Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Title: SPECIAL PRESENTATION: Backdoors & Breaches Live
Host/Author: Black Hills Information Security
Release Date: September 16, 2024
Episode Number: 001
Introduction
In the premiere episode of Backdoors & Breaches Live, hosted by Jason Blanchard from Black Hills Information Security (BHIS), the team embarks on a live interactive session to explore modern cybersecurity threats through a game-based scenario. The episode serves as both a pilot and a real-time demonstration of the Backdoors & Breaches game, designed to simulate and dissect cybersecurity incidents.
Jason Blanchard [00:01]:
"Hello, everybody, and welcome to Backdoors and Breaches Live. We're doing this episode today, very first episode 001."
Scenario Setup
Jason introduces the session's format, explaining that players will receive a scenario involving a simulated cybersecurity incident. The team is tasked with identifying the nature of the breach, determining the attack vectors, and understanding the adversaries' tactics.
Jason Blanchard [00:15]:
"So it's a new generation of backdoors and breaches players, and we're like, let's go ahead and do this."
The scenario revolves around Jonathan, a traveling salesperson who returns to headquarters and reports that his personal laptop is running slow. The help desk discovers that the device is not corporate-owned and escalates the issue to the security team to investigate potential compromises.
Jason Blanchard [01:22]:
"Jonathan's been using his own personal device for the last couple weeks on the road because Jonathan believes it makes him a better employee by using his own personal device."
Player Introductions
As the game progresses, each participant introduces themselves, sharing their roles and backgrounds in cybersecurity.
- Sean [05:16]: "I'm Sean. I am by trade a program and people manager in tech and security... this is my first time on backdoors and breaches and I am very excited to be here."
- Wade Wells [05:41]: "Hey, I am Wade Wells. I'm a lead detection engineer for a big company... I am on the board of BSides San Diego and try to run it every year."
- Will [06:03]: "I'm Will, also known as Fat Man Will in the Discord... I am also now a SOC analyst with BHIS."
- Chris Young [06:22]: "Yeah, my name is Chris Young... Been in SEO for about 20 years... Recently stepped into the world of being a cybersecurity speaker."
- Aaron [06:43]: "Hi, I'm Aaron. Go by Crypto Jones on Discord... I am a senior developer on the ACM side."
- Jason Blanchard [06:56]: "I'm the co-creator of Backdoors and Breaches..."
Gameplay: Initial Compromise
The players begin by assessing the scenario. Wade suggests starting with Endpoint Analysis since the device lacks corporate security tools, complicating log retrieval.
Wade Wells [03:07]:
"We're going to want to use Endpoint Analysis, right?"
After agreement, the team rolls dice to determine the success of their actions, following the game's mechanics where each roll affects the discovery of attack elements.
Jason Blanchard [03:53]:
"12. All right, so a couple things. You were successful with your Endpoint Analysis..."
The team successfully identifies that login scripts have been installed on Jonathan's laptop, indicating an attempt to establish persistence by the attacker.
Wade Wells [04:44]:
"Someone's trying to establish persistence when the user logs in."
Discovering the Initial Compromise
Next, Sean opts for Network Threat Hunting, using firewall logs to trace malicious activity. The successful roll shows that Jonathan's laptop is not the only affected host: firewall logs reveal other internal systems sending data to the same external account, which the game presents as the initial compromise.
Jason Blanchard [10:54]:
"Through network threat hunting, they were able to use firewall logs to figure out that other systems internally were sending data to a G drive account."
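The firewall-log hunt described above, reduced to code as an added example (this is not code from the episode or from BHIS): aggregate outbound bytes per internal source and external destination, then flag any destination that several internal hosts are each pushing a large volume to. The log format, the hosts, the IP addresses (documentation ranges) and the byte counts are constructed for illustration; the thresholds are assumptions a hunter would tune to the environment.

```python
"""Added example: hunting egress firewall logs for several internal hosts
sending data to one external cloud-storage destination.
Not code from the podcast episode or from BHIS; log format and values are constructed."""
from collections import defaultdict
from typing import Optional
import ipaddress

# Constructed sample lines: timestamp, src_ip, dst_ip, dst_host, bytes_out.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts.
FIREWALL_LOG = """\
2024-09-10T08:01:12Z 10.20.5.44 203.0.113.14 drive.google.com 48213
2024-09-10T08:03:40Z 10.20.5.44 203.0.113.14 drive.google.com 9120077
2024-09-10T08:05:02Z 10.20.7.19 203.0.113.14 drive.google.com 7345600
2024-09-10T08:06:55Z 10.20.9.3 203.0.113.14 drive.google.com 6201933
2024-09-10T08:07:10Z 10.20.5.44 198.51.100.69 www.example.org 2048
2024-09-10T08:08:30Z 10.20.7.19 198.51.100.34 cdn.example.net 51200
2024-09-10T08:09:44Z 10.20.1.10 10.20.1.200 fileserver.corp.local 80000000
not a log line at all
"""

# RFC 1918 space; adjust to the organisation's actual internal ranges (assumption).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, host, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return {"ts": ts, "src": src, "dst": dst, "host": host, "bytes": int(nbytes)}
    except ValueError:
        return None


def egress_by_destination(log_text: str) -> dict:
    """Return {dst_host: {src_ip: total_bytes}} for internal-to-external flows only."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Skip inbound traffic and internal-only transfers (e.g. to a file server).
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        totals[rec["host"]][rec["src"]] += rec["bytes"]
    return {host: dict(per_src) for host, per_src in totals.items()}


def find_shared_exfil(log_text: str, min_hosts: int = 2, min_bytes: int = 1_000_000) -> dict:
    """Destinations to which at least `min_hosts` distinct internal hosts
    each sent `min_bytes` or more. Thresholds are assumptions to tune."""
    findings = {}
    for host, per_src in egress_by_destination(log_text).items():
        heavy = {src: b for src, b in per_src.items() if b >= min_bytes}
        if len(heavy) >= min_hosts:
            findings[host] = heavy
    return findings


if __name__ == "__main__":
    for host, sources in find_shared_exfil(FIREWALL_LOG).items():
        print(f"{host}: {len(sources)} internal hosts, "
              f"{sum(sources.values())} bytes out")
        for src, total in sorted(sources.items()):
            print(f"  {src}: {total} bytes")
```

The point of the aggregation is that a single host uploading to a cloud-storage domain is routine, while several internal hosts sending megabytes to the same account in the same window is the pattern the team spotted in the game; on real logs, the destination would need to be resolved past a shared CDN or cloud front-end before drawing that conclusion.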
Escalation and Pivoting
As the investigation deepens, the team uncovers that multiple internal systems are exfiltrating data to the same G drive account. To trace the attackers' movements within the network, they consider using Security Information and Event Management (SIEM) tools.
Aaron [16:29]:
"Pivot SIEM would be a good way to correlate... might be a good way to go."
However, the SIEM attempt does not reveal any additional attacker actions, leading to a discussion of the limits of log-based tools and of the team's methodology. A subsequent reveal exposes how the attackers moved through the network:
Jason Blanchard [18:37]:
"And you reveal that the attackers were using Broadcast/Multicast Protocol Poisoning on the environment."
With the pivot technique on the table, some players question whether such an attack is plausible in a real-world environment.
Assessing Attack Plausibility
Jason poses a critical question to the participants about the realism of the attack scenario, prompting honest reflections on its viability.
Jason Blanchard [21:36]:
"Is this a plausible attack that you know of? Yes, no, or maybe."
The responses reveal varied perspectives:
- Will [22:41]: "Yes, under the circumstances, I feel this could happen."
- Aaron [22:52]: "I don't think it is. I think that a corporate environment would have things in place to keep these things from happening."
- Sean [23:05]: "I'm leaning towards no... I'm also just scratching my head around whether the protocol poisoning is actually a realistic method for lateral movement in this case."
- Chris Young [23:25]: "Maybe I'll go to the other side just because I want to keep the split and let Wade break the tie."
- Wade Wells [23:39]: "I do not think this is credible... But I'm pretty sure Jason is going to come in and be like, we did this exact breach. And it is."
Key Takeaways
As the session concludes, each participant shares their primary takeaway from the experience:
- Sean [26:06]: "Biggest thing is both how to play backdoors and breaches and how useful this could be as an alternative to traditional tabletops."
- Chris Young [26:19]: "I need to take more Antisyphon training classes... insightful, informative... how other people think through challenges."
- Aaron [26:35]: "I had never heard of multicast poisoning, so I'm gonna have to go do some Google-fu and read up on it."
- Will [26:43]: "Mine is actually the same as Aaron's. I didn't know about multicast poisoning, so that gives me something to go look up now."
- Wade Wells [27:25]: "Always remember the SIEM isn't always the way to go. Logs aren't always the best thing. You have to do active things."
Conclusion and Future Directions
Jason wraps up the episode by highlighting the educational value of the game and encouraging listeners to use Backdoors & Breaches as a tool for cybersecurity training and awareness. He also points to the expansion decks, which add scenarios, tools and injects for deeper engagement.
Jason Blanchard [28:37]:
"If you like this, let us know. Reach out to us and ask. Let us know if you want more of this."
He notes that the decks can be combined to model a chosen adversary's tactics, techniques and procedures, so that each session can be built around a scenario relevant to the organization playing it.
Jason Blanchard [30:02]:
"We have the Cloud Security deck, the expansion deck, the Huntress deck... build the TTPs of any APT."
The episode concludes with humorous exchanges among the team, reinforcing the collaborative and engaging nature of the session.
Jason Blanchard [30:53]:
"We have an inject card where a bear attacks a power station, and so the power goes out."
Notable Quotes
- Jason Blanchard [00:01]: "We're doing this episode today, very first episode 001."
- Wade Wells [03:07]: "We're going to want to use Endpoint Analysis, right?"
- Wade Wells [04:44]: "Someone's trying to establish persistence when the user logs in."
- Aaron [16:29]: "Pivot SIEM would be a good way to correlate... might be a good way to go."
- Jason Blanchard [21:36]: "Is this a plausible attack that you know of? Yes, no, or maybe."
- Sean [26:06]: "Biggest thing is both how to play backdoors and breaches and how useful this could be as an alternative to traditional tabletops."
Final Thoughts
The inaugural episode of Backdoors & Breaches Live successfully introduces listeners to an innovative approach to cybersecurity education through interactive gameplay. By simulating real-world attack scenarios, the team not only demonstrates effective investigative techniques but also fosters a deeper understanding of potential threats and the importance of robust security measures. The episode sets the stage for future sessions, promising diverse and challenging scenarios to further engage and educate the infosec community.
Connect with Black Hills Information Security:
- Website: blackhillsinfosec.com
- Podcast: Available on major platforms
- Training: antisyphontraining.com