Announcement

Collapse
No announcement yet.

Late-night Takedown (or) How much techno-babble can you fit into one short story? by I)ruid

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Late-night Takedown (or) How much techno-babble can you fit into one short story? by I)ruid

    Late-night Takedown
    (or)
    How much techno-babble can you fit into one short story?
    by I)ruid

    ***
    It's almost 3AM. The only light in the dark room comes from the flickering of the giant curved LCD screen mounted in eggplnt's spherical workstation pod. Soft light illuminates the interior surfaces and edges as the screen full of terminals and app windows occasionally updates, the light quickly fading into the darkness beyond. The quiet hum of cooling fans and the soft continuous whoosh of air conditioning muffle the clacking of their old-skool mechanical keyboard.

    The peripheral is a bit dated, sure... Most users have moved on to typing in the air with VR haptic gloves or even using voice controls, but sometimes we get set in our ways. Something about the realness of the physical. At least we aren't still trying to use a mouse.

    This job is perfect for us. Overnight. When my nootropic-pickled brain fires faster. When assisted neurons form better-lasting memories. When I can float comfortably in our pod, enveloped in darkness. When the network is quiet and most systems asleep or in downtime and we can hack on our own projects until something actually needs our attention. "Perfect".

    eggplnt grabbed the half-finished Jolt Ultra-Violet soda from the pod's beverage clutch and took a swig. Ironic that their favorite flavor of Jolt was the color of eggplant, and of their hair. But hey, bonus points for the personal brand. Normally that beverage would be a micro-dose modafinil-infused rum cocktail, the recipe they picked up in New Barbados a few years back and has been hooked on ever since, but apparently this particular employer doesn't approve of drinking or stim-boosting on the job. Naturel avec de la caféine? Really? What is this, the 20's?

    As the first alarm came from the sentry program, eggplnt spit Jolt all over the upper corner of their screen. The sudden, abrasive sound and flash directed their attention to the alarm status.
    "We've got a breach. Game on."

    First things first. Bring forward terminals Alpha and Delta for general UI and so we can interface with the systems closest to the intrusion point. The defensive "AI" (and we use that term loosely) had at least done one job well and identified which network segment the attacker had penetrated to with the initial intrusion. Luckily, it's just one of the external DMZ's where we can be a little sloppy. Let's go ahead and elevate the segment's layer two data link controls to RESTRICTED to filter out most of this noise at the ports.

    The attacker hadn't gotten very far, just one segment deep into the network. Not even past the primary external firewalls. The DMZ in question is all command-and-control nodes for external systems. Customers of our ever-so-benevolent employer. Probably just a skid, fresh home from their first DEF CON running some scripts that they downloaded and don't understand. Probably didn't even bother to fully review their code and have no idea what they actually do. Flooding all the nodes with with packets, being extra noisy is usually a telltale sign. This incident will probably be uneventful.

    Wait a minute, this is too noisy. This can't just be some skid bumbling around. This is actually looking more like a really, really crappy DoS. The attacker set up camp in one of the network services nodes and is basically throwing random packets at every other node in the segment. Some packets don't even belong to an established connection! Between the sheer idiocy of this flooding strategy and the elevated layer two controls this DoS really isn't even having much affect. Business as usual, move along... All we really gotta do is eject the intruder and clean up, probably don't even need to alert any customers.

    The next three alarms and the voice chat came in almost simultaneously.

    "Where are you?!"

    "I'm in Central Core and DMZ 14 seeing what's up with this weird DoS. You?"

    "WTF! You should be in the B2B network helping us. We're getting our asses handed to us over here! The intruder has already managed to boot Nostrus and Z3N. We don't know how, but their pods just completely powered down."

    Dammit. The DoS was a diversion. And we fell for it. "THANKS AI".

    Allright, it's about time we got into the real fray. We can clean up this DoS later, it's not even affecting anything at this point. Apparently it's time to show up late actin' early; that's probably the only way to save a little face with the squad.

    eggplnt activated one of their newly-written tools in CentralCore as they brought forward terminal Beta to access the B2B network. It's nothing too fancy, just some automata that scans nodes and systems to sweep and clear malware and other unwanted files from them. It's tailored to be aware of all the standard profiles and recognize anything out of the ordinary. An anomaly garbage collector, if you will. This will definitely help find and remove any of the attackers strongholds and might even get lucky and boot them.

    "Allright we're here." eggplnt broadcast to the voice chat. "Sorry I'm late. I needed a second to point my new toy at BNB and BNB-adjacent segments. It's already swept..."
    eggplnt checked the tool's stats.

    "Four compromised nodes and seventeen compromised systems." Whew. Thank Science they added that parellelization routine last night. This thing works fast!
    "When this is done we're having a serious talk about you referring to yourself and your programs as 'we'." said Octomus=Prime. "It's weird. Now get over here and HELP. We think they're after executive management."

    The execs? Well sure they're high-value targets, but they gotta know the execs are probably the most secure systems we manage. That's the company reputation. Compromising them could sink the ship from bad press. If you can't manage and keep your own systems secure, who else would trust you to manage theirs? Not our B2B clients and certainly not our individual customers. The unwashed masses be fickle about things like that; they'll about-face on a bitdime and leave you. What ever happened to customer loyalty?

    "What makes you think that?" eggplnt broadcast to the voice chat.

    "They're scanning for specific IDs. It's not a huge list they're iterating through, but the entire C-Suite, a few board members, and three key-hires are on it. The way they're scanning is optimized but prohibits encryption so we easily collected the list. Voltron modded his network monitor to be able to scrape and log any identifiable content. Once we worked out the regexp we had the full target list in under two minutes."

    "How many are on the list?"

    "Fifty-three."

    Damn, that is optimized. Getting a system to give up its ID over the network without an established connection is non-trivial. It's quite a bit of process with three separate checks and controls, all determined to ensure that the query is authorized. Scanning systems for IDs should take some time. Being the middle of the night in our benevolent employer's primary market, most of the systems were in their beds asleep and their C&C nodes idling. The intruders must have thought this would be the ideal time to attack.

    "Ok, I'll prioritize those systems in my sweeper tool. If any of them get compromised, it shouldn't last for long."

    eggplnt accessed the list of targets from the datastore that was created for this incident as part of the bootstrap IR procedure and fed it straight into the running sweeper process over a local I/O channel. They had recently learned about OS inter-process messaging and process I/O and had built in a way to interface with a running sweeper process so as to not have to kill and restart it in order to change its config. They also set it to alert if it identified any anomalies on the prioritized systems.

    The updated sweeper tool immediately identified three more systems with anomalous data. "Crap." eggplnt said. "Intruders have already compromised three more from the list. It'll clean and monitor them but they've obviously already found a way past the standard system security controls." These adversaries are way too fast... Way too skilled. This isn't going to end well for our heroes.
    And then it was over. Just like that. The scanning vanished, the DoS stopped, and any trace of intruders in the B2B network evaporated. Everything was back to normal, and our squad had barely had time to even respond to the attack.

    Some quick forensics unfortunately revealed that it was about the worst it could have been. A total of 23 systems had been compromised including all of the target executives, and about twice that many nodes. Privacy and data-breach disclosure laws will ensure that this attack becomes public knowledge shortly. This was definitely a corporate take-down, network assassin style.
    Sometimes you get the electric sheep and sometimes, well the electric sheep gets you.

    Well that was an epic fail. Failtown, population: us. There's no way the squad keeps our jobs after this incident. This one's so obvious we probably won't even get so much as an explanation why, just an e-notice in the ol' Inbox in the morning that we've all been terminated. But hey, that's what we get for workin' for tha Man. What ever happened to employer loyalty?

    It's alright though, we didn't need that job anyway... The profit from our bitcoin trading bots eclipses what we were earning at this job and already pays the bills. This job was just some easy extra 'coin and access to a sweet top-of-the-line workstation, getting paid a little extra to mostly work on our own stuff. Cuz why not? Easy money. High-end tech. Of course we'll take it.

    Finding another gig that sweet might take a while. Sigh. C'est la vie.

    ***
    PGP key: dtangent@defcon.org valid 2020 Jan 15, to 2024 Jan 01 Fingerprint: BC5B CD9A C609 1B6B CD81 9636 D7C6 E96C FE66 156A
Working...
X