 We are going to begin first by the introduction of today's guest. We are then going to be quickly moving to the demo to try the interactive demo to try and get as much out of today's session as we possibly can. We will then be moving to the Q&A session to answer any additional questions that you all may have. With that, I'm going to silence and mute myself and hand this over to Jason to introduce himself, what he does and talk a little bit about Black Hills. Hello everybody. Hi, my name is Jason Blanchard. Today I'm going to be presenting using a game called Backdoors and Breaches that we created at Black Hills Information Security. We are a pen testing company. We are hired to break into places to see if we can break into places, and then if we can break into places, we give a report of all the ways that we could break into places, either physically or through computer systems. We created a game to help people understand cybersecurity because cybersecurity can be complex and can be hard to understand, and so we created a game to help with that. I'm going to be teaching cybersecurity today using this game called Backdoors and Breaches, which you have complete and total access to, that you can use completely for free. I drop the link into the chats, play.backdoorsandbreaches.com. I'm going to show you how to play this game today and teach cybersecurity at the same time. We have a lot of people here which is exciting. There's over 100 people here today, and I'm going to ask for volunteers at some point. I'm going to need five to seven volunteers, so if you start to think that you want to participate and be a part of this, then I'll want you to turn on your camera and your microphone and participate. For everyone else, you can keep your microphones and cameras off, but you can absolutely continue to participate in the chat. My name is Jason Blanchard. 
My background is in comic books and filmmaking before I even got into cybersecurity, and so I brought that comic books and filmmaking into cybersecurity to be able to help people learn cybersecurity the best I can. I'm here and I'm excited. I'm the excitement co-creator of Black Hills, so I'm excited to be here. Is it time for demo or do we have more? Yeah. With that, we're just going to jump right into it, Jason. All right. I'm going to give a demo for about 10 to 15 minutes, and then while I'm doing the demo, think to yourself if you'd like to participate. Kevin, can you confirm that you can see my screen? Yes, I can. All right. Fantastic. All right. So show of hands, I guess. You can still hit the raise hand button. How many people here already know cybersecurity? So show of hands. Got a real life hand right there. Got a couple hands going up. It says plus eight, plus 14. Cool. For those of you that know cybersecurity, we're going to talk about things that you might already know, and for those of you that don't, we're going to talk about things you may not know. So hopefully you can just follow along. So what we're doing right now is we're using a thing called play.backdoorsandbreaches.com. This is a physical card game that we created prior to the pandemic. The reason why that's important is because we created a card game before the pandemic because we thought people would play cards together at their facilities and organizations and actually learn cybersecurity together. Then once the pandemic hit, we realized that none of you were together, and so we had to start doing these things where we had Zoom sessions and we created a Zoom version of this game, and then we gave it away completely for free. So today we're going to learn how to play it so in case you want to take your cybersecurity skills and take it back to your organization and start to teach other people, this is great for teaching C-suite people how to play. 
This is great for teaching high school students how to play. This is great for teaching college students and people who don't know cybersecurity at all. So I can see a blank screen. Did I, I did see the original screen with Jason's picture. All right, so Carolyn said, can everyone see the cards? If I bring up the card right here, it says credential stuffing. Okay, so it might be you, Carolyn, you might need to drop and come back in. If not, hopefully you can see this. Okay, all right, so what we're going to do is we're going to walk through what these are, but I'm going to start teaching cybersecurity using these cards. And so I'm going to walk you through what's called a cyber kill chain. So the first thing we have here are the red cards. And so if you take a look, we have red cards. It says initial compromise on it. We have the pivot and escalate cards. We have the C2 and Exfil cards and the persistence cards. This is what attackers do when they get into your organization. First, they have to get in: initial compromise. That's how they get in, the very first step into your organization. Now this could be a lot of things and we can cover some of those. And then once they get in, they have to move from one system to another because generally your computer isn't the one that they're looking for. They're looking for the server. They're looking for Active Directory. They're looking for access to everything. And right now your computer has the least amount of privileges and the least amount of access. And so they're going to use your computer to get access to the rest of the network. And then we have what's called C2 and exfiltration. So that's the brown cards. Now C2 and exfiltration stands for command and control and the exfiltration of data. So attackers have to maintain a connection with the malware and everything that they put inside of your organization to be able to talk to it and use it to get more access and more accessibility to the rest of your organization. 
So it's called C2 command and control and exfiltration. And then you have something called persistence. So persistence is how the attackers stay in your organization. I don't know if anyone here has ever had their house broken into and hopefully I'm not triggering you in any way but if you ever had your house broken into a lot of times what happens when a person breaks into your house for the first time they don't quite know the lay of the land. They don't quite know how many rooms you have. They don't know all the valuables you have. They don't know where all your things are. And so they might need to come back and rob you again. And so what they do is they break in the first time they take a couple of things but then they come back with some more people on a truck and they wanna take all the things. And so what they do is they leave a back door open where they leave a window open that you never check. I don't know about you but I'm pretty paranoid about human beings invading my life. So whenever I check into an Airbnb so I do I check into an Airbnb I check every single window and door when I get into that place. I check every window and door because I never know if someone is you setting me up for something and I was staying at an Airbnb and on the basement floor on this one back window it was unlocked and I pretty much was like as soon as I found an unlocked window I was like we're out of here, we're out because I don't want this to be the place that they come in tonight to kill or rob me. And in fact we did stay but I was paranoid the entire time. So persistence is where the attackers will come out with a way to get back in to keep robbing you to keep taking your stuff to keep coming back. And so getting in through external cloud access is not hard. 
Like if any of you right now are using cloud resources getting in through external cloud access is not difficult because most likely you have a lot of misconfigurations for access and permissions for all of your users and what attackers can do is use tools like Spring Toolkit, Truffle Hog and Fireprox to just run a scan against your cloud resources find the two or three people who have misconfigured permissions and then use that to get access into your environment. So the initial compromise is relatively easy. Let's take a look at another one. Okay, it's cloud access. Let's take a look at another one. Wow, did this break while I was playing? All right, there we go. Credential stuffing. Anyone here ever heard of credential stuffing? Go ahead and raise your hand if you've heard of credential stuffing. All right, so we got one, maybe a couple more. All right, so here's what credential stuffing means for those of you that may not know what this is. Is that there are websites that get breached all the time. They steal the user accounts all the time. Like LinkedIn got hacked. They stole all of that data. They go after like low hanging fruit websites like a comic book store or like some other person like who doesn't practice cybersecurity like your organization. They come after you to steal your whole user list and here's the reason why. Because if I get your user list, there's a good chance that your users use the same username and password at other places. And so what attackers do is they buy a huge bunch of data breaches. They just buy up a whole bunch of data breaches for three bucks or 10 bucks or 20 bucks. And so now they have this massive database of usernames and password hashes. And what they do is they do a search through that whole database to find the at last of your email address. So it's the at nameofyourorganization.com or .org or whatever it is. And all of a sudden they find three of them. 
They find three of them in all of these data breaches, they find three. Well, guess where they're going to start? With those three people who have the same username and most likely the same password that they use everywhere they go. And they're going to try to log in from that. And it works. It works all the time. We use this all the time. The tool to do this type of attack is called Burp Suite, and Hydra will help us scrape and find user accounts. All right. So if you take a look at the cards right now that we're using, it has a major headline, credential stuffing. So like that's the attack. And then there's a brief explanation of what the attackers take advantage of: third party breaches. So that's not your organization. That's other organizations, to identify and use IDs and passwords against your organization. So it's other breaches that they may use against you. All right. And so what can detect this type of attack is server analysis and user and entity behavior analytics. And we'll talk about that in a second. Now if I hit refresh, I should get a brand new card, trusted relationship. All right. So here's what this attack is. So trusted relationship is the major headline. So it's someone that you trust. It's a relationship situation going on. A trusted third party, so it's not your organization, who has access to your network is compromised. The attackers use it to pivot to your internal resources. So it's not you you have to worry about. It's the people who have access to your network that you have to worry about. And then you have to be concerned if they get breached or not. So I don't know about you, but at one point I owned a house in Florida and then I moved to Maryland and we thought it would be a really good idea to rent out our house in Florida. And then I realized I had to worry about every single hurricane that hit Florida because I knew the renters didn't care about the house. So I had to care about the house. 
And so every time a hurricane popped up that was heading to Florida, I had to worry about it. And so I had to worry about it so much that I eventually sold the house because I didn't want to have to worry about it anymore. I didn't want to have to worry about hurricanes unless that hurricane was coming to Maryland. Here's my point. You have to worry about your people who have access to your network because if they get breached, then it gives access into your environment. And so not only do you have to worry about you, you have to worry about them. So when was the last time you did permissions or auditing of the people who have access into your environment? And if it's been a while, then maybe you put that on your list of who does have access to our environment? Is it the HVAC provider? Is it the person who has badge readers for getting in and access to our building? Like who has access to our network and why did we give it to them? And then do they still have it? And when was the last time we talked to them? Because the tools to do this type of attack is an unfortunate unfounded trust in humanity and business partners who are complete strangers. That's true. You have people out there that you've given access to your network who you do not know and you don't know when they fire people. You don't know when they hire people. You don't know if they have disgruntled people. You don't know what's going on in their environment. And so you need to check and audit with their permissions from time to time. All right. So once again, initial compromise is easy. It's easy for us. We do 650 pen tests per year. So penetration tests. We do 650 security assessments per year for clients and the easiest part for us is the initial compromise. The hardest part is pivot and escalate. The hardest part is pivot and escalate because getting into a system, easy. Getting from that system to another system is incredibly difficult. 
You need skill and you need more tools and you need to make sure that the security team does not catch you because this is the noisiest part of the attack and this is the part where if you're gonna get caught, it's gonna be right here. So pivot and escalation is where the attackers have gotten in and now they're moving from one system to another to another to another to another to another. They're escalating privileges because right they started off and they got, you know, they got Carolyn's privileges but Carolyn doesn't have admin rights. And so now that they have to escalate up to admin rights where they get onto and system. And so and doesn't have admin rights. And so they have to escalate privileges from one system to another. So what they do is an internal password spray. So the attackers start a password spray against the rest of the organization from a compromised system. Raise your hand if you know how a password spray works. Anyone here know how a password spray works? All right, so here's what a password spray is. There's a good chance if you are on a 90 day password policy, which means your organization has a 90 day password policy that you have to reset your password every 90 days, that your users will take that and use it in this way. Well, if it's summer when I have to reset my password, then I will say it's Summer2023 exclamation point because you have a password schema that says capital letter, has to be at least seven letters, has to have numbers and has to have a special character. And since we will look and identify what your passwords, like your protocols, are for passwords, we'll go wait. Okay, so you only need seven characters and it needs to be a capital letter and numbers and exclamation point or special character and you reset every 90 days. Oh, that's fine. 
We're gonna get in in the next 24 hours because we're gonna take what human beings do to make it easy for themselves to remember the passwords and they're gonna put Winter2023 exclamation point, Spring2023 exclamation point, Summer2023 or they might say the name of your company and sucks. Company sucks. One exclamation point. We might find out the name of your manager and manager sucks number one exclamation point because what humans are doing is trying to remember their passwords because you keep making them reset their passwords all the time. One of the things that we recommend is that you set a 15 character password and if you're like right now you're like 15 characters. How dare you? I understand 15 characters is a lot of characters but what you do is you set a 15 character password, you set it for a 365 day rotation and I almost guarantee you no one will ever get into your organization with a password spray ever again. And the reason why is because 15 characters cannot be cracked in this lifetime. 15 characters cannot be cracked in this lifetime. 15 characters is difficult to remember because remember passwords and cracking them has nothing to do with the complexity of what you do. If you have an eight character or seven character password and you've made it all fancy and it's got like capital letters and lowercase letters and numbers and special characters, that doesn't matter because I'll run a tool called Hashcat and I will set it up on a GPU system where I will crack that in the next three seconds. A seven character password gets cracked in three seconds. And if you're like really? Yes, it doesn't matter the complexity. It's just the length of the password. So a 15 character password is almost completely uncrackable. It will take pretty much the heat death of the universe in order to crack a 15 character password. At our organization, we have 25 character password limitations for admin level accounts. 25 character limitations and here's why. 
You'll never crack that. But right now you're thinking like, well, how do you remember a 25 character password? So what we do is we use passphrases. I will recommend everyone in here start using passphrases. But a passphrase is three words and in a number schema and a special character and that's pretty much uncrackable. It's dictionary words so that people can remember them. So it's Steven jumps rabbit. 25 exclamation point, exclamation point. That is an uncrackable password. It's an unguessable password. And in fact, we have recommended that people start calling the passwords passphrases because a passphrase means it's multiple words and it's longer and people get used to doing a passphrase. Password, seven characters, ugh. Passphrase, 15 characters, uncrackable. And right now if you're thinking about how hard that's gonna be to try to pass through your organization, I get it. I completely get it. And that's something you're gonna have to think about. Okay, so an internal password spray would be caught through user and entity behavior analytics, cyber deception and SIEM log analysis. So those things would catch an internal password spray because you would see a bunch of failed login attempts because if you're trying to log in with Emily's and Kathleen's and Carolyn's like password and you're like using Summer2023 that's gonna fail for most people. And so you as an organization you would see a higher number of failures during a period of time. Now, if you have that three password lockout for every 15 minutes, we'll figure that out too. So we'll run a password spray every 16 minutes. So it was set to go every 16 minutes for all the users in your organization. And then if you're like, wait, if you're coming from the same IP address then we're gonna catch you. Oh, that's fine. We created a tool called FireProx that allows us to attack you from a never ending stream of IP addresses. 
So it's never gonna look like any of those failed login attempts came from the same place. And you're like, burn it. So we're real good at getting in. We're real good at getting in. Getting from one system to another, that's difficult and that's where you can catch us. And so don't lose heart. You can still catch us when we're trying to go from one system to another. All right. So the tools to do an internal password spray are DomainPasswordSpray, BruteLoops, Kerbrute and Metasploit. If you wanna see what these tools look like the GitHubs are right there. If you wanna see what this tool looks like you can absolutely go to github.com slash dafthack, go to DomainPasswordSpray and you can totally check out what this tool looks like. You can even run it in your environment and see if you can even notice it or what it does or how it works. And then we have a blog post down here if you go to blackhillsinfosec.com slash webcast dash attack dash tactics, it's a long stream but you get the point. We'll show you exactly how we'll get into an organization in 55 minutes. We take you from start to finish, how we get in, how we get around and how we do everything in there. Okay. All right. So once you get from one system to another the whole time you have to communicate, right? You have to communicate with what's going on in your network. So I'm outside your network. I have to communicate with something inside your network. This is where you can catch me again. You can totally catch me through network traffic. So don't lose heart. You can catch me through network traffic if you're looking for it. But I got a quick question for everybody. Does anyone here know how the Windows Background Intelligent Transfer Service works and why it even exists in the first place? Are spaces okay for passphrases? I don't like spaces personally. I don't like spaces for passphrases because I'm going to forget that that space exists. 
I just like three words butted against each other with a couple of numbers at the end and a special character. Okay. Can you say again the composition of a passphrase? I think I just did: three words, some numbers, special character. Three words, some numbers, special character. All right. So for those of you that don't know what the Windows Background Intelligent Transfer Service is, I'm going to ask you this question. Ready? Do you have a Windows system? Do you have a Windows system? All right. So let's say you have a Windows system. How does it get updated? You know, it's Tuesday and all of a sudden like it needs to run some updates. Where do those updates come from? And how did they get into your computer? And how does Microsoft know that you need to update in the first place? So that's what the Windows Background Intelligent Transfer Service is. Windows knows that your computer needs updates so it sends it through an open port on your computer that Windows has allowed to remain open so that it can update your system. Attackers know that you've never, ever, ever, ever, ever looked here. And so what they do is they start sending information out of this protocol to their own systems through the Windows Background Intelligent Transfer Service. It's called BITS. Most companies never look here. I'm pretty sure you've never looked here either. And so what you're going to have to do is have some network threat hunting or firewall log review and see, are you whitelisting any of the information coming in and out of this protocol? And if you are, probably are, but see if there's any data leaving it. And so right now if you're like, Jason, you're giving me like a lot of work to do. Just find one thing today to fix. Just one thing, not all the things. Just find one thing today to fix. And then lastly, what the attackers did here is they hijacked accessibility features. Maybe you've never used the accessibility features of your computer, but there are accessibility features in. 
There's a magnifying glass. There's an on-screen keyboard. There's some other features to help you in case you need help accessing or using some of your computer. Well, attackers can take advantage of this and they can replace some of the accessibility features with their own malware or their own command and control. And so this is how they can maintain persistence on your system. They will hijack what should be a helpful thing on your computer to be a thing that is not helpful for your computer. So here's what happened, right? This is why I'm doing this. You have the initial compromise, then you have the pivot and escalate. You have the, we have the Windows background, the C2 and exfiltration and the persistence accessibility features. This is how you got attacked. This is how you got robbed. They came in this way through a trusted relationship. They did an internal password spray once they got access into your system to get more access. They were exfiltrating data, maintaining command and control through BITS which you weren't looking at. And then they took over the accessibility features of the computers that they actually got on. And so I got a quick question for everyone on the call. Is this a plausible attack inside your environment? And that's a question that you have to ask yourself. Is this a possible way for attackers to get in and move through your system, system to system, and actually get stuff out of your environment? And if the answer is yes, then either mitigate it or live with the risk. That's your two options. You either mitigate it, you put some things in place, you put permissions in place, you put protocols in place, you put tools in place to mitigate it. Or you say, this is something that could happen to us. We're gonna choose to live with the risk because of the way that we do business. Because remember, business comes first, security comes second. Business comes first, security comes second. Now sometimes security makes business better. 
And that's the point you have to like convey to senior leadership is that the security we're putting in place is protecting the business. What they see is that the business is being hurt by the security. And so you have to be able to convey, here's the threats that we're under, here's the situation that we find ourselves in. And if the security is not in place, then it's going to hurt the business. Because remember, every suggestion you make is to improve the business. Every suggestion we make to an organization by providing a pen test report is to improve the business. And sometimes businesses look at the ways that we get in and they go, we're okay with that risk. And we're like, understood. All right, so what we're going to do is I'm going to ask for five volunteers. So I need five volunteers and you can either put it in chat. We got, we got Mark is going to volunteer. So we got one here. If you're going to volunteer, I need you to come off to put your camera on and come off mute. You don't need to come off mute right yet because I'm going to still do some explanation. But I have, so I got two Marks. So go ahead, we got a second Mark, two Marks, Mark with a C, Mark with a K. Do we have any other people who would like to volunteer today? If so, go ahead and come off camera. Also, Diane and Tiffany are just joining us. I see that they were. All right, anybody else want to join us? Heather is going to join us. Thank you, Heather. And you're not quite sure what you're volunteering for and that's fine. I need two more volunteers if you'd like to volunteer. If not, totally fine. I can play with three people. Okay. So Mark, Heather and Mark, what we're going to do is we're going to play Backdoors and Breaches. If someone else wants to join us, they totally can. Dave is joining us. Thank you, David. All right. So what's going to happen is we're going to play like two or three rounds. 
I'm going to show you how this game works so that you can see how this game works so that way you can see if you want to play it inside your own organization if you want to. All right, so what I need the volunteers to do is go and type in roll D20 unless you have a physical D20 dice in front of you. I mean, there's a chance that some of you have played Dungeons and Dragons before. Do you actually have a D20 somewhere close by? But if you haven't, go ahead and bring up Google and type in roll space D20. Do you not go to roled20.com? That is completely different. You do not want to do that. And to the 166 of you that joined us today, wow, that is awesome. We're going to keep learning about cybersecurity as we play through this game today. All right. So what we're going to do is I already have a scenario set up, right? I can see the card. So if I go back over here to the demo one, do you see how it's like credential stuffing, internal password spray, DNS as C2? This is how you got attacked. Now what's going to happen is I get to see the explanation here. I get to see the explanation and I'm going to hide it. So what you're going to do today, David, Mark, Heather and Mark, is that you're going to try to figure out what my four hidden cards are. I'm going to give you a simple scenario about cybersecurity, about a possible breach. And then you're going to use the blue cards down here to try to solve what my four cards are up here. You're going to have to try to figure out how did the attackers initially get compromised? How did they pivot and escalate? What are they using for command and control? And how are they maintaining persistence? You're going to use these procedures to try to solve my four cards. So if I look over here, do you see where on my cards it says SIEM log analysis and user entity behavior analytics? Well, that's what would detect a trusted relationship attack. 
If you look over here, what would detect a local privilege escalation is endpoint analysis, cyber deception and endpoint security protection analysis. What would detect Gmail, Twitter, Salesforce being used as C2? Well, that would be network threat hunting and firewall log review. What would be used to catch evil firmware would be endpoint security protection analysis, endpoint analysis and also a prayer to engage the merciful God because this is really, really difficult. There's really not much that's going to catch that. Okay. So I get to see the cards and I get to come up with a brief scenario based on those cards. And then Mark, Mark, David and Heather, you're going to work together. You're going to be the security team today. You're going to work together and you're going to like talk it through. Yes, Mark. Are we supposed to bring up a browser separately from this? You said roll space type. Yes. You would bring up a browser separately from this so that way you can roll the dice scores today. I'm having difficulty finding that. I did roll space D20. Yep. If you go here and you type it into the, it will bring this up. Yeah, on Google search? Yep. Yeah, it gives me like, you know, search results. Okay. Then Heather, did you get a roll D20? All right, so we'll have Heather roll for you there, Mark. No worries. All right, so I'm going to give you your scenario and then I'm going to explain some things. So don't worry about not knowing what to do. We're going to figure out what to do while I'm actually playing. So here we go. Your scenario is this. Are you ready? Are you ready? All right, here we go. And for everyone listening too, this is the same scenario for all of you. You can absolutely engage in the chat. You can engage in the chat any way you want. Okay, so here is your scenario. You got an email from your HVAC provider. 
All right, so you got an email from your HVAC provider and they said, just want to let you know, we have experienced a cybersecurity incident. And due to our policies and our agreement with you, we've gone through the incident response process. We've contacted our insurance provider. We've done all the things that we can to remediate this task, this incident. We don't believe that it exceeded past our boundaries, but we are letting you know, due to our policies and agreement that we experienced a cybersecurity breach and we just want to inform you, that's it. Also, this email came in three weeks ago to your person who maintains your actual environment. So it's the person who's like the property manager. It came to them three weeks ago and then they decided to actually read it. And then when they're like, oh, this feels like something I should send to the help desk. So they sent it to the help desk and the help desk said, oh, okay. And then sent it to Mark, Mark, Heather and David who's our incident response team. So you're gonna work as a company today. You're gonna be your own security team and you're gonna tell me what would you do if you got an email from your HVAC provider that came in three weeks ago, what would you do to see did that breach actually make it to you in any way? And if so, what happened? And what you're gonna use today are these different procedures. You're gonna do endpoint analysis, all right? So this is where you take a look at the actual computer where you either physically have it in front of you or you're going to remote access into it. You're gonna take a look at user and entity behavior analytics. So here's what this means. What do users normally do? Do users normally log in between nine and five? Do they normally log in from the same IP address? Do they normally look at these three folders? Do they normally run PowerShell? Do they normally do this? 
And so user and entity behavior analytics is taking a look at what a user would normally do and then seeing if there's anything that they are doing right now that they wouldn't normally do, and it would send you an alert on that. Memory analysis, where you could take an actual memory dump from the system that you believe might be compromised and see if there's something running. Firewall log review, taking a look at the inbound traffic, north and south traffic coming in and out of your system. You can isolate. You could totally isolate a potentially compromised system. You could do crisis management where you bring in other people like senior leadership and others and the PR firms and everybody else and go like, I think we got a problem. All right, so you got that. Network threat hunting. This is where you're taking a look at the network traffic. So reminder, you're taking a look at network traffic. Like what is coming in and out? Is it a large amount of traffic? Is it beaconing? Is it malware that triggers every 10 minutes? If you didn't know, malware always calls home for the most part. Malware is always calling home and it calls home on a set timer. So that malware is set to call back to a command and control server every 10 minutes for eight seconds. Do you need something from me? 10 minutes goes by. Do you need something from me? 10 minutes goes by. Do you need something from me? It looks like a heartbeat. And so if you're looking at your network traffic, you can see these regular intervals of traffic and you can potentially go like, well, that doesn't make any sense that this computer connected for eight seconds every 10 minutes. I believe that's not normal looking behavior. And so you can take a look at that. Server analysis, do you know what normal looks like? Do you know what a normal looking server looks like? What your normal tasks are running? The normal services are running. Do you know what a normal looking server is? 
And if you don't, then how would you know what an abnormal looking server is? And so this is going through and looking at what potentially changed with EDR. So some of you might have Carbon Black or CrowdStrike or this or that or something else. And that's sending log data constantly back to all of your internal servers saying, hey, we see some things. Cyber deception. Most people don't do cyber deception, but I'm gonna tell you right now, cyber deception is the most effective, inexpensive form of protecting your environment. And most people don't do this because you don't think about it. But here's what cyber deception is. It's the Home Alone edition of building out your network. If you've seen the movie Home Alone, where Kevin McCallister sets up booby traps all through his house, because it's his house he can protect it any way that he wants to. It's that when the attackers get into your environment, you've set up so many booby traps and so many things to deceive and mislead them that all of a sudden they keep hitting their heads, they keep getting knocked on things, they keep finding things that shouldn't be there because you've put them there on purpose, that they go, what the heck is going on here? And they decide to leave. So I'm not trying to sell you something today, because this is a completely pay what you can course. We love cyber deception so much, we created a pay what you can course where you can take this class completely for $0 if you want to. You just ask for tuition assistance. You can take it on demand; it costs a little bit because it costs us a little bit to send it to you. But this is a class, a 16 hour class on how to implement cyber deception in your environment. And this is the most fun you will have with architecting out your network. Cause you're like, oh, what if we put a honeypot over here? Oh, what if we put a canary token over here? 
Oh, what if we have a shadow network that if someone ever gets in there, they just get lost in a loop for days and days and days. There's a way that you can run a folder within a folder within a folder. And so if someone hits it with an Nmap scan, it will never end. And so after like three or four days of running an Nmap scan, they're like, this is stupid. I don't wanna be here anymore. And then they just leave and go to somewhere else. All right, so I'm gonna give you one last tip for cyber deception. All right, this is a fun one and a little weird. What you can do is if you have a LinkedIn company page, so your company has a LinkedIn page and it has nine employees on it or 47 employees on it or 150 employees or whatever people who are associated with your organization. You can create a fake employee. You can go to AI and stuff and create like a fake face. You can create a fake background and history of that person, where they went to school and everything else. You can put like a fake about me for that person and then have them friend other people inside your organization. So where it looks like they actually work there. And what happens is attackers will scrape your LinkedIn company page. They'll scrape your LinkedIn company page and they'll find your first name and last name and they'll figure out the schema for how you do your emails and how you do your account logins. And that's where they start doing their password spray preparation, because they get all that account login information and then they start doing the season and year for every one of those people. Well, guess what? If Rebecca Johnson doesn't actually exist, if anyone tries to log in as Rebecca Johnson, all of a sudden you know you have an attacker who's doing a password spray against your organization and you just caught them, because nobody should ever try to log in as Rebecca Johnson. Okay? All right. 
So last one here is SIEM log analysis, which is like where you ingest all this traffic, all this information, all the security tools, everything into this one place. That's your SIEM log analysis. All right. So back to Mark, David, Mark and Heather. Remember I gave you a scenario that said you had an HVAC provider that was compromised. They sent an email three weeks ago and it finally made its way to the security team. So with all these things at your disposal, all these different procedures that you could do, what is the one thing that you would like to do first? Now, all of you go ahead and come off mute, go ahead and talk to each other. And you tell me after looking at all these things, what would you wanna do first? Also everyone in the chat, you can absolutely throw out the thing that you would wanna do first, but what is the thing that you would want to do first if this came your way? I'm thinking I would check my network logs. So Mark and Mark were in kind of the same place. You had either network threat hunting, so your network traffic, or firewall log review, okay? You can parse that into a database and you can look for similarities that would be potential sources. Yeah, and I would be looking at, as low hanging fruit, did anything come in from that HVAC provider and any IP address in their range? They may not have come, they may have gotten information there and come on in a different way, but that seems like an obvious thing to block. Okay, Heather, thoughts? Yeah. So I would consider that any passwords any staff used for that system could be used on the system they're using at work. So that would be a good time to, I believe that's the UEBA, check where those passwords were used. And it would also be a good time to find out if there were any other emails sent that could be a phishing scam from that company with links embedded that were sent while the breach was happening. Okay. 
Because that would, if the maintenance person did not read the breach email or got the phishing email before the breach email was recognized and sent, it's possible there's been something in our system for three weeks because he thought that email from our HVAC company was legitimate. Okay. So what you're gonna do is all four of you have to decide. You have to decide what's first and what's the one and first thing that you do. We don't do multiple things at a time. We do one thing at a time. And here's why. You're secretly building an incident response plan because you're like, well, I'd go to the network logs first or I'd go to UEBA first. And like whatever you choose to do, like that becomes your, not playbook, but like here's what we would do if we ever find ourselves in this situation again, we would do these things in this order. All right. So right now I have either firewall logs or UEBA. What do y'all think? I need a consensus. All you have to do great. I have to agree. Logs. Logs. Logs first. I think Heather has a great idea there, but I would say logs first. Yeah. Okay. So we're gonna look at the firewall logs. Is that where we're starting? All right. I need someone to roll the dice for me and let me know what you get. All right. I will roll since I've got it pulled up here, unless Mark with the C will. Okay. All right. Mark rolled a six. So I didn't wanna tell you what rolling meant yet because I wanted you to roll and then we'll talk about what it actually means. All right. So here's what happens. One through 10 is unsuccessful. So a six would be an unsuccessful attempt. 11 through 20 is successful. And if you're like, wait a second, isn't that just 50-50? Can't we just flip a coin? I agree with you. But do you see up here where it says established procedures and down here it says other procedures? Okay. So what happens is whenever you play this game, you get them, they just randomly give them to you. 
And here's why we give you some that are written procedures: because I don't know what your organization's like. I don't know if you actually write things down or if you just know stuff. So we're just gonna give you a couple to just say you write some stuff down. So what we're saying here is that you wrote down a firewall log policy. Like for reviewing firewall logs, you have it written down like here's where to go. Here's the wiki. Here's the form. Here's this. Here's where we wrote down how to do this. And you wrote down how to do memory analysis. You wrote down user and entity behavior analytics. And you wrote down endpoint analysis. Theoretically, right? I don't know for sure. So you get a plus three modifier for these procedures. All right. So these are written down. So you get a plus three. So you rolled a six, which plus three is a nine. Still not successful, but it did help, right? And so what we're trying to explain to all hundred and some of you right now is if you write things down, it will help you during an incident. If you write things down, it will help you in an incident. If you don't write things down, then it is a 50-50 chance. Like, I don't know if it might work, it might not. We'll see what happens. So here's the rest of us, right? Like there's a couple of things I write down at work, but I'm pretty sure if I got hit by a bus when I left today, no one would know how to do this right now. Like the thing I'm doing with you would just cease to exist here at my organization. And so nobody would know how to do this because I don't write it down. Now I'm not doing it for job security. I'm just doing it because I don't write it down. And we do the same thing all the time. We know how to do stuff, but we don't choose to write it down because we just don't choose to write it down. But if you do write it down, I can only imagine it's gonna help you a little bit. Mark. 
So you're talking about SOP, standard operating procedures that you have in place that anybody can go to and look at. That's what you're talking about, right? Yeah. And that people can find. Because I've done this with a lot of organizations where they're like, well, we have that. And then I ask other people in the team, do you know where to get that from? And they go, oh, oh no. No, I don't. Yeah, this game is good for, so a lot of times I'll play this game with sales and marketing for cybersecurity companies, because sometimes the sales and marketing people don't actually understand cybersecurity. They just know marketing or sales. And they don't know the thing that they're selling or the thing that they're promoting. And so this is a good thing to learn. So this is good for C-suite people if you wanna help them understand how cybersecurity actually works. This helps for users, if you want to teach them how cybersecurity works. It also works for high school and college students. All right. If you notice, I'm gonna put a three here. So you did firewall log review. I'm gonna put a three here, because it didn't work. And we have a three turn cool off period whenever you try to do something in Backdoors and Breaches. So for three turns, you can't use it. And here's why. Sometimes you try to do something and you can't, but you go talk to somebody or you ask better questions or you research or you watch a video on YouTube. And all of a sudden you're like, ah, that's the search query I need. So it's not that it never works. It's just that it doesn't work right now, because "never works", that's not real life. "Not working right now", that is real life. Okay. So whenever someone rolls badly, remember I'm trying to teach you all at the same time as we play this game. The second time you play, you would all understand this already. Like you would be like, I don't need you to say any of these things again. All right. So here's the thing. 
If you roll badly, then I would ask this question, and I'm gonna ask this question to every single person listening right now. So this question is for everybody in chat and especially for Mark, Mark, Heather and David. Okay. If someone rolls badly in this game, you ask this question. Can you give me a reason politically or financially or technologically or personnel wise why firewall log review would be ineffective at this time? Either politically, financially, technologically or personnel wise. Why would firewall log review be ineffective? Mark. Because it's already happened. It's in the past. So you've already got, you're just looking to see if it happened, but it probably may have already happened. And so you wanna start looking at compromised systems or whatever. Yeah. It could be that it's in the past, you don't have those logs or you don't know what you're looking for in those logs at this time because you don't have enough information. What else could it be? So Sue said, not enough time or personnel. Sometimes people aren't like, you have a firewall person. You don't have everyone's firewall people. And so that firewall person's like, I can't get to it right now. I have to do these other things right now. I have to run these roles right now. I have to do these things right now. Like, I can't. Logs could be cleared, possibly. Someone went in and removed them. You don't know what to look for. It's possible. You don't know what to look for once again. So here's the thing. Every time you can potentially write something down that you could figure out that's either political, financial, technological or personnel-wise, that is a potential finding for you to make improvements on. Like today, when I talked about the 15 character password, passphrase, like that's a thing that might be the thing that you try to fix. And every time you have a failed login or a failed roll or unsuccessful roll, you can ask that question. Why would this be unsuccessful? 
And your team will know, Heather, your team will know. Mark, your team will know. David, your team will know. Helen, your team will know why they would be unsuccessful at this time. And those are reasons to get training. Those are reasons to invest in a tool. Those are reasons to invest in things like this right now. All right. So what would you like to do next? So we tried firewall log review. Heather mentioned UEBA. So since firewall log review was ineffective at this time, do you wanna go UEBA or do you wanna think about something else? I'd like my team to try it if anyone else is. Yeah, I think we should. Okay. Heather, go ahead and roll the dice for us for UEBA. Six. Oh, I get it. All right. It also is one that you have a written procedure for. It did not work. So I'd ask the same question for UEBA. Can you give me a reason politically, financially, technologically or personnel-wise why UEBA would not be effective at this time? I'm gonna skip that for now so that we can move on to the next turn. So if UEBA is not working for you, firewall log review is not working for you. What would you try now? What about the network threat hunting analysis? I know it's not one of our written procedures, but... You still use it. You just don't get a plus three. Anybody else in the chat wanna throw out something? So we can look at both established and up. Absolutely. You just don't get an advantage. I missed that. I like server analysis. Kevin also thought about threat hunt. Network threat hunting. Emily is going with server analysis. One thing I wanted you all to notice while you're thinking about this is that when Heather and Mark were discussing firewall log review and user and entity behavior analytics, they were giving the reason why they were looking for it and why they wanted to go in that direction. As they were explaining what they wanted and why they wanted it, it was creating knowledge transfer from one person to another on the team. 
And so sometimes you'll be playing with people who are less knowledgeable than you on certain tactics. And as you're explaining them, you're also teaching them at the exact same time why you would do something and what you're planning to do and what for. All right, do you have a final thing? Cause we gotta wrap up here in just a second. Yeah, I want to server analysis. Plus one for server analysis. Okay. I'm going to have Mark roll the dice for us. I got two Marks here. Yeah, Mark with the C. All right, nine. Nine. Plus nothing. Okay. So that would be a failed login attempt or a failed opportunity, and I would ask you the same question. Can you give me a reason politically, financially, technologically, personnel-wise? Now the other thing too is since you have three failed rolls in a row, you get an inject card. So inject cards come into the game if you roll a 20, a one or have three failed rolls in a row. And right now if you're like, I can't keep track of all this stuff. There's a lot of things to cover. If you go to backdoorsandbreaches.com we have a how-to video. We have an explanation visual guide that you can follow. So don't feel like you're losing out today if you can't remember all this stuff. Cause it does take a little bit and you can watch this video right here. It's with me and a bunch of other people. You can learn a lot about cybersecurity and incident response just by watching this video alone. And so you can totally do this. Hi, Joe. Question for you. This scenario, the email says, hey, you know, we're your HVAC company. We saw a breach that we think was completely under control. What if they're right? It was completely under control. Is that something that's covered in the game? I mean, I'm assuming in the real IT world you have to cover all your bases. You have to be looking for this just in case it was not taken care of. But what's to prevent you from going on a wild goose chase looking for something that doesn't exist? 
It is possible to go on a wild goose chase to find something that does not exist. But you do want to look through and run through your protocols and just see if you can find something. If not, then you just say, you know, we took care of it and we moved on. But I've learned over a period of time that sometimes you find a breach by looking for a breach. That by looking for this one thing, you actually find something that's been there much, much longer. And so sometimes looking for an incident, you'll find an incident. And I didn't have to give you a scenario that has anything to do with this actual scenario. You just started looking because I gave you something to look for. It doesn't mean what you find has anything to do with the email or the HVAC provider. Okay. All right, so I'm gonna wrap up right now. Here's the part that we were missing. Let's say you were doing network threat hunting and you rolled successfully. Then I would have said that HTTPS was being used and you had three systems internally that were beaconing out to the same malicious IP address. Okay, you had a system in accounting, you had a system in marketing and you had a system in sales that were all beaconing out. Do you see where network threat hunting is on here? So if you had a successful roll, I would have shown you network threat hunting. Now, from that, you'd be like, oh, crap, that's not good. And so you would then try to figure out, and then so maybe you go to your SIEM to see where those three systems, like how that worked. And if you rolled successfully for SIEM, I would have shown you that the attackers used Kerberoasting to get from one system to another. So it's a thing called Kerberoasting. If you've never heard of it before, I highly recommend you look up Tim Medin and Kerberoasting. It is fascinating. He figured out how this all worked. So if you look up Tim Medin and Kerberoasting, you'll learn all about how Kerberoasting works. 
This is a great way for attackers to get from one place to another. And then if you kept looking and you did user and entity behavior analytics successfully, I would have shown you that it was a trusted relationship. It was absolutely people who used that compromised account from your HVAC provider to get access into your environment. From there, they used Kerberoasting to get to those three systems that are now beaconing out to the same place. And then if you look at those systems, so you would use endpoint security protection analysis to look at those three compromised systems, then you would have found out that they have firmware that's been updated with evil. And so the attackers, once they got onto those systems, they updated something that they could through the firmware so that they could keep coming back in on those systems. So this is how you got robbed today. We didn't get a chance to run through everything. A session normally takes about an hour to go from beginning to end. Today I spent a lot of time teaching you about the game itself and also about cybersecurity and touching on things that I thought would be important for you to learn today. And with that, do you have any questions? Cheryl asks, is a 15 character password suggested for logging into your computer or every place that you use a password? Is it okay to use the same password every place? So don't use the same passwords. At this point, use a password manager to keep track of all your different passwords. I would say any account that you very, very much want to protect, you would use a passphrase for, if it's like logging into your favorite shopping site or so. Like if it has your credit card information on file, I would use a 15 character password. But if it's just a like, I just signed up for this account, it doesn't really matter to me if it gets compromised, then I would use a, I don't know, use an eight character, nine character password. A good password manager, we currently use Secret Server. 
We like Secret Server, we like it very, very much. We went through a very long vetting process after LastPass got breached and we decided to work with Secret Server. So we're a cybersecurity company. If we get breached, that's very, very, very bad for us. And so we went through a very long, intensive process to evaluate password managers and we settled on Secret Server. So we definitely like them. What's my take on password managers like LastPass and 1Password? I would go with Secret Server, if you can. A password manager is better than no password manager, but right now LastPass I would not use. So your Outlook Microsoft account for your school keeps getting hacked; other than double authentication? First of all, double authentication for sure, and not push notification double. So you don't wanna use push notifications for MFA. So multi-factor authentication. The reason why you don't wanna use push notifications is because attackers like us, we can keep just sending the push notification to you, to you, to you, to you, to you. And so you finally go, fine, yes. And then we're like, ah, cool. So we get in. So it either has to be through SMS or through Google Authenticator. That's what they keep doing. They keep pushing, not pushing and pushing and pushing and finally they get in. So other than MFA, anything else? So MFA is great. So remember it's security in layers. Getting in is not necessarily the problem. It's what they do once they get in. And so we always get in, right? So we're a pen testing company, we always get in, but it's who catches us once we get in. So taking a look at your SIEM, taking a look at user and entity behavior analytics and getting those to where you can actually do, they're tuned. I do recommend the cyber deception because if you can start implementing cyber deception in your environment, then you can trip up hackers to the point where they'll get in cause you wanted them to get in and then once they get in, you can then kick them out. 
There's a new system. They're talking about implementing it at my job, where instead of, somehow now the direction of the numbers is reversed. So instead of them sending to you and, you and I haven't seen it, haven't done it yet. But right now they send out a number to your cell phone and then you key it in on your keyboard. Somehow they reverse it, which is supposed to work better. Yeah, SMS is better than push notifications, but we can do SMS spoofing. It costs about $10,000 to do. So it's not cheap to do SIM cloning. That's what I meant to say, SIM cloning. So if you really want to get in some place, you can spend the money to do so. Before we wrap up today, Mark, Mark, Heather, David, thank you so much for being our volunteers today. Kevin, thank you so much for having me here today. I'm sure you have a lot more questions. Kevin, if you want to invite us back in the future, you totally can. And we hope that today was beneficial to you in some way. Yeah, I can't thank you enough, Jason. Having the opportunity to have an interactive event was just awesome, the participation. Everybody that's joined us, it's been amazing. If there's a way, if you wanted to just toss in or just even mention your organization like contact or anything to that effect, you certainly can feel free to. Hopefully this was a very informative session for everybody. No matter where you sit in the IT knowledge spectrum, being proactive is the thing to do. You talked about MFA, but as an individual having ownership over your account credentials, you would treat it just how Jason was talking about your home earlier in his earlier example: you have the keys to your accounts. IT teams can help protect you to great degrees, but that does not mean that you are quote unquote safe. So practice the same type of mindset that you would if you had your kids at the park as you would when you're engaging with your various application endpoints. 
So I will hold off on throwing out the last couple of slides, I'll just verbally let everybody know that we will be having our next virtual office hour session on the 20th of April. We are actually going to be having guest speakers again. We're gonna have a panelist group of IT administrators talking about their experience with onboarding Microsoft 365, the good, the not so good and everything in between, and an open Q&A for individuals to come in and ask questions about that platform. So with that, I thank all of you for joining us. I'm going to toss my personal email in the chat, as well as our team at customer success at techsuit.org. This recording will be disseminated next week along with the slide deck. Again, the focus of this session was Jason's amazing performance and demonstration. And we look forward to you joining us next month. Take care. Thanks everyone.