💾 Archived View for clemat.is › saccophore › library › shorts › defcon › 27 › late-night-takedown-by… captured on 2022-06-04 at 01:00:31.
Late-night Takedown (or) How much techno-babble can you fit into one short story?
by I)ruid
It's almost 3AM. The only light in the dark room comes from the
flickering of the giant curved LCD screen mounted in eggplnt's spherical
workstation pod. Soft light illuminates the interior surfaces and edges
as the screen full of terminals and app windows occasionally updates,
the light quickly fading into the darkness beyond. The quiet hum of
cooling fans and the soft continuous whoosh of air conditioning muffle
the clacking of their old-skool mechanical keyboard. The peripheral is
a bit dated, sure... Most users have moved on to typing in the air with
VR haptic gloves or even using voice controls, but sometimes we get set
in our ways. Something about the realness of the physical. At least we
aren't still trying to use a mouse. This job is perfect for us.

Overnight. When my nootropic-pickled brain fires faster. When assisted
neurons form better-lasting memories. When I can float comfortably in
our pod, enveloped in darkness. When the network is quiet and most
systems asleep or in downtime and we can hack on our own projects until
something actually needs our attention. "Perfect".

eggplnt grabbed the half-finished Jolt Ultra-Violet soda from the pod's
beverage clutch and took a swig. Ironic that their favorite flavor of
Jolt was the color of eggplant, and of their hair. But hey, bonus points
for the personal brand. Normally that beverage would be a micro-dose
modafinil-infused rum cocktail, the recipe they picked up in New Barbados
a few years back and have been hooked on ever since, but apparently this
particular employer doesn't approve of drinking or stim-boosting on the
job. Naturel avec de la caféine? Really? What is this, the 20's?

As the first alarm came from the sentry program, eggplnt spit Jolt all
over the upper corner of their screen. The sudden, abrasive sound and
flash directed their attention to the alarm status. "We've got a breach.
Game on."

First things first. Bring forward terminals Alpha and Delta for general
UI and so we can interface with the systems closest to the intrusion
point. The defensive "AI" (and we use that term loosely) had at least
done one job well and identified which network segment the attacker had
penetrated to with the initial intrusion. Luckily, it's just one of the
external DMZs where we can be a little sloppy. Let's go ahead and
elevate the segment's layer two data link controls to RESTRICTED to
filter out most of this noise at the ports.

The attacker hadn't gotten very far, just one segment deep into the
network. Not even past the primary external firewalls. The DMZ in
question is all command-and-control nodes for external systems.
Customers of our ever-so-benevolent employer. Probably just a skid,
fresh home from their first DEF CON running some scripts that they
downloaded and don't understand. Probably didn't even bother to fully
review their code and have no idea what they actually do. Flooding all
the nodes with packets, being extra noisy, is usually a telltale sign.
This incident will probably be uneventful.

Wait a minute, this is too noisy. This can't just be some skid bumbling
around. This is actually looking more like a really, really crappy DoS.
The attacker set up camp in one of the network services nodes and is
basically throwing random packets at every other node in the segment.
Some packets don't even belong to an established connection! Between
the sheer idiocy of this flooding strategy and the elevated layer two
controls this DoS really isn't even having much effect. Business as
usual, move along... All we really gotta do is eject the intruder and
clean up, probably don't even need to alert any customers.

The next three alarms and the voice chat came in almost simultaneously.
"Where are you?!" "I'm in Central Core and DMZ 14 seeing what's up with
this weird DoS. You?" "WTF! You should be in the B2B network helping us.
We're getting our asses handed to us over here! The intruder has already
managed to boot Nostrus and Z3N. We don't know how, but their pods just
completely powered down."

Dammit. The DoS was a diversion. And we fell for it. "THANKS AI".
Alright, it's about time we got into the real fray. We can clean up this
DoS later, it's not even affecting anything at this point. Apparently
it's time to show up late actin' early; that's probably the only way to
save a little face with the squad.

eggplnt activated one of their newly-written tools in CentralCore as
they brought forward terminal Beta to access the B2B network. It's
nothing too fancy, just some automata that scans nodes and systems to
sweep and clear malware and other unwanted files from them. It's
tailored to be aware of all the standard profiles and recognize anything
out of the ordinary. An anomaly garbage collector, if you will. This
will definitely help find and remove any of the attacker's strongholds
and might even get lucky and boot them.

"Alright we're here." eggplnt broadcast to the voice chat. "Sorry I'm
late. I needed a second to point my new toy at BNB and BNB-adjacent
segments. It's already swept..." eggplnt checked the tool's stats. "Four
compromised nodes and seventeen compromised systems." Whew. Thank
Science they added that parallelization routine last night. This thing
works fast!

"When this is done we're having a serious talk about you referring to
yourself and your programs as 'we'." said Octomus=Prime. "It's weird.
Now get over here and HELP. We think they're after executive
management."

The execs? Well sure they're high-value targets, but they gotta know the
execs are probably the most secure systems we manage. That's the company
reputation. Compromising them could sink the ship from bad press. If you
can't manage and keep your own systems secure, who else would trust you
to manage theirs? Not our B2B clients and certainly not our individual
customers. The unwashed masses be fickle about things like that; they'll
about-face on a bitdime and leave you. Whatever happened to customer
loyalty?

"What makes you think that?" eggplnt broadcast to the voice chat.

"They're scanning for specific IDs. It's not a huge list they're
iterating through, but the entire C-Suite, a few board members, and
three key-hires are on it. The way they're scanning is optimized but
prohibits encryption so we easily collected the list. Voltron modded his
network monitor to be able to scrape and log any identifiable content.
Once we worked out the regexp we had the full target list in under two
minutes."

"How many are on the list?"

"Fifty-three."

Damn, that is optimized. Getting a system to give up its ID over the
network without an established connection is non-trivial. It's quite a
bit of process with three separate checks and controls, all determined
to ensure that the query is authorized. Scanning systems for IDs should
take some time. Being the middle of the night in our benevolent
employer's primary market, most of the systems were in their beds asleep
and their C&C nodes idling. The intruders must have thought this would
be the ideal time to attack.

"Ok, I'll prioritize those systems in my sweeper tool. If any of them
get compromised, it shouldn't last for long."

eggplnt accessed the list of targets from the datastore that was created
for this incident as part of the bootstrap IR procedure and fed it
straight into the running sweeper process over a local I/O channel. They
had recently learned about OS inter-process messaging and process I/O
and had built in a way to interface with a running sweeper process so as
to not have to kill and restart it in order to change its config. They
also set it to alert if it identified any anomalies on the prioritized
systems.

The updated sweeper tool immediately identified three more systems with
anomalous data. "Crap." eggplnt said. "Intruders have already
compromised three more from the list. It'll clean and monitor them but
they've obviously already found a way past the standard system security
controls."

These adversaries are way too fast... Way too skilled. This isn't going
to end well for our heroes.

And then it was over. Just like that. The scanning vanished, the DoS
stopped, and any trace of intruders in the B2B network evaporated.
Everything was back to normal, and our squad had barely had time to even
respond to the attack.

Some quick forensics unfortunately revealed that it was about the worst
it could have been. A total of 23 systems had been compromised including
all of the target executives, and about twice that many nodes. Privacy
and data-breach disclosure laws will ensure that this attack becomes
public knowledge shortly. This was definitely a corporate take-down,
network assassin style. Sometimes you get the electric sheep and
sometimes, well, the electric sheep gets you.

Well that was an epic fail. Failtown, population: us. There's no way the
squad keeps our jobs after this incident. This one's so obvious we
probably won't even get so much as an explanation why, just an e-notice
in the ol' Inbox in the morning that we've all been terminated. But hey,
that's what we get for workin' for tha Man. Whatever happened to
employer loyalty?

It's alright though, we didn't need that job anyway... The profit from
our bitcoin trading bots eclipses what we were earning at this job and
already pays the bills. This job was just some easy extra 'coin and
access to a sweet top-of-the-line workstation, getting paid a little
extra to mostly work on our own stuff. Cuz why not? Easy money. High-end
tech. Of course we'll take it. Finding another gig that sweet might take
a while. Sigh. C'est la vie.