Breaking the Kubernetes Kill Chain: Host Path Mount
Insect Invasion Rules
1. INSECT INVASION TABLETOP GAME
THE STORY SO FAR
Brood X, Inc. is a Virginia-based company founded in 2003 as a cloud-based SaaS that facilitates the realtime sharing, review, annotation, and modeling of entomological data. The Brood X web portal allows scientists and members of the general public to share information, collaborate on uploaded data, securely share and compare data, and visualize information on the fly.

Currently, Brood X is exclusively U.S.-based, with most users being colleges, universities, and independent scholars who probably need to get out of their offices more often than once every 17 years or so.

This summer is the moment Brood X has been waiting for. The cicadas are coming, and, for the sake of Brood X's upcoming IPO, Brood X had better be ready.

All Brood X data is held in their VPC in AWS US-East 1. Brood X uses AWS GuardDuty and Falco to detect intrusions. They use runtime monitoring software and AWS Inspector to detect potential vulnerabilities. Scans are run daily to check for vulnerabilities in virtual machines and containers. CloudWatch and CloudTrail are used as anti-exfiltration measures. They use AWS WAF to protect their web-based systems and AWS API Gateway for the APIs that they make available to researchers. Configuration management is done through AWS Config.
THE OTHER PLAYERS
Brave Tailor Security
Brood X is overly smug about what they consider to be their impenetrable AWS fortress. Their angel investors, however, are not. As part of their pre-IPO maturity assessment, Brood X has hired BTS for a pentest engagement.

BTS's goal is to find the most likely attack vector or vectors and report back to Brood X. BTS has a total of two weeks and cannot significantly disrupt end user access, though they are allowed to test without notifying BTS as to exactly when they will do so.
The Bugsuckers
The Bugsuckers are a loosely connected group of amateur entomologists who believe that insect research should be as free as a cicada on the wind.

The Bugsuckers' goal is to exfiltrate the research data uploaded to the Brood X portal and leak it onto the World Wide Web. They have been planning their move for about six months now, and would like to be ready to fly as soon as all the buzz begins this summer.
Brood Y, Inc.
Brood Y is a direct competitor of Brood X. Founded several years after Brood X, Brood Y's goal is to make Brood X look bad, and it is offering "bug bounties" to anyone who can make that happen. This can be in terms of security, service, or just plain old scandal. The "bug bounties" have only been offered for about one month.
2. RED TEAM RULES
This time, red goes first.

BTS, the Bugsuckers, and Brood Y are each a separate red team.

Each red team gets one move.

A "move" is a discrete action that each red team will take to further their specific goal. Moves can be any action that the team can reasonably argue would help them reach their objective. Moves might include, but are not limited to: open port scans, social engineering, phishing emails, fuzzing, or hamster dancing.

Moves must include:
(1) A description of the action taken
(2) How long that action will take
(3) When the team began taking that action
Image credit Misty View @cheatlines https://www.instagram.com/cheatlines/
BLUE TEAM RULES
This time, blue is responding to the red attacks.

Blue gets one counter move to each red team's move.

A "move" is a discrete action that each red team will take to defend or mitigate. Moves can be any action that the team can reasonably argue would help them reach their objective. Moves might include, but are not limited to: patching, employee training, calling Legal, purchasing new security software, or deploying kittens into your office production environment.

Moves must include:
(1) A description of how you learned about each red team's action
(2) A description of the action the blue team is taking in response
(3) How long that action will take
(4) When the team began taking that action