It’s no secret that full-size candy bars are sought after and tracked down on Halloween night. In this fun, holiday-esque episode, Jason, Steve, and Matt introduce an easy-to-follow scenario to walk you through the different stages of a cyberattack and guide your understanding of the Cyber Kill Chain.
Halloween Kill Chain
This is CyberSound. Your simplified and fundamentals-focused source for all things cybersecurity, with your hosts, Jason Pufahl, Steven Maresca and Matt Fusaro.
Jason Pufahl 00:14
Welcome to CyberSound. I’m your host, Jason Pufahl, joined by Matt Fusaro, Steve Maresca, Steve’s already, you’re already laughing.
Steven Maresca 00:23
Jason Pufahl 00:25
It’s Halloween. So, I think today we’re going to talk a little bit about the Halloween Kill Chain.
Matt Fusaro 00:33
Yeah. The horror Kill Chain, Halloween Kill Chain. We’ll see where it goes.
Jason Pufahl 00:38
So we know that every single kid craves the full size candy bar. Right, nobody wants, nobody wants an apple. Nobody wants to think of popcorn balls, that was your least favorite.
Matt Fusaro 00:52
That and the darn house up the street that used to give out the wax lips, I’ll never understand it.
Steven Maresca 00:58
And who can forget, you know, black licorice jelly beans.
Matt Fusaro 01:02
Oh, yeah, that too.
Jason Pufahl 01:03
So from a reconnaissance standpoint, every kid knows who gives out the wax lips, right? They know who to avoid. They also know who might have that prized either, supersized candy bar king size, or just a general full size candy bar. Nobody wants the Three Musketeers Mini because we all can agree that Three Musketeers is the worst candy that you can get on Halloween. So reconnaissance, right? Talk to your friends. Figure out which houses have the candy that you want. Right? So that’s your target.
Matt Fusaro 01:38
And you could find that stuff on all those parent websites too. What is that, Nextdoor?
Steven Maresca 01:44
Nextdoor for Halloween.
Matt Fusaro 01:45
There’s another one too, I can’t remember the name of it. I’m sure, you know, Facebook Groups, you’ll find out where all the, all the good stuff is, all the moms post on there.
Jason Pufahl 01:52
And they’re digital natives, these kids, so they probably do turn to Nextdoor and Facebook and figure out, you know, who’s buying what candy and what do they plan on giving out?
Matt Fusaro 02:00
Jason Pufahl 02:00
Because your point is well made, you don’t want to be the last one to find out that a house gave full size candy bars, right? You want to be there first. So a little bit of digital surveillance.
Steven Maresca 02:10
And we have to take notes in a distributable form to everybody so you know which houses to egg afterward.
Jason Pufahl 02:18
So, egg afterward?
Steven Maresca 02:20
Well, well, yeah, the one that gives out saltines. Then they’re reminded not to do that again.
Jason Pufahl 02:24
So that’s interesting. So I was thinking, you have to get in the house somehow. So I was wondering if you know, a single egg might draw the inhabitants out and make it easier for you to get in, possibly, so do you do that even earlier?
Matt Fusaro 02:41
This is true. They usually get pretty angry, when you do something like that,
Jason Pufahl 02:44
Matt Fusaro 02:45
Come out, run after you, maybe tackle your friend.
Jason Pufahl 02:47
Alright, so you want, you’re gonna opt, you’re going to opt for a little bit more subtle approach, initially.
Matt Fusaro 02:54
I don’t know.
Jason Pufahl 02:57
I guess if I were really trying to do it, right, it would be great to get in and get out unseen. Maybe even make it so you can get in and get out another time in the future, if you’re really gonna try to be crafty.
Matt Fusaro 03:07
Well, if you got a big group with you, you have a whole bunch of kids, you can maybe sneak in behind them. Or just have their whole garage, open.
Jason Pufahl 03:12
Alright, so we know who has the candy bars. The great thing about Halloween is people who ordinarily wouldn’t open their doors for strangers are going to open their door for every single stranger, right, so you’ve definitely simply got, whole garage, they might put a whole box of candy right on the doorstep, which, when dumped in its entirety into a bag, is more than a king size bar. So that’s the target of opportunity as well. But we don’t want to, we have an objective and our objective is the king size. Walk up to your door and you say trick or treat, right. And typically it’s going to be confusing, right? The person behind has got a bucket of candy. They’re probably getting mobbed by eight or ten kids. They really don’t know how many kids were at the door, do you just have one slip inside?
Steven Maresca 04:00
It’s sweet, little Raggedy Ann standing there looking adorable who, you know, disarms.
Jason Pufahl 04:08
So that is the trick if you send that one in,
Steven Maresca 04:10
Jason Pufahl 04:10
Right, probably like four years old, five years old, small, probably doesn’t have any demons yet.
Steven Maresca 04:17
I mean, it could just be a dad wearing makeup and walking on his knees, but if it’s Halloween, who knows?
Matt Fusaro 04:25
It has to be very specific. They want a very specific color of candy so they’re fishing through the bowl, taking forever.
Jason Pufahl 04:32
Oh, you need to do that. Take three or four and make the person say, can you put two back, you’re only supposed to take two. So you create confusion and you have a diversion by having a big group of people and you slip Raggedy Ann through the door, right, which is a good concept.
Steven Maresca 04:45
And if that doesn’t work, I mean it is Halloween, so just dress up as the neighbor and you know make it look comical. But, you know, they’ll believe you.
Jason Pufahl 04:54
So now they know the house, right? We’ve gotten to the door and we’ve slipped somebody in. They actually have, they have no idea that we’ve got this persistent, this persistent threat embedded.
Matt Fusaro 05:06
Well, you have to hide, right, because it might take you a little while to find what you’re looking for.
Jason Pufahl 05:11
I mean, and I didn’t call it an advanced persistent threat. It’s just plain old persistent, because they’re in there. They’re gonna keep trying, but they’re four years old, how advanced really, right,
Matt Fusaro 05:19
And I mean, when’s the last time you saw an APT use like modern methods to get into places? I mean, it’s always in the old stuff.
Jason Pufahl 05:28
Some basic social engineering, right, that’s all. That’s all that’s happened so far. You know the kids know how to do it. So, you got, you’ve got your insider.
Steven Maresca 05:35
You know, I’d say that the kids are probably the most adept at social engineering of anyone. They’re manipulative, heartless, and ruthless. They’ve got nothing to lose.
Jason Pufahl 05:47
Is this your kids?
Steven Maresca 05:48
Well, no, they haven’t learned social norms yet. So they’re still okay and acceptably, you know, pathological.
Matt Fusaro 05:55
They can lose a friend, they’ll find a new one. People like us, we lose a friend, that’s one less friend now.
Jason Pufahl 05:57
That is true. So the good news is, right, if we’re looking, they’ve studied the habits of the people at the house, and the likelihood is every single time that doorbell rings, it’s an interruption from Jeopardy, or whatever it is that somebody’s watching. They can’t wait to go back to it. They’re going straight back to the TV room, or the family room, whatever they want to call it. Right? So it probably leaves the kitchen, reasonably exposed. You got Raggedy Ann now wander around the house. Pretty much carte blanche, they don’t know she’s in there. She’s small, quiet. She gets the candy. Actually, it’s not really fair for us to presume that Raggedy Ann was a she. So, Raggedy Ann has now gotten the candy. What do we do? How do we get the candy out? Because everybody has to get a piece right?
Steven Maresca 06:45
Well, she needs a path out. And there’s still a door there. You know, she’s gotten in, but there’s still fences.
Matt Fusaro 06:51
You unlock the backdoor, right?
Steven Maresca 06:52
Well, I mean, how tall is she? Maybe she can’t reach the deadlock. What would he do?
Jason Pufahl 06:57
So do you send another group back in to knock on that door and exfiltrate her?
Steven Maresca 07:01
Maybe. Or you know, she’s probably trying to find a way out. Gotta find the doggie door. Maybe there’s,
Matt Fusaro 07:08
First story window?
Jason Pufahl 07:10
Or, do you just leave her in there? Is that just the persistence part?
Steven Maresca 07:14
Nope, nope, nope. This is Halloween, so there’s got to be a basement hatch. You have to go down into the bowels, deeper into infrastructure.
Jason Pufahl 07:24
It’s definitely dark out there.
Matt Fusaro 07:27
The bulkhead’s kind of noisy though when you open it.
Steven Maresca 07:29
Right, it’s acoustic effects you expect to hear on Halloween.
Jason Pufahl 07:33
That’s true. That’s just a spooky sound, like a normal spooky sound.
Steven Maresca 07:36
Right, your neighbor wouldn’t know any better.
Jason Pufahl 07:37
Right, and they probably got some ornaments out there that are making noise each time somebody passes by. So they don’t, that’s fine. So that’s a good diversion right there, position one of those ornaments back behind the bulkhead. Let her open it up so she squeaks her way out. So now you’ve got an open bulkhead basically, carte blanche, you can go back anytime you want until they figure out that that thing is open. And again, they’re watching Jeopardy. So you know you at least have like eight hours before sunlight? You know that they’re probably up at daybreak, but you got a bunch of time to get in and out of that place. World’s your oyster at that point. Alright, so we got Raggedy Ann we snuck the person in. Did they steal anything yet? Or do they simply get it so that everybody else can get in?
Steven Maresca 08:27
I mean, she’s built a map. You know, there are teams now. People know where to go for the valuables, people know where to go for the candy. You know, the secondary target is now the primary target.
Jason Pufahl 08:39
So now, does Raggedy Ann actually tell anybody that there is this ingress and egress, or does she just actually sell the candy?
Steven Maresca 08:48
Exactly, she goes down to the corner,
Matt Fusaro 08:50
Or she can tell everyone about it if they give up their bag of candy.
Jason Pufahl 08:54
That’s the trick. Do a twofer. So, pretty easy exploit. I mean now that we’ve talked it out, I’m actually, I might trick or treat this year. Seems like a no brainer.
Matt Fusaro 09:11
And find the bourbon for the candy bar.
Jason Pufahl 09:14
It’s all what you’re going after, right? I mean, in parallel. It really is how a normal Ransomware attack works. I mean, that is the, that’s the reason this whole Kill Chain exists.
Matt Fusaro 09:25
But do you rate, like how do you ransom the personnel zone? Do you tell them I’ll give you your candy back if you give me money?
Steven Maresca 09:31
Well, it wasn’t Raggedy Ann. She was just the breaking entering you know, initial salvo. It’s Johnny down the street dressed up as Chucky, he’ll leave the stink bomb or you know the flaming bag on the porch. I have to imagine that that is the,
Matt Fusaro 09:48
You’re showing your age with the Chucky reference.
Steven Maresca 09:50
I know, aren’t we all Raggedy Ann? Come on now.
Jason Pufahl 09:55
Chucky was the worst, when Chucky was hiding under that bed, that was one of the scariest scenes I’ve ever seen, I did not like that at all. So that’s a good point, though. There really was no ransomware, this was an outright theft, not a smash and grab, I think it was gracefully executed.
Steven Maresca 10:12
No, again, the secondary team who got sold entry is now incoming with the threat.
Jason Pufahl 10:20
Gotcha. We don’t know what that is. I mean, that’s up to them to be creative. So you know, threat actor one was able to get there, was able to get entry, and then sell access to other people. That’s it, of course.
Matt Fusaro 10:31
So how do we defend against this?
Jason Pufahl 10:34
It’s tough, right? Because Halloween, you’re at your most vulnerable to this attack? For sure. So once a year, I think we’re all susceptible.
Matt Fusaro 10:42
So do you just put the full size candy bars out there for everybody?
Jason Pufahl 10:46
Yeah, I suppose you could do I mean, you could do like those. Maybe some like the baby gates, you at least can open your door. Somebody can reach over and get the candy, but they actually can’t kind of slip past you.
Matt Fusaro 10:56
A lot of people take the screen door out, or take the top screen out.
Jason Pufahl 11:00
That’s the way to do it. Like the old style half door. Yeah, I mean, it’s the people who open the door all the way. Right, they’re the fools. The Ring doorbell, I don’t know, I mean, sure, you can see who snuck by later, but it doesn’t help you at the time of theft.
Steven Maresca 11:16
Everybody’s dressed up, you can’t exactly authenticate people by looking at the Ring doorbell.
Jason Pufahl 11:20
That’s true. And people are dressing up like, you know, Raggedy Ann is benign. So you trust that, it’s not like somebody dressed as a spooky ghost, or Jack Skellington, something like that. Everybody’s keeping an eye on that one, though, everybody’s keeping an eye, what you need to do is come to the door actually with like a group of 14 or 15 year olds, people who you already don’t want there because they’re on the edge of too old, and that’s when you slide Raggedy Ann down below, right, because they’re already disgusted with the people who dressed as a bum, or a hobo. Right, the laziest costumes known to man.
Matt Fusaro 11:35
Everybody knows that’s a problem. Yep.
Steven Maresca 11:57
So, you know, is there anything left behind? You know, is there a camera for next year?
Jason Pufahl 12:03
I mean, I suggested leaving Raggedy Ann behind but,
Steven Maresca 12:05
Well, she has to eat, she can’t just eat chocolate.
Jason Pufahl 12:07
She has, you got a kitchen at your disposal, do whatever she wants in that place. She can’t just live on candy?
Steven Maresca 12:14
You get the fish or whatever they have for the rest of the year.
Jason Pufahl 12:18
I think the only thing that you’ve left behind is permanent scarring and the fear of Halloween for the people who’ve been infiltrated.
Matt Fusaro 12:24
Yeah, yeah, probably no candy next year.
Steven Maresca 12:29
Jason Pufahl 12:29
Yeah, that light will be switched off the following year.
Matt Fusaro 12:34
Oh, well. Probably not a great idea to do this.
Jason Pufahl 12:38
I know, now I feel bad for the people. So this is the discussion here really is intended to talk about the Kill Chain a bit. And it’s seven steps. You know, we did some reconnaissance and delivery, we installed our threat we got, what do they call it, that the intruder there, the hands on keyboard, somebody who’s actually your actor inside. Weaponization, exploitation and Steve you were trying to figure out the command and control piece, right, the persistence aspect. Kind of fun to apply it to Halloween, but it is the way we see attacks occur, cyber attacks, we’ll be more specific. I think on that, Happy Halloween, everybody, and put up your baby gate. I think it’s clear enough that you want to protect your house.
Matt Fusaro 13:29
And protect those full size candy bars.
Jason Pufahl 13:32
We hope you enjoyed the episode. Happy Halloween, everybody.
We’d love to hear your feedback. Feel free to get in touch at Vancord on LinkedIn or on Twitter at Vancordsecurity. And remember, stay vigilant, stay resilient. This has been CyberSound.