Wade Wells
Ooh.
Will
Countdown.
Jason Blanchard
Hello, everybody, and welcome to Backdoors & Breaches Live. We're doing this episode today, very first episode, 001. If you were like, didn't you do this back during the pandemic? Shh.
Will
We don't talk about that time.
Jason Blanchard
So it's a new generation of Backdoors & Breaches players, and we're like, let's go ahead and do this. So today we're calling this what's called a pilot episode, where we don't know what we don't know yet. And so we're going to do this game, we're going to play live, and then we're going to figure out what we need to fix for next time. Like, right before we went live, we remembered there's a Backdoors & Breaches song and we forgot it. And it's fantastic. And it's like, Backdoors and Breaches, and it's great. And so we're going to get that added for next time. But hello, and welcome to today's session. We're just going to jump right into it. And so if you're watching live, thank you so much for being here. We have players we'll introduce as soon as they reveal their first card. You don't even get to know who they are until they've accomplished something today. And so I'm going to give them their scenario. They don't know what this is. I did not practice ahead of time. They don't know what the scenario is going to be today. So it's going to be brand new information for them. They got to meet each other backstage. And so some of them have never met in person before, but they've met virtually. And so here we go. Everybody ready? All right, so here is your scenario today. Jonathan has been on the road for the last couple of weeks. He's a traveling salesperson. So Jonathan's a traveling salesperson, has been on the road for the last couple of weeks, and he's back at the headquarters. Jonathan stops by what's called the help desk, where help desk people work, and Jonathan's like, hey, just want to let you know my computer's been running real slow while I've been on the road, and now I'm just trying to see if you can get it fixed for me. I'm going to be here at the headquarters for the next day or two days, but if you get this up and running for me, that would be great.
And that's when the help desk realizes that this computer is not corporate; it's not a corporate device. And so Jonathan's been using his own personal device for the last couple of weeks on the road because Jonathan believes it makes him a better employee by using his own personal device. And so that is what you have to go on. He believes his computer, like, he clicks on, you know, an app, it takes forever to load, you know, all kinds of stuff. It's just not working the way it's supposed to be. And so the issue that he has is, can you see if you can fix my computer? But the help desk doesn't want to touch it, and so they've sent it over to you, the security team, to see if you can figure out if this thing has been compromised or if there's a problem with it. And if so, what is the initial compromise? How do the attackers pivot and escalate? What are they using for command and control and exfiltration of data, and how are they maintaining persistence? So with that scenario, how would you like to proceed?
Wade Wells
Chris? What do you think?
Will
An option?
Chris Young
Well, I think we should throw it out and get a new computer.
Aaron
Yeah.
Will
An elbow dropped.
Sean
Where's that card?
Aaron
Sorry? Per corporate policy, the instant one that's.
Wade Wells
Going to be, we're going to want to use is Endpoint Analysis, right?
Jason Blanchard
Yeah.
Wade Wells
So theoretically, thinking this doesn't have any of our security tools installed on it, so none of the logs are going to be forwarded. We're not going to be able to use UEBA. So Endpoint Analysis, maybe, and memory analysis would be the first two, I would think.
Will
I agree with Endpoint on.
Sean
That's where I was going to.
Aaron
That's great.
Chris Young
Absolutely.
Jason Blanchard
Any other dissenting thoughts? No. All right, so everyone has their own D20 dice on their own screen, and we're going to be on the honor system today that whatever number they tell us that they've rolled will be the number that they've rolled. And I can normally tell by someone's face that they're lying to me or not. So, wait, Wade, since you're the one that suggested Endpoint Analysis, could you please roll the dice for us and let us know the number that you get?
Wade Wells
All right. All right, here we go. Roll 12.
Jason Blanchard
12. All right, so a couple things. You were successful with your Endpoint Analysis, and it's an established procedure, so established procedures, if you don't know, get a plus three modifier to them. So if you roll a 12, plus three is a 15. So it's solidly a successful roll. One through 10 is unsuccessful, 11 through 20 is successful. So through doing endpoint analysis on this system, you have essentially determined that logon scripts have been installed on this computer. Logon scripts were installed on this system. So first roll, first reveal. So logon scripts. So real quick, if you saw logon scripts installed on a computer, what would you think is potentially going on?
Aaron
Someone's trying to establish persistence.
Wade Wells
Someone's trying to do persistence when the user logs in. Right. So when that computer reboots a lot... We know this guy's a salesman, so I'm guessing he's turning his computer off and on and off and on wherever he goes. So I would imagine that's exactly what this is, probably, like, in a startup folder, right? Or something like that.
Sean
Yeah.
Jason Blanchard
Nice.
Will
They're going to collect information more than likely.
Jason Blanchard
So I did say once you reveal your first card, we will do introductions. And so Sean, go ahead and introduce yourself. Who are you?
Sean
Sure. I'm Sean. I am by trade a program and people manager in tech and security. Many moons ago I was a software dev and a systems admin. I kind of got involved with Black Hills from my last job, actually. We actually brought Black Hills in to work with us and I kind of started hanging out with the community shortly thereafter. And this is my first time on Backdoors and Breaches and I am very excited to be here.
Jason Blanchard
Awesome. And Wade, who are you? What do you do around here?
Wade Wells
Hey, I am Wade Wells. I'm a lead detection engineer for a big company. I do a bunch of live streamy stuff with Black Hills. I am an Antisyphon instructor and just all around community advocate.
Jason Blanchard
And you do BSides San Diego, right?
Wade Wells
I do. I am on the board of BSides San Diego and try to run it every year. It's quite the hassle.
Jason Blanchard
All right, Will, who are you? What do you do around here?
Will
I'm Will, also known as Fat Man Will in the Discord. Been in the community trying to learn everything I can for the past couple years. And I am also now a SOC analyst with BHIS.
Jason Blanchard
Awesome. Oh yeah, and that's right, Sean, you're BSides CT. I think we just sent the whole stuff. Yeah. Chris, who are you? What do you do around here?
Chris Young
Yeah, my name is Chris Young. Username Reach Chris Young. Try to keep it simple. Been in SEO for about 20 years. Definitely picking up into the cybersecurity space and cyber threat intelligence. Recently stepped into the world of being a cybersecurity speaker and this is my first time playing Backdoors and Breaches. Happy to be here.
Jason Blanchard
Awesome. And then last but not Least Aaron. Who are you? What do you do around here?
Aaron
Hi, I'm Aaron. Go by Crypto Jones in Discord. I am a senior developer on the ACM side. I work on the Windows AC event service that communicates with AC-Hunter.
Jason Blanchard
And for those of you that don't know, my name is Jason Blanchard. I'm the co-creator of Backdoors & Breaches. We created this game back in 2019, before the pandemic, and since then it's taken on a life of its own. It's exceeded all of our wildest expectations of usefulness and coolness. Like, we were hoping it'd be cool or useful; it ended up being both. So cool. All right, so next. Oh, did anyone ever notice that the logo for Backdoors & Breaches is actually a maze? Anyway. Yeah, it's fine. It's okay if you didn't. It's cool. All right, so you revealed the very first card, the persistence: logon scripts. And if you've never played Backdoors & Breaches before, you have 10 turns to try to solve the four cards, which means turn number one, you solved one card, which means you have nine turns left to go and three cards left to reveal. So what would you like to do next?
Wade Wells
So what do you guys think? So can we scroll up to the three that we need? Right, so we're trying to do pivot and escalate, C2 and exfil, and initial compromise. Yeah, so try to think about, like, security tools that would definitely detect those. Isolation.
Aaron
Doesn't make sense because it's not on the corporate network, right?
Wade Wells
Correct. Yeah.
Aaron
Cyber deception, having some type of, like, canary token or user token, might not be necessary because we already know that there's someone in the system. Right. Logon scripts. So to me, of the four, the only thing really left is SIEM.
Wade Wells
Well, the deception could detect a pivot and escalate. Right. So if we had some type of deception for, say, a domain admin or something like that, we would be able to detect that going through, which definitely is a thing. Right. It's the same thing with, like, a HoneyBadger or some type of host. We could also detect that, which would be fun. But.
Aaron
But if it's, if it's a personal PC or personal computer, it wouldn't be joined to the domain and have those tools. Right?
Wade Wells
Very true. But he is. So he is logging. I will say he is logging into things. Right. So there definitely may be a pivot to try to get into the domain.
Aaron
Yeah. So then having, because you made that point, I think cyber deception then might be the best. Might be the best option.
Jason Blanchard
All right, well I'm also wondering, I'm.
Sean
Wondering down more on the other procedures side of things.
Will
Yeah, I was going to say I'm.
Sean
Looking at threat hunting and I'm looking at endpoint protection analysis. My only question being, like, in our scenario, given we're talking personal computer, are those actually viable? You know, I don't know what we got access to toolset-wise, but those would be my first go-tos. I'm thinking about how to find the C2 traffic.
Aaron
Well, RITA is a great tool that we could use to look for C2 beacons, but if we use the other procedures we don't get, like, the plus three bonus modifier. That's the only thing. Still 50/50. It's true.
Will
Yeah. I was actually thinking the network threat hunting or firewall log review, try to see if we can see any kind of suspicious connections coming in or out of it.
Aaron
If we do firewall log review, we could correlate with the MAC address, couldn't we? Of the salesperson's computer.
Wade Wells
Yeah. So we can say we have this computer. Right. So it is on the network now. So we are going to be able to watch the traffic and we know it's compromised. So there is a way to look at at least the networking logs that are coming through, because it is... we'll say we have it communicating right now. I think the network threat hunting with RITA is probably the best way to go, just with that.
Aaron
Gotcha.
Sean
Let's do it.
Wade Wells
All right, Sean, Network threat hunting.
Sean
No pressure.
Wade Wells
No pressure.
Sean
Says 18.
Wade Wells
Wow.
Jason Blanchard
18. All right.
Aaron
Very nice.
Jason Blanchard
Rushing it. Something I didn't talk about before is that there's a three-turn cool-off period in Backdoors & Breaches, which is why I'm moving this to three, then two, and eventually one.
Wade Wells
Oh, that makes sense.
Jason Blanchard
You can't keep doing the same thing over and over again, because you know that's not real. So, network threat hunting. Taking a look at it, you are able to determine that this device is exploited. This is the initial compromise. This device is the exploited device, which is potentially letting them pass through that device into your network. But this is the initial point of compromise. It's nothing else that compromised the system. This system was compromised, which is now potentially compromising the rest of your organization. So you have revealed the initial compromise card. So two turns, two cards revealed. Well done. Let's see if you can figure out the pivot and escalate and the C2 and exfil.
Wade Wells
All right, guys, I'm going to let you guys handle this.
Aaron
UEBA, possibly. User and Entity Behavior Analytics.
Wade Wells
So why.
Sean
That's where I was.
Wade Wells
Why? Why UEBA?
Will
Just to see, like, his normal activity on that laptop. So we can see if there's any kind of variation in that, see if anything new's popped up.
Aaron
Salespeople don't actually do anything. So would there even be any.
Will
Shots fired?
Wade Wells
Can we get UEBA on his phone? Maybe. That would probably be the better of the two.
Jason Blanchard
Right? Man, to all of our salespeople watching today, we love you and thank you so much for your support.
Wade Wells
We know you do things.
Sean
And so the two. We're still trying to reveal. We're trying to reveal the pivot. Right, right.
Will
The pivot and the C2 and exfil.
Wade Wells
Yeah, got it.
Will
And I think doing analysis, we could probably find the pivot on that. Possibly.
Chris Young
Well, even with memory analysis, we don't have something to check it against, right? Like, we don't have a hash or a YARA rule.
Wade Wells
Well, memory analysis, you're not necessarily checking for hashes or YARA. You're just looking for crazy, weird things, right? So you would be able to see, like, you would be able to see what programs were run using some, like, special artifacts, right? And be able to see caches and that sort of stuff. There's a bunch of different things you could see with memory analysis. It's more of a historic thing. But the other thing is, depending on what type of analysis you do, you would actually, like... if the computer was turned off, you may not see certain things. Which I'm assuming it was, but I would honestly think memory analysis would bring up something.
Chris Young
I also thought server analysis, but I was looking at where logon scripts are actually stored. Definitely in a domain, maybe even group policy, if we're looking at servers. But this is on the local computer, so I just stayed away from that.
Aaron
One thing that might be... let's not sleep on SIEM, because with, like, Splunk or LogScale, you can correlate events. So we can correlate from the time, you know, Mr. Salesperson started his computer to look... hey, look, now, you know, there's been 13 token requests for the, you know, Active Directory server. So that might be another cool tool to use to figure out what an attacker is doing.
Will
And firewall log review could still be a potential candidate too. Like, somebody just...
Wade Wells
You're just reading the chat. All right, we know.
Will
My mouth, sir.
Wade Wells
Geez, Roswell. Just calling us out, talking. Fucking not. We're not using firewall stuff.
Jason Blanchard
You know what though?
Will
You're gonna, you're gonna mention that I did mention firewall as the last one, so.
Jason Blanchard
Haha.
Wade Wells
So I will admit my first thought was, like, RITA should have caught the C2. Right? So that was like, oh, okay, it didn't catch the C2. Maybe it's in some other weird format. So I think firewall... firewall would catch C2, but.
Aaron
Well, once they have the C2, then they would want to pivot, right?
Sean
Or would they do necessarily?
Wade Wells
It doesn't always follow the freaking cyber kill chain line. It's not always linear. Yeah, usually persistence is the first thing. Well, you establish command and control, then you either maintain persistence in some...
Chris Young
This also isn't an episode of Friends. You don't get to tell us to pivot.
Wade Wells
Pivot.
Jason Blanchard
Wow.
Sean
All right, we gotta pick something, guys. I don't know, should we go firewall? We can go firewall.
Will
Do we want to do firewall or.
Wade Wells
Yeah, let's do firewall. We'll roll.
Jason Blanchard
All right, well, go ahead and roll the dice for firewall.
Will
I hope you're going to be our first fail.
Aaron
Deb, a little bit suspicious of our goals.
Will
She doesn't leave 13.
Jason Blanchard
All right, so through the firewall log review, you've determined that within your organization there are currently eight systems all sending traffic to the same G Drive account. G Drive, eight systems, all sending traffic to the same G Drive account. Three turns, three rolls, three cards.
Wade Wells
Man, we are sinking it. This hour-long webcast is not going to last an hour at this point.
Jason Blanchard
The podcast is going to be like 27 minutes and be like, that was great. And then the next one. So it's an hour.
Wade Wells
The next one, they fail and it goes for the whole hour. Yeah, that's probably what's going to happen.
Aaron
All threes.
Jason Blanchard
All right, so you still have to figure out if you have these internal systems all beaconing out, or essentially sending data out to the same G Drive account.
Will
So then we need to find the.
Aaron
Pivot. SIEM would be a good way to correlate. You know, we have firewall logs. We know X happened at Y. So using SIEM to correlate those timestamps with other activities might be a good way to go.
Wade Wells
You know what a great way to pivot is? It's if, like, a person's browser isn't updated. Right. Like, usually you can exploit the browser and then escalate to sysadmin. I don't know why I would say that, but I'll let you guys, like, look around and figure that out.
Sean
Wade's a plant, guys. Wade is a plant.
Will
Come on. Somebody with a mustache like that could never lie to you.
Aaron
Cyber killed. Shane, I kind of feel like you aren't like a Secret Squirrel kind of guy, are you?
Wade Wells
No. Oh, no, I am definitely, like, tinfoil hat wearing. I take it off and put it on when I see fit. You know, like, I need to. Every now and then, a conversation needs spice.
Chris Young
Trustworthy.
Aaron
That's exactly what a fed would say.
Jason Blanchard
I'm going to recap the scenario real quick. The scenario is Jonathan, the salesperson, was on the road for the last couple weeks, came into headquarters and asked the help desk to help fix his computer. Then the help desk realized it wasn't a corporate system, it was his own personal device. And from there, the help desk was like, I don't want to touch this. We're going to give it over to the security team, which is who has it now, which is the team that's playing. And originally they found that logon scripts were installed. And then when they dug in a little bit deeper, they realized that this device was compromised, through network threat hunting. And they were able to determine through firewall logs that they have internal systems that are all sending data out to the same G Drive account. And so that's where we are. We're trying to figure out, well, how did it get from this one compromised system that Jonathan brought in to potentially throughout the rest of the organization, where other endpoints are now sending the data out to the same G Drive account. So what would you like to do next?
Aaron
I think SIEM is the best choice. What do you guys think?
Wade Wells
I agree.
Sean
I'd go with that.
Chris Young
Yes.
Jason Blanchard
All right, who's going to roll for SIEM?
Chris Young
I can.
Aaron
I can roll.
Jason Blanchard
Who's rolling?
Wade Wells
I am.
Chris Young
Chris.
Jason Blanchard
All right, Chris, you're gonna go ahead and roll. This is an established procedure. You get a plus three.
Wade Wells
You got an 11?
Chris Young
I got an 11.
Jason Blanchard
Okay.
Wade Wells
These are shady rolls.
Jason Blanchard
All right.
Sean
Shortest live stream ever.
Jason Blanchard
No, I would like to know right now. The SIEM was successful, but it is not picking up whatever the pivot and escalate was. So just because you had a successful attempt with a procedure does not mean it reveals the attack card if it is not listed as a detection on that attack card. So whatever the attacker is doing is not detectable to the SIEM. And we'll talk about that at the end.
Aaron
I feel like you're making stuff up, Jason. That's not fair.
Wade Wells
I'm going to tell you, at all the SIEMs I've looked at, there's plenty of times where it just didn't work. No. How much?
Sean
What do you got in it, too?
Jason Blanchard
And Timmy says what should be done in Discord chat. So wait, are you saying you actually...
Aaron
Have to send logs to the SIEM to be able to read the logs? Crazy talk.
Wade Wells
What? Then you have to parse them. What kind of craziness is this? Just a string search.
Will
All right, so endpoint Security Protection Analysis.
Wade Wells
Think about user Mike. I'm leaning towards UEBA. Yeah, because we want to see what users are doing, which things.
Aaron
Which, for the record, Will suggested, like, 10 minutes ago, so.
Wade Wells
Yeah, but it's okay. He didn't.
Sean
It's not about who's right and wrong.
Will
He circles me all the time.
Chris Young
Chris, the backwards hacker shirt on.
Wade Wells
Oh, yeah. Chris, what do you think? Where you go? Where are you leaning?
Chris Young
I want to see what his behavior has been.
Jason Blanchard
For sure.
Wade Wells
Yeah. Do you think it's just him? Like, I'm not even thinking about him. We already know, like, eight people compromised, right? Yeah, we're thinking that maybe we can follow the trail backwards with some crumbs.
Aaron
Would UEBA identify, like, every G drive connection on the network?
Wade Wells
Or it should be able to discover, like, what users are doing weird things. That's if, like, UEBA ever works, to tell you the truth. Kind of.
Will
I mean, with us.
Wade Wells
But. But I think. Okay. Is that what we're gonna go with?
Will
All eight of them?
Aaron
I like it.
Sean
Let's go.
Chris Young
All right, let's have it.
Jason Blanchard
Who's rolling the dice for UEBA?
Aaron
I will.
Jason Blanchard
All right, Aaron, go ahead and roll the dice.
Wade Wells
All right.
Aaron
Oh, my gosh. I swear, I can share my screen if you guys don't believe me, but it's 18.
Jason Blanchard
I mean, if it's 18, it's 18. It's whatever the dice say. So I'm moving this over here. Moving this over here. And you reveal that the attackers were using Broadcast/Multicast Protocol Poisoning in the environment. So five turns, four cards.
Wade Wells
We got them.
Jason Blanchard
You got them? Yes. All right, so let's go ahead and talk through. Like, it's not just revealing the cards that leads to everything that happens. We're actually going to talk through this attack scenario now. And so, well done. You revealed all four cards in five turns. And so the original scenario was Jonathan, a salesperson on the road, came to the office, said, hey, here is my laptop. We found out the laptop was not a corporate laptop. It was a personal laptop. And so it escalated to the security team, where they found that it had logon scripts installed on it. It was the initial compromise. Through network threat hunting, they were able to use firewall logs to figure out that other systems internally were sending data to a G Drive account. And then through UEBA, they determined that broadcast/multicast protocol poisoning is what was used to gain access to other accounts. So with that said, here's the question for each one of you, and I'm going to have each one of you answer this question. So it's going to be a yes, no, or maybe question. So whenever someone plays Backdoors & Breaches, when the session is over, ask every single person who participated this yes, no, or maybe question. So ready? Will, is this a plausible attack that you know of? Yes, no, or maybe.
Will
Yes, under the circumstances, I feel this could happen.
Jason Blanchard
Wade? Yes, no, or maybe.
Wade Wells
Can I go last?
Jason Blanchard
Sure. Aaron? Yes, no, or maybe.
Aaron
I don't think it is. I think that a corporate environment would have things in place to keep these things from happening.
Jason Blanchard
Okay. Sean. Logie. Yes, no, or...
Sean
Call me whichever. Yeah, I'm leaning towards no. I'm a little bit on the BYO device side of things; like, with this little control, it seems a little bit far-fetched. And then I'm also just scratching my head around whether the protocol poisoning is actually a realistic method for lateral movement in this case.
Jason Blanchard
All right, Chris. Yes, no, or...
Chris Young
Maybe. I'll go to the other side just because I want to keep the split and let Wade break the tie. But I'm going to say yes, because you have no idea what people are clicking on recklessly these days. So I want to see. Yeah, just to be ridiculous.
Jason Blanchard
Okay. Wade. Yes, no, or maybe.
Wade Wells
Man, I was trying to bring up that... can you bring up that card? The pivot and escalation card? Yeah, I was trying to look it up. So I will tell you this. The broadcast... yeah. I'm not super familiar with this attack, and I do not think, from, like, reading this right off the bat, I don't think this is... you would be able to pivot based off of this attack to the internal network. So I'm saying no, but I'm not 100% sure. I'm not an expert. I think this may need to be something else, but I'm not entirely sure. I don't have the cards memorized anymore. I used to, in order to cheat and metagame, but it was pretty honestly like... here's the thing, like, RITA is, like, uber powerful. If you just use RITA off the bat, it catches, like, almost everything. But don't... you didn't hear that from me, but. So overall, I do not think this is credible. But I'm pretty sure Jason is going to come in and be like, we did this exact breach. And it is.
Sean
I do want to hear about that, the protocol poisoning, because I was also suspicious of that.
Jason Blanchard
Yeah. So when you're creating a scenario in Backdoors & Breaches, it's not necessarily up to, like, is this possible? It's the discussion that takes place afterwards. And so, like, is this possible where we work? Like, that's the question to ask yourself. Like, is it possible where we work? All right, so I didn't want to ask you if this was possible where you work because I didn't want you to, like, give up any of the, you know, secret things that you might have. But when you're playing internally with your own team, you ask yourself the question, is it possible where we work? And so for the audience and the people watching live right now, feel free to throw into the chat if you think this is possible where you work. Now, wait, no, not where you work, because then that's also giving it up. But think through, is this possible where we work? All right, and then I didn't say this at first, but today's episode was brought to you by Antisyphon Training. So if you ever want to take hands-on training with Antisyphon, it's antisyphontraining.com. And so you can take training with us to learn any of the things here that we're like, I don't know what some of these things were. Well, potentially could happen through training at Antisyphon. All right, so here's how you wrap up a Backdoors & Breaches session. You ask every single person who participated, including spectators, what was your one takeaway from today's session? So I'm going to ask each and every one of you, what was your one takeaway from today's session? So, Sean, what was your one takeaway today?
Sean
Biggest thing is both how to play Backdoors and Breaches and how useful this could be as an alternative to traditional tabletops, which I've done before. And so this just is, like, a great way to mix that up.
Jason Blanchard
Oh, thanks, Sean. Chris, what was your one takeaway today?
Chris Young
I need to take more Antisyphon training classes. I'm surrounded by ninjas and I just want to get up to their level. No, this was really insightful, informative, not only for my personal knowledge, but also just to see how other people think through challenges as well.
Jason Blanchard
Aaron, what was your one takeaway today?
Aaron
To be honest, I had never heard of multicast poisoning, so I'm gonna have to go do some Google-fu and read up on it.
Jason Blanchard
Will, what was your one takeaway?
Will
Mine is actually the same as Aaron's. I didn't know about multicast poisoning, so that gives me something to go look up now.
Jason Blanchard
One of my favorite things about LLMNR is that if you Google search LLMNR, Wikipedia comes up first, then Black Hills. Like, that is how synonymous we are with LLMNR. Or, like, just turn it off. And what we've learned over time is that most organizations turn it off in the gold image that they have for all users, but the sysadmins and the admins do not turn it off for themselves because they want to have everything and then do it themselves. Which is how we generally compromise a ton of organizations, because they forget to turn it off for themselves and so we gain access to their accounts. Wade, what is your one takeaway today?
Wade Wells
Yeah, echoing everyone else, right? I know a little bit about LLMNR, but I kind of wanted to understand what everyone else thought about it too. That's why I wanted to go last. Um, so definitely cheated there. I do have to research more about that now. Like, thinking about it too. Like, if the host was on the network, right? That sales guy joined the network and then he was able to escalate. Like, it's definitely possible then. Now that we talk about and think about it. And just always remember the SIEM isn't always the way to go. Logs aren't always the best thing. Sometimes you have to do active things.
Jason Blanchard
Well, thank you so much for watching Backdoors & Breaches Live. Today's session was only 30 minutes long because you rolled very well. Suspiciously well. But it's fine. It's fine. This is our very first episode. If you like this, let us know. Reach out to us and ask. Let us know if you want more of this. It will be a different scenario every time. And our goal is to take the scenario that we use today and then put it out to the community. So that way, if you're trying to think of what scenarios to use inside your organization... because we didn't even touch on, like, can you legally touch Jonathan's computer? Do you have the policy to touch Jonathan's computer? There's, like, a lot of stuff there that we could have dug into, but I chose not to today.
Aaron
I tried to reject the idea, but Jason was like, nope, we're playing the game. I don't care what you say.
Jason Blanchard
Yeah.
Sean
Policy with me on the group. I get it, I get it.
Wade Wells
I totally forgot. Like, we didn't even talk about this. Were we playing with injects too?
Jason Blanchard
Only if you roll a 20 or a one, or have three failed rolls in a row. But you had three successful rolls in a row, and I almost thought about bringing an inject in, just... You should have.
Wade Wells
You should have.
Chris Young
You should.
Jason Blanchard
We're also just using the core deck today, so in the expansion deck, there's a lot more evil injects, because we just got mean.
Wade Wells
In the second Wade catches food poisoning, he's out of the game.
Aaron
Speaking of expansion decks, there's been, like, three or four new expansion decks that have come out, right? What exactly are the expansion decks?
Jason Blanchard
Yeah. So, Ryan, if you want to throw it up big on the screen: if you go to Play Backdoors & Breaches, it's totally free for anyone to use. We have the Cloud Security deck, the expansion deck, the Huntress deck, the Red Canary deck, the Den Secure deck, the Trimark deck. We have an ICS and OT deck if you want to do industrial control systems and SCADA systems, and then we have the Mega deck. And then finally, if you want to build your own attack scenario, you go down to Scenario Tools, go to Scenario Tools, Custom, and then you essentially can use every single card we've ever created all in one deck, and pretty much build the TTPs of any APT. And that was a lot of acronyms. And with that, any other questions before we wrap up?
Wade Wells
The whole time we were playing, I was trying to figure out how to make a. How to look at all the cards with that custom tools and the scenarios down at the bottom. I thought there was, like, something that I was missing where it was like DM type of deal, but now I can actually read that element of card.
Sean
So we can all add a. Wade likes to cheat.
Jason Blanchard
I like to be.
Sean
That's the other learning for everyone else here, you know, I just want to.
Chris Young
Make sure we're not overlapping backdoors and breaches with Oregon Trail. I don't want somebody to get dysentery and not make it to the end.
Wade Wells
Well, we. It does. It did overlap. It does. If you roll a one, it overlaps real good.
Jason Blanchard
We have an inject card where a bear attacks a power station, and so the power goes out.
Sean
Bear versus power station. I like it.
Jason Blanchard
All right. Everybody. Thank you so much for playing today. Thank you so much for joining us. And tune in in the future for episode two of Back Doors and Breaches Live. And thank you so much to our guest for joining us today and for being willing to go first. We appreciate you. And in the future, if you want to be a part of Backdoors and Breaches, if you want to be a guest on, we would love to have you. So just reach out to us and we'll start building out a roster of who's going to be playing Backdoors and Breaches live. With that. Kill it, Ryan. Kill it with fire.
Podcast Summary: Talkin' About [Infosec] News, Powered by Black Hills Information Security
Title: SPECIAL PRESENTATION: Backdoors & Breaches Live
Host/Author: Black Hills Information Security
Release Date: September 16, 2024
Episode Number: 001
In the premiere episode of Backdoors & Breaches Live, hosted by Jason Blanchard from Black Hills Information Security (BHIS), the team embarks on a live interactive session to explore modern cybersecurity threats through a game-based scenario. The episode serves as both a pilot and a real-time demonstration of the Backdoors & Breaches game, designed to simulate and dissect cybersecurity incidents.
Jason Blanchard [00:01]:
"Hello, everybody, and welcome to Backdoors and Breaches Live. We're doing this episode today, very first episode 001."
Jason introduces the session's format, explaining that players will receive a scenario involving a simulated cybersecurity incident. The team is tasked with identifying the nature of the breach, determining the attack vectors, and understanding the adversaries' tactics.
Jason Blanchard [00:15]:
"So it's a new generation of backdoors and breaches players, and we're like, let's go ahead and do this."
The scenario revolves around Jonathan, a traveling salesperson who returns to headquarters and reports that his personal laptop is running slow. The help desk discovers that the device is not corporate-owned and escalates the issue to the security team to investigate potential compromises.
Jason Blanchard [01:22]:
"Jonathan's been using his own personal device for the last couple weeks on the road because Jonathan believes it makes him a better employee by using his own personal device."
As the game progresses, each participant introduces themselves, sharing their roles and backgrounds in cybersecurity.
Sean [05:16]:
"I'm Sean. I am by trade a program and people manager in tech and security... this is my first time on backdoors and breaches and I am very excited to be here."
Wade Wells [05:41]:
"Hey, I am Wade Wells. I'm a lead detection engineer for a big company... I am on the board of BSides San Diego and try to run it every year."
Will [06:03]:
"I'm Will, also known as Fat Man Will in the discord... I am also now a SOC analyst with BHIS."
Chris Young [06:22]:
"Yeah, my name is Chris Young... Been in SEO for about 20 years... Recently stepped into the world of being a cybersecurity speaker."
Aaron [06:43]:
"Hi, I'm Aaron. Go by Crypto, Jones and Discord... I am a senior developer on the ACM side."
Jason Blanchard [06:56]:
"I'm the co-creator of Backdoors and Breaches..."
The players begin by assessing the scenario. Wade suggests starting with Endpoint Analysis since the device lacks corporate security tools, complicating log retrieval.
Wade Wells [03:07]:
"We're going to want to use is Endpoint Analysis, right?"
After agreement, the team rolls dice to determine the success of their actions, following the game's mechanics where each roll affects the discovery of attack elements.
Jason Blanchard [03:53]:
"12. All right, so a couple things. You were successful with your Endpoint Analysis..."
The team successfully identifies that login scripts have been installed on Jonathan's laptop, indicating an attempt to establish persistence by the attacker.
Wade Wells [04:44]:
"Someone's trying to establish persistence when the user logs in."
Next, Sean opts for Network Threat Hunting, using firewall logs to trace malicious activity. The successful roll reveals that the compromised device is communicating externally, marking it as the initial point of compromise.
Jason Blanchard [10:54]:
"Through network threat hunting, they were able to use firewall logs to figure out that other systems internally were sending data to a G drive account."
As the investigation deepens, the team uncovers that multiple internal systems are exfiltrating data to the same G drive account. To trace the attackers' movements within the network, they consider using Security Information and Event Management (SIEM) tools.
Aaron [16:29]:
"Pivot SIEM would be a good way to correlate... might be a good way to go."
However, their attempt to use SIEM does not reveal additional attack actions, leading to discussions about the limitations of their tools and methodologies.
Jason Blanchard [18:37]:
"And you reveal that the attackers were using Broadcast Multicast protocol poisoning on the environment."
Despite uncovering a sophisticated attack vector, some players express skepticism about the plausibility of such methods in real-world scenarios.
Jason poses a critical question to the participants about the realism of the attack scenario, prompting honest reflections on its viability.
Jason Blanchard [21:36]:
"Is this a plausible attack that you know of? Yes, no, or maybe."
The responses reveal varied perspectives:
Will [22:41]:
"Yes, under the circumstances, I feel this could happen."
Aaron [22:52]:
"I don't think it is. I think that a corporate environment would have things in place to keep these things from happening."
Sean [23:05]:
"I'm leaning towards no... I'm also just scratching my head around whether the protocol poisoning is actually a realistic method for lateral movement in this case."
Chris Young [23:25]:
"Maybe I'll go to the other side just because I want to keep the split and let Wade break the tie."
Wade Wells [23:39]:
"I do not think this is credible... But I'm pretty sure Jason is going to come in and be like, we did this exact breach. And it is."
As the session concludes, each participant shares their primary takeaway from the experience:
Sean [26:06]:
"Biggest thing is both how to play backdoors and breaches and how useful this could be as alternative to traditional tabletops."
Chris Young [26:19]:
"I need to take more Antisyphon training classes... insightful, informative... how other people think through challenges."
Aaron [26:35]:
"I had never heard of multicast poisoning, so I'm gonna have to go do some Google-fu and read up on it."
Will [26:43]:
"Mine is actually the same as Aaron's. I didn't know about multicast poisoning, so that gives me something to go look up now."
Wade Wells [27:25]:
"Always remember the SIEM isn't always the way to go. Logs aren't always the best thing. You have to do active things."
Jason wraps up the episode by highlighting the educational value of the game, encouraging listeners to engage with Backdoors & Breaches as a tool for enhancing cybersecurity training and awareness. He also promotes upcoming expansion decks that offer more complex scenarios and tools for deeper engagement.
Jason Blanchard [28:37]:
"If you like this, let us know. Reach out to us and ask. Let us know if you want more of this."
He emphasizes that each game session provides unique scenarios tailored to help organizations prepare for real-world cybersecurity challenges.
Jason Blanchard [30:02]:
"We have the Cloud Security deck, the expansion deck, the Huntress deck... build the TTPs of any APT."
The episode concludes with humorous exchanges among the team, reinforcing the collaborative and engaging nature of the session.
Jason Blanchard [30:53]:
"We have an inject card where a bear attacks a power station, and so the power goes out."
The inaugural episode of Backdoors & Breaches Live successfully introduces listeners to an innovative approach to cybersecurity education through interactive gameplay. By simulating real-world attack scenarios, the team not only demonstrates effective investigative techniques but also fosters a deeper understanding of potential threats and the importance of robust security measures. The episode sets the stage for future sessions, promising diverse and challenging scenarios to further engage and educate the infosec community.