Episode #5 of Defend the Kingdom, "The Flies and the Hornet", begins with Marty briefing Dave Reinhardt, the CISO, on a significant compromise of MagnaCorp's security. Improper logins, remnants of cracking utilities and other evidence clearly indicate a serious problem. The source of the intrusion, while still unknown at this time, points towards a nefarious interest in MagnaCorp's blossoming relationship with a promising new technology partner - vNextGen. While the executives deal with the serious danger to the company and their relationship with vNextGen, Marty, Greg and Erin fight the technical battle. Meanwhile, as their access to the Kingdom slowly dwindles, frustration grows in the Guild. However, they have their secret weapon, The Ghost, ready for the final strike.
Episode #5 highlights many angles of a serious security breach. A compromise of security is not a singular act - it is an ongoing battle to regain control of systems, determine the targets of the compromise, address reputational damage and contain the situation. The team at MagnaCorp has to unwind the attack and address both tactical issues (patching vulnerabilities, shutting down accounts, inspecting systems, protecting against data exfiltration, etc.) and strategic issues (ensuring business continuity, maintaining compliance, protecting business relationships, etc.). The episode also highlights that the final motive of the attack can be obscured by the 'fog of war'. The ultimate motive of the attack remains a mystery as they combat very persistent and skilled adversaries.
Episode #5 has some interesting subpoints to consider:
- When the CISO briefs the executive team about the compromise, multiple functions are present to ensure coverage throughout the organization. Compliance, audit, IT and other elements of the organization need to be involved in significant issues such as a data breach.
- The CISO also references execution of several plans in his briefing. It is implied that these plans are already thought through and designed to deal with the breach. Preparation for a significant crisis is critical in ensuring the situation does not spiral out of control. It is obvious the management team has discussed this scenario and is prepared.
- Marty, Erin and Greg are coordinating a host of efforts to address the technical impacts of the breach. This includes:
  - Reviewing controls around administrative accounts
  - Reviewing access attempts, escalated privileges and other user activity
  - Comparing staff responsibilities and schedules against suspect user activity
  - Forensic analysis to identify remnants of hacking utilities (Mimikatz in this episode)
  - Guarding against data exfiltration by filtering access to external sites
These are just a sampling of the many tasks necessary to properly quarantine and contain a technical threat. For purposes of brevity, I chose to include only a few of these elements, but there are many others to consider. A key to identifying the breach is the attacker's use of common administrative tools such as PowerShell. Building on the storyline in episode 4, where the Siren uses administrative tools to stay under the radar and bypass security simply by acting like an authorized user, episode 5 highlights the importance of logging and controlling these key utilities.
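Two of the review tasks listed above (comparing staff schedules against suspect activity, and looking for remnants of tools such as Mimikatz in PowerShell usage) lend themselves to a small log triage script. The following Python is an added example and is not code from the series or from MagnaCorp; the log format, account names, staff schedule and every log line in it are constructed for illustration, and the record layout is a simplified stand-in for whatever your logging pipeline actually emits.

```python
"""Triage constructed log records for two incident-response checks:
1. administrative logons outside the account owner's scheduled hours, and
2. PowerShell script blocks that reference a credential-dumping tool or
   run an encoded command (the kind of activity that script block logging
   makes visible).
All schedules, accounts and log lines below are constructed for this example.
"""
import base64
import re
from datetime import datetime, time

# Constructed staff schedule: account -> (shift start, shift end), local time.
STAFF_SCHEDULE = {
    "admin-jsmith": (time(8, 0), time(18, 0)),
    "svc-backup": (time(0, 0), time(23, 59)),  # service account, runs around the clock
}


def encode_command(text):
    """Produce the base64 form PowerShell expects for -EncodedCommand (UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed log records in a hypothetical "<ts>|<event>|<account>|<detail>" layout.
SAMPLE_LOGS = [
    "2021-03-02T09:15:00|LOGON|admin-jsmith|workstation WS-42",
    "2021-03-02T02:40:00|LOGON|admin-jsmith|workstation WS-42",
    "2021-03-02T02:41:10|PS_SCRIPTBLOCK|admin-jsmith|Import-Module .\\mimikatz.ps1",
    "2021-03-02T02:42:30|PS_SCRIPTBLOCK|admin-jsmith|powershell -enc " + encode_command("Get-Process"),
    "2021-03-02T10:05:00|PS_SCRIPTBLOCK|admin-jsmith|Get-Service | Where-Object Status -eq Running",
    "2021-03-02T03:00:00|LOGON|svc-backup|server FS-01",
]

# Keyword for the tool the episode names; a real deployment would carry a longer list.
TOOL_PATTERN = re.compile(r"mimikatz", re.IGNORECASE)
# Matches -e / -ec / -enc / -encodedcommand followed by a base64 blob; "-eq" does not match.
ENCODED_PATTERN = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def parse_record(line):
    """Split one constructed log line into its fields."""
    ts, event, account, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "event": event, "account": account, "detail": detail}


def outside_schedule(record):
    """True if the activity falls outside the account owner's scheduled window."""
    window = STAFF_SCHEDULE.get(record["account"])
    if window is None:
        return True  # nobody is scheduled for an unknown account, so flag it
    start, end = window
    return not (start <= record["ts"].time() <= end)


def decode_encoded_command(detail):
    """Return the decoded text of an -EncodedCommand argument, or None if absent/invalid."""
    match = ENCODED_PATTERN.search(detail)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(lines):
    """Run both checks over the records and return (timestamp, account, reason) findings."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        stamp = rec["ts"].isoformat()
        if rec["event"] == "LOGON" and outside_schedule(rec):
            findings.append((stamp, rec["account"], "logon outside scheduled hours"))
        if rec["event"] == "PS_SCRIPTBLOCK":
            if TOOL_PATTERN.search(rec["detail"]):
                findings.append((stamp, rec["account"], "script block references credential-dumping tool"))
            decoded = decode_encoded_command(rec["detail"])
            if decoded is not None:
                findings.append((stamp, rec["account"], "encoded PowerShell command, decodes to: " + decoded))
    return findings


if __name__ == "__main__":
    for stamp, account, reason in triage(SAMPLE_LOGS):
        print(stamp, account, reason)
```

Run stand-alone, the script reports the 02:40 logon as out of hours, the mimikatz import, and the encoded command (decoded back to `Get-Process`), while the in-hours `Get-Service` call and the always-on service account produce nothing. Decoding encoded commands in the triage output matters: the encoded form hides what was run from a casual review of the log, which is exactly the "acting like an authorized user" problem the episode describes.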
Some final thoughts:
- While organizations have built multiple layers of defense to protect company assets, not every attack will be thwarted. Preparations must be made to handle a system breach. These steps must include an understanding of the threat at the executive level as well as the technical acumen to identify, investigate and respond to an active attack. Even working through a tabletop exercise to discuss the various angles of a data breach will lay the groundwork.
- The "flies" referenced in the title of the episode characterize the massive battle against the many remnants of a system compromise. Marty, Erin and Greg take on the slogan 'swatting flies' to describe the multitude of minute details involved in pulling apart the attack and ensuring all of the loose ends are tied up. A security incident is not simply a matter of turning off accounts that have been compromised. Responding to a security incident involves a host of activities that ensure the access is completely shut off and systems do not retain backdoors that allow the attackers back into the network.
- The Ghost character, referred to in the title as "the hornet", represents the most menacing type of threat actor today. He is patient, motivated and skilled. He is blessed with the luxury of time and a singular motive. These types of threats can not only compromise security but also hide in the infrastructure through a variety of methods. They are the most significant driver of the shift from signature-based intrusion detection to 'hunting' techniques.