An Enterprise on Fire: Successful Strategies in Triage

OVERVIEW

0900 PST. You grab your cup of coffee and get into your chair. You begin the day with some small cheese factory in Wisconsin claiming that they’ve been hacked. As you log in, you behold default creds, no MFA, and a small Cisco firewall set to ALLOW ANY:ANY because hey, having a rule means passing compliance checks. In the corner of your eye, you suddenly start to see alerts appear. Mimikatz, Metasploit, some Cobalt Strike Beacons, LSASS dumps, the lot quickly piles on and on in your environment. No amount of caffeinated adrenaline will help as you watch your environment go up in flames.

Even the most seasoned veterans can be stricken by keyboard fright when facing the unknown state of a compromised system. Maybe your playbooks are woefully inadequate, out of date, or simply don’t exist. Perhaps you’ve assumed that your tooling will feed you information, but the right information may not always be available or easily consumable. It can be daunting when faced with the prospect of manual box-by-box triage.

If you’ve ever been in any of the aforementioned situations and have stared in incredulity at your terminal, then this talk is for you.

We will examine the compromised environment from the 2023 WRCCDC security competition and discuss the foundation of the competition and the infrastructure from which all the data was pulled. Next, we will explore the strategies of the teams based on data from images taken at specific, timed intervals. Lastly, we will attempt to rank the strategies undertaken by the top eight collegiate cybersecurity teams in the competition and focus on which steps led to the most success in remediating the threat, which were not successful, and what kept threat actors out of systems the longest.

Presented By

K. SINGH
Incident Response Consultant,
CrowdStrike
BLUESCREENOFWIN
Senior Security Engineer,
Porn ISP