
It's Game Over Man — How to Train Your Blue Team

BSides Kristiansand · 2026 · 28:46 · 8 views · Published 2026-02

Transcript [en]

after I close the door.

>> The duck is still locked in. I have to find another way. Paul, to present his presentation. Now, Paul, we have Nino here. He's going to be your guide for time. >> That's good. You probably have to do it like this, because I have a pen, not to notice. >> Do you want me to shout [laughter] from the top? I can. And I can shout very [laughter], but I'm very excited for this talk. It's going to be fantastic. And I hope you guys are having fun. If you're having fun, can I have a woot so we can get some vibe in this room? Very soft. >> Very excited. >> You know, I was going to give out

special cards, but we'll have to try that next time. [laughter] >> Okay. So, um, how to train your booty. All right. Game over, man. First I want to introduce you to a character from, I guess, the early 90s. It's Glo the Cheese Maker, my role-playing Chaotic Neutral Dwarf, my companion in crime back in the days when I used to do role-playing the old-fashioned way, with paper and dice. Anyone here playing games the old-fashioned way, or digital? >> Fion. Yeah, dude. So I have some partners in crime. So basically I'm just introducing this character in the beginning because I have always learned that when you do storytelling you

shouldn't have any characters popping up at the end out of nowhere. So this is just... he will return to this story. So >> incidents, right? We love it, especially when it happens to someone else. Like the CrowdStrike one last year, that was kind of, yeah, okay, this is good, this is fun. Millions of people stranded at airports, raising havoc all over the world. Me sitting at home with a glass of wine, just enjoying the chaos, right? I guess anybody else enjoys security incidents on the internet until it happens to them, right? Yeah. >> Because when it happens to yourself, it's more like this, right? There's crying, there's wailing, there's people running around waving their arms. There

are... you have your manager over your shoulder saying, "Okay, what's happening? What's going on? Why are all these people getting emails? Why doesn't my system work?" Right? Your team is just up on the roars in the chaos, running back and forth trying to figure things out. So, then again, back to that later. This is me, right? This is me, Paul. That is my home office. This is a forensic treasure chest, I guess, because the reason for producing this image is that it tells a lot about me, right? I'm a... I love Doctor Who, fantasy, Linux here, football, you name it. If you could also look at the

bookshelf, you will also see cartoons like Disney, Donald, etc. So, I work for a company called Globe Team. I do what I do. I'm a CISO for hire. I do training. I have experience from no script, when I headed up the internal blue team. But then again, this talk is not about me. It's about avoiding this scenario, right? Because if something happens to you and you end up like this, you would be like, yeah, sorry... you would be like this. You would be the guys who just fend off the security... like, you laugh at them: ah, bring it on, we'll just sort this out, right? There it will be

happy days, because when it's happy days you can still do this: gloat as the other company's burning down on the side, right? Because you have the best team ever, and you can spend your time on the internet looking for security incidents, traveling the world, finding them. So, thinking about finding them, I asked, as everybody does, I asked ChatGPT: okay, where in the world can I find security incidents? >> And also, by the way, I asked ChatGPT to draw a self-portrait. Mhm. >> Ending up with Marvin the Paranoid Android. It might have had something to do with my story with the chest that day. Anyway, surprisingly enough, it's red everywhere, right? Security is everywhere. This light shed a red... not

yet. >> So, you can go over there if you want to have a fight. Sorry. And this also goes back to the part with role-playing games and building scenarios, because at least what I usually do when I build [clears throat] the role-playing scenarios, I always start with a map, right? I draw a map after I figure out, okay, where are the bad guys? Who are the bad guys? Where do they live? By the way, this is rookie mistake number one. When you do presentations, never have something moving on your presentation. Never use flashing lights, because then people start looking at the presentation instead of listening to what you're talking about. So that was a

presentation advice. Well, you still have the lone hackers. It's not many of them that cause a lot of mischief, but they're still out there. You have the... I was wondering, is it possible to turn on the fault lights a bit, because it's... >> It's by you, and you should mind me coming around that side and pressing. There we go. There you go. >> No, that's wrong. [laughter] Okay. Yeah, because I spent a lot of time on this ChatGPT illustration. That's important. >> I respect that. Those courts took me a month to... >> because you have to argue, right? >> Yeah. >> Yeah. >> Okay. Back to the presentation. So, yeah, you have crime as a service. You

have really bad guys. This is serious stuff. It's criminal gangsters. It's the Russian mafia that is trying to get into your systems. And if that isn't enough, you have these guys, right? State actors, the North Korean army or the Chinese army trying to penetrate your systems. >> Or the US. >> Or the US. As I usually say, you have to choose the flag on your back door. >> Is it Chinese? Is it Russian? Is it German, French or American or UK? That's... yeah, everybody wants to get in. But then again, back to those guys, that's a huge part of their state economy, right? To target companies and to blackmail them with

ransomware and steal their cryptocurrency. And when those guys are at your doorstep, you don't really have a chance. You might have all this fancy stuff to protect your system, right? You have actually acquired the latest in AI to protect your network, but it will fall right like dominoes. It will be gone, and those guys start attacking you. So you should assume breach, right? But no worries, because you've got this crack blue team. Everybody's got this crack blue team, like the superheroes that are fending off the attackers. Well, at least some companies have crack blue teams, or some of the professional security companies have crack teams that you can hire. Most IT looks like this, right?

And this is... we can laugh at the IT Crowd, but it's a generic, real kind of IT, because everybody knows those guys, right? They're doing their best to cope with everyday IT stuff, and IT security isn't necessarily the main thing, and then you end up with this, because you don't have this crack routine. You will have, again, crying and chaos, waving arms. You will not be able to gloat, right? Because you have enough with fixing your own [ __ ]. So then you have to build a blue team. And how do you do that when you don't have a set of security professionals that are already experts in fighting off

cyber criminals? Why am I speaking about blue teams? Has anyone of you been to DEF CON? Yeah, of course. [laughter] Have you seen the line outside the red team village? It's insane, because everybody loves red teams. That's the sexy part, right? Have you seen the line outside of the blue team village? No, we haven't, because there isn't a line. But that is actually where the exciting talks are, because that is where you talk about defending your ship, right? So if you ever go to DEF CON, it's highly recommended to spend some time in the blue team village. So yeah, you don't simply build a team, because it's not like you can walk around in the forest and then you

suddenly come by this band of wannabe heroes that you could just kind of shape into your mold, and they will instantly be able to defend, right? And step up to it, because you're still back to this. I [clears throat] know I have a timekeeper, but I still need to... >> Yeah, you still have this shape. So, um, but you could actually train them, right? But there is a medicine. There is a super elixir, right? Super powers. You give this to your team and you just add some training, and you will have the most awesome blue team ever. You will have a coherent team that

knows how to work together. You can predict each other, right? So just get this elixir and add some training. So how do you then add this training? Well, now it comes to kind of channeling your inner game master or dungeon master, right? You go into a meeting room, you find your whiteboard, you have this idea up in your head. Maybe it's been a previous incident, or something that happened to the company next door. You start mapping it out on the whiteboard, right? You kind of try to fit it into how an incident actually works. Maybe start with a phishing email. Okay, how does that lead to intrusion and

lateral movement in your system? You start to kind of shape this scenario. Now, it's important that you don't write the whole script, right? You just kind of envision, okay, this is where I want to go. This is my start, because this is when the role-playing game part starts coming in. This is when you introduce playing cards and dice, right? And then, at least for me, it takes me back to the early 1990s, sitting in the basement playing role-playing games with my friends. This is actually me. It's not a ChatGPT image. It's been a bit enhanced because it was taken from an album, but it's me with my

trusted Sharp M720 computer. My first computer, got it for Christmas in 1996. [clears throat] So yeah, back to the role-playing part. So what you need for this, and this is also the wonderful thing about this whole concept: it's cheap. You don't have to hire some expensive consultants from Sopra Steria, Accenture or EY to help you with this. You could go to the closest shop, buy some dice, or you can get them online, right? And dice are important, because they will fork the story. >> I love this one, right? And you will have multiple forks. But yeah, it's essential, right? Because usually, or often,

when you do tabletop exercises, you have this script that is linear. You're moving from A to B to C, etc. This will introduce some randomness into your game. And then you have this card deck. I want to show you afterwards where you can actually get one of those card decks, but you have a card deck where you start with the initial attack, and you also have a set of something really, really sexy called procedures. Yeah, everybody knows procedures, right? But the procedures in this game, that's everything that's kind of... that's your XDR endpoint protection, your

CDN, your SOC, your firewall, etc. So that is what you use to defend. That is what the defending team holds in their hand. Those are the blue team cards, right? So you, as the game master, start off with the initial attack. Maybe you decide, okay, my scenario, that is phishing. Quite a common attack, right? So what happens when we do this is that, okay, you as the game master say there comes a call from the service desk, right? They tell you that they have multiple phishing emails coming in. They want to know what to do. What is going on now? What are we going to advise our users? So then you

hand that off to your security team, who sit in the room with you in this game. Maybe you have told Kai yesterday: you are the incident manager. So you have to lead up. You have to sort this out, right? What do you do? You get a phishing email warning from the service desk. Then she has to figure out, okay, what procedures do I have to follow here? What can I select from? It might be endpoint protection, to figure out what is actually happening here on the endpoints. It might be the SIEM, to see what kind of triggers it has, or what kind of events it has triggered. It might be getting

reports from the SOC. So basically then the team has to discuss between themselves: okay, what are we going to do? What are we going to do in this situation? Do we have a procedure for this already? Can we follow it? And then they all land on, okay, let's, you know, check the SIEM to see what's happening on the clients, on the side, right? And then, to introduce the randomness, you ask them: okay, you can do that, but you have to throw a die first, and you kind of give them a 50/50 chance of success or not. Because, as we know from handling security, it never goes... nothing ever

goes as planned, right? There's always some hiccup. There's always something that doesn't work, right? There is some guy that is off on holiday or something like that. That's why you introduce this random part of a die, because you can say, okay, let's throw a die on the SIEM part, and then it fails, right? Then the team has to discuss: okay, why would that fail in our organization? What kind of procedures are we missing? What kind of persons are we dependent on, right? You get that discussion, and also you want to trigger that discussion even if it was a successful throw, because you want to

teach the team about your organization, right? You want to trigger that discussion between the team members, because that means that they will also learn from each other. They will learn how the other members of the team think, and you want to keep that discussion as informal and as low key as possible, because one important part here that I didn't mention is also that it is allowed to fail, right? This is low key. It's meant to be fun and entertaining. So yeah, and then you move on to the persistence phase, right? Next card, same thing. But you could then introduce that, okay, for persistence, the phishing email, when you click on it,

it sets some malicious email rules, right? It starts to fiddle with the rule sets in Outlook, and maybe it's all emails, etc. Same thing goes here. The team has to figure out, okay, what kind of procedures do you have? You try to figure out if it's successful or not. And then the next phase, you get the drift, right? And maybe then things are going to... you turn up the heat, right? It's not only emails getting forwarded or deleted; actually, when you click on this, it will download and install some malware, and let's say that you are the team that is responsible for a couple of thousand users,

then it's going to be really, really, really painful. But then it's back to this guy, right? The chaotic neutral... my chaotic neutral role-playing friend from the '90s. At least when I do this, he kind of comes back and taps me on the shoulder: hey, let's introduce some chaos. Let's have some fun with your team, right? Let's do injections. All right, this is the fun part when you are the game master for this, because this is when you can really, really mess things up, right? Your team might have plans. They feel that, okay, they had malware, but yeah, we have endpoint protection, so we have successfully rolled the dice and that

and it works, but then you come in and you play the injection card saying that, no, endpoint protection doesn't work, because maybe it's down for maintenance or something like that, or there's something with the, you know, the authentication to the console, so you're not able to log in. You can say that. Oh yeah, but the team responsible for endpoint protection, they are actually at a conference. >> That's fine. They're not able to help us right now. We are currently calling them, but they are out drinking beers in Vegas or something like that. Or you could have, maybe, the management has said that, by the way, that critical

security patch that you wanted to deploy before the summer, we have accepted the risk of delaying that until after the summer vacation, because we don't want the risk of systems going down now just before the summer, meaning that your system is wide open to some sacment. Or you could also have a card saying that, okay, Kai, you're the incident manager, but you have to go out of the room now and brief management. So then the team has to do without you for a while. So you can throw all kinds of weird stuff into that part and just see how they react [clears throat] and see what happens when their best

laid plans just vanish into thin air. [clears throat] And because of that, you could introduce a separate track, right? You have the first track, which they thought was the main event, but maybe then you could introduce, as a part of the injection, a separate track just to rock things up a bit, and then you could do, kind of... maybe it was a supply chain attack. Maybe the reason for the endpoint protection not being available was that the provider of that service had been hacked. Imagine that you have some sort of SaaS console or some service that provides protection, and then that service provider was hacked and used to

attack you. That could be a scenario on that card, right? And that is not that far-fetched; that happens from time to time. Or maybe they did the kind of CrowdStrike thing, and the endpoint client that they deployed was really messed up and messed up the whole system. So, if you see your team is coping very well with the first incident, you can throw that in, right? To get another one, because then they have to think a bit and reorganize and discuss: okay, how are we all going to cope with this? Is this related to the other attack? Is it two different

things? Do we have to split it into two war rooms? And then you start to get into the end part, >> the C2 and exfiltration part, right? And still, it's all about the procedures, and they have to discuss and select what they are going to do and how they are going to proceed. So that is the whole important part, right? To mention procedures and discuss what we actually have as a company, and if they were successful... sorry, if they were successful, why would that be, right? Why is it that we can't set the firewall rules? Maybe it's because in our company there's only one guy who is able to do that, and what happens

if you are sick and you have a major incident, right? And it's important that we then take note of that during the game. So [clears throat] yeah, and then again, options for what kind of exfiltration we're talking about. I am particularly fond of those that go unnoticed, right? When things are sent out via Gmail or Discord or anything else that most users actually use, because there's a lot of noise on your system and it's hard to notice. So when you start introducing all this, it will be chaos, as mentioned, right? There is an enemy at the gates, there is a breach, there is an enemy on the inside. Then you have managers

poking you on your shoulder asking, "Okay, what is going on here? Why are all these orcs in our castle?" Right? [clears throat] And then it's game over time. Your company's burned down to the ground. Your team hasn't been able to handle this. And you kind of... my Glo the Cheesemaker character smiles. Come on. You're not disturbing us. Okay. [laughter] Uh, yeah. So yeah. He starts smiling inside, because I know by myself that they were never meant to succeed, right? The plan was never for me to have that team go victorious out of this. Maybe it's the evil part of me, because, yes, okay, the part that loves

to see other people struggle with security incidents. But I think it's also important to learn when you fail, right? Of course, you should give them some victories during it. But I noticed that when they fail, they have a lot of discussion afterwards, right? They talk: what did we fail at here? Why did we burn the company down to the ground? What kind of procedures are we missing? Why is only that guy able to fix the firewall? We should have more people do it. And you will probably have a long list, and of course, as with any security incident, it's important to have this after action. But the main thing here, to keep

things fun and not end up as a drag, because, as I said, you will probably have a long list of things that didn't work: sit down and find two things that you should prioritize, right? Only two, not three, not five, only those two things, and you make a ticket or something, and you ask your team to investigate: how do we fix this? Right? Does this actually trigger a major project, or is this just small things you can fix? And again, important: you just killed your team, right? It's game over. You have to revive them. I know that I said the evil part of me likes to see them lose, but also I like to feel a

bit good for them, so you have to revive them. What I learned is that you have to actually do a kind of debrief, because I noticed, after doing this several times, they got a coherent team, right? They're proud of their work, they get frustrated, and they kind of feel inside that this is actually something that can happen to my company, right? They get this knot in their tummy, because they think, okay, this is not that far-fetched, this could actually happen. So it's important to make them feel good again afterwards. Do that debrief, because you're going to kill them again every month. You're going to do

this, because the beauty of this is that it doesn't take a lot of time and resources. When you get good at doing this, you will probably set up a scenario and do the exercise in a couple of hours. As I said in the beginning, this is not expensive. You need the dice. You need some playing cards. You need someone, of course, in the team, or yourself, to, as I said, channel your inner game master, because you need to drive the story. You need to have a story behind this. You also, as a game master, need to have

a plan B, because trust me, your team will go rogue, right? When they discover that, okay, this is actually a fun game, let's challenge the game master, they will try to invent things on their own. So that means that you as a game master also have to be able to think on your feet and come up with extra stories during... at least when you come to the point, as I do... All this whole thing is based on a game called Backdoors & Breaches, which has its own rule set and explanation on how to do things. I quickly invented my own house rules that fitted my company. So that means that I kind

of opened Pandora's box for the team, for them to kind of challenge me, and that was also a good thing for me as a team incident manager, right? Because then I also learn of the chaos that it is to manage this kind of incident. But when you do this multiple times, as I said, maybe you should do this at least once a month, you will actually discover that you have this crack blue team. All right. The IT Crowd that you saw earlier have actually turned into this, because it will mean that your team starts to learn from each other. They will know their

colleagues' strengths and weaknesses and how they react in stress in that controlled situation. So even though your IT department is not a professional security vendor, you will be a lot better when it comes to handling both small and large security incidents. So yeah, Backdoors & Breaches, it's freely available, there's a digital version, it's also a card game, so I will recommend having it. If you don't use it already, you should use it in your training. >> I have every pattern in incident response fundamentals, our students play, but I'm evil, like we have injects, like on the roll, and double... >> Oh yes, yes, yes, you could. As I said, I,

when I presented, I did inject in the middle, but you could use it anytime during the game, right? And you just play it out, often. And I also discovered, when preparing the presentation, there is also a board game called Under Attack. Haven't tried it. I don't know. I think it's a Danish game, actually. So I will have a look at that also, to see how that works. So yeah, that's me. If you feel adventurous, feel free to take pictures of the QR codes and see what happens. [laughter] So, this is a link to the backup screen that I showed you. This is, as said, my LinkedIn profile. That was me. Thank you.

>> Thank 100%... back there. But it's a great game. >> But I quickly went and created my own house rules because I found it a bit too