You are a cyber-security auditor and investigator. You have been hired by the CIO of Newb-Tech to investigate a security breach that resulted in a denial of service. You will be tasked with investigating the people associated with the breach, the places associated with the breach, and the affected servers themselves.
You have been asked by the CIO to maintain discretion while you investigate the breach. You are limited to 6 actions. You must identify 3 things:
1. The method of the breach and the type of security control that failed.
2. How the breach occurred.
3. The person responsible for the breach.
When you find the information, or when you exhaust your action tokens, you will present your findings to the CIO.
[[Choose a path for investigation]]
(set: $ActionTokens to 6)
(print: $ActionTokens)
You enter the building and may investigate the following individuals:
[[The Server Administrator]] who was shown as having been logged into the server near the time of the outage.
[[The Secretary]] at the front desk who may have seen an intruder coming and going.
[[A helpdesk technician]] who works in the offices and was affected by the outage.
You may investigate [[The entrance to the building]]
[[The server room]] where the compromised server sits.
[[The Helpdesk Station]] connected to the server room.
[[The Compromised Server]]
[[The security Camera Footage]] collected from the time of the outage.
[[The server room log]]
The Server Administrator
"I was logged into the server at the time of the breach, but I didn't cause the outage. We had a maintenance window that was scheduled well in advance of the breach..."
"We're not sure how an attacker might have taken advantage of that, we send notices to all affected parties with processes running on that domain controller so anyone on the helpdesk would have known about it."
"The outage started after the upgrade from Windows Server 2019, if that helps. We didn't have a snapshot on hand of the old system or we would've just reloaded that."
"The server is fairly old, and we didn't keep a configuration or security baseline on hand in case things went wrong. We figured that the server was going to get replaced soon anyway, ya know?"
[[Server Admin Notes]]
"Did I see any weird people about...you mean besides you?"
"Look, kid, I see weird people all the time. The front door key-card reader hasn't worked in at least a year and no one is poised to do anything about that. The main walkup is dark as all get up and go...you figure it out."
"I don't get paid enough to notice things, and frankly neither does anyone else around here apparently. I would take it up with the tech guys. They know more than I do."
[[The Secretary Notes]]
"Outage, eh? Doesn't surprise me, this place doesn't have the budget to pay anyone anything."
"If you ask me, and since you're asking...the place could do with better management...more specifically, yours truly. Clearly I'm the only one who knows anything around here and I don't get paid enough to care."
"They laid off half the helpdesk last month. Good people, people who knew the business ya know?"
"Yeah, why don't we just leave the server room door open and see who can do what!"
[[A helpdesk technician notes]]
You observe that the keycard reader to the front of the building has been tampered with and is likely not functional.
You observe that the entranceway is dark and poorly lit.
There is one camera facing the entrance of the building, but its positioning seems suboptimal.
[[The entrance to the building notes]]
The server room door bridges the helpdesk station room to the server room.
The door has a piece of metal affixed to the strike plate to prevent the door from fully locking.
There doesn't appear to be any kind of alarm system attached to the server room security door.
The server room is a tangle of poor cable management and servers stuffed into racks. There are no labels to be seen.
[[The server room notes]]
The helpdesk station connects to the server room by a security door. The security door requires a keycard for access.
There are 7 cubicles, but only 3 helpdesk employees are present after a series of layoffs.
You observe a very frustrated helpdesk technician on a phone with many blinking lights.
Each station is equipped with a few monitors and a laptop with a docking station.
[[The Helpdesk Station notes]]
You observe that the server has a USB dongle physically attached to the device.
It has a network cable running to the NIC and the power light is green.
After logging into the server you can see that the server administrator account was added to the helpdesk group, a group that should never hold an account with super-user level permissions.
You can also see that additional software was loaded onto the system during the server upgrade maintenance window.
[[The Compromised Server notes]]
The security camera footage shows the server administrator enter the building, then enter the server room.
There is nothing else of note.
[[Security Camera Footage notes]]
The log is blank. It hasn't been filled out in some time.
The last update was from a year prior to the outage.
The name on it is smudged out and illegible.
[[The server room log notes]]
This is a good line of inquiry, but ultimately unhelpful. The server administrator knows that the outage occurred during his upgrade window. That upgrade window had been scheduled in advance, and affected users would have been privy to that knowledge. There is useful information here, such as the fact that the organization didn't have configuration baselines, templates or backups. This is a good indicator of the overall cybersecurity posture and of the knowledge level of the support staff and network administrators.
[[Choose a path for investigation]]
You want to be discreet, so the secretary would not be the person to ask about an ongoing investigation. You didn't walk away empty-handed, though: organizations that suffer breaches of this kind usually share other factors. Disengaged employees who aren't security-oriented, or who are indifferent to the organization, can create the conditions for security breaches, and that is what we have here.
[[Choose a path for investigation]]
The helpdesk technician may never admit guilt, but the circumstantial evidence is certainly stacked against him:
1. He doesn't make enough money.
2. Half of his staff has been laid off.
3. He feels underappreciated and unrecognized.
These are the hallmarks of a motive, and a good indicator that you may be dealing with an insider threat.
When evaluating insider threats we have to consider a few things:
1. Access: How would an insider threat gain access to a device?
2. Motive: What is the potential motive of an insider threat?
3. Capability: Would this insider be able to navigate the systems and create the kind of breach that we have seen?
Good work!
[[Choose a path for investigation]]
Broken keycard readers, bad camera placement, and darkened entrances invite bad actors. Bad actors feel more confident attempting a malicious action when the conditions look easy to navigate. Most crimes are crimes of opportunity, and for an IT company to have poor physical security will inevitably invite trouble. It is also indicative of the type of organization you're investigating. This information is useful, but not necessary to understanding this investigation.
[[Choose a path for investigation]]
A server room with compromised security is a red flag. We know the door had a keycard reader but no alarm system. Someone ensured that the door would never fully latch by fixing a piece of metal over the strike plate. This is likely how our intruder gained access to the server. It doesn't tell us when they did it, but it does explain how. Good job.
The other observations point to the poor performance of the organization's IT staff and the general unreadiness of the environment.
[[Choose a path for investigation]]
Recent layoffs and empty cubicles can point to a downsizing business. Frustrated staff are usually unhappy with their work environments. This can point to a motive for causing the outage. It is possible this is an insider threat. If you haven't already, you may wish to consult with the helpdesk technician.
[[Choose a path for investigation]]
The server had a USB dongle hanging out of it. USB access hasn't been blocked by the administrators on the server. This is a poor security practice and possibly the method by which the software was installed. It may have been pre-configured to launch after the operating system updated during the maintenance window. An insider may also not have had sufficient credentials to load the software and, as a result, may have needed to add the server administrator to the helpdesk group in order to load it!
We're looking at two parts of the attack, then:
1. Privilege Escalation: By adding the server administrator to the helpdesk group, the attacker put that account within reach of helpdesk permissions and used its credentials to escalate the privileges of their own account.
2. Software loaded via USB: The attacker used a USB drive to load the malicious software onto the system, which may have been pre-configured to launch after the upgrade.
We have our "how" for the system compromise. Good job!
We just need to find out how the attacker gained physical access to the system and who the attacker was.
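The checks an investigator would actually run on the server to confirm the two findings above, as an added example that is not part of the original story: a PowerShell triage script for the domain controller. It assumes the helpdesk group is named "Helpdesk" (a hypothetical name), that the ActiveDirectory and ScheduledTasks modules are available, that the maintenance window is passed in as parameters, and it relies on the standard Windows security event IDs 4728/4732 (member added to a group) and 6416 (new external device recognized).

```powershell
<#
Added example, not from the original story. Assumptions: the domain group is named
"Helpdesk" (hypothetical), the ActiveDirectory and ScheduledTasks modules are installed,
and the maintenance window is supplied by the caller. Run in an elevated session on the DC.
#>
param(
    [string]$HelpdeskGroup = 'Helpdesk',                 # assumed group name
    [datetime]$WindowStart = (Get-Date).AddDays(-7),      # start of the upgrade window
    [datetime]$WindowEnd   = (Get-Date)
)

# --- Finding 1: privilege escalation via group membership -----------------------------
# A helpdesk group should never contain a privileged account. List any overlap between
# the helpdesk group and the built-in privileged groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'Schema Admins'
$privilegedMembers = foreach ($g in $privilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty SamAccountName
}
$helpdeskMembers = Get-ADGroupMember -Identity $HelpdeskGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName
$overlap = $helpdeskMembers | Where-Object { $privilegedMembers -contains $_ }
"[Finding 1] Privileged accounts inside '$HelpdeskGroup': $(($overlap -join ', ') -replace '^$', 'none')"

# Who added the member, and when. 4728 = member added to a global group,
# 4732 = member added to a local group. Property indices follow the event schema:
# [0] member name, [2] target group, [6] subject (the account that made the change).
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4728, 4732; StartTime = $WindowStart; EndTime = $WindowEnd
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'Member';  e = { $_.Properties[0].Value } },
        @{ n = 'Group';   e = { $_.Properties[2].Value } },
        @{ n = 'Subject'; e = { $_.Properties[6].Value } } |
    Format-Table -AutoSize

# --- Finding 2: removable media allowed on the server ---------------------------------
# USBSTOR Start = 4 disables the USB mass-storage driver; 3 (the default) allows it.
$usbStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start).Start
"[Finding 2] USBSTOR Start value: $usbStart (4 = blocked; anything else = removable media allowed)"

# 6416 is logged when a new external device is recognised. It requires the
# "Audit PNP Activity" subcategory to be enabled, so an empty result is not proof of absence.
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 6416; StartTime = $WindowStart; EndTime = $WindowEnd
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Device'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# --- Finding 3: software and scheduled tasks created during the window -----------------
# Software that registered an uninstall entry on or after the window start (InstallDate is yyyyMMdd).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.InstallDate -match '^\d{8}$' -and
        [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null) -ge $WindowStart.Date
    } |
    Select-Object DisplayName, InstallDate, Publisher |
    Format-Table -AutoSize

# Scheduled tasks authored in the window: a task that fires after a reboot is one way to
# make dropped software run once the upgrade completes. Date is the task's creation stamp.
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $WindowStart } |
    Select-Object TaskPath, TaskName, Date,
        @{ n = 'Execute'; e = { ($_.Actions | ForEach-Object { $_.Execute }) -join ' ' } } |
    Format-Table -AutoSize
```

Run it as `.\Triage-Server.ps1 -HelpdeskGroup 'Helpdesk' -WindowStart '2023-01-14 22:00' -WindowEnd '2023-01-15 02:00'` (file name and dates are illustrative). Each section is independent, so a missing module or a disabled audit subcategory only blanks that section rather than aborting the script; treat an empty 6416 result as "not audited" rather than "no device".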
[[Choose a path for investigation]]
Most intruders aren't going to be on premises when they attack a system. Many processes can be automated or scheduled to run at certain times. There may also be mitigating factors. It may help to check security camera footage, but in this case it becomes intrusive and less discreet. It also doesn't tell us anything we don't already know about the events of that night.
[[Choose a path for investigation]]
Server room logs ensure that people entering a secure area like a server room record their presence, but if the logs aren't being used consistently they have no value. Without other physical security tools such as cameras, guards, badging or other entry data, a sign-in log on its own won't record anything important.
[[Choose a path for investigation]]
[[People]]
[[Places]]
[[Devices]]
(set: $ActionTokens to 6)
(if:(history: where its name contains "Server Admin Notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The Secretary Notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "A helpdesk technician notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The entrance to the building notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The server room notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The Helpdesk Station notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The Compromised Server notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "Security Camera Footage notes")'s length is 1)[(set: $ActionTokens to it + -1)]
(if:(history: where its name contains "The server room log notes")'s length is 1)[(set: $ActionTokens to it + -1)]
Action Tokens: (print: $ActionTokens)
(if:$ActionTokens is 0)[(t8n-depart:"blur")+(t8n-arrive:"blur")+(t8n-time:1s)(click-goto:?page,"CIO Office")]
You enter the CIO's office to discuss your findings:
The CIO: "Welcome, I hope we can go over the evidence and discuss the security situation further."
(if:(history: where its name contains "A helpdesk technician notes")'s length is 1)[The CIO: "We certainly have our culprit!" Understanding the motives of an attack, and more specifically, recognizing an insider threat can help us improve our security posture. Good job!]
(if:(history: where its name contains "The Compromised Server notes")'s length is 1)[The CIO: "We know how the culprit was able to attack the server! He ran a malicious program with an elevated access credential attack that was timed to run on the server. He may not have had the permissions on his own account to make changes to the server, but he knew the server administrator would, and by adding that account to the helpdesk group he would be able to change the password, thus allowing him to install the malicious software, from the USB device, that caused our outage!" Good job!]
(if:(history: where its name contains "The server room notes")'s length is 1)[The CIO: "We now know how the culprit was able to access the server room! This will help us improve our security posture moving forward. We need to teach staff to recognize physical security measure bypasses: latches that don't work, unknown people in secure areas, and relaxed reporting procedures can all contribute to poor security conditions, allowing a malicious actor to create problems." Good job!]
(if:(history: where its name contains "A helpdesk technician notes")'s length is 0)[The CIO: "We still don't know who was responsible for the attack, though we have a good idea based on some of the information we found. It is possible, however, that there was an outside threat, and our poor security posture has led us into a situation where security controls and accountability are lacking. This is troubling..."]
(if:(history: where its name contains "The Compromised Server notes")'s length is 0)[The CIO: "We still don't know how the attack happened. Did they attack the server directly, or was it a network attack? Could the attacker have had outside help? Did it involve malware, or was data manually deleted? This is something we will need to explore in detail if we choose to analyze the security posture again in the future. This is troubling..."]
(if:(history: where its name contains "The server room notes")'s length is 0)[The CIO: "We still don't know how the attacker accessed our server. The attacker may have assumed our weakened security posture created an opportunity for a remote takeover of the server. They may never have even approached the server physically to make a connection. We have ideas about how our security posture has led to inefficiency and poor management of security controls, but nothing conclusively states how the attacker was able to gain physical access to the server. This is troubling..."]
The CIO: "We did learn a few things about our security posture: employee attitudes towards security, systems security compliance, and employee security education. We also learned more about our physical security measures: cameras, door locks, secure areas and lighting. And we learned about our technical security controls: identity and access management, device security management, and data integrity. We certainly have much to consider...Thank you."
You may choose to restart to see all the endings:
(link: "Restart From the Beginning")[<script>document.location.reload();</script>]