2. THE STORY SO FAR
CRY HAVOC AND LET SLIP THE CICADAS OF SCIENCE!
Brood X, Inc. is a Virginia-based company founded in 2003 as a
cloud-based SaaS that facilitates the real-time sharing, review,
annotation, and modeling of entomological data. The Brood X
web portal allows scientists and members of the general public to
share information, collaborate on uploaded data, securely share
and compare data, and visualize information on the fly.
Currently, Brood X is exclusively U.S.-based, with most users being
colleges, universities, and independent scholars who probably
need to get out of their offices more often than once every 17
years or so.
This summer is the moment Brood X has been waiting for. The
cicadas are coming, and, for the sake of Brood X’s upcoming IPO,
Brood X had better be ready.
All Brood X data is held in their VPC in AWS us-east-1. Brood X
uses Amazon GuardDuty and Falco to detect intrusions. They use
runtime monitoring software and Amazon Inspector to detect
potential vulnerabilities, and scans of their virtual machines and
containers run daily. CloudWatch and CloudTrail logs are relied on
to detect data exfiltration (both record activity; neither blocks it).
They use AWS WAF to protect their web-based systems and Amazon API
Gateway to front the APIs that they make available to researchers.
Configuration auditing is done through AWS Config.
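The scenario counts CloudWatch and CloudTrail as Brood X's anti-exfiltration measures. What those actually give a blue team is a log stream to run detections over, so here is an added example, written for this page rather than taken from Brood X or AWS, of such a detection in Python. It parses newline-delimited CloudTrail S3 data events, as CloudWatch Logs would deliver them, and flags a principal that reads many objects or many bytes in a short window, or that reads the research bucket without going through the portal's VPC endpoint. The account id, bucket name, principals, IP addresses, endpoint id, thresholds and the sample records are all constructed for the example. One caveat the scenario glosses over: CloudTrail only records S3 object reads if S3 data events are enabled for the trail, which is off by default, so without that setting this detection has nothing to read.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample data: CloudTrail S3 data events (GetObject) trimmed to the
# fields the detection reads. Account id, bucket, principals, IPs, endpoint id
# and thresholds are all made up for this example, not Brood X's real values.
BUCKET = "broodx-research"
ALLOWED_VPCE = frozenset({"vpce-0aaa1111bbbb2222c"})  # assumed: the portal's S3 endpoint
APP = "arn:aws:sts::111122223333:assumed-role/portal-app/i-0abc"
USER = "arn:aws:iam::111122223333:user/contractor"
MB = 1024 * 1024
TS = "%Y-%m-%dT%H:%M:%SZ"


def _event(when, arn, ip, key, nbytes, vpce=None):
    """Build one CloudTrail-shaped S3 GetObject record (constructed, not captured)."""
    e = {"eventTime": when.strftime(TS), "eventName": "GetObject",
         "eventSource": "s3.amazonaws.com", "userIdentity": {"arn": arn},
         "sourceIPAddress": ip,
         "requestParameters": {"bucketName": BUCKET, "key": key},
         "additionalEventData": {"bytesTransferredOut": nbytes}}
    if vpce:
        e["vpcEndpointId"] = vpce
    return e


_T0 = datetime(2021, 5, 20, 13, 0, 0)
_T1 = datetime(2021, 5, 20, 14, 10, 0)
# Three small portal reads via the VPC endpoint, then six 20 MB reads in two
# minutes by an IAM user coming straight from the internet.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in
    [_event(_T0 + timedelta(minutes=2 * i), APP, "10.0.1.20",
            f"specimens/{i}.csv", 4096, "vpce-0aaa1111bbbb2222c") for i in range(3)]
    + [_event(_T1 + timedelta(seconds=20 * i), USER, "203.0.113.7",
              f"export/part{i}.tar", 20 * MB) for i in range(6)])


def parse_events(ndjson_text):
    """Parse newline-delimited JSON records as CloudWatch Logs delivers CloudTrail."""
    return [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]


def detect_exfiltration(records, window=timedelta(minutes=5), max_objects=5,
                        max_bytes=50 * MB, allowed_vpce=frozenset()):
    """Return one alert per (principal, rule) for GetObject activity that
    exceeds an object or byte budget inside `window`, or that bypasses the
    allowed VPC endpoints. Thresholds are assumptions for the example."""
    alerts = []
    by_principal = defaultdict(list)
    for r in records:
        if r.get("eventName") == "GetObject":
            by_principal[r["userIdentity"]["arn"]].append(r)

    for arn, events in by_principal.items():
        events.sort(key=lambda e: e["eventTime"])
        win = deque()          # (time, bytes) for events inside the sliding window
        bytes_in_win = 0
        fired = set()

        def fire(rule, e):
            if rule not in fired:
                fired.add(rule)
                alerts.append({"principal": arn, "rule": rule,
                               "sourceIPAddress": e["sourceIPAddress"],
                               "eventTime": e["eventTime"]})

        for e in events:
            t = datetime.strptime(e["eventTime"], TS)
            size = e.get("additionalEventData", {}).get("bytesTransferredOut", 0)
            if e.get("vpcEndpointId") not in allowed_vpce:
                fire("external_read", e)
            win.append((t, size))
            bytes_in_win += size
            while win and t - win[0][0] > window:   # evict events older than the window
                bytes_in_win -= win.popleft()[1]
            if bytes_in_win > max_bytes:
                fire("volume_burst", e)
            if len(win) > max_objects:
                fire("object_burst", e)
    return alerts


def run_sample():
    return detect_exfiltration(parse_events(SAMPLE_LOG), allowed_vpce=ALLOWED_VPCE)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

The portal role produces no alerts; the contractor user trips all three rules, and the first alert carries the public source address, which is what a responder would pivot on. In production the same logic would run as a scheduled query or a Lambda subscribed to the CloudWatch Logs group, with the thresholds tuned against the portal's normal read rate.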
3. THE OTHER PLAYERS
Brave Tailor Security
Brood X is overly smug about what they consider
to be their impenetrable AWS fortress. Their
angel investors, however, are not. As part of
their pre-IPO maturity assessment, Brood X has
hired Brave Tailor Security (BTS) for a pentest
engagement.
BTS's goal is to find the most likely attack
vector or vectors and report back to Brood X.
BTS has a total of two weeks and cannot
significantly disrupt end user access, though
they are allowed to test without notifying
Brood X as to exactly when they will do so.
4. The Bugsuckers
The Bugsuckers are a loosely-connected group of amateur entomologists who believe that
insect research should be as free as a cicada on the wind.
The Bugsuckers’ goal is to exfiltrate the research data uploaded to the Brood X portal and
leak it onto the World Wide Web. They have been planning their move for about six months
now, and would like to be ready to fly as soon as all the buzz begins this summer.
5. Brood Y, Inc.
Brood Y, Inc. is a West Virginia-based company founded in 2003 as a cloud-based SaaS that
facilitates the real-time sharing, review, annotation, and modeling of entomological data.
The Brood Y web portal allows scientists and members of the general public to share
information, collaborate on uploaded data, securely share and compare data, and
visualize information on the fly.
Brood Y prides itself on being “a golden scarab in a world of dull beetles.” After 13 years,
they still claim to embrace a startup culture. Rumors have begun to surface on Twitter
that they have started offering “bug bounties” to anyone that can help them sting Brood
X in advance of their IPO and minimize potential shareholder value.
Brood Y’s goal is to make Brood X look bad. This can be in terms of security, service, or
just plain old scandal. The “bug bounties” have only been offered for about one month.
7. Red Team Rules
This time, red goes first.
BTS, the Bugsuckers, and Brood Y are each a separate red team.
Each red team gets one move.
A “move” is a discrete action that each red team will take to further their
specific goal.
Moves can be any action that the team can reasonably argue would help them
reach their objective. Moves might include, but are not limited to: open port
scans, social engineering, phishing emails, fuzzing, or hamster dancing.
Moves must include:
(1) A description of the action taken
(2) How long that action will take
(3) When the team began taking that action
8. Blue Team Rules
This time, blue is responding to the red attacks.
Blue gets one counter move to each red team’s move.
A “move” is a discrete action that the blue team will take to defend
against or mitigate that red move. Moves can be any action that the
team can reasonably argue would help them reach their objective.
Moves might include, but are not limited to: patching, employee
training, calling Legal, purchasing new security software, or deploying
kittens into your office production environment.
Moves must include:
(1) A description of how you learned about each red team’s action
(2) A description of the action the blue team is taking in response
(3) How long that action will take
(4) When the team began taking that action
9. ENDGAME
Both sides will present their
moves publicly, red first, then
blue.
The GM will adjudicate those
moves based on their feasibility,
appropriateness, and the teams’
arguments.
Don’t fight the scenario, don’t be
a sore winner or loser.
A scorpion is a bug. I will die on
this hill.