Go back to main page
0
No slides because lazy, but thanks for coming to my Defcon talk. It's assumed you have intermediate knowledge shoot questions, I'm sure it's hard to follow.

Today we're going to talk about not fucking it up.
1. Common Mistakes
2.Threat Modeling
3. Prep
4.Disaster Recovery

1.
Some common mistakes new and old players alike make is not being ready to clear a duplicate log. These sometimes occur on server connection - you will remove the log only for another to quickly spawn. This is a high exposure moment and you should now treat your IP as dirty. You may at this point also turn on your scanner, and check to confirm active disaster recovery which we will cover later.

Maintaining the same password over IP change. This can be fatal, as someone with your current password can skip pulse. Granting immediate access once you're pinged again. Reset your password more often than your IP. Easy.

Assumed safety - No one has logged me and therefore I have not been logged. We all at times fall victim to this, we haven't seen anyone on inside our threat model, we're busy chugging away on missions or what ever our task may be and we become complacent. Most often this is when you're going to take damage. Reset your IP often. Idle for 2 minutes? IP reset. 15-20 levels missioning? IP Reset. Rolled the server list for Cmods? IP reset.

Cross Bank Transfers - I see this a lot with newer players. Running bank missions transfering out to Wells Fargo from Canada, or what ever the case may be. This produces logs at both banks and exposes your accounts. Never do it. Always transfer when a transfer is required to the account at the same server. Upon completion, the account becomes dirty no exceptions. Do your laundry and get a new account.

2.Threat Modeling

Your threat model is going to determine how you act while online. APTs exist here, Advanced Persistent Threats. These are players with extremely high, or max level software and infinite resources to ruin your day with. While they are known to be online one should alter their behavior accordingly. They are basically state level actors.

Your threat model should include what actions you take when these known threats exist as well as how you proceed when these threats are unknown. Be informed by risk and reward, and include disaster recovery for the scenario in which you are attacked.

For example, an action I take in my personal threat model is to retain 120 BTC balance at all times for system repairs. This roughly equates to several DDoS damage in cost at my current size. You will also at times take different amounts of damage before repairing, and noting your required stats for desired mission times is quite handy.

3. Prep
In talking to a lot of the persistent player base the past two weeks I've realized most people are ill prepared heading out to the NPCs running missions.

Some things you should be doing to advance your defensive ability:
Keep completed processes for the following.
AV - IP - Password - Full restore of system programs x1-3 depending on your threat model (how fast can they delete your system do you think - do you want to be able to retaliate)

Retaliation comes with it's own set of problems and one should keep a full prepared process suit of reinstalled DDoS on 5-15 slaves as in a combat action with another player not only can one be attacked directly from multiple vectors but as well their botnets can be attacked.

This covers mission prep.

PvP prep is far more complex.
In addition to the above, and possibly more backup processes - threat dependent - you're going to be preparing attacks, maybe even multiple attacks as their defenses may be strong as in the above example.

You will want to take your time in gathering intelligence, probably logging your adversary several times in more complex cases, identifying malware names, preparing the disassembly of bot nets.

Deleting the pulse sensor, ddos remote, and waterwall of a player and keeping them down is key to disabling offensive capability. Assure this is foremost in your attacks.

An example of a lockdown -
I find a target IP on the Bank of Canada and Whois it -> I determine this to be a target I want to slave for mining -> Pulse -> Login -> Recon -> At this point if I've deemed them a possible threat I will disabled their offensive capabilities, readying antivirus to their botnet as well as removal of their ddos remote, pulse, waterwall, adding next a spy and ransomware. Setting each of these processes up twice. As most will have an IP reset. The key is to timing when the spy is slipped on and when the attack starts. The spy taking 15 minutes to report. Be sure they reset as your spy is about to report or this is a high chance it will be removed from formatting. If I am successful in timing the attack, I will get the new IP and use my second set of processes to lock down the player. You now have a slave until they pay or you fail to reinstall random and spy. As you've come in and locked them with your second ransom.

You won't often find yourself wanting to launch or defend is this complex a fashion, but this is an example of how it can be done.

4. Disaster Recovery:
Basic - All you need to do for this is have completed these processes
IP, AV, Password, A full restore of all files.
And have enough money hidden in any of the formats to repair your systems.

In the case you want to be able to retaliate when attacked, it's a lot of work. But, it can be done by having ready processes to protect the integrity of your botnet as well as your PC.

4 comments share
0
MrSlippery    4 years ago
Lmao HiIIII I just misclicked the report button on your comment and cant undo it. so if you eat any kind of automated justice my bad bwahhahah

Ok so, you're there bumping money around leaving multiple logs- I was under the mistaken impression that both banks generate logs- I play another game just like this one that has that variable and I wrote this middle of the night. So that covered.

You don't want to keep your account after you do a transfer. Take your money out via BTC or Stock and issue the new account command. This can be done during the next drill, so you're not adding time. You have about 130-260s to do this before your bank is potentially drained. 130 if the player is boosted vs not. People often sit intercepting mission runners to drain their accounts. Me, I'm people.
0
HIiIIIIII    4 years ago
what does this part mean:

Cross Bank Transfers - I see this a lot with newer players. Running bank missions transfering out to Wells Fargo from Canada, or what ever the case may be. This produces logs at both banks and exposes your accounts. Never do it. Always transfer when a transfer is required to the account at the same server. Upon completion, the account becomes dirty no exceptions. Do your laundry and get a new account.
0
MrSlippery    4 years ago
I intend to alter it as i see what works now vs the stuff above which I only for sure, mostly, know to have worked a year ago, and where multiple people are required for an attack eg. dismantling a botnet while pinning
0
Steel_Titan    4 years ago
Nice write-up
 
Go back to main page