
Welcome to Infosec!

by Donny Johnson

Today is the day!

You've spent the last few weeks going through rigorous interviews of both technical and behavioral nature against tens of qualified candidates, and it's yours. The first day at the new job! Orientation was amazing and taught you about the history, the culture, and the ins and outs of your new employer. You couldn't be more excited to start.

Your manager greets you warmly and welcomes you to your job. She says, "Welcome Pat, we're so happy you're here and ready to go. There's been a change in your opportunity, and you have the chance to take your current job or fill a new role in the company."

If you want to keep your current job, go to page 11

If you would like to take the new opportunity, go to page 8

2
You switch users and head back to the login screen. You enter \Administrator:Summer2016.

Success! You've logged in as Administrator. You start poking around and looking at the files stored on the system as part of the default build. In the Recycling Bin you find a file called unattended.bat. You take the file out of the Recycling Bin, move it to the desktop, and open it with Notepad. 

You find credentials of a Domain Admin! Proud of yourself, you want to make sure the credentials are actually what you think they are.


Turn to the next page






3
Knowing a little about remote computer management, you download psexec and attempt to login to the domain controller using your discovered credentials. 

Unfortunately for you, this was a honey document. Opening it paged the Incident Response team who traced the IP back to you. They remotely accessed your system and found the logs going back to your initial login to the local administrator account. 

This was a clear violation of exceeding authorized access and, due to the nature of your role, a terminable offense. You have breached the trust of the company that hired you and have been fired. You are now unemployable and have thrown away your education. You die alone.

The End
You know you're out of your element and escalate to tier 2. This is where the experts live.

They take one look and ask if you've uploaded to the internal malware sandbox yet. You proudly state you've uploaded it to Virustotal.

They look at you and slowly repeat "You... uploaded it to Virustotal?"

You happily say "Sure did, I'm all about reverse engineering malware!"

Turn to page 36







5
Knowing 56 other independent engines can't be wrong, you decide it's nothing to worry about. Besides, it looks like it was stopped by the signatureless web analysis solution. 

Unfortunately, it was the APT. Your company was patient zero and experienced a full compromise, with losses including both HIPAA and PCI data. Countless lawsuits resulted in the firing of the CISO and the eventual bankruptcy of the company.

Public record of the incident shows you as the analyst who made the grave error in judgment that led to the largest data breach in history. You are now unemployable and die alone.

The End
Welcome to Multi-Spectrum Cyber Threat Hunting!

You feel like you're starting to become a pretty big deal. After all, you're new to this field and need to hit the ground running. Unsure of where to start, you hit Reddit and ask what to do in your first week of Threat Hunting. 

They are savage. They point you to the search feature and talk about stickies asking the exact same thing hundreds of times. But that doesn't matter, you're a Threat Hunter now. These people are just talking, you're doing.

Turn to page 17





7