Choose your own Blue Team Adventure with The Unicorn Company, INC.
It’s 4:45pm in the office (remember when that was a thing?). On a Friday. Almost time for the weekend! Your mind turns to your plans. An evening of Glam hosted by Alyssa Miller tonight. Catch up on that episode of Cooking with Bryson with Dave Kennedy; you are definitely going to try to make Dave’s Famous Wings on Saturday. And Sunday morning, well, absolutely nothing, you plan to sleep until the afternoon.
Then the phone rings. Do you answer it?
(align: "==><==")[ ]
(align: "<==")[[[Yes->WHO IS THIS]]]
(align: "<==")[[[No->TED!]]]
WHO IS THIS?
A clearly disguised voice speaks, “You’ve been hacked. Send 10 Bitcoin to the following wallet.”
<click>
Your co-worker, Ted, is looking at you. Your face must’ve given away that the call wasn’t good.
(align: "==><==")[ ]
(align: "<==")[[[IT BEGINS->Your mind begins to race.]]]
TED!
You let it ring. It’s Friday afternoon. It rings a few times, then stops. Phew. Just 10 more minutes until you. Are. Out. Of. Here!
Ted’s phone rings.
.
.
.
Ted picks it up.
.
.
.
Ted! Of course, Ted picks it up. Sigh. Darn it, Ted!
.
.
.
Meanwhile, Ted’s face goes white. He hangs up and turns to you. “We’ve been hacked.”
(align: "==><==")[ ]
(align: "<==")[[[IT BEGINS->Your mind begins to race.]]]
IT BEGINS
<unlisted number>
Your mind begins to race. As the current on-site lead for the company’s incident management process, the next step is up to you. Ted stares at you waiting.
(align: "==><==")[ ]
(align: "<==")[[[Call the CEO->CEO]]]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
(align: "<==")[[[Cut off all internet connections->CUT THE INTERNET]]]
(align: "<==")[[[Call the CISO->CISO]]]
(align: "<==")[[[Power off all systems->SHUT IT DOWN]]]
CEO
The CEO is in Tokyo on a work trip to negotiate a partnership with Zen Hooves. Do you know what time it is there? You know now. Quite clearly. After the yelling subsides, she snaps, “So... why are you calling me?”
“Well, we’ve just been informed we’ve been hacked.”
“What?”
“Yeah, we received a call from an unidentified number requesting ransom payment.”
“And…?”
“Well, um, that’s it.”
“...when I get back, your boss and I are going to have a conversation.”
<click>
Maybe… you should do something else?
(align: "==><==")[ ]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
(align: "<==")[[[Cut off all internet connections->CUT THE INTERNET]]]
(align: "<==")[[[Call the CISO->CISO]]]
(align: "<==")[[[Power off all systems->SHUT IT DOWN]]]
SIEM LOG ANALYSIS
You look through the SIEM logs. The SIEM has plenty of endpoint logs, but it doesn't seem to be receiving the firewall or outbound proxy logs at all. How much data are we missing? How long has this been the case, and why didn't anyone notice before?
(align: "==><==")[ ]
(align: "<==")[[[Check firewall logs->FIREWALL]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
(align: "<==")[[[Check endpoint logs->END POINT]]]
(align: "<==")[[[Call the CISO->CISO]]]
RED TEAM
Red Team picks up. “Yo, what’s up?” They’re in a good mood because your teams just completed a successful purple team exercise with… <ready for a shameless plug?> SCYTHE! Quickly deploying realistic APT emulations and working together to improve protection, detection, and response. But, to the problem at hand.
“Tell me this isn’t your team pulling this right now late on a Friday before the weekend.” You explain the phone call you just received.
“Nope, it isn’t us. But, we did identify a number of new systems being deployed with the same local admin password. We identified and reported the issue 5 days ago. You should probably get on that.”
“Kk, thanks. Have a great weekend!”
<click>
(align: "==><==")[ ]
(align: "<==")[[[Call the CEO->CEO]]]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Cut off all internet connections->CUT THE INTERNET]]]
CISO
You call the CISO. You get her on the phone and explain the situation. She says, “You are the Incident Handler! You tell me what to tell senior management, and resolve this ASAP or we’re all out of a job.”
(align: "==><==")[ ]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Check firewall logs->FIREWALL]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
(align: "<==")[[[Cut off all internet connections->CUT THE INTERNET]]]
SHUT IT DOWN!
Power off all systems: you tell the team to start powering everything off.
Ted notes, “Um… we’ll lose all the volatile memory that could have been used to understand how this attack happened: initial compromise, lateral movement, and impact. All endpoint evidence, gone. We’d mitigate the attack in the short term, but at what cost? We won’t be able to figure out what’s really going on.”
“Ah, yeah, good point. Let’s get some more information first.”
(align: "==><==")[ ]
(align: "<==")[[[Call the CEO->CEO]]]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Call the CISO->CISO]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
FIREWALL LOGS
You check the firewall logs. Sure enough, there are a few suspicious outbound destinations, and several computers are beaconing out to them at regular intervals. There are also 8 machines that reached out and pulled a page from pastebin.com, which is not normal behavior for these workstations.
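The two signals in that passage, regular-interval beaconing and fetches from pastebin.com, can be pulled out of firewall or proxy logs with a few lines of code. The script below is an added example for this page, not part of the SCYTHE game; the log format, the sample lines, the addresses (TEST-NET ranges) and the thresholds (four or more hits, inter-connection gaps varying by at most 20%) are all assumptions made for the example.

```python
"""Flag beaconing hosts and paste-site fetches in constructed firewall logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines for this example (not real traffic).
# Format: <UTC timestamp> src=<ip> dst=<ip> dport=<port> host=<name or ->
SAMPLE_LOG = """\
2020-06-05T15:00:00Z src=10.0.8.21 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:00:04Z src=10.0.8.21 dst=198.51.100.23 dport=443 host=pastebin.com
2020-06-05T15:05:00Z src=10.0.8.21 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:10:01Z src=10.0.8.21 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:15:00Z src=10.0.8.21 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:20:00Z src=10.0.8.21 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:00:01Z src=10.0.8.22 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:05:01Z src=10.0.8.22 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:10:00Z src=10.0.8.22 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:15:02Z src=10.0.8.22 dst=203.0.113.7 dport=443 host=-
2020-06-05T15:00:10Z src=10.0.8.30 dst=93.184.216.34 dport=443 host=example.com
2020-06-05T15:03:42Z src=10.0.8.30 dst=93.184.216.34 dport=443 host=example.com
2020-06-05T15:21:07Z src=10.0.8.30 dst=93.184.216.34 dport=443 host=example.com
2020-06-05T15:22:15Z src=10.0.8.30 dst=93.184.216.34 dport=443 host=example.com
2020-06-05T15:30:09Z src=10.0.8.30 dst=93.184.216.34 dport=443 host=example.com
"""


def parse(text):
    """Turn the key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = dict(f.split("=", 1) for f in fields)
        event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_beacons(events, min_hits=4, max_cv=0.2):
    """Return {(src, dst): mean gap in seconds} for src->dst pairs whose
    inter-connection gaps are regular (coefficient of variation <= max_cv).
    Human browsing is bursty; implants call home on a timer. The thresholds
    are assumptions for this example, tune them to your own traffic."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < max(min_hits, 3):  # need at least two gaps
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = avg
    return beacons


def find_paste_fetches(events, hosts=("pastebin.com",)):
    """Sources that fetched from a paste site, a common place to stage payloads."""
    return sorted({e["src"] for e in events if e.get("host") in hosts})


def triage(text):
    """Internal hosts worth pulling endpoint logs for, with the reason why."""
    events = parse(text)
    reasons = defaultdict(list)
    for (src, dst), gap in find_beacons(events).items():
        reasons[src].append(f"beacon to {dst} every ~{gap:.0f}s")
    for src in find_paste_fetches(events):
        reasons[src].append("fetched from pastebin.com")
    return dict(sorted(reasons.items()))


if __name__ == "__main__":
    for host, why in triage(SAMPLE_LOG).items():
        print(host, "->", "; ".join(why))
```

On the sample, 10.0.8.21 and 10.0.8.22 are flagged for five-minute beacons to 203.0.113.7, and 10.0.8.21 is additionally flagged for the pastebin fetch; 10.0.8.30, whose gaps to example.com range from about a minute to seventeen, is not. Real implants add jitter, so in practice you loosen `max_cv` and also look at the long tail of low-volume destinations rather than relying on timing alone.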
(align: "==><==")[ ]
(align: "<==")[[[Call the CISO->CISO]]]
(align: "<==")[[[Check endpoint logs->END POINT]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
ENDPOINT LOGS
Endpoint logs - You review the endpoint logs and see new files being created and encryption activity on 8 machines. Then a new file is pulled from the Internet. The activity is coming from an executable named MOAR_BACON, which is also trying to establish SMB connections to a number of other IP addresses.
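A process on a workstation opening SMB to many distinct hosts is the endpoint-side view of the lateral movement in that passage, and it is also the quickest way to build the list of machines to segment. The script below is an added example for this page, not part of the SCYTHE game; the Sysmon-like event shape, the host and image names, and the fan-out threshold are assumptions made for the example.

```python
"""Find processes fanning out over SMB and derive a quarantine list."""
import json
from collections import defaultdict

# Constructed endpoint telemetry in a Sysmon-like shape (example data, not a
# real capture): event 3 = network connection, event 11 = file created.
SAMPLE_EVENTS = r"""
{"host":"WS-NEW-01","event":11,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","target":"C:\\Users\\new.hire\\Documents\\plan.docx.locked"}
{"host":"WS-NEW-01","event":11,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","target":"C:\\Users\\new.hire\\Documents\\README_RANSOM.txt"}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"203.0.113.7","dport":443}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.22","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.23","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.24","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.25","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.26","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Users\\new.hire\\AppData\\Local\\Temp\\MOAR_BACON.exe","dst":"10.0.8.22","dport":445}
{"host":"WS-NEW-02","event":11,"image":"C:\\Windows\\Temp\\MOAR_BACON.exe","target":"C:\\Users\\Public\\README_RANSOM.txt"}
{"host":"WS-NEW-02","event":3,"image":"C:\\Windows\\Temp\\MOAR_BACON.exe","dst":"10.0.8.23","dport":445}
{"host":"WS-NEW-01","event":3,"image":"C:\\Windows\\explorer.exe","dst":"10.0.1.5","dport":445}
{"host":"WS-NEW-02","event":3,"image":"C:\\Windows\\System32\\svchost.exe","dst":"10.0.1.5","dport":445}
{"host":"FS-01","event":3,"image":"C:\\Windows\\System32\\svchost.exe","dst":"10.0.1.9","dport":445}
"""

SMB_PORT = 445


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_name(path):
    # Basename of a Windows image path, so the same binary dropped in different
    # directories on different hosts still groups together.
    return path.rsplit("\\", 1)[-1]


def smb_fanout(events, min_targets=4):
    """(host, image) -> sorted distinct SMB targets, for processes that reached
    at least min_targets distinct hosts on 445. Ordinary user-facing processes
    talk SMB to a file server or two; something spreading talks to many. The
    threshold is an assumption for this example."""
    targets = defaultdict(set)
    for e in events:
        if e["event"] == 3 and e.get("dport") == SMB_PORT:
            targets[(e["host"], image_name(e["image"]))].add(e["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}


def quarantine_candidates(events, min_targets=4):
    """Two lists for the network team: hosts that ran a fanning-out image
    (even ones below the threshold themselves) and every host it reached
    over SMB, which may be infected or may just have been probed."""
    fanout = smb_fanout(events, min_targets)
    flagged = {img for _, img in fanout}
    ran_it = {e["host"] for e in events if image_name(e["image"]) in flagged}
    reached = {dst for dsts in fanout.values() for dst in dsts}
    return sorted(ran_it), sorted(reached)


if __name__ == "__main__":
    ran_it, reached = quarantine_candidates(parse_events(SAMPLE_EVENTS))
    print("ran flagged image:", ran_it)
    print("reached over SMB: ", reached)
```

On the sample only WS-NEW-01's copy of MOAR_BACON.exe crosses the threshold (five distinct targets); WS-NEW-02 is pulled in because the same image name ran there, and the five reached addresses go on the list to check next. The explorer.exe and svchost.exe connections to the file server are left alone.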
(align: "==><==")[ ]
(align: "<==")[[[Segment these 8 systems into a quarantined network->SYSTEM SEGMENTATION]]]
(align: "<==")[[[Perform forensic analysis on the 8 systems with MOAR_BACON->MOAR BACON]]]
CUT THE INTERNET
You tell the team to cut off the internet. You figure might as well stop anything else from happening. Ted raises an eyebrow, “um… you sure that’s a good idea?”
“Of course, now… we’ve cut off all connections, nothing bad gets in or out.”
“Yeah… nothing gets in or out. We’d also be cutting off our production servers, and that means the whole business stops too. I’m pretty sure I remember Rob Lee telling us in our SANS IR class, FOR508, that the first step is identification. We… haven’t identified anything yet; all we’ve got is a phone call.”
(align: "==><==")[ ]
(align: "<==")[[[Call the CEO->CEO]]]
(align: "<==")[[[SIEM log analysis->SIEM LOG ANALYSIS]]]
(align: "<==")[[[Check firewall logs->FIREWALL]]]
(align: "<==")[[[Call the Red Team->RED TEAM]]]
SYSTEM SEGMENTATION
Segment these 8 systems into a separate, quarantined network: you successfully isolate the 8 systems from the rest of the network and can now perform forensics without fear of further spread.
(align: "==><==")[ ]
(align: "<==")[[[Perform forensic analysis on the 8 systems with MOAR_BACON.exe->MOAR BACON]]]
MOAR BACON
Perform forensics on the 8 systems with MOAR_BACON. You identify a phishing email to a new employee who was assigned one of the 8 new systems. It led to remote code execution and the deployment of a new piece of malware, MOAR_BACON. The new images did not have the latest updates, leaving a privilege escalation vulnerability that the malware exploited automatically. With elevated privileges it dumped credentials and attempted lateral movement using the local admin password. All 8 new systems shared the same local admin password, which let the malware propagate to the other 7. Data on these systems was encrypted, exfiltrated, and replaced with a ransom note. Thankfully, these were new systems and did not hold much data. You rebuild them easily by re-imaging from the golden image; before you do, patch the image and give each machine a unique local admin password, or the rebuilt systems carry the same two weaknesses the malware just used.
The END, Enjoy the Weekend!
####Credits
This Choose-Your-Own-Hackventure game was produced by SCYTHE, Inc.
Bryson Bort
Christine Billingsley
Jorge Orchilles
Adam Mashinchi
Sean Sun
####THE END
(align: "==><==")[ ]
(align: "<==")[[[Play again->Choose Your Hackventure!]]]