Ocean's Firewall

30 Apr 2025 - joe

Ocean’s Firewall: The Digital Score

A Heist-Themed Cybersecurity Tabletop Exercise

Exercise Overview

Title: Ocean’s Firewall: The Digital Score
Duration: 4 hours (recommended)
Target Audience: Security Specialists, Threat Hunters, Forensic Analysts, Executive Management
Difficulty: Rookie to Mastermind-level
Objective: Test Diamondback Casino & Resort’s ability to detect, contain, and neutralize a sophisticated criminal crew attempting a multi-vector cyber heist targeting both the casino’s financial systems and high-roller guest data.

Learning Objectives

1. Evaluate team coordination during complex security incidents with multiple simultaneous threats
2. Test response capabilities against a highly organized adversary with insider knowledge
3. Assess communication protocols between security, operations, and management
4. Practice decision-making under pressure with high financial and reputational stakes
5. Identify gaps in current security measures for high-value targets

Exercise Structure

Preparation Phase (2 weeks prior)

1. Casino Manager Selection: Appoint 1-2 individuals to coordinate the exercise
2. Security Team Selection: Identify key personnel from various security divisions
3. Resource Preparation: Ready the necessary documentation, communication channels, and simulated casino environment
4. Pre-Exercise Briefing: Conduct a security briefing explaining exercise parameters and expectations

Exercise Roles

1. Casino Manager: Controls exercise flow, introduces scenarios, evaluates responses
2. Security Specialists: Personnel responsible for monitoring casino systems
3. Threat Hunters: Specialists who actively search for and respond to threats
4. Forensic Analysts: Technical specialists who investigate breaches and evidence
5. Executive Management: Decision-makers who balance security with business operations
6. Observers: Record actions, decisions, and potential improvements
7. Guest Relations: (Optional) Add realism with customer impact considerations

Exercise Materials

Required Documentation

1. Casino security protocols
2. Emergency response procedures
3. Guest data protection policies
4. Incident escalation matrices
5. Technical documentation of casino systems
6. Exercise evaluation metrics

Technical Setup (Optional)

1. Simulated casino security operations center
2. Surveillance camera feeds (real or simulated)
3. Financial system dashboards
4. Guest management interface

Scenario Background

Diamondback Casino & Resort is a luxury gambling and entertainment destination catering to high-net-worth individuals. The casino’s Security Division provides monitoring and protection for:

• Casino Management System (gaming floor operations)
• High-Roller Database (VIP guest information and preferences)
• Financial Transaction Network (cage operations and credit lines)
• Hotel Operations Grid (room access and guest services)

The casino utilizes a sophisticated Security Operations Center that monitors both physical and digital assets, with specialized teams focusing on fraud prevention, cyber threats, and physical security.

Exercise Narrative

A notorious criminal crew known as “The Venetian Crew” has selected Diamondback as their next target. Led by a master strategist with a background in casino operations, the crew includes specialists in social engineering, digital intrusion, and financial fraud. Their objective is a two-pronged attack: compromising the casino’s financial systems for a major theft while simultaneously harvesting high-roller data for future exploitation. The heist will unfold in multiple stages over the course of the exercise, combining technical attacks with social engineering and potential insider threats.

Exercise Timeline and Scenarios

Phase 1: Initial Detection (0:00-1:00)

Setting the Scene (0:00-0:10)

• Casino Manager introduces the scenario as a busy Friday night at Diamondback
• Teams are at their stations monitoring normal casino operations

Scenario 1 (0:10): Unusual Access Patterns

• Security monitoring detects anomalous login attempts to peripheral casino systems
• The attempts use valid credentials but from unusual locations
• Access attempts focus on systems containing guest preference information

Expected Actions:

• Investigate the suspicious logins
• Verify if credentials belong to current employees
• Review login source and access patterns
• Begin documenting the incident

Scenario 2 (0:30): Social Engineering Attempt

• Guest Relations reports that someone claiming to be from IT called requesting password resets
• The caller had accurate employee names and partial identifying information
• Similar calls were reported at different hotel departments

Expected Actions:

• Escalate the incident to senior security personnel
• Alert all departments about potential social engineering
• Begin tracing the calls if possible
• Start assembling a response team

Scenario 3 (0:45): Surveillance Anomalies

• Security cameras in the high-limit room experience intermittent outages
• IT confirms the cameras are functioning properly at the hardware level
• Pattern suggests deliberate interference rather than technical failure

Expected Actions:

• Activate formal security incident protocols
• Deploy physical security to areas with camera issues
• Begin investigation into surveillance system access
• Consider heightened monitoring of high-value areas

Phase 2: Escalation (1:00-2:00)

Scenario 4 (1:00): High-Roller Complaints

• Several VIP guests report unauthorized room charges
• Investigation shows the charges originated from the casino’s internal billing system
• The pattern suggests testing of financial transaction capabilities

Expected Actions:

• Acknowledge potential connection to earlier suspicious activities
• Implement enhanced monitoring of financial systems
• Deploy fraud specialists to review recent transactions
• Update incident documentation and escalate to management

Scenario 5 (1:20): Malware Detection

• Deep system scan reveals sophisticated malware on a cage workstation
• The malware appears designed to intercept and modify financial transactions
• Evidence suggests it was installed using the compromised credentials

Expected Actions:

• Perform detailed malware analysis
• Begin investigating infection vector and potential spread
• Consider isolation of financial systems
• Update response team and executive management

Scenario 6 (1:40): Evidence of Data Exfiltration

• Security monitoring detects unusual outbound traffic from the guest database
• Analysis suggests customer data is being slowly extracted
• The exfiltration uses encrypted channels that bypass standard monitoring

Expected Actions:

• Implement blocks on suspicious outbound connections
• Preserve evidence of the data breach
• Begin determining scope of potentially compromised data
• Update risk assessment based on potential data loss

Phase 3: Crisis Management (2:00-3:00)

Scenario 7 (2:00): Financial System Anomalies

• The casino cage reports discrepancies in electronic chip balances
• Analysis shows systematic manipulation of transaction records
• Pattern suggests preparation for a major financial theft

Expected Actions:

• Prioritize protection of financial systems
• Consider moving to backup or manual procedures
• Deploy specialists to audit transaction records
• Prepare for potential financial reconciliation challenges

Scenario 8 (2:20): Executive Involvement

• The Casino CEO demands immediate briefing on the situation
• Preliminary financial impact estimates show potential for significant losses
• Media relations wants guidance on potential public response

Expected Actions:

• Prepare concise executive summary
• Provide initial impact assessment and containment status
• Advise on customer and public communications
• Continue technical response while managing executive expectations

Scenario 9 (2:40): Coordinated Attack

• Multiple systems simultaneously experience targeted attacks
• Physical distractions occur on the casino floor near high-limit areas
• Evidence suggests the main heist attempt is beginning

Expected Actions:

• Document all aspects of the coordinated attack
• Implement emergency response protocols
• Deploy all available security resources
• Consider partial casino operations shutdown
• Coordinate with local law enforcement if available

Phase 4: Resolution and Recovery (3:00-4:00)

Scenario 10 (3:00): Crew Identification

• Security analysis identifies the attack patterns
• Evidence confirms The Venetian Crew’s involvement
• Analysis reveals their methodology and likely objectives

Expected Actions:

• Document complete findings for leadership and law enforcement
• Develop a prioritized defense plan against identified techniques
• Identify all compromised systems requiring immediate attention
• Prepare comprehensive briefing on the attack methodology

Scenario 11 (3:20): Containment Decision Point

• The response team must decide on final containment strategy
• Options include full system shutdown vs. targeted isolation
• Each option has different impacts on casino operations and guest experience

Expected Actions:

• Evaluate business impact of each option
• Make decisions based on comprehensive risk assessment
• Communicate decisions and rationale to all stakeholders
• Begin implementing the chosen strategy

Scenario 12 (3:40): Recovery Planning

• With immediate threats contained, focus shifts to system restoration
• Multiple casino systems require secure rebuilding
• Guest relations requires guidance on communication with affected customers

Expected Actions:

• Develop a prioritized recovery sequence
• Create a communication plan for different stakeholders
• Prepare for potential regulatory reporting requirements
• Begin documenting lessons learned

Conclusion (3:50-4:00)

• Casino Manager declares the end of the exercise
• Brief initial feedback from participants
• Schedule a formal debrief session for the following day

Exercise Evaluation

Evaluation Metrics

1. Detection Effectiveness
   • Time to detect initial suspicious activities
   • Ability to correlate related security events
   • Thoroughness of investigation
2. Response Efficiency
   • Time from detection to initial response
   • Appropriateness of response actions
   • Resource allocation and deployment decisions
3. Communication Effectiveness
   • Internal security team communication
   • Management and executive updates
   • Guest and public relations considerations
4. Decision Quality
   • Financial loss prevention prioritization
   • Decision-making balancing security and business operations
   • Guest experience considerations

Post-Exercise Activities

1. Initial Debrief (Immediately following exercise)
   • Quick round-table discussion of initial impressions
   • Identification of major strengths and challenges
   • Collection of immediate feedback
2. Formal Review (1-2 days after exercise)
   • Structured review of exercise timeline and decisions
   • Analysis of major decision points
   • Documentation of lessons learned
3. Improvement Planning (1-2 weeks after exercise)
   • Development of specific action items
   • Assignment of responsibilities for improvements
   • Timeline for implementing changes
4. Follow-up Exercise (3-6 months later)
   • Targeted scenario to test improvements
   • Focus on previously identified weaknesses
   • Validate effectiveness of changes

Casino Manager Guidelines

Pre-Exercise Preparation

1. Scenario Customization
   • Adjust technical details to match your casino’s specific systems
   • Modify crew capabilities as appropriate for difficulty level
   • Ensure scenarios balance technical and operational realism
2. Information Control
   • Determine what information is available to participants at each stage
   • Prepare answers for likely questions from participants
   • Create physical or digital information cards for scenarios
3. Environment Setup
   • Arrange the exercise space to simulate casino operations
   • Prepare relevant displays and monitoring systems
   • Consider appropriate props and room layout

During Exercise Facilitation

1. Maintaining Casino Atmosphere
   • Introduce complications related to high-stakes environment
   • Provide realistic time pressures
   • Balance technical challenges with operational realities
2. Adaptability
   • Be prepared to adjust scenario pacing based on participant progress
   • Have additional heist elements ready if teams resolve issues quickly
   • Be willing to provide hints if teams get completely stuck
3. Observation
   • Take notes on key decisions and actions
   • Identify teaching moments for the debrief
   • Document specific areas for improvement

Post-Exercise Activities

1. Facilitating Discussion
   • Use open-ended questions to promote reflection
   • Focus on process improvements rather than assigning blame
   • Highlight both strengths and areas for improvement
2. Documentation
   • Compile observations and participant feedback
   • Prepare a comprehensive after-action report
   • Develop specific, actionable recommendations

Appendix: Detailed Technical Scenarios

Technical Details for Scenario 1

• Login Attempts:
  • Username: martin.chen
  • Access Locations: VPN from Las Vegas (unusual for this employee)
  • Timestamp: Friday, 9:17 PM, 9:22 PM, 9:34 PM
  • Systems Accessed: Guest Preference Database, VIP Host Portal
  • Employee Status: Martin Chen is on approved vacation in Hawaii

Technical Details for Scenario 2

• Social Engineering Details:
  • Caller identified as “Alex from IT Support”
  • Requested password resets for specific accounts with system access
  • Had knowledge of internal department structure and reporting hierarchy
  • Called from number showing internal extension but traced to external source
  • Targeted departments: Guest Relations, Cage Operations, Surveillance

Technical Details for Scenario 3

• Surveillance Anomalies:

  Affected Cameras: HC-7, HC-8, HC-12 (all high-limit areas)
  Pattern: 3-minute outages rotating between cameras
  System Logs: Show active but no commands issued to disable
  Network Analysis: Packet inspection shows command injection
  Access Method: Using legitimate credentials with elevated privileges
  

Technical Details for Scenario 5

• Malware Characteristics:
  • Type: Custom-built financial transaction interceptor
  • Capabilities: Transaction monitoring, selective modification, log cleaning
  • Installation: Executed through privileged account access
  • Command & Control: Encrypted communication through DNS tunneling
  • Evasion Techniques: Memory-resident components with minimal disk footprint
  • Target: Specifically designed to manipulate electronic chip balances

Technical Details for Scenario 7

• Financial Anomalies:
  • Electronic Chip Balance Discrepancies: +/- $50-100 per transaction
  • Pattern: Testing modifications on smaller transactions before larger ones
  • Timing: Manipulations occur during peak transaction periods
  • Method: Transaction values modified during processing, before final commit
  • Scale: Cumulative impact approximately $45,000 across multiple accounts
  • Evidence of Preparation: Log entries suggest testing of system thresholds

Technical Details for Scenario 9

• Coordinated Attack Elements: ``` Digital Components:
  • Simultaneous login attempts across multiple systems
  • Surveillance camera freeze on recorded loops
  • Electronic door lock system targeted for high-roller suites
  • Casino Management System processing abnormal chip transfers

  Physical Components:

  • Disturbance at main gaming floor bar
  • Fire alarm pulled near cage operations
  • Multiple high-value chip redemptions at different cage positions
  • Suspicious individuals observed near security access points ```

Technical Details for Scenario 10

• Attack Methodology:
  1. Initial reconnaissance through compromised employee credentials
  2. Social engineering to gather additional access and information
  3. Malware deployment on targeted financial systems
  4. Data exfiltration from high-roller database for future exploitation
  5. Testing of financial transaction manipulation capabilities
  6. Physical distraction coordinated with digital system manipulation
  7. Execution of financial theft through modified transactions during confusion