Full Report
John Strand // Lately we’ve been running a very cool game with a few of our customers. There’s been some demand for incident response table top exercises. For the […] The post Dungeons & Dragons, Meet Cubicles & Compromises appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Incident Report: Tabletop Exercise (TTX) Simulation Framework
## Executive Summary
This report summarizes a narrative-driven approach to Incident Response (IR) tabletop exercises that replaces dry procedure review with a game run on a 20-sided die (D20). Each response step is resolved by a roll, with bonuses when a documented procedure exists and when staff are trained on it, and further rolls inject real-world complications. Because a step with no procedure and no training gets no bonus, the exercise exposes gaps in documentation and training rather than only confirming that a runbook exists.
## Incident Details
- **Discovery Date:** Monday morning (Start of simulation)
- **Incident Date:** Not applicable (Simulated)
- **Affected Organization:** Various client organizations (Simulated)
- **Sector:** General IT/Security Operations (Simulated)
- **Geography:** Not specified (Simulated)
## Timeline of Events
### Initial Access
- **Date/Time:** Monday morning
- **Vector:** User reported AV alert from help desk ticket.
- **Details:** The AV alerted on the malware stager but missed the memory-injection stage, so the injected payload is still running on the workstation.
### Lateral Movement
- **Date/Time:** Shortly after detection of stager.
- **Vector:** Attacker pivots from the infected workstation to another workstation.
- **Details:** Movement detected due to enabled host-based firewalls forwarding alerts to a SIEM.
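The lateral-movement detection above depends on host-based firewall logs reaching the SIEM and on someone writing the rule that turns them into an alert. The following is an added example, not code from the original post, of what that rule can look like: it parses log lines in the Windows Firewall pfirewall.log field order (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, ...) and flags workstation-to-workstation connections on administrative ports. The subnet, port list, threshold and the sample log lines are constructed for illustration.

```python
"""Flag workstation-to-workstation admin-port connections in host-based
firewall logs, the signal the SIEM raised in the scenario.

Added example, not code from the original post. Field order follows
pfirewall.log; the client VLAN, port set, threshold and sample lines are
assumptions made for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Union

WORKSTATION_NET = ipaddress.ip_network("10.10.20.0/24")   # assumed client VLAN
ADMIN_PORTS = {135, 139, 445, 3389, 5985, 5986}           # RPC, SMB, RDP, WinRM

# Constructed sample: workstation .15 reaches two peers on SMB/RPC/RDP; the
# file-server (10.10.30.5) and internet (203.0.113.10) lines are benign noise.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-03-04 09:12:01 ALLOW TCP 10.10.20.15 10.10.20.42 51234 445 0 - 0 0 0 - - - SEND
2024-03-04 09:12:05 ALLOW TCP 10.10.20.15 10.10.20.42 51240 135 0 - 0 0 0 - - - SEND
2024-03-04 09:12:07 ALLOW TCP 10.10.20.15 10.10.30.5 51244 445 0 - 0 0 0 - - - SEND
2024-03-04 09:12:09 ALLOW TCP 10.10.20.15 203.0.113.10 51250 443 0 - 0 0 0 - - - SEND
2024-03-04 09:13:00 DROP TCP 10.10.20.15 10.10.20.77 51302 445 0 - 0 0 0 - - - RECEIVE
2024-03-04 09:13:02 ALLOW TCP 10.10.20.15 10.10.20.77 51303 3389 0 - 0 0 0 - - - SEND
2024-03-04 09:14:00 ALLOW TCP 10.10.20.99 10.10.20.15 50001 445 0 - 0 0 0 - - - RECEIVE
"""

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Event(NamedTuple):
    time: str
    action: str      # ALLOW or DROP; a DROP still proves someone tried
    proto: str
    src: IPAddr
    dst: IPAddr
    sport: int
    dport: int


def parse(log: str) -> List[Event]:
    """Parse pfirewall-style lines; comments, blanks and port-less (ICMP)
    records are skipped rather than treated as errors."""
    events: List[Event] = []
    for line in log.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8:
            continue
        try:
            events.append(Event(f"{f[0]} {f[1]}", f[2], f[3],
                                ipaddress.ip_address(f[4]), ipaddress.ip_address(f[5]),
                                int(f[6]), int(f[7])))
        except ValueError:
            continue   # e.g. "-" in a port column
    return events


def lateral_candidates(events: List[Event]) -> List[Event]:
    """Connections from one workstation to another on an admin port.
    Workstations have no business serving SMB/RPC/RDP to each other."""
    return [e for e in events
            if e.src in WORKSTATION_NET and e.dst in WORKSTATION_NET
            and e.src != e.dst and e.dport in ADMIN_PORTS]


def alerts(events: List[Event], min_targets: int = 2) -> Dict[str, List[str]]:
    """Raise one alert per source that touched at least `min_targets`
    distinct peers; a single hit is left for triage, a fan-out is a pivot."""
    by_src: Dict[str, set] = defaultdict(set)
    for e in lateral_candidates(events):
        by_src[str(e.src)].add(str(e.dst))
    return {src: sorted(dsts) for src, dsts in by_src.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in alerts(parse(SAMPLE_LOG)).items():
        print(f"possible lateral movement from {src} -> {', '.join(dsts)}")
```

Two things to keep in mind when this runs against real aggregated logs: the same connection appears twice once both endpoints ship their logs (one SEND record, one RECEIVE record), so de-duplicate on the 5-tuple before counting, and the `min_targets` threshold trades missed single-hop pivots for fewer tickets, which is exactly the kind of tuning decision a tabletop should force the team to make before an incident.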
### Data Exfiltration/Impact
- **Date/Time:** Discovered after the infected workstation had been isolated (when the data actually left the network is not recorded in the scenario).
- **Vector:** Attacker exfiltrates sensitive HR data.
- **Details:** The attacker posts sensitive HR data to **pastebin[.]com**, which is discovered externally via Google search.
### Detection & Response
- **Date/Time:** Initial detection via help desk ticket Monday morning.
- **Details:** The first response action, live-system forensics on the workstation, failed: the team had no procedure or training for it, so the roll carried no bonus and missed. The pivot to the second workstation was then detected because the host-based firewalls already forwarded alerts to the SIEM, and the team, which did have a procedure and training for isolation, took the infected system offline. The public leak of HR data then forced management involvement.
## Attack Methodology
*(Note: This section details the attacker's hypothetical actions based on the successful dice rolls within the TTX environment.)*
- **Initial Access:** Malware stager executed on a workstation; the memory-injection stage evaded AV.
- **Persistence:** Not detailed; the injected payload stayed resident until the workstation was isolated.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** The memory-injection stage of the malware was not caught by AV.
- **Credential Access:** Simulated password or hash dumping; where legacy protocols such as LanMan were still in use, the attacker needed only a low roll to succeed, so weak configuration translates directly into an easy check for the adversary.
- **Discovery:** Not detailed; the attacker's probing of neighbouring hosts is what the host-based firewall alerts surfaced.
- **Lateral Movement:** Pivot from the initial host to a second workstation, detected through host-based firewall alerts forwarded to the SIEM.
- **Collection:** Sensitive HR data was gathered from the compromised system.
- **Exfiltration:** Data was posted publicly to Pastebin.
- **Impact:** Public exposure of sensitive data and identification of internal process gaps.
## Impact Assessment
- **Financial:** Not specified (Simulated framework focuses on process gaps).
- **Data Breach:** Sensitive HR data was successfully exfiltrated and published publicly.
- **Operational:** Initial investigation attempt failed, though subsequent isolation was successful. Business operations were impacted by the public data leak requiring management and legal response.
- **Reputational:** Significant due to the public posting of HR data on Pastebin.
## Indicators of Compromise
*(These are illustrative indicators derived from the scenario, defanged)*
- **Network indicators:** Communication attempts to ports/protocols associated with malware C2 (implied).
- **File indicators:** The malware stager payload (specific name unknown).
- **Behavioral indicators:** Process behaviour on the workstation consistent with memory injection; unexpected workstation-to-workstation connections; internal HR data appearing on an external paste site.
## Response Actions
- **Containment:** The infected workstation was successfully isolated after a successful dice roll (+5 for procedures, +2 for training).
- **Eradication:** Not detailed; isolation of the workstation is the last technical step the scenario records, so eradication and rebuild remained outstanding.
- **Recovery:** Not detailed; management and legal were engaged immediately after the public leak was discovered, which is escalation rather than recovery.
## Lessons Learned
- **Procedural Gaps Identified:** The team immediately identified a lack of formalized procedures and training for **live systems forensics**, leading to an initial failed response action.
- **Success Factors:** Strong existing technology (HB Firewall alerts forwarded to SIEM) and established procedures/training for **system isolation** significantly aided containment efforts (+7 bonus applied).
- **Narrative Injection Impact:** Random narrative injections (e.g., competitor finding data on Pastebin, required management involvement) effectively tested response steps outside of pure technical remediation.
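The mechanic behind the Executive Summary, Response Actions and Lessons Learned above (a d20 roll per response step, +5 for a documented procedure, +2 for training, and random narrative injections) is small enough to encode, which also makes it easy to replay a session or to argue about the numbers before the next one. The following is an added example, not code from the original post: the +5 and +2 bonuses are the values the report quotes, while the difficulty classes, the natural-20/natural-1 rule, the injection table and the attacker's low target for a LanMan hash capture are assumptions made for illustration.

```python
"""Toy d20 resolution engine for a narrative IR tabletop exercise.

Added example, not code from the original post. PROCEDURE_BONUS and
TRAINING_BONUS are the values quoted in the report; every DC, the
natural-20/natural-1 house rule and the injection table are assumptions.
"""
import random
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

PROCEDURE_BONUS = 5   # a documented, approved procedure exists for the step
TRAINING_BONUS = 2    # responders have actually been trained on it


@dataclass(frozen=True)
class Check:
    """One response (or attacker) step resolved with a single d20 roll."""
    name: str
    dc: int                      # total needed to succeed (assumed value)
    has_procedure: bool = False
    has_training: bool = False

    @property
    def modifier(self) -> int:
        bonus = PROCEDURE_BONUS if self.has_procedure else 0
        bonus += TRAINING_BONUS if self.has_training else 0
        return bonus


def resolve(check: Check, roll: int) -> bool:
    """True if roll + modifier meets the DC. Assumed house rule: a natural
    20 always succeeds and a natural 1 always fails, whatever the bonus."""
    if not 1 <= roll <= 20:
        raise ValueError("a d20 shows 1..20, got %r" % roll)
    if roll == 20:
        return True
    if roll == 1:
        return False
    return roll + check.modifier >= check.dc


# Hypothetical injection table: low rolls bring the complications the post
# describes (external discovery, management involvement); high rolls are quiet.
INJECTIONS: List[Tuple[range, str]] = [
    (range(1, 6),   "Competitor finds the HR data on pastebin[.]com and calls your CEO"),
    (range(6, 11),  "Management demands an update; the lead responder is pulled into a meeting"),
    (range(11, 21), "No new complication this round"),
]


def injection(roll: int) -> str:
    """Map an injection roll onto the table above."""
    for span, text in INJECTIONS:
        if roll in span:
            return text
    raise ValueError("injection roll out of range: %r" % roll)


# The scenario from the report, in order. The attacker's check needs only a
# low total because the target still speaks LanMan (assumed DC of 5).
SCENARIO: List[Check] = [
    Check("live_forensics", dc=15),                                   # no procedure, no training
    Check("isolate_workstation", dc=15, has_procedure=True, has_training=True),
    Check("attacker_captures_lm_hashes", dc=5),                       # attacker's own roll
]


def run_scenario(rolls: Optional[Iterable[int]] = None,
                 rng: Optional[random.Random] = None) -> Dict[str, bool]:
    """Resolve every check in SCENARIO. Pass explicit rolls to replay a
    session (or to test); otherwise draw from `rng` so each game differs."""
    rng = rng or random.Random()
    supplied = list(rolls) if rolls is not None else None
    if supplied is not None and len(supplied) < len(SCENARIO):
        raise ValueError("need %d rolls, got %d" % (len(SCENARIO), len(supplied)))
    results: Dict[str, bool] = {}
    for i, check in enumerate(SCENARIO):
        roll = supplied[i] if supplied is not None else rng.randint(1, 20)
        results[check.name] = resolve(check, roll)
    return results


if __name__ == "__main__":
    rng = random.Random()
    for name, ok in run_scenario(rng=rng).items():
        print(f"{name}: {'success' if ok else 'FAIL'}")
    print("injection:", injection(rng.randint(1, 20)))
```

Feeding the same middling roll to every check reproduces the session in the report: with no bonus the live-forensics check misses a DC of 15, the isolation check clears it on the strength of the +7, and the attacker's LanMan capture succeeds trivially. That is the point of the framework: the dice only look random, the bonuses are where the real state of the program shows.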
## Recommendations
- **Develop and Formalize:** Create and document mandatory procedures for live systems forensics and memory analysis.
- **Training:** Ensure all relevant IR team members receive recurrent, hands-on training specific to dead-box and live-box forensic procedures.
- **TTX Improvement:** Continue using narrative-driven, randomized TTX methods to expose gaps in policy, training, and cross-departmental communication.
- **Security Hygiene Review:** Re-evaluate baseline security posture if the attacker could retrieve and publicly post sensitive HR data from an endpoint (e.g., review file system permissions or encryption controls).