400/q:60/mb:500000/aHR0cHM6Ly9pbWct/dXBsb2FkLXByb2R1/Y3Rpb24udHJhbnNp/c3Rvci5mbS8xZTA1/ZWZhNDcxZGM4ZTFj/ZGJhMTMwNmYzMmJj/ZjBkNi5wbmc.jpg)
Join Incident Master Ean Meyer as we play another round of Backdoors & Breaches.
Caitlin
Hello.
Jason Blanchard
People are starting to show up here in the twitch chat and YouTube. It's great to see you. Thanks for being here today. This is going to be a regular occurrence here on the Twitch stream and on YouTube. We're gonna do this at least once a month, hopefully every two weeks.
Ralph
We'll see.
Ean Meyer
And.
Jason Blanchard
But if you're here for the news, this is not the news. We're about to breach this live stream. Ralph's like, it's not the news.
Ralph
I've been prepping for like the whole day. Thank you. Now it's ruined.
Ean Meyer
You've got your news ready to go?
Ralph
Yeah, I had all my links.
Ean Meyer
Nothing's happened in cybersecurity in the last 24 hours.
Ralph
Nothing.
V
Let's just hope nothing comes out of this. That becomes.
Blake
Unless it's an article from The Hill written as an opinion that set a lot of people off.
Ralph
I do have questions about half those articles.
No words.
Jason Blanchard
Well, and we ran out of banter. Good job, everybody.
Ean Meyer
I killed it.
Blake
I'm sorry?
Ean Meyer
I killed it.
Ralph
Gosh, just talking about, you know, hyped up news articles.
Jason Blanchard
Blake, I know last time, we may talk about it again, but you said "sign." You called it a "sign." You called the SIEM, "seem" or "sim," a "sign." I was playing Backdoors and Breaches with someone earlier today who called it a "cm."
Blake
Okay, so it is open interpretation or no.
Jason Blanchard
What are your thoughts? A "cm"?
Blake
So I'm a reformed infosec person now and I say sim.
I don't know where the sign came from. It just happened. And you gotta roll with it. At that point, the cat's out of the bag.
Ean Meyer
Because you gotta admit, if you've only ever read something, how do you know how to say it? I was learning about computers and my uncle was an administrator for a large power company. He did programming in some ancient language. And I said, yeah, I'm on this BBS and they've made me the sysop. And he stares at me.
Do you mean sysop? And I go, sure, yeah.
I'm one of those. He's like. And he just started bawling, laughing. And I'm like, well, that's really not very encouraging, Uncle Terry.
But yeah, you only ever read it. How do you know how to say it?
Blake
Right. Similar jobs. Pseudo or pseudo?
Ean Meyer
Sudo.
Ralph
Sedon't.
Ean Meyer
I keep yelling "sudo" at those puzzles with the math and they never solve themselves. I don't understand how that command works. Sudoku, that's what's up. Sudoku puzzles.
Ralph
Oh, fun story. You don't need sudo. If you just always run as root. Oh, yeah.
Jason Blanchard
All right, Everybody, it is 4:30. It is time for another edition of Backdoors and Breaches Live where we invite guests on from the Infomec. Did I call it Infomec?
Ralph
Here we go.
Ean Meyer
I was supposed to bring my Gundam.
V
How do we restart the live stream?
Ralph
Fly this ship, buddy.
Jason Blanchard
It already started. All right, so welcome to Backdoors and Breaches Live. I'm just Jason Blanchard. I'm not doing much today except controlling the tabletop simulator that Ean Meyer will be using. I'm here to introduce Ean Meyer. He's going to be our Incident Master today. Our hope is to bring on future Incident Masters. So if you've been playing Backdoors and Breaches and you're like, hey, I'd like to do this on a live stream, sure, sounds great. You can always reach out to me on the Discord channel or through email, but Ean Meyer is our host. So if you could bring up Ean, I could just say that Ean is probably one of my favorite people in the infrastructure community. He is the president of BSides Orlando. Just feel like he's an instructor, a great guy, and he's taken Cubicles and Compromises, which is what Backdoors and Breaches is built on, and he just, like, went in another direction with Cubicles and Compromises and turned it into, like, a viable thing. We couldn't do that. And so we created Backdoors and Breaches, but Ean was able to. And so maybe we should just copy what Ean's doing. So instead we just brought him on to play Backdoors and Breaches. And with that, Ean, it's all yours.
Ean Meyer
Well, first off, I mean, you're one of my favorite people, big guy like this. So no. Yeah. Thank you for those kind words. Like I said, my name is Ean Meyer. I do run the Advanced Cubicles and Compromises at Wild West Hackin' Fest, which is coming up in Reno, Nevada. Was it June 16th and 17th there, Jason? So you should definitely sign up for that, if you're listening. As my plug, I'll take the $10 later. With that said, we are going to play Backdoors and Breaches today, and I've put together a wonderful scenario for the team of folks that are going to help us solve this. So if it is your first time hearing about Backdoors and Breaches, if you tuned in to the live stream to see what this is all about, let's talk about it for just a moment. Backdoors and Breaches is a card game that you can play with your business, with your peers, with people that might need to learn a little bit more about incident response and understand the ways in which attackers get into an environment and how you might respond to it. So there's a few rules that you need to understand. We'll go through them real quick and then we'll introduce the team that'll be playing with us today. And if it's, like I said, your first time seeing it, don't worry, it'll all start to make sense pretty quickly. So as we go through this environment, you should be seeing now the game board. We have four things that we need to solve to beat the incident, to stop the attacker. We have our initial compromise, how the attacker got into the environment. We then have our pivot and escalate. Once they got in, where did they move to? What did they do? How did they escalate privilege? Well, just like any good APT, once they've done that, they need to maintain persistence. They don't want to leave, they're comfortable, they've got a couch, they're getting creds, they're stealing stuff, so they want to stay, they don't want to be kicked out. So they've got persistence.
And then the last thing they'll go through and do is the command and control and exfil. How can they send more commands in to get more things? How can they control that persistence that they have? And then how do they get that sweet, sweet, juicy data out of the environment so they can compromise it further? There's some other rules that you should be aware of as well. We have a set of procedures that the team can use. They're laid out on here, and they give them a +3 modifier. Now, what does that mean? These procedures are procedures that the team knows incredibly well. So we saw a SIEM there, we saw calling a consultant, endpoint analysis there, user entity behavior analytics, and then the last one, isolation. So these are procedures that the team knows incredibly well. And when they go to use them to try and figure out any of these four areas that the attackers are using to get into the environment, they get a +3 modifier. And you're saying, but Ean, what are you talking about, a +3 modifier? Well, this game injects entropy, randomness, and that is done in the form of D20 dice. Now, what you're seeing on the screen is a virtual representation of this. In person, I've got one of these cool Black Hills dice, but in person you would roll the dice. And what ends up happening is if you get a one through a ten, well, unfortunately, even though the procedure that you chose to try and figure something out should have worked, it didn't. You know, maybe if you're SolarWinds, I probably shouldn't say that. SolarWinds. You blame the intern. Oh, the intern didn't do it, all right. Or, you know, the backups weren't there or whatever it is, it just didn't work. Now, when it doesn't work, you can't use that procedure again for another three turns. However, if it was one of those written procedures, the ones you just kill it at, you had the Big Four come in and they said, man, you're so incredibly mature in this area. It's amazing.
And you get that three modifier. If you rolled a 10, you get plus three, which brings you up to 10, 11, 12, 13. And now you pass. And if your procedure, if your procedure happens to be one that is effective at discovering one of those four areas, your card flips over and you find out one of the ways, whether it be C2, exfil, pivot, escalate, whatever it is. One of the ways that the attackers got into the environment and what they're doing.
So if it didn't work, it spins. You don't get to use it again. Now, those written procedures, those five that you've got, the +3 ones, those aren't the only ones you can use. Any of the procedures in the Black Hills Backdoors and Breaches card set you can use, they just don't give you that modifier. When you do use them, though, you can't use them again for another three turns as it goes through. So they have that cooldown period, for those of you who are gamers. So last couple rules we want to cover real quick before we introduce the team here is also those rolls. If you happen to roll a one.
You just flat failed. It fell completely on your face. You went to get the backup, and literally you dropped it and it shattered into a million pieces. I don't know how that would happen. It was just that bad. If you roll a one, you have to pull an inject card. So an inject card, and that's a procedure card. Inject card. Here I do. You have to pull an inject card. What's an inject? Well, this is a new thing that comes up. It could be good, it could be bad. Who knows? It's just another problem or benefit that you have to deal with. So if you roll a one or a 20, you do that. Also, if for whatever reason, you pull procedure cards and three times in a row you fail the procedure, the procedure doesn't work, you've got to roll an inject card. So just to, you know, add insult to injury, if you're still not making your way, you pull an inject card. But remember, those injects aren't always bad. Sometimes you get lucky. It's like, oh, somebody found the backup. Ooh, something good happened. So we're going to stop there because I think we covered everything. Jason, did I miss anything before we roll into introductions?
Ralph
Nope.
Jason Blanchard
Just a reminder that there's a three turn cool off period for successful and unsuccessful.
Ean Meyer
Yes, thank you. Thank you for the clarity. Perfect. So I believe we are ready to start. And look, we have this lovely group of folks ready to go here. And I'll just do the quick name introductions for everyone. So, Caitlin, hello. Thank you for joining us today and playing. We've also got V, Q. We've got Blake, myself on camera there, and then we've got Ralph as well. So thank you for joining. Say hi, everybody.
Blake
Hello.
Ean Meyer
Hello. Hi. Hello. Are you ready to play?
Are you ready for the scenario?
V
Yeah, I think it's a little too late to back out.
Ean Meyer
It's too late to back up. Jason will hunt you down.
Ralph
Is it too late to back up? I don't know.
V
It is if you're asking that question. It is too late to back up.
Ean Meyer
Okay, so we're ready for the scenario. Excellent.
Q
Ian scares me a little bit. I don't know why he looks all like sleeping innocence and is going to come up with a crazy scenario. I just know it.
Ean Meyer
Oh, well. I mean, are you prepared for werewolves that have Hak5 devices?
Yes.
Blake
Werewolves love pineapples.
Ean Meyer
Let's do it.
Werewolves love pineapples. So excellent. So we're ready. It's after hours and you find yourself on call for the incident response team. You finally come home after a long week of dealing with triage and alerts and phishing emails, and you get a PagerDuty notification. The security operations center noticed some odd authentications. It hasn't seen them before. You call the SOC to find out what they're seeing and what's going on. They respond back that it looks like they're service accounts of some sort and they seem to be ours. They're using our naming convention, but they're not coming in in the way that they usually would. And some are successful. They're getting logged in and we don't ever see these accounts being used on these services. There's a lot of attempts and we think this might be. And you do your best Penn & Teller. I think we've got a hacker. What's your first move? Feel free to ask questions.
Ralph
Someone said resign. I mean, I don't know.
Blake
It's feeling like an option.
V
To call Cyber Risk Insurance.
Blake
So do we know where these accounts are logging into? And when I say where, do we mean into an Azure login endpoint, or is this authenticating against our Active Directory domain?
Ean Meyer
Okay, excellent question. Hold on, let me ask. Let me get the junior SOC guy.
Okay. They said external. They said it's external. OWA, that kind of stuff. They're just hitting anything that's on the edge.
Ralph
So did you say that they were getting successful logins for some of them?
Ean Meyer
Successful, yeah. Okay.
Ralph
All right. So we have compromised accounts.
Blake
It's a fact, potentially. Or accounts that can log in from external that might have got sprayed.
So the screen's a little blurry for me because it's out of zoom. Is there ability to zoom in and see our.
Ean Meyer
Yeah. Let's go through our procedures again. So what do we have?
Ralph
We have.
Ean Meyer
We can check our SIEM. We can call a consultant. We can.
Look at endpoint security protection analysis. We can do user entity behavior analytics, or we can start isolating systems. Those ones that people are attaching to.
Blake
I would rule out UEBA because if these accounts haven't authenticated before, there's probably not enough context in UEBA to get anything meaningful.
My vote is for the SIEM.
Ralph
All right. Voting for the SIEM.
Ean Meyer
Yeah. All right. We.
Ralph
Sorry, I had to bring it back.
Ean Meyer
There it is. We have our. We have our first move of 10, remember? 10. You have 10 turns to figure this out. You want purple or you want orange? Orange. Who's choosing?
Q
Not me.
Caitlin
Purple.
Ean Meyer
I heard purple, Jason. I heard purple.
Ralph
I'm blaming all of you guys if it doesn't work. Oh my gosh.
Blake
Purple.
Ean Meyer
14. 14.
Excellent. So with 14, we had. That was SIEM log analysis, right, Jason? The one up there, team.
Jason Blanchard
That is correct.
Blake
It's okay.
Ean Meyer
We're going to give them external cloud access for the initial compromise.
Ralph
It seems to work.
Ean Meyer
Yeah, it seems to work. Okay, so. And not that I'm telling you this for any particular reason, but just a reminder that just because you got one once with something doesn't mean that there aren't necessarily others that the SIEM wouldn't have discovered. So just keep that in mind as you're playing through, especially those who are new to watching. I am only required by, you know, South Dakota law, to give you one of the things that are there. I don't know why South Dakota did that or why they. But either way it's a law. Yeah, it's a law. It's just the way it is. So external cloud access. So the SOC starts digging through and they say, hey, wait a minute, I'm noticing here that these credentials, the only time that they ever get used on the network are when they're used to connect services internally up to some of these cloud environments that we have. So I think someone actually may have gotten access to some of these services that we actually have hosted outside and potentially got a hold of these credentials. So we're going to dig into that a little bit further, but that certainly seems to be the credentials that are being used to get into the environment. So you've got a little more detail. You know that somehow an external cloud service potentially has some sort of impact that allowed for attackers to potentially use credentials to get into your environment. Time to turn off the Internet.
Ralph
It was SolarWinds again.
Ean Meyer
That's right, we've got SolarWinds all over again. No, so yeah, so we know that. So now that's turn one. We've now rotated our SIEM card and we are moving on to turn two. What does the illustrious team here suggest we do with the new information? Feel free to ask questions about the first response.
Blake
So to cover this again, you said that the accounts that are authenticating have been provisioned in good faith to connect from on-prem to cloud.
Ean Meyer
Correct.
Blake
So these accounts would then be enabled to access the cloud. It wasn't a change in configuration. We're saying that, is that correct? Credentials have been compromised.
Ean Meyer
Yeah, that is a correct understanding. The credentials that were being used at that point were used specifically and created and configured to work with a cloud, a hybrid environment in which there's some on prem and there's some cloud services and some of the credentials that are being used are ones that have only ever been associated with those services.
Blake
My vote would be to do is the endpoint security analysis. I'm thinking that a box was compromised, the creds were hard coded somewhere to run. That's just a thought.
V
Isn't there a separate one that does the same on servers? I remember there being another card for that.
Caitlin
Server analysis.
Ean Meyer
I'm going to make weird deceptive DM noises when you say things. I'm going to be like.
And that means nothing by the way.
V
That sounds like something out of North Dakota.
Ean Meyer
We don't do what North Dakotans do around here.
Blake
That's just my thought. Just from saying that it was. Those credentials were provisioned for a reason. That's where we would find them.
Ean Meyer
That's a thought.
V
Now, those being service accounts, there's a possibility that they may find more info in server analysis than endpoint analysis.
Maybe.
Ralph
I mean, those service accounts could have been from a workstation, right? I mean, there's tons of different services that run on workstations, log in too, especially like provisioning workstations. That's a common thing I've seen inside of environments. And they'll actually log into the system over and over again to provision and continue. Those credentials get in memory, right? They stay in WDigest, a bunch of different places inside. And you know, if you could extract that, you could possibly win immediately, right?
Blake
Okay, what do we think?
Q
V. Oh, wow, putting me on this spot. Do endpoint analysis. But the question is, do we know which boxes potentially look at?
V
No, but wouldn't if you pick that, wouldn't that just. In spirit of the game, Check all the endpoints.
Ean Meyer
Check all the endpoints. So jump into something like a Carbon Black or an EDR or something like that and say, have I seen this anywhere? Please help.
Blake
Yeah, We've worried on CrowdStrike.
Ean Meyer
Okay. Yeah, yeah. So for those listening at home while they're thinking, the group here is thinking about taking your endpoint detection and response tools and hunting around to see, hey, do we see anything that looks potentially like these credentials executing on the systems and seeing what processes may be running as well. So is that, is that your vote?
Ralph
I'm good with an endpoint. I'm good with the point.
Ean Meyer
Yeah.
Ralph
Or server. Those are both fine. I think there's some win there, but let's do endpoint.
Blake
Yeah, So I think. Not the, not the card with the modifier, we're looking at the standard cards, right? Those two options.
Ean Meyer
Which card are you going to use? That server.
Blake
Now let's go with server analysis. That was Q's. I like Q's original line of thought.
V
Hey, don't blame me for that now.
Ean Meyer
Yeah.
Q
Look, I know everyone would go isolate and I see some comments, but one of the things I learned is that in the spirit of the game, you don't want anything by isolating the machine. However, in practice you would want to isolate. We would want to minimize the impact.
Blake
Yeah, we'd have to find those hosts first though.
Ean Meyer
All right, so which one are you going with?
Q
Orange.
V
Orange.
Ean Meyer
Oh, I'm sorry, but which card did we go with? I thought I heard some isolation changes there or what no. Okay, so a server analysis.
Ralph
Yeah, do server analysis. Let's go. Come on.
Ean Meyer
Okay, let's do it. 7. Okay, so. And server analysis wasn't one of our +3s. Even if it was, it wouldn't have given us a modifier to get there.
I should have gotten the prices right. Like.
That one. That one I feel like is a little too much, but like.
Anyway, so server analysis, unfortunately, you went through and checked the servers and hunted through the environment again, using tools that are on the servers to detect either anything that might be out of place, any sort of indicator of compromise based on what you know, and there was nothing there, nothing that led you to believe that there was any sort of challenge, any sort of link to the IOCs, just nothing. So unfortunately, that didn't do anything. So we're going to give that one a turn; it will be available to you again in three turns. I think the SIEM is now available to you in two turns. Coming back in two turns, and we are moving on to turn three. I need fail horns. Okay, so we're moving on to turn three. So server analysis didn't do anything for us. We still know that there's our cloud services, they're associated somehow. The accounts that are logging in successfully to some places and not to others, those services are still going, and right now we don't know much else.
V
So what the option brought up in addition to the server was the endpoint.
Ean Meyer
Yeah, that was one of the options brought up. So endpoint hunting around and actually seeing if there's something on the individual endpoints that might give us a clue as to how these accounts potentially leaked out into the one.
Ralph
Yeah, we could do endpoint. I mean, does anyone have any.
Ean Meyer
I mean, hey, the crowd.
Blake
My other thought would be RITA.
Ralph
Oh, going for the RITA.
Ean Meyer
Going for cyber deception. All right, is there anyone we haven't heard from? I think we've heard, I don't know everyone's voice when they're away yet. So is there anyone who hasn't chimed in yet? Come on, let's hear the feedback. Let's, let's. You're in the war room. Think about it. It's the old. It's in before times. Your incident response. Now there's cold pizza. Someone brought like half a flat of leftover Red Bull from the last time this happened. You start talking, get a little punchy. No.
All the dad jokes start coming out. Some of you aren't even fathers, just like, I don't even know what happened.
Blake
Laughing at. Laughing at your failure?
Ralph
Yes, exactly.
Blake
Maybe that's just A personal thing. I don't know.
Ralph
Okay. Shining your crying in a corner.
Ean Meyer
Yeah, that's right.
Ralph
You can fight. It's the one.
Ean Meyer
All right, so. So the. The word on the street here is endpoint. How does everyone feel about that? Let's get a thumbs up with everybody on screen.
Ralph
Yeah, let's do it.
Ean Meyer
Thumbs up. Thumbs up. Thumbs up. Be. So he's not okay just doing the whole gladiator thing in the middle there.
You know. Anyway, okay, so we're going end point analysis. All right, let's go ahead and roll.
Ralph
Which.
Ean Meyer
Which color we rolling? Did we already roll? I was looking down. Which one we can orange.
Caitlin
Another shot.
Ean Meyer
Orange. Oh, we're going back to orange.
Ralph
Shoot, here we go. Come on, come on, come on, come on.
V
You know what?
Ean Meyer
We should.
V
We should ban orange.
Caitlin
It's time to retire orange.
Ean Meyer
Yeah, we always get in this game where it's like orange. Susan. Anyway, okay, so we tried our analysis, looked around and. Wait a minute. Hold on. Just realized something.
Ralph
Hey, did.
Ian Meyer
Hey, hold on. Hey. Employment. Yeah. Yeah. Behind the. Put the pizza down. Yeah, the upgrade of Carbon Black. Done. There's 400 systems that. There's 400 systems. Not done yet, of course. Okay, so we didn't find anything because James didn't get this done and the project's behind. So. Yeah, there's no audit to this. So we didn't find anything. And unfortunately.
James.
V
Fire James.
Ralph
That's the last time we hire interns.
Blake
That's the last time we give the intern domain admin privileges.
Ean Meyer
Okay.
V
Is it.
Ralph
Is it that normal? Sop. I don't understand what's wrong with this statement.
Ean Meyer
That's right.
Ralph
That's right.
Ean Meyer
Give them everything. Okay, so we didn't. We didn't learn anything new. We have now failed two rolls. We're moving on to four. So if we fail again, we are going to get one of our inject cards. So this one I really want to. We want to get at.
Jason Blanchard
So.
Ean Meyer
And I need to start keeping track here. So we're on turn four. Keeping track in another window. But. Okay, so we're on turn four. Remember, the SIEM is about to come back online. So we'll have that back next turn.
Q
So maybe do RITA.
Ean Meyer
RITA. Okay, RITA. I see RITA. How are we thinking RITA? For those listening in the audience, what would we get out of RITA?
Q
You asking me?
Ean Meyer
So.
We.
Ralph
We hopefully find out where they're. Where they're at. Right?
Q
Yeah, exactly.
Blake
Exactly.
Q
It's just narrowing it down.
Blake
Detect beaconing, detect east west traffic. Find some Anomalies determine possible source destination inside our network.
Ralph
Where, how?
Blake
They landed on those.
Ralph
Most likely, Janice from accounting system got popped. And so we'll find Janice, right? That's the. That's the hope, right?
Ian Meyer
Who was it?
Jason Blanchard
That.
V
Is that.
Ean Meyer
Is that where we're going to go? RITA?
Blake
We're going RITA.
V
Let's go, RITA.
Ralph
Purple dice. Purple dice. The orange is.
V
You can throw the orange one away.
Ean Meyer
Who? I don't know, V or Caitlin.
Caitlin
Who.
Ean Meyer
Who originally suggested. Who originally suggested Zeek? I heard one of you.
Ralph
I thought it was V. Yeah.
You.
Ean Meyer
Get to choose purple or orange.
Q
I'm not sure as I'm not going to do orange, so. I mean, purple it is. And just for the record, I'm terrible at dice roll, so I'm not expecting.
Ean Meyer
Well, don't worry. If it fails, It's Jason's fault.
Blake
Eleven.
Ralph
It was 11. It fell back.
You touched it.
Ean Meyer
It was three.
Ralph
All right.
Ean Meyer
Okay. So we did. The game is rigged. RITA. Okay, okay.
Blake
Now we resign.
Ean Meyer
Now we resign.
V
Somebody posted a job yet?
Ean Meyer
Yeah.
I'm trying to come up with a quick scenario here. For sure. So there's a couple things that are going to happen here now. So we went into RITA. We started to pull those logs out, looking for beaconing, looking at any sort of behavior there, and. Yeah, hold on. Steve.
V
Steve.
Ean Meyer
Oh, Steve.
Quit. Why? Oh, okay. Steve turned off all the logging. It turns out that we stopped doing candy in the cafeteria. And we're like, steve, it's Covid. We don't do that right now. And he was like.
And so all the logging's been off to bring that data through the network and whatnot. So. James, I know I yelled at you before. No. Okay, it's. Okay, fine. Just fix it. Fix it. Okay, so what else happens as we move on to turn five? Does everyone remember day drinking? Day drinking.
We call our mental health professional and we talk to them over a long cry. That is a better coping mechanism than drinking.
Ralph
Everyone, it's crowding.
Ean Meyer
Okay, we have to pull an inject card because we've had three failures in a row. So, the Ed McMahon to my Johnny Carson, could you get us an inject card from the decky deck? What do we get?
Legal takes your most skilled handler into a meeting to explain the incident. That is not a great card, but it's very realistic. It is realistic. It is absolutely realistic. So who brought the lawyer to the party? So what does this card represent? You are dealing with an incident, and suddenly an executive bursts into the room and says, we've got a contract to sign with IKEA for all kinds of different nuts and bolts that we're going to ship with this blinky box. And we say, why are we even doing this? Shut up. We need that person. Bring them with me. No, we need that we. Oh, okay. Have fun storming the castle. So they've taken them away for very important reasons. So they may never come back. All is quiet now. It's time to step up and shine. Now, I don't actually see a negative on this card other than it. It's kind of a storyline. Jason, can you give some clarity on that? I can't remember if there was actually a downturn to that.
Jason Blanchard
So the thing is that, Ian, you get to choose who's been leading the most in this incident, and they will remain silent until the incident is over. Your choice.
Ean Meyer
Oh, who needs to remain silent? You know what? You know what I think I'm going to do here? I think we're going to take. Hold on. I'm gonna. I'm just gonna leave it to chance because you've all actually been participating really well. So let's see.
I should have gotten the one through 10. There we go. Ralph. Sorry, buddy.
Ralph
How did I know it was gonna be me?
Ean Meyer
I actually got. I rolled until I got a number that matched. You know, going this way and. Sorry, man, I could feel it. Ralph, you've got to go with legal and help them figure out the legal requirements around testing the manufacturing systems for the IKEA nuts and bolts that sold for the government penetration test to make sure that we can actually meet all the FedRAMP requirements and FIPS requirements. So you have fun with that.
Ralph
I feel depressed.
Q
But could we still contact him via email?
Ean Meyer
Could you still contact him by email? You could, but the lawyers are going to tell him we can't bring phones into the room right now. Very highly. You know, as we work out this manufacturing deal for the nuts and bolts that we don't need, but our customers want to come with our blinky box.
V
Do we have an intern who can just walk in with a piece of paper?
Ean Meyer
Do we have a blinker?
Caitlin
Just slide him a note on the table.
Ralph
I'll be over in the corner coloring.
Ean Meyer
Guys, let's move on to five. Time to sing the doom song. So let's move on to five. All right, Ralph, have fun with the legal team. Okay, so I believe we've got the SIEM back on the table. Yay, SIEM back on the table. Remember, you still have your other. You can call a consultant. You've got any of the other procedures. At this point, we don't know anything new yet. We've moved. We moved on to. This is. This is turn five, right? Yeah, this is turn five. So we've got five turns left. We're halfway through the game. You've got one of the four cards needed to stop the incident. What say you?
Caitlin
So maybe this would be a good time to call a consultant. Since we're halfway through, we're not doing so great.
Ean Meyer
Yeah, no, that's not.
V
What do.
Ean Meyer
Yeah, that's a really solid point. Yeah, absolutely. You just lost someone. You say. You go to the legal team and you say, hey, if you're gonna take our person, you got to come up with budget for us to go get somebody, because we're deep in it right now. So that happens in the real world. Who said that? Who was that? Was that Caitlin? Was that B. Yep.
Okay.
Ralph
Is that.
Ean Meyer
Is that what everyone agrees to call a consultant?
Q
Yeah.
Ean Meyer
Excellent. Caitlin, please choose a dice.
Caitlin
All purple, all the way. Let's go.
Ean Meyer
Seven. All right, but that only brings us to ten.
Blake
Modifier.
Ean Meyer
So close.
V
Do we have a third color?
Ean Meyer
Can we swirl it, like. Can we do something? All right, so call a consultant. Unfortunately, didn't work. So I'm gonna. I'm gonna. Let's see. Who was it? Who, Jason? Which one of the consultants? Because I'm not real familiar with consultant cards. Which consultant would have told us, I don't know, pivot and escalate or C2 and exfil? Any of those.
Jason Blanchard
Either George or Chiles or Timidine.
Ian Meyer
Okay, so we call. We call. Okay, we're gonna. All right, perfect. So you pick up the phone, you say, we got to get George. We got to get George on the phone. And get him on the phone, he answers like, hello. Yeah, we need you in here. We really need you in here. Help us figure this out. And he's like, I'm running a SANS course right now, and I got Bryson in my ear talking about what we need to do for Scythe, and I just wish I could help you, but I just don't have the time. Can I get back to you in a couple hours? But, you know, a couple hours might be too late, so you say, thanks for your time. Maybe I can call you back later. Let me know. We'll do that. So, unfortunately, he wanted to help, but he's deep in it too, and he can't get to you yet. So maybe when he comes back around, you can give him a call again. He'll be like, yes, I finished my SANS course, I'm ready to help you, but for right now, nothing. All right, so we're moving on to six. James made the call. That's what. He's over there. I swear he's just playing Warcraft. I don't know. And I'm like, who even does that anymore? And he's like, I play Warcraft. Classic.
Ralph
It's cool.
Ian Meyer
And I'm like, whatever, that's fine. I mean, maybe do your job. Okay, so we're on. We're on a move. Six. We don't know much else. We have three more to go.
Blake
So what does the group think about firewall log?
V
That's what I was looking at this point too, because we're getting so close to the doom time, right?
Blake
We got.
Three cards and five chance.
Ian Meyer
Hopefully there's no modifier on this one.
Blake
So we don't get the plus three. That if we get that eight doesn't bring us to 11. So we're. It's a hard. It's a hard roll on that one.
Caitlin
We do have our SIEM again.
Ian Meyer
Yeah, we do.
V
Would the firewall logs be in the SIEM?
Blake
They could be. They should.
Caitlin
We say they are.
Q
It depends.
V
Were those also turned off?
Blake
Oh, we fixed that.
Ian Meyer
We have to check, but arguably they should be there.
V
Well, in that case, personally, I think the SIEM would kill two birds with one stone.
Blake
Yeah, it could, but if we're trying to pick up the C2, firewall logs would help us as well.
Ian Meyer
Yeah, you gotta check that. Ben's like. If James configured him, forget it. He's like, yeah, I routed. I routed everything to null. That's good, right?
V
I think there's. There's a lot of emphasis on firewall logs.
Ian Meyer
A lot of emphasis on firewall logs. Can we get everyone up on the screen? We'll do a. We'll do a thumbs up vote here. Let's see. Let's bring everybody up. Wonderful. Firewall logs. Thumbs up. Is that one, two. Ralphie, Ralph, get Eric in the legal room.
Ralph
Yeah.
Ian Meyer
Gee, what are you doing? All right, so thumbs up again. Who do we have? Because Ralph can't vote. So we got four. Four of you. One, two, three. Okay. Caitlin's the abstainer. Caitlin, just out of curiosity, where were you? Where were you thinking?
Caitlin
I just think that we should look at the SIEM. I think that hopefully we've got all of those logs in there and we get the plus 3 modifier on it. So if, you know, purple fails us again, then we should be good. Hopefully. Fingers crossed.
Blake
Caitlin, convince me. I'm on the SIEM board.
Ralph
So.
Ian Meyer
Oh, man.
I need somebody to cave here, or. You know what we'll do? We'll do a dice roll to decide.
Ralph
We?
V
What are you thinking?
Q
I don't know. I'm thinking rock, white, paper, scissors. I don't know. I'm kind of in between.
Ian Meyer
You want to let fate decide?
Q
Yeah.
Ian Meyer
Let's do some house rules. Let's do it. Jason, can you give us a roll for whether they want to try their firewall rules or if they want to try the SIEM? And since I'm choosing, we're going orange. All right.
V
By the way, Magneto, you spelled your wrong.
Ralph
Oh.
Ian Meyer
If you roll the dice, does it count as a turn in the tabletop or.
V
No.
Jason Blanchard
So 1 through 10 will be SIEM, and 11 through 20 will be firewall.
Ian Meyer
Okay. See her go.
Blake
Come on.
Ian Meyer
All right, so firewall it is. The fates have decided. Now you have to roll if it's going to be successful. So let's go. Who wants. Does anyone want everything? Everyone wanted to go purple, right? Because now they hate orange.
Blake
We just needed that 20 on our last.
Caitlin
We wasted our good roll.
Ian Meyer
And that would have gotten you an inject.
So a little bit of column A, a little bit of column B. Okay, you guys want to do purple again?
V
Purple hasn't been very friendly either, but we'll do it.
Blake
Okay, nice.
Ian Meyer
So you did your firewall analysis. You start looking through the firewall logs, and everything looks normal. You start looking through, and it's like, wait a minute. This. All. This all seems fine, but then when you start digging a bit deeper. Wait a minute. Hold on. Let me look at this. Wait, Stephanie. Hey. Did you configure that next gen firewall that we got? No, not next quarter. This quarter. So the next. No, the next gen. No, the layer seven. Oh, yeah. It turns out all those cloud services actually go through a layer 7 firewall that hasn't been set up for logging yet. So maybe there was something there, but it's not set up the log yet, unfortunately. That didn't really give you any other information either. What are we on to? This is move seven, right? Let's take a look here. I'm taking some notes to fill you in on the.
V
I'm not going to need to update my resume.
Ian Meyer
When I worked in a NOC that we were going to make it so that certain events automatically uploaded a resume to Monster.
But it was our resume, not like somebody else's. It was a joke. All right, so we're on to move seven. We are running low here. Can we bring up the plus Three cards. Just a little closer. Perfect. All right, so your seam is still there. Your consultant's not back yet. You could do endpoint. You could do user entity behavior and also isolation. So I mean, you've only got seven, eight, nine. Oh, we're on. This is move seven. So you've got a couple moves left. I would highly suggest that maybe you start leveraging some of those other ones to see where it leads you.
Q
What about UEBA? Because it's going to deal with concurrent logins.
Ralph
Yeah.
Blake
UEBA or isolation, just shut down that part of the network.
V
Do we know what part that is?
Q
But is isolation going to give us anything closer to finding out what's happened? Or is it simply just going to isolate the machine? Which in practice works.
Ian Meyer
So having to do a little metagaming right now in the really real world.
Blake
Right. So we have three chances left with three cards left. So in the spirit of the game, to stop the damage, plus using the modifier, which we obviously desperately need. Unless Ian decides to Rickroll us by saying that the layer 7 firewall is not set up.
Q
Yeah, I think they need to really hire some new stuff.
Ian Meyer
Yeah, no, I mean, we get what we can get. I mean, if you came in and you saw the environment the way it is, I mean, you know, we hire the best interns.
V
Ian, you gotta send your employees to Black Hills training.
Ian Meyer
That's true. Absolutely right.
V
Take a class with Beau.
Ian Meyer
That's right. They do need to take a class with Beau. Get some cloud perimeter training, reach that thing.
Q
So what about we do the SIEM again? Because we get the modifier for it.
Ian Meyer
Gonna bring the SIEM back into action. That's right, Thomas. That's what we hired you guys for.
Ralph
The.
Ian Meyer
The.
V
The.
Ian Meyer
The top notch crack incident response team we've got here on the phone.
Q
Wait, we get paid?
Ian Meyer
What's that?
Q
I'm saying, as far as I know, we don't get paid.
Ian Meyer
No. Oh, well, now you get like interns.
Hey, you're getting paid in exposure. All right, so I think we heard SIEM again. Everyone agree with SIEM?
Blake
I'll go with it.
Ian Meyer
Wonderful. Purple dice again.
V
I'll go with the team.
Ian Meyer
Let's give it two.
Blake
Yeah.
Caitlin
It's rigged.
V
The game is rigged.
Blake
We need to do a code review on these dice.
Ralph
This is actually past that point where we put in a resume. Like, I'm just gonna look for a.
Ian Meyer
New job, Like a new career.
Q
Yeah, career change.
Ian Meyer
I'm gonna move. I'm gonna move out to South Dakota and become a farrier. I'm gonna shoe horses. Look.
Okay, so let's get into the scenario here. So anyway, so you rolled, you started digging back through the SIEM again and you're looking through it and you're not seeing anything new. Now what you start to realize as you're looking through here and you're running your searches. Oh, wait a minute, hold on. This query is not done running. What's going on? So the query is just chugging, chugging, chugging, chugging, chugging. And the data you're getting back isn't complete. So you're trying to find something. Maybe there's still something in there, maybe there isn't. But the data you're getting back currently is not showing you anything. So you say, well, you know, maybe we come back to this. Maybe we get a sharper search query, maybe we start looking for something else inside of that search. But right now we've got nothing new. So we're moving on to turn eight. Now let's see, we passed turn six, right? Are we to another inject? Did we fail three times? I think we failed three times, right?
Q
No.
Caitlin
Did you get an 18 on the firewall?
Blake
We did get an 18, yeah.
Ian Meyer
You did pass. Okay, cool. So you got one more until you.
Remember the injects can be good though. They're good injects. So you know, somebody could show up with, like I said, pizza and cold Red Bull, you know.
Blake
Yeah. Is there a sleep option in this game? I mean, how long have we been up working this incident, just getting rolled.
Ian Meyer
As Jason talked about Advanced Cubicles and Compromises, we do take fatigue into account in Advanced Cubicles and Compromises, but not here. That's not part of the play. So. All right, so you've still got a couple cards that you could play there that are not in cooldown. Your consultant comes back in turn nine, but they're not there yet. And you know, you can play some of these other ones, but yeah, I would definitely keep hanging on to those plus threes because it really does seem like you need them. So what do you all think? CEO doesn't care. Oh, they care.
End of quarter. It's the end of the quarter. They want to know what's going on.
Ralph
I think it's Russia.
Ian Meyer
This is too advanced.
But it's not Fancy Bear. It's like a, you know, it's a casual bear. He's got, he's good. It's Lazy Bear. He threw a corporate logo polo on. Khaki Bear.
Ralph
Perfect. That'll be the next APT, right?
Ian Meyer
Okay, so let's all right, Moving through the game here.
V
So isolation and UEBA were suggested previously.
Ian Meyer
Okay, UEBA or isolation? What? Says the team?
Caitlin
I think ueba.
Q
Yeah, I'm gonna go for that one as well.
Ian Meyer
Okay, ueba. All right. Purple. We heard. I think we heard purple.
Ralph
Purple.
Blake
Dice, your days are numbered.
You're back on the end circle.
Ian Meyer
And guess what, Mr. Jason, if you would please reveal for us. Pivot and escalate. We now know that, and you probably could have guessed it was credential stuffing. So what do we now know about the incident? Well, you heard me say service accounts. And what has happened is somehow the attackers have gotten a hold of service accounts that exist in that cloud service, that hybrid cloud environment. And they've started taking them and putting them everywhere they can find them. They're going through, and they're trying to use them because they found them. They found them in that outside service. And they say, wait a minute, hold on. We know that this service is tied back to this company, and so we're going to find anything on their edge that'll take a credential, and we're going to throw it at it, and we're going to see if we can get in. And they were successful in doing so, which allowed them to pivot and escalate into the environment. So now we know that they somehow have gotten cloud credentials.
Out of some cloud service we're using, and they were able to use those to pivot into our internal environment. What we still don't know is what those credentials necessarily were. And we also don't know how they're getting data out or what data they're getting out. So those are. We still need to discover C2 and exfil, and we still need to discover persistence and coming back into gameplay. I believe we do have the consultants now. Correct. With two turns left. So we are on turn nine. You have. You have two turns left and two things to discover. You can do it, I believe in all of you.
Caitlin
So can we do perfectly on these last two turns? Or we maybe get a consultant that gives us some more terms?
Blake
Gets us one.
Ian Meyer
Gets you both. Yeah.
Caitlin
Or gets a. Is there a consultant that gives us both of these?
Ian Meyer
Oh, that's a good question, Jason. I don't know. I don't know. Do we have a consultant that can tell you the. Well, you could. Well, no, you can't, because you only got two turns left. I was gonna say you could choose one of the consultants that gives you, like, a plus five modifier or one of those, but that would only give you one card.
Caitlin
So I think we have a consultant that does extra turns.
Jason Blanchard
Yeah, there's a consultant for extra turns.
Ian Meyer
Oh, who's that? Who's got that wonderful consulting card?
Jason Blanchard
Chloe.
Ian Meyer
A wonderful, wonderful person who would absolutely give you extra turns if she could.
Like. No, we'll get it. We'll do this. We got it. Okay, so what do y'all think? Are you calling. Are you gonna call the consultant? And if you get it. Are you. Are you ringing Chloe?
Blake
Here, use my phone.
Ralph
Yeah.
Ian Meyer
All right. Call the consultant.
Purple treated you well last time. You sticking with purple, everybody?
Ralph
Yes.
Ian Meyer
Not hearing a no. Oh, okay. So why is that roll not coming out, Jason? They get the consultant and they get an inject. Or they just get the inject.
Jason Blanchard
They get the consultant and an inject.
Ian Meyer
Oh, man. This might pull you out. So you get. Can we see the Chloe card first? Yeah, absolutely. So we give Chloe a phone call, and they're like, oh, wow, I'm so sorry that you're. You know, you're having these problems. I've got a team that might be able to help you out that we can have work on this in parallel. Let's see if we can get some defenders on there with you and into your environment, and they can work at the same time during that incident. So now you got a little more head count, a little more horsepower, so you can turn that last turn into. What is this? Three extra turns. So we are now going into extra innings thanks to Chloe, but we also get an inject card. So let's. Let's get our inject card.
And SIEM goes.
We talked about that. That is rough talk.
Blake
Were there any questions that you had?
Ralph
The only thing that's worked.
Ian Meyer
Yeah, what is it?
V
What, was the SIEM running on an old laptop?
Ian Meyer
What's the budget?
Ralph
Jesus Christ.
V
It must be running on AWS.
Ian Meyer
No, they just. It does go down. They just be like a $37,000. Thanks for your.
Blake
Was this the one where they sell you a very small license and then they tell you to send everything to the SIEM?
Ian Meyer
You can run this sensor on a Raspberry Pi. No, the more data trash came up. Because I was saying that. Okay, so let me take a note here for the end.
V
It is now.
Ian Meyer
Okay, so your SIEM's down. Let's get that off the board. And so no more. Yeah.
Ralph
Are there any good inject cards?
Ian Meyer
There are, yeah.
Ralph
I feel like we don't know where they are.
Ian Meyer
Trying to see here. Where is. Oh, yeah, here's a good one. One of the injects is SIEM Analyst Returns From Splunk Training, +2 modifier to all logging. Oh, yeah, there are good ones in there.
Caitlin
I think we got a good inject. Last time we played, actually, it, like, revealed two of the cards.
Ralph
Oh, yeah, yeah, yeah, it did.
Ian Meyer
Okay, so we got three more turns. Chloe's helped us out. We're doing. They're getting there. The SIEM went down, though, so that's going to be a problem because a lot of our logs are going in there. But that's okay.
Ralph
Steve.
Ian Meyer
Yeah. No. Get the SIEM back. No. What do you mean you ran a query to the beginning of time?
We have four terabytes of log. Do you have any.
Just go home for the rest of the. Okay, so Steve ran a query against all four terabytes of log files, and that's what took the thing down. We're going to get it back up, but we might have some data store corruption, so it's going to take a minute to do those restores. Yeah. So there went your SIEM. We'll get it back up and running hopefully soon. But Chloe's got you covered with some extra folks. So what are we going to do here with our. Our next turn? We are on to turn 10. Keeping in mind you have three extra turns.
Caitlin
So this is turn 10, and then we have three additional turns after this one.
V
You want to go with the ones with some extra oomph in them. The endpoint and isolation are the ones that have the. What's that number? The addition.
Ian Meyer
Endpoint plus three.
Ralph
Okay.
Caitlin
I think I vote for Endpoint, so maybe we can figure out the persistence.
Ian Meyer
Okay. I think Q. I think you called that originally purple or orange.
V
That's a hard decision.
Ian Meyer
Oh, man. That's the thing. You take a leadership role. You gotta, you know, run with it.
V
This is not leadership. This is just jumping on the grenade.
Ian Meyer
Everyone else stepped backwards.
V
I'm gonna follow what everybody's been doing and just go with purple.
Ian Meyer
Purple. Purple's good. All right, let's see it. Was that a roll? Was a seven.
V
I don't think it was at all.
Ian Meyer
Was it a roll? Yeah, that was a roll. That was a roll. Okay. And we only saw you pick it up. Yeah.
Caitlin
I don't believe it.
V
Yeah.
Q
I have our three rolls.
Ian Meyer
You know what I love about this? No one's blaming me for this. They're like, jeez.
Like, how did that happen? Okay, so we got a seven. Unfortunately, that only takes us to 10 with your plus three. So you were right at the edge there. So here's the thing. You start looking through the analysis from the behavior analytics, and you're seeing something. Something does look odd. There are some behaviors that you don't necessarily expect to see happen from certain systems, but you can't put your finger on it. There's just something that doesn't look normal. But you. You don't know why. So that's really, you know, unfortunately, because the roll failed you. You're not potentially getting that additional detail, but there's definitely something going on. We are now into extra innings. We had our passing roll, so I think. I don't think we actually get. We. I don't think it's possible for us to get an inject again because we had no. We had a failing. No, we could get an inject again. We could get it on roll 13. Okay, so roll 11.
Q
I would say endpoint analysis or RITA, kind of where my mind is.
Ian Meyer
Okay, so we're going to actually go and look at.
The endpoint on this one. I think I always get the two mixed up. We're actually going in physically looking at the. Grabbing the logs physically off of it. Not remote, correct, Jason?
Jason Blanchard
That is correct. You could remote into it, but you're looking at the. Whatever task you're running and things like that.
Ian Meyer
Wonderful, Perfect.
V
I'm looking at persistence now, right? Persistence. And.
Ian Meyer
Yeah, yeah, you need persistence, and you need C2 and exfil at this point.
Caitlin
So endpoint could get us persistence or RITA could get us exfil. So I think either one is a good option.
Blake
Incident Master. Can you check with James or Steve and see if they got the logs turned back on for RITA?
Ian Meyer
Oh, yeah, hold on. Yeah, hold on, James. Yeah, no, put. Put the Switch down. I don't care if it's Mario Party. Okay, fine. Did you get. Did you get RITA set back up?
Ralph
You get.
Ian Meyer
Yes. No. What? Okay. Yeah. That's wonderful. You got a star in Mario Party. I'm thrilled for you. Now, the RITA logs.
Yeah, no, they think they did it. They think it's back up. But, I mean, we're gonna have to check that work because James always tells us he's got stuff done but doesn't. So anyway. So, yeah.
Q
If only James were as good at his job as he is at playing on his Switch.
Ian Meyer
I know.
V
I don't think he's very good at that either.
Ian Meyer
So I think. So we doing. You trust James?
Ralph
I do not.
Ian Meyer
Okay. First off, James is the. The owner's kid. It's okay. But, you know, just, you know. So anyway, preferential.
A little Bit of nepotism going on. So anyway, so we got to get those two. You said endpoint analysis. And he's a people person, I'm a people person.
So we need either endpoint analysis. And I also heard RITA. What saith the group?
V
I'll do endpoint.
Ian Meyer
Does everyone agree with that?
Blake
Let's do it, let's go.
V
But I'm not picking the dice.
Ian Meyer
All right. I heard Caitlin say let's do it immediately after Q. So Caitlin, you pick the dice. Purple 4.
Ralph
This is the gift of the game.
Ian Meyer
Okay, so we go over and we start looking around to see what we can find out about the systems. And you go over and you think that based on some of the traffic you're seeing, maybe it's the developer. So you go back into the developer pit and you start looking around and seeing, is there anything here that we can look at? So you examine a couple developer laptops, you sit down and they're.
Trying to make a developer joke and I can't come up with it quick enough.
You walk into the developer room and it reeks of kombucha and hoodies.
That's your room.
Anyway, you go in there, you examine the developer laptops, and again, you know, you see something in the user behavior logs and you know that you're getting close, but you're still not quite able to find it. Like everything looks just normal. RGB keyboards everywhere. That's right, they've got those. And if Comrade Ev was on here, they've got productivity hexagons like these.
So okay, yeah, you didn't find anything, unfortunately. So we're going to move on into 12. And I think on this one, I think if we get a failure, we are going to get an inject. Is our consultant already back?
V
Yeah, the consultant is back.
Ian Meyer
Oh, the consultant's back again. Wow, that was fast.
Ralph
Wow, wasn't it?
Ian Meyer
No, I think 9, 10. So they were consultant was 9, 10, 11, 12. Wouldn't that be next turn? Yeah.
Ralph
How dare you.
Ian Meyer
Okay, you know, we didn't like Jason before, but now.
Okay, so RITA was your other one that you had called out. Is there anyone that isn't currently turned that you might also want to take a, a peek at? Inject. Felix is going. So the listeners here are like inject. Inject.
It's a monster.
Ralph
I have an opinion, but I'm gonna keep it to myself.
Ian Meyer
No, we don't keep opinions to ourselves. This is an open loving forum.
V
I mean, what kind of security person keeps opinion that's true, too. Get them access to Twitter.
Ian Meyer
Absolutely. Have you seen my Twitter? All right, so let's. Okay, so what are we doing? Let's get some ideas on the table here.
Jason Blanchard
All right, we're also losing Blake because he has to attend a meeting.
Ian Meyer
Oh, yeah, yeah. We gotta move this.
Jason Blanchard
It's very realistic.
V
That is also very realistic.
Ian Meyer
It is, yeah.
V
Shooting incident. You're gonna have other meetings to go to.
Ian Meyer
All right, so we wouldn't. We would have been right on time, but you got Chloe, so we're in an extra inning. So let's move this foot through 12. What are we gonna do, RITA?
Q
I'm still there.
Ian Meyer
RITA.
Q
All right, but perhaps we should go orange dice and not have Jason roll it.
Ian Meyer
Orange dice.
V
I think.
Ian Meyer
I think the.
V
The preferences do not have.
Ralph
We need a celebrity role.
Ian Meyer
Please, somebody hold his hand.
Jason Blanchard
No one's gonna respond to my emails anymore.
Ian Meyer
I think Jason's the only one that can.
Ralph
So.
Ian Meyer
Here we go.
Ralph
Come on, money.
Ian Meyer
10. All right, so what did we have, though? Because. Did we have a.
Caitlin
Which one was the modifier?
Ian Meyer
Yeah, we don't have a modifier. Okay.
James. Yeah, no, he left. He knew what he did. He knows he's done wrong.
V
Justin, this is the game you invite me to.
Ian Meyer
Yeah, this is. This is the one. This is the one. Yeah. Unfortunately, it seems like James. He left. He knew what was coming. Like, I must ask him, like, hey, did you get those logs? And I was like, oh, yeah, totally. I got the log. I got the logs. I'll be right back. So we got one move left.
Q
Did you beat him up? Did you say I did?
Ian Meyer
Well, no, no. That's against HR policy.
Right? All right, I think we're. We're at the last turn, right? And we got the inject, didn't we? That was inject.
Jason Blanchard
God, you're right.
Ian Meyer
Oh, yeah. Inject to inject.
Ralph
I mean, I keep seeing it in the chat, so I think it's the same. All right.
Ian Meyer
Honeypots deploy. Oh, I think that's a good one. Hold on. Bring it up.
Caitlin
I think.
Ian Meyer
So what do we get?
Jason Blanchard
It reveals the escalate card. It reveals the pivot and escalate card, which you've already.
Ian Meyer
Which we've already revealed. Perfect.
Ralph
A card that does nothing for us.
Ian Meyer
Do anything bad.
Ralph
It doesn't make me feel better.
V
This feels like 2020.
Ian Meyer
What's funny is, y'all were, like, really? Like, I can't wait to break this incident down, because this is gonna be interesting. Okay, so one last move. Let's close her down.
Caitlin
Call a consultant really our only chance, I think.
Ian Meyer
Yeah. And who.
Caitlin
We clearly need somebody to help us out.
Q
What about who would give us C2 or exfil, or both?
Ian Meyer
Is there any way to get you both?
Jason Blanchard
There is no way to get both.
Ian Meyer
There's no way to get both.
Jason Blanchard
There's no way.
Ian Meyer
Let's just see if we can get one. Then we shall not pass. Jason, can we. Well, let's first off, roll. And then if we're gonna say. Are we saying call a consultant?
Caitlin
Yes.
Q
What do we have to lose?
Ian Meyer
The exact mood of an incident response, or towards the end, you're like, whatever.
Q
It is nearly midnight. Just for the record.
Ian Meyer
Okay, so let's give it. Let's give the roll here. Move it along here. Let's. I'm gonna choose. Let's do purple 18. Very good. Who are we choosing, Jason? I guess we just pick one that'll.
Ralph
Give us the best.
Ian Meyer
All right, George, let's see. We already have C2 and exfil. George will give us.
Jason Blanchard
Yep.
Q
Yeah, perfect.
Ian Meyer
Because that works in with the storyline. Everyone good with that?
Q
Yeah.
Ian Meyer
All right, so remember earlier you called George, George, help us out? Well, all right. He finished up his SANS class. He's on a break. And he called back and said, hey, I'm on a break. What's going on? Can I help? And you start describing the problem to him. And he goes, oh, man. That really sounds like you've got. And if we go ahead and reveal the C2 and exfil card, it seems like you've got some exfil over HTTPS. So let's see what's happened so far. So right now you've got a cloud environment that somehow it was leaking some credentials. Those credentials were then used against your environment, and somehow they were getting more data out of your environment using HTTPS and just kind of just going right straight out. So what we didn't get was our persistence card. We don't know how that data was getting out. And unfortunately, I believe that was our 13th turn. So even though Chloe brought in the big guns to help you out, unfortunately, the mystery was not solved. Scooby and the gang will go home.
Lawyers. We'll get Ralph back with the lawyers and say, get the. Get the cyber insurance people. We're in trouble here. All right, so who wants to hear what actually happened?
Ralph
Yes.
Ian Meyer
Everyone's like, do it.
Ralph
Just.
Q
Yes, just tell us.
V
There's so much enthusiasm in here.
Ian Meyer
Actually.
Ralph
No thunder.
Ian Meyer
This particular incident the way I always. Who cares?
Everyone knows attribution's a joke. No. So this was actually based off the most recent Codecov disclosure, where essentially what happened was Codecov, which is a code quality company that integrates into your CI/CD pipeline. And the reason this popped into my head as I was doing this is Rapid7, a large provider of vulnerability and scanning management. For those who are listening to this and aren't, you know, just getting into the field, they had to disclose a breach because they said, hey, we use this Codecov. Codecov, I should say, because it's like a code coverage tool. And attackers were able to use it to get a hold of a portion of our source code. So using that as the basis for this scenario, what actually happened was developers in your organization were using a tool like Codecov that had hard-coded AD credentials in it. Now, these services that were coded into the containers, yeah, they were only ever really running internally to the environment and then connecting outbound to these cloud services that they're actually running in this hybrid environment. You heard me say that this is a hybrid environment, right? So they were phoning home that way. This is also, by the way, a really good reason to not have hard-coded credentials in your containers and use a secrets manager. So the attackers got that initial compromise by poisoning. The reason we have an external cloud service is, just as you can read about in the Codecov breach response, they poisoned the containers that you would pull into your CI/CD pipeline and used their Bash script functions to actually send data out. So that's where we got the HTTPS. If you actually go through and look at the exfil method they were using.
curl over HTTPS through this Bash updater tool that would send the code up to Codecov and then analyze it. And so what they do is they'd send it there, but they'd also redirect it somewhere else and the attackers would analyze it. They found these service credentials which they then used all over the environment. Actually, that's glaring there. But the credential stuffing, they said, hey, let's try and use these everywhere. You then said, well, wait a minute, service accounts are working from the outside. Yes, because those service accounts were set up as domain admin because they were only ever supposed to be inside of the environment. So they went through, they got those credentials, and on external services that for whatever reason had domain admin as an allowed login, externally, they were able to log in. So in the end, it was essentially a supply chain compromise of a code quality tool that allowed for additional credentials to be leaked out and then the attackers to come back in. So it's a little topsy turvy. In this case, the exfiltration actually happened when the credentials got out, not when the attackers got in. So that was the scenario if we want to come back to everyone, if you'd like to ask me questions, call me a jerk, whatnot. I think you all did phenomenally, though, because the notes that I had here, that I actually put up at the top, because I tried to sort of. When you went to the server analysis, I was like, no, go to the endpoints. Because the storyline was going to be. They were running a local Docker container that had their code quality thing on it. They were running it, they were checking it. And your UEBA spotted. Hey, wait a minute. This should never be coming from here. When Caitlin suggested we should try the SIEM again, you should try the SIEM again because that would have given you one of the other ones.
And thankfully, though, for those of you who were worried about the inject, your SIEM not working by the end, there were no cards that were going to discover that. So it actually didn't hurt you.
V
What sucks about this is that our code is still terrible.
Ian Meyer
Right?
Ralph
Right.
Ian Meyer
Just so everyone knows, code is still terrible. And Ralph's in there with the lawyers. He'll be like, hey, can we okay out of the IKEA thing, let's talk about how we've got to pay out on this breach.
Ralph
So.
I'm pick up on Ralph.
Q
Is he still okay? Did you survive the lawyers?
Ralph
That's a negative.
V
Ralph is the only one who gets.
Ralph
To keep his job.
Only by proxy.
Ian Meyer
Yeah, the lawyers at the end took him all out for steak and scotch and whatnot. He's like, so what I miss, folks.
Ralph
Boy, this sounds horrible over there.
Ian Meyer
This is great.
Ralph
These guys just talk and feed me.
Ian Meyer
They did a reverse sear on this steak. It's amazing. Excellent. So thank you all for playing and thank you for having me, Jason. This was a pile of fun. Yeah.
Jason Blanchard
Thank you all so much. We're gonna wrap it up for today. If you joined us at the beginning, if you would like to play in the future, always let us know. If you ever want a demo for you and your organization, you can always reach out to us at Black Hills Information Security and we can do that for you. For those of you that hung out the whole time, thanks for doing that. This was the most brutal game I've ever seen. I've never seen a game this brutal. I've never seen a game go to 13 rounds before, and I've never seen it get to 13 rounds and not be resolved. It's never happened. Like, you had two consultants, you had three inject cards.
Ian Meyer
Those are some mean dice.
Caitlin
Wow.
Jason Blanchard
So well done to our people, our friends who volunteered today, and thank you so much for being a part of our community, and to everyone who watched, thank you. We'll see you next time. And Ian, great job. I mean, the fact that you had to keep rolling with the reason why things weren't working, I was like, I don't know if he's gonna be able to do it again. You're like, James, Jesus Christ. So I definitely learned a couple things today that I'm gonna incorporate into when I play Incident Master.
Ian Meyer
So love you, buddy.
Jason Blanchard
All right, everybody. Thank you. Go ahead and kill it, Ryan. Kill it with fire. And we are out.
V
Thanks, everyone.
Ralph
Bye, guys.
Podcast Summary: Talkin' Bout [Infosec] News – Backdoors & Breaches Live! 05/19/2021
This live “Backdoors & Breaches” session, led by guest Incident Master Ian Meyer and featuring the Black Hills Information Security (BHIS) team and friends, transforms a real-world infosec supply chain breach into a collaborative tabletop incident response game. The episode walks listeners through group decision-making, troubleshooting, random failures, and the complications of incomplete visibility—all while emphasizing the chaos, camaraderie, and gallows humor of incident response in cybersecurity.
In the spirit of the original episode, the tone remains witty, self-deprecating, and pragmatic—showcasing both the technical and human sides of incident response.
If you missed the episode, this play-by-play, complete with quotes and context, will help you understand both the educational value and entertainment that Backdoors & Breaches brings to the table!